Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LoadCredential= doesn't fail with 243/CREDENTIALS but silently skips if non-existent ID is specified (without explicit PATH) #32667

Closed
arianvp opened this issue May 6, 2024 · 6 comments · Fixed by #32689
Closed

LoadCredential= doesn't fail with 243/CREDENTIALS but silently skips if non-existent ID is specified (without explicit PATH) #32667

arianvp opened this issue May 6, 2024 · 6 comments · Fixed by #32689
Labels
documentation not-a-bug pid1

Comments

@arianvp
Copy link
Contributor

arianvp commented May 6, 2024
edited

systemd version the issue has been seen with

255.4

Used distribution

NixOS 24.05beta

Linux kernel version used

6.6.27

CPU architectures issue was seen on

aarch64

Component

systemd

Expected behaviour you didn't see

when using the shorthand syntax LoadCredential=ID (as opposed to LoadCredential=ID:PATH):

If a unit specifies a credential with the shorthand syntax (only specifying an ID but no :PATH), I'd expect the unit to fail to start if systemd exhausted all options.

i.e. neither /etc/credstore/this-credential-doesnt-exist nor /run/credstore/this-credential-doesnt-exist or any other place where credentials can be sourced from contain the credential in question

[Service]
LoadCredential=this-credential-doesnt-exist
ExecStart=my-service

should fail with 243/CREDENTIALS because the file doesn't exist just like the non-shorthand syntax:

[Service]
LoadCredential=this-credential-doesnt-exist:/etc/credstore/this-credential-doesnt-exist

Unexpected behaviour you saw

The unit starts succesfully instead of failing with 243/CREDENTIALS

Steps to reproduce the problem

systemd-run -p LoadCredential=foo

succeeds

Additional program output to the terminal or log subsystem illustrating the issue

No response
@arianvp arianvp added the bug 🐛 Programming errors, that need preferential fixing label May 6, 2024
@arianvp arianvp changed the title LoadCredential= doesn't fail with 243/CREDENTIALS but silently skips if non-existent ID is specified but no PATH LoadCredential= doesn't fail with 243/CREDENTIALS but silently skips if non-existent ID is specified (without explicit PATH) May 6, 2024
@github-actions github-actions bot added the pid1 label May 6, 2024
@arianvp
Copy link
Contributor Author

arianvp commented May 6, 2024

I guess this is somewhat similar to #27373 by the way (Except this one is for paths instead of unix sockets)

@YHNdnzj
Copy link
Member

YHNdnzj commented May 6, 2024

This is intentional: https://github.com/systemd/systemd/blob/main/src/core/exec-credential.c#L500

@YHNdnzj YHNdnzj added not-a-bug and removed bug 🐛 Programming errors, that need preferential fixing labels May 6, 2024
@arianvp
Copy link
Contributor Author

arianvp commented May 6, 2024

To give an anecdote about why this bit me:

Nix uses the existence of the signing key whether packaging signing is enabled or not after building a package. So a missing credential caused my packages not to be signed. We can brush that off as "Nix made a stupid design choice there" but that's why I ran into this.

I'm fine with documenting this as "expected behaviour" by the way. and perhaps that means we can close #27373 with the same reason

@YHNdnzj
Copy link
Member

YHNdnzj commented May 6, 2024

Hmm, I think #27373 can serve as a valid RFE?

@arianvp
Copy link
Contributor Author

arianvp commented May 6, 2024

Well. If we can agree on "Hey it's up to the application to actually check that the credential exists" then we can just make all LoadCredential= stanzas work the same. That is: Always succeed silently if the credential doesn't exist. Then people do not get surprised. And then we do not need to change the AF_UNIX protocol to handle "Credential does not exist" scenario"

YHNdnzj added a commit to YHNdnzj/systemd that referenced this issue May 7, 2024
@YHNdnzj
core/exec-credential: complain louder if inherited credential is missing
6b34871 
Also document that a missing inherited credential
is not considered fatal.

Closes systemd#32667
@YHNdnzj YHNdnzj mentioned this issue May 7, 2024
Merged
@poettering
Copy link
Member

This is intended, the idea is that we import creds down the tree that are specified, but gracefully handle the ones that aren't.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation not-a-bug pid1
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

core/exec-credential: complain louder if inherited credential is missing YHNdnzj/systemd
3 participants
@arianvp @poettering @YHNdnzj