11 files changed, 407 insertions, 211 deletions
diff --git a/internal/syscallcompat/asuser.go b/internal/syscallcompat/asuser.go
new file mode 100644
index 0000000..0c083ec
--- /dev/null
+++ b/internal/syscallcompat/asuser.go
@@ -0,0 +1,59 @@
+package syscallcompat
+
+import (
+	"golang.org/x/sys/unix"
+
+	"github.com/hanwen/go-fuse/v2/fuse"
+)
+
+// OpenatUser runs the Openat syscall in the context of a different user.
+// It switches the current thread to the new user, performs the syscall,
+// and switches back.
+//
+// If `context` is nil, this function behaves like ordinary Openat (no
+// user switching).
+func OpenatUser(dirfd int, path string, flags int, mode uint32, context *fuse.Context) (fd int, err error) {
+	f := func() (int, error) {
+		return Openat(dirfd, path, flags, mode)
+	}
+	return asUser(f, context)
+}
+
+// MknodatUser runs the Mknodat syscall in the context of a different user.
+// If `context` is nil, this function behaves like ordinary Mknodat.
+//
+// See OpenatUser() for how this works.
+func MknodatUser(dirfd int, path string, mode uint32, dev int, context *fuse.Context) (err error) {
+	f := func() (int, error) {
+		err := Mknodat(dirfd, path, mode, dev)
+		return -1, err
+	}
+	_, err = asUser(f, context)
+	return err
+}
+
+// SymlinkatUser runs the Symlinkat syscall in the context of a different user.
+// If `context` is nil, this function behaves like ordinary Symlinkat.
+//
+// See OpenatUser() for how this works.
+func SymlinkatUser(oldpath string, newdirfd int, newpath string, context *fuse.Context) (err error) {
+	f := func() (int, error) {
+		err := unix.Symlinkat(oldpath, newdirfd, newpath)
+		return -1, err
+	}
+	_, err = asUser(f, context)
+	return err
+}
+
+// MkdiratUser runs the Mkdirat syscall in the context of a different user.
+// If `context` is nil, this function behaves like ordinary Mkdirat.
+//
+// See OpenatUser() for how this works.
+func MkdiratUser(dirfd int, path string, mode uint32, context *fuse.Context) (err error) {
+	f := func() (int, error) {
+		err := unix.Mkdirat(dirfd, path, mode)
+		return -1, err
+	}
+	_, err = asUser(f, context)
+	return err
+}
diff --git a/internal/syscallcompat/asuser_darwin.go b/internal/syscallcompat/asuser_darwin.go
new file mode 100644
index 0000000..5da2782
--- /dev/null
+++ b/internal/syscallcompat/asuser_darwin.go
@@ -0,0 +1,46 @@
+package syscallcompat
+
+import (
+	"runtime"
+	"syscall"
+
+	"github.com/hanwen/go-fuse/v2/fuse"
+)
+
+// asUser runs `f()` under the effective uid, gid, groups specified
+// in `context`.
+//
+// If `context` is nil, `f()` is executed directly without switching user id.
+func asUser(f func() (int, error), context *fuse.Context) (int, error) {
+	if context == nil {
+		return f()
+	}
+
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	err := pthread_setugid_np(context.Owner.Uid, context.Owner.Gid)
+	if err != nil {
+		return -1, err
