authorDjalal Harouni <tixxdz@opendz.org>2016-11-02 17:51:35 +0100
committerLennart Poettering <lennart@poettering.net>2016-11-02 10:51:35 -0600
commitbbeea271172a4664ce9a4a41a7fa3b1ca18dbedd (patch)
treee2200a8204af5e562000072e4351b32e674eeb97
parent4887b656c22af059d4e833de7b56544f24951184 (diff)
core: initialize groups list before checking SupplementaryGroups= of a unit (#4533)
Always initialize the supplementary groups of caller before checking the unit SupplementaryGroups= option. Fixes https://github.com/systemd/systemd/issues/4531
-rw-r--r--src/core/execute.c28
1 files changed, 15 insertions, 13 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index ae9df41b99..a1bd0c1238 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -787,6 +787,20 @@ static int get_fixed_supplementary_groups(const ExecContext *c,
assert(c);
+ /*
+ * If user is given, then lookup GID and supplementary groups list.
+ * We avoid NSS lookups for gid=0. Also we have to initialize groups
+ * as early as possible so we keep the list of supplementary groups
+ * of the caller.
+ */
+ if (user && gid_is_valid(gid) && gid != 0) {
+ /* First step, initialize groups from /etc/groups */
+ if (initgroups(user, gid) < 0)
+ return -errno;
+
+ keep_groups = true;
+ }
+
if (!c->supplementary_groups)
return 0;
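Review bot: With `initgroups()` now placed above the `if (!c->supplementary_groups) return 0;` early return, get_fixed_supplementary_groups() replaces the calling process's supplementary group list whenever `user` is set and `gid` is valid and non-zero, even when the unit sets no SupplementaryGroups=, although the name still reads as a pure getter. I would document that contract above the call, e.g. `/* Side effect: replaces this process's supplementary groups; call only in the forked child while it may still change groups */`, assuming that is how the caller uses it, since the call site is not in this hunk; computing the list with getgrouplist(3) and applying it only in enforce_groups() would avoid the side effect altogether. The inline comment names `/etc/groups`, but initgroups() resolves membership through the group database (NSS, `/etc/group` by default), so `/* First step, initialize groups via initgroups() (NSS group database) */` would be accurate. When `user` is NULL or `gid` is 0 the call is skipped and the inherited group list is left untouched on this path; whether it is cleared later is not visible here and is worth confirming. The function starts and ends outside the hunk.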
@@ -803,18 +817,6 @@ static int get_fixed_supplementary_groups(const ExecContext *c,
return -EOPNOTSUPP; /* For all other values */
}
- /*
- * If user is given, then lookup GID and supplementary group list.
- * We avoid NSS lookups for gid=0.
- */
- if (user && gid_is_valid(gid) && gid != 0) {
- /* First step, initialize groups from /etc/groups */
- if (initgroups(user, gid) < 0)
- return -errno;
-
- keep_groups = true;
- }
-
l_gids = new(gid_t, ngroups_max);
if (!l_gids)
return -ENOMEM;
@@ -2577,7 +2579,7 @@ static int exec_child(
return r;
}
- /* Drop group as early as possbile */
+ /* Drop groups as early as possbile */
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
r = enforce_groups(context, gid, supplementary_gids, ngids);
if (r < 0) {