Diffstat (limited to 'buildstream')
-rw-r--r--buildstream/element.py2
-rw-r--r--buildstream/sandbox/_sandboxbwrap.py4
-rw-r--r--buildstream/sandbox/sandbox.py9
3 files changed, 13 insertions, 2 deletions
diff --git a/buildstream/element.py b/buildstream/element.py
index d03f32c6c..c43701d09 100644
--- a/buildstream/element.py
+++ b/buildstream/element.py
@@ -1395,7 +1395,7 @@ class Element(Plugin):
if scope == Scope.BUILD:
flags |= SandboxFlags.ROOT_READ_ONLY
elif scope == Scope.RUN:
- flags |= SandboxFlags.NETWORK_ENABLED
+ flags |= SandboxFlags.NETWORK_ENABLED | SandboxFlags.INHERIT_UID
if command:
argv = [arg for arg in command]
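Review bot: The `Scope.RUN` branch now sets `SandboxFlags.INHERIT_UID` alongside `NETWORK_ENABLED`, but no comment says why a run shell should keep the host uid/gid while the `Scope.BUILD` branch stays on the default uid 0 mapping. This changes the identity that shell commands run under, so the reason belongs next to the line. Something like `# Run shells keep the invoking user's uid/gid (INHERIT_UID); build shells keep the uid 0 mapping` would do, with the motive filled in by the author. The enclosing method starts and ends outside the hunk, so how `flags` is consumed afterwards is not visible here.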
diff --git a/buildstream/sandbox/_sandboxbwrap.py b/buildstream/sandbox/_sandboxbwrap.py
index 71fd6951b..cab178f0f 100644
--- a/buildstream/sandbox/_sandboxbwrap.py
+++ b/buildstream/sandbox/_sandboxbwrap.py
@@ -130,7 +130,9 @@ class SandboxBwrap(Sandbox):
# Set UID and GUI
if self.user_ns_available:
- bwrap_command += ['--unshare-user', '--uid', '0', '--gid', '0']
+ bwrap_command += ['--unshare-user']
+ if not flags & SandboxFlags.INHERIT_UID:
+ bwrap_command += ['--uid', '0', '--gid', '0']
# Add the command
bwrap_command += command
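Review bot: `SandboxFlags.INHERIT_UID` is only consulted inside `if self.user_ns_available:`, so this hunk does not decide which ids the sandboxed process gets when user namespaces are unavailable; any other branch is outside the visible lines. The new docstring in sandbox.py ("protected by a user namespace where available") leaves that case unstated too, and it should say which uid/gid apply when no user namespace can be created. A comment above the new `if`, such as `# Without --uid/--gid bwrap keeps the caller's uid/gid inside the new user namespace`, would document the mechanism the flag relies on. The context comment `# Set UID and GUI` presumably means GID and could be corrected in the same change.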
diff --git a/buildstream/sandbox/sandbox.py b/buildstream/sandbox/sandbox.py
index bc080e30d..9f0a58628 100644
--- a/buildstream/sandbox/sandbox.py
+++ b/buildstream/sandbox/sandbox.py
@@ -61,6 +61,15 @@ class SandboxFlags():
the terminal entirely.
"""
+ INHERIT_UID = 0x08
+ """Whether to use the user id and group id from the host environment
+
+ This determines if processes in the sandbox should run with the
+ same user id and group id as BuildStream itself. By default,
+ processes run with user id and group id 0, protected by a user
+ namespace where available.
+ """
+
class Sandbox():
"""Sandbox()
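Review bot: The docstring on `INHERIT_UID` describes the flag as a property of sandboxes in general, but the only backend this commit teaches about it is `SandboxBwrap`. Any other `Sandbox` implementation (none is visible on this page) would accept the bit and silently ignore it. Consider adding a sentence such as `Sandbox implementations that cannot honour this flag run with their default ids.`, or having such backends reject the flag, so a caller relying on host-uid file ownership is not surprised.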