core: fix group ownership when Group is set
When Group= is set in the unit, the runtime directories are owned by that group rather than by the default group of the user (the same applies to cgroup paths and standard outputs). Fixes #1231
This commit is contained in:
parent
cc3ddc851f
commit
5bc7452b32
@ -629,15 +629,6 @@ static int enforce_groups(const ExecContext *context, const char *username, gid_
|
||||
* we avoid NSS lookups for gid=0. */
|
||||
|
||||
if (context->group || username) {
|
||||
|
||||
if (context->group) {
|
||||
const char *g = context->group;
|
||||
|
||||
r = get_group_creds(&g, &gid);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
/* First step, initialize groups from /etc/groups */
|
||||
if (username && gid != 0) {
|
||||
if (initgroups(username, gid) < 0)
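Review bot: With the Group= lookup removed, enforce_groups() now depends on its `gid` parameter already holding the group resolved by the caller, but nothing left in the visible body documents that contract; a comment above `if (username && gid != 0) {` such as `/* gid was already resolved from Group= (or the user's primary group) by the caller; only supplementary groups are initialized here. */` would make the new dependency explicit. The outer `if (context->group || username) {` still tests context->group although the visible remainder no longer reads it; whether the rest of the body needs it cannot be seen from this hunk, so it is worth checking whether that condition can now be reduced to `username`. enforce_groups() starts and ends outside the hunk.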
|
||||
@ -1414,6 +1405,17 @@ static int exec_child(
|
||||
}
|
||||
}
|
||||
|
||||
if (context->group) {
|
||||
const char *g = context->group;
|
||||
|
||||
r = get_group_creds(&g, &gid);
|
||||
if (r < 0) {
|
||||
*exit_status = EXIT_GROUP;
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* If a socket is connected to STDIN/STDOUT/STDERR, we
|
||||
* must sure to drop O_NONBLOCK */
|
||||
if (socket_fd >= 0)
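Review bot: The relocated Group= resolution carries no comment explaining why it now runs this early in exec_child() instead of inside enforce_groups(), which is the whole point of the commit; add `/* Resolve Group= before the runtime directories, cgroup paths and standard outputs are set up below, so they are owned by that group rather than by the user's primary group. */` above `if (context->group) {`. The declaration and initial value of `gid` are outside the hunk, and since enforce_groups() now trusts whatever it is handed, it is worth confirming that `gid` is initialized (presumably by the User= lookup, or to a defined default) on the path where neither User= nor Group= is set. The copy `const char *g = context->group;` before `get_group_creds(&g, &gid)` looks like it exists because the helper may rewrite the pointer it is given; if so, a short comment saying that would spare the next reader the question, but the helper's contract cannot be verified from here. exec_child() starts and ends outside the hunk.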
|
||||
|
@ -140,6 +140,7 @@ static void test_exec_umask(Manager *m) {
|
||||
static void test_exec_runtimedirectory(Manager *m) {
|
||||
test(m, "exec-runtimedirectory.service", 0, CLD_EXITED);
|
||||
test(m, "exec-runtimedirectory-mode.service", 0, CLD_EXITED);
|
||||
test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
|
9
test/exec-runtimedirectory-owner.service
Normal file
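--- /dev/null
+++ b/test/exec-runtimedirectory-owner.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set)
+
+[Service]
+ExecStart=/bin/sh -c 'f=/tmp/test-exec_runtimedirectory-owner;g=$(stat -c %G $f); echo "$g"; exit $(test $g = "nobody")'
+Type=oneshot
+Group=nobody
+User=root
+RuntimeDirectory=test-exec_runtimedirectory-owner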
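Review bot: The result of the check in ExecStart= is produced by `exit $(test $g = "nobody")`, which relies on `exit` with an empty argument list reusing the status of the command substitution — an obscure shell behaviour — and leaves `$g` unquoted, so a failed stat turns into a `test` syntax error rather than a clean mismatch; ending the script with `test "$g" = nobody` expresses the same check directly and robustly. The path checked is under /tmp while RuntimeDirectory= normally lands under /run; presumably the test manager relocates the runtime prefix to /tmp as the sibling exec-runtimedirectory tests do, which is worth confirming before relying on this test. Note also that User=root with Group=nobody at the default directory mode yields a root:nobody directory without group write permission, so this test exercises ownership only, not whether the configured group can actually use the directory.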
|