core: apply WorkingDirectory after enforce_user

If WorkingDirectory is on NFS, root might only have the privileges of
nobody and the chdir to the WorkingDirectory might fail, even if the
user running the service would have the proper privileges to chdir to
that directory.

Fixes #10568

diff --git a/src/core/execute.c b/src/core/execute.c
index 89964b7bc1bc5a3ea7946c4e9c0f0db8f00324c4..33aa1093a313feb12a4f1dda04967272d74152c3 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3196,11 +3196,6 @@ static int exec_child(
                 }
         }
 
-        /* Apply just after mount namespace setup */
-        r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
-        if (r < 0)
-                return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
-
         /* Drop groups as early as possbile */
         if (needs_setuid) {
                 r = enforce_groups(gid, supplementary_gids, ngids);
@@ -3375,6 +3370,12 @@ static int exec_child(
                 }
         }
 
+        /* Apply working directory here, because the working directory might be on NFS and only the user running
+         * this service might have the correct privilege to change to the working directory */
+        r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
+        if (r < 0)
+                return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
+
         if (needs_sandboxing) {
                 /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
                  * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires