mirror of
https://github.com/systemd/systemd.git
synced 2024-12-23 21:35:11 +03:00
exec-invoke: extend comment on placement of apply_working_directory() call
Inspired by CVE-2024-21626, let's add a longer comment explaining why the code really shouldn't be moved any earlier. Just in the hope that anyone who feels tempted to move this around maybe actually reads the comment and reconsiders.
parent 0d1332841e
commit a13fb98ba7
@ -5040,8 +5040,10 @@ int exec_invoke(
|
||||
}
|
||||
}
|
||||
|
||||
/* Apply working directory here, because the working directory might be on NFS and only the user running
|
||||
* this service might have the correct privilege to change to the working directory */
|
||||
/* Apply working directory here, because the working directory might be on NFS and only the user
|
||||
* running this service might have the correct privilege to change to the working directory. Also, it
|
||||
* is absolutely 💣 crucial 💣 we applied all mount namespacing rearrangements before this, so that
|
||||
* the cwd cannot be used to pin directories outside of the sandbox. */
|
||||
r = apply_working_directory(context, params, runtime, home, exit_status);
|
||||
if (r < 0)
|
||||
return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m");
|
||||
|
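Review bot: The extended comment above the apply_working_directory() call gives the ordering rule (all mount namespacing rearrangements first, so the cwd cannot pin directories outside of the sandbox), but the CVE-2024-21626 reference that motivates it exists only in the commit message. Consider naming it in the comment itself, for example "(cf. CVE-2024-21626)", so a reader who is about to move the call can look up the failure mode without going through git blame. Minor: "crucial we applied" reads better as "crucial that we have applied", and the 💣 characters put non-ASCII bytes into the C source, which is worth a second look if the tree otherwise keeps comments ASCII.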