From 30bbdf07710960c135c36723a2cb063c0a3abb5d Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Tue, 8 Jul 2025 21:21:25 +0200
Subject: [PATCH] core: add 'DefaultRestrictSUIDSGID' config option

closes #37602

On typical systems, only few services need to create SUID/SGID files. This often is limited to the user explicitly setting suid/sgid, the `systemd-tmpfiles*` services, and the package manager. Allowing a default to globally restrict creation of suid/sgid files makes it easier to apply this restriction precisely.
---
 src/core/main.c | 1 +
 src/core/manager.c | 2 ++
 src/core/manager.h | 2 ++
 src/core/system.conf.in | 1 +
 src/core/unit.c | 2 ++
 src/core/user.conf.in | 1 +
 6 files changed, 9 insertions(+)

diff --git a/src/core/main.c b/src/core/main.c
index c32a971455c..953681c99d3 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -773,6 +773,7 @@ static int parse_config_file(void) {
 { "Manager", "DefaultStartLimitInterval", config_parse_sec, 0, &arg_defaults.start_limit.interval}, /* obsolete alias */
 { "Manager", "DefaultStartLimitIntervalSec", config_parse_sec, 0, &arg_defaults.start_limit.interval},
 { "Manager", "DefaultStartLimitBurst", config_parse_unsigned, 0, &arg_defaults.start_limit.burst },
+ { "Manager", "DefaultRestrictSUIDSGID", config_parse_bool, 0, &arg_defaults.restrict_suid_sgid },
 { "Manager", "DefaultEnvironment", config_parse_environ, arg_runtime_scope, &arg_default_environment },
 { "Manager", "ManagerEnvironment", config_parse_environ, arg_runtime_scope, &arg_manager_environment },
 { "Manager", "DefaultLimitCPU", config_parse_rlimit, RLIMIT_CPU, arg_defaults.rlimit },
diff --git a/src/core/manager.c b/src/core/manager.c
index aa43c9d79b1..d85896577f3 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
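Review bot: The new `DefaultRestrictSUIDSGID=` table entry ships without any manual-page text for the option; the diffstat lists only the six source and conf files, so an administrator has no reference stating what the setting does or that a unit's own `RestrictSUIDSGID=` still takes precedence over the manager-wide default. A short paragraph in the system.conf/user.conf manual saying that the option seeds the per-unit default and that an explicit unit setting wins would close that gap. Related: the conf templates in this patch list `#DefaultRestrictSUIDSGID=` with no value, whereas neighbouring entries such as `#DefaultOOMPolicy=stop` show the effective default; assuming the field is left false by the initialisation of `arg_defaults` (not visible in this hunk), `#DefaultRestrictSUIDSGID=no` would document that. As a point of style, the entry is slotted between the start-limit rows and the environment rows; grouping it with the other execution-related defaults would keep the table easier to scan. parse_config_file's table begins and ends outside this hunk.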
@@ -4259,6 +4259,8 @@ int manager_set_unit_defaults(Manager *m, const UnitDefaults *defaults) {
 m->defaults.timeout_abort_set = defaults->timeout_abort_set;
 m->defaults.device_timeout_usec = defaults->device_timeout_usec;
+ m->defaults.restrict_suid_sgid = defaults->restrict_suid_sgid;
+
 m->defaults.start_limit = defaults->start_limit;
 m->defaults.memory_accounting = defaults->memory_accounting;
diff --git a/src/core/manager.h b/src/core/manager.h
index c267ebe7eee..a7009a49d79 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -141,6 +141,8 @@ typedef struct UnitDefaults {
 CGroupTasksMax tasks_max;
 usec_t timer_accuracy_usec;
+ bool restrict_suid_sgid;
+
 OOMPolicy oom_policy;
 int oom_score_adjust;
 bool oom_score_adjust_set;
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 051a18bd21c..54196e84894 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -79,5 +79,6 @@
 #DefaultMemoryPressureWatch=auto
 #DefaultOOMPolicy=stop
 #DefaultSmackProcessLabel=
+#DefaultRestrictSUIDSGID=
 #ReloadLimitIntervalSec=
 #ReloadLimitBurst=
diff --git a/src/core/unit.c b/src/core/unit.c
index e7965157476..9051fc69236 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -191,6 +191,8 @@ static void unit_init(Unit *u) {
 ec->oom_score_adjust_set = true;
 }
+ ec->restrict_suid_sgid = u->manager->defaults.restrict_suid_sgid;
+
 if (MANAGER_IS_SYSTEM(u->manager))
 ec->keyring_mode = EXEC_KEYRING_SHARED;
 else {
diff --git a/src/core/user.conf.in b/src/core/user.conf.in
index 14f0eae7f8a..9c37f4b54e9 100644
--- a/src/core/user.conf.in
+++ b/src/core/user.conf.in
@@ -55,5 +55,6 @@
 #DefaultMemoryPressureThresholdSec=200ms
 #DefaultMemoryPressureWatch=auto
 #DefaultSmackProcessLabel=
+#DefaultRestrictSUIDSGID=
 #ReloadLimitIntervalSec=
 #ReloadLimitBurst
--
2.47.3
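Review bot: The new `bool restrict_suid_sgid;` member of `UnitDefaults` carries no comment, so a reader of the header cannot tell that it is a manager-wide seed for the per-unit exec setting rather than a policy the manager enforces itself; `bool restrict_suid_sgid; /* seeds ExecContext.restrict_suid_sgid for every newly created unit */` would say where the value flows. It is also placed on its own between `usec_t timer_accuracy_usec;` and `OOMPolicy oom_policy;`, leaving a lone bool between wider members; keeping it next to the existing bool fields (`oom_score_adjust_set` is two lines below) groups related flags and avoids the extra padding. The `UnitDefaults` definition starts and ends outside this hunk.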
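Review bot: `ec->restrict_suid_sgid = u->manager->defaults.restrict_suid_sgid;` copies the manager default at unit-object creation time, and nothing in the hunk tells a reader how this relates to a `RestrictSUIDSGID=` line in the unit file or to a later change of the manager setting; a one-line comment such as `/* Seed from the manager-wide default; a RestrictSUIDSGID= setting in the unit file is applied later and overrides this. */` would make the ordering explicit, assuming fragment loading does run after unit_init() as the surrounding code suggests. Worth confirming and stating in the commit message is that an already-loaded unit keeps the value it was created with until it is reloaded, since that affects how an administrator verifies the hardening took effect. The context lines already dereference `ec`, so its non-NULL guard is presumably established above the hunk; unit_init() begins and ends outside it.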