summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/home/homectl.c10
-rw-r--r--src/home/homed-bus.c2
-rw-r--r--src/home/homed-home-bus.c4
-rw-r--r--src/home/homed-home.c14
-rw-r--r--src/home/homed-manager-bus.c4
-rw-r--r--src/home/homed-manager.c2
-rw-r--r--src/home/homed-varlink.c2
-rw-r--r--src/home/homework-cifs.c2
-rw-r--r--src/home/homework-directory.c2
-rw-r--r--src/home/homework-fscrypt.c2
-rw-r--r--src/home/homework-luks.c8
-rw-r--r--src/home/homework.c6
-rw-r--r--src/home/pam_systemd_home.c2
-rw-r--r--src/home/user-record-sign.c4
-rw-r--r--src/home/user-record-util.c4
-rw-r--r--src/login/pam_systemd.c2
-rw-r--r--src/nspawn/nspawn-bind-user.c6
-rw-r--r--src/shared/user-record.c4
-rw-r--r--src/shared/userdb-dropin.c6
-rw-r--r--src/userdb/userwork.c4
20 files changed, 47 insertions, 43 deletions
diff --git a/src/home/homectl.c b/src/home/homectl.c
index 7128f6cea1..6273cb6c90 100644
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@@ -571,9 +571,9 @@ static void dump_home_record(UserRecord *hr) {
_cleanup_(user_record_unrefp) UserRecord *stripped = NULL;
if (arg_export_format == EXPORT_FORMAT_STRIPPED)
- r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED, &stripped);
+ r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &stripped);
else if (arg_export_format == EXPORT_FORMAT_MINIMAL)
- r = user_record_clone(hr, USER_RECORD_EXTRACT_SIGNABLE, &stripped);
+ r = user_record_clone(hr, USER_RECORD_EXTRACT_SIGNABLE|USER_RECORD_PERMISSIVE, &stripped);
else
r = 0;
if (r < 0)
@@ -678,7 +678,7 @@ static int inspect_home(int argc, char *argv[], void *userdata) {
if (!hr)
return log_oom();
- r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG);
+ r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0) {
if (ret == 0)
ret = r;
@@ -1060,7 +1060,7 @@ static int acquire_new_home_record(UserRecord **ret) {
if (!hr)
return log_oom();
- r = user_record_load(hr, v, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG);
+ r = user_record_load(hr, v, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@@ -1426,7 +1426,7 @@ static int acquire_updated_home_record(
if (!hr)
return log_oom();
- r = user_record_load(hr, json, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG);
+ r = user_record_load(hr, json, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
diff --git a/src/home/homed-bus.c b/src/home/homed-bus.c
index 8f7a646d4a..24b421a58c 100644
--- a/src/home/homed-bus.c
+++ b/src/home/homed-bus.c
@@ -28,7 +28,7 @@ int bus_message_read_secret(sd_bus_message *m, UserRecord **ret, sd_bus_error *e
if (!hr)
return -ENOMEM;
- r = user_record_load(hr, full, USER_RECORD_REQUIRE_SECRET);
+ r = user_record_load(hr, full, USER_RECORD_REQUIRE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
diff --git a/src/home/homed-home-bus.c b/src/home/homed-home-bus.c
index 2a58ecbc1a..c71256d15e 100644
--- a/src/home/homed-home-bus.c
+++ b/src/home/homed-home-bus.c
@@ -95,7 +95,7 @@ int bus_home_get_record_json(
trusted = false;
}
- flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE;
+ flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE;
if (trusted)
flags |= USER_RECORD_ALLOW_PRIVILEGED;
else
@@ -443,7 +443,7 @@ int bus_home_method_update(
assert(message);
assert(h);
- r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_REQUIRE_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE, &hr, error);
+ r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_REQUIRE_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE, &hr, error);
if (r < 0)
return r;
diff --git a/src/home/homed-home.c b/src/home/homed-home.c
index 54e36e3b71..39dd501a32 100644
--- a/src/home/homed-home.c
+++ b/src/home/homed-home.c
@@ -145,7 +145,7 @@ int home_new(Manager *m, UserRecord *hr, const char *sysfs, Home **ret) {
return r;
}
- r = user_record_clone(hr, USER_RECORD_LOAD_MASK_SECRET, &home->record);
+ r = user_record_clone(hr, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &home->record);
if (r < 0)
return r;
@@ -243,7 +243,7 @@ int home_set_record(Home *h, UserRecord *hr) {
if (!new_hr)
return -ENOMEM;
- r = user_record_load(new_hr, v, USER_RECORD_LOAD_REFUSE_SECRET);
+ r = user_record_load(new_hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@@ -384,7 +384,7 @@ static int home_parse_worker_stdout(int _fd, UserRecord **ret) {
