userdb: suppress creation of empty userdb dirs

The initrd units are described in the graphs in the bootup manpage,
so use that one for them.

man/rules/meson.build

@@ -916,11 +916,17 @@ manpages = [
   'HAVE_PAM'],
  ['sd_varlink_push_fd', '3', ['sd_varlink_push_dup_fd'], ''],
  ['sd_varlink_send', '3', ['sd_varlink_sendb', 'sd_varlink_sendbo'], ''],
+ ['sd_varlink_server_new', '3', [], ''],
  ['sd_varlink_set_description', '3', ['sd_varlink_get_description'], ''],
+ ['sd_varlink_set_relative_timeout', '3', [], ''],
  ['sd_watchdog_enabled', '3', [], ''],
  ['shutdown', '8', [], ''],
  ['smbios-type-11', '7', [], ''],
  ['sysctl.d', '5', [], ''],
+ ['sysext.conf',
+  '5',
+  ['confext.conf', 'confext.conf.d', 'sysext.conf.d'],
+  'ENABLE_SYSEXT'],
  ['systemctl', '1', [], ''],
  ['systemd-ac-power', '1', [], ''],
  ['systemd-analyze', '1', [], 'ENABLE_ANALYZE'],
@@ -1138,7 +1144,6 @@ manpages = [
    'systemd-sysext-initrd.service',
    'systemd-sysext.service'],
   'ENABLE_SYSEXT'],
- ['sysext.conf', '5', ['confext.conf'], 'ENABLE_SYSEXT'],
  ['systemd-system-update-generator', '8', [], ''],
  ['systemd-system.conf',
   '5',

man/sd_varlink_server_new.xml

@@ -0,0 +1,145 @@
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="sd_varlink_server_new" xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>sd_varlink_server_new</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>sd_varlink_server_new</refentrytitle>
+    <manvolnum>3</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>sd_varlink_server_new</refname>
+
+    <refpurpose>Allocate Varlink server object</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;systemd/sd-varlink.h&gt;</funcsynopsisinfo>
+
+      <funcprototype>
+        <funcdef>int <function>sd_varlink_server_new</function></funcdef>
+        <paramdef>sd_varlink_server** <parameter>ret</parameter></paramdef>
+        <paramdef>sd_varlink_server_flags_t <parameter>flags</parameter></paramdef>
+      </funcprototype>
+
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><function>sd_varlink_server_new()</function> allocates a new Varlink server object. Initially the
+    server does not listen on any socket or file descriptor. The newly allocated server object is returned in
+    the <parameter>ret</parameter> parameter. Use <function>sd_varlink_server_unref()</function> to release
+    the server object again after use.</para>
+
+    <para>The following flags may be passed in the <parameter>flags</parameter> parameter:</para>
+
+    <itemizedlist>
+      <listitem><para><constant>SD_VARLINK_SERVER_ROOT_ONLY</constant>: only allow connections from UID 0
+      (i.e. the root user). This has two effects: any incoming connections is authenticated via
+      <constant>SO_PEERCRED</constant> ensuring the UID reported by the kernel is zero. If this check fails
+      the connection is immediately terminated. Moreover, when binding a socket inode in the file system, the
+      access mode is set to 0600 (rather than 0666). If this option is used connections on
+      non-<constant>AF_UNIX</constant> sockets or via pipes are never permitted.</para></listitem>
+
+      <listitem><para><constant>SD_VARLINK_SERVER_MYSELF_ONLY</constant>: this is very similar to
+      <constant>SD_VARLINK_SERVER_ROOT_ONLY</constant> but enforces that the connecting client's UID must
+      match the server's UID (i.e. the UID this function is invoked as). For servers that run as UID 0 the
+      flags are equivalent. If both flags are specified in combination, connections are allowed by both UID 0
+      and the server's own UID.</para></listitem>
+
+      <listitem><para><constant>SD_VARLINK_SERVER_ACCOUNT_UID</constant>: if set connection accounting per
+      client UID is enabled, and a limit on concurrent connections from the same UID is enforced. The limit can
+      be set via <function>sd_varlink_server_set_connections_per_uid_max()</function>, and defaults to 3/4th
+      of the total concurrent connection limit, as settable via
+      <function>sd_varlink_server_set_connections_max()</function>.</para></listitem>
+
+      <listitem><para><constant>SD_VARLINK_SERVER_INHERIT_USERDATA</constant>: if set the user data field for
+      incoming connection (i.e. <type>sd_varlink</type>) objects (as settable via
+      <function>sd_varlink_set_userdata()</function>) is automatically set to the userdata field of the
+      server (i.e. <type>sd_varlink_server</type>) object (as settable via
+      <function>sd_varlink_server_set_userdata()</function>). If this flag is not specified the connection's
+      user data field will default to <constant>NULL</constant>.</para></listitem>
+
+      <listitem><para><constant>SD_VARLINK_SERVER_INPUT_SENSITIVE</constant>: mark all incoming method call
+      parameters as security sensitive (equivalent to calling
+      <function>sd_json_variant_sensitive()</function>). This is useful for services that deal with secrets
+      and similar, as it ensures that the parameters are kept out of debug logging, and memory used by the
+      parameters is erased after use.</para></listitem>
+
+      <listitem><para><constant>SD_VARLINK_SERVER_ALLOW_FD_PASSING_INPUT</constant>: if set, allow receiving
+      UNIX file descriptors via the connections, equivalent to calling
+      <function>sd_varlink_set_allow_fd_passing_input()</function> immediately for each incoming
+      connection. Note that this only has an effect if <constant>AF_UNIX</constant> sockets are used for
+      communication.</para></listitem>
+
+      <listitem><para><constant>SD_VARLINK_SERVER_ALLOW_FD_PASSING_OUTPUT</constant>: similar, but controls
+      sending of UNIX file descriptors.</para></listitem>
+
+      <listitem><para><constant>SD_VARLINK_SERVER_FD_PASSING_INPUT_STRICT</constant>: this flag can be used
+      in conjunction with <constant>SD_VARLINK_SERVER_ALLOW_FD_PASSING_INPUT</constant>. If so, file
+      descriptor passing is turned off on the listening sockets already, ensuring that the connection sockets
+      derived from it at no time have file descriptor passing enabled. If
+      <constant>SD_VARLINK_SERVER_ALLOW_FD_PASSING_INPUT</constant> is used without
+      <constant>SD_VARLINK_SERVER_FD_PASSING_INPUT_STRICT</constant> then a choice when to prohibit or allow
+      file descriptor passing can still be made after the connection came in, however permitting a time
+      window where file descriptors might already be enqueued, that then need to be dropped
+      again.</para></listitem>
+
+      <listitem><para><constant>SD_VARLINK_SERVER_HANDLE_SIGINT</constant>: if set, and
+      <function>sd_varlink_server_loop_auto()</function> is used, incoming <constant>SIGINT</constant>
+      process signals will be caught gracefully and cause the event loop to exit cleanly.</para></listitem>
+
+      <listitem><para><constant>SD_VARLINK_SERVER_HANDLE_SIGTERM</constant>: similar, but does the same for
+      <constant>SIGTERM</constant>.</para></listitem>
+    </itemizedlist>
+  </refsect1>
+
+  <refsect1>
+    <title>Return Value</title>
+
+    <para>On success, <function>sd_varlink_server_new()</function> returns a non-negative integer. On
+    failure, it returns a negative errno-style error code.</para>
+
+    <refsect2>
+      <title>Errors</title>
+
+      <para>Returned errors may indicate the following problems:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term><constant>-EINVAL</constant></term>
+
+          <listitem><para>An argument is invalid.</para></listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+  </refsect1>
+
+  <xi:include href="libsystemd-pkgconfig.xml" />
+
+  <refsect1>
+    <title>History</title>
+    <para><function>sd_varlink_server_new()</function> was added in version 257.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+
+    <para><simplelist type="inline">
+      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>sd-varlink</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
+    </simplelist></para>
+  </refsect1>
+
+</refentry>

