From: Daan De Meyer
Date: Wed, 18 Feb 2026 14:58:39 +0000 (+0100)
Subject: machined: Skip root user namespace check for user managers
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db1689e69cbb25c5e24d845601088897bf3df5d7;p=thirdparty%2Fsystemd.git

machined: Skip root user namespace check for user managers

You can register whatever process you want in the user machined instance that is running in the same namespace as pid 1 as machined won't be allowed to do anything privileged anyway that could be dangerous when running as a user instance.

We have to skip the check as user machined instances don't have privileges to inspect pid1's user namespaces.

---
diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c index e3281e1d385..b09a2facb0b 100644 --- a/src/machine/machine-dbus.c +++ b/src/machine/machine-dbus.c @@ -373,7 +373,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu * do not need to check the caller's uid, as that will be checked by polkit, and if they machine's * and the caller's do not match, authorization will be required. It's only the case where the * caller owns the machine that will be shortcut and needs to be checked here. */ - if (m->uid != 0 && m->class != MACHINE_HOST) { + if (m->manager->runtime_scope != RUNTIME_SCOPE_USER && m->uid != 0 && m->class != MACHINE_HOST) { r = pidref_in_same_namespace(&PIDREF_MAKE_FROM_PID(1), &m->leader, NAMESPACE_USER); if (r < 0) return log_debug_errno(
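
Review bot: the comment block directly above the changed condition in bus_machine_method_open_shell() still explains only the uid/polkit shortcut and says nothing about why `m->manager->runtime_scope != RUNTIME_SCOPE_USER` now bypasses the pidref_in_same_namespace() comparison against pid 1. Suggest extending that comment with the rationale given in the commit message (a user-scope machined cannot inspect pid 1's user namespace and is not able to do anything privileged), so the exemption is not read as an oversight later. The exemption also keys on the runtime scope alone rather than on the privileges the instance actually holds, so it is worth confirming in review that the reasoning covers every way a user-scope manager can be started, including one running as uid 0.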