Merge pull request #34548 from SimonPilkington/fix-creds-cat

creds: fix cat with encrypted credentials
2024-11-30 13:53:39 +08:00 · 2024-09-27 20:51:57 +02:00 · 2024-09-27 20:51:57 +02:00 · 6fd58537e5
commit 6fd58537e5
parent e996663475 bb322e4340
3 changed files with 13 additions and 4 deletions
--- a/7
+++ b/7
@ -11,7 +11,12 @@ CHANGES WITH 257 in spe:
          be updated accordingly. This change has been made to make it harder
          to accidentally delete too many files when using --purge incorrectly.

-        Announcements of Future Feature Removals and Incompatible Changes:
+        * The systemd-creds 'cat' verb now expects base64-encoded encrypted
+          credentials for consistency with the 'decrypt' verb and the
+          LoadCredentialEncrypted= service setting. Previously it could only
+          read raw binary data.
+
+       Announcements of Future Feature Removals and Incompatible Changes:

        * Support for automatic flushing of the nscd user/group database caches
          has been dropped.
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@ -434,10 +434,14 @@ static int verb_cat(int argc, char **argv, void *userdata) {
                        if (!d) /* Not set */
                                continue;

+                        ReadFullFileFlags flags = READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE;
+                        if (encrypted)
+                                flags |= READ_FULL_FILE_UNBASE64;
+
                        r = read_full_file_full(
                                        dirfd(d), *cn,
                                        UINT64_MAX, SIZE_MAX,
-                                        READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE,
+                                        flags,
                                        NULL,
                                        (char**) &data, &size);
                        if (r == -ENOENT) /* Not found */
--- a/test/units/TEST-54-CREDS.sh
+++ b/test/units/TEST-54-CREDS.sh
@ -43,8 +43,8 @@ CRED_DIR="$(mktemp -d)"
 ENC_CRED_DIR="$(mktemp -d)"
 echo foo >"$CRED_DIR/secure-or-weak"
 echo foo >"$CRED_DIR/insecure"
-echo foo | systemd-creds --name="encrypted" encrypt - - | base64 -d >"$ENC_CRED_DIR/encrypted"
-echo foo | systemd-creds encrypt - - | base64 -d >"$ENC_CRED_DIR/encrypted-unnamed"
+echo foo | systemd-creds --name="encrypted" encrypt - "$ENC_CRED_DIR/encrypted"
+echo foo | systemd-creds encrypt - "$ENC_CRED_DIR/encrypted-unnamed"
 chmod -R 0400 "$CRED_DIR" "$ENC_CRED_DIR"
 chmod -R 0444 "$CRED_DIR/insecure"
 mkdir /tmp/empty/