From: Lennart Poettering
Date: Thu, 25 Aug 2016 15:29:12 +0000 (+0200)
Subject: execute: drop group priviliges only after setting up namespace
X-Git-Tag: v232~181^2~27
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=096424d1230e0a0339735c51b43949809e972430;p=thirdparty%2Fsystemd.git
execute: drop group priviliges only after setting up namespace
If PrivateDevices=yes is set, the namespace code creates device nodes in /dev that should be owned by the host's root, hence let's make sure we set up the namespace before dropping group privileges.
---
diff --git a/src/core/execute.c b/src/core/execute.c
index 20e74ec8a67..ae251b2a4cd 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2291,14 +2291,9 @@ static int exec_child(
 }
 accum_env = strv_env_clean(accum_env);
- umask(context->umask);
+ (void) umask(context->umask);
 if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
- r = enforce_groups(context, username, gid);
- if (r < 0) {
- *exit_status = EXIT_GROUP;
- return r;
- }
 #ifdef HAVE_SMACK
 if (context->smack_process_label) {
 r = mac_smack_apply_pid(0, context->smack_process_label);
@@ -2395,6 +2390,14 @@ static int exec_child(
 }
 }
+ if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
+ r = enforce_groups(context, username, gid);
+ if (r < 0) {
+ *exit_status = EXIT_GROUP;
+ return r;
+ }
+ }
+
 if (context->working_directory_home)
 wd = home;
 else if (context->working_directory)
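Review bot: With `enforce_groups()` removed from this block, the SMACK label application and every step up to new line 2393 now run with the manager's GID and supplementary groups still in place. Roughly a hundred lines lie between the two hunks and are not shown in the diff, so it is worth confirming that nothing there creates or opens files on the unit's behalf in a way that relied on the groups already being dropped. Per the commit message only the namespace setup is meant to benefit from the wider window. exec_child() starts and ends outside the hunk.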
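Review bot: The re-added `enforce_groups()` block has no comment, although its position is now a security-relevant ordering constraint: it must stay after the namespace setup (so the /dev nodes created for PrivateDevices=yes get root's group, per the commit message) and, presumably, before the user ID is dropped. I would state that above the `if`, for example `/* Drop group privileges only after the namespace is set up: with PrivateDevices=yes the device nodes in /dev must be created with root's group. */`. The guard `(params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged` is now repeated from the earlier block, so the two copies can drift apart in a later edit. The namespace setup and the user drop are outside the hunk, so the ordering should be checked against the full function.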