From: Mike Yuan Date: Fri, 6 Mar 2026 18:22:44 +0000 (+0100) Subject: core/unit: refuse PrivatePIDs= + PAMName= X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=6f0731cf34e110a7d964367f42ec16f720ebf486;p=thirdparty%2Fsystemd.git core/unit: refuse PrivatePIDs= + PAMName= Fixes #40928
---
diff --git a/src/core/unit.c b/src/core/unit.c
index 35691363e06..2205ad0e2bc 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4345,10 +4345,13 @@ static int unit_verify_contexts(const Unit *u) {
 return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivatePIDs= setting is only supported for service units. Refusing.");
 if ((ec->user || ec->dynamic_user || ec->group || ec->pam_name) && ec->private_users == PRIVATE_USERS_MANAGED)
- return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivateUsers=managed may not be used in combination with User=/DynamicUser=/Group=/PAMName=, refusing.");
+ return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivateUsers=managed may not be used in combination with User=/DynamicUser=/Group=/PAMName=. Refusing.");
 if (ec->user_namespace_path && ec->private_users != PRIVATE_USERS_NO)
- return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivateUsers= may not be used with custom UserNamespacePath=, refusing.");
+ return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivateUsers= may not be used with custom UserNamespacePath=. Refusing.");
+
+ if (ec->private_pids != PRIVATE_PIDS_NO && ec->pam_name)
+ return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PAM is not supported under PrivatePIDs=. Refusing.");
 const KillContext *kc = unit_get_kill_context(u);
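Review bot: The message on the added `return` names only "PAM", not the `PAMName=` setting that triggers it, while the two neighbouring messages spell out both conflicting settings. An administrator searching the journal for the directive they wrote will not match it. Wording it like its siblings would fix that: `"PrivatePIDs= may not be used in combination with PAMName=. Refusing."`. The new `if` also has no comment saying why the combination is refused; the only rationale on the page is the `Fixes #40928` trailer, so a one-line comment above the check stating the reason would keep a later cleanup from relaxing it. unit_verify_contexts() starts and ends outside this hunk, and whether the unit-file documentation records the restriction cannot be seen from here.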