util: drop capabilities immediately after changing uid/gid of child

This is an interim measure to make sure everything still works in this
order. The next step will be to perform capabilities drop and
setuid/gid as a single operation (which is the only way to keep any
capabilities when switching to a non-root uid).

diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index 0699fdbae1839cbf37d70f27839c55a7eb2bd5af..b0361dc82d73bebf4f0f52171c89c77cf7057b3a 100644 (file)
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -652,6 +652,12 @@ virExec(virCommandPtr cmd)
             goto fork_error;
     }
 
+    /* The steps above may need todo something privileged, so
+     * we delay clearing capabilities until the last minute */
+    if (cmd->capabilities || (cmd->flags & VIR_EXEC_CLEAR_CAPS))
+        if (virSetCapabilities(cmd->capabilities) < 0)
+            goto fork_error;
+
     if (cmd->pwd) {
         VIR_DEBUG("Running child in %s", cmd->pwd);
         if (chdir(cmd->pwd) < 0) {
@@ -670,12 +676,6 @@ virExec(virCommandPtr cmd)
         goto fork_error;
     }
 
-    /* The steps above may need todo something privileged, so
-     * we delay clearing capabilities until the last minute */
-    if (cmd->capabilities || (cmd->flags & VIR_EXEC_CLEAR_CAPS))
-        if (virSetCapabilities(cmd->capabilities) < 0)
-            goto fork_error;
-
     /* Close logging again to ensure no FDs leak to child */
     virLogReset();