From 990dd78ab46607ad06d81b36e303156040a236e2 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 15 Oct 2014 03:53:47 +0200 Subject: [PATCH] set PR_SET_NO_NEW_PRIVS even if sandbox is disabled Similar to 8f45798d532223adc378a4ad9ecfc64b3be26e4f, there is no harm to set this, even if we don't drop privileges. Git-Dch: Ignore --- apt-pkg/contrib/fileutl.cc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc index f6351b7b5..c51eee737 100644 --- a/apt-pkg/contrib/fileutl.cc +++ b/apt-pkg/contrib/fileutl.cc @@ -2168,12 +2168,6 @@ bool DropPrivileges() /*{{{*/ if(_config->FindB("Debug::NoDropPrivs", false) == true) return true; - // empty setting disables DropPrivilidges - this also ensures - // backward compatibility, see bug #764506 - const std::string toUser = _config->Find("APT::Sandbox::User"); - if (toUser.empty()) - return true; - #if __gnu_linux__ #if defined(PR_SET_NO_NEW_PRIVS) && ( PR_SET_NO_NEW_PRIVS != 38 ) #error "PR_SET_NO_NEW_PRIVS is defined, but with a different value than expected!" @@ -2185,6 +2179,12 @@ bool DropPrivileges() /*{{{*/ _error->Warning("PR_SET_NO_NEW_PRIVS failed with %i", ret); #endif + // empty setting disables privilege dropping - this also ensures + // backward compatibility, see bug #764506 + const std::string toUser = _config->Find("APT::Sandbox::User"); + if (toUser.empty()) + return true; + // uid will be 0 in the end, but gid might be different anyway uid_t const old_uid = getuid(); gid_t const old_gid = getgid(); -- 2.47.2