]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
creds: allow normal users to encrypt with`--with-key=null`
authorMichael Vogt <michael@amutable.com>
Fri, 10 Jul 2026 15:27:11 +0000 (17:27 +0200)
committerLuca Boccassi <luca.boccassi@gmail.com>
Sat, 11 Jul 2026 09:38:46 +0000 (10:38 +0100)
When encrypting with the `--with-key=null` option systemd-creds
is currently doing the encryption via IPC. This is not needed
for the null key, no privs are required so we can just do the
in-process operation. So instead simply check for the null-key and
if its requested use the in-process path.

src/creds/creds.c

index d559b59e6b24035ab7ea5bb9da90f24c1312e403..fed10ad5b07b379eae746a348946009b326e2fdc 100644 (file)
@@ -602,7 +602,7 @@ static int verb_encrypt(int argc, char *argv[], uintptr_t _data, void *userdata)
         if (arg_not_after != USEC_INFINITY && arg_not_after < timestamp)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential is invalidated before it is valid.");
 
-        if (geteuid() != 0) {
+        if (geteuid() != 0 && !sd_id128_equal(arg_with_key, CRED_AES256_GCM_BY_NULL)) {
                 (void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
 
                 r = ipc_encrypt_credential(