containers · giuseppe · Nov 10, 2016 · Nov 10, 2016 · Oct 26, 2016 · cgwalters
diff --git a/bubblewrap.c b/bubblewrap.c
@@ -444,7 +444,7 @@ has_caps (void)
  * unprivileged user namespaces to be used. This case is
  * "is_privileged = FALSE".
  *
- * If bwarp is setuid, then we do things in phases.
+ * If bwrap is setuid, then we do things in phases.
  * The first part is run as euid 0, but with with fsuid as the real user.
  * The second part, inside the child, is run as the real user but with
  * capabilities.
@@ -492,7 +492,7 @@ acquire_privs (void)
   else if (real_uid != 0 && has_caps ())
     {
       /* We have some capabilities in the non-setuid case, which should not happen.
-         Probablye caused by the binary being setcap instead of setuid which we
+         Probably caused by the binary being setcap instead of setuid which we
          don't support anymore */
       die ("Unexpected capabilities but not setuid, old file caps config?");
     }
@@ -511,7 +511,7 @@ switch_to_user_with_privs (void)
   if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
     die_with_error ("prctl(PR_SET_KEEPCAPS) failed");
 
-  if (setuid (real_uid) < 0)
+  if (setuid (opt_sandbox_uid) < 0)
     die_with_error ("unable to drop root uid");
 
   /* Regain effective required capabilities from permitted */
@@ -525,7 +525,7 @@ drop_privs (void)
     return;
 
   /* Drop root uid */
-  if (setuid (real_uid) < 0)
+  if (setuid (opt_sandbox_uid) < 0)
     die_with_error ("unable to drop root uid");
 
   drop_all_caps ();
@@ -1907,6 +1907,7 @@ main (int    argc,
         }
       else
         {
+          int status;
           uint32_t buffer[2048];  /* 8k, but is int32 to guarantee nice alignment */
           uint32_t op, flags;
           const char *arg1, *arg2;
@@ -1925,6 +1926,7 @@ main (int    argc,
             }
           while (op != PRIV_SEP_OP_DONE);
 
+          waitpid (child, &status, 0);
           /* Continue post setup */
         }
     }