userdb: Add missing .membership extension to membership files

Follow up for fe0342edf4693ac14c8cb9a977afa09e4acd4daf

This also drops the mkosi testuser from the wheel and systemd-journal
groups as the integration tests rely on the testuser not being to read
the full journal.

(cherry picked from commit 472161f3688d8b2bf14d0ef0d3c2585e4ac0f40d)

mkosi/mkosi.conf

@@ -111,7 +111,6 @@ Packages=
         llvm
         lsof
         lvm2
-        man
         mdadm
         mtools
         nano

mkosi/mkosi.conf.d/arch/mkosi.conf

@@ -22,6 +22,7 @@ Packages=
         dbus-broker
         dbus-broker-units
         dhcp
+        elfutils
         erofs-utils
         f2fs-tools
         git
@@ -39,6 +40,7 @@ Packages=
         openssl
         pacman
         perf
+        pkgconf
         polkit
         procps-ng
         psmisc

mkosi/mkosi.conf.d/centos-fedora/mkosi.conf

@@ -9,7 +9,6 @@ PrepareScripts=systemd.prepare
 VolatilePackages=
         systemd
         systemd-container
-        systemd-devel
         systemd-journal-remote
         systemd-libs
         systemd-networkd
@@ -28,6 +27,8 @@ Packages=
         device-mapper-event
         device-mapper-multipath
         dfuzzer
+        elfutils-devel
+        elfutils-libs
         erofs-utils
         git-core
         glibc-langpack-de
@@ -49,6 +50,7 @@ Packages=
         pam
         passwd
         perf
+        pkgconf
         policycoreutils
         polkit
         procps-ng

mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf

@@ -12,10 +12,8 @@ VolatilePackages=
         libnss-resolve
         libnss-systemd
         libpam-systemd
-        libsystemd-dev
         libsystemd-shared
         libsystemd0
-        libudev-dev
         systemd
         systemd-container
         systemd-coredump
@@ -53,6 +51,8 @@ Packages=
         isc-dhcp-server
         knot
         libcap-ng-utils
+        libdw-dev
+        libdw1
         locales
         login
         man-db
@@ -63,6 +63,7 @@ Packages=
         openssh-server
         passwd
         polkitd
+        pkgconf
         procps
         psmisc
         python3-pexpect

mkosi/mkosi.conf.d/opensuse/mkosi.conf

@@ -17,7 +17,6 @@ VolatilePackages=
         libudev1
         systemd
         systemd-container
-        systemd-devel
         systemd-doc
         systemd-experimental
         systemd-homed
@@ -58,7 +57,11 @@ Packages=
         knot
         libapparmor1
         libcap-progs
+        libdw-devel
+        libdw1
         libtss2-tcti-device0
+        libz1
+        man
         multipath-tools
         ncat
         open-iscsi
@@ -67,6 +70,8 @@ Packages=
         pam
         patterns-base-minimal_base
         perf
+        policycoreutils
+        pkgconf
         procps4
         psmisc
         python3-pefile
@@ -76,6 +81,8 @@ Packages=
         quota
         rsync
         sed
+        selinux-policy
+        selinux-policy-targeted
         shadow
         softhsm
         squashfs

mkosi/mkosi.credentials/userdb.user.testuser

@@ -3,10 +3,6 @@
     "uid": 4711,
     "disposition": "regular",
     "enforcePasswordPolicy": false,
-    "memberOf": [
-        "wheel",
-        "systemd-journal"
-    ],
     "shell": "/bin/bash",
     "privileged": {
         "hashedPassword": ["$1$kqp7NF1f$tNnQcshPX53CSfRKTQD0R1"]

mkosi/mkosi.extra.common/usr/lib/systemd/system/systemd-pcrphase-factory-reset.service.d/exit-on-failure.conf

@@ -0,0 +1,2 @@
+[Unit]
+FailureAction=exit

mkosi/mkosi.extra.common/usr/lib/systemd/system/systemd-storagetm.service.d/exit-on-failure.conf

@@ -0,0 +1,2 @@
+[Unit]
+FailureAction=exit

mkosi/mkosi.extra.common/usr/lib/systemd/system/systemd-validatefs@.service.d/exit-on-failure.conf

@@ -0,0 +1,2 @@
+[Unit]
+FailureAction=exit

mkosi/mkosi.extra/usr/lib/systemd/system/systemd-pcrfs-root.service.d/exit-on-failure.conf

@@ -0,0 +1,2 @@
+[Unit]
+FailureAction=exit

mkosi/mkosi.extra/usr/lib/systemd/system/systemd-pcrfs@.service.d/exit-on-failure.conf

@@ -0,0 +1,2 @@
+[Unit]
+FailureAction=exit

mkosi/mkosi.extra/usr/lib/systemd/system/systemd-pcrphase-sysinit.service.d/exit-on-failure.conf

@@ -0,0 +1,2 @@
+[Unit]
+FailureAction=exit

mkosi/mkosi.extra/usr/lib/systemd/system/systemd-pcrphase.service.d/exit-on-failure.conf

@@ -0,0 +1,2 @@
+[Unit]
+FailureAction=exit

mkosi/mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/systemd-pcrphase-initrd.service.d/exit-on-failure.conf

@@ -0,0 +1,2 @@
+[Unit]
+FailureAction=exit

mkosi/mkosi.images/initrd/mkosi.extra/usr/lib/systemd/system/systemd-pcrphase-storage-target-mode.service.d/exit-on-failure.conf

@@ -0,0 +1,2 @@
+[Unit]
+FailureAction=exit

mkosi/mkosi.images/minimal-base/mkosi.conf.d/debian-ubuntu.conf

@@ -7,6 +7,7 @@ Distribution=|ubuntu
 [Content]
 PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 Packages=
+        bsdextrautils
         hostname
         iproute2
         mount

mkosi/mkosi.postinst.chroot

@@ -28,6 +28,7 @@ rm -f /etc/resolv.conf
 
 for f in "$BUILDROOT"/usr/share/*.verity.sig; do
     jq --join-output '.rootHash' "$f" >"${f%.verity.sig}.roothash"
+    jq --join-output '.signature' "$f" | base64 --decode >"${f%.verity.sig}.roothash.p7s"
 done
 
 # We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by

src/test/meson.build

@@ -276,6 +276,17 @@ executables += [
                 'sources' : files('test-compress.c'),
                 'link_with' : [libshared],
         },
+        test_template + {
+                'sources' : files('test-coredump-stacktrace.c'),
+                'type' : 'manual',
+                # This test intentionally crashes with SIGSEGV by dereferencing a NULL pointer
+                # to generate a coredump with a predictable stack trace. To prevent sanitizers
+                # from catching the error first let's disable them explicitly, and also always
+                # build with minimal optimizations to make the stack trace predictable no matter
+                # what we build the rest of systemd with
+                'override_options' : ['b_sanitize=none', 'strip=false', 'debug=true'],
+                'c_args' : ['-fno-sanitize=all', '-fno-optimize-sibling-calls', '-O1'],
+        },
         test_template + {
                 'sources' : files('test-cryptolib.c'),
                 'dependencies' : libopenssl,

src/test/test-coredump-stacktrace.c

@@ -0,0 +1,29 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+/* This is a test program that intentionally segfaults so we can generate a
+ * predictable-ish stack trace in tests. */
+
+#include <stdlib.h>
+
+__attribute__((noinline))
+static void baz(int *x) {
+        *x = rand();
+}
+
+__attribute__((noinline))
+static void bar(void) {
+        int * volatile x = NULL;
+
+        baz(x);
+}
+
+__attribute__((noinline))
+static void foo(void) {
+        bar();
+}
+
+int main(void) {
+        foo();
+
+        return 0;
+}

src/userdb/userdbctl.c

@@ -1405,7 +1405,7 @@ static int load_credential_one(
 
         if (ur)
                 STRV_FOREACH(g, ur->member_of) {
-                        _cleanup_free_ char *membership = strjoin(ur->user_name, ":", *g);
+                        _cleanup_free_ char *membership = strjoin(ur->user_name, ":", *g, ".membership");
                         if (!membership)
                                 return log_oom();
 
@@ -1417,7 +1417,7 @@ static int load_credential_one(
                 }
         else
                 STRV_FOREACH(u, gr->members) {
-                        _cleanup_free_ char *membership = strjoin(*u, ":", gr->group_name);
+                        _cleanup_free_ char *membership = strjoin(*u, ":", gr->group_name, ".membership");
                         if (!membership)
                                 return log_oom();
 

