1 files changed, 12 insertions, 2 deletions

diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c
index c409e3343..19b76f387 100644
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@@ -82,7 +82,7 @@ do_pause ()
   struct sigaction act;
   int const sig[] =
     {
-     SIGALRM, SIGHUP, SIGINT, SIGPIPE, SIGQUIT, SIGTERM, SIGPOLL,
+     SIGALRM, SIGHUP, SIGINT, SIGPIPE, SIGQUIT, SIGPOLL,
      SIGPROF, SIGVTALRM, SIGXCPU, SIGXFSZ, 0
     };
 
@@ -244,7 +244,7 @@ static void __attribute__((constructor)) init()
   /* Shortcut.  If we are able to join the pause pid file, do it now so we don't
      need to re-exec.  */
   xdg_runtime_dir = getenv ("XDG_RUNTIME_DIR");
-  if (xdg_runtime_dir && xdg_runtime_dir[0] && can_use_shortcut ())
+  if (geteuid () != 0 && xdg_runtime_dir && xdg_runtime_dir[0] && can_use_shortcut ())
     {
       int r;
       int fd;
@@ -542,6 +542,11 @@ reexec_userns_join (int userns, int mountns, char *pause_pid_file_path)
       fprintf (stderr, "cannot sigdelset(SIGCHLD): %s\n", strerror (errno));
       _exit (EXIT_FAILURE);
     }
+  if (sigdelset (&sigset, SIGTERM) < 0)
+    {
+      fprintf (stderr, "cannot sigdelset(SIGTERM): %s\n", strerror (errno));
+      _exit (EXIT_FAILURE);
+    }
   if (sigprocmask (SIG_BLOCK, &sigset, &oldsigset) < 0)
     {
       fprintf (stderr, "cannot block signals: %s\n", strerror (errno));
@@ -736,6 +741,11 @@ reexec_in_user_namespace (int ready, char *pause_pid_file_path, char *file_to_re
       fprintf (stderr, "cannot sigdelset(SIGCHLD): %s\n", strerror (errno));
       _exit (EXIT_FAILURE);
     }
+  if (sigdelset (&sigset, SIGTERM) < 0)
+    {
+      fprintf (stderr, "cannot sigdelset(SIGTERM): %s\n", strerror (errno));
+      _exit (EXIT_FAILURE);
+    }
   if (sigprocmask (SIG_BLOCK, &sigset, &oldsigset) < 0)
     {
       fprintf (stderr, "cannot block signals: %s\n", strerror (errno));