-rw-r--r--src/core/execute.c2
-rw-r--r--src/dissect/dissect.c2
-rw-r--r--src/gpt-auto-generator/gpt-auto-generator.c8
-rw-r--r--src/nspawn/nspawn.c23
-rw-r--r--src/portable/portable.c2
-rw-r--r--src/shared/discover-image.c7
-rw-r--r--src/sysext/sysext.c6
7 files changed, 39 insertions, 11 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 35aea2f830..e791c31b27 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3247,7 +3247,7 @@ static int apply_mount_namespace(
propagate_dir,
incoming_dir,
root_dir || root_image ? params->notify_socket : NULL,
- DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK,
+ DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK|DISSECT_IMAGE_USR_NO_ROOT,
error_path);
/* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports
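Review bot: The flag mask passed in this call inside apply_mount_namespace() is now one long line of four OR-ed flags, which is hard to scan and makes later flag changes noisy to review. The `arg_flags` initializer in src/dissect/dissect.c and the `dissect_image()` call in src/portable/portable.c have the same problem. The other call sites touched by this commit (gpt-auto-generator.c, nspawn.c, sysext.c) were reflowed to one flag per line, and these three should use that layout too, so the set of images a caller accepts can be read at a glance. The call starts above the hunk and the function continues below it, so only the flag argument is visible here.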
diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c
index cb96a57abe..06808a231e 100644
--- a/src/dissect/dissect.c
+++ b/src/dissect/dissect.c
@@ -44,7 +44,7 @@ static const char *arg_image = NULL;
static const char *arg_path = NULL;
static const char *arg_source = NULL;
static const char *arg_target = NULL;
-static DissectImageFlags arg_flags = DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK;
+static DissectImageFlags arg_flags = DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK|DISSECT_IMAGE_USR_NO_ROOT;
static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT;
static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF;
static PagerFlags arg_pager_flags = 0;
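Review bot: `arg_flags` now combines `DISSECT_IMAGE_REQUIRE_ROOT` with `DISSECT_IMAGE_USR_NO_ROOT`, and nothing at the declaration says how the two interact. The same pairing appears without comment in run() in nspawn.c, and in portable.c, discover-image.c and sysext.c. Judging by the flag name alone (its definition is not part of this diff), the new flag relaxes the root requirement for images that carry /usr but no root file system, which widens the set of images each of these callers accepts. A short comment at the declaration would record that intent, e.g. `/* USR_NO_ROOT: also accept images that have /usr but no root partition */`, worded to match the flag's actual definition.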
diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index f9d0ca5421..dda9b18815 100644
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -665,7 +665,13 @@ static int enumerate_partitions(dev_t devnum) {
if (r <= 0)
return r;
- r = dissect_image(fd, NULL, NULL, DISSECT_IMAGE_GPT_ONLY|DISSECT_IMAGE_NO_UDEV, &m);
+ r = dissect_image(
+ fd,
+ NULL, NULL,
+ DISSECT_IMAGE_GPT_ONLY|
+ DISSECT_IMAGE_NO_UDEV|
+ DISSECT_IMAGE_USR_NO_ROOT,
+ &m);
if (r == -ENOPKG) {
log_debug_errno(r, "No suitable partition table found, ignoring.");
return 0;
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index a4ac8ed2bb..00e2ba2654 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3581,8 +3581,12 @@ static int outer_child(
* makes sure ESP partitions and userns are compatible. */
r = dissected_image_mount_and_warn(
- dissected_image, directory, arg_uid_shift,
- DISSECT_IMAGE_MOUNT_ROOT_ONLY|DISSECT_IMAGE_DISCARD_ON_LOOP|
+ dissected_image,
+ directory,
+ arg_uid_shift,
+ DISSECT_IMAGE_MOUNT_ROOT_ONLY|
+ DISSECT_IMAGE_DISCARD_ON_LOOP|
+ DISSECT_IMAGE_USR_NO_ROOT|
(arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK)|
(arg_start_mode == START_BOOT ? DISSECT_IMAGE_VALIDATE_OS : 0));
if (r < 0)
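Review bot: With `DISSECT_IMAGE_USR_NO_ROOT` added next to `DISSECT_IMAGE_MOUNT_ROOT_ONLY` in this call in outer_child(), the hunk does not show what ends up at `directory` when the image has no root partition. It also does not show whether `DISSECT_IMAGE_VALIDATE_OS` still has something to validate in boot mode. The second outer_child() hunk (the `DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY` call) has the same gap. If the root tree is expected to come from elsewhere in that case, a comment above the call should say so, e.g. `/* Image may lack a root fs (USR_NO_ROOT); the root tree is then set up separately */`. This is inferred from the flag names and should be checked against the code outside the hunk.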
@@ -3669,8 +3673,14 @@ static int outer_child(
if (dissected_image) {
/* Now we know the uid shift, let's now mount everything else that might be in the image. */
- r = dissected_image_mount(dissected_image, directory, arg_uid_shift,
- DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY|DISSECT_IMAGE_DISCARD_ON_LOOP|(arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK));
+ r = dissected_image_mount(
+ dissected_image,
+ directory,
+ arg_uid_shift,
+ DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY|
+ DISSECT_IMAGE_DISCARD_ON_LOOP|
+ DISSECT_IMAGE_USR_NO_ROOT|
+ (arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK));
if (r == -EUCLEAN)
return log_error_errno(r, "File system check for image failed: %m");
if (r < 0)
@@ -5378,7 +5388,10 @@ static int run(int argc, char *argv[]) {
}
} else {
- DissectImageFlags dissect_image_flags = DISSECT_IMAGE_REQUIRE_ROOT | DISSECT_IMAGE_RELAX_VAR_CHECK;
+ DissectImageFlags dissect_image_flags =
+ DISSECT_IMAGE_REQUIRE_ROOT |
+ DISSECT_IMAGE_RELAX_VAR_CHECK |
+ DISSECT_IMAGE_USR_NO_ROOT;
assert(arg_image);
assert(!arg_template);
diff --git a/src/portable/portable.c b/src/portable/portable.c
index 6c09e8bbd4..aacc573ef6 100644
--- a/src/portable/portable.c
+++ b/src/portable/portable.c
@@ -380,7 +380,7 @@ static int portable_extract_by_path(
if (r < 0)
return log_debug_errno(r, "Failed to create temporary directory: %m");
- r = dissect_image(d->fd, NULL, NULL, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK, &m);
+ r = dissect_image(d->fd, NULL, NULL, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_USR_NO_ROOT, &m);
if (r == -ENOPKG)
sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Couldn't identify a suitable partition table or file system in '%s'.", path);
else if (r == -EADDRNOTAVAIL)
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index 79c4c70a41..a2f2261980 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -1198,7 +1198,12 @@ int image_read_metadata(Image *i) {
if (r < 0)
return r;
- r = dissect_image(d->fd, NULL, NULL, DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_RELAX_VAR_CHECK, &m);
+ r = dissect_image(
+ d->fd,
+ NULL, NULL,
+ DISSECT_IMAGE_REQUIRE_ROOT|
+ DISSECT_IMAGE_RELAX_VAR_CHECK|
+ DISSECT_IMAGE_USR_NO_ROOT, &m);
if (r < 0)
return r;
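Review bot: The reflowed `dissect_image()` call in image_read_metadata() leaves the output argument on the same line as the last flag (`DISSECT_IMAGE_USR_NO_ROOT, &m);`), so the end of the flag mask is easy to misread. The gpt-auto-generator.c hunk in this commit puts `&m);` on its own line, and this call should match it: `DISSECT_IMAGE_USR_NO_ROOT,` followed by `&m);`. The function body starts above and continues below the hunk.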
diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index 9b1c4908a4..2ebb96c397 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -509,7 +509,11 @@ static int merge_subprocess(Hashmap *images, const char *workspace) {
_cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
_cleanup_(decrypted_image_unrefp) DecryptedImage *di = NULL;
_cleanup_(verity_settings_done) VeritySettings verity_settings = VERITY_SETTINGS_DEFAULT;
- DissectImageFlags flags = DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_MOUNT_ROOT_ONLY;
+ DissectImageFlags flags =
+ DISSECT_IMAGE_READ_ONLY|
+ DISSECT_IMAGE_REQUIRE_ROOT|
+ DISSECT_IMAGE_MOUNT_ROOT_ONLY|
+ DISSECT_IMAGE_USR_NO_ROOT;
r = verity_settings_load(&verity_settings, img->path, NULL, NULL);
if (r < 0)
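Review bot: The new `flags` initializer in merge_subprocess() appears to let an extension image pass dissection when it has /usr but no root partition (going by the flag name; the definition is outside this diff), and the declaration carries no comment saying so. The hunk also does not show whether the verity settings loaded on the next line are applied to the /usr partition in that case, so the integrity path for /usr-only images is worth confirming in the code below the hunk. A comment on the initializer such as `/* USR_NO_ROOT: extension images may consist of a /usr partition only */` would document the intent. The function continues outside the hunk.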