execute: drop group priviliges only after setting up namespace

If PrivateDevices=yes is set, the namespace code creates device nodes in /dev
that should be owned by the host's root, hence let's make sure we set up the
namespace before dropping group privileges.
This commit is contained in:
Lennart Poettering 2016-08-25 17:29:12 +02:00 committed by Djalal Harouni
parent 920a7899de
commit 096424d123
1 changed files with 9 additions and 6 deletions


@ -2291,14 +2291,9 @@ static int exec_child(
}
accum_env = strv_env_clean(accum_env);
umask(context->umask);
(void) umask(context->umask);
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
r = enforce_groups(context, username, gid);
if (r < 0) {
*exit_status = EXIT_GROUP;
return r;
}
#ifdef HAVE_SMACK
if (context->smack_process_label) {
r = mac_smack_apply_pid(0, context->smack_process_label);
@ -2395,6 +2390,14 @@ static int exec_child(
}
}
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
r = enforce_groups(context, username, gid);
if (r < 0) {
*exit_status = EXIT_GROUP;
return r;
}
}
if (context->working_directory_home)
wd = home;
else if (context->working_directory)