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/always-activating.service

@@ -5,4 +5,4 @@ After=always-activating.socket
 
 [Service]
 Type=notify
-ExecStart=bash -c 'sleep infinity'
+ExecStart=sleep infinity

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/hello.service

@@ -3,4 +3,4 @@
 Description=Hello World
 
 [Service]
-ExecStart=/bin/echo "Hello World"
+ExecStart=echo "Hello World"

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/sleep-infinity-restart-direct.service

@@ -3,6 +3,6 @@
 OnFailure=restart-on-failure.service
 
 [Service]
-ExecStart=/bin/sleep infinity
+ExecStart=sleep infinity
 Restart=on-failure
 RestartMode=direct

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/sleep-infinity-restart-normal.service

@@ -3,6 +3,6 @@
 OnFailure=restart-on-failure.service
 
 [Service]
-ExecStart=/bin/sleep infinity
+ExecStart=sleep infinity
 Restart=on-failure
 RestartMode=normal

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/sleep-infinity-simple.service

@@ -4,4 +4,4 @@ Description=Sleep infinitely
 
 [Service]
 Type=simple
-ExecStart=/bin/sleep infinity
+ExecStart=sleep infinity

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/sleep.service

@@ -4,4 +4,4 @@ Description=Sleep for 1 minute
 
 [Service]
 Type=oneshot
-ExecStart=/bin/sleep 60
+ExecStart=sleep 60

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/unstoppable.service

@@ -2,5 +2,5 @@
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/bin/echo "I'm unstoppable!"
-ExecStop=/bin/systemctl start --no-block unstoppable.service
+ExecStart=echo "I'm unstoppable!"
+ExecStop=systemctl start --no-block unstoppable.service

test/integration-tests/TEST-06-SELINUX/TEST-06-SELINUX.units/hola.service

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 [Service]
 Type=oneshot
-ExecStart=/bin/echo Start Hola
-ExecReload=/bin/echo Reload Hola
-ExecStop=/bin/echo Stop Hola
+ExecStart=echo Start Hola
+ExecReload=echo Reload Hola
+ExecStop=echo Stop Hola
 RemainAfterExit=yes

test/integration-tests/TEST-07-PID1/TEST-07-PID1.units/issue14566-repro.service

@@ -4,5 +4,5 @@ Description=Issue 14566 Repro
 
 [Service]
 ExecStart=/usr/lib/systemd/tests/testdata/TEST-07-PID1.units/%N.sh
-ExecStopPost=/bin/true
+ExecStopPost=true
 KillMode=mixed

test/integration-tests/TEST-07-PID1/TEST-07-PID1.units/issue16115-repro-1.service

@@ -5,6 +5,6 @@ Description=Issue 16115 Repro with on-abnormal
 [Service]
 Type=simple
 Restart=on-abnormal
-ExecCondition=/bin/false
+ExecCondition=false
 ExecStart=sleep 100
 RestartSec=1

test/integration-tests/TEST-07-PID1/TEST-07-PID1.units/issue16115-repro-2.service

@@ -5,6 +5,6 @@ Description=Issue 16115 Repro with on-failure
 [Service]
 Type=simple
 Restart=on-failure
-ExecCondition=/bin/false
+ExecCondition=false
 ExecStart=sleep 100
 RestartSec=1

test/integration-tests/TEST-07-PID1/TEST-07-PID1.units/issue16115-repro-3.service

@@ -5,6 +5,6 @@ Description=Issue 22257 Repro with Restart=always
 [Service]
 Type=simple
 Restart=always
-ExecCondition=/bin/false
+ExecCondition=false
 ExecStart=sleep 100
 RestartSec=1

test/integration-tests/TEST-16-EXTEND-TIMEOUT/TEST-16-EXTEND-TIMEOUT.units/fail-stop.service

@@ -13,4 +13,4 @@ Environment=SERVICE=fail_stop extend_timeout_interval=5 sleep_interval=7 start_i
 ExecStart=/usr/lib/systemd/tests/testdata/TEST-16-EXTEND-TIMEOUT.units/extend-timeout.sh
 # Due to 6041a7ee2c1bbff6301082f192fc1b0882400d42 SIGTERM isn't sent as the service shuts down with STOPPING=1
 # This file makes the test assess.sh quicker by notifying it that this test has finished.
-ExecStopPost=/bin/bash -c '[[ $SERVICE_RESULT == timeout && $EXIT_CODE == killed ]] && touch /fail_runtime.terminated'
+ExecStopPost=bash -c '[[ $SERVICE_RESULT == timeout && $EXIT_CODE == killed ]] && touch /fail_runtime.terminated'

test/integration-tests/TEST-62-RESTRICT-IFACES/TEST-62-RESTRICT-IFACES.units/TEST-62-RESTRICT-IFACES-6.service

@@ -2,9 +2,9 @@
 [Unit]
 Description=TEST-62-RESTRICT-IFACES-altname
 [Service]
-ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.1'
-ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
-ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.9'
+ExecStart=sh -c 'ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=sh -c '! ping -c 1 -W 0.2 192.168.113.9'
 RestrictNetworkInterfaces=veth0-altname-with-more-than-15-chars
 RestrictNetworkInterfaces=veth1-altname-with-more-than-15-chars
 Type=oneshot

test/integration-tests/TEST-63-PATH/TEST-63-PATH.units/test63-issue-24577-dep.service

@@ -1,4 +1,4 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 [Service]
 Type=oneshot
-ExecStart=bash -c 'sleep infinity'
+ExecStart=sleep infinity

test/integration-tests/TEST-63-PATH/TEST-63-PATH.units/test63-issue-24577.service

@@ -5,4 +5,4 @@ After=test63-issue-24577-dep.service
 
 [Service]
 Type=oneshot
-ExecStart=bash -c 'sleep infinity'
+ExecStart=sleep infinity

test/integration-tests/TEST-87-AUX-UTILS-VM/meson.build

@@ -5,7 +5,7 @@ integration_tests += [
         integration_test_template + {
                 'name' : fs.name(meson.current_source_dir()),
                 'storage': 'persistent',
-                'coredump-exclude-regex' : '/(test-usr-dump|test-dump|bash)$',
+                'coredump-exclude-regex' : '/(test-usr-dump|test-dump|test-stacktrace(-not)?-symbolized|bash)$',
                 'vm' : true,
                 'firmware' : 'auto',
         },

test/units/TEST-04-JOURNAL.SYSTEMD_JOURNAL_COMPRESS.sh

@@ -26,7 +26,7 @@ EOF
     journalctl --rotate
 
     ID="$(systemd-id128 new)"
-    systemd-cat -t "$ID" /bin/bash -c "for ((i=0;i<100;i++)); do echo -n hoge with ${c}; done; echo"
+    systemd-cat -t "$ID" bash -c "for ((i=0;i<100;i++)); do echo -n hoge with ${c}; done; echo"
     journalctl --sync
     timeout 10 bash -c "until SYSTEMD_LOG_LEVEL=debug journalctl --verify --quiet --file /var/log/journal/$MACHINE_ID/system.journal 2>&1 | grep -q -F 'compress=${c}'; do sleep .5; done"
 

test/units/TEST-04-JOURNAL.journal.sh

@@ -93,7 +93,7 @@ grep -vq "^_PID=$PID" /tmp/output
 # https://github.com/systemd/systemd/issues/15654
 ID=$(systemd-id128 new)
 printf "This will\nusually fail\nand be truncated\n" >/tmp/expected
-systemd-cat -t "$ID" /bin/sh -c 'env echo -n "This will";echo;env echo -n "usually fail";echo;env echo -n "and be truncated";echo;'
+systemd-cat -t "$ID" sh -c 'env echo -n "This will";echo;env echo -n "usually fail";echo;env echo -n "and be truncated";echo;'
 journalctl --sync
 journalctl -b -o cat -t "$ID" >/tmp/output
 diff /tmp/expected /tmp/output
@@ -122,7 +122,7 @@ journalctl -b -n 1 /bin/true /bin/false
 journalctl -b -n 1 /bin/true + /bin/false
 journalctl -b -n 1 -r --unit "systemd*"
 
-systemd-run --user -M "testuser@.host" /bin/echo hello
+systemd-run --user -M "testuser@.host" echo hello
 journalctl --sync
 journalctl -b -n 1 -r --user-unit "*"
 
