git.ipfire.org Git - thirdparty/systemd.git/commit
nspawn: ensure single-process container running as --user can access credentials
author     Luca Boccassi <bluca@debian.org>
           Thu, 14 Mar 2024 23:44:20 +0000 (23:44 +0000)
committer  Luca Boccassi <luca.boccassi@gmail.com>
           Mon, 22 Apr 2024 13:47:44 +0000 (15:47 +0200)
commit     edd3d4d7c2373e0d53b09894ce6405ff697185aa
tree       840960cbb3705c29bb7f4efb6a737bda675cdcb6
parent     825dc2f32e0e9ca54d1f84335f9fef7f8c5369ff
nspawn: ensure single-process container running as --user can access credentials

When starting a container with --user, the new uid will be resolved and switched to
only in the inner child, at the end of the setup, by spawning getent. But the
credentials are set up in the outer child, long before the user is resolvable,
and the directories/files are made only readable by root and read-only, which
means they cannot be changed later and made visible to the user.

When this particular combination is specified, it is obvious the caller wants
the single-process container to be able to use credentials, so make them world
readable only in that specific case.

Fixes https://github.com/systemd/systemd/issues/31794
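The ordering problem the commit message describes (credentials created root-only and read-only by the outer child, uid switched only later in the inner child) comes down to a plain DAC check: a root-owned 0400 file is invisible to any non-root uid, and the mode cannot be relaxed afterwards. The model below is an added illustration, not systemd's code; it evaluates Unix read/search permission for a given uid/gid over a constructed credential listing and contrasts the root-only layout with the world-readable one. The mount path `/run/host/credentials` and the mode values 0500/0400 versus 0555/0444 are assumptions made for the example, not values taken from the commit.

```python
"""Added illustration of the nspawn --user credential-visibility problem.
Not systemd code; paths and mode bits below are assumptions."""
import stat
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int      # permission bits only (no file-type bits)
    uid: int       # owner uid
    gid: int       # owner gid
    is_dir: bool


def _class_bits(entry: Entry, uid: int, gid: int):
    """Pick the read/search bits that apply to this caller: owner, group or other."""
    if uid == entry.uid:
        return stat.S_IRUSR, stat.S_IXUSR
    if gid == entry.gid:
        return stat.S_IRGRP, stat.S_IXGRP
    return stat.S_IROTH, stat.S_IXOTH


def can_read(entry: Entry, uid: int, gid: int) -> bool:
    """DAC read check: root bypasses it; directories also need the search bit."""
    if uid == 0:
        return True
    r_bit, x_bit = _class_bits(entry, uid, gid)
    if entry.is_dir:
        return bool(entry.mode & r_bit) and bool(entry.mode & x_bit)
    return bool(entry.mode & r_bit)


def unreadable(entries: List[Entry], uid: int, gid: int) -> List[str]:
    """Paths in the listing that the given uid/gid cannot read (each entry checked on its own)."""
    return [e.path for e in entries if not can_read(e, uid, gid)]


def credential_tree(world_readable: bool) -> List[Entry]:
    """Constructed credential listing as the outer child would create it.

    world_readable=False models the pre-fix layout (root-only, read-only);
    world_readable=True models the --user single-process case after the fix.
    The mount path and exact modes are assumptions for this example.
    """
    dir_mode = 0o555 if world_readable else 0o500
    file_mode = 0o444 if world_readable else 0o400
    return [
        Entry("/run/host/credentials", dir_mode, 0, 0, True),
        Entry("/run/host/credentials/db.password", file_mode, 0, 0, False),
    ]


if __name__ == "__main__":
    container_uid, container_gid = 1000, 1000   # constructed --user uid/gid
    print("root-only layout, blocked for uid 1000:",
          unreadable(credential_tree(False), container_uid, container_gid))
    print("world-readable layout, blocked for uid 1000:",
          unreadable(credential_tree(True), container_uid, container_gid))
```

Run as a script, the first line lists both the directory and the credential file as unreadable for uid 1000, the second lists nothing; the same root-only layout is fully readable for uid 0, which is why the problem only surfaces in combination with `--user`.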
man/systemd-nspawn.xml
src/nspawn/nspawn.c
test/units/testsuite-13.nspawn.sh