userdbd: avoid sending gshadow hash to unprivileged callers via varlink

Reported on yeswehack as YWH-PGM9780-59 Follow-up for d093b62c941ebd6cf16ef9dd6430841eb361ed92
NEWS: note recently added features
2026-02-25 08:44:45 +01:00 · 2026-02-25 02:52:37 +01:00 · 2026-02-24 23:53:45 +00:00
3 changed files with 55 additions and 1 deletions
--- a/41
+++ b/41
@ -103,6 +103,13 @@ CHANGES WITH 260 in spe:
          EXPERIMENTAL at this point. We reserve the right to make incompatible
          changes to the JSON structure and/or place additional requirements.

+        * A new "mstack" feature has been introduced, to allowing defining an
+          overlayfs by structuring the content of an ".mstack/" directory
+          following this specification.
+
+        * A new 'verity' NVPCR has been added. Various components measure
+          dm-verity images to it upon loading.
+
        Changes in the system and user managers:

        * Systemd now uses ANSI CSI 18 sequence to query terminal size. This
@ -118,6 +125,18 @@ CHANGES WITH 260 in spe:
          automatically binds all sockets created by the unit to a specific
          network interface.

+        * A new pair of unit settings ConditionPathIsSocket= and
+          AssertPathIsSocket have been introduced that evaluate whether the
+          given path is a socket, and respectively skips or fails the unit
+          otherwise.
+
+        * A new unit setting RootMStack= has been introduced, to support the
+          new "mstack" feature for services.
+
+        * The unit setting PrivateUsers= gained a new possible value "managed",
+          which automatically assigns a dynamic and transient range of 65536
+          UIDs/GIDs to the unit.
+
        * EnqueueMarkedJobs() D-Bus method now has a Varlink counterpart.

        * SetProperties() D-Bus method now has a Varlink counterpart. For now,
@ -182,6 +201,11 @@ CHANGES WITH 260 in spe:
        * The timeout in the boot menu can be configured with the
          io.systemd.boot.timeout= SMBIOS type 11 string.

+        * A new LoaderEntryPreferred setting has been added to systemd-boot that
+          is similar to LoaderEntryDefault, but that takes into the account boot
+          assessment logic, and will skip entires that have the tries-left counter
+          set to zero.
+
        * bootctl's varlink interface gained a new Install() method for performing
          systemd-boot installation/upgrade via IPC calls.

@ -248,6 +272,23 @@ CHANGES WITH 260 in spe:
          --ephemeral option. This is similar to the functionality provided via
          the same switch in systemd-nspawn.

+        * systemctl gained a new 'enqueue-marked-jobs' verb, which calls the
+          EnqueueMarkedJobs() D-Bus method. The '--marked' parameter, which was
+          previously used for the same purpose, is now deprecated.
+
+        * journalctl now implements a Varlink interface that exposes a
+          GetEntries() method, which allows retrieving journal entries.
+
+        * systemd-importd gained support for downloading OCI images. They will
+          be stored locally in the new "mstack" format, which then can be used
+          by various components.
+
+        * systemd-nspawn gained a new --mstack= parameter to support the new
+          "mstack" feature for containers.
+
+        * A new systemd-mstack command line tool has been introduced to support
+          the new "mstack" feature interactively.
+
        * New options SYSTEMD_COLORS=auto-16, SYSTEMD_COLORS=auto-256, and
          SYSTEMD_COLORS=auto-24bit have been added. They are like
          SYSTEMD_COLORS=16, SYSTEMD_COLORS=256, and SYSTEMD_COLORS=24bit
--- a/src/userdb/userwork.c
+++ b/src/userdb/userwork.c
@ -270,7 +270,7 @@ static int build_group_json(sd_varlink *link, GroupRecord *gr, sd_json_variant *
                (FLAGS_SET(gr->mask, USER_RECORD_PRIVILEGED) &&
                 !FLAGS_SET(stripped->mask, USER_RECORD_PRIVILEGED));

-        v = sd_json_variant_ref(gr->json);
+        v = sd_json_variant_ref(stripped->json);
        r = add_nss_service(&v);
        if (r < 0)
                return r;
--- a/test/units/TEST-74-AUX-UTILS.varlinkctl.sh
+++ b/test/units/TEST-74-AUX-UTILS.varlinkctl.sh
@ -52,6 +52,19 @@ if command -v userdbctl >/dev/null; then
    varlinkctl call --more -j /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetMemberships '{ "service" : "io.systemd.Multiplexer" }' --graceful=io.systemd.UserDatabase.NoRecordFound | jq --seq .
    varlinkctl call --oneway /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetMemberships '{ "service" : "io.systemd.Multiplexer" }'
    (! varlinkctl call --oneway /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetMemberships '{ "service" : "io.systemd.Multiplexer" }' | grep .)
+
+    if command -v openssl >/dev/null && command -v groupadd >/dev/null; then
+        group=haldo
+        salt=waldo
+        getent group "$group" >/dev/null 2>&1 || groupadd "$group"
+        HASH="$(openssl passwd -6 -salt "$salt" baldo)"
+        groupmod -p "$HASH" "$group"
+
+        (! run0 -u testuser varlinkctl call --json=pretty \
+            /run/systemd/userdb/io.systemd.Multiplexer \
+            io.systemd.UserDatabase.GetGroupRecord \
+            '{"groupName":"haldo","service":"io.systemd.NameServiceSwitch"}' | grep waldo)
+    fi
 fi

 IDL_FILE="$(mktemp)"
Author	SHA1	Message	Date
Luca Boccassi	1012c6ce76	userdbd: avoid sending gshadow hash to unprivileged callers via varlink Reported on yeswehack as YWH-PGM9780-59 Follow-up for d093b62c941ebd6cf16ef9dd6430841eb361ed92	2026-02-25 02:52:37 +01:00
Luca Boccassi	afcea7d235	NEWS: note recently added features	2026-02-24 23:53:45 +00:00