+	}
+
+	const (
+		// KAUTH_UID_NONE and KAUTH_GID_NONE are special values to
+		// revert permissions to the process credentials.
+		KAUTH_UID_NONE = ^uint32(0) - 100
+		KAUTH_GID_NONE = ^uint32(0) - 100
+	)
+
+	defer pthread_setugid_np(KAUTH_UID_NONE, KAUTH_GID_NONE)
+
+	return f()
+}
+
+// Unfortunately pthread_setugid_np does not have a syscall wrapper yet.
+func pthread_setugid_np(uid uint32, gid uint32) (err error) {
+	_, _, e1 := syscall.RawSyscall(syscall.SYS_SETTID, uintptr(uid), uintptr(gid), 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
diff --git a/internal/syscallcompat/asuser_linux.go b/internal/syscallcompat/asuser_linux.go
new file mode 100644
index 0000000..39e3ff2
--- /dev/null
+++ b/internal/syscallcompat/asuser_linux.go
@@ -0,0 +1,80 @@
+package syscallcompat
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/hanwen/go-fuse/v2/fuse"
+)
+
+// asUser runs `f()` under the effective uid, gid, groups specified
+// in `context`.
+//
+// If `context` is nil, `f()` is executed directly without switching user id.
+func asUser(f func() (int, error), context *fuse.Context) (int, error) {
+	if context == nil {
+		return f()
+	}
+
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+
+	// Since go1.16beta1 (commit d1b1145cace8b968307f9311ff611e4bb810710c ,
+	// https://go-review.googlesource.com/c/go/+/210639 )
+	// syscall.{Setgroups,Setregid,Setreuid} affects all threads, which
+	// is exactly what we not want.
+	//
+	// And unix.{Setgroups,Setregid,Setreuid} also changed to this behavoir in
+	// v0.1.0 (commit d0df966e6959f00dc1c74363e537872647352d51 ,
+	// https://go-review.googlesource.com/c/sys/+/428174 ), so we use
+	// our own syscall wrappers.
+
+	err := Setgroups(getSupplementaryGroups(context.Pid))
+	if err != nil {
+		return -1, err
+	}
+	defer SetgroupsPanic(nil)
+
+	err = Setregid(-1, int(context.Owner.Gid))
+	if err != nil {
+		return -1, err
+	}
+	defer SetregidPanic(-1, 0)
+
+	err = Setreuid(-1, int(context.Owner.Uid))
+	if err != nil {
+		return -1, err
+	}
+	defer SetreuidPanic(-1, 0)
+
+	return f()
+}
+
+func getSupplementaryGroups(pid uint32) (gids []int) {
+	procPath := fmt.Sprintf("/proc/%d/task/%d/status", pid, pid)
+	blob, err := os.ReadFile(procPath)
+	if err != nil {
+		return nil
+	}
+
+	lines := strings.Split(string(blob), "\n")
+	for _, line := range lines {
+		if strings.HasPrefix(line, "Groups:") {
+			f := strings.Fields(line[7:])
+			gids = make([]int, len(f))
+			for i := range gids {
+				val, err := strconv.ParseInt(f[i], 10, 32)
+				if err != nil {
+					return nil
+				}
+				gids[i] = int(val)
+			}
+			return gids
+		}
+	}
+
+	return nil
+}
diff --git a/internal/syscallcompat/getdents_test.go b/internal/syscallcompat/getdents_test.go
index eb670d6..c9e6a99 100644
--- a/internal/syscallcompat/getdents_test.go
+++ b/internal/syscallcompat/getdents_test.go
@@ -4,7 +4,6 @@
 package syscallcompat
 
