core: apply WorkingDirectory after enforce_user

If WorkingDirectory is on NFS, root might only have the privileges of nobody and the chdir to the WorkingDirectory might fail, even if the user running the service would have the proper privileges to chdir to that directory. Fixes #10568
2018-10-30 16:01:43 +01:00 · 2018-10-30 16:01:43 +01:00 · 56ef8db9f5
parent 0ba8987337
commit 56ef8db9f5
1 changed files with 6 additions and 5 deletions
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -3196,11 +3196,6 @@ static int exec_child(
                }
        }

-        /* Apply just after mount namespace setup */
-        r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
-        if (r < 0)
-                return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
-
        /* Drop groups as early as possbile */
        if (needs_setuid) {
                r = enforce_groups(gid, supplementary_gids, ngids);
@ -3375,6 +3370,12 @@ static int exec_child(
                }
        }

+        /* Apply working directory here, because the working directory might be on NFS and only the user running
+         * this service might have the correct privilege to change to the working directory */
+        r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
+        if (r < 0)
+                return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
+
        if (needs_sandboxing) {
                /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
                 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires