From: Michael Vogt Date: Fri, 10 Jul 2026 15:27:11 +0000 (+0200) Subject: creds: allow normal users to encrypt with`--with-key=null` X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8877f63ee11ba37cead45d2797382ade0105f614;p=thirdparty%2Fsystemd.git creds: allow normal users to encrypt with`--with-key=null` When encrypting with the `--with-key=null` option systemd-creds is currently doing the encryption via IPC. This is not needed for the null key, no privs are required so we can just do the in-process operation. So instead simply check for the null-key and if its requested use the in-process path. --- diff --git a/src/creds/creds.c b/src/creds/creds.c index d559b59e6b2..fed10ad5b07 100644 --- a/src/creds/creds.c +++ b/src/creds/creds.c @@ -602,7 +602,7 @@ static int verb_encrypt(int argc, char *argv[], uintptr_t _data, void *userdata) if (arg_not_after != USEC_INFINITY && arg_not_after < timestamp) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential is invalidated before it is valid."); - if (geteuid() != 0) { + if (geteuid() != 0 && !sd_id128_equal(arg_with_key, CRED_AES256_GCM_BY_NULL)) { (void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password); r = ipc_encrypt_credential(