 import (
-	"io/ioutil"
 	"os"
 	"runtime"
 	"strings"
@@ -49,13 +48,13 @@ func testGetdents(t *testing.T) {
 		getdentsUnderTest = emulateGetdents
 	}
 	// Fill a directory with filenames of length 1 ... 255
-	testDir, err := ioutil.TempDir(tmpDir, "TestGetdents")
+	testDir, err := os.MkdirTemp(tmpDir, "TestGetdents")
 	if err != nil {
 		t.Fatal(err)
 	}
 	for i := 1; i <= unix.NAME_MAX; i++ {
 		n := strings.Repeat("x", i)
-		err = ioutil.WriteFile(testDir+"/"+n, nil, 0600)
+		err = os.WriteFile(testDir+"/"+n, nil, 0600)
 		if err != nil {
 			t.Fatal(err)
 		}
diff --git a/internal/syscallcompat/main_test.go b/internal/syscallcompat/main_test.go
index ddf6bc4..7183f5a 100644
--- a/internal/syscallcompat/main_test.go
+++ b/internal/syscallcompat/main_test.go
@@ -2,7 +2,6 @@ package syscallcompat
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"testing"
 )
@@ -23,7 +22,7 @@ func TestMain(m *testing.M) {
 		fmt.Println(err)
 		os.Exit(1)
 	}
-	tmpDir, err = ioutil.TempDir(parent, "syscallcompat")
+	tmpDir, err = os.MkdirTemp(parent, "syscallcompat")
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
diff --git a/internal/syscallcompat/rename_exchange_test.go b/internal/syscallcompat/rename_exchange_test.go
new file mode 100644
index 0000000..97a95f8
--- /dev/null
+++ b/internal/syscallcompat/rename_exchange_test.go
@@ -0,0 +1,58 @@
+package syscallcompat
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"golang.org/x/sys/unix"
+)
+
+func TestRenameExchange(t *testing.T) {
+	// Create a temporary directory for testing
+	tmpDir, err := os.MkdirTemp("", "renameat2_test")
+	if err != nil {
+		t.Fatalf("Failed to create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	// Test basic exchange functionality
+	file1 := filepath.Join(tmpDir, "file1.txt")
+	file2 := filepath.Join(tmpDir, "file2.txt")
+
+	content1 := []byte("content of file 1")
+	content2 := []byte("content of file 2")
+
+	if err := os.WriteFile(file1, content1, 0644); err != nil {
+		t.Fatalf("Failed to create file1: %v", err)
+	}
+
+	if err := os.WriteFile(file2, content2, 0644); err != nil {
+		t.Fatalf("Failed to create file2: %v", err)
+	}
+
+	// Test RENAME_EXCHANGE - this is the core functionality for issue #914
+	err = Renameat2(unix.AT_FDCWD, file1, unix.AT_FDCWD, file2, RENAME_EXCHANGE)
+	if err != nil {
+		t.Fatalf("RENAME_EXCHANGE failed: %v", err)
+	}
+
+	// Verify that the files have been swapped
+	newContent1, err := os.ReadFile(file1)
+	if err != nil {
+		t.Fatalf("Failed to read file1 after exchange: %v", err)
+	}
+
+	newContent2, err := os.ReadFile(file2)
+	if err != nil {
+		t.Fatalf("Failed to read file2 after exchange: %v", err)
+	}
+
+	if string(newContent1) != string(content2) {
+		t.Errorf("file1 content after exchange. Expected: %s, Got: %s", content2, newContent1)
+	}
+
+	if string(newContent2) != string(content1) {
+		t.Errorf("file2 content after exchange. Expected: %s, Got: %s", content1, newContent2)
+	}
+}
diff --git a/internal/syscallcompat/sys_darwin.go b/internal/syscallcompat/sys_darwin.go
index 06f09f0..0ebdd3b 100644
--- a/internal/syscallcompat/sys_darwin.go
+++ b/internal/syscallcompat/sys_darwin.go
@@ -3,7 +3,6 @@ package syscallcompat
 import (
 	"log"
 	"path/filepath"
-	"runtime"
 	"syscall"
 	"time"
 	"unsafe"
@@ -21,27 +20,15 @@ const (
 	// O_PATH is only defined on Linux
 	O_PATH = 0
 
