core: apply WorkingDirectory after enforce_user
If WorkingDirectory is on NFS, root might only have the privileges of nobody and the chdir to the WorkingDirectory might fail, even if the user running the service would have the proper privileges to chdir to that directory. Fixes #10568
parent
0ba8987337
commit
56ef8db9f5
|
@ -3196,11 +3196,6 @@ static int exec_child(
|
|||
}
|
||||
}
|
||||
|
||||
/* Apply just after mount namespace setup */
|
||||
r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
|
||||
if (r < 0)
|
||||
return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
|
||||
|
||||
/* Drop groups as early as possbile */
|
||||
if (needs_setuid) {
|
||||
r = enforce_groups(gid, supplementary_gids, ngids);
|
||||
|
@ -3375,6 +3370,12 @@ static int exec_child(
|
|||
}
|
||||
}
|
||||
|
||||
/* Apply working directory here, because the working directory might be on NFS and only the user running
|
||||
* this service might have the correct privilege to change to the working directory */
|
||||
r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
|
||||
if (r < 0)
|
||||
return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
|
||||
|
||||
if (needs_sandboxing) {
|
||||
/* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
|
||||
* influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
|
||||
|
|