static int run(int argc, char *argv[]) {
_cleanup_(notify_on_cleanup) const char *notify_message = NULL;
_cleanup_(manager_freep) Manager *m = NULL;
- const char *user = "systemd-network";
- uid_t uid;
- gid_t gid;
int r;
log_setup_service();
if (argc != 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program takes no arguments.");
- r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
- if (r < 0)
- return log_error_errno(r, "Cannot resolve user name %s: %m", user);
-
- /* Create runtime directory. This is not necessary when networkd is
- * started with "RuntimeDirectory=systemd/netif", or after
- * systemd-tmpfiles-setup.service. */
- r = mkdir_safe_label("/run/systemd/netif", 0755, uid, gid, MKDIR_WARN_MODE);
- if (r < 0)
- log_warning_errno(r, "Could not create runtime directory: %m");
-
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
- * privileges are already dropped. */
+ * privileges are already dropped and we can't create our runtime directory. */
if (geteuid() == 0) {
+ const char *user = "systemd-network";
+ uid_t uid;
+ gid_t gid;
+
+ r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
+ if (r < 0)
+ return log_error_errno(r, "Cannot resolve user name %s: %m", user);
+
+ /* Create runtime directory. This is not necessary when networkd is
+ * started with "RuntimeDirectory=systemd/netif", or after
+ * systemd-tmpfiles-setup.service. */
+ r = mkdir_safe_label("/run/systemd/netif", 0755, uid, gid, MKDIR_WARN_MODE);
+ if (r < 0)
+ log_warning_errno(r, "Could not create runtime directory: %m");
+
r = drop_privileges(uid, gid,
(1ULL << CAP_NET_ADMIN) |
(1ULL << CAP_NET_BIND_SERVICE) |
/* Always create the directories people can create inotify watches in.
* It is necessary to create the following subdirectories after drop_privileges()
* to support old kernels not supporting AmbientCapabilities=. */
- r = mkdir_safe_label("/run/systemd/netif/links", 0755, uid, gid, MKDIR_WARN_MODE);
+ r = mkdir_safe_label("/run/systemd/netif/links", 0755, UID_INVALID, GID_INVALID, MKDIR_WARN_MODE);
if (r < 0)
log_warning_errno(r, "Could not create runtime directory 'links': %m");
- r = mkdir_safe_label("/run/systemd/netif/leases", 0755, uid, gid, MKDIR_WARN_MODE);
+ r = mkdir_safe_label("/run/systemd/netif/leases", 0755, UID_INVALID, GID_INVALID, MKDIR_WARN_MODE);
if (r < 0)
log_warning_errno(r, "Could not create runtime directory 'leases': %m");
- r = mkdir_safe_label("/run/systemd/netif/lldp", 0755, uid, gid, MKDIR_WARN_MODE);
+ r = mkdir_safe_label("/run/systemd/netif/lldp", 0755, UID_INVALID, GID_INVALID, MKDIR_WARN_MODE);
if (r < 0)
log_warning_errno(r, "Could not create runtime directory 'lldp': %m");
static int run(int argc, char *argv[]) {
_cleanup_(notify_on_cleanup) const char *notify_stop = NULL;
_cleanup_(manager_freep) Manager *m = NULL;
- const char *user = "systemd-resolve";
- uid_t uid;
- gid_t gid;
int r;
log_setup_service();
if (r < 0)
return log_error_errno(r, "SELinux setup failed: %m");
- r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
- if (r < 0)
- return log_error_errno(r, "Cannot resolve user name %s: %m", user);
-
- /* Always create the directory where resolv.conf will live */
- r = mkdir_safe_label("/run/systemd/resolve", 0755, uid, gid, MKDIR_WARN_MODE);
- if (r < 0)
- return log_error_errno(r, "Could not create runtime directory: %m");
-
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
- * privileges are already dropped. */
+ * privileges are already dropped and we can't create our directory. */
if (getuid() == 0) {
+ const char *user = "systemd-resolve";
+ uid_t uid;
+ gid_t gid;
+
+ r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
+ if (r < 0)
+ return log_error_errno(r, "Cannot resolve user name %s: %m", user);
+
+ /* As we're root, we can create the directory where resolv.conf will live */
+ r = mkdir_safe_label("/run/systemd/resolve", 0755, uid, gid, MKDIR_WARN_MODE);
+ if (r < 0)
+ return log_error_errno(r, "Could not create runtime directory: %m");
/* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
r = drop_privileges(uid, gid,
projects / thirdparty / systemd.git / commitdiff
