Debrand for AlmaLinux

Andrew Lukoshko 2026-07-02 04:07:38 +00:00 committed by root
commit d4407d0797
10 changed files with 688 additions and 2 deletions


@ -0,0 +1,90 @@
From ac160a968eb734f18e662bb48254e5200489df77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 6 May 2025 11:14:10 +0200
Subject: [PATCH] man: reword the description of "secure pager" handling
The existing description was not *wrong*, but it was a bit muddled. Let's
reorder the text to give a short intro and then describe what the options
actually do and the clear "true" and "false" cases first, and then describe
autodetection.
Related to https://yeswehack.com/vulnerability-center/reports/346802.
(cherry picked from commit 718dbdb2ca4458cf91711cd9a7de3a972e46658e)
Related: RHEL-102939
---
man/common-variables.xml | 58 ++++++++++++++++++++++++++--------------
1 file changed, 38 insertions(+), 20 deletions(-)
diff --git a/man/common-variables.xml b/man/common-variables.xml
index 2d26bf7242..9f322dbf23 100644
--- a/man/common-variables.xml
+++ b/man/common-variables.xml
@@ -167,28 +167,46 @@
<varlistentry id='lesssecure'>
<term><varname>$SYSTEMD_PAGERSECURE</varname></term>
- <listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if
- false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled
- if the effective UID is not the same as the owner of the login session, see
- <citerefentry project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- and <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall
- disable commands that open or create new files or start new subprocesses. When
- <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement
- secure mode will not be used. (Currently only
- <citerefentry project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- implements secure mode.)</para>
-
- <para>Note: when commands are invoked with elevated privileges, for example under <citerefentry
+ <listitem>
+ <para>Common pager commands like <citerefentry
+ project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry>, in
+ addition to "paging", i.e. scrolling through the output, support opening of or writing to other files
+ and running arbitrary shell commands. When commands are invoked with elevated privileges, for example
+ under <citerefentry
project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
<citerefentry
- project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care
- must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the
- pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname>
- or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note
- that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be
- honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completely
- disable the pager using <option>--no-pager</option> instead.</para></listitem>
+ project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, the
+ pager becomes a security boundary. Care must be taken that only programs with strictly limited
+ functionality are used as pagers, and unintended interactive features like opening or creation of new
+ files or starting of subprocesses are not allowed. "Secure mode" for the pager may be enabled as
+ described below, <emphasis>if the pager supports that</emphasis> (most pagers are not written in a way
+ that takes this into consideration). It is recommended to either explicitly enable "secure mode" or to
+ completely disable the pager using <option>--no-pager</option> or <varname>PAGER=cat</varname> when
+ allowing untrusted users to execute commands with elevated privileges.</para>
+
+ <para>This option takes a boolean argument. When set to true, the "secure mode" of the pager is
+ enabled. In "secure mode", <option>LESSSECURE=1</option> will be set when invoking the pager, which
+ instructs the pager to disable commands that open or create new files or start new subprocesses.
+ Currently only <citerefentry
+ project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> is known
+ to understand this variable and implement "secure mode".</para>
+
+ <para>When set to false, no limitation is placed on the pager. Setting
+ <varname>SYSTEMD_PAGERSECURE=0</varname> or not removing it from the inherited environment may allow
+ the user to invoke arbitrary commands.</para>
+
+ <para>When <varname>$SYSTEMD_PAGERSECURE</varname> is not set, systemd tools attempt to automatically
+ figure out if "secure mode" should be enabled and whether the pager supports it. "Secure mode" is
+ enabled if the effective UID is not the same as the owner of the login session, see
+ <citerefentry project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ In this case, <varname>SYSTEMD_PAGERSECURE=1</varname> will be set and pagers which are not known to
+ implement "secure mode" will not be used at all.</para>
+
+ <para>Note that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to
+ be honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too.</para>
+ </listitem>
</varlistentry>
<varlistentry id='colors'>
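Review bot: the closing paragraph ("if $SYSTEMD_PAGER or $PAGER are to be honoured, $SYSTEMD_PAGERSECURE must be set too") states the rule without its reason, and the reason is two paragraphs up: in the unset case "pagers which are not known to implement "secure mode" will not be used at all", so a user-chosen pager is silently replaced by the built-in choice. Suggest joining the two, e.g. "... must be set too, since otherwise only pagers known to implement secure mode are used." In the "When set to false" paragraph, "Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited environment" reads as if removing the variable were the remedy; "or leaving SYSTEMD_PAGERSECURE=0 in an environment inherited across sudo or pkexec" ties it to the scenario the first paragraph describes.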


@ -0,0 +1,132 @@
From 517489471d6f314e834a6ee675974151ce2e0234 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 6 May 2025 14:29:02 +0200
Subject: [PATCH] pager: also check for $SUDO_UID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This returns to the original approach proposed in
https://github.com/systemd/systemd/pull/17270. After review, the approach was
changed to use sd_pid_get_owner_uid() instead. Back then, when running in a
typical graphical session, sd_pid_get_owner_uid() would usually return the user
UID, and when running under sudo, geteuid() would return 0, so we'd trigger the
secure path.
sudo may allocate a new session if it is invoked outside of a session (depending
on the PAM config). Since nowadays desktop environments usually start the user
shell through user units, the typical shell in a terminal emulator is not part
of a session, and when sudo is invoked, a new session is allocated, and
sd_pid_get_owner_uid() returns 0 too. Technically, the code still works as
documented in the man page, but in the common case, it doesn't do the expected
thing.
$ build/test-sd-login |& rg 'get_(owner_uid|cgroup|session)'
sd_pid_get_session(0) → No data available
sd_pid_get_owner_uid(0) → 1000
sd_pid_get_cgroup(0) → /user.slice/user-1000.slice/user@1000.service/app.slice/app-ghostty-transient-5088.scope/surfaces/556FAF50BA40.scope
$ sudo build/test-sd-login |& rg 'get_(owner_uid|cgroup|session)'
sd_pid_get_session(0) → c289
sd_pid_get_owner_uid(0) → 0
sd_pid_get_cgroup(0) → /user.slice/user-0.slice/session-c289.scope
I think it's worth checking for sudo because it is a common case used by users.
There obviously are other mechanisms, so the man page is extended to say that
only some common mechanisms are supported, and to (again) recommend setting
SYSTEMD_LESSSECURE explicitly. The other option would be to set "secure mode"
by default. But this would create an inconvenience for users doing the right
thing, running systemctl and other tools directly, because then they can't run
privileged commands from the pager, e.g. to save the output to a file. (Or the
user would need to explicitly set SYSTEMD_LESSSECURE. One option would be to
set it always in the environment and to rely on sudo and other tools stripping
it from the environment before running privileged code. But that is also fairly
fragile and it obviously relies on the user doing a complicated setup to
support a fairly common use case. I think this decreases usability of the
system quite a bit. I don't think we should build solutions that work in
principle, but are painfully inconvenient in common cases.)
Fixes https://yeswehack.com/vulnerability-center/reports/346802.
Also see https://github.com/polkit-org/polkit/pull/562, which adds support for
$SUDO_UID/$SUDO_GID to pkexec.
(cherry picked from commit cd93478af8b9dc69478d5667f113b67d175090fa)
Resolves: RHEL-102939
---
man/common-variables.xml | 13 ++++++++++---
src/shared/pager.c | 29 +++++++++++++++++++----------
2 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/man/common-variables.xml b/man/common-variables.xml
index 9f322dbf23..825cfe57e9 100644
--- a/man/common-variables.xml
+++ b/man/common-variables.xml
@@ -200,9 +200,16 @@
enabled if the effective UID is not the same as the owner of the login session, see
<citerefentry project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>
and
- <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
- In this case, <varname>SYSTEMD_PAGERSECURE=1</varname> will be set and pagers which are not known to
- implement "secure mode" will not be used at all.</para>
+ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+ or when running under
+ <citerefentry><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or similar
+ tools (<varname>$SUDO_UID</varname> is set <footnote>
+ <para>It is recommended for other tools to set and check <varname>$SUDO_UID</varname> as appropriate,
+ treating it is a common interface.</para></footnote>). In those cases,
+ <varname>SYSTEMD_PAGERSECURE=1</varname> will be set and pagers which are not known to implement
+ "secure mode" will not be used at all. Note that this autodetection only covers the most common
+ mechanisms to elevate privileges and is intended as convenience. It is recommended to explicitly set
+ <varname>$SYSTEMD_PAGERSECURE</varname> or disable the pager.</para>
<para>Note that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to
be honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too.</para>
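Review bot: typo in the footnote, "treating it is a common interface" should read "treating it as a common interface". The new sudo citerefentry also lacks the project='man-pages' attribute that the existing sudo reference earlier in this varlistentry (the 0683 hunk) carries, so the rendered cross-reference will resolve differently; add the attribute for consistency.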
diff --git a/src/shared/pager.c b/src/shared/pager.c
index 9b8ae76700..f1043ec132 100644
--- a/src/shared/pager.c
+++ b/src/shared/pager.c
@@ -82,6 +82,22 @@ static int no_quit_on_interrupt(int exe_name_fd, const char *less_opts) {
return r;
}
+static bool running_with_escalated_privileges(void) {
+ int r;
+
+ if (getenv("SUDO_UID"))
+ return true;
+
+ uid_t uid;
+ r = sd_pid_get_owner_uid(0, &uid);
+ if (r < 0) {
+ log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
+ return true;
+ }
+
+ return uid != geteuid();
+}
+
void pager_open(PagerFlags flags) {
_cleanup_close_pair_ int fd[2] = EBADF_PAIR, exe_name_pipe[2] = EBADF_PAIR;
_cleanup_strv_free_ char **pager_args = NULL;
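Review bot: the new function reads SUDO_UID with plain getenv() while the caller (next hunk) reads $SYSTEMD_PAGERSECURE through secure_getenv_bool(); the asymmetry is acceptable because a forged or empty SUDO_UID can only switch secure mode on, never off, but that fail-closed reasoning belongs in a comment above the getenv() call so nobody later "hardens" it to secure_getenv() or adds a value check. The function also returns true whenever sd_pid_get_owner_uid() fails, i.e. for "no session at all", not only for a privilege change, so "running_with_escalated_privileges" overstates what it knows; either name it for what it checks (cannot prove unprivileged) or say in the comment that unknown means secure.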
@@ -177,16 +193,9 @@ void pager_open(PagerFlags flags) {
* know to be good. */
int use_secure_mode = secure_getenv_bool("SYSTEMD_PAGERSECURE");
bool trust_pager = use_secure_mode >= 0;
- if (use_secure_mode == -ENXIO) {
- uid_t uid;
-
- r = sd_pid_get_owner_uid(0, &uid);
- if (r < 0)
- log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
-
- use_secure_mode = r < 0 || uid != geteuid();
-
- } else if (use_secure_mode < 0) {
+ if (use_secure_mode == -ENXIO)
+ use_secure_mode = running_with_escalated_privileges();
+ else if (use_secure_mode < 0) {
log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m");
use_secure_mode = true;
}
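Review bot: `trust_pager` is computed from the raw secure_getenv_bool() result before the -ENXIO and -EINVAL fixups, which is what makes an unparseable value both "assume secure" and "do not trust the pager"; a one-line comment next to `bool trust_pager = use_secure_mode >= 0;` would spare the next reader that reconstruction. With the old block gone, `r` is no longer assigned in this part of pager_open(); check its remaining uses so the build does not pick up an unused-variable warning.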

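As an added example (not part of this patch series or of systemd), here is a shell model of the decision the autodetection described above makes, built from the man page text and the pager.c logic in the hunks: which combinations of $SYSTEMD_PAGERSECURE, $SUDO_UID, session owner and effective UID end up in secure mode, and when a user-chosen pager is trusted. All inputs are passed as arguments so the model runs offline; the real code reads the environment, sd_pid_get_owner_uid() and geteuid(), and the secure_getenv() behaviour for setuid (AT_SECURE) processes is not modelled.

```shell
#!/bin/sh
# Added example, not systemd's code: a shell model of the secure-mode decision
# made in pager_open() (src/shared/pager.c), following the man page text and
# the commit message above. Inputs are explicit so the model runs offline.

# parse_boolean VALUE: mirrors the spellings systemd's parse_boolean() accepts.
# Prints 1 or 0; returns non-zero for anything else.
parse_boolean() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|yes|y|true|t|on)   echo 1 ;;
        0|no|n|false|f|off)  echo 0 ;;
        *)                   return 1 ;;
    esac
}

# running_with_escalated_privileges SUDO_UID OWNER_UID EUID
# SUDO_UID is the variable's value or the literal "unset"; OWNER_UID is what
# sd_pid_get_owner_uid() would return or "nosession" when it fails.
# True when SUDO_UID is present (any value, even empty), when the session
# owner is unknown, or when the session owner differs from the effective UID.
running_with_escalated_privileges() {
    rs_sudo=$1 rs_owner=$2 rs_euid=$3
    [ "$rs_sudo" != unset ] && return 0
    [ "$rs_owner" = nosession ] && return 0
    [ "$rs_owner" != "$rs_euid" ]
}

# pager_policy SYSTEMD_PAGERSECURE SUDO_UID OWNER_UID EUID
# Prints "secure=<0|1> trust_pager=<0|1>". trust_pager=0 means a pager from
# $SYSTEMD_PAGER/$PAGER that is not known to implement secure mode is not used.
pager_policy() {
    pagersecure=$1 sudo_uid=$2 owner_uid=$3 euid=$4
    if [ "$pagersecure" = unset ]; then
        # autodetection (-ENXIO case): pager untrusted, secure only if escalated
        trust=0
        if running_with_escalated_privileges "$sudo_uid" "$owner_uid" "$euid"; then
            secure=1
        else
            secure=0
        fi
    elif secure=$(parse_boolean "$pagersecure"); then
        # explicit, parseable value: honoured as-is and the pager is trusted
        trust=1
    else
        # unparseable (-EINVAL): "assuming true", and the pager is not trusted
        secure=1 trust=0
    fi
    echo "secure=$secure trust_pager=$trust"
}

# Constructed scenarios: plain user shell, sudo from a session-less desktop
# shell (owner UID 0 after sudo allocates a session), su without SUDO_UID
# (not detected), and an explicit SYSTEMD_PAGERSECURE=0 inherited across sudo.
pager_policy unset unset 1000 1000
pager_policy unset 1000 0 0
pager_policy unset unset 0 0
pager_policy 0 1000 0 0
```

The third scenario is the case the man page text warns about: a root shell reached without a tool that sets $SUDO_UID, in a session owned by UID 0, is indistinguishable from an ordinary root login and stays in non-secure mode, which is why the text recommends setting $SYSTEMD_PAGERSECURE explicitly or using --no-pager.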

@ -0,0 +1,38 @@
From fef6198a931a9d7538c0c93a446fd02ffc52fc79 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 25 Jun 2026 14:26:45 +0200
Subject: [PATCH] Revert "mount-setup: tune down log level if usrquota is not
supported, apply usrquota when smack is in use too"
This reverts commit d5642d888c6bc1b8014b727b6b1b4851a0829239.
Reverts: RHEL-143028
---
src/shared/mount-setup.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
index 4c5151c7db..93e646d045 100644
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@@ -90,7 +90,7 @@ static const MountPoint mount_table[] = {
{ "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV,
mac_smack_use, MNT_FATAL },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- mac_smack_use, MNT_FATAL|MNT_USRQUOTA_GRACEFUL },
+ mac_smack_use, MNT_FATAL },
#endif
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_USRQUOTA_GRACEFUL },
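Review bot: this hunk drops MNT_USRQUOTA_GRACEFUL only from the smack-specific /dev/shm entry; the generic entry two lines below still carries the flag until patch 0688 in this series deletes both that use and the `MNT_USRQUOTA_GRACEFUL = 1 << 4` enumerator. The four reverts therefore only build when applied in order 0685 through 0688; a sentence in the commit message saying so would stop them being cherry-picked individually.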
@@ -194,9 +194,9 @@ static int mount_one(const MountPoint *p, bool relabel) {
if (FLAGS_SET(p->mode, MNT_USRQUOTA_GRACEFUL)) {
r = mount_option_supported(p->type, "usrquota", /* value= */ NULL);
if (r < 0)
- log_full_errno(priority, r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", p->type);
+ log_warning_errno(r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", p->type);
else if (r == 0)
- log_debug("Not enabling 'usrquota' on '%s' as kernel lacks support for it.", p->where);
+ log_info("Not enabling 'usrquota' on '%s' as kernel lacks support for it.", p->where);
else {
if (!strextend_with_separator(&extend_options, ",", p->options ?: POINTER_MAX, "usrquota"))
return log_oom();
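Review bot: restoring log_warning_errno()/log_info() here means every boot on a kernel without tmpfs quota support logs at info or warning level again, which is exactly what the reverted commit toned down; that is only harmless because 0688 removes this whole block afterwards, so anyone stopping at this patch gets the noise back. Also confirm `priority` still has a user after the `log_full_errno(priority, ...)` line goes (it does, the mount_verbose_full() call later in mount_one() takes it), otherwise it becomes an unused variable.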


@ -0,0 +1,72 @@
From 05f890fb4841d10372aee1413340013e701ee210 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 25 Jun 2026 14:28:13 +0200
Subject: [PATCH] Revert "nspawn: enable usrquota support on /tmp/ and
/dev/shm/"
This reverts commit b9cfb8c02ec36304e0a3ba730363a6dd747dd26a.
Reverts: RHEL-143028
---
src/nspawn/nspawn-mount.c | 21 ++-------------------
src/nspawn/nspawn-mount.h | 1 -
2 files changed, 2 insertions(+), 20 deletions(-)
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index cd5a634ec0..c233cdf600 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -592,7 +592,7 @@ int mount_all(const char *dest,
/* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing when we are privileged) */
{ "tmpfs", "/tmp", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR|MOUNT_USRQUOTA_GRACEFUL },
+ MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR },
{ "tmpfs", "/sys", "tmpfs", "mode=0555" TMPFS_LIMITS_SYS, MS_NOSUID|MS_NOEXEC|MS_NODEV,
MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS|MOUNT_MKDIR|MOUNT_PRIVILEGED },
{ "sysfs", "/sys", "sysfs", NULL, SYS_DEFAULT_MOUNT_FLAGS,
@@ -602,7 +602,7 @@ int mount_all(const char *dest,
{ "tmpfs", "/dev", "tmpfs", "mode=0755" TMPFS_LIMITS_PRIVATE_DEV, MS_NOSUID|MS_STRICTATIME,
MOUNT_FATAL|MOUNT_MKDIR },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- MOUNT_FATAL|MOUNT_MKDIR|MOUNT_USRQUOTA_GRACEFUL },
+ MOUNT_FATAL|MOUNT_MKDIR },
{ "tmpfs", "/run", "tmpfs", "mode=0755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
MOUNT_FATAL|MOUNT_MKDIR },
{ "/run/host", "/run/host", NULL, NULL, MS_BIND,
@@ -710,23 +710,6 @@ int mount_all(const char *dest,
o = options;
}
- if (FLAGS_SET(m->mount_settings, MOUNT_USRQUOTA_GRACEFUL)) {
- r = mount_option_supported(m->type, /* key= */ "usrquota", /* value= */ NULL);
- if (r < 0)
- log_warning_errno(r, "Failed to determine if '%s' supports 'usrquota', assuming it doesn't: %m", m->type);
- else if (r == 0)
- log_debug("Kernel doesn't support 'usrquota' on '%s', not including in mount options for '%s'.", m->type, m->where);
- else {
- _cleanup_free_ char *joined = NULL;
-
- if (!strextend_with_separator(&joined, ",", o ?: POINTER_MAX, "usrquota"))
- return log_oom();
-
- free_and_replace(options, joined);
- o = options;
- }
- }
-
if (FLAGS_SET(m->mount_settings, MOUNT_PREFIX_ROOT)) {
/* Optionally prefix the mount source with the root dir. This is useful in bind
* mounts to be created within the container image before we transition into it. Note
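Review bot: after this hunk mount_option_supported() and strextend_with_separator() have no caller left in this function; check whether the headers that declare them are still needed by the rest of nspawn-mount.c. Also grep for any remaining use of MOUNT_USRQUOTA_GRACEFUL outside the two table entries above, since the header hunk below deletes the enumerator and a leftover reference will not compile.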
diff --git a/src/nspawn/nspawn-mount.h b/src/nspawn/nspawn-mount.h
index 529fa16658..5f66bc7328 100644
--- a/src/nspawn/nspawn-mount.h
+++ b/src/nspawn/nspawn-mount.h
@@ -21,7 +21,6 @@ typedef enum MountSettingsMask {
MOUNT_PREFIX_ROOT = 1 << 10,/* if set, prefix the source path with the container's root directory */
MOUNT_FOLLOW_SYMLINKS = 1 << 11,/* if set, we'll follow symlinks for the mount target */
MOUNT_PRIVILEGED = 1 << 12,/* if set, we'll only mount this in the outer child if we are running in privileged mode */
- MOUNT_USRQUOTA_GRACEFUL = 1 << 13,/* if set, append "usrquota" to mount options if kernel tmpfs supports that */
} MountSettingsMask;
typedef enum CustomMountType {


@ -0,0 +1,25 @@
From 9da37815ff97c67a890f2e74893a7e79d45bded9 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 25 Jun 2026 14:28:48 +0200
Subject: [PATCH] Revert "units: enable usrquota support on /tmp/"
This reverts commit bc192261e4801ad27a8610fea4e10010d705bfc0.
Reverts: RHEL-143028
---
units/tmp.mount | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/units/tmp.mount b/units/tmp.mount
index 373b131211..d7beaa8d14 100644
--- a/units/tmp.mount
+++ b/units/tmp.mount
@@ -22,7 +22,7 @@ After=swap.target
What=tmpfs
Where=/tmp
Type=tmpfs
-Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,x-systemd.graceful-option=usrquota
+Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m
# Make 'systemctl enable tmp.mount' work:
[Install]
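Review bot: this is a user-visible change in the shipped unit: /tmp no longer gets `usrquota` on kernels that support it, so per-user quota accounting on tmpfs that the reverted commit enabled goes away. Nothing in the series removes support for `x-systemd.graceful-option=` itself, so an administrator can restore the old behaviour with a drop-in overriding Options=; the changelog only lists the revert title, and a line on the behaviour change would help anyone who relied on it.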


@ -0,0 +1,75 @@
From 1d0d81d776f35dc0c5c2f98fbf546fee06fdf2ff Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 25 Jun 2026 14:29:22 +0200
Subject: [PATCH] Revert "pid1: enable usrquota support on /dev/shm"
This reverts commit 75f712d4fb8d5b05f28eda98e9ae44512ba6d7f8.
Reverts: RHEL-143028
---
src/shared/mount-setup.c | 33 ++++++++-------------------------
1 file changed, 8 insertions(+), 25 deletions(-)
diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
index 93e646d045..e7a315a420 100644
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@@ -34,12 +34,11 @@
#include "virt.h"
typedef enum MountMode {
- MNT_NONE = 0,
- MNT_FATAL = 1 << 0,
- MNT_IN_CONTAINER = 1 << 1,
- MNT_CHECK_WRITABLE = 1 << 2,
- MNT_FOLLOW_SYMLINK = 1 << 3,
- MNT_USRQUOTA_GRACEFUL = 1 << 4,
+ MNT_NONE = 0,
+ MNT_FATAL = 1 << 0,
+ MNT_IN_CONTAINER = 1 << 1,
+ MNT_CHECK_WRITABLE = 1 << 2,
+ MNT_FOLLOW_SYMLINK = 1 << 3,
} MountMode;
typedef struct MountPoint {
@@ -93,7 +92,7 @@ static const MountPoint mount_table[] = {
mac_smack_use, MNT_FATAL },
#endif
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_USRQUOTA_GRACEFUL },
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "devpts", "/dev/pts", "devpts", "mode=" STRINGIFY(TTY_MODE) ",gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
NULL, MNT_IN_CONTAINER },
#if ENABLE_SMACK
@@ -189,29 +188,13 @@ static int mount_one(const MountPoint *p, bool relabel) {
else
(void) mkdir_p(p->where, 0755);
- _cleanup_free_ char *extend_options = NULL;
- const char *o = p->options;
- if (FLAGS_SET(p->mode, MNT_USRQUOTA_GRACEFUL)) {
- r = mount_option_supported(p->type, "usrquota", /* value= */ NULL);
- if (r < 0)
- log_warning_errno(r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", p->type);
- else if (r == 0)
- log_info("Not enabling 'usrquota' on '%s' as kernel lacks support for it.", p->where);
- else {
- if (!strextend_with_separator(&extend_options, ",", p->options ?: POINTER_MAX, "usrquota"))
- return log_oom();
-
- o = extend_options;
- }
- }
-
log_debug("Mounting %s to %s of type %s with options %s.",
p->what,
p->where,
p->type,
- strna(o));
+ strna(p->options));
- r = mount_verbose_full(priority, p->what, p->where, p->type, p->flags, o, FLAGS_SET(p->mode, MNT_FOLLOW_SYMLINK));
+ r = mount_verbose_full(priority, p->what, p->where, p->type, p->flags, p->options, FLAGS_SET(p->mode, MNT_FOLLOW_SYMLINK));
if (r < 0)
return FLAGS_SET(p->mode, MNT_FATAL) ? r : 0;
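Review bot: this hunk deletes the log_warning_errno()/log_info() forms of the messages, which only exist because 0685 earlier in the series first reverted the log-level tweak; the two reverts are order-dependent and need to travel together, which is worth stating in the commit message. With the block gone, mount_option_supported() and strextend_with_separator() may have no remaining caller in mount-setup.c, so check whether their includes are still needed; `r` is still assigned by mount_verbose_full() below, so that part is fine.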


@ -0,0 +1,88 @@
From 99af961154502ebce7b0c99875f131af9dc19955 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 12 Mar 2026 07:14:44 +0900
Subject: [PATCH] Revert "udev-builtin-net-id: print cescaped bad attributes"
This reverts commit 7c4047957ef58744ecfad6d277f7c45d430f6d70.
This is not necessary, as bad characters are already filtered.
(cherry picked from commit c6ea72e39a8d829b1bd65f15f6dd7d1c2b6d04c3)
Resolves: RHEL-180922
---
src/udev/udev-builtin-net_id.c | 19 +++++++------------
1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
index fd39a90c87..0d3c62f4b5 100644
--- a/src/udev/udev-builtin-net_id.c
+++ b/src/udev/udev-builtin-net_id.c
@@ -28,7 +28,6 @@
#include "device-private.h"
#include "device-util.h"
#include "dirent-util.h"
-#include "escape.h"
#include "ether-addr-util.h"
#include "fd-util.h"
#include "fileio.h"
@@ -46,12 +45,6 @@
#define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1)
#define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1)
-static int log_invalid_device_attr(sd_device *dev, const char *attr, const char *value) {
- _cleanup_free_ char *escaped = cescape(value);
- return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL),
- "Invalid %s value '%s'.", attr, strnull(escaped));
-}
-
/* skip intermediate virtio devices */
static sd_device *device_skip_virtio(sd_device *dev) {
/* there can only ever be one virtio bus per parent device, so we can
@@ -245,7 +238,7 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re
}
if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
- return log_invalid_device_attr(dev, "phys_port_name", phys_port_name);
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
/* Otherwise, use phys_port_name as is. */
buf = strjoin("n", phys_port_name);
@@ -352,7 +345,7 @@ static int names_pci_onboard_label(UdevEvent *event, sd_device *pci_dev, const c
return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m");
if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL))
- return log_invalid_device_attr(dev, "label", label);
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label");
char str[ALTIFNAMSIZ];
if (snprintf_ok(str, sizeof str, "%s%s",
@@ -758,7 +751,8 @@ static int names_vio(UdevEvent *event, const char *prefix) {
"VIO bus ID and slot ID have invalid length: %s", s);
if (!in_charset(s, HEXDIGITS))
- return log_invalid_device_attr(dev, "VIO bus ID and slot ID", s);
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL),
+ "VIO bus ID and slot ID contain invalid characters: %s", s);
/* Parse only slot ID (the last 4 hexdigits). */
r = safe_atou_full(s + 4, 16, &slotid);
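Review bot: `s` is printed with %s immediately after failing in_charset(s, HEXDIGITS), i.e. exactly when it is known to contain characters outside the expected set, and the cescape() that used to neutralise control characters in that message is what this revert removes. The commit message says bad characters are already filtered before this point, but the filter is not visible in this function; please name it (where the VIO sysname is validated) in the commit message, or keep the escaping for this message. The phys_port_name and label hunks above avoid the question by not printing the value at all.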
@@ -814,7 +808,8 @@ static int names_platform(UdevEvent *event, const char *prefix) {
return -EOPNOTSUPP;
if (!in_charset(vendor, validchars))
- return log_invalid_device_attr(dev, "platform vendor", vendor);
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ENOENT),
+ "Platform vendor contains invalid characters: %s", vendor);
ascii_strlower(vendor);
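Review bot: same concern as in the VIO hunk, `vendor` is printed verbatim right after failing the `validchars` check. Separately, this path returns ENOENT where the sibling checks return EINVAL; that is the pre-revert state being restored, so it is fine for a pure revert, but worth a follow-up to align.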
@@ -1270,7 +1265,7 @@ static int names_netdevsim(UdevEvent *event, const char *prefix) {
return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP),
"The 'phys_port_name' attribute is empty.");
if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
- return log_invalid_device_attr(dev, "phys_port_name", phys_port_name);
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
char str[ALTIFNAMSIZ];
if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name))


@ -0,0 +1,71 @@
From 890fa2263270063b5db76e950db13c1df19ee00f Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 24 Mar 2026 14:29:27 +0100
Subject: [PATCH] homectl: apply all --member-of= groups from a comma-separated
list
Commit 0e1ede4b4b6d1ce6b5b6cda5f803e4f1b5aa4a03 introduced a bug where
we'd always fetch the "original" (empty) list of groups when processing
a comma-separated list of groups from the --member-of= option, so only
the last group from the list would get applied. This bug was then later
(in 316e9887f2a48bd1c4efa3e31b4bfbaeb22de3a3) refactored into a separate
function.
Follow-up for 0e1ede4b4b6d1ce6b5b6cda5f803e4f1b5aa4a03.
Fixes: #41286
(cherry picked from commit f912de93125bcf0b6c59770503424bcafc683e78)
Resolves: RHEL-180924
---
src/home/homectl.c | 2 +-
test/units/TEST-46-HOMED.sh | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/home/homectl.c b/src/home/homectl.c
index c99663ffea..d6eb04a1e5 100644
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@@ -4080,7 +4080,7 @@ static int parse_argv(int argc, char *argv[]) {
if (!valid_user_group_name(word, 0))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid group name %s.", word);
- mo = sd_json_variant_ref(sd_json_variant_by_key(arg_identity_extra, "memberOf"));
+ mo = sd_json_variant_ref(sd_json_variant_by_key(*(match_identity ?: &arg_identity_extra), "memberOf"));
r = sd_json_variant_strv(mo, &list);
if (r < 0)
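Review bot: `mo` is re-created with sd_json_variant_ref() on every iteration of the word loop; unless `mo` is declared with _cleanup_(sd_json_variant_unrefp) and unreffed or reset before this line, each additional group leaks one reference. The expression `*(match_identity ?: &arg_identity_extra)` also reads as a puzzle: a short comment that match_identity points at the identity being accumulated across iterations (so that groups already added from the same list are seen) would explain why the fix is to read from it rather than from arg_identity_extra.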
diff --git a/test/units/TEST-46-HOMED.sh b/test/units/TEST-46-HOMED.sh
index 998a52c76a..544dedfb0a 100755
--- a/test/units/TEST-46-HOMED.sh
+++ b/test/units/TEST-46-HOMED.sh
@@ -82,6 +82,29 @@ inspect test-user
SYSTEMD_LOG_LEVEL=debug PASSWORD=yPN4N0fYNKUkOq NEWPASSWORD=xEhErW0ndafV4s homectl passwd test-user
inspect test-user
+# --member-of=
+systemd-sysusers --inline "g test-group1" "g test-group2"
+# Single group
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group1"
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1"]' ]]
+# Multiple groups
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group1,test-group2"
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1","test-group2"]' ]]
+# Empty argument
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of=
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == 'null' ]]
+# Argument shenanigans
+# - only separators
+(! PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of=",,,,,,,,,,,,,,,,,,")
+# - invalid group
+(! PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group1,inv@lid.group?")
+# - separators & valid groups
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of=",,,,,test-group1,,,,,,,,,,,,,,test-group2,"
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1","test-group2"]' ]]
+# - duplicate groups
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group2,test-group1,test-group1,test-group2"
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1","test-group2"]' ]]
+
homectl deactivate test-user
inspect test-user
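Review bot: the duplicate-groups case asserts `["test-group1","test-group2"]` for the input "test-group2,test-group1,test-group1,test-group2", so the test pins down both de-duplication and sorted output, neither of which the commit message or the --member-of= documentation states; either document the ordering as a guarantee or compare as sets. The tests also encode an asymmetry worth a comment: an empty `--member-of=` clears the list to null, while a list of only separators is rejected; saying which error the "only separators" case expects would make the test self-explaining.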


@ -0,0 +1,75 @@
From 535334a89f042af82de1284f4142c5966fbf1519 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 13 Jan 2026 15:48:56 +0900
Subject: [PATCH] udevadm: gracefully handle when a masked file is specified to
udevadm verify/cat
Previously, since 7cb4508c5af465ab1be1b103e6c2b613eb58e63c, if a masked
file is specified, the commands failed.
Let's warn that the file is masked and ignore the file.
(cherry picked from commit 782569afd05b97143938ec294b5a28b4f2ffb75c)
Resolves: RHEL-180917
---
src/udev/udevadm-util.c | 11 +++++++++++
test/units/TEST-17-UDEV.10.sh | 2 +-
test/units/TEST-17-UDEV.11.sh | 3 +--
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/udev/udevadm-util.c b/src/udev/udevadm-util.c
index 4aa5e6b6d7..4c6c76dd54 100644
--- a/src/udev/udevadm-util.c
+++ b/src/udev/udevadm-util.c
@@ -149,6 +149,12 @@ static int search_rules_file_in_conf_dirs(const char *s, const char *root, char
if (!path)
return log_oom();
+ r = null_or_empty_path_with_root(path, root);
+ if (r > 0) {
+ log_warning("File '%s%s' is a mask, ignoring.", empty_to_root(root), skip_leading_slash(path));
+ return 1; /* Found masked file. */
+ }
+
r = chase(path, root, CHASE_PREFIX_ROOT | CHASE_MUST_BE_REGULAR, &resolved, /* ret_fd = */ NULL);
if (r == -ENOENT)
continue;
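Review bot: the masked case returns 1 here and 0 in the next hunk, with the identical comment "Found masked file." on both; if 1 means "found, stop searching the conf dirs" and 0 means "success, nothing added" for the direct-path case, say so in the comments, because the same wording with different values invites a later "fix". A negative return from null_or_empty_path_with_root() is deliberately ignored so that chase() below produces the ENOENT or permission error; a short comment ("r < 0 is handled by chase() below") would make that intent explicit.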
@@ -183,6 +189,11 @@ static int search_rules_file(const char *s, const char *root, char ***files) {
if (r < 0)
return log_error_errno(r, "Failed to chase \"%s\": %m", s);
+ if (null_or_empty(&st)) {
+ log_warning("File '%s%s' is a mask, ignoring.", empty_to_root(root), skip_leading_slash(s));
+ return 0; /* Found masked file. */
+ }
+
r = stat_verify_regular(&st);
if (r == -EISDIR) {
_cleanup_strv_free_ char **files_in_dir = NULL;
diff --git a/test/units/TEST-17-UDEV.10.sh b/test/units/TEST-17-UDEV.10.sh
index 68d310a8e5..b81b8a9b1f 100755
--- a/test/units/TEST-17-UDEV.10.sh
+++ b/test/units/TEST-17-UDEV.10.sh
@@ -38,7 +38,7 @@ udevadm cat 99-systemd
udevadm cat 99-systemd.rules
udevadm cat /usr/lib/udev/rules.d/99-systemd.rules
udevadm cat /usr/lib/udev/rules.d
-(! udevadm cat /dev/null)
+udevadm cat /dev/null
udevadm cat --config
udevadm cat -h
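Review bot: `udevadm cat /dev/null` now only has to exit 0; asserting on the warning text ("is a mask, ignoring") as well would catch a regression where /dev/null is silently treated as an empty rules file, which also exits 0.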
diff --git a/test/units/TEST-17-UDEV.11.sh b/test/units/TEST-17-UDEV.11.sh
index f0ab20e5c9..ff15343827 100755
--- a/test/units/TEST-17-UDEV.11.sh
+++ b/test/units/TEST-17-UDEV.11.sh
@@ -116,8 +116,7 @@ assert_1 --resolve-names=now
assert_1 ./nosuchfile
# Failed to parse rules file ./nosuchfile: No such file or directory
assert_1 ./nosuchfile /dev/null
-# '/dev/null' is neither a regular file nor a directory: File descriptor in bad state
-assert_1 /dev/null
+assert_0 /dev/null
rules_dir='etc/udev/rules.d'
mkdir -p "${rules_dir}"
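Review bot: the deleted comment recorded why /dev/null used to fail; with `assert_0 /dev/null` the test no longer says why it is accepted. Add a comment in the same style as the surrounding ones (e.g. "# File '/dev/null' is a mask, ignoring.") so the expected warning is documented next to the assertion, and consider checking that the warning is actually printed.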

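An added example (not code from systemd or from this patch) of the mask convention the udevadm change above tests for with null_or_empty_path_with_root() and null_or_empty(): a rules file counts as masked when it is an empty regular file or resolves to /dev/null, which is how an administrator in /etc/udev/rules.d/ disables a file shipped in /usr/lib/udev/rules.d/. The function applies the same two tests with shell builtins and runs them over a constructed rules.d tree; all file names and the temporary directory are made up for the example.

```shell
#!/bin/sh
# Added example, not systemd's code: detect masked udev rules files the way the
# udevadm hunks above do (empty regular file, or a path resolving to /dev/null).

# is_masked PATH: true (0) if PATH resolves to /dev/null or to an empty regular file.
is_masked() {
    p=$1
    # -ef compares device and inode after following symlinks, so a symlink to
    # /dev/null matches (shell extension supported by bash, dash and busybox).
    if [ "$p" -ef /dev/null ]; then
        return 0
    fi
    # -f follows symlinks; -s is only true for size > 0, so "-f and not -s" is
    # the shell spelling of "regular file with st_size == 0".
    if [ -f "$p" ] && ! [ -s "$p" ]; then
        return 0
    fi
    return 1
}

# classify_rules DIR: prints "<name> masked|active|missing" for every *.rules
# entry in DIR, sorted by name. "missing" covers dangling symlinks, which the
# real code skips with ENOENT from chase().
classify_rules() {
    dir=$1
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if ! [ -e "$f" ]; then
            state=missing
        elif is_masked "$f"; then
            state=masked
        else
            state=active
        fi
        printf '%s %s\n' "${f##*/}" "$state"
    done | sort
}

# build_demo_tree: constructs a throwaway rules.d with one file of each kind
# (constructed sample data) and prints its path; the caller removes it.
build_demo_tree() {
    d=$(mktemp -d)
    printf 'KERNEL=="sda", SYMLINK+="disk-demo"\n' > "$d/60-demo-active.rules"
    : > "$d/70-demo-empty.rules"                      # empty file: masked
    ln -s /dev/null "$d/80-demo-devnull.rules"        # symlink to /dev/null: masked
    ln -s /nonexistent "$d/90-demo-dangling.rules"    # dangling symlink: missing
    printf '%s' "$d"
}

demo=$(build_demo_tree)
classify_rules "$demo"
rm -rf "$demo"
```

Against a real system the same function can be pointed at /etc/udev/rules.d/ to list which shipped rules an administrator has masked, which is the situation the patched `udevadm verify` and `udevadm cat` now warn about instead of failing.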

@ -48,7 +48,7 @@ Url: https://systemd.io
# Allow users to specify the version and release when building the rpm by
# setting the %%version_override and %%release_override macros.
Version: %{?version_override}%{!?version_override:257}
Release: 27%{?dist}.alma.1
Release: 28%{?dist}.alma.1
%global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
@ -792,6 +792,15 @@ Patch0679: 0679-udev-net_id-introduce-naming-scheme-for-RHEL-10.3.patch
Patch0680: 0680-Tag-accel-devices-for-uaccess-render.patch
Patch0681: 0681-udev-tag-kfd-devices-for-xaccess-render-40888.patch
Patch0682: 0682-fstab-generator-fix-spurious-quota-warning-for-xfs.patch
Patch0683: 0683-man-reword-the-description-of-secure-pager-handling.patch
Patch0684: 0684-pager-also-check-for-SUDO_UID.patch
Patch0685: 0685-Revert-mount-setup-tune-down-log-level-if-usrquota-i.patch
Patch0686: 0686-Revert-nspawn-enable-usrquota-support-on-tmp-and-dev.patch
Patch0687: 0687-Revert-units-enable-usrquota-support-on-tmp.patch
Patch0688: 0688-Revert-pid1-enable-usrquota-support-on-dev-shm.patch
Patch0689: 0689-Revert-udev-builtin-net-id-print-cescaped-bad-attrib.patch
Patch0690: 0690-homectl-apply-all-member-of-groups-from-a-comma-sepa.patch
Patch0691: 0691-udevadm-gracefully-handle-when-a-maked-file-is-speci.patch
# Downstream-only patches (90009999)
%endif
@ -1743,9 +1752,20 @@ rm -f .file-list-*
rm -f %{name}.lang
%changelog
* Tue Jun 16 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 257-27.alma.1
* Thu Jul 02 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 257-28.alma.1
- Debrand for AlmaLinux
* Wed Jul 01 2026 systemd maintenance team <systemd-maint@redhat.com> - 257-28
- man: reword the description of "secure pager" handling (RHEL-102939)
- pager: also check for $SUDO_UID (RHEL-102939)
- Revert "mount-setup: tune down log level if usrquota is not supported, apply usrquota when smack is in use too" (RHEL-143028)
- Revert "nspawn: enable usrquota support on /tmp/ and /dev/shm/" (RHEL-143028)
- Revert "units: enable usrquota support on /tmp/" (RHEL-143028)
- Revert "pid1: enable usrquota support on /dev/shm" (RHEL-143028)
- Revert "udev-builtin-net-id: print cescaped bad attributes" (RHEL-180922)
- homectl: apply all --member-of= groups from a comma-separated list (RHEL-180924)
- udevadm: gracefully handle when a maked file is specified to udevadm verify/cat (RHEL-180917)
* Mon Jun 15 2026 systemd maintenance team <systemd-maint@redhat.com> - 257-27
- Do not build efi stub on i686 anymore (RHEL-176073)
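Review bot: the 257-28 changelog line carries the subject typo "maked" (should be "masked"); the patch file name 0691-...-maked-... must stay as it is referenced by Patch0691, but the changelog text can be corrected. The 257-28.alma.1 entry lists only "Debrand for AlmaLinux" although this commit also imports the nine RHEL patches; fine if the 257-28 entry is taken to cover them, otherwise a pointer to it would help.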