git.ipfire.org Git - thirdparty/systemd.git/commit

author	Chris Down <chris@chrisdown.name>
	Fri, 14 Nov 2025 10:04:24 +0000 (18:04 +0800)
committer	Chris Down <chris@chrisdown.name>
	Fri, 14 Nov 2025 10:18:24 +0000 (18:18 +0800)
commit	63855693dcd7a41cac86c29a6f48d75313276127
tree	1b12710a96b02d71c06db7e61e837885e5f5219f	tree \| snapshot
parent	98ae19d9fe5cbdaefae600c5b906cacd1a48c57a	commit \| diff

nspawn: Prevent invalid UIDs propagating in bind mounts

Commit 88fce09 modified the mount_bind() function, causing it to perform
arithmetic on the uid_shift parameter. However, it performs this
arithmetic even when uid_shift was UID_INVALID, which was not intended.
This typically occurred when mount_custom() was called for a simple bind
mount without user namespaces (and thus no rootidmap mount option).

This arithmetic (e.g., uid_shift + m->destination_uid) then wraps
around, resulting in the invalid ID 4294967295 ((uid_t)-1).

This bug manifests for users running systemd-nspawn with
--link-journal=host and --volatile=yes (but without --private-users),
causing systemd-tmpfiles to fail.

Make mount_bind() robust by checking if uid_shift is valid before using
it in arithmetic. If it is UID_INVALID, it defaults to a shift of 0 for
the ownership calculation, restoring correct behavior for plain bind
mounts while preserving the intended logic for ID-mapped mounts.

Fixes: #39714