From 7b9c30de1fba4ec190ca7fb6f2d85ddc802f7778 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Wed, 17 Dec 2025 18:01:04 +0100 Subject: [PATCH] environment: Do not attempt to map GID 0 when invoked as root. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * guix/scripts/environment.scm (launch-environment/container): Set ‘gid’ to 1000 when ‘getgid’ returns zero. Fixes: guix/guix#4234 Reported-by: Maxim Cournoyer Change-Id: I781f2939dfd3cda23373d2fa03e288995bce9eb9 --- guix/scripts/environment.scm | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/guix/scripts/environment.scm b/guix/scripts/environment.scm index 1b3b1312ea3..b2e715c6ddd 100644 --- a/guix/scripts/environment.scm +++ b/guix/scripts/environment.scm @@ -828,7 +828,13 @@ WHILE-LIST." (let* ((cwd (getcwd)) (home (getenv "HOME")) (uid (if user 1000 (getuid))) - (gid (if user 1000 (getgid))) + (gid (if user + 1000 + ;; When running as root, always map a non-zero GID + ;; or writing to 'gid_map' would fail with EPERM. + (match (getgid) + (0 1000) + (gid gid)))) ;; On a foreign distro, the name service switch might be ;; dysfunctional and 'getpwuid' throws. Don't let that hamper
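Review bot: the new comment in the `gid` binding says "When running as root", but the `match` tests only whether `(getgid)` returns 0, so the remap to 1000 applies to any caller whose GID is 0, and root running under a non-zero GID is left as is. Either reword the comment to state the actual condition (for example "When the current GID is 0, map a non-zero GID instead") or test the condition the comment names. The unchanged line `(uid (if user 1000 (getuid)))` still yields UID 0 for root, so the container ends up with UID 0 and GID 1000; a short remark in the comment on why only the GID needs this treatment would spare the next reader from wondering whether the asymmetry is intentional. As a style point, the catch-all clause `(gid gid)` reuses the name of the binding being defined; a differently named pattern variable, or a plain `if` with `zero?`, would read more clearly, and the literal 1000 now appears three times in adjacent lines and could be a named constant.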