app/config: always use nobody UID within sandbox

Signed-off-by: Ophestra Umiker <cat@ophivana.moe>

internal/app/config.go

@@ -50,11 +50,8 @@ type SandboxConfig struct {
 	// mediated access to wayland socket
 	Wayland bool `json:"wayland,omitempty"`
 
-	UID int `json:"uid,omitempty"`
-	GID int `json:"gid,omitempty"`
 	// final environment variables
 	Env map[string]string `json:"env"`
-
 	// sandbox host filesystem access
 	Filesystem []*FilesystemConfig `json:"filesystem"`
 }
@@ -77,9 +74,12 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config {
 		return nil
 	}
 
+	nobody := 65534
 	conf := &bwrap.Config{
 		Net:           s.Net,
 		UserNS:        s.UserNS,
+		UID:           &nobody,
+		GID:           &nobody,
 		Hostname:      s.Hostname,
 		Clearenv:      true,
 		SetEnv:        s.Env,
@@ -89,12 +89,6 @@ func (s *SandboxConfig) Bwrap() *bwrap.Config {
 		NewSession:    !s.NoNewSession,
 		DieWithParent: true,
 	}
-	if s.UID > 0 {
-		conf.UID = &s.UID
-	}
-	if s.GID > 0 {
-		conf.GID = &s.GID
-	}
 
 	for _, c := range s.Filesystem {
 		if c == nil {
@@ -150,8 +144,6 @@ func Template() *Config {
 				Net:          true,
 				NoNewSession: true,
 				Wayland:      false,
-				UID:          150,
-				GID:          101,
 				// example API credentials pulled from Google Chrome
 				// DO NOT USE THESE IN A REAL BROWSER
 				Env: map[string]string{