Re: Possible mistake in commit 3ca459eaba1b ("tun: fix group permission check")
From: stsp <hidden>
Date: 2025-01-28 15:04:13
Also in:
linux-security-module, selinux
28.01.2025 17:45, stsp wrote:
> 28.01.2025 17:20, Ondrej Mosnacek wrote:
>> That could work, but the semantics become a bit weird, actually: When you set both uid and gid, one of them needs to match. If you unset uid/gid, you get a stricter condition (gid/uid must match). And if you then also unset the other one, you suddenly get a less strict condition than the first two - nothing has to match.
> Maybe this means that unsetting with -1 is something that shouldn't be done and/or allowed? In this case you only stricten. Modulo the inability to set both user/group at the same time, so you still get "less strict" when setting group after user already set...
It may actually be possible to add the ioctl to set both at once. In this case you also reset both (with the same ioctl or add another one for resetting both), which makes the problem fully solved.