From: David Kalnischkies <david@kalnischkies.de>
Date: Wed, 15 Oct 2014 01:53:47 +0000 (+0200)
Subject: set PR_SET_NO_NEW_PRIVS even if sandbox is disabled
X-Git-Tag: 1.1.exp6~2
X-Git-Url: https://git.saurik.com/apt.git/commitdiff_plain/990dd78ab46607ad06d81b36e303156040a236e2

set PR_SET_NO_NEW_PRIVS even if sandbox is disabled

Similar to 8f45798d532223adc378a4ad9ecfc64b3be26e4f, there is no harm to
set this, even if we don't drop privileges.

Git-Dch: Ignore
---

diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc
index f6351b7b5..c51eee737 100644
--- a/apt-pkg/contrib/fileutl.cc
+++ b/apt-pkg/contrib/fileutl.cc
@@ -2168,12 +2168,6 @@ bool DropPrivileges()							/*{{{*/
    if(_config->FindB("Debug::NoDropPrivs", false) == true)
       return true;
 
-   // empty setting disables DropPrivilidges - this also ensures
-   // backward compatibility, see bug #764506
-   const std::string toUser = _config->Find("APT::Sandbox::User");
-   if (toUser.empty())
-      return true;
-
 #if __gnu_linux__
 #if defined(PR_SET_NO_NEW_PRIVS) && ( PR_SET_NO_NEW_PRIVS != 38 )
 #error "PR_SET_NO_NEW_PRIVS is defined, but with a different value than expected!"
@@ -2185,6 +2179,12 @@ bool DropPrivileges()							/*{{{*/
       _error->Warning("PR_SET_NO_NEW_PRIVS failed with %i", ret);
 #endif
 
+   // empty setting disables privilege dropping - this also ensures
+   // backward compatibility, see bug #764506
+   const std::string toUser = _config->Find("APT::Sandbox::User");
+   if (toUser.empty())
+      return true;
+
    // uid will be 0 in the end, but gid might be different anyway
    uid_t const old_uid = getuid();
    gid_t const old_gid = getgid();