@@ -160,7 +160,7 @@ journalctl --header | grep system.journal
 journalctl --field _EXE | grep . >/dev/null
 journalctl --no-hostname --utc --catalog | grep . >/dev/null
 # Exercise executable_is_script() and the related code, e.g. `journalctl -b /path/to/a/script.sh` should turn
-# into ((_EXE=/bin/bash AND _COMM=script.sh) AND _BOOT_ID=c002e3683ba14fa8b6c1e12878386514)
+# into ((_EXE=/usr/bin/bash AND _COMM=script.sh) AND _BOOT_ID=c002e3683ba14fa8b6c1e12878386514)
 journalctl -b "$(readlink -f "$0")" | grep . >/dev/null
 journalctl -b "$(systemd-id128 boot-id)" | grep . >/dev/null
 journalctl --since yesterday --reverse | grep . >/dev/null
@@ -221,7 +221,7 @@ journalctl --follow --merge | head -n1 | grep .
 rm -f /tmp/issue-26746-log /tmp/issue-26746-cursor
 ID="$(systemd-id128 new)"
 journalctl -t "$ID" --follow --cursor-file=/tmp/issue-26746-cursor | tee /tmp/issue-26746-log &
-systemd-cat -t "$ID" /bin/sh -c 'echo hogehoge'
+systemd-cat -t "$ID" sh -c 'echo hogehoge'
 # shellcheck disable=SC2016
 timeout 10 bash -c 'until [[ -f /tmp/issue-26746-log && "$(cat /tmp/issue-26746-log)" =~ hogehoge ]]; do sleep .5; done'
 pkill -TERM journalctl

test/units/TEST-07-PID1.exec-context.sh

@@ -405,7 +405,7 @@ if [[ ! -v ASAN_OPTIONS ]]; then
     # Here, -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env does not work,
     # as sd-executor loads NSS module and fails before applying the environment:
     # (true)[660]: test-dynamicuser-fail.service: Changing to the requested working directory failed: No such file or directory
-    # (true)[660]: test-dynamicuser-fail.service: Failed at step CHDIR spawning /usr/bin/true: No such file or directory
+    # (true)[660]: test-dynamicuser-fail.service: Failed at step CHDIR spawning true: No such file or directory
     # TEST-07-PID1.sh[660]: ==660==LeakSanitizer has encountered a fatal error.
     # TEST-07-PID1.sh[660]: ==660==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
     # TEST-07-PID1.sh[660]: ==660==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)

test/units/TEST-07-PID1.exec-deserialization.sh

@@ -193,7 +193,7 @@ testcase_issue_6533() {
     cat >"$unit_path" <<EOF
 [Service]
 Type=simple
-ExecStart=/bin/sleep 5
+ExecStart=sleep 5
 EOF
     systemctl daemon-reload
 
@@ -207,7 +207,7 @@ EOF
     cat >"$unit_path" <<EOF
 [Service]
 Type=simple
-ExecStart=/bin/sleep 5
+ExecStart=sleep 5
 ExecStart=bash -c "echo foo >>$log_file"
 EOF
     systemctl daemon-reload

test/units/TEST-07-PID1.issue-31752.sh

@@ -23,7 +23,7 @@ trap cleanup EXIT
 
 cat > /run/systemd/system/"$UNIT" <<EOF
 [Service]
-ExecStart=/usr/bin/true
+ExecStart=true
 RemainAfterExit=yes
 EOF
 

test/units/TEST-07-PID1.issue-33672.sh

@@ -23,7 +23,7 @@ trap cleanup EXIT
 
 cat > /run/systemd/system/"$UNIT" <<EOF
 [Service]
-ExecStart=/usr/bin/true
+ExecStart=true
 EOF
 
 mkdir /run/systemd/system/"$UNIT".d

test/units/TEST-07-PID1.main-PID-change.sh

@@ -18,7 +18,7 @@ INTERNALPID=$!
 disown
 
 # Start a test process outside of our own cgroup
-systemd-run -p DynamicUser=1 --unit=test-sleep.service /bin/sleep infinity
+systemd-run -p DynamicUser=1 --unit=test-sleep.service sleep infinity
 EXTERNALPID="$(systemctl show -P MainPID test-sleep.service)"
 
 # Update our own main PID to the external test PID, this should work
@@ -162,11 +162,11 @@ chmod 755 /dev/shm/test-mainpid3.sh
 test "$(systemctl show -P Result test-mainpidsh3.service)" = timeout
 
 # Test that scope units work
-systemd-run --scope --unit test-true.scope /bin/true
+systemd-run --scope --unit test-true.scope true
 test "$(systemctl show -P Result test-true.scope)" = success
 
 # Test that user scope units work as well
 
 systemctl start user@4711.service
-runas testuser systemd-run --scope --user --unit test-true.scope /bin/true
+runas testuser systemd-run --scope --user --unit test-true.scope true
 test "$(systemctl show -P Result test-true.scope)" = success

test/units/TEST-07-PID1.mqueue-ownership.sh

@@ -35,7 +35,7 @@ cat << 'EOF' > /run/systemd/system/mqueue-ownership.service
 Description=Dummy service for the socket unit
 Requires=%N.socket
 [Service]
-ExecStart=/usr/bin/true
+ExecStart=true
 Type=oneshot
 EOF
 

test/units/TEST-07-PID1.private-network.sh

@@ -4,4 +4,4 @@ set -eux
 set -o pipefail
 
 # For issue https://github.com/systemd/systemd/issues/29526
-systemd-run -p PrivateNetwork=yes --wait /bin/true
+systemd-run -p PrivateNetwork=yes --wait true

test/units/TEST-07-PID1.quota.sh

@@ -41,7 +41,7 @@ PrivateUsers=yes
 TemporaryFileSystem=/run /var/opt /var/lib /vol
 ${exec_directory_directive}
 ${exec_quota_directive}
-ExecStart=/bin/bash -c ' \
+ExecStart=bash -c ' \
     set -eux; \
     set -o pipefail; \
     touch ${directory}/quotadir/testfile; \
@@ -77,7 +77,7 @@ PrivateUsers=yes
 TemporaryFileSystem=/run /var/opt /var/lib /vol
 ${exec_directory_directive}
 ${exec_quota_directive}
-ExecStart=/bin/bash -c ' \
+ExecStart=bash -c ' \
     set -eux; \
     set -o pipefail; \
     (! fallocate -l 10000G ${directory}/quotadir/largefile); \

test/units/TEST-07-PID1.transient-unit-container.sh

@@ -121,8 +121,8 @@ After=basic.target
 
 [Service]
 Type=oneshot
-ExecStart=/bin/sh -c 'echo "$EXPECTED_OUTPUT"  > "$guest_output"'
-ExecStartPost=/usr/bin/systemctl --no-block exit 0
+ExecStart=sh -c 'echo "$EXPECTED_OUTPUT"  > "$guest_output"'
+ExecStartPost=systemctl --no-block exit 0
 TimeoutStopSec=15s
 
 [Install]

test/units/TEST-07-PID1.type-exec-parallel.sh

@@ -6,4 +6,4 @@ set -o pipefail
 # Make sure that we never mistake a process starting but failing quickly for a process failing to start, with Type=exec.
 # See https://github.com/systemd/systemd/pull/30799
 
-seq 25 | xargs -n 1 -P 0 systemd-run -p Type=exec /bin/false
+seq 25 | xargs -n 1 -P 0 systemd-run -p Type=exec false

test/units/TEST-13-NSPAWN.machined.sh

@@ -40,7 +40,7 @@ done
 # Create one "long running" container with some basic signal handling
 create_dummy_container /var/lib/machines/long-running
 cat >/var/lib/machines/long-running/sbin/init <<\EOF
-#!/usr/bin/bash
+#!/usr/bin/env bash
 
 set -x
 
@@ -317,7 +317,7 @@ varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Unreg
 # test io.systemd.Machine.List with addresses, OSRelease, and UIDShift fields
 create_dummy_container "/var/lib/machines/container-without-os-release"
 cat >>/var/lib/machines/container-without-os-release/sbin/init <<\EOF
-#!/usr/bin/bash
+#!/usr/bin/env bash
 
 set -x
 
@@ -399,13 +399,13 @@ rm -f /tmp/none-existent-file
 # server side, to not generate early SIGHUP. Hence, let's just invoke "sleep
 # infinity" client side, once we acquired the fd (passing it to it), and kill
 # it once we verified everything worked.
-PID=$(systemd-notify --fork -- varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/bin/bash", "args": ["/bin/bash", "-c", "echo $FOO > /tmp/none-existent-file"], "environment": ["FOO=BAR"]}' -- sleep infinity)
+PID=$(systemd-notify --fork -- varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/usr/bin/bash", "args": ["bash", "-c", "echo $FOO > /tmp/none-existent-file"], "environment": ["FOO=BAR"]}' -- sleep infinity)
 timeout 30 bash -c "until test -e /tmp/none-existent-file; do sleep .5; done"
 grep -q "BAR" /tmp/none-existent-file
 kill "$PID"
 
