diff --git a/0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch b/0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch
new file mode 100644
index 0000000..b21b108
--- /dev/null
+++ b/0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch
@@ -0,0 +1,102 @@
+From 5aa097c851aebc056871485c35e65d8badc8f69f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 11 Mar 2021 10:02:46 +0100
+Subject: [PATCH] core: allow omitting second part of LoadCredentials= argument
+
+This allows "LoadCredentials=foo" to be used as shortcut for
+"LoadCredentials=foo:foo", i.e. it's a very short way to inherit a
+credential under its original name from the service manager into a
+service.
+
+(cherry picked from commit 8a29862e32fc7981fe16fc8dd79ad6863a8dc486)
+
+Resolves: #1949568
+---
+ man/systemd.exec.xml | 30 ++++++++++++++++--------------
+ src/core/load-fragment.c | 25 +++++++++++++++++--------
+ 2 files changed, 33 insertions(+), 22 deletions(-)
+
+diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
+index 5bb9af3e7d..6ae630f615 100644
+--- a/man/systemd.exec.xml
++++ b/man/systemd.exec.xml
+@@ -2821,7 +2821,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
+
+
+
+- LoadCredential=ID:PATH
++ LoadCredential=ID:PATH
+
+ Pass a credential to the unit. Credentials are limited-size binary or textual objects
+ that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
+@@ -2834,19 +2834,21 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
+ environment variable to the unit's processes.
+
+ The LoadCredential= setting takes a textual ID to use as name for a
+- credential plus a file system path. The ID must be a short ASCII string suitable as filename in the
+- filesystem, and may be chosen freely by the user. If the specified path is absolute it is opened as
+- regular file and the credential data is read from it. If the absolute path refers to an
+- AF_UNIX stream socket in the file system a connection is made to it (only once
+- at unit start-up) and the credential data read from the connection, providing an easy IPC integration
+- point for dynamically providing credentials from other services. If the specified path is not
+- absolute and itself qualifies as valid credential identifier it is understood to refer to a
+- credential that the service manager itself received via the $CREDENTIALS_DIRECTORY
+- environment variable, which may be used to propagate credentials from an invoking environment (e.g. a
+- container manager that invoked the service manager) into a service. The contents of the file/socket
+- may be arbitrary binary or textual data, including newline characters and NUL
+- bytes. This option may be used multiple times, each time defining an additional credential to pass to
+- the unit.
++ credential plus a file system path, separated by a colon. The ID must be a short ASCII string
++ suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
++ is absolute it is opened as regular file and the credential data is read from it. If the absolute
++ path refers to an AF_UNIX stream socket in the file system a connection is made
++ to it (only once at unit start-up) and the credential data read from the connection, providing an
++ easy IPC integration point for dynamically providing credentials from other services. If the
++ specified path is not absolute and itself qualifies as valid credential identifier it is understood
++ to refer to a credential that the service manager itself received via the
++ $CREDENTIALS_DIRECTORY environment variable, which may be used to propagate
++ credentials from an invoking environment (e.g. a container manager that invoked the service manager)
++ into a service. The contents of the file/socket may be arbitrary binary or textual data, including
++ newline characters and NUL bytes. If the file system path is omitted it is
++ chosen identical to the credential name, i.e. this is a terse way do declare credentials to inherit
++ from the service manager into a service. This option may be used multiple times, each time defining
++ an additional credential to pass to the unit.
+
+ The credential files/IPC sockets must be accessible to the service manager, but don't have to
+ be directly accessible to the unit's processes: the credential data is read and copied into separate,
+diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
+index c6fc4fe083..6a998bb801 100644
+--- a/src/core/load-fragment.c
++++ b/src/core/load-fragment.c
+@@ -4606,14 +4606,23 @@ int config_parse_load_credential(
+ log_syntax(unit, LOG_WARNING, filename, line, 0, "Credential name \"%s\" not valid, ignoring.", k);
+ return 0;
+ }
+- r = unit_full_printf(u, p, &q);
+- if (r < 0) {
+- log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p);
+- return 0;
+- }
+- if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) {
+- log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q);
+- return 0;
++
++ if (isempty(p)) {
++ /* If only one field field is specified take it as shortcut for inheriting a credential named
++ * the same way from our parent */
++ q = strdup(k);
++ if (!q)
++ return log_oom();
++ } else {
++ r = unit_full_printf(u, p, &q);
++ if (r < 0) {
++ log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p);
++ return 0;
++ }
++ if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) {
++ log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q);
++ return 0;
++ }
+ }
+
+ r = strv_consume_pair(&context->load_credentials, TAKE_PTR(k), TAKE_PTR(q));
diff --git a/systemd.spec b/systemd.spec
index 2de4d84..1e4a3ba 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -21,7 +21,7 @@ Name: systemd
 Url: https://www.freedesktop.org/wiki/Software/systemd
 Version: 248
-Release: 6%{?dist}
+Release: 7%{?dist}
 # For a breakdown of the licensing, see README
 License: LGPLv2+ and MIT and GPLv2+
 Summary: System and Service Manager
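Review bot: The shortcut branch added in the load-fragment.c hunk also fires for `LoadCredential=foo:` (a trailing colon with nothing after it), because `isempty(p)` cannot distinguish an omitted second field from an empty one; if that spelling should be rejected rather than silently read as `foo:foo`, the split result has to be checked before this point, and either way the behaviour deserves a line in the comment. The comment itself repeats a word and should read `/* If only one field is specified take it as shortcut for inheriting a credential named`. The man-page text in the same patch has a matching slip, `a terse way do declare` for `to declare`. config_parse_load_credential starts and ends outside the hunk, so how `p` and `k` were split is not visible here and the trailing-colon reading is inferred from `isempty(p)` alone; the validation of `k` that precedes the hunk does mean the duplicated name is already a well-formed, non-absolute credential identifier.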
@@ -83,6 +83,7 @@ Patch0003: 0003-logind-set-RemoveIPC-to-false-by-default.patch Patch0004: 0004-Revert-rfkill-fix-the-format-string-to-prevent-compi.patch Patch0005: 0005-Revert-rfkill-don-t-compare-values-of-different-sign.patch Patch0006: 0006-rfkill-add-some-casts-to-silence-Werror-sign-compare.patch +Patch0007: 0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch # Downstream-only patches (9000–9999) # https://github.com/systemd/systemd/pull/17050 @@ -851,6 +852,9 @@ getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /s %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Thu Jun 17 2021 systemd maintenance team - 248-7 +- core: allow omitting second part of LoadCredentials= argument (#1949568) + * Tue Jun 15 2021 Mohan Boddu - Rebuilt for RHEL 9 BETA for openssl 3.0