New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: allow unsandboxed renderers to request new privileges #19953
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM given the context from issue.
Probably should also write a test for this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a test before merging?
@jkleinsc PTAL, test added. |
Release Notes Persisted
|
I was unable to backport this PR to "5-0-x" cleanly; |
I was unable to backport this PR to "6-0-x" cleanly; |
I was unable to backport this PR to "7-0-x" cleanly; |
A maintainer has manually backported this PR to "7-0-x", please check out #19999 |
A maintainer has manually backported this PR to "6-0-x", please check out #20023 |
Any chance this will be backported to Electron 5.0.13? Seems there is a regression for this see https://github.com/bus-stop/terminus/issues/84 Atom 1.47.0 latest version is using electron 5.0.13 which fails, earlier Atom 1.46.0 with electron 4.2.7 worked. |
@the-j0k3r has manually backported this PR to "5-0-x", please check out #23881 |
Has anyone checked this fix exists in newer electron version greater than 7.x? |
Description of Change
This used to be set for all processes, but was removed in #15229. This re-enables
allow_new_privs
but only for unsandboxed renderers. All other child processes will continue to have the default behaviour, which is to prevent new privileges viaprctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
(see prctl(2)).Fixes #18521.
Checklist
npm test
passesRelease Notes
Notes: Fixed an issue that prevented setuid binaries from being launched from the renderer process on Linux.