author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-15 18:04:10 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-15 18:04:10 +0000 |
commit | ac2b04198d1ab44f5c30687a35c69744b2889e6a (patch) | |
tree | 461965f95498703647380dcb9b6b2451a189453d /sandbox/linux | |
parent | 2216d02d83e8c7ef50187384f6ce24ebeb16962c (diff) | |
Linux: add comment to the sandbox binary as suggested by Markus.
(Because, otherwise, that chunk of code looks pretty scary.)
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20746 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/linux')
-rw-r--r-- | sandbox/linux/suid/sandbox.cc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sandbox/linux/suid/sandbox.cc b/sandbox/linux/suid/sandbox.cc
index 30b8426..ea53406 100644
--- a/sandbox/linux/suid/sandbox.cc
+++ b/sandbox/linux/suid/sandbox.cc
@@ -221,7 +221,9 @@ static bool DropRoot() {
 static bool SetupChildEnvironment() {
 // ld.so will have cleared LD_LIBRARY_PATH because we are SUID. However, the
 // child process might need this so zygote_host_linux.cc saved a copy in
- // SANDBOX_LD_LIBRARY_PATH.
+ // SANDBOX_LD_LIBRARY_PATH. This is safe because we have dropped root by this
+ // point, so we can only exec a binary with the permissions of the user who
+ // ran us in the first place.
 const char* sandbox_ld_library_path = getenv("SANDBOX_LD_LIBRARY_PATH");
 if (sandbox_ld_library_path) {
 setenv("LD_LIBRARY_PATH", sandbox_ld_library_path, 1 /* overwrite */); |
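Review bot: The safety argument in the added comment depends on DropRoot() having already succeeded, but nothing in SetupChildEnvironment() enforces or states that ordering; the call order is decided in the caller, outside this hunk. SANDBOX_LD_LIBRARY_PATH is supplied by the invoking user and copied into LD_LIBRARY_PATH without validation, so I would state the precondition where the next maintainer will see it, e.g. `// Must only be called after DropRoot() has succeeded: the value is user-controlled and reaches the loader unchanged.` Separately, the `setenv()` result on the last visible line is ignored although the function returns bool; `if (setenv("LD_LIBRARY_PATH", sandbox_ld_library_path, 1 /* overwrite */)) return false;` would fail closed, assuming the rest of the body (which continues past the hunk) permits an early return.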