|
 |
923a60 |
From f2300a5c3226d3a66d77c34ae811401c638f430f Mon Sep 17 00:00:00 2001
|
|
|
923a60 |
From: Ronny Chevalier <chevalier.ronny@gmail.com>
|
|
|
923a60 |
Date: Mon, 21 Sep 2015 15:45:51 +0200
|
|
|
923a60 |
Subject: [PATCH] core: fix group ownership when Group is set
|
|
|
923a60 |
|
|
|
923a60 |
When Group is set in the unit, the runtime directories are owned by
|
|
|
923a60 |
this group and not the default group of the user (same for cgroup paths
|
|
|
923a60 |
and standard outputs)
|
|
|
923a60 |
|
|
|
923a60 |
Fix #1231
|
|
|
923a60 |
|
|
|
923a60 |
Cherry-picked from: 5bc7452b3219456e07f931e40da30bb94a884293
|
|
|
923a60 |
Resolves: #1324826
|
|
|
923a60 |
---
|
|
|
923a60 |
src/core/execute.c | 19 +++++++++++--------
|
|
|
923a60 |
src/test/test-execute.c | 1 +
|
|
|
923a60 |
test/exec-runtimedirectory-owner.service | 9 +++++++++
|
|
|
923a60 |
3 files changed, 21 insertions(+), 8 deletions(-)
|
|
|
923a60 |
create mode 100644 test/exec-runtimedirectory-owner.service
|
|
|
923a60 |
|
|
|
923a60 |
diff --git a/src/core/execute.c b/src/core/execute.c
|
|
|
923a60 |
index 1815e3de2d..8172c8b442 100644
|
|
|
923a60 |
--- a/src/core/execute.c
|
|
|
923a60 |
+++ b/src/core/execute.c
|
|
|
923a60 |
@@ -629,14 +629,6 @@ static int enforce_groups(const ExecContext *context, const char *username, gid_
|
|
|
923a60 |
* we avoid NSS lookups for gid=0. */
|
|
|
923a60 |
|
|
|
923a60 |
if (context->group || username) {
|
|
|
923a60 |
-
|
|
|
923a60 |
- if (context->group) {
|
|
|
923a60 |
- const char *g = context->group;
|
|
|
923a60 |
-
|
|
|
923a60 |
- if ((r = get_group_creds(&g, &gid)) < 0)
|
|
|
923a60 |
- return r;
|
|
|
923a60 |
- }
|
|
|
923a60 |
-
|
|
|
923a60 |
/* First step, initialize groups from /etc/groups */
|
|
|
923a60 |
if (username && gid != 0) {
|
|
|
923a60 |
if (initgroups(username, gid) < 0)
|
|
|
923a60 |
@@ -1374,6 +1366,17 @@ static int exec_child(
|
|
|
923a60 |
}
|
|
|
923a60 |
}
|
|
|
923a60 |
|
|
|
923a60 |
+ if (context->group) {
|
|
|
923a60 |
+ const char *g = context->group;
|
|
|
923a60 |
+
|
|
|
923a60 |
+ r = get_group_creds(&g, &gid;;
|
|
|
923a60 |
+ if (r < 0) {
|
|
|
923a60 |
+ *exit_status = EXIT_GROUP;
|
|
|
923a60 |
+ return r;
|
|
|
923a60 |
+ }
|
|
|
923a60 |
+ }
|
|
|
923a60 |
+
|
|
|
923a60 |
+
|
|
|
923a60 |
/* If a socket is connected to STDIN/STDOUT/STDERR, we
|
|
|
923a60 |
* must sure to drop O_NONBLOCK */
|
|
|
923a60 |
if (socket_fd >= 0)
|
|
|
923a60 |
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
|
|
|
923a60 |
index 90b1c871cc..38522a168d 100644
|
|
|
923a60 |
--- a/src/test/test-execute.c
|
|
|
923a60 |
+++ b/src/test/test-execute.c
|
|
|
923a60 |
@@ -144,6 +144,7 @@ static void test_exec_umask(Manager *m) {
|
|
|
923a60 |
static void test_exec_runtimedirectory(Manager *m) {
|
|
|
923a60 |
test(m, "exec-runtimedirectory.service", 0, CLD_EXITED);
|
|
|
923a60 |
test(m, "exec-runtimedirectory-mode.service", 0, CLD_EXITED);
|
|
|
923a60 |
+ test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
|
|
|
923a60 |
}
|
|
|
923a60 |
|
|
|
923a60 |
int main(int argc, char *argv[]) {
|
|
|
923a60 |
diff --git a/test/exec-runtimedirectory-owner.service b/test/exec-runtimedirectory-owner.service
|
|
|
923a60 |
new file mode 100644
|
|
|
923a60 |
index 0000000000..077e08d1c5
|
|
|
923a60 |
--- /dev/null
|
|
|
923a60 |
+++ b/test/exec-runtimedirectory-owner.service
|
|
|
923a60 |
@@ -0,0 +1,9 @@
|
|
|
923a60 |
+[Unit]
|
|
|
923a60 |
+Description=Test for RuntimeDirectory owner (must not be the default group of the user if Group is set)
|
|
|
923a60 |
+
|
|
|
923a60 |
+[Service]
|
|
|
923a60 |
+ExecStart=/bin/sh -c 'f=/tmp/test-exec_runtimedirectory-owner;g=$(stat -c %G $f); echo "$g"; exit $(test $g = "nobody")'
|
|
|
923a60 |
+Type=oneshot
|
|
|
923a60 |
+Group=nobody
|
|
|
923a60 |
+User=root
|
|
|
923a60 |
+RuntimeDirectory=test-exec_runtimedirectory-owner
|