+	// Same meaning, different name
+	RENAME_NOREPLACE = unix.RENAME_EXCL
+	RENAME_EXCHANGE  = unix.RENAME_SWAP
+
 	// Only exists on Linux. Define here to fix build failure, even though
-	// we will never see the flags.
-	RENAME_NOREPLACE = 1
-	RENAME_EXCHANGE  = 2
-	RENAME_WHITEOUT  = 4
-
-	// KAUTH_UID_NONE and KAUTH_GID_NONE are special values to
-	// revert permissions to the process credentials.
-	KAUTH_UID_NONE = ^uint32(0) - 100
-	KAUTH_GID_NONE = ^uint32(0) - 100
+	// we will never see this flag.
+	RENAME_WHITEOUT = 1 << 30
 )
 
-// Unfortunately pthread_setugid_np does not have a syscall wrapper yet.
-func pthread_setugid_np(uid uint32, gid uint32) (err error) {
-	_, _, e1 := syscall.RawSyscall(syscall.SYS_SETTID, uintptr(uid), uintptr(gid), 0)
-	if e1 != 0 {
-		err = e1
-	}
-	return
-}
-
 // Unfortunately fsetattrlist does not have a syscall wrapper yet.
 func fsetattrlist(fd int, list unsafe.Pointer, buf unsafe.Pointer, size uintptr, options int) (err error) {
 	_, _, e1 := syscall.Syscall6(syscall.SYS_FSETATTRLIST, uintptr(fd), uintptr(list), uintptr(buf), uintptr(size), uintptr(options), 0)
@@ -84,74 +71,14 @@ func Dup3(oldfd int, newfd int, flags int) (err error) {
 //// Emulated Syscalls (see emulate.go) ////////////////
 ////////////////////////////////////////////////////////
 
-func OpenatUser(dirfd int, path string, flags int, mode uint32, context *fuse.Context) (fd int, err error) {
-	if context != nil {
-		runtime.LockOSThread()
-		defer runtime.UnlockOSThread()
-
-		err = pthread_setugid_np(context.Owner.Uid, context.Owner.Gid)
-		if err != nil {
-			return -1, err
-		}
-		defer pthread_setugid_np(KAUTH_UID_NONE, KAUTH_GID_NONE)
-	}
-
-	return Openat(dirfd, path, flags, mode)
-}
-
 func Mknodat(dirfd int, path string, mode uint32, dev int) (err error) {
 	return emulateMknodat(dirfd, path, mode, dev)
 }
 
-func MknodatUser(dirfd int, path string, mode uint32, dev int, context *fuse.Context) (err error) {
-	if context != nil {
-		runtime.LockOSThread()
-		defer runtime.UnlockOSThread()
-
-		err = pthread_setugid_np(context.Owner.Uid, context.Owner.Gid)
-		if err != nil {
-			return err
-		}
-		defer pthread_setugid_np(KAUTH_UID_NONE, KAUTH_GID_NONE)
-	}
-
-	return Mknodat(dirfd, path, mode, dev)
-}
-
 func FchmodatNofollow(dirfd int, path string, mode uint32) (err error) {
 	return unix.Fchmodat(dirfd, path, mode, unix.AT_SYMLINK_NOFOLLOW)
 }
 
-func SymlinkatUser(oldpath string, newdirfd int, newpath string, context *fuse.Context) (err error) {
-	if context != nil {
-		runtime.LockOSThread()
-		defer runtime.UnlockOSThread()
-
-		err = pthread_setugid_np(context.Owner.Uid, context.Owner.Gid)
-		if err != nil {
-			return err
-		}
-		defer pthread_setugid_np(KAUTH_UID_NONE, KAUTH_GID_NONE)
-	}
-
-	return unix.Symlinkat(oldpath, newdirfd, newpath)
-}
-
-func MkdiratUser(dirfd int, path string, mode uint32, context *fuse.Context) (err error) {
-	if context != nil {
-		runtime.LockOSThread()
-		defer runtime.UnlockOSThread()
-
-		err = pthread_setugid_np(context.Owner.Uid, context.Owner.Gid)
-		if err != nil {
-			return err
-		}
-		defer pthread_setugid_np(KAUTH_UID_NONE, KAUTH_GID_NONE)
-	}
-
-	return unix.Mkdirat(dirfd, path, mode)
-}
-
 type attrList struct {
 	bitmapCount uint16
 	_           uint16
@@ -227,7 +154,12 @@ func GetdentsSpecial(fd int) (entries []fuse.DirEntry, entriesSpecial []fuse.Dir
 	return emulateGetdents(fd)
 }
 
