1 files changed, 7 insertions, 1 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e0cecda1b..e1959a453 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -669,7 +669,9 @@ int sandbox(void* sandbox_arg) {
                // do nothing - there are problems with ibus version 1.5.11
        }
        else
+                EUID_USER();
                env_ibus_load();
+                EUID_ROOT();
        //****************************
        // fs pre-processing:
@@ -925,6 +927,8 @@ int sandbox(void* sandbox_arg) {
        // set application environment
        //****************************
        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+        EUID_USER();
        int cwd = 0;
        if (cfg.cwd) {
                if (chdir(cfg.cwd) == 0)
@@ -951,7 +955,7 @@ int sandbox(void* sandbox_arg) {
                }
        }
+        EUID_ROOT();
        // set nice
        if (arg_nice) {
                errno = 0;
@@ -980,7 +984,9 @@ int sandbox(void* sandbox_arg) {
        // set cpu affinity
        if (cfg.cpus) {
                save_cpu(); // save cpu affinity mask to CPU_CFG file
+                EUID_USER();
                set_cpu_affinity();
+                EUID_ROOT();
        }
        // save cgroup in CGROUP_CFG file

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index e0cecda1b..e1959a453 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -669,7 +669,9 @@ int sandbox(void* sandbox_arg) {
669	// do nothing - there are problems with ibus version 1.5.11	669	// do nothing - there are problems with ibus version 1.5.11
670	}	670	}
671	else	671	else
		672	EUID_USER();
672	env_ibus_load();	673	env_ibus_load();
		674	EUID_ROOT();
673		675
674	//****************************	676	//****************************
675	// fs pre-processing:	677	// fs pre-processing:
@@ -925,6 +927,8 @@ int sandbox(void* sandbox_arg) {
925	// set application environment	927	// set application environment
926	//****************************	928	//****************************
927	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died	929	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
		930
		931	EUID_USER();
928	int cwd = 0;	932	int cwd = 0;
929	if (cfg.cwd) {	933	if (cfg.cwd) {
930	if (chdir(cfg.cwd) == 0)	934	if (chdir(cfg.cwd) == 0)
@@ -951,7 +955,7 @@ int sandbox(void* sandbox_arg) {
951	}	955	}
952	}	956	}
953		957
954		958	EUID_ROOT();
955	// set nice	959	// set nice
956	if (arg_nice) {	960	if (arg_nice) {
957	errno = 0;	961	errno = 0;
@@ -980,7 +984,9 @@ int sandbox(void* sandbox_arg) {
980	// set cpu affinity	984	// set cpu affinity
981	if (cfg.cpus) {	985	if (cfg.cpus) {
982	save_cpu(); // save cpu affinity mask to CPU_CFG file	986	save_cpu(); // save cpu affinity mask to CPU_CFG file
		987	EUID_USER();
983	set_cpu_affinity();	988	set_cpu_affinity();
		989	EUID_ROOT();
984	}	990	}
985		991
986	// save cgroup in CGROUP_CFG file	992	// save cgroup in CGROUP_CFG file