From 722dc73699f63118e443dbdfaff1190db6a614b5 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 26 Nov 2025 11:16:46 +0100
Subject: [PATCH] machined: in --user mode, restrict register access to our own UID, and that's it

This is a follow-up for 119d332d9c2cf1974b235c8d9e4e3ad821cf436a and ensures the check only is applied to the system instance of machined. It doesn't really apply to the per-user instance, because we never want to permit differently privileged clients access anyway. (The process_is_owned_by_uid() call might fail if invoked unpriv, hence there's value in not calling it if machined runs in --user mode, it's what makes machined actually work)
---
 src/machine/machined-dbus.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c
index 0f1ac1776ad..25f72ae3cdb 100644
--- a/src/machine/machined-dbus.c
+++ b/src/machine/machined-dbus.c
@@ -270,12 +270,33 @@ static int machine_add_from_params(
                 return r;
 
         /* Ensure an unprivileged user cannot claim any process they don't control as their own machine */
-        if (uid != 0) {
+        switch (manager->runtime_scope) {
+
+        case RUNTIME_SCOPE_SYSTEM:
+                /* In system mode root may register anything */
+                if (uid == 0)
+                        break;
+
+                /* And non-root may only register things if they own the userns */
                 r = process_is_owned_by_uid(leader_pidref, uid);
                 if (r < 0)
                         return r;
-                if (r == 0)
-                        return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Only root may register machines for other users");
+                if (r > 0)
+                        break;
+
+                /* Nothing else may */
+                return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Only root may register machines for other users");
+
+        case RUNTIME_SCOPE_USER:
+                /* In user mode the user owning our instance may register anything. */
+                if (uid == getuid())
+                        break;
+
+                /* Nothing else may */
+                return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Other users may not register machines with us, sorry.");
+
+        default:
+                assert_not_reached();
         }
 
         if (manager->runtime_scope != RUNTIME_SCOPE_USER) {
-- 
2.47.3
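Review bot: In the RUNTIME_SCOPE_USER case the leader-ownership check that the SYSTEM case still performs is dropped entirely, so a caller whose uid matches getuid() may register a leader PID it does not own (a root-owned or other-user process that happens to be visible); the commit message says this is deliberate because process_is_owned_by_uid() may fail when machined runs unprivileged, but nothing in the code records that rationale. I would put it next to the `if (uid == getuid())` line, e.g. `/* Deliberately no process_is_owned_by_uid() here: it may fail when we run unprivileged, and the user instance only serves our own UID anyway */`, so a later reader does not take the missing check for an oversight. Separately, the SYSTEM case only avoids falling through into the USER case because it ends in an unconditional `return`; if that rejection is ever changed into something that continues, the user-mode `uid == getuid()` comparison would silently apply to the system instance, so a `/* no fall-through: the return above ends this case */` remark (or an if/else on runtime_scope) would make the intent explicit. machine_add_from_params() starts and ends outside the hunk.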