core: add ':' prefix to ExecXYZ= skip env var substitution

2025-01-26 10:24:17 +08:00 · 2019-02-07 15:25:37 -08:00 · 2019-02-07 15:25:37 -08:00 · 7ca69792e5
commit 7ca69792e5
parent 542e546010
7 changed files with 32 additions and 8 deletions
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@ -338,6 +338,11 @@
                <entry>If the executable path is prefixed with <literal>-</literal>, an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal exit due to signal) is recorded, but has no further effect and is considered equivalent to success.</entry>
              </row>

+              <row>
+                <entry><literal>:</literal></entry>
+                <entry>If the executable path is prefixed with <literal>:</literal>, environment variable substitution (as described by the "Command Lines" section below) is not applied.</entry>
+              </row>
+
              <row>
                <entry><literal>+</literal></entry>
                <entry>If the executable path is prefixed with <literal>+</literal> then the process is executed with full privileges. In this mode privilege restrictions configured with <varname>User=</varname>, <varname>Group=</varname>, <varname>CapabilityBoundingSet=</varname> or the various file system namespacing options (such as <varname>PrivateDevices=</varname>, <varname>PrivateTmp=</varname>) are not applied to the invoked command line (but still affect any other <varname>ExecStart=</varname>, <varname>ExecStop=</varname>, … lines).</entry>
@ -358,7 +363,7 @@
          </tgroup>
        </table>

-        <para><literal>@</literal>, <literal>-</literal>, and one of
+        <para><literal>@</literal>, <literal>-</literal>, <literal>:</literal>, and one of
        <literal>+</literal>/<literal>!</literal>/<literal>!!</literal> may be used together and they can appear in any
        order. However, only one of <literal>+</literal>, <literal>!</literal>, <literal>!!</literal> may be used at a
        time. Note that these prefixes are also supported for the other command line settings,
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -2846,12 +2846,13 @@ static int exec_child(
                int user_lookup_fd,
                int *exit_status) {

-        _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **final_argv = NULL;
+        _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **accum_env = NULL, **replaced_argv = NULL;
        int *fds_with_exec_fd, n_fds_with_exec_fd, r, ngids = 0, exec_fd = -1;
        _cleanup_free_ gid_t *supplementary_gids = NULL;
        const char *username = NULL, *groupname = NULL;
        _cleanup_free_ char *home_buffer = NULL;
        const char *home = NULL, *shell = NULL;
+        char **final_argv = NULL;
        dev_t journal_stream_dev = 0;
        ino_t journal_stream_ino = 0;
        bool needs_sandboxing,          /* Do we need to set up full sandboxing? (i.e. all namespacing, all MAC stuff, caps, yadda yadda */
@ -3604,11 +3605,15 @@ static int exec_child(
                strv_free_and_replace(accum_env, ee);
        }

-        final_argv = replace_env_argv(command->argv, accum_env);
-        if (!final_argv) {
-                *exit_status = EXIT_MEMORY;
-                return log_oom();
-        }
+        if (!FLAGS_SET(command->flags, EXEC_COMMAND_NO_ENV_EXPAND)) {
+                replaced_argv = replace_env_argv(command->argv, accum_env);
+                if (!replaced_argv) {
+                        *exit_status = EXIT_MEMORY;
+                        return log_oom();
+                }
+                final_argv = replaced_argv;
+        } else
+                final_argv = command->argv;

        if (DEBUG_LOGGING) {
                _cleanup_free_ char *line;
--- a/src/core/execute.h
+++ b/src/core/execute.h
@ -91,6 +91,7 @@ typedef enum ExecCommandFlags {
        EXEC_COMMAND_FULLY_PRIVILEGED = 1 << 1,
        EXEC_COMMAND_NO_SETUID        = 1 << 2,
        EXEC_COMMAND_AMBIENT_MAGIC    = 1 << 3,
+        EXEC_COMMAND_NO_ENV_EXPAND    = 1 << 4,
 } ExecCommandFlags;

 /* Stores information about commands we execute. Covers both configuration settings as well as runtime data. */
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -561,7 +561,8 @@ int config_parse_exec(
                for (;;) {
                        /* We accept an absolute path as first argument.  If it's prefixed with - and the path doesn't
                         * exist, we ignore it instead of erroring out; if it's prefixed with @, we allow overriding of
-                         * argv[0]; if it's prefixed with +, it will be run with full privileges and no sandboxing; if
+                         * argv[0]; if it's prefixed with :, we will not do environment variable substitution;
+                         * if it's prefixed with +, it will be run with full privileges and no sandboxing; if
                         * it's prefixed with '!' we apply sandboxing, but do not change user/group credentials; if
                         * it's prefixed with '!!', then we apply user/group credentials if the kernel supports ambient
                         * capabilities -- if it doesn't we don't apply the credentials themselves, but do apply most
@ -576,6 +577,8 @@ int config_parse_exec(
                                ignore = true;
                        } else if (*f == '@' && !separate_argv0)
                                separate_argv0 = true;
+                        else if (*f == ':' && !(flags & EXEC_COMMAND_NO_ENV_EXPAND))
+                                flags |= EXEC_COMMAND_NO_ENV_EXPAND;
                        else if (*f == '+' && !(flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID|EXEC_COMMAND_AMBIENT_MAGIC)))
                                flags |= EXEC_COMMAND_FULLY_PRIVILEGED;
                        else if (*f == '!' && !(flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID|EXEC_COMMAND_AMBIENT_MAGIC)))
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@ -494,6 +494,7 @@ static void test_exec_dynamicuser(Manager *m) {
 }

 static void test_exec_environment(Manager *m) {
+        test(m, "exec-environment-no-substitute.service", 0, CLD_EXITED);
        test(m, "exec-environment.service", 0, CLD_EXITED);
        test(m, "exec-environment-multiple.service", 0, CLD_EXITED);
        test(m, "exec-environment-empty.service", 0, CLD_EXITED);
--- a/test/meson.build
+++ b/test/meson.build
@ -55,6 +55,7 @@ test_data_files = '''
        test-execute/exec-dynamicuser-statedir-migrate-step2.service
        test-execute/exec-dynamicuser-statedir.service
        test-execute/exec-dynamicuser-supplementarygroups.service
+        test-execute/exec-environment-no-substitute.service
        test-execute/exec-environment-empty.service
        test-execute/exec-environment-multiple.service
        test-execute/exec-environment.service
--- a/test/test-execute/exec-environment-no-substitute.service
+++ b/test/test-execute/exec-environment-no-substitute.service
@ -0,0 +1,8 @@
+[Unit]
+Description=Test for No Environment Variable Substitution
+
+[Service]
+ExecStart=/bin/sh -x -c 'test "$${VAR1-unset}" = "unset" && test "$${VAR2}" = "word3" && test "$${VAR3-unset}" = \'$word 5 6\''
+ExecStart=:/bin/sh -x -c 'test "$${VAR1-unset}" != "unset" && test "$${VAR2}" != "word3" && test "$${VAR3-unset}" != \'$word 5 6\''
+Type=oneshot
+Environment="VAR2=word3" "VAR3=$word 5 6"