execute: do initgroups() first, pam initialization second so that it can still modify the groups list
parent
64747e2d4b
commit
3b8bdddeff
|
@ -886,7 +886,7 @@ static int setup_pam(
|
||||||
* cleanups, so forget about the handle here. */
|
* cleanups, so forget about the handle here. */
|
||||||
handle = NULL;
|
handle = NULL;
|
||||||
|
|
||||||
/* Unblock SIGSUR1 again in the parent */
|
/* Unblock SIGTERM again in the parent */
|
||||||
if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
|
if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
|
@ -1255,6 +1255,14 @@ int exec_spawn(ExecCommand *command,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (apply_permissions)
|
||||||
|
if (enforce_groups(context, username, uid) < 0) {
|
||||||
|
r = EXIT_GROUP;
|
||||||
|
goto fail_child;
|
||||||
|
}
|
||||||
|
|
||||||
|
umask(context->umask);
|
||||||
|
|
||||||
#ifdef HAVE_PAM
|
#ifdef HAVE_PAM
|
||||||
if (context->pam_name && username) {
|
if (context->pam_name && username) {
|
||||||
if (setup_pam(context->pam_name, username, context->tty_path, &pam_env, fds, n_fds) < 0) {
|
if (setup_pam(context->pam_name, username, context->tty_path, &pam_env, fds, n_fds) < 0) {
|
||||||
|
@ -1264,14 +1272,6 @@ int exec_spawn(ExecCommand *command,
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (apply_permissions)
|
|
||||||
if (enforce_groups(context, username, uid) < 0) {
|
|
||||||
r = EXIT_GROUP;
|
|
||||||
goto fail_child;
|
|
||||||
}
|
|
||||||
|
|
||||||
umask(context->umask);
|
|
||||||
|
|
||||||
if (strv_length(context->read_write_dirs) > 0 ||
|
if (strv_length(context->read_write_dirs) > 0 ||
|
||||||
strv_length(context->read_only_dirs) > 0 ||
|
strv_length(context->read_only_dirs) > 0 ||
|
||||||
strv_length(context->inaccessible_dirs) > 0 ||
|
strv_length(context->inaccessible_dirs) > 0 ||
|
||||||
|
|
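Review bot: In the second exec_spawn hunk the new ordering is load-bearing but undocumented: enforce_groups() now has to run before setup_pam() so that PAM modules can still adjust the supplementary group list, and a later refactor could silently move it back. I would add a comment above the moved block, e.g. `/* Set up groups before PAM so that PAM modules may still amend the group list; keep this ahead of setup_pam(). */`. The same move also places `umask(context->umask)` ahead of setup_pam(), which the commit message does not mention; if a PAM session module changes the umask it would presumably now override the configured value, so the comment should say whether that is intended. Because the final group list is now whatever the PAM stack leaves behind, the service named by `context->pam_name` effectively becomes part of the privilege decision for the spawned process and deserves a mention in the documentation of that setting. exec_spawn's body starts and ends outside these hunks.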