summaryrefslogtreecommitdiff
path: root/src/basic
diff options
context:
space:
mode:
Diffstat (limited to 'src/basic')
-rw-r--r--src/basic/capability-util.c5
-rw-r--r--src/basic/user-util.c49
2 files changed, 31 insertions, 23 deletions
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index f8db6e0212..c3de20a0e8 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -296,8 +296,9 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
if (setresgid(gid, gid, gid) < 0)
return log_error_errno(errno, "Failed to change group ID: %m");
- if (maybe_setgroups(0, NULL) < 0)
- return log_error_errno(errno, "Failed to drop auxiliary groups list: %m");
+ r = maybe_setgroups(0, NULL);
+ if (r < 0)
+ return log_error_errno(r, "Failed to drop auxiliary groups list: %m");
/* Ensure we keep the permitted caps across the setresuid() */
if (prctl(PR_SET_KEEPCAPS, 1) < 0)
diff --git a/src/basic/user-util.c b/src/basic/user-util.c
index 16496fccfa..de6c93056e 100644
--- a/src/basic/user-util.c
+++ b/src/basic/user-util.c
@@ -460,9 +460,11 @@ int get_shell(char **_s) {
}
int reset_uid_gid(void) {
+ int r;
- if (maybe_setgroups(0, NULL) < 0)
- return -errno;
+ r = maybe_setgroups(0, NULL);
+ if (r < 0)
+ return r;
if (setresgid(0, 0, 0) < 0)
return -errno;
@@ -605,25 +607,30 @@ bool valid_home(const char *p) {
}
int maybe_setgroups(size_t size, const gid_t *list) {
- static int cached_can_setgroups = -1;
- /* check if setgroups is allowed before we try to drop all the auxiliary groups */
- if (size == 0) {
- if (cached_can_setgroups < 0) {
- _cleanup_free_ char *setgroups_content = NULL;
- int r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
- if (r < 0 && errno != ENOENT)
- return r;
- if (r < 0) {
- /* old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
- cached_can_setgroups = true;
- } else {
- cached_can_setgroups = streq(setgroups_content, "allow");
- if (!cached_can_setgroups)
- log_debug("skip setgroups, /proc/self/setgroups is set to 'deny'");
- }
- }
- if (!cached_can_setgroups)
+ int r;
+
+ /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
+ if (size == 0) { /* Dropping all aux groups? */
+ _cleanup_free_ char *setgroups_content = NULL;
+ bool can_setgroups;
+
+ r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
+ if (r == -ENOENT)
+ /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
+ can_setgroups = true;
+ else if (r < 0)
+ return r;
+ else
+ can_setgroups = streq(setgroups_content, "allow");
+
+ if (!can_setgroups) {
+ log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
return 0;
+ }
}
- return setgroups(size, list);
+
+ if (setgroups(size, list) < 0)
+ return -errno;
+
+ return 0;
}