From 4b2a1030f9b51e90f6ff4cdbc115871a398c1e0f Mon Sep 17 00:00:00 2001 From: Timo Sirainen Date: Fri, 20 Aug 2010 18:18:01 +0100 Subject: [PATCH] master: Set RESTRICT_* environment even when drop_priv_before_exec=yes Otherwise the executed process could still try to drop some of the privileges (groups). --- src/master/service-process.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/master/service-process.c b/src/master/service-process.c index ac5eef1b86..3575081588 100644 --- a/src/master/service-process.c +++ b/src/master/service-process.c @@ -166,11 +166,10 @@ drop_privileges(struct service *service) } rset.extra_groups = service->extra_gids; + restrict_access_set_env(&rset); if (service->set->drop_priv_before_exec) { disallow_root = service->type == SERVICE_TYPE_LOGIN; restrict_access(&rset, NULL, disallow_root); - } else { - restrict_access_set_env(&rset); } } -- 2.47.3