 # Test varlinkctl's --exec fd passing logic properly
-assert_eq "$(varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/bin/bash", "args": ["/bin/bash", "-c", "echo $((7 + 8))"], "environment": ["TERM=dumb"]}' -- bash -c 'read -r -N 2 x <&3 ; echo "$x"')" 15
+assert_eq "$(varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/usr/bin/bash", "args": ["bash", "-c", "echo $((7 + 8))"], "environment": ["TERM=dumb"]}' -- bash -c 'read -r -N 2 x <&3 ; echo "$x"')" 15
 
 # test io.systemd.Machine.MapFrom
 varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.MapFrom '{"name": "long-running", "uid":0, "gid": 0}'

test/units/TEST-13-NSPAWN.nspawn-oci.sh

@@ -351,7 +351,8 @@ EOF
 # Create a simple "entrypoint" script that validates that the container
 # is created correctly according to the OCI config
 cat >"$OCI/rootfs/entrypoint.sh" <<EOF
-#!/usr/bin/bash -e
+#!/usr/bin/env bash
+set -e
 
 # Mounts
 mountpoint /root

test/units/TEST-13-NSPAWN.nspawn.sh

@@ -193,7 +193,7 @@ testcase_sanity() {
     # "Fake" getent passwd's bare minimum, so we don't have to pull it in
     # with all the DSO shenanigans
     cat >"$root/bin/getent" <<\EOF
-#!/bin/bash
+#!/usr/bin/env bash
 
 if [[ $# -eq 0 ]]; then
     :
@@ -456,7 +456,7 @@ Port=tcp:60
 Port=udp:60:61
 EOF
     cat >"$root/entrypoint.sh" <<\EOF
-#!/bin/bash
+#!/usr/bin/env bash
 set -ex
 
 env
@@ -844,7 +844,7 @@ testcase_owneridmap() {
     # "Fake" getent passwd's bare minimum, so we don't have to pull it in
     # with all the DSO shenanigans
     cat >"$root/bin/getent" <<\EOF
-#!/bin/bash
+#!/usr/bin/env bash
 
 if [[ $# -eq 0 ]]; then
     :
@@ -869,7 +869,7 @@ EOF
                            --user=testuser \
                            --bind=/tmp/owneridmap/bind:/home/testuser:owneridmap \
                            ${COVERAGE_BUILD_DIR:+--bind="$COVERAGE_BUILD_DIR"} \
-                           /usr/bin/bash -c "$cmd" |& tee nspawn.out; then
+                           bash -c "$cmd" |& tee nspawn.out; then
         if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then
             echo "idmapped mounts are not supported, skipping the test..."
             return 0
@@ -906,7 +906,8 @@ testcase_os_release() {
     create_dummy_container "$root"
     entrypoint="$root/entrypoint.sh"
     cat >"$entrypoint" <<\EOF
-#!/usr/bin/bash -ex
+#!/usr/bin/env bash
+set -ex
 
 . /tmp/os-release
 [[ -n "${ID:-}" && "$ID" != "$container_host_id" ]] && exit 1
@@ -953,7 +954,7 @@ testcase_machinectl_bind() {
     cat >"$service_path" <<EOF
 [Service]
 Type=notify
-ExecStart=systemd-nspawn --directory="$root" --notify-ready=no /usr/bin/bash -xec "$cmd"
+ExecStart=systemd-nspawn --directory="$root" --notify-ready=no bash -xec "$cmd"
 EOF
 
     systemctl daemon-reload

test/units/TEST-13-NSPAWN.nss-mymachines.sh

@@ -25,7 +25,8 @@ mount --bind "$(mktemp --tmpdir=/var/tmp -d)" /var/lib/machines
 # 1) Have no IP addresses assigned
 create_dummy_container /var/lib/machines/nss-mymachines-noip
 cat >/var/lib/machines/nss-mymachines-noip/sbin/init <<\EOF
-#!/usr/bin/bash -ex
+#!/usr/bin/env bash
+set -ex
 
 ip addr show dev ve-noip
 touch /initialized
@@ -38,7 +39,8 @@ EOF
 # 2) Have one IP address assigned (IPv4 only)
 create_dummy_container /var/lib/machines/nss-mymachines-singleip
 cat >/var/lib/machines/nss-mymachines-singleip/sbin/init <<\EOF
-#!/usr/bin/bash -ex
+#!/usr/bin/env bash
+set -ex
 
 ip addr add 10.1.0.2/24 dev ve-singleip
 ip addr show dev ve-singleip
@@ -51,7 +53,8 @@ EOF
 # 3) Have bunch of IP addresses assigned (both IPv4 and IPv6)
 create_dummy_container /var/lib/machines/nss-mymachines-manyips
 cat >/var/lib/machines/nss-mymachines-manyips/sbin/init <<\EOF
-#!/usr/bin/bash -ex
+#!/usr/bin/env bash
+set -ex
 
 ip addr add 10.2.0.2/24 dev ve-manyips
 for i in {100..120}; do

test/units/TEST-13-NSPAWN.unpriv.sh

@@ -24,7 +24,7 @@ run0 -u testuser mkdir -p .local/state/machines
 
 create_dummy_container /home/testuser/.local/state/machines/zurps
 cat >/home/testuser/.local/state/machines/zurps/sbin/init <<EOF
-#!/bin/sh
+#!/usr/bin/env bash
 echo "I am living in a container"
 exec sleep infinity
 EOF

test/units/TEST-15-DROPIN.sh

@@ -116,16 +116,16 @@ testcase_basic_dropins() {
 
     echo "*** test service.d/ top level drop-in"
     create_services test15-a test15-b
-    check_ko test15-a ExecCondition "/bin/echo a"
-    check_ko test15-b ExecCondition "/bin/echo b"
+    check_ko test15-a ExecCondition "echo a"
+    check_ko test15-b ExecCondition "echo b"
     mkdir -p /run/systemd/system/service.d
     cat >/run/systemd/system/service.d/override.conf <<EOF
 [Service]
-ExecCondition=/bin/echo %n
+ExecCondition=echo %n
 EOF
     systemctl daemon-reload
-    check_ok test15-a ExecCondition "/bin/echo test15-a"
-    check_ok test15-b ExecCondition "/bin/echo test15-b"
+    check_ok test15-a ExecCondition "echo test15-a"
+    check_ok test15-b ExecCondition "echo test15-b"
     rm -rf /run/systemd/system/service.d
 
     clear_units test15-{a,b,c,c1}.service

test/units/TEST-16-EXTEND-TIMEOUT.sh

@@ -70,21 +70,21 @@ runtime_max_sec=5
 systemd-run \
     --property=RuntimeMaxSec=${runtime_max_sec}s \
     -u runtime-max-sec-test-1.service \
-    /usr/bin/sh -c "while true; do sleep 1; done"
+    sh -c "while true; do sleep 1; done"
 wait_for_timeout runtime-max-sec-test-1.service $((runtime_max_sec + 2))
 
 systemd-run \
     --property=RuntimeMaxSec=${runtime_max_sec}s \
     --scope \
     -u runtime-max-sec-test-2.scope \
-    /usr/bin/sh -c "while true; do sleep 1; done" &
+    sh -c "while true; do sleep 1; done" &
 wait_for_timeout runtime-max-sec-test-2.scope $((runtime_max_sec + 2))
 
 # These ensure that RuntimeMaxSec is honored for scope and service
 # units if the value is changed and then the manager is reloaded.
 systemd-run \
     -u runtime-max-sec-test-3.service \
-    /usr/bin/sh -c "while true; do sleep 1; done"
+    sh -c "while true; do sleep 1; done"
 mkdir -p /etc/systemd/system/runtime-max-sec-test-3.service.d/
 cat > /etc/systemd/system/runtime-max-sec-test-3.service.d/override.conf << EOF
 [Service]
@@ -96,7 +96,7 @@ wait_for_timeout runtime-max-sec-test-3.service $((runtime_max_sec + 2))
 systemd-run \
     --scope \
     -u runtime-max-sec-test-4.scope \
-    /usr/bin/sh -c "while true; do sleep 1; done" &
+    sh -c "while true; do sleep 1; done" &
 
