From bfc0cc1a2506eb2327dca8e1a474be51634e8ab9 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 31 May 2021 21:55:44 +0200 Subject: [PATCH] userdb: make most loading of JSON user record data "permissive" We want user records to be extensible, hence we shouldn't complain about fields we can't parse. In particular we want them to be extensible for our own future extensions. Some code already turned on the permissive flag when parsing the JSON data, but most did not. Fix that. A few select cases remain where the bit is not set: where we just generated the JSON data ourselves, and thus can be reasonably sure that if we can't parse it, it's our immediate programming error and not just us processing a user record from some other tool or a newer version of ourselves. --- src/home/homectl.c | 10 +++++----- src/home/homed-bus.c | 2 +- src/home/homed-home-bus.c | 4 ++-- src/home/homed-home.c | 14 +++++++------- src/home/homed-manager-bus.c | 4 ++-- src/home/homed-manager.c | 2 +- src/home/homed-varlink.c | 2 +- src/home/homework-cifs.c | 2 +- src/home/homework-directory.c | 2 +- src/home/homework-fscrypt.c | 2 +- src/home/homework-luks.c | 8 ++++---- src/home/homework.c | 6 +++--- src/home/pam_systemd_home.c | 2 +- src/home/user-record-sign.c | 4 ++-- src/home/user-record-util.c | 4 ++-- src/login/pam_systemd.c | 2 +- src/nspawn/nspawn-bind-user.c | 6 ++++-- src/shared/user-record.c | 4 ++-- src/shared/userdb-dropin.c | 6 ++++-- src/userdb/userwork.c | 4 ++-- 20 files changed, 47 insertions(+), 43 deletions(-) diff --git a/src/home/homectl.c b/src/home/homectl.c index 7128f6cea1f..6273cb6c906 100644 --- a/src/home/homectl.c +++ b/src/home/homectl.c 
@@ -571,9 +571,9 @@ static void dump_home_record(UserRecord *hr) { _cleanup_(user_record_unrefp) UserRecord *stripped = NULL; if (arg_export_format == EXPORT_FORMAT_STRIPPED) - r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED, &stripped); + r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &stripped); else if (arg_export_format == EXPORT_FORMAT_MINIMAL) - r = user_record_clone(hr, USER_RECORD_EXTRACT_SIGNABLE, &stripped); + r = user_record_clone(hr, USER_RECORD_EXTRACT_SIGNABLE|USER_RECORD_PERMISSIVE, &stripped); else r = 0; if (r < 0) @@ -678,7 +678,7 @@ static int inspect_home(int argc, char *argv[], void *userdata) { if (!hr) return log_oom(); - r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG); + r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG|USER_RECORD_PERMISSIVE); if (r < 0) { if (ret == 0) ret = r; @@ -1060,7 +1060,7 @@ static int acquire_new_home_record(UserRecord **ret) { if (!hr) return log_oom(); - r = user_record_load(hr, v, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG); + r = user_record_load(hr, v, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG|USER_RECORD_PERMISSIVE); if (r < 0) return r; @@ -1426,7 +1426,7 @@ static int acquire_updated_home_record( if (!hr) return log_oom(); - r = user_record_load(hr, json, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG); + r = user_record_load(hr, json, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG|USER_RECORD_PERMISSIVE); if (r < 0) return r; 
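Review bot: In `acquire_new_home_record()` and `acquire_updated_home_record()` the record being loaded is presumably the identity supplied by whoever runs homectl, and with `USER_RECORD_PERMISSIVE` a field that cannot be parsed no longer fails the load. If that also covers a misspelled or malformed field that was meant to restrict the account, the record is accepted without it and the operator sees no error; whether `USER_RECORD_LOG` still reports skipped fields at a visible level cannot be told from these hunks. I would add a comment at both calls, e.g. `/* Permissive: fields we cannot parse are skipped, not rejected; do not assume every supplied field took effect */`, and confirm that skipped fields are logged at warning level on this path. Both function bodies continue outside the hunks.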
diff --git a/src/home/homed-bus.c b/src/home/homed-bus.c index 8f7a646d4a7..24b421a58c0 100644 --- a/src/home/homed-bus.c +++ b/src/home/homed-bus.c @@ -28,7 +28,7 @@ int bus_message_read_secret(sd_bus_message *m, UserRecord **ret, sd_bus_error *e if (!hr) return -ENOMEM; - r = user_record_load(hr, full, USER_RECORD_REQUIRE_SECRET); + r = user_record_load(hr, full, USER_RECORD_REQUIRE_SECRET|USER_RECORD_PERMISSIVE); if (r < 0) return r; diff --git a/src/home/homed-home-bus.c b/src/home/homed-home-bus.c index 2a58ecbc1a8..c71256d15e5 100644 --- a/src/home/homed-home-bus.c +++ b/src/home/homed-home-bus.c @@ -95,7 +95,7 @@ int bus_home_get_record_json( trusted = false; } - flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE; + flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE; if (trusted) flags |= USER_RECORD_ALLOW_PRIVILEGED; else @@ -443,7 +443,7 @@ int bus_home_method_update( assert(message); assert(h); - r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_REQUIRE_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE, &hr, error); + r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_REQUIRE_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE, &hr, error); if (r < 0) return r; diff --git a/src/home/homed-home.c b/src/home/homed-home.c index 54e36e3b712..39dd501a32e 100644 --- a/src/home/homed-home.c +++ b/src/home/homed-home.c 
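Review bot: The value assigned to `flags` in `bus_home_get_record_json()` is now a seven-term expression that is repeated verbatim in `build_user_json()` in homed-varlink.c and in `build_user_json()` and `build_group_json()` in userwork.c, and this commit had to edit all four copies by hand. These are the sites that decide what a peer gets to see (`USER_RECORD_STRIP_SECRET`, then `USER_RECORD_ALLOW_PRIVILEGED` only when `trusted`), so a copy that misses a later flag change is more than a cosmetic problem. A single named constant next to the flag definitions, used as `flags = <shared constant>;` at all four sites (name to be chosen by the maintainers), would keep them from drifting. The function bodies continue outside the hunks.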
@@ -145,7 +145,7 @@ int home_new(Manager *m, UserRecord *hr, const char *sysfs, Home **ret) { return r; } - r = user_record_clone(hr, USER_RECORD_LOAD_MASK_SECRET, &home->record); + r = user_record_clone(hr, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &home->record); if (r < 0) return r; @@ -243,7 +243,7 @@ int home_set_record(Home *h, UserRecord *hr) { if (!new_hr) return -ENOMEM; - r = user_record_load(new_hr, v, USER_RECORD_LOAD_REFUSE_SECRET); + r = user_record_load(new_hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE); if (r < 0) return r; @@ -384,7 +384,7 @@ static int home_parse_worker_stdout(int _fd, UserRecord **ret) { if (!hr) return log_oom(); - r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET); + r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE); if (r < 0) return log_error_errno(r, "Failed to load home record identity: %m"); @@ -1410,7 +1410,7 @@ static int home_update_internal( return sd_bus_error_set(error, BUS_ERROR_HOME_RECORD_DOWNGRADE, "Refusing to update to older home record."); if (!secret && FLAGS_SET(hr->mask, USER_RECORD_SECRET)) { - r = user_record_clone(hr, USER_RECORD_EXTRACT_SECRET, &saved_secret); + r = user_record_clone(hr, USER_RECORD_EXTRACT_SECRET|USER_RECORD_PERMISSIVE, &saved_secret); if (r < 0) return r; @@ -1445,7 +1445,7 @@ static int home_update_internal( return r; } - r = user_record_extend_with_binding(hr, h->record, USER_RECORD_LOAD_MASK_SECRET, &new_hr); + r = user_record_extend_with_binding(hr, h->record, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_hr); if (r < 0) return r; 
@@ -1539,7 +1539,7 @@ int home_resize(Home *h, uint64_t disk_size, UserRecord *secret, sd_bus_error *e if (h->signed_locally <= 0) /* Don't allow changing of records not signed only by us */ return sd_bus_error_setf(error, BUS_ERROR_HOME_RECORD_SIGNED, "Home %s is signed and cannot be modified locally.", h->user_name); - r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET, &c); + r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE, &c); if (r < 0) return r; @@ -1628,7 +1628,7 @@ int home_passwd(Home *h, if (r < 0) return r; - r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET, &c); + r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE, &c); if (r < 0) return r; diff --git a/src/home/homed-manager-bus.c b/src/home/homed-manager-bus.c index 8a06bb62bf7..7ac5b8d0fc7 100644 --- a/src/home/homed-manager-bus.c +++ b/src/home/homed-manager-bus.c @@ -398,7 +398,7 @@ static int method_register_home( assert(message); assert(m); - r = bus_message_read_home_record(message, USER_RECORD_LOAD_EMBEDDED, &hr, error); + r = bus_message_read_home_record(message, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE, &hr, error); if (r < 0) return r; @@ -513,7 +513,7 @@ static int method_update_home(sd_bus_message *message, void *userdata, sd_bus_er assert(message); assert(m); - r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE, &hr, error); + r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE, &hr, error); if (r < 0) return r; diff --git a/src/home/homed-manager.c b/src/home/homed-manager.c index f8dfa272b93..b2554263825 100644 --- a/src/home/homed-manager.c +++ b/src/home/homed-manager.c 
@@ -364,7 +364,7 @@ static int manager_add_home_by_record( if (!hr) return log_oom(); - r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG); + r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG|USER_RECORD_PERMISSIVE); if (r < 0) return r; diff --git a/src/home/homed-varlink.c b/src/home/homed-varlink.c index c42908349a5..96a6ea754e1 100644 --- a/src/home/homed-varlink.c +++ b/src/home/homed-varlink.c @@ -42,7 +42,7 @@ static int build_user_json(Home *h, bool trusted, JsonVariant **ret) { assert(h); assert(ret); - flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE; + flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE; if (trusted) flags |= USER_RECORD_ALLOW_PRIVILEGED; else diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c index 2736095f939..2254eb59cd7 100644 --- a/src/home/homework-cifs.c +++ b/src/home/homework-cifs.c @@ -185,7 +185,7 @@ int home_create_cifs(UserRecord *h, UserRecord **ret_home) { if (r < 0) return r; - r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home); + r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_home); if (r < 0) return log_error_errno(r, "Failed to clone record: %m"); diff --git a/src/home/homework-directory.c b/src/home/homework-directory.c index 2d800033ee6..b35d24c85a0 100644 --- a/src/home/homework-directory.c +++ b/src/home/homework-directory.c 
@@ -158,7 +158,7 @@ int home_create_directory_or_subvolume(UserRecord *h, UserRecord **ret_home) { if (r < 0) return r; - r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home); + r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_home); if (r < 0) return log_error_errno(r, "Failed to clone record: %m"); diff --git a/src/home/homework-fscrypt.c b/src/home/homework-fscrypt.c index 037e4853fd3..86dde4b78b0 100644 --- a/src/home/homework-fscrypt.c +++ b/src/home/homework-fscrypt.c @@ -550,7 +550,7 @@ int home_create_fscrypt( if (r < 0) return r; - r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home); + r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_home); if (r < 0) return log_error_errno(r, "Failed to clone record: %m"); diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c index 543195914fb..7a06bb4b8e5 100644 --- a/src/home/homework-luks.c +++ b/src/home/homework-luks.c @@ -779,7 +779,7 @@ static int luks_validate_home_record( if (!lhr) return log_oom(); - r = user_record_load(lhr, rr, USER_RECORD_LOAD_EMBEDDED); + r = user_record_load(lhr, rr, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE); if (r < 0) return log_error_errno(r, "Failed to parse user record: %m"); @@ -902,7 +902,7 @@ int home_store_header_identity_luks( * the file system, so that we can validate it first, and only then mount the file system. To keep * things simple we use the same encryption settings for this record as for the file system itself. */ - r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &header_home); + r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &header_home); if (r < 0) return log_error_errno(r, "Failed to determine new header record: %m"); 
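Review bot: `luks_validate_home_record()` loads a record that, going by the comment in the following hunk, is stored in the header so it can be validated before the file system is mounted, and with `USER_RECORD_PERMISSIVE` a record containing fields that cannot be parsed now gets past `user_record_load()` instead of ending in "Failed to parse user record". The checks that decide whether this record is acceptable lie outside the hunk, so it should be confirmed that none of them relies on a field that may now be silently absent. A comment at the call would make that explicit, e.g. `/* Permissive load: unparsable fields are ignored here; the checks below are what establish trust in this record */`. The same applies to `home_load_embedded_identity()` in homework.c, which uses the same `USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE` combination.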
@@ -1575,7 +1575,7 @@ static int luks_format( log_info("LUKS activation by volume key succeeded."); - r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED, &reduced); + r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &reduced); if (r < 0) return log_error_errno(r, "Failed to prepare home record for LUKS: %m"); @@ -2139,7 +2139,7 @@ int home_create_luks( if (r < 0) goto fail; - r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_LOG, &new_home); + r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_LOG|USER_RECORD_PERMISSIVE, &new_home); if (r < 0) { log_error_errno(r, "Failed to clone record: %m"); goto fail; diff --git a/src/home/homework.c b/src/home/homework.c index 3b1f4130957..a6e663503bd 100644 --- a/src/home/homework.c +++ b/src/home/homework.c @@ -524,7 +524,7 @@ int home_load_embedded_identity( if (!embedded_home) return log_oom(); - r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED); + r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE); if (r < 0) return r; @@ -609,7 +609,7 @@ int home_store_embedded_identity(UserRecord *h, int root_fd, uid_t uid, UserReco assert(root_fd >= 0); assert(uid_is_valid(uid)); - r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &embedded); + r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &embedded); if (r < 0) return log_error_errno(r, "Failed to determine new embedded record: %m"); @@ -1668,7 +1668,7 @@ static int run(int argc, char *argv[]) { if (!home) return log_oom(); - r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG); + r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG|USER_RECORD_PERMISSIVE); if (r < 0) return r; diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c index 6c2bcbd7d72..b7db39dab9c 100644 --- a/src/home/pam_systemd_home.c +++ b/src/home/pam_systemd_home.c 
@@ -216,7 +216,7 @@ static int acquire_user_record( if (!ur) return pam_log_oom(handle); - r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET); + r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to load user record: %s", strerror_safe(r)); return PAM_SERVICE_ERR; diff --git a/src/home/user-record-sign.c b/src/home/user-record-sign.c index 5ac92255c8b..ab73fba93fa 100644 --- a/src/home/user-record-sign.c +++ b/src/home/user-record-sign.c @@ -14,7 +14,7 @@ static int user_record_signable_json(UserRecord *ur, char **ret) { assert(ur); assert(ret); - r = user_record_clone(ur, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_STRIP_SECRET|USER_RECORD_STRIP_BINDING|USER_RECORD_STRIP_STATUS|USER_RECORD_STRIP_SIGNATURE, &reduced); + r = user_record_clone(ur, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_STRIP_SECRET|USER_RECORD_STRIP_BINDING|USER_RECORD_STRIP_STATUS|USER_RECORD_STRIP_SIGNATURE|USER_RECORD_PERMISSIVE, &reduced); if (r < 0) return r; @@ -95,7 +95,7 @@ int user_record_sign(UserRecord *ur, EVP_PKEY *private_key, UserRecord **ret) { if (!signed_ur) return log_oom(); - r = user_record_load(signed_ur, v, USER_RECORD_LOAD_FULL); + r = user_record_load(signed_ur, v, USER_RECORD_LOAD_FULL|USER_RECORD_PERMISSIVE); if (r < 0) return r; diff --git a/src/home/user-record-util.c b/src/home/user-record-util.c index 4e4f5d2341b..b205f1d1e66 100644 --- a/src/home/user-record-util.c +++ b/src/home/user-record-util.c @@ -252,7 +252,7 @@ int user_record_reconcile( if (!merged) return -ENOMEM; - r = user_record_load(merged, extended, USER_RECORD_LOAD_MASK_SECRET); + r = user_record_load(merged, extended, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE); if (r < 0) return r; 
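Review bot: In `acquire_user_record()` the PAM module now accepts a record in which some fields could not be parsed, and nothing visible in the hunk reports which ones: no `USER_RECORD_LOG` appears in the flag expression and the only `pam_syslog()` call is on the failure path. If a skipped field is one that restricts the session, the module would presumably fall back to that field's default without leaving an audit trail; I cannot tell from the hunk whether this can happen for known fields with invalid values or only for unknown fields. A comment at the call stating which it is would settle that, e.g. `/* Permissive: unknown fields are ignored; <state whether known fields with invalid values are ignored too> */`. The identical change in src/login/pam_systemd.c needs the same comment, and both function bodies continue outside the hunks.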
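Review bot: `user_record_signable_json()` appears, from its name and the `USER_RECORD_STRIP_SIGNATURE` flag, to produce the text a signature is computed over, so it matters whether fields the permissive parser skips are still present in what `user_record_clone()` returns; the hunk does not show this. If they were dropped, content added by another tool would be carried in the record without being covered by the signature. I would add a comment above the clone stating the intended behaviour, e.g. `/* Fields we cannot parse must stay in the signable JSON so that the signature covers them */`, together with a test that signs and verifies a record containing an unknown field. In `user_record_sign()` the JSON in `v` looks freshly generated by this code, which the commit message names as the case where the flag is left off, so a one-line comment saying why it is set there would help.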
@@ -261,7 +261,7 @@ int user_record_reconcile( } /* Strip out secrets */ - r = user_record_clone(host, USER_RECORD_LOAD_MASK_SECRET, ret); + r = user_record_clone(host, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, ret); if (r < 0) return r; diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c index 2021c31bd52..f8bd17eefec 100644 --- a/src/login/pam_systemd.c +++ b/src/login/pam_systemd.c @@ -141,7 +141,7 @@ static int acquire_user_record( if (!ur) return pam_log_oom(handle); - r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET); + r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE); if (r < 0) { pam_syslog(handle, LOG_ERR, "Failed to load user record: %s", strerror_safe(r)); return PAM_SERVICE_ERR; diff --git a/src/nspawn/nspawn-bind-user.c b/src/nspawn/nspawn-bind-user.c index 801a52b7a8d..6852125b9d3 100644 --- a/src/nspawn/nspawn-bind-user.c +++ b/src/nspawn/nspawn-bind-user.c @@ -377,14 +377,16 @@ int bind_user_setup( USER_RECORD_STRIP_PRIVILEGED| USER_RECORD_ALLOW_PER_MACHINE| USER_RECORD_ALLOW_BINDING| - USER_RECORD_ALLOW_SIGNATURE; + USER_RECORD_ALLOW_SIGNATURE| + USER_RECORD_PERMISSIVE; static const UserRecordLoadFlags shadow_flags = /* Extracts privileged info */ USER_RECORD_STRIP_REGULAR| USER_RECORD_ALLOW_PRIVILEGED| USER_RECORD_STRIP_PER_MACHINE| USER_RECORD_STRIP_BINDING| USER_RECORD_STRIP_SIGNATURE| - USER_RECORD_EMPTY_OK; + USER_RECORD_EMPTY_OK| + USER_RECORD_PERMISSIVE; int r; assert(root); diff --git a/src/shared/user-record.c b/src/shared/user-record.c index d519ea08955..de949c57e36 100644 --- a/src/shared/user-record.c +++ b/src/shared/user-record.c 
@@ -2114,7 +2114,7 @@ int user_record_masked_equal(UserRecord *a, UserRecord *b, UserRecordMask mask) /* Compares the two records, but ignores anything not listed in the specified mask */ if ((a->mask & ~mask) != 0) { - r = user_record_clone(a, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX), &x); + r = user_record_clone(a, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX) | USER_RECORD_PERMISSIVE, &x); if (r < 0) return r; @@ -2122,7 +2122,7 @@ int user_record_masked_equal(UserRecord *a, UserRecord *b, UserRecordMask mask) } if ((b->mask & ~mask) != 0) { - r = user_record_clone(b, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX), &y); + r = user_record_clone(b, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX) | USER_RECORD_PERMISSIVE, &y); if (r < 0) return r; diff --git a/src/shared/userdb-dropin.c b/src/shared/userdb-dropin.c index 442c6c952bb..5d79f4688a0 100644 --- a/src/shared/userdb-dropin.c +++ b/src/shared/userdb-dropin.c @@ -82,7 +82,8 @@ static int load_user( USER_RECORD_ALLOW_PER_MACHINE| USER_RECORD_ALLOW_BINDING| USER_RECORD_ALLOW_SIGNATURE| - (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)); + (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)| + USER_RECORD_PERMISSIVE); if (r < 0) return r; @@ -225,7 +226,8 @@ static int load_group( USER_RECORD_ALLOW_PER_MACHINE| USER_RECORD_ALLOW_BINDING| USER_RECORD_ALLOW_SIGNATURE| - (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)); + (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)| + USER_RECORD_PERMISSIVE); if (r < 0) return r; diff --git a/src/userdb/userwork.c b/src/userdb/userwork.c index 21caa540965..8b7a20b08d4 100644 --- a/src/userdb/userwork.c +++ b/src/userdb/userwork.c 
@@ -88,7 +88,7 @@ static int build_user_json(Varlink *link, UserRecord *ur, JsonVariant **ret) { } else trusted = peer_uid == 0 || peer_uid == ur->uid; - flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE; + flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE; if (trusted) flags |= USER_RECORD_ALLOW_PRIVILEGED; else @@ -232,7 +232,7 @@ static int build_group_json(Varlink *link, GroupRecord *gr, JsonVariant **ret) { } else trusted = peer_uid == 0; - flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE; + flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE; if (trusted) flags |= USER_RECORD_ALLOW_PRIVILEGED; else -- 2.47.3