From: Lennart Poettering Date: Wed, 20 Dec 2023 18:08:05 +0000 (+0100) Subject: core: imply SetLoginEnvironment= if PAMName= is set X-Git-Tag: v256-rc1~1438 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1a5be82efd6b785573a5913d0adc776713d9258;p=thirdparty%2Fsystemd.git core: imply SetLoginEnvironment= if PAMName= is set This geneally makes sense as setting up a PAM session pretty much defines what a login session is. In context of #30547 this has the benefit that we can take benefit of the SetLoginEnvironment= effect without having to set it explicitly, thus retaining some compat of the uid0 client towards older systemd service managers. --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 525303c6ebf..37fa6e4f3c1 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -703,12 +703,15 @@ SetLoginEnvironment= - Takes a boolean parameter that controls whether to set $HOME, - $LOGNAME, and $SHELL environment variables. If unset, this is - controlled by whether User= is set. If true, they will always be set for system services, - i.e. even when the default user root is used. If false, the mentioned variables are not set - by systemd, no matter whether User= is used or not. This option normally has no effect - on user services, since these variables are typically inherited from user manager's own environment anyway. + Takes a boolean parameter that controls whether to set the $HOME, + $LOGNAME, and $SHELL environment variables. If not set, this + defaults to true if User=, DynamicUser= or + PAMName= are set, false otherwise. If set to true, the variables will always be + set for system services, i.e. even when the default user root is used. If set to + false, the mentioned variables are not set by the service manager, no matter whether + User=, DynamicUser=, or PAMName= are used or + not. This option normally has no effect on services of the per-user service manager, since in that + case these variables are typically inherited from user manager's own environment anyway. diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index 7ce26582969..61f66b6914a 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -1883,7 +1883,7 @@ static int build_environment( "Failed to determine user credentials for root: %m"); } - bool set_user_login_env = c->set_login_environment >= 0 ? c->set_login_environment : (c->user || c->dynamic_user); + bool set_user_login_env = exec_context_get_set_login_environment(c); if (username) { x = strjoin("USER=", username); diff --git a/src/core/execute.c b/src/core/execute.c index da55ef0564b..7b661d70c9f 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1661,6 +1661,15 @@ uint64_t exec_context_get_timer_slack_nsec(const ExecContext *c) { return (uint64_t) MAX(r, 0); } +bool exec_context_get_set_login_environment(const ExecContext *c) { + assert(c); + + if (c->set_login_environment >= 0) + return c->set_login_environment; + + return c->user || c->dynamic_user || c->pam_name; +} + char** exec_context_get_syscall_filter(const ExecContext *c) { _cleanup_strv_free_ char **l = NULL; diff --git a/src/core/execute.h b/src/core/execute.h index 5a6927aa027..e3708e1b014 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -527,6 +527,7 @@ int exec_context_get_nice(const ExecContext *c); int exec_context_get_cpu_sched_policy(const ExecContext *c); int exec_context_get_cpu_sched_priority(const ExecContext *c); uint64_t exec_context_get_timer_slack_nsec(const ExecContext *c); +bool exec_context_get_set_login_environment(const ExecContext *c); char** exec_context_get_syscall_filter(const ExecContext *c); char** exec_context_get_syscall_archs(const ExecContext *c); char** exec_context_get_syscall_log(const ExecContext *c);