const void *data,
size_t size,
uid_t uid,
+ gid_t gid,
bool ownership_ok) {
_cleanup_(unlink_and_freep) char *tmp = NULL;
* user can no longer chmod() the file to gain write access. */
return r;
- if (fchown(fd, uid, GID_INVALID) < 0)
+ if (fchown(fd, uid, gid) < 0)
return -errno;
}
}
const char *id,
bool encrypted,
uid_t uid,
+ gid_t gid,
bool ownership_ok,
const char *data,
size_t size,
if (add > *left)
return -E2BIG;
- r = write_credential(dir_fd, id, data, size, uid, ownership_ok);
+ r = write_credential(dir_fd, id, data, size, uid, gid, ownership_ok);
if (r < 0)
return log_debug_errno(r, "Failed to write credential '%s': %m", id);
ReadFullFileFlags flags,
int write_dfd,
uid_t uid,
+ gid_t gid,
bool ownership_ok,
uint64_t *left) {
fn,
encrypted,
uid,
+ gid,
ownership_ok,
data, size,
left);
int read_dfd,
int write_dfd,
uid_t uid,
+ gid_t gid,
bool ownership_ok,
uint64_t *left) {
if (r < 0)
return log_debug_errno(r, "Failed to read credential '%s': %m", path);
- return maybe_decrypt_and_write_credential(write_dfd, id, encrypted, uid, ownership_ok, data, size, left);
+ return maybe_decrypt_and_write_credential(write_dfd, id, encrypted, uid, gid, ownership_ok, data, size, left);
}
struct load_cred_args {
const char *unit;
int dfd;
uid_t uid;
+ gid_t gid;
bool ownership_ok;
uint64_t *left;
};
dir_fd,
args->dfd,
args->uid,
+ args->gid,
args->ownership_ok,
args->left);
if (r < 0)
const char *unit,
const char *p,
uid_t uid,
+ gid_t gid,
bool ownership_ok) {
uint64_t left = CREDENTIALS_TOTAL_SIZE_MAX;
AT_FDCWD,
dfd,
uid,
+ gid,
ownership_ok,
&left);
else
.unit = unit,
.dfd = dfd,
.uid = uid,
+ .gid = gid,
.ownership_ok = ownership_ok,
.left = &left,
});
READ_FULL_FILE_SECURE|READ_FULL_FILE_FAIL_WHEN_LARGER,
dfd,
uid,
+ gid,
ownership_ok,
&left);
if (r < 0)
READ_FULL_FILE_SECURE|READ_FULL_FILE_FAIL_WHEN_LARGER|READ_FULL_FILE_UNBASE64,
dfd,
uid,
+ gid,
ownership_ok,
&left);
if (r < 0)
if (add > left)
return -E2BIG;
- r = write_credential(dfd, sc->id, data, size, uid, ownership_ok);
+ r = write_credential(dfd, sc->id, data, size, uid, gid, ownership_ok);
if (r < 0)
return r;
if (!ownership_ok)
return r;
- if (fchown(dfd, uid, GID_INVALID) < 0)
+ if (fchown(dfd, uid, gid) < 0)
return -errno;
}
}
const char *workspace, /* This is where we can prepare it before moving it to the final place */
bool reuse_workspace, /* Whether to reuse any existing workspace mount if it already is a mount */
bool must_mount, /* Whether to require that we mount something, it's not OK to use the plain directory fall back */
- uid_t uid) {
+ uid_t uid,
+ gid_t gid) {
int r, workspace_mounted; /* negative if we don't know yet whether we have/can mount something; true
* if we mounted something; false if we definitely can't mount anything */
(void) label_fix_full(AT_FDCWD, where, final, 0);
- r = acquire_credentials(context, params, unit, where, uid, workspace_mounted);
+ r = acquire_credentials(context, params, unit, where, uid, gid, workspace_mounted);
if (r < 0)
return r;
const ExecContext *context,
const ExecParameters *params,
const char *unit,
- uid_t uid) {
+ uid_t uid,
+ gid_t gid) {
_cleanup_free_ char *p = NULL, *q = NULL;
int r;
u, /* temporary workspace to overmount */
true, /* reuse the workspace if it is already a mount */
false, /* it's OK to fall back to a plain directory if we can't mount anything */
- uid);
+ uid,
+ gid);
(void) rmdir(u); /* remove the workspace again if we can. */
"/dev/shm", /* temporary workspace to overmount */
false, /* do not reuse /dev/shm if it is already a mount, under no circumstances */
true, /* insist that something is mounted, do not allow fallback to plain directory */
- uid);
+ uid,
+ gid);
if (r < 0)
goto child_fail;
}
if (FLAGS_SET(params->flags, EXEC_WRITE_CREDENTIALS)) {
- r = setup_credentials(context, params, unit->id, uid);
+ r = setup_credentials(context, params, unit->id, uid, gid);
if (r < 0) {
*exit_status = EXIT_CREDENTIALS;
return log_unit_error_errno(unit, r, "Failed to set up credentials: %m");
projects / thirdparty / systemd.git / commitdiff