if (!hr)
return log_oom();
- r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET);
+ r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0)
return log_error_errno(r, "Failed to load home record identity: %m");
@@ -1410,7 +1410,7 @@ static int home_update_internal(
return sd_bus_error_set(error, BUS_ERROR_HOME_RECORD_DOWNGRADE, "Refusing to update to older home record.");
if (!secret && FLAGS_SET(hr->mask, USER_RECORD_SECRET)) {
- r = user_record_clone(hr, USER_RECORD_EXTRACT_SECRET, &saved_secret);
+ r = user_record_clone(hr, USER_RECORD_EXTRACT_SECRET|USER_RECORD_PERMISSIVE, &saved_secret);
if (r < 0)
return r;
@@ -1445,7 +1445,7 @@ static int home_update_internal(
return r;
}
- r = user_record_extend_with_binding(hr, h->record, USER_RECORD_LOAD_MASK_SECRET, &new_hr);
+ r = user_record_extend_with_binding(hr, h->record, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_hr);
if (r < 0)
return r;
@@ -1539,7 +1539,7 @@ int home_resize(Home *h, uint64_t disk_size, UserRecord *secret, sd_bus_error *e
if (h->signed_locally <= 0) /* Don't allow changing of records not signed only by us */
return sd_bus_error_setf(error, BUS_ERROR_HOME_RECORD_SIGNED, "Home %s is signed and cannot be modified locally.", h->user_name);
- r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET, &c);
+ r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE, &c);
if (r < 0)
return r;
@@ -1628,7 +1628,7 @@ int home_passwd(Home *h,
if (r < 0)
return r;
- r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET, &c);
+ r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE, &c);
if (r < 0)
return r;
diff --git a/src/home/homed-manager-bus.c b/src/home/homed-manager-bus.c
index 8a06bb62bf..7ac5b8d0fc 100644
--- a/src/home/homed-manager-bus.c
+++ b/src/home/homed-manager-bus.c
@@ -398,7 +398,7 @@ static int method_register_home(
assert(message);
assert(m);
- r = bus_message_read_home_record(message, USER_RECORD_LOAD_EMBEDDED, &hr, error);
+ r = bus_message_read_home_record(message, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE, &hr, error);
if (r < 0)
return r;
@@ -513,7 +513,7 @@ static int method_update_home(sd_bus_message *message, void *userdata, sd_bus_er
assert(message);
assert(m);
- r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE, &hr, error);
+ r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE, &hr, error);
if (r < 0)
return r;
diff --git a/src/home/homed-manager.c b/src/home/homed-manager.c
index f8dfa272b9..b255426382 100644
--- a/src/home/homed-manager.c
+++ b/src/home/homed-manager.c
@@ -364,7 +364,7 @@ static int manager_add_home_by_record(
if (!hr)
return log_oom();
- r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG);
+ r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
diff --git a/src/home/homed-varlink.c b/src/home/homed-varlink.c
index c42908349a..96a6ea754e 100644
--- a/src/home/homed-varlink.c
+++ b/src/home/homed-varlink.c
@@ -42,7 +42,7 @@ static int build_user_json(Home *h, bool trusted, JsonVariant **ret) {
assert(h);
assert(ret);
- flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE;
+ flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE;
if (trusted)
flags |= USER_RECORD_ALLOW_PRIVILEGED;
else
diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c
index 2736095f93..2254eb59cd 100644
--- a/src/home/homework-cifs.c
+++ b/src/home/homework-cifs.c
@@ -185,7 +185,7 @@ int home_create_cifs(UserRecord *h, UserRecord **ret_home) {
if (r < 0)
return r;
- r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home);
+ r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_home);
if (r < 0)
return log_error_errno(r, "Failed to clone record: %m");
diff --git a/src/home/homework-directory.c b/src/home/homework-directory.c
index 2d800033ee..b35d24c85a 100644
--- a/src/home/homework-directory.c
+++ b/src/home/homework-directory.c
@@ -158,7 +158,7 @@ int home_create_directory_or_subvolume(UserRecord *h, UserRecord **ret_home) {
if (r < 0)
return r;
- r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home);
+ r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_home);
if (r < 0)
return log_error_errno(r, "Failed to clone record: %m");
diff --git a/src/home/homework-fscrypt.c b/src/home/homework-fscrypt.c
index 037e4853fd..86dde4b78b 100644
--- a/src/home/homework-fscrypt.c
