From: Mike Yuan
Date: Tue, 24 Feb 2026 22:33:24 +0000 (+0100)
Subject: core/unit: refuse UserNamespacePath= + PrivateUsers=
X-Git-Tag: v260-rc1~6^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e71d0a2bdcae7b7767041c1de4d5672fb347813;p=thirdparty%2Fsystemd.git

core/unit: refuse UserNamespacePath= + PrivateUsers=

Such setup makes zero sense, as if we unshare userns ourselves we'd immediately lose CAP_SYS_ADMIN over the userns specified.
---

diff --git a/src/core/unit.c b/src/core/unit.c
index 1995bb7f8eb..5d3282e1216 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4329,14 +4329,17 @@ static int unit_verify_contexts(const Unit *u) {
         if (exec_needs_pid_namespace(ec, /* params= */ NULL) && !UNIT_VTABLE(u)->notify_pidref)
                 return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivatePIDs= setting is only supported for service units. Refusing.");
+        if ((ec->user || ec->dynamic_user || ec->group || ec->pam_name) && ec->private_users == PRIVATE_USERS_MANAGED)
+                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivateUsers=managed may not be used in combination with User=/DynamicUser=/Group=/PAMName=, refusing.");
+
+        if (ec->user_namespace_path && ec->private_users != PRIVATE_USERS_NO)
+                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivateUsers= may not be used with custom UserNamespacePath=, refusing.");
+
         const KillContext *kc = unit_get_kill_context(u);
         if (ec->pam_name && kc && !IN_SET(kc->kill_mode, KILL_CONTROL_GROUP, KILL_MIXED))
                 return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "Unit has PAM enabled. Kill mode must be set to 'control-group' or 'mixed'. Refusing.");
-        if ((ec->user || ec->dynamic_user || ec->group || ec->pam_name) && ec->private_users == PRIVATE_USERS_MANAGED)
-                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivateUsers=managed may not be used in combination with User=/DynamicUser=/Group=/PAMName=, refusing.");
-
         return 0;
 }
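Review bot: The new UserNamespacePath= guard rejects only an explicitly configured PrivateUsers= value, by comparing the raw `ec->private_users` field against `PRIVATE_USERS_NO`; if the executor can also decide on its own to unshare a user namespace for other sandboxing settings (the `exec_needs_pid_namespace(ec, …)` predicate at the top of the hunk suggests such derived "needs namespace" helpers exist, though I cannot see the user-namespace side here), that implicit path still ends in the CAP_SYS_ADMIN loss the commit message describes and would not be refused at load time. If such a predicate exists, consider checking it here instead of the raw field so both explicit and implied cases are caught consistently. The refusal also deserves a one-line why-comment for the next reader, e.g. `/* Unsharing our own userns would drop our CAP_SYS_ADMIN over the one supplied via UserNamespacePath= */` above the new `if`. unit_verify_contexts() begins before this hunk, so any earlier checks on `ec` are not visible in the change.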