From 3f2ac1d5cd873c57042ea6f8d88c74e24e9dee37 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 22 Apr 2018 13:24:01 +0200
Subject: priv tweaks
---
 src/firejail/env.c | 2 --
 src/firejail/join.c | 5 +++++
 src/firejail/sandbox.c | 8 +++++++-
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 73d68724e..cc63bd542 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -101,9 +101,7 @@ void env_ibus_load(void) {
 *ptr = '\0';
 if (arg_debug)
 printf("%s\n", buf);
- EUID_USER();
 env_store(buf, SETENV);
- EUID_ROOT();
 }
 fclose(fp);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index c303d3fb8..d4a2389c6 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -292,6 +292,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
 }
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+
+ EUID_USER();
 if (chdir("/") < 0)
 errExit("chdir");
 if (homedir) {
@@ -308,6 +310,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 set_cpu_affinity();
 // set caps filter
+ EUID_ROOT();
 if (apply_caps == 1) // not available for uid 0
 caps_set(caps);
 #ifdef HAVE_SECCOMP
@@ -347,6 +350,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
 }
 // set environment, add x11 display
+ EUID_USER();
+
 env_defaults();
 if (display) {
 char *display_str;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e0cecda1b..e1959a453 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -669,7 +669,9 @@ int sandbox(void* sandbox_arg) {
 // do nothing - there are problems with ibus version 1.5.11
 }
 else
+ EUID_USER();
 env_ibus_load();
+ EUID_ROOT();
 //****************************
 // fs pre-processing:
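Review bot: In src/firejail/join.c the three added calls form one effective-uid toggle spread over separate hunks, and nothing in the code says which euid each stretch expects: `EUID_USER();` before `chdir("/")` (@@ -292), `EUID_ROOT();` before `caps_set(caps)` (@@ -308), and `EUID_USER();` before `env_defaults()` (@@ -347). A later edit that moves a statement across one of these calls would silently change the privileges it runs with. I would label each switch, for example `EUID_USER(); // chdir and affinity run with the caller's euid` and `EUID_ROOT(); // caps and the filters below need root`. In @@ -308 the existing `// set caps filter` comment now sits above the euid switch rather than the `if`, so the call is better placed above that comment. The body of join() continues outside all three hunks, so the code between the switches is not visible here and should be checked for calls that still need root.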
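Review bot: In the src/firejail/sandbox.c hunk at @@ -669 the `else` has no braces, so after the insertion only `EUID_USER();` is its body, while `env_ibus_load();` and `EUID_ROOT();` run on both paths. That includes the "do nothing - there are problems with ibus version 1.5.11" branch, where the load was meant to be skipped and where the euid has not been dropped. Because this commit also removes the EUID_USER()/EUID_ROOT() pair inside env_ibus_load() (env.c hunk), that branch would parse the ibus file and store its variables with root's effective uid. This assumes EUID_USER() expands to a single statement, since its definition is not on this page. Brace the branch: `else {` … `EUID_USER(); env_ibus_load(); EUID_ROOT();` … `}`. The `if` this `else` belongs to starts above the hunk.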
@@ -925,6 +927,8 @@ int sandbox(void* sandbox_arg) {
 // set application environment
 //****************************
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+
+ EUID_USER();
 int cwd = 0;
 if (cfg.cwd) {
 if (chdir(cfg.cwd) == 0)
@@ -951,7 +955,7 @@ int sandbox(void* sandbox_arg) {
 }
 }
-
+ EUID_ROOT();
 // set nice
 if (arg_nice) {
 errno = 0;
@@ -980,7 +984,9 @@ int sandbox(void* sandbox_arg) {
 // set cpu affinity
 if (cfg.cpus) {
 save_cpu(); // save cpu affinity mask to CPU_CFG file
+ EUID_USER();
 set_cpu_affinity();
+ EUID_ROOT();
 }
 // save cgroup in CGROUP_CFG file
-- 
cgit v1.2.3-54-g00ecf
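Review bot: The user-euid window opened by `EUID_USER();` ahead of `int cwd = 0;` (@@ -925) is closed only by the `EUID_ROOT();` in the next hunk (@@ -951), and that call replaces the blank line that used to separate the working-directory block from `// set nice`, so it reads as part of the nice setup. Keep the blank line and label both ends, for example `EUID_USER(); // enter cfg.cwd / home with the user's permissions` and `EUID_ROOT(); // end of user-euid section`. The lines between the two calls are outside the hunks and should be checked for anything that still expects root. In @@ -980 a short comment would explain why `save_cpu()` stays outside the pair while `set_cpu_affinity()` is inside it, for example `// CPU_CFG is written before the switch; the affinity call runs as the user`, assuming that split is intentional.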