-rw-r--r--man/systemd.exec.xml9
-rw-r--r--src/basic/process-util.c17
-rw-r--r--src/basic/process-util.h1
-rw-r--r--src/core/unit.c12
4 files changed, 35 insertions, 4 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 073d331e6d..401233475e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -652,8 +652,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<term><varname>UMask=</varname></term>
<listitem><para>Controls the file mode creation mask. Takes an access mode in octal notation. See
- <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details. Defaults
- to 0022.</para></listitem>
+ <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
+ details. Defaults to 0022 for system units. For units of the user service manager the default value
+ is inherited from the user instance (whose default is inherited from the system service manager, and
+ thus also is 0022). Hence changing the default value of a user instance, either via
+ <varname>UMask=</varname> or via a PAM module, will affect the user instance itself and all user
+ units started by the user instance unless a user unit has specified its own
+ <varname>UMask=</varname>.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index fefc2bd840..704d668253 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -628,6 +628,23 @@ int get_process_ppid(pid_t pid, pid_t *_ppid) {
return 0;
}
+int get_process_umask(pid_t pid, mode_t *umask) {
+ _cleanup_free_ char *m = NULL;
+ const char *p;
+ int r;
+
+ assert(umask);
+ assert(pid >= 0);
+
+ p = procfs_file_alloca(pid, "status");
+
+ r = get_proc_field(p, "Umask", WHITESPACE, &m);
+ if (r == -ENOENT)
+ return -ESRCH;
+
+ return parse_mode(m, umask);
+}
+
int wait_for_terminate(pid_t pid, siginfo_t *status) {
siginfo_t dummy;
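Review bot: Only `-ENOENT` from `get_proc_field()` is handled in `get_process_umask()`; any other negative return falls through to `parse_mode(m, umask)` with `m` still NULL. That path is probably reachable on kernels whose `/proc/<pid>/status` has no `Umask` line, though how `get_proc_field()` reports a missing field is not visible in this hunk. Add `if (r < 0) return r;` after the `-ENOENT` check so the parser only ever sees a string that was actually read. A one-line comment above the function saying that the value is read from the `Umask` field of the process's status file, and that `-ESRCH` means the process is gone, would also help callers.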
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
index 4160af45ba..ca9825293c 100644
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@@ -45,6 +45,7 @@ int get_process_cwd(pid_t pid, char **cwd);
int get_process_root(pid_t pid, char **root);
int get_process_environ(pid_t pid, char **environ);
int get_process_ppid(pid_t pid, pid_t *ppid);
+int get_process_umask(pid_t pid, mode_t *umask);
int wait_for_terminate(pid_t pid, siginfo_t *status);
diff --git a/src/core/unit.c b/src/core/unit.c
index 96e1a6c320..019eed7236 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -187,8 +187,16 @@ static void unit_init(Unit *u) {
if (ec) {
exec_context_init(ec);
- ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
- EXEC_KEYRING_SHARED : EXEC_KEYRING_INHERIT;
+ if (MANAGER_IS_SYSTEM(u->manager))
+ ec->keyring_mode = EXEC_KEYRING_SHARED;
+ else {
+ ec->keyring_mode = EXEC_KEYRING_INHERIT;
+
+ /* User manager might have its umask redefined by PAM or UMask=. In this
+ * case let the units it manages inherit this value by default. They can
+ * still tune this value through their own unit file */
+ (void) get_process_umask(getpid_cached(), &ec->umask);
+ }
}
kc = unit_get_kill_context(u);
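Review bot: The `(void)` cast on `get_process_umask(getpid_cached(), &ec->umask)` discards a failure that changes file-permission defaults. If the lookup fails, units of a user manager that was restricted (say to 0077 via PAM) presumably keep the value `exec_context_init()` assigned, which the man page change gives as 0022, and nothing is logged. Consider keeping the best-effort behaviour but recording it, e.g. `r = get_process_umask(getpid_cached(), &ec->umask);` followed by `if (r < 0) log_unit_debug_errno(u, r, "Failed to determine umask of user manager, ignoring: %m");`. Whether `parse_mode()` leaves `ec->umask` untouched on error is not visible here and is worth confirming. `unit_init()` starts and ends outside this hunk, so an `int r` may need to be declared.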