mirror of
https://github.com/systemd/systemd
synced 2024-07-21 10:17:21 +00:00
execute: drop group priviliges only after setting up namespace
If PrivateDevices=yes is set, the namespace code creates device nodes in /dev that should be owned by the host's root, hence let's make sure we set up the namespace before dropping group privileges.
parent
920a7899de
commit
096424d123
|
@ -2291,14 +2291,9 @@ static int exec_child(
|
|||
}
|
||||
accum_env = strv_env_clean(accum_env);
|
||||
|
||||
umask(context->umask);
|
||||
(void) umask(context->umask);
|
||||
|
||||
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
|
||||
r = enforce_groups(context, username, gid);
|
||||
if (r < 0) {
|
||||
*exit_status = EXIT_GROUP;
|
||||
return r;
|
||||
}
|
||||
#ifdef HAVE_SMACK
|
||||
if (context->smack_process_label) {
|
||||
r = mac_smack_apply_pid(0, context->smack_process_label);
|
||||
|
@ -2395,6 +2390,14 @@ static int exec_child(
|
|||
}
|
||||
}
|
||||
|
||||
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
|
||||
r = enforce_groups(context, username, gid);
|
||||
if (r < 0) {
|
||||
*exit_status = EXIT_GROUP;
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
if (context->working_directory_home)
|
||||
wd = home;
|
||||
else if (context->working_directory)
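Review bot: The relocated `enforce_groups()` block in the second hunk has no comment explaining why it must sit at this point, even though its position is now a security-relevant ordering constraint. Per the commit message it has to run after namespace setup, so that the /dev nodes created for PrivateDevices= are owned by the host's root; it presumably also has to run before the user ID is dropped, since changing groups needs privilege. I would add above the `if`: `/* Drop groups only after the namespace is set up: PrivateDevices= creates /dev nodes that must be owned by the host's root. Must still happen before the UID is dropped. */`. Everything between the first `EXEC_APPLY_PERMISSIONS` block (where the call used to be) and this one now runs with root's primary and supplementary groups, so later additions to that stretch should be checked for files, sockets or helper processes they create. exec_child() starts and ends outside both hunks, so the ordering relative to the UID drop cannot be confirmed from what is shown.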
|
||||
|
|