diff --git a/oslo_privsep/daemon.py b/oslo_privsep/daemon.py
index 71192a0..df168f5 100644
--- a/oslo_privsep/daemon.py
+++ b/oslo_privsep/daemon.py
@@ -414,13 +414,11 @@ class Daemon(object):
 msg = _('Failed to remove supplemental groups')
 LOG.critical(msg)
 raise FailedToDropPrivileges(msg)
+ setgid(self.group)
 if self.user is not None:
 setuid(self.user)
- if self.group is not None:
- setgid(self.group)
-
 finally:
 capabilities.set_keepcaps(False)
diff --git a/oslo_privsep/tests/test_daemon.py b/oslo_privsep/tests/test_daemon.py
index 69d8f8c..6f69a0e 100644
--- a/oslo_privsep/tests/test_daemon.py
+++ b/oslo_privsep/tests/test_daemon.py
@@ -166,6 +166,11 @@ class DaemonTest(base.BaseTestCase):
 channel = mock.NonCallableMock()
 context = get_fake_context()
+ manager = mock.Mock()
+ manager.attach_mock(mock_setuid, "setuid")
+ manager.attach_mock(mock_setgid, "setgid")
+ expected_calls = [mock.call.setgid(84), mock.call.setuid(42)]
+
 d = daemon.Daemon(channel, context)
 d._drop_privs()
@@ -173,6 +178,8 @@ class DaemonTest(base.BaseTestCase):
 mock_setgid.assert_called_once_with(84)
 mock_setgroups.assert_called_once_with([])
+ assert manager.mock_calls == expected_calls
+
 self.assertCountEqual(
 [mock.call(True), mock.call(False)],
 mock_keepcaps.mock_calls)
diff --git a/releasenotes/notes/setgid-should-be-called-before-setuid-fcf01083df9d5369.yaml b/releasenotes/notes/setgid-should-be-called-before-setuid-fcf01083df9d5369.yaml
new file mode 100644
index 0000000..c98ce13
--- /dev/null
+++ b/releasenotes/notes/setgid-should-be-called-before-setuid-fcf01083df9d5369.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ Fixed the failing setgid call when overriding both uid and gid to non root
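Review bot: The added `setgid(self.group)` after the `raise FailedToDropPrivileges(msg)` line no longer has its own `if self.group is not None:` guard, so it is only correct if it sits inside a group check that starts above the hunk; the indentation that would show this is lost in this rendering. Assuming it does, the order is now the conventional one (supplemental groups, then gid, then uid), but nothing in the code says why, and I would add a comment such as `# Change gid before uid: after setuid() to a non-root user the process may no longer be allowed to call setgid().`. If that enclosing check is on `self.group`, a context that sets only a user would skip both the supplemental-group removal and `setgid`, leaving the original groups in place after `setuid`; please confirm that is intended. The method and its `try:` begin outside the hunk.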
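Review bot: The ordering check built from `expected_calls = [mock.call.setgid(84), mock.call.setuid(42)]` covers only a context that sets both ids; no case visible on this page exercises `_drop_privs()` with the group unset, which is the path where the now-unguarded `setgid(self.group)` in daemon.py matters. A second test with a context whose group is `None`, asserting `mock_setgid.assert_not_called()` and that `setuid` is still called, would pin that behaviour. The test method's signature and decorators are outside the hunk.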
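Review bot: The added `assert manager.mock_calls == expected_calls` is a bare assert in a `base.BaseTestCase` method whose neighbouring checks all use mock or `self.assert*` helpers. A bare assert is removed when Python runs with `-O`, and under a unittest-style runner it fails without showing the two call lists. I would write `self.assertEqual(expected_calls, manager.mock_calls)` to match the `self.assertCountEqual(...)` call that follows it.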