+++ b/src/home/homework-fscrypt.c
@@ -550,7 +550,7 @@ int home_create_fscrypt(
if (r < 0)
return r;
- r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home);
+ r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_home);
if (r < 0)
return log_error_errno(r, "Failed to clone record: %m");
diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c
index 543195914f..7a06bb4b8e 100644
--- a/src/home/homework-luks.c
+++ b/src/home/homework-luks.c
@@ -779,7 +779,7 @@ static int luks_validate_home_record(
if (!lhr)
return log_oom();
- r = user_record_load(lhr, rr, USER_RECORD_LOAD_EMBEDDED);
+ r = user_record_load(lhr, rr, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE);
if (r < 0)
return log_error_errno(r, "Failed to parse user record: %m");
@@ -902,7 +902,7 @@ int home_store_header_identity_luks(
* the file system, so that we can validate it first, and only then mount the file system. To keep
* things simple we use the same encryption settings for this record as for the file system itself. */
- r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &header_home);
+ r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &header_home);
if (r < 0)
return log_error_errno(r, "Failed to determine new header record: %m");
@@ -1575,7 +1575,7 @@ static int luks_format(
log_info("LUKS activation by volume key succeeded.");
- r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED, &reduced);
+ r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &reduced);
if (r < 0)
return log_error_errno(r, "Failed to prepare home record for LUKS: %m");
@@ -2139,7 +2139,7 @@ int home_create_luks(
if (r < 0)
goto fail;
- r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_LOG, &new_home);
+ r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_LOG|USER_RECORD_PERMISSIVE, &new_home);
if (r < 0) {
log_error_errno(r, "Failed to clone record: %m");
goto fail;
diff --git a/src/home/homework.c b/src/home/homework.c
index 3b1f413095..a6e663503b 100644
--- a/src/home/homework.c
+++ b/src/home/homework.c
@@ -524,7 +524,7 @@ int home_load_embedded_identity(
if (!embedded_home)
return log_oom();
- r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED);
+ r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@@ -609,7 +609,7 @@ int home_store_embedded_identity(UserRecord *h, int root_fd, uid_t uid, UserReco
assert(root_fd >= 0);
assert(uid_is_valid(uid));
- r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &embedded);
+ r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &embedded);
if (r < 0)
return log_error_errno(r, "Failed to determine new embedded record: %m");
@@ -1668,7 +1668,7 @@ static int run(int argc, char *argv[]) {
if (!home)
return log_oom();
- r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG);
+ r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c
index 6c2bcbd7d7..b7db39dab9 100644
--- a/src/home/pam_systemd_home.c
+++ b/src/home/pam_systemd_home.c
@@ -216,7 +216,7 @@ static int acquire_user_record(
if (!ur)
return pam_log_oom(handle);
- r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET);
+ r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to load user record: %s", strerror_safe(r));
return PAM_SERVICE_ERR;
diff --git a/src/home/user-record-sign.c b/src/home/user-record-sign.c
index 5ac92255c8..ab73fba93f 100644
--- a/src/home/user-record-sign.c
+++ b/src/home/user-record-sign.c
@@ -14,7 +14,7 @@ static int user_record_signable_json(UserRecord *ur, char **ret) {
assert(ur);
assert(ret);
- r = user_record_clone(ur, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_STRIP_SECRET|USER_RECORD_STRIP_BINDING|USER_RECORD_STRIP_STATUS|USER_RECORD_STRIP_SIGNATURE, &reduced);
+ r = user_record_clone(ur, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_STRIP_SECRET|USER_RECORD_STRIP_BINDING|USER_RECORD_STRIP_STATUS|USER_RECORD_STRIP_SIGNATURE|USER_RECORD_PERMISSIVE, &reduced);
if (r < 0)
return r;
@@ -95,7 +95,7 @@ int user_record_sign(UserRecord *ur, EVP_PKEY *private_key, UserRecord **ret) {
if (!signed_ur)
return log_oom();
- r = user_record_load(signed_ur, v, USER_RECORD_LOAD_FULL);
+ r = user_record_load(signed_ur, v, USER_RECORD_LOAD_FULL|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
diff --git a/src/home/user-record-util.c b/src/home/user-record-util.c
index 4e4f5d2341..b205f1d1e6 100644