 # Wait until the unit is running to avoid race with creating the override.
 until systemctl is-active runtime-max-sec-test-4.scope; do

test/units/TEST-17-UDEV.IMPORT.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -ex
 set -o pipefail
@@ -7,7 +7,7 @@ mkdir -p /run/udev/rules.d/
 
 cat >/run/udev/rules.d/50-testsuite.rules <<EOF
 SUBSYSTEM=="mem", KERNEL=="null", OPTIONS="log_level=debug"
-ACTION=="add", SUBSYSTEM=="mem", KERNEL=="null", IMPORT{program}="/bin/echo -e HOGE=aa\\\\x20\\\\x20\\\\x20bb\nFOO=\\\\x20aaa\\\\x20\n\n\n"
+ACTION=="add", SUBSYSTEM=="mem", KERNEL=="null", IMPORT{program}="/usr/bin/echo -e HOGE=aa\\\\x20\\\\x20\\\\x20bb\nFOO=\\\\x20aaa\\\\x20\n\n\n"
 EOF
 
 udevadm control --reload

test/units/TEST-17-UDEV.TAG.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -ex
 set -o pipefail

test/units/TEST-17-UDEV.failed-event.sh

@@ -17,8 +17,8 @@ SUBSYSTEM!="mem", GOTO="test_end"
 KERNEL!="null", GOTO="test_end"
 
 OPTIONS="log_level=debug"
-PROGRAM=="/bin/touch /tmp/test-udev-marker"
-PROGRAM!="/bin/sleep 60", ENV{PROGRAM_RESULT}="KILLED"
+PROGRAM=="/usr/bin/touch /tmp/test-udev-marker"
+PROGRAM!="/usr/bin/sleep 60", ENV{PROGRAM_RESULT}="KILLED"
 
 LABEL="test_end"
 EOF

test/units/TEST-17-UDEV.queued-events-serialization.sh

@@ -17,9 +17,9 @@ KERNEL!="null", GOTO="end"
 ACTION=="remove", GOTO="end"
 
 IMPORT{db}="INVOCATIONS"
-IMPORT{program}="/bin/bash -c 'systemctl show --property=InvocationID systemd-udevd.service'"
+IMPORT{program}="/usr/bin/bash -c 'systemctl show --property=InvocationID systemd-udevd.service'"
 ENV{INVOCATIONS}+="%E{ACTION}_%E{SEQNUM}_%E{InvocationID}"
-ACTION=="add", RUN+="/bin/bash -c ':> /tmp/marker'", RUN+="/usr/bin/sleep 10"
+ACTION=="add", RUN+="/usr/bin/bash -c ':> /tmp/marker'", RUN+="/usr/bin/sleep 10"
 
 LABEL="end"
 EOF

test/units/TEST-17-UDEV.verify.sh

@@ -160,13 +160,13 @@ echo "Failed to parse rules file $(pwd)/${rules}: No buffer space available" >"$
 assert_1 "${rules}"
 
 {
-    printf 'RUN+="/bin/true",%8174s\\\n' ' '
-    printf 'RUN+="/bin/false"%8174s\\\n' ' '
+    printf 'RUN+="/usr/bin/true",%8170s\\\n' ' '
+    printf 'RUN+="/usr/bin/false"%8170s\\\n' ' '
     echo
 } >"${rules}"
 assert_0 "${rules}"
 
-printf 'RUN+="/bin/true"%8176s\\\n #\n' ' ' ' ' >"${rules}"
+printf 'RUN+="/usr/bin/true"%8176s\\\n #\n' ' ' ' ' >"${rules}"
 echo >>"${rules}"
 cat >"${exp}" <<EOF
 $(pwd)/${rules}:1 Line is too long, ignored.

test/units/TEST-17-UDEV.watch.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -ex
 set -o pipefail

test/units/TEST-19-CGROUP.keyed-properties.sh

@@ -43,7 +43,7 @@ EOF
 testcase_iodevice_unitfile () {
     cat >/run/systemd/system/test1.service <<EOF
 [Service]
-ExecStart=/usr/bin/sleep inf
+ExecStart=sleep inf
 IOReadBandwidthMax=/dev/sda1 1M
 IOReadBandwidthMax=/dev/sda2 2M
 IOReadBandwidthMax=/dev/sda3 4M

test/units/TEST-22-TMPFILES.01.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # With "e" don't attempt to set permissions when file doesn't exist, see

test/units/TEST-22-TMPFILES.02.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Basic tests for types creating directories

test/units/TEST-22-TMPFILES.03.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Basic tests for types creating/writing files

test/units/TEST-22-TMPFILES.04.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Basic tests for types creating fifos

test/units/TEST-22-TMPFILES.05.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -eux
 set -o pipefail

test/units/TEST-22-TMPFILES.06.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Inspired by https://github.com/systemd/systemd/issues/9508

test/units/TEST-22-TMPFILES.07.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Verifies the issues described by https://github.com/systemd/systemd/issues/10191

test/units/TEST-22-TMPFILES.08.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Verify tmpfiles can run in a root directory under a path prefix that contains

test/units/TEST-22-TMPFILES.13.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Tests for configuration directory and file precedences

test/units/TEST-22-TMPFILES.14.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Tests for the ":" uid/gid/mode modifier

test/units/TEST-22-TMPFILES.15.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Check specifier expansion in L lines.

test/units/TEST-22-TMPFILES.16.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Test for conditionalized execute bit ('X' bit)

test/units/TEST-22-TMPFILES.17.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Test for C-style escapes in file names and contents

test/units/TEST-22-TMPFILES.18.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Tests for the --purge switch

test/units/TEST-22-TMPFILES.19.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Tests for character and block device creation

test/units/TEST-23-UNIT-FILE.ExecReload.sh

@@ -15,7 +15,7 @@ echo "[#1] Failing ExecReload= should not kill the service"
 cat >"$SERVICE_PATH" <<EOF
 [Service]
 ExecStart=sleep infinity
-ExecReload=/bin/false
+ExecReload=false
 EOF
 
 systemctl daemon-reload
@@ -31,9 +31,9 @@ echo "[#2] Failing ExecReload= should not kill the service (multiple ExecReload=
 cat >"$SERVICE_PATH" <<EOF
 [Service]
 ExecStart=sleep infinity
-ExecReload=/bin/true
-ExecReload=/bin/false
-ExecReload=/bin/true
+ExecReload=true
+ExecReload=false
+ExecReload=true
 EOF
 
 systemctl daemon-reload
@@ -48,7 +48,7 @@ echo "[#3] Failing ExecReload=- should not affect reload's exit code"
 cat >"$SERVICE_PATH" <<EOF
 [Service]
 ExecStart=sleep infinity
-ExecReload=-/bin/false
+ExecReload=-false
 EOF
 
 systemctl daemon-reload

test/units/TEST-23-UNIT-FILE.ExecStopPost.sh

@@ -7,19 +7,19 @@ set -eux
 systemd-analyze log-level debug
 
 systemd-run --unit=simple1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=simple \
-    -p ExecStopPost='/bin/touch /run/simple1' true
+    -p ExecStopPost='touch /run/simple1' true
 test -f /run/simple1
 
 (! systemd-run --unit=simple2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=simple \
-    -p ExecStopPost='/bin/touch /run/simple2' false)
+    -p ExecStopPost='touch /run/simple2' false)
 test -f /run/simple2
 
 systemd-run --unit=exec1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec \
-    -p ExecStopPost='/bin/touch /run/exec1' sleep 1
+    -p ExecStopPost='touch /run/exec1' sleep 1
 test -f /run/exec1
 
 (! systemd-run --unit=exec2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec \
-   -p ExecStopPost='/bin/touch /run/exec2' sh -c 'sleep 1; false')
+   -p ExecStopPost='touch /run/exec2' sh -c 'sleep 1; false')
 test -f /run/exec2
 
 cat >/tmp/forking1.sh <<EOF
@@ -36,7 +36,7 @@ EOF
 chmod +x /tmp/forking1.sh
 
 systemd-run --unit=forking1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec \
-        -p ExecStopPost='/bin/touch /run/forking1' /tmp/forking1.sh
+        -p ExecStopPost='touch /run/forking1' /tmp/forking1.sh
 test -f /run/forking1
 
 cat >/tmp/forking2.sh <<EOF
@@ -53,29 +53,29 @@ EOF
 chmod +x /tmp/forking2.sh
 
 (! systemd-run --unit=forking2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec \
-    -p ExecStopPost='/bin/touch /run/forking2' /tmp/forking2.sh)
+    -p ExecStopPost='touch /run/forking2' /tmp/forking2.sh)
 test -f /run/forking2
 
 systemd-run --unit=oneshot1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=oneshot \
-    -p ExecStopPost='/bin/touch /run/oneshot1' true
+    -p ExecStopPost='touch /run/oneshot1' true
 test -f /run/oneshot1
 
