authorLennart Poettering <lennart@poettering.net>2016-08-25 17:29:12 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-09-25 10:42:18 +0200
commit096424d1230e0a0339735c51b43949809e972430 (patch)
treebf3ac491bc270ec67886f2135e5c404023e5d37f /src/core/execute.c
parent920a7899ded2711e5ff4fe367a60a4fefca6767f (diff)
execute: drop group priviliges only after setting up namespace
If PrivateDevices=yes is set, the namespace code creates device nodes in /dev that should be owned by the host's root, hence let's make sure we set up the namespace before dropping group privileges.
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 20e74ec8a6..ae251b2a4c 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2291,14 +2291,9 @@ static int exec_child(
}
accum_env = strv_env_clean(accum_env);
- umask(context->umask);
+ (void) umask(context->umask);
if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
- r = enforce_groups(context, username, gid);
- if (r < 0) {
- *exit_status = EXIT_GROUP;
- return r;
- }
#ifdef HAVE_SMACK
if (context->smack_process_label) {
r = mac_smack_apply_pid(0, context->smack_process_label);
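Review bot: With `enforce_groups()` removed from the top of this block, the SMACK label application that follows, and everything else up to the new call site, now runs with the manager's original GID and supplementary groups. The code between the two positions is outside the visible hunks, so it needs checking by hand: any step there that creates files or opens descriptors would now do so with the host's group credentials rather than the unit's. If only the namespace setup is meant to benefit, say so where this block starts, e.g. `/* Group privileges are dropped further down, after namespace setup; nothing in between may rely on the unit's GID. */`. exec_child's body starts and continues outside this hunk.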
@@ -2395,6 +2390,14 @@ static int exec_child(
}
}
+ if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
+ r = enforce_groups(context, username, gid);
+ if (r < 0) {
+ *exit_status = EXIT_GROUP;
+ return r;
+ }
+ }
+
if (context->working_directory_home)
wd = home;
else if (context->working_directory)
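Review bot: The new `enforce_groups()` block has no comment explaining why it sits at this point, although the ordering is the security-relevant part of the change and a later cleanup could easily move it back. I would add above the `if`: `/* Drop group privileges only after the namespace is set up: with PrivateDevices=yes the namespace code creates device nodes in /dev that must be owned by the host's root. */`. The call presumably also has to stay ahead of the UID drop, since changing the supplementary groups normally needs privileges that the UID drop removes; that code is not in this hunk, so confirm the order still holds. The condition `(params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged` now appears twice in exec_child, and the two copies have to be kept in sync.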