From 8f9f3cb72414a831699d9012601e09d0daa1051e Mon Sep 17 00:00:00 2001 From: Alexey Bogdanenko Date: Sun, 16 Dec 2018 19:04:28 +0300 Subject: [PATCH] core: fix KeyringMode for user services KeyringMode option is useful for user services. Also, documentation for the option suggests that the option applies to user services. However, setting the option to any of its allowed values has no effect. This commit fixes that and removes EXEC_NEW_KEYRING flag. The flag is no longer necessary: instead of checking if the flag is set we can check if keyring_mode is not equal to EXEC_KEYRING_INHERIT. --- src/core/execute.c | 3 --- src/core/execute.h | 19 +++++++++---------- src/core/service.c | 3 --- 3 files changed, 9 insertions(+), 16 deletions(-) diff --git a/src/core/execute.c b/src/core/execute.c index e966f9cfe8..e11143148f 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2530,9 +2530,6 @@ static int setup_keyring( * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */ - if (!(p->flags & EXEC_NEW_KEYRING)) - return 0; - if (context->keyring_mode == EXEC_KEYRING_INHERIT) return 0; diff --git a/src/core/execute.h b/src/core/execute.h index fb8c752efa..0f1bf56744 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -289,18 +289,17 @@ typedef enum ExecFlags { EXEC_APPLY_SANDBOXING = 1 << 0, EXEC_APPLY_CHROOT = 1 << 1, EXEC_APPLY_TTY_STDIN = 1 << 2, - EXEC_NEW_KEYRING = 1 << 3, - EXEC_PASS_LOG_UNIT = 1 << 4, /* Whether to pass the unit name to the service's journal stream connection */ - EXEC_CHOWN_DIRECTORIES = 1 << 5, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */ - EXEC_NSS_BYPASS_BUS = 1 << 6, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */ - EXEC_CGROUP_DELEGATE = 1 << 7, - EXEC_IS_CONTROL = 1 << 8, - EXEC_CONTROL_CGROUP = 1 << 9, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */ + EXEC_PASS_LOG_UNIT = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */ + EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */ + EXEC_NSS_BYPASS_BUS = 1 << 5, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */ + EXEC_CGROUP_DELEGATE = 1 << 6, + EXEC_IS_CONTROL = 1 << 7, + EXEC_CONTROL_CGROUP = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */ /* The following are not used by execute.c, but by consumers internally */ - EXEC_PASS_FDS = 1 << 10, - EXEC_SETENV_RESULT = 1 << 11, - EXEC_SET_WATCHDOG = 1 << 12, + EXEC_PASS_FDS = 1 << 9, + EXEC_SETENV_RESULT = 1 << 10, + EXEC_SET_WATCHDOG = 1 << 11, } ExecFlags; /* Parameters for a specific invocation of a command. This structure is put together right before a command is diff --git a/src/core/service.c b/src/core/service.c index d631687205..cfa3271232 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -1535,9 +1535,6 @@ static int service_spawn( if (!final_env) return -ENOMEM; - /* System services should get a new keyring by default. */ - SET_FLAG(exec_params.flags, EXEC_NEW_KEYRING, MANAGER_IS_SYSTEM(UNIT(s)->manager)); - /* System D-Bus needs nss-systemd disabled, so that we don't deadlock */ SET_FLAG(exec_params.flags, EXEC_NSS_BYPASS_BUS, MANAGER_IS_SYSTEM(UNIT(s)->manager) && unit_has_name(UNIT(s), SPECIAL_DBUS_SERVICE)); -- 2.25.1