 (! systemd-run --unit=oneshot2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=oneshot \
-    -p ExecStopPost='/bin/touch /run/oneshot2' false)
+    -p ExecStopPost='touch /run/oneshot2' false)
 test -f /run/oneshot2
 
 systemd-run --unit=dbus1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus -p BusName=systemd.test.ExecStopPost \
-    -p ExecStopPost='/bin/touch /run/dbus1' \
+    -p ExecStopPost='touch /run/dbus1' \
     busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus RequestName su systemd.test.ExecStopPost 4 || :
 test -f /run/dbus1
 
 systemd-run --unit=dbus2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus -p BusName=systemd.test.ExecStopPost \
-     -p ExecStopPost='/bin/touch /run/dbus2' true
+    -p ExecStopPost='touch /run/dbus2' true
 test -f /run/dbus2
 
 # https://github.com/systemd/systemd/issues/19920
 (! systemd-run --unit=dbus3.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus \
-    -p ExecStopPost='/bin/touch /run/dbus3' true)
+    -p ExecStopPost='touch /run/dbus3' true)
 
 cat >/tmp/notify1.sh <<EOF
 #!/usr/bin/env bash
@@ -87,18 +87,19 @@ EOF
 chmod +x /tmp/notify1.sh
 
 systemd-run --unit=notify1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify \
-    -p ExecStopPost='/bin/touch /run/notify1' /tmp/notify1.sh
+    -p ExecStopPost='touch /run/notify1' /tmp/notify1.sh
 test -f /run/notify1
 
 (! systemd-run --unit=notify2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify \
-    -p ExecStopPost='/bin/touch /run/notify2' true)
+    -p ExecStopPost='touch /run/notify2' true)
 test -f /run/notify2
 
-systemd-run --unit=idle1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=idle -p ExecStopPost='/bin/touch /run/idle1' true
+systemd-run --unit=idle1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=idle \
+    -p ExecStopPost='touch /run/idle1' true
 test -f /run/idle1
 
 (! systemd-run --unit=idle2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=idle \
-     -p ExecStopPost='/bin/touch /run/idle2' false)
+    -p ExecStopPost='touch /run/idle2' false)
 test -f /run/idle2
 
 systemd-analyze log-level info

test/units/TEST-23-UNIT-FILE.exec-command-ex.sh

@@ -20,16 +20,16 @@ property[7_seven]=ExecStopPost
 # These should all get upgraded to the corresponding Ex property as the non-Ex variant
 # does not support the ":" prefix (no-env-expand).
 for c in "${!property[@]}"; do
-    systemd-run --unit="$c" -r -p "Type=oneshot" -p "${property[$c]}=:/bin/echo \${$c}" true
-    systemctl show -p "${property[$c]}" "$c" | grep -F "path=/bin/echo ; argv[]=/bin/echo \${$c} ; ignore_errors=no"
-    systemctl show -p "${property[$c]}Ex" "$c" | grep -F "path=/bin/echo ; argv[]=/bin/echo \${$c} ; flags=no-env-expand"
+    systemd-run --unit="$c" -r -p "Type=oneshot" -p "${property[$c]}=:echo \${$c}" true
+    systemctl show -p "${property[$c]}" "$c" | grep -F "path=echo ; argv[]=echo \${$c} ; ignore_errors=no"
+    systemctl show -p "${property[$c]}Ex" "$c" | grep -F "path=echo ; argv[]=echo \${$c} ; flags=no-env-expand"
 done
 
 # Ex names on the commandline are supported for backward compat.
 for c in "${!property[@]}"; do
-    systemd-run --unit="${c}_ex" -r -p "Type=oneshot" -p "${property[$c]}Ex=:/bin/echo \${$c}" true
-    systemctl show -p "${property[$c]}" "$c" | grep -F "path=/bin/echo ; argv[]=/bin/echo \${$c} ; ignore_errors=no"
-    systemctl show -p "${property[$c]}Ex" "$c" | grep -F "path=/bin/echo ; argv[]=/bin/echo \${$c} ; flags=no-env-expand"
+    systemd-run --unit="${c}_ex" -r -p "Type=oneshot" -p "${property[$c]}Ex=:echo \${$c}" true
+    systemctl show -p "${property[$c]}" "$c" | grep -F "path=echo ; argv[]=echo \${$c} ; ignore_errors=no"
+    systemctl show -p "${property[$c]}Ex" "$c" | grep -F "path=echo ; argv[]=echo \${$c} ; flags=no-env-expand"
 done
 
 systemd-analyze log-level info

test/units/TEST-23-UNIT-FILE.oneshot-restart.sh

@@ -14,7 +14,7 @@ MAX_SECS=60
 systemctl log-level debug
 
 # test one: Restart=on-failure should restart the service
-(! systemd-run --unit=oneshot-restart-one -p Type=oneshot -p Restart=on-failure /bin/bash -c "exit 1")
+(! systemd-run --unit=oneshot-restart-one -p Type=oneshot -p Restart=on-failure bash -c "exit 1")
 
 for ((secs = 0; secs < MAX_SECS; secs++)); do
     [[ "$(systemctl show oneshot-restart-one.service -P NRestarts)" -le 0 ]] || break
@@ -35,7 +35,7 @@ TMP_FILE="/tmp/test-23-oneshot-restart-test$RANDOM"
         -p StartLimitBurst=3 \
         -p Type=oneshot \
         -p Restart=on-failure \
-        -p ExecStart="/bin/bash -c 'printf a >>$TMP_FILE'" /bin/bash -c "exit 1")
+        -p ExecStart="bash -c 'printf a >>$TMP_FILE'" bash -c "exit 1")
 
 # wait for at least 3 restarts
 for ((secs = 0; secs < MAX_SECS; secs++)); do

test/units/TEST-23-UNIT-FILE.statedir.sh

@@ -16,13 +16,13 @@ systemctl start user@0.service
 ( ! test -d "$HOME"/.local/state/foo)
 ( ! test -d "$HOME"/.config/foo)
 
-systemd-run --user -p StateDirectory=foo --wait /bin/true
+systemd-run --user -p StateDirectory=foo --wait true
 
 test -d "$HOME"/.local/state/foo
 ( ! test -L "$HOME"/.local/state/foo)
 ( ! test -d "$HOME"/.config/foo)
 
-systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait /bin/true
+systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait true
 
 test -d "$HOME"/.local/state/foo
 ( ! test -L "$HOME"/.local/state/foo)
@@ -30,7 +30,7 @@ test -d "$HOME"/.config/foo
 
 rmdir "$HOME"/.local/state/foo "$HOME"/.config/foo
 
-systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait /bin/true
+systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait true
 
 test -d "$HOME"/.local/state/foo
 ( ! test -L "$HOME"/.local/state/foo)
@@ -39,13 +39,13 @@ test -d "$HOME"/.config/foo
 rmdir "$HOME"/.local/state/foo "$HOME"/.config/foo
 
 # Now trigger an update scenario by creating a config dir first
-systemd-run --user -p ConfigurationDirectory=foo --wait /bin/true
+systemd-run --user -p ConfigurationDirectory=foo --wait true
 
 ( ! test -d "$HOME"/.local/state/foo)
 test -d "$HOME"/.config/foo
 
 # This will look like an update and result in a symlink
-systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait /bin/true
+systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait true
 
 test -d "$HOME"/.local/state/foo
 test -L "$HOME"/.local/state/foo
@@ -54,7 +54,7 @@ test -d "$HOME"/.config/foo
 test "$(readlink "$HOME"/.local/state/foo)" = ../../.config/foo
 
 # Check that this will work safely a second time
-systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait /bin/true
+systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait true
 
 ( ! systemd-run --user -p StateDirectory=foo::ro --wait sh -c "echo foo > $HOME/.local/state/foo/baz")
 ( ! systemd-run --user -p StateDirectory=foo:bar:ro --wait sh -c "echo foo > $HOME/.local/state/foo/baz")

test/units/TEST-23-UNIT-FILE.type-exec.sh

@@ -12,16 +12,16 @@ touch /tmp/brokenbinary
 chmod +x /tmp/brokenbinary
 
 # These three commands should succeed.
-systemd-run --unit=exec-one -p Type=simple /bin/sleep infinity
-systemd-run --unit=exec-two -p Type=simple -p User=idontexist /bin/sleep infinity
+systemd-run --unit=exec-one -p Type=simple sleep infinity
+systemd-run --unit=exec-two -p Type=simple -p User=idontexist sleep infinity
 systemd-run --unit=exec-three -p Type=simple /tmp/brokenbinary
 
