execute: for processes where creds logic is turned off, don't pass creds path to...

Otherwise, the namespace logic will try to mount a dir that doesn't
actually exist.

Fixes: #18116

diff --git a/src/core/execute.c b/src/core/execute.c
index 14bebf4b3f4c92671e59d5c159fa8871271a71a6..38235ec77edf4a97954762a2ee6156537cb5e69d 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3183,7 +3183,9 @@ static int apply_mount_namespace(
         if (context->mount_flags == MS_SHARED)
                 log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
 
-        if (exec_context_has_credentials(context) && params->prefix[EXEC_DIRECTORY_RUNTIME]) {
+        if (exec_context_has_credentials(context) &&
+            params->prefix[EXEC_DIRECTORY_RUNTIME] &&
+            FLAGS_SET(params->flags, EXEC_WRITE_CREDENTIALS)) {
                 creds_path = path_join(params->prefix[EXEC_DIRECTORY_RUNTIME], "credentials", u->id);
                 if (!creds_path) {
                         r = -ENOMEM;