From 3b8bdddeffbbb9569ae68018bf2942cf73befc85 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 30 Jun 2011 02:15:01 +0200
Subject: [PATCH] execute: do initgroups() first, pam initialization second so that it can still modify the groups list
---
 src/execute.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/execute.c b/src/execute.c
index 6f0f5d09d..cb5584354 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -886,7 +886,7 @@ static int setup_pam(
 * cleanups, so forget about the handle here. */
 handle = NULL;
- /* Unblock SIGSUR1 again in the parent */
+ /* Unblock SIGTERM again in the parent */
 if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
 goto fail;
@@ -1255,6 +1255,14 @@ int exec_spawn(ExecCommand *command,
 }
 }
+ if (apply_permissions)
+ if (enforce_groups(context, username, uid) < 0) {
+ r = EXIT_GROUP;
+ goto fail_child;
+ }
+
+ umask(context->umask);
+
 #ifdef HAVE_PAM
 if (context->pam_name && username) {
 if (setup_pam(context->pam_name, username, context->tty_path, &pam_env, fds, n_fds) < 0) {
@@ -1264,14 +1272,6 @@ int exec_spawn(ExecCommand *command,
 }
 #endif
- if (apply_permissions)
- if (enforce_groups(context, username, uid) < 0) {
- r = EXIT_GROUP;
- goto fail_child;
- }
-
- umask(context->umask);
-
 if (strv_length(context->read_write_dirs) > 0 ||
 strv_length(context->read_only_dirs) > 0 ||
 strv_length(context->inaccessible_dirs) > 0 ||
-- 
2.30.2
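Review bot: In the second hunk (exec_spawn), `umask(context->umask);` moves ahead of the `HAVE_PAM` block together with the `enforce_groups()` call, although the commit message only motivates the group-list ordering. If setup_pam() opens the session in this process (its body is not in the hunk, so this is an assumption), a session module that sets the umask would now take precedence over the unit's configured value, whereas before the unit's value was applied last. Unless that is intended, keep `umask(context->umask);` after the `#endif`. A comment above the moved block, for example `/* Set the group list before PAM so that session modules can still extend it */`, would record that the final supplementary groups now depend on the PAM stack and keep the order from being reverted later. exec_spawn's body starts and ends outside the hunk.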