-// Renameat2 does not exist on Darwin, so we call Renameat and ignore the flags.
+// Renameat2 does not exist on Darwin, but RenameatxNp does.
 func Renameat2(olddirfd int, oldpath string, newdirfd int, newpath string, flags uint) (err error) {
-	return unix.Renameat(olddirfd, oldpath, newdirfd, newpath)
+	// If no flags are set, use tried and true renameat
+	if flags == 0 {
+		return unix.Renameat(olddirfd, oldpath, newdirfd, newpath)
+	}
+	// Let RenameatxNp handle everything else
+	return unix.RenameatxNp(olddirfd, oldpath, newdirfd, newpath, uint32(flags))
 }
diff --git a/internal/syscallcompat/sys_linux.go b/internal/syscallcompat/sys_linux.go
index a64b27e..19d2c56 100644
--- a/internal/syscallcompat/sys_linux.go
+++ b/internal/syscallcompat/sys_linux.go
@@ -3,10 +3,6 @@ package syscallcompat
 
 import (
 	"fmt"
-	"io/ioutil"
-	"runtime"
-	"strconv"
-	"strings"
 	"sync"
 	"syscall"
 	"time"
@@ -67,104 +63,11 @@ func Fallocate(fd int, mode uint32, off int64, len int64) (err error) {
 	return syscall.Fallocate(fd, mode, off, len)
 }
 
-func getSupplementaryGroups(pid uint32) (gids []int) {
-	procPath := fmt.Sprintf("/proc/%d/task/%d/status", pid, pid)
-	blob, err := ioutil.ReadFile(procPath)
-	if err != nil {
-		return nil
-	}
-
-	lines := strings.Split(string(blob), "\n")
-	for _, line := range lines {
-		if strings.HasPrefix(line, "Groups:") {
-			f := strings.Fields(line[7:])
-			gids = make([]int, len(f))
-			for i := range gids {
-				val, err := strconv.ParseInt(f[i], 10, 32)
-				if err != nil {
-					return nil
-				}
-				gids[i] = int(val)
-			}
-			return gids
-		}
-	}
-
-	return nil
-}
-
-// asUser runs `f()` under the effective uid, gid, groups specified
-// in `context`.
-//
-// If `context` is nil, `f()` is executed directly without switching user id.
-func asUser(f func() (int, error), context *fuse.Context) (int, error) {
-	if context == nil {
-		return f()
-	}
-
-	runtime.LockOSThread()
-	defer runtime.UnlockOSThread()
-
-	// Since go1.16beta1 (commit d1b1145cace8b968307f9311ff611e4bb810710c ,
-	// https://go-review.googlesource.com/c/go/+/210639 )
-	// syscall.{Setgroups,Setregid,Setreuid} affects all threads, which
-	// is exactly what we not want.
-	//
-	// We now use unix.{Setgroups,Setregid,Setreuid} instead.
-
-	err := unix.Setgroups(getSupplementaryGroups(context.Pid))
-	if err != nil {
-		return -1, err
-	}
-	defer unix.Setgroups(nil)
-
-	err = unix.Setregid(-1, int(context.Owner.Gid))
-	if err != nil {
-		return -1, err
-	}
-	defer unix.Setregid(-1, 0)
-
-	err = unix.Setreuid(-1, int(context.Owner.Uid))
-	if err != nil {
-		return -1, err
-	}
-	defer unix.Setreuid(-1, 0)
-
-	return f()
-}
-
-// OpenatUser runs the Openat syscall in the context of a different user.
-//
-// It switches the current thread to the new user, performs the syscall,
-// and switches back.
-//
-// If `context` is nil, this function behaves like ordinary Openat (no
-// user switching).
-func OpenatUser(dirfd int, path string, flags int, mode uint32, context *fuse.Context) (fd int, err error) {
-	f := func() (int, error) {
-		return Openat(dirfd, path, flags, mode)
-	}
-	return asUser(f, context)
-}
-
 // Mknodat wraps the Mknodat syscall.
 func Mknodat(dirfd int, path string, mode uint32, dev int) (err error) {
 	return syscall.Mknodat(dirfd, path, mode, dev)
 }
 
