From: Alexey Bogdanenko Date: Sun, 16 Dec 2018 16:04:28 +0000 (+0300) Subject: core: fix KeyringMode for user services X-Git-Tag: v240~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f9f3cb72414a831699d9012601e09d0daa1051e;p=thirdparty%2Fsystemd.git core: fix KeyringMode for user services KeyringMode option is useful for user services. Also, documentation for the option suggests that the option applies to user services. However, setting the option to any of its allowed values has no effect. This commit fixes that and removes EXEC_NEW_KEYRING flag. The flag is no longer necessary: instead of checking if the flag is set we can check if keyring_mode is not equal to EXEC_KEYRING_INHERIT. --- diff --git a/src/core/execute.c b/src/core/execute.c index e966f9cfe85..e11143148fb 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2530,9 +2530,6 @@ static int setup_keyring( * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */ - if (!(p->flags & EXEC_NEW_KEYRING)) - return 0; - if (context->keyring_mode == EXEC_KEYRING_INHERIT) return 0; diff --git a/src/core/execute.h b/src/core/execute.h index fb8c752efaa..0f1bf56744b 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -289,18 +289,17 @@ typedef enum ExecFlags { EXEC_APPLY_SANDBOXING = 1 << 0, EXEC_APPLY_CHROOT = 1 << 1, EXEC_APPLY_TTY_STDIN = 1 << 2, - EXEC_NEW_KEYRING = 1 << 3, - EXEC_PASS_LOG_UNIT = 1 << 4, /* Whether to pass the unit name to the service's journal stream connection */ - EXEC_CHOWN_DIRECTORIES = 1 << 5, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */ - EXEC_NSS_BYPASS_BUS = 1 << 6, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */ - EXEC_CGROUP_DELEGATE = 1 << 7, - EXEC_IS_CONTROL = 1 << 8, - EXEC_CONTROL_CGROUP = 1 << 9, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */ + EXEC_PASS_LOG_UNIT = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */ + EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */ + EXEC_NSS_BYPASS_BUS = 1 << 5, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */ + EXEC_CGROUP_DELEGATE = 1 << 6, + EXEC_IS_CONTROL = 1 << 7, + EXEC_CONTROL_CGROUP = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */ /* The following are not used by execute.c, but by consumers internally */ - EXEC_PASS_FDS = 1 << 10, - EXEC_SETENV_RESULT = 1 << 11, - EXEC_SET_WATCHDOG = 1 << 12, + EXEC_PASS_FDS = 1 << 9, + EXEC_SETENV_RESULT = 1 << 10, + EXEC_SET_WATCHDOG = 1 << 11, } ExecFlags; /* Parameters for a specific invocation of a command. This structure is put together right before a command is diff --git a/src/core/service.c b/src/core/service.c index d631687205e..cfa32712320 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -1535,9 +1535,6 @@ static int service_spawn( if (!final_env) return -ENOMEM; - /* System services should get a new keyring by default. */ - SET_FLAG(exec_params.flags, EXEC_NEW_KEYRING, MANAGER_IS_SYSTEM(UNIT(s)->manager)); - /* System D-Bus needs nss-systemd disabled, so that we don't deadlock */ SET_FLAG(exec_params.flags, EXEC_NSS_BYPASS_BUS, MANAGER_IS_SYSTEM(UNIT(s)->manager) && unit_has_name(UNIT(s), SPECIAL_DBUS_SERVICE));