 # And now, do the same with Type=exec, where the latter two should fail
-systemd-run --unit=exec-four -p Type=exec /bin/sleep infinity
-(! systemd-run --unit=exec-five -p Type=exec -p User=idontexist /bin/sleep infinity)
+systemd-run --unit=exec-four -p Type=exec sleep infinity
+(! systemd-run --unit=exec-five -p Type=exec -p User=idontexist sleep infinity)
 (! systemd-run --unit=exec-six -p Type=exec /tmp/brokenbinary)
 
-systemd-run --unit=exec-seven -p KillSignal=SIGTERM -p RestartKillSignal=SIGINT -p Type=exec /bin/sleep infinity
+systemd-run --unit=exec-seven -p KillSignal=SIGTERM -p RestartKillSignal=SIGINT -p Type=exec sleep infinity
 # Both TERM and SIGINT happen to have the same number on all architectures
 test "$(systemctl show --value -p KillSignal exec-seven.service)" -eq 15
 test "$(systemctl show --value -p RestartKillSignal exec-seven.service)" -eq 2
@@ -37,7 +37,7 @@ busctl call \
     org.freedesktop.systemd1.Manager StartTransientUnit \
     "ssa(sv)a(sa(sv))" test-20933-ok.service replace 1 \
       ExecStart "a(sasb)" 1 \
-        /usr/bin/sleep 2 /usr/bin/sleep 1 true \
+        sleep 2 sleep 1 true \
     0
 
 # DBus call should fail but not crash systemd
@@ -46,7 +46,7 @@ busctl call \
     org.freedesktop.systemd1.Manager StartTransientUnit \
     "ssa(sv)a(sa(sv))" test-20933-bad.service replace 1 \
       ExecStart "a(sasb)" 1 \
-        /usr/bin/sleep 0 true \
+        sleep 0 true \
     0)
 
 # Same but with the empty argv in the middle
@@ -55,9 +55,9 @@ busctl call \
     org.freedesktop.systemd1.Manager StartTransientUnit \
     "ssa(sv)a(sa(sv))" test-20933-bad-middle.service replace 1 \
       ExecStart "a(sasb)" 3 \
-        /usr/bin/sleep 2 /usr/bin/sleep 1 true \
-        /usr/bin/sleep 0                  true \
-        /usr/bin/sleep 2 /usr/bin/sleep 1 true \
+        sleep 2 sleep 1 true \
+        sleep 0         true \
+        sleep 2 sleep 1 true \
     0)
 
 systemd-analyze log-level info

test/units/TEST-26-SYSTEMCTL.sh

@@ -258,7 +258,7 @@ systemctl revert "$UNIT_NAME"
 (! grep -r "CPUQuota=" "/run/systemd/system.control/${UNIT_NAME}.d/")
 
 # Failed-unit related tests
-(! systemd-run --wait --unit "failed.service" /bin/false)
+(! systemd-run --wait --unit "failed.service" false)
 systemctl is-failed failed.service
 systemctl --state=failed | grep failed.service
 systemctl --failed | grep failed.service
@@ -405,7 +405,7 @@ if [[ -x /usr/lib/systemd/system-generators/systemd-sysv-generator ]]; then
 
     # invalid dependency
     cat >"${SYSVINIT_PATH:?}/issue-24990" <<\EOF
-#!/bin/bash
+#!/usr/bin/env bash
 
 ### BEGIN INIT INFO
 # Provides:test1 test2
@@ -459,7 +459,7 @@ EOF
 
     # valid dependency
     cat >"$SYSVINIT_PATH/issue-24990" <<\EOF
-#!/bin/bash
+#!/usr/bin/env bash
 
 ### BEGIN INIT INFO
 # Provides:test1 test2

test/units/TEST-34-DYNAMICUSERMIGRATE.sh

@@ -180,7 +180,7 @@ PrivateUsers=yes
 TemporaryFileSystem=/run /var/opt /var/lib /vol
 UMask=0000
 StateDirectory=testidmapped:sampleservice
-ExecStart=/bin/bash -c ' \
+ExecStart=bash -c ' \
     set -eux; \
     set -o pipefail; \
     touch /var/lib/sampleservice/testfile; \
@@ -213,7 +213,7 @@ PrivateUsers=no
 TemporaryFileSystem=/run /var/opt /var/lib /vol
 UMask=0000
 StateDirectory=testidmapped:sampleservice
-ExecStart=/bin/bash -c ' \
+ExecStart=bash -c ' \
     set -eux; \
     set -o pipefail; \
     touch /var/lib/sampleservice/testfile; \

test/units/TEST-35-LOGIN.sh

@@ -21,7 +21,7 @@ cleanup_test_user() (
 
 setup_test_user() {
     mkdir -p /var/spool/cron /var/spool/mail
-    useradd -m -s /bin/bash logind-test-user
+    useradd -m -s /usr/bin/bash logind-test-user
     trap cleanup_test_user EXIT
 }
 
@@ -351,7 +351,7 @@ create_session() {
 [Service]
 Type=simple
 ExecStart=
-ExecStart=-/sbin/agetty --autologin logind-test-user --noclear %I $TERM
+ExecStart=-agetty --autologin logind-test-user --noclear %I $TERM
 Restart=no
 EOF
     systemctl daemon-reload
@@ -679,7 +679,7 @@ session required   pam_unix.so
 EOF
 
     cat > "$SCRIPT" <<'EOF'
-#!/bin/bash
+#!/usr/bin/env bash
 set -ex
 typeset -i AMB MASK
 AMB="0x$(grep 'CapAmb:' /proc/self/status | cut -d: -f2 | tr -d '[:space:]')"

test/units/TEST-38-FREEZER.sh

@@ -339,7 +339,7 @@ testcase_watchdog() {
     local unit="wd.service"
 
     systemd-run --collect --unit "$unit" --property WatchdogSec=4s --property Type=notify \
-        /bin/bash -c 'systemd-notify --ready; while true; do systemd-notify WATCHDOG=1; sleep 1; done'
+        bash -c 'systemd-notify --ready; while true; do systemd-notify WATCHDOG=1; sleep 1; done'
 
     systemctl freeze "$unit"
     check_freezer_state "$unit" "frozen"

test/units/TEST-43-PRIVATEUSER-UNPRIV.sh

@@ -93,7 +93,7 @@ runas testuser systemd-run --wait --user --unit=test-devices \
 # Same check as test/test-execute/exec-privatenetwork-yes.service
 runas testuser systemd-run --wait --user --unit=test-network \
     -p PrivateNetwork=yes \
-    /bin/sh -x -c '! ip link | grep -E "^[0-9]+: " | grep -Ev ": (lo|(erspan|gre|gretap|ip_vti|ip6_vti|ip6gre|ip6tnl|sit|tunl)0@.*):"'
+    sh -x -c '! ip link | grep -E "^[0-9]+: " | grep -Ev ": (lo|(erspan|gre|gretap|ip_vti|ip6_vti|ip6gre|ip6tnl|sit|tunl)0@.*):"'
 
 (! runas testuser systemd-run --wait --user --unit=test-hostname \
     -p ProtectHostname=yes \

test/units/TEST-46-HOMED.sh

@@ -519,14 +519,14 @@ userdbctl ssh-authorized-keys dropinuser | tee /tmp/authorized-keys
 grep "ssh-ed25519" /tmp/authorized-keys
 grep "ecdsa-sha2-nistp256" /tmp/authorized-keys
 echo "my-top-secret-key 🐱" >/tmp/my-top-secret-key
-userdbctl ssh-authorized-keys dropinuser --chain /bin/cat /tmp/my-top-secret-key | tee /tmp/authorized-keys
+userdbctl ssh-authorized-keys dropinuser --chain /usr/bin/cat /tmp/my-top-secret-key | tee /tmp/authorized-keys
 grep "ssh-ed25519" /tmp/authorized-keys
 grep "ecdsa-sha2-nistp256" /tmp/authorized-keys
 grep "my-top-secret-key 🐱" /tmp/authorized-keys
 (! userdbctl ssh-authorized-keys 🐱)
 (! userdbctl ssh-authorized-keys dropin-user --chain)
 (! userdbctl ssh-authorized-keys dropin-user --chain '')
-(! SYSTEMD_LOG_LEVEL=debug userdbctl ssh-authorized-keys dropin-user --chain /bin/false)
+(! SYSTEMD_LOG_LEVEL=debug userdbctl ssh-authorized-keys dropin-user --chain /usr/bin/false)
 
