From: Joerg Behrmann
Date: Tue, 30 Oct 2018 15:01:43 +0000 (+0100)
Subject: core: apply WorkingDirectory after enforce_user
X-Git-Tag: v240~435
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=56ef8db9f5e5c2f2ea077cec41e97a19e98a637a;p=thirdparty%2Fsystemd.git

core: apply WorkingDirectory after enforce_user

If WorkingDirectory is on NFS, root might only have the privileges of nobody and the chdir to the WorkingDirectory might fail, even if the user running the service would have the proper privileges to chdir to that directory.

Fixes #10568
---
diff --git a/src/core/execute.c b/src/core/execute.c
index 89964b7bc1b..33aa1093a31 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3196,11 +3196,6 @@ static int exec_child(
 }
 }
- /* Apply just after mount namespace setup */
- r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
- if (r < 0)
- return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
-
 /* Drop groups as early as possbile */
 if (needs_setuid) {
 r = enforce_groups(gid, supplementary_gids, ngids);
@@ -3375,6 +3370,12 @@ static int exec_child(
 }
 }
+ /* Apply working directory here, because the working directory might be on NFS and only the user running
+ * this service might have the correct privilege to change to the working directory */
+ r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
+ if (r < 0)
+ return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
+
 if (needs_sandboxing) {
 /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
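Review bot: The relocated `apply_working_directory(context, params, home, needs_mount_namespace, exit_status)` call in the second hunk (`@@ -3375,6 +3370,12 @@`) still receives `needs_mount_namespace`, which suggests the helper does more than a plain `chdir()`, and per the commit title it now runs after the user switch. Its body is not visible here, but if it also performs the `chroot()` for `RootDirectory=` when no mount namespace is set up, that step would now run without CAP_SYS_CHROOT and fail for units combining `RootDirectory=` with `User=`. If that is the case, keep the root-directory step at the old position right after mount namespace setup and move only the `chdir()` part down. The new comment could also record the behavioural consequence, e.g. `/* Note: a WorkingDirectory= that only root can enter now fails here rather than being entered on the service's behalf */`. exec_child() starts and ends outside both hunks.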