From: Ronny Chevalier
Date: Mon, 21 Sep 2015 13:45:51 +0000 (+0200)
Subject: core: fix group ownership when Group is set
X-Git-Tag: v227~116^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5bc7452b3219456e07f931e40da30bb94a884293;p=thirdparty%2Fsystemd.git
core: fix group ownership when Group is set
When Group is set in the unit, the runtime directories are owned by this group and not the default group of the user (same for cgroup paths and standard outputs)
Fix #1231
---
diff --git a/src/core/execute.c b/src/core/execute.c
index 3c308e3e3e6..6e14848cd43 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -629,15 +629,6 @@ static int enforce_groups(const ExecContext *context, const char *username, gid_
 * we avoid NSS lookups for gid=0. */
 if (context->group || username) {
-
- if (context->group) {
- const char *g = context->group;
-
- r = get_group_creds(&g, &gid);
- if (r < 0)
- return r;
- }
-
 /* First step, initialize groups from /etc/groups */
 if (username && gid != 0) {
 if (initgroups(username, gid) < 0)
@@ -1414,6 +1405,17 @@ static int exec_child(
 }
 }
+ if (context->group) {
+ const char *g = context->group;
+
+ r = get_group_creds(&g, &gid);
+ if (r < 0) {
+ *exit_status = EXIT_GROUP;
+ return r;
+ }
+ }
+
+
 /* If a socket is connected to STDIN/STDOUT/STDERR, we
 * must sure to drop O_NONBLOCK */
 if (socket_fd >= 0)
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 60540f8d285..dd8ab7dcb8a 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -140,6 +140,7 @@ static void test_exec_umask(Manager *m) {
 static void test_exec_runtimedirectory(Manager *m) {
 test(m, "exec-runtimedirectory.service", 0, CLD_EXITED);
 test(m, "exec-runtimedirectory-mode.service", 0, CLD_EXITED);
+ test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
 }
 int main(int argc, char *argv[]) {
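Review bot: The `if (context->group)` block added to exec_child() in src/core/execute.c has no comment saying that its position matters: `gid` has to hold the Group= value before the code further down (presumably the runtime-directory, cgroup and stdio setup named in the commit message) uses it for ownership. I would put `/* Resolve Group= here, before gid is used for ownership of runtime directories, cgroup paths and stdio */` above the block. Since the first hunk removes the lookup from enforce_groups(), that function now trusts its `gid` argument, and a one-line comment there stating that the caller must pass the already-resolved group id would keep a later caller from applying the user's default group by mistake. The added block also ends in two blank `+` lines where one would match the surrounding code. Both functions start and end outside the hunks shown.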
diff --git a/test/exec-runtimedirectory-owner.service b/test/exec-runtimedirectory-owner.service
new file mode 100644
index 00000000000..077e08d1c58
--- /dev/null
+++ b/test/exec-runtimedirectory-owner.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set)
+
+[Service]
+ExecStart=/bin/sh -c 'f=/tmp/test-exec_runtimedirectory-owner;g=$(stat -c %G $f); echo "$g"; exit $(test $g = "nobody")'
+Type=oneshot
+Group=nobody
+User=root
+RuntimeDirectory=test-exec_runtimedirectory-owner
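Review bot: The pass/fail result in ExecStart rests on `exit $(test $g = "nobody")`, where the command substitution expands to nothing and the verdict depends on the shell carrying the substitution's status into a bare `exit`, which is easy to misread and not obviously guaranteed for every /bin/sh. `$g` is also unquoted, so an empty value from a failed `stat` turns the comparison into a `test` usage error instead of a clean mismatch. Ending the script with the comparison itself says the same thing directly: `test "$g" = "nobody"` as the last command, with no `exit`. The check reads the fixed path /tmp/test-exec_runtimedirectory-owner, so it presumably relies on the test harness pointing the runtime directory at /tmp; a `#` comment in the unit stating that would help, and it is worth confirming the test cannot pass or fail on a stale directory of that name left in a shared /tmp.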