-// MknodatUser runs the Mknodat syscall in the context of a different user.
-// If `context` is nil, this function behaves like ordinary Mknodat.
-//
-// See OpenatUser() for how this works.
-func MknodatUser(dirfd int, path string, mode uint32, dev int, context *fuse.Context) (err error) {
-	f := func() (int, error) {
-		err := Mknodat(dirfd, path, mode, dev)
-		return -1, err
-	}
-	_, err = asUser(f, context)
-	return err
-}
-
 // Dup3 wraps the Dup3 syscall. We want to use Dup3 rather than Dup2 because Dup2
 // is not implemented on arm64.
 func Dup3(oldfd int, newfd int, flags int) (err error) {
@@ -205,32 +108,6 @@ func FchmodatNofollow(dirfd int, path string, mode uint32) (err error) {
 	return syscall.Chmod(procPath, mode)
 }
 
-// SymlinkatUser runs the Symlinkat syscall in the context of a different user.
-// If `context` is nil, this function behaves like ordinary Symlinkat.
-//
-// See OpenatUser() for how this works.
-func SymlinkatUser(oldpath string, newdirfd int, newpath string, context *fuse.Context) (err error) {
-	f := func() (int, error) {
-		err := unix.Symlinkat(oldpath, newdirfd, newpath)
-		return -1, err
-	}
-	_, err = asUser(f, context)
-	return err
-}
-
-// MkdiratUser runs the Mkdirat syscall in the context of a different user.
-// If `context` is nil, this function behaves like ordinary Mkdirat.
-//
-// See OpenatUser() for how this works.
-func MkdiratUser(dirfd int, path string, mode uint32, context *fuse.Context) (err error) {
-	f := func() (int, error) {
-		err := unix.Mkdirat(dirfd, path, mode)
-		return -1, err
-	}
-	_, err = asUser(f, context)
-	return err
-}
-
 // LsetxattrUser runs the Lsetxattr syscall in the context of a different user.
 // This is useful when setting ACLs, as the result depends on the user running
 // the operation (see fuse-xfstests generic/375).
@@ -247,8 +124,16 @@ func LsetxattrUser(path string, attr string, data []byte, flags int, context *fu
 
 func timesToTimespec(a *time.Time, m *time.Time) []unix.Timespec {
 	ts := make([]unix.Timespec, 2)
-	ts[0] = unix.Timespec(fuse.UtimeToTimespec(a))
-	ts[1] = unix.Timespec(fuse.UtimeToTimespec(m))
+	if a == nil {
+		ts[0] = unix.Timespec{Nsec: unix.UTIME_OMIT}
+	} else {
+		ts[0], _ = unix.TimeToTimespec(*a)
+	}
+	if m == nil {
+		ts[1] = unix.Timespec{Nsec: unix.UTIME_OMIT}
+	} else {
+		ts[1], _ = unix.TimeToTimespec(*m)
+	}
 	return ts
 }
 
