Open slave pseudoterminal before CLONE_NEWUSER

Otherwise, when running as root and user namespaces are enabled, opening the slave fails with EPERM. Fixes "opening pseudoterminal slave: Permission denied" followed by a hang (https://hydra.nixos.org/build/213104244), and "error: getting sandbox mount namespace: No such file or directory" (#8072), which happens when the child fails very quickly and consequently reading /proc/<child>/ns fails.
author: Eelco Dolstra <edolstra@gmail.com> 2023-03-20 17:04:57 +0100
committer: Eelco Dolstra <edolstra@gmail.com> 2023-03-20 17:58:36 +0100
commit: 16db8dc96f64a0facbb620907e571f2dfc8e802e (patch)
tree: e8977ff3830df23f787b97bc57773bdba0c1a27f /src/libutil/util.cc
parent: 83b977ff0790753941509e089f33f49240d616bd (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libutil/util.cc b/src/libutil/util.cc
index c605a33e6..a703c5650 100644
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@@ -1983,7 +1983,7 @@ void commonChildInit(int stderrFd)
         throw SysError("creating a new session");
 
     /* Dup the write side of the logger pipe into stderr. */
-    if (dup2(stderrFd, STDERR_FILENO) == -1)
+    if (stderrFd != -1 && dup2(stderrFd, STDERR_FILENO) == -1)
         throw SysError("cannot pipe standard error into log file");
 
     /* Dup stderr to stdout. */
author	Eelco Dolstra <edolstra@gmail.com>	2023-03-20 17:04:57 +0100
committer	Eelco Dolstra <edolstra@gmail.com>	2023-03-20 17:58:36 +0100
commit	16db8dc96f64a0facbb620907e571f2dfc8e802e (patch)
tree	e8977ff3830df23f787b97bc57773bdba0c1a27f /src/libutil/util.cc
parent	83b977ff0790753941509e089f33f49240d616bd (diff)