From: Lennart Poettering
Date: Mon, 5 Feb 2024 14:42:46 +0000 (+0100)
Subject: exec-invoke: extend comment on placement of apply_working_directory() call
X-Git-Tag: v256-rc1~961^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a13fb98ba76cfad4dcc8f68530d06b4a9b633e0b;p=thirdparty%2Fsystemd.git

exec-invoke: extend comment on placement of apply_working_directory() call

Inspired by CVE-2024-21626, let's add a longer comment explaining why the code really shouldn't be moved any earlier. Just in the hope that anyone who feels tempted to move this around maybe actually reads the comment and reconsiders.

---

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index 1a6f606448f..81d243c5b20 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -5040,8 +5040,10 @@ int exec_invoke( } } - /* Apply working directory here, because the working directory might be on NFS and only the user running - * this service might have the correct privilege to change to the working directory */ + /* Apply working directory here, because the working directory might be on NFS and only the user + * running this service might have the correct privilege to change to the working directory. Also, it + * is absolutely 💣 crucial 💣 we applied all mount namespacing rearrangements before this, so that + * the cwd cannot be used to pin directories outside of the sandbox. */ r = apply_working_directory(context, params, runtime, home, exit_status); if (r < 0) return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m");
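Review bot: The extended comment states that all mount namespacing rearrangements must be applied before apply_working_directory() is called, but nothing in the hunk enforces that ordering, so the guarantee rests on a comment alone; consider also naming CVE-2024-21626 in the comment itself (it is cited only in the commit message) so a future reader of exec_invoke() finds the motivating case without consulting git history. As a style point, the "💣 crucial 💣" emoji in a C source comment is non-ASCII that some editors, terminals and patch tooling render poorly; plain wording such as "it is absolutely crucial that we applied all mount namespacing rearrangements before this" carries the same weight.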