diff --git a/internal/syscallcompat/thread_credentials_linux.go b/internal/syscallcompat/thread_credentials_linux.go
new file mode 100644
index 0000000..b5ec6cd
--- /dev/null
+++ b/internal/syscallcompat/thread_credentials_linux.go
@@ -0,0 +1,61 @@
+//go:build linux
+
+// golang.org/x/sys/unix commit
+// https://github.com/golang/sys/commit/d0df966e6959f00dc1c74363e537872647352d51
+// changed unix.Setreuid/unix.Setregid functions to affect the whole thread, which is
+// what gocryptfs does NOT want (https://github.com/rfjakob/gocryptfs/issues/893).
+// The functions Setreuid/Setegid are copy-pasted from one commit before
+// (9e1f76180b77a12eb07c82eb8e1ea8a7f8d202e7).
+//
+// Looking at the diff at https://github.com/golang/sys/commit/d0df966e6959f00dc1c74363e537872647352d51
+// we see that only two architectures, 386 and arm, use SYS_SETREUID32/SYS_SETREGID32
+// (see "man 2 setreuid" for why).
+// All the others architectures use SYS_SETREUID/SYS_SETREGID.
+//
+// As of golang.org/x/sys/unix v0.30.0, Setgroups/setgroups is still per-thread, but
+// it is likely that this will change, too. Setgroups/setgroups are copy-pasted from
+// v0.30.0. The SYS_SETGROUPS32/SYS_SETGROUPS split is the same as for Setreuid.
+//
+// Note: _Gid_t is always uint32 on linux, so we can directly use uint32 for setgroups.
+package syscallcompat
+
+import (
+	"log"
+)
+
+// Setgroups is like setgroups(2) but affects only the current thread
+func Setgroups(gids []int) (err error) {
+	if len(gids) == 0 {
+		return setgroups(0, nil)
+	}
+
+	a := make([]uint32, len(gids))
+	for i, v := range gids {
+		a[i] = uint32(v)
+	}
+	return setgroups(len(a), &a[0])
+}
+
+// SetgroupsPanic calls Setgroups and panics on error
+func SetgroupsPanic(gids []int) {
+	err := Setgroups(gids)
+	if err != nil {
+		log.Panic(err)
+	}
+}
+
+// SetregidPanic calls Setregid and panics on error
+func SetregidPanic(rgid int, egid int) {
+	err := Setregid(rgid, egid)
+	if err != nil {
+		log.Panic(err)
+	}
+}
+
+// SetreuidPanic calls Setreuid and panics on error
+func SetreuidPanic(ruid int, euid int) {
+	err := Setreuid(ruid, euid)
+	if err != nil {
+		log.Panic(err)
+	}
+}
diff --git a/internal/syscallcompat/thread_credentials_linux_32.go b/internal/syscallcompat/thread_credentials_linux_32.go
new file mode 100644
index 0000000..69fffca
--- /dev/null
+++ b/internal/syscallcompat/thread_credentials_linux_32.go
@@ -0,0 +1,40 @@
+//go:build (linux && 386) || (linux && arm)
+
+// Linux on i386 and 32-bit ARM has SYS_SETREUID and friends returning 16-bit values.
+// We need to use SYS_SETREUID32 instead.
+
+package syscallcompat
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+// See thread_credentials_linux.go for docs
+
+// Setreuid is like setreuid(2) but affects only the current thread
+func Setreuid(ruid int, euid int) (err error) {
+	_, _, e1 := unix.RawSyscall(unix.SYS_SETREUID32, uintptr(ruid), uintptr(euid), 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
+// Setreuid is like setregid(2) but affects only the current thread
+func Setregid(rgid int, egid int) (err error) {
+	_, _, e1 := unix.RawSyscall(unix.SYS_SETREGID32, uintptr(rgid), uintptr(egid), 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
+func setgroups(n int, list *uint32) (err error) {
+	_, _, e1 := unix.RawSyscall(unix.SYS_SETGROUPS32, uintptr(n), uintptr(unsafe.Pointer(list)), 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
diff --git a/internal/syscallcompat/thread_credentials_linux_other.go b/internal/syscallcompat/thread_credentials_linux_other.go
new file mode 100644
index 0000000..ab11c71
--- /dev/null
+++ b/internal/syscallcompat/thread_credentials_linux_other.go
@@ -0,0 +1,37 @@
+//go:build !((linux && 386) || (linux && arm))
+
+package syscallcompat
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+// See thread_credentials_linux.go for docs
+
+// Setreuid is like setreuid(2) but affects only the current thread
+func Setreuid(ruid int, euid int) (err error) {
+	_, _, e1 := unix.RawSyscall(unix.SYS_SETREUID, uintptr(ruid), uintptr(euid), 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
+// Setreuid is like setregid(2) but affects only the current thread
+func Setregid(rgid int, egid int) (err error) {
+	_, _, e1 := unix.RawSyscall(unix.SYS_SETREGID, uintptr(rgid), uintptr(egid), 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
+func setgroups(n int, list *uint32) (err error) {
+	_, _, e1 := unix.RawSyscall(unix.SYS_SETGROUPS, uintptr(n), uintptr(unsafe.Pointer(list)), 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}