--- a/src/home/user-record-util.c
+++ b/src/home/user-record-util.c
@@ -252,7 +252,7 @@ int user_record_reconcile(
if (!merged)
return -ENOMEM;
- r = user_record_load(merged, extended, USER_RECORD_LOAD_MASK_SECRET);
+ r = user_record_load(merged, extended, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@@ -261,7 +261,7 @@ int user_record_reconcile(
}
/* Strip out secrets */
- r = user_record_clone(host, USER_RECORD_LOAD_MASK_SECRET, ret);
+ r = user_record_clone(host, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, ret);
if (r < 0)
return r;
diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
index 2021c31bd5..f8bd17eefe 100644
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
@@ -141,7 +141,7 @@ static int acquire_user_record(
if (!ur)
return pam_log_oom(handle);
- r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET);
+ r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to load user record: %s", strerror_safe(r));
return PAM_SERVICE_ERR;
diff --git a/src/nspawn/nspawn-bind-user.c b/src/nspawn/nspawn-bind-user.c
index 801a52b7a8..6852125b9d 100644
--- a/src/nspawn/nspawn-bind-user.c
+++ b/src/nspawn/nspawn-bind-user.c
@@ -377,14 +377,16 @@ int bind_user_setup(
USER_RECORD_STRIP_PRIVILEGED|
USER_RECORD_ALLOW_PER_MACHINE|
USER_RECORD_ALLOW_BINDING|
- USER_RECORD_ALLOW_SIGNATURE;
+ USER_RECORD_ALLOW_SIGNATURE|
+ USER_RECORD_PERMISSIVE;
static const UserRecordLoadFlags shadow_flags = /* Extracts privileged info */
USER_RECORD_STRIP_REGULAR|
USER_RECORD_ALLOW_PRIVILEGED|
USER_RECORD_STRIP_PER_MACHINE|
USER_RECORD_STRIP_BINDING|
USER_RECORD_STRIP_SIGNATURE|
- USER_RECORD_EMPTY_OK;
+ USER_RECORD_EMPTY_OK|
+ USER_RECORD_PERMISSIVE;
int r;
assert(root);
diff --git a/src/shared/user-record.c b/src/shared/user-record.c
index d519ea0895..de949c57e3 100644
--- a/src/shared/user-record.c
+++ b/src/shared/user-record.c
@@ -2114,7 +2114,7 @@ int user_record_masked_equal(UserRecord *a, UserRecord *b, UserRecordMask mask)
/* Compares the two records, but ignores anything not listed in the specified mask */
if ((a->mask & ~mask) != 0) {
- r = user_record_clone(a, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX), &x);
+ r = user_record_clone(a, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX) | USER_RECORD_PERMISSIVE, &x);
if (r < 0)
return r;
@@ -2122,7 +2122,7 @@ int user_record_masked_equal(UserRecord *a, UserRecord *b, UserRecordMask mask)
}
if ((b->mask & ~mask) != 0) {
- r = user_record_clone(b, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX), &y);
+ r = user_record_clone(b, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX) | USER_RECORD_PERMISSIVE, &y);
if (r < 0)
return r;
diff --git a/src/shared/userdb-dropin.c b/src/shared/userdb-dropin.c
index 442c6c952b..5d79f4688a 100644
--- a/src/shared/userdb-dropin.c
+++ b/src/shared/userdb-dropin.c
@@ -82,7 +82,8 @@ static int load_user(
USER_RECORD_ALLOW_PER_MACHINE|
USER_RECORD_ALLOW_BINDING|
USER_RECORD_ALLOW_SIGNATURE|
- (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0));
+ (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)|
+ USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@@ -225,7 +226,8 @@ static int load_group(
USER_RECORD_ALLOW_PER_MACHINE|
USER_RECORD_ALLOW_BINDING|
USER_RECORD_ALLOW_SIGNATURE|
- (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0));
+ (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)|
+ USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
diff --git a/src/userdb/userwork.c b/src/userdb/userwork.c
index 21caa54096..8b7a20b08d 100644
--- a/src/userdb/userwork.c
+++ b/src/userdb/userwork.c
@@ -88,7 +88,7 @@ static int build_user_json(Varlink *link, UserRecord *ur, JsonVariant **ret) {
} else
trusted = peer_uid == 0 || peer_uid == ur->uid;
- flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE;
+ flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE;
if (trusted)
flags |= USER_RECORD_ALLOW_PRIVILEGED;
else
@@ -232,7 +232,7 @@ static int build_group_json(Varlink *link, GroupRecord *gr, JsonVariant **ret) {
} else
trusted = peer_uid == 0;
- flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE;
+ flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE;
if (trusted)
flags |= USER_RECORD_ALLOW_PRIVILEGED;
else
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-11 16:32:34 +0100