From bbeea271172a4664ce9a4a41a7fa3b1ca18dbedd Mon Sep 17 00:00:00 2001 From: Djalal Harouni Date: Wed, 2 Nov 2016 17:51:35 +0100 Subject: core: initialize groups list before checking SupplementaryGroups= of a unit (#4533) Always initialize the supplementary groups of caller before checking the unit SupplementaryGroups= option. Fixes https://github.com/systemd/systemd/issues/4531 --- src/core/execute.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) (limited to 'src') diff --git a/src/core/execute.c b/src/core/execute.c index ae9df41b99..a1bd0c1238 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -787,6 +787,20 @@ static int get_fixed_supplementary_groups(const ExecContext *c, assert(c); + /* + * If user is given, then lookup GID and supplementary groups list. + * We avoid NSS lookups for gid=0. Also we have to initialize groups + * as early as possible so we keep the list of supplementary groups + * of the caller. + */ + if (user && gid_is_valid(gid) && gid != 0) { + /* First step, initialize groups from /etc/groups */ + if (initgroups(user, gid) < 0) + return -errno; + + keep_groups = true; + } + if (!c->supplementary_groups) return 0; @@ -803,18 +817,6 @@ static int get_fixed_supplementary_groups(const ExecContext *c, return -EOPNOTSUPP; /* For all other values */ } - /* - * If user is given, then lookup GID and supplementary group list. - * We avoid NSS lookups for gid=0. - */ - if (user && gid_is_valid(gid) && gid != 0) { - /* First step, initialize groups from /etc/groups */ - if (initgroups(user, gid) < 0) - return -errno; - - keep_groups = true; - } - l_gids = new(gid_t, ngroups_max); if (!l_gids) return -ENOMEM; @@ -2577,7 +2579,7 @@ static int exec_child( return r; } - /* Drop group as early as possbile */ + /* Drop groups as early as possbile */ if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) { r = enforce_groups(context, gid, supplementary_gids, ngids); if (r < 0) { -- cgit v1.2.3-54-g00ecf