Merge "setgid should be called before setuid"

2023-07-14 15:22:09 +00:00 · 2023-07-14 15:22:09 +00:00 · e46ad9c44d
commit e46ad9c44d
parent 1f9d71260e 33fec1971b
3 changed files with 12 additions and 3 deletions
--- a/oslo_privsep/daemon.py
+++ b/oslo_privsep/daemon.py
@ -414,13 +414,11 @@ class Daemon(object):
                    msg = _('Failed to remove supplemental groups')
                    LOG.critical(msg)
                    raise FailedToDropPrivileges(msg)
+                setgid(self.group)

            if self.user is not None:
                setuid(self.user)

-            if self.group is not None:
-                setgid(self.group)
-
        finally:
            capabilities.set_keepcaps(False)

--- a/oslo_privsep/tests/test_daemon.py
+++ b/oslo_privsep/tests/test_daemon.py
@ -166,6 +166,11 @@ class DaemonTest(base.BaseTestCase):
        channel = mock.NonCallableMock()
        context = get_fake_context()

+        manager = mock.Mock()
+        manager.attach_mock(mock_setuid, "setuid")
+        manager.attach_mock(mock_setgid, "setgid")
+        expected_calls = [mock.call.setgid(84), mock.call.setuid(42)]
+
        d = daemon.Daemon(channel, context)
        d._drop_privs()

@ -173,6 +178,8 @@ class DaemonTest(base.BaseTestCase):
        mock_setgid.assert_called_once_with(84)
        mock_setgroups.assert_called_once_with([])

+        assert manager.mock_calls == expected_calls
+
        self.assertCountEqual(
            [mock.call(True), mock.call(False)],
            mock_keepcaps.mock_calls)
--- a/releasenotes/notes/setgid-should-be-called-before-setuid-fcf01083df9d5369.yaml
+++ b/releasenotes/notes/setgid-should-be-called-before-setuid-fcf01083df9d5369.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Fixed the failing setgid call when overriding both uid and gid to non root