diff options
author | Djalal Harouni <tixxdz@opendz.org> | 2016-11-02 17:51:35 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-11-02 10:51:35 -0600 |
commit | bbeea271172a4664ce9a4a41a7fa3b1ca18dbedd (patch) | |
tree | e2200a8204af5e562000072e4351b32e674eeb97 | |
parent | 4887b656c22af059d4e833de7b56544f24951184 (diff) |
core: initialize groups list before checking SupplementaryGroups= of a unit (#4533)
Always initialize the supplementary groups of caller before checking the
unit SupplementaryGroups= option.
Fixes https://github.com/systemd/systemd/issues/4531
-rw-r--r-- | src/core/execute.c | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index ae9df41b99..a1bd0c1238 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -787,6 +787,20 @@ static int get_fixed_supplementary_groups(const ExecContext *c, assert(c); + /* + * If user is given, then lookup GID and supplementary groups list. + * We avoid NSS lookups for gid=0. Also we have to initialize groups + * as early as possible so we keep the list of supplementary groups + * of the caller. + */ + if (user && gid_is_valid(gid) && gid != 0) { + /* First step, initialize groups from /etc/groups */ + if (initgroups(user, gid) < 0) + return -errno; + + keep_groups = true; + } + if (!c->supplementary_groups) return 0; @@ -803,18 +817,6 @@ static int get_fixed_supplementary_groups(const ExecContext *c, return -EOPNOTSUPP; /* For all other values */ } - /* - * If user is given, then lookup GID and supplementary group list. - * We avoid NSS lookups for gid=0. - */ - if (user && gid_is_valid(gid) && gid != 0) { - /* First step, initialize groups from /etc/groups */ - if (initgroups(user, gid) < 0) - return -errno; - - keep_groups = true; - } - l_gids = new(gid_t, ngroups_max); if (!l_gids) return -ENOMEM; @@ -2577,7 +2579,7 @@ static int exec_child( return r; } - /* Drop group as early as possbile */ + /* Drop groups as early as possbile */ if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) { r = enforce_groups(context, gid, supplementary_gids, ngids); if (r < 0) { |