 (! userdbctl '')
 for opt in json multiplexer output synthesize with-dropin with-nss with-varlink; do
@@ -611,7 +611,7 @@ EOF
 
     cat >/run/systemd/system/mysshserver@.service <<EOF
 [Service]
-ExecStart=-/usr/sbin/sshd -i -d -e
+ExecStart=-sshd -i -d -e
 StandardInput=socket
 StandardOutput=socket
 StandardError=journal

test/units/TEST-50-DISSECT.DDI.sh

@@ -3,7 +3,7 @@
 set -eux
 set -o pipefail
 
-# Check that the /sbin/mount.ddi helper works
+# Check that the /usr/sbin/mount.ddi helper works
 dir="/tmp/mounthelper.$RANDOM"
 mount -t ddi "$MINIMAL_IMAGE.gpt" "$dir" -o ro,X-mount.mkdir,discard
 umount -R "$dir"

test/units/TEST-50-DISSECT.dissect.sh

@@ -17,9 +17,9 @@ systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F -f <(sed 's/"//g' "$OS_RELEASE
 
 systemd-dissect --list "$MINIMAL_IMAGE.raw" | grep -q '^etc/os-release$'
 systemd-dissect --mtree "$MINIMAL_IMAGE.raw" --mtree-hash yes | \
-    grep -qe "^./usr/bin/cat type=file mode=0755 uid=0 gid=0 size=[0-9]* sha256sum=[a-z0-9]*$"
+    grep -qE "^.(/usr|)/bin/cat type=file mode=0755 uid=0 gid=0 size=[0-9]* sha256sum=[a-z0-9]*$"
 systemd-dissect --mtree "$MINIMAL_IMAGE.raw" --mtree-hash no  | \
-    grep -qe "^./usr/bin/cat type=file mode=0755 uid=0 gid=0 size=[0-9]*$"
+    grep -qE "^.(/usr|)/bin/cat type=file mode=0755 uid=0 gid=0 size=[0-9]*$"
 
 read -r SHA256SUM1 _ < <(systemd-dissect --copy-from "$MINIMAL_IMAGE.raw" etc/os-release | sha256sum)
 test "$SHA256SUM1" != ""
@@ -867,7 +867,7 @@ echo "ID=_any" >/run/confexts/test/etc/extension-release.d/extension-release.tes
 echo "ARCHITECTURE=_any" >>/run/confexts/test/etc/extension-release.d/extension-release.test
 echo "MARKER_CONFEXT_123" >/run/confexts/test/etc/testfile
 cat <<EOF >/run/confexts/test/etc/testscript
-#!/bin/bash
+#!/usr/bin/env bash
 echo "This should not happen"
 EOF
 chmod +x /run/confexts/test/etc/testscript

test/units/TEST-54-CREDS.sh

@@ -24,7 +24,7 @@ run_with_cred_compare() (
 )
 
 test_mount_with_credential() {
-    local credfile tmpdir unit
+    local credfile tmpdir unit mount_path mount_test
     credfile="/tmp/mount-cred"
     tmpdir="/tmp/test-54-mount"
     unit=$(systemd-escape --suffix mount --path "$tmpdir")
@@ -42,14 +42,16 @@ LoadCredential=loadcred:$credfile
 EOF
 
     # Set up test mount type
-    cat >/usr/sbin/mount.thisisatest <<EOF
+    mount_path="$(command -v mount 2>/dev/null)"
+    mount_test="${mount_path/\/bin/\/sbin}.thisisatest"
+    cat >"$mount_test" <<EOF
 #!/usr/bin/env bash
 # Mount after verifying credential file content
 if [ \$(cat \${CREDENTIALS_DIRECTORY}/loadcred) = "foo" ]; then
     mount -t tmpfs \$1 \$2
 fi
 EOF
-    chmod +x /usr/sbin/mount.thisisatest
+    chmod +x "$mount_test"
 
     # Verify mount succeeds
     systemctl daemon-reload
@@ -62,7 +64,7 @@ EOF
 
     # Stop unit and delete files
     systemctl stop "$unit"
-    rm -f "$credfile" /run/systemd/system/"$unit" /usr/sbin/mount.thisisatest
+    rm -f "$credfile" /run/systemd/system/"$unit" "$mount_test"
     rm -rf "$tmpdir"
 }
 

test/units/TEST-55-OOMD.sh

@@ -93,7 +93,7 @@ EOF
 else
     # Ensure that we can start services even with a very low hard memory cap without oom-kills, but skip
     # under sanitizers as they balloon memory usage.
-    systemd-run -t -p MemoryMax=10M -p MemorySwapMax=0 -p MemoryZSwapMax=0 /bin/true
+    systemd-run -t -p MemoryMax=10M -p MemorySwapMax=0 -p MemoryZSwapMax=0 true
 fi
 
 test_basic() {

test/units/TEST-60-MOUNT-RATELIMIT.sh

@@ -68,7 +68,7 @@ testcase_issue_23796() {
     mount_path="$(command -v mount 2>/dev/null)"
     mount_mytmpfs="${mount_path/\/bin/\/sbin}.mytmpfs"
     cat >"$mount_mytmpfs" <<EOF
-#!/bin/bash
+#!/usr/bin/env bash
 sleep ".\$RANDOM"
 exec -- $mount_path -t tmpfs tmpfs "\$2"
 EOF

test/units/TEST-65-ANALYZE.sh

@@ -1133,7 +1133,7 @@ Description=Test unit for systemd-analyze unit-shell
 [Service]
 Type=notify
 NotifyAccess=all
-ExecStart=/bin/sh -c "echo 'Hello from test unit' >/tmp/testfile; systemd-notify --ready; sleep infinity"
+ExecStart=sh -c "echo 'Hello from test unit' >/tmp/testfile; systemd-notify --ready; sleep infinity"
 PrivateTmp=disconnected
 EOF
 # Start the service

test/units/TEST-68-PROPAGATE-EXIT-STATUS.sh

@@ -69,7 +69,7 @@ EOF
 # Script to check that when an OnSuccess= dependency fires, the correct
 # MONITOR* env variables are passed.
 cat >/tmp/check_on_success.sh <<"EOF"
-#!/bin/sh
+#!/usr/bin/env bash
 
 set -ex
 env | sort
@@ -126,7 +126,7 @@ EOF
 # Script to check that when an OnFailure= dependency fires, the correct
 # MONITOR* env variables are passed.
 cat >/tmp/check_on_failure.sh <<"EOF"
-#!/bin/sh
+#!/usr/bin/env bash
 
 set -ex
 env | sort

test/units/TEST-69-SHUTDOWN.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 # SPDX-License-Identifier: LGPL-2.1-or-later
 # pylint: disable=broad-except
 

test/units/TEST-74-AUX-UTILS.ask-password.sh

@@ -19,6 +19,6 @@ systemd-tty-ask-password-agent --list
 varlinkctl introspect /run/systemd/io.systemd.AskPassword
 
 # Spawn an agent that always replies all ask password requests with "waldo"
-systemd-run -u waldo-ask-pw-agent.service -p Environment=SYSTEMD_ASK_PASSWORD_AGENT_PASSWORD=waldo -p Type=notify /usr/bin/systemd-tty-ask-password-agent --watch --console=/dev/console
+systemd-run -u waldo-ask-pw-agent.service -p Environment=SYSTEMD_ASK_PASSWORD_AGENT_PASSWORD=waldo -p Type=notify systemd-tty-ask-password-agent --watch --console=/dev/console
 assert_eq "$(systemd-ask-password --no-tty)" "waldo"
 assert_eq "$(varlinkctl call /usr/bin/systemd-ask-password io.systemd.AskPassword.Ask '{"message":"foobar"}' | jq '.passwords[0]')" "\"waldo\""

test/units/TEST-74-AUX-UTILS.capsule.sh

@@ -36,7 +36,7 @@ busctl -C foobar
 
 systemctl -C foobar
 
-systemd-run -C foobar -u sleepinfinity /bin/sleep infinity
+systemd-run -C foobar -u sleepinfinity sleep infinity
 
 systemctl -C foobar status sleepinfinity