Set group id before user id in child process

author Davin McCall <davmac@davmac.org>

Tue, 23 Jun 2020 11:36:40 +0000 (21:36 +1000)

committer Davin McCall <davmac@davmac.org>

Tue, 23 Jun 2020 11:36:40 +0000 (21:36 +1000)
author Davin McCall <davmac@davmac.org>
Tue, 23 Jun 2020 11:36:40 +0000 (21:36 +1000)
committer Davin McCall <davmac@davmac.org>
Tue, 23 Jun 2020 11:36:40 +0000 (21:36 +1000)
diff --git a/src/run-child-proc.cc b/src/run-child-proc.cc

index ba54ab275e001bf0baf59b17dc31db168c2f5755..757ddd71aaeabd09502c4d6a3696457e8181e46a 100644 (file)
--- a/src/run-child-proc.cc
+++ b/src/run-child-proc.cc
@@ -258,8 +258,9 @@ void base_process_service::run_child_proc(run_proc_params params) noexcept
  
      if (uid != uid_t(-1)) {
          err.stage = exec_stage::SET_UIDGID;
-        if (setreuid(uid, uid) != 0) goto failure_out;
+        // We must set group first (i.e. before we drop privileges)
          if (setregid(gid, gid) != 0) goto failure_out;
+        if (setreuid(uid, uid) != 0) goto failure_out;
      }
  
      sigprocmask(SIG_SETMASK, &sigwait_set, nullptr);
author	Davin McCall <davmac@davmac.org>
	Tue, 23 Jun 2020 11:36:40 +0000 (21:36 +1000)
committer	Davin McCall <davmac@davmac.org>
	Tue, 23 Jun 2020 11:36:40 +0000 (21:36 +1000)