man/sd_varlink_set_relative_timeout.xml

@@ -0,0 +1,88 @@
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="sd_varlink_set_relative_timeout" xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>sd_varlink_set_relative_timeout</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>sd_varlink_set_relative_timeout</refentrytitle>
+    <manvolnum>3</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>sd_varlink_set_relative_timeout</refname>
+
+    <refpurpose>Set method call time-out</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;systemd/sd-varlink.h&gt;</funcsynopsisinfo>
+
+      <funcprototype>
+        <funcdef>int <function>sd_varlink_set_relative_timeout</function></funcdef>
+        <paramdef>sd_varlink *<parameter>link</parameter></paramdef>
+        <paramdef>uint64_t <parameter>usec</parameter></paramdef>
+      </funcprototype>
+
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><function>sd_varlink_set_relative_timeout()</function> sets the relative timeout in µs to enforce
+    on Varlink method calls. A default time-out of 45s (currently) applies, which may be changed with this
+    call. Set to <constant>UINT64_MAX</constant> to disable the time-out, and to 0 to revert to revert back
+    to the default time-out. The time-out begins whenever a method call is started, and if no response is
+    received by the time the time-out elapses a synthetic <constant>io.systemd.TimedOut</constant> error is
+    raised as client-generated reply to the method call.</para>
+
+    <para>This call is particularly useful for method calls issued via
+    <function>sd_varlink_observe()</function> that shall remain open continously for a long time.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Return Value</title>
+
+    <para>On success, <function>sd_varlink_set_relative_timeout()</function> returns a non-negative integer. On
+    failure, it returns a negative errno-style error code.</para>
+
+    <refsect2>
+      <title>Errors</title>
+
+      <para>Returned errors may indicate the following problems:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term><constant>-EINVAL</constant></term>
+
+          <listitem><para>An argument is invalid.</para></listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+  </refsect1>
+
+  <xi:include href="libsystemd-pkgconfig.xml" />
+
+  <refsect1>
+    <title>History</title>
+    <para><function>sd_varlink_set_relative_timeout()</function> was added in version 257.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+
+    <para><simplelist type="inline">
+      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>sd-varlink</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
+    </simplelist></para>
+  </refsect1>
+
+</refentry>

shell-completion/zsh/_bootctl

@@ -75,7 +75,6 @@ _arguments \
     '(-p --print-esp-path)'{-p,--print-esp-path}'[Print path to the EFI system partition]' \
     '(-x --print-boot-path)'{-x,--print-boot-path}'[Print path to the $BOOT partition]' \
     '--make-machine-id-directory=[Control creation and deletion of the top-level machine ID directory.]:options:(yes no auto)' \
-    '--no-variables[Do not touch EFI variables]' \
     '--no-pager[Do not pipe output into a pager]' \
     '--graceful[Do not fail when locating ESP or writing fails]' \
     '--dry-run[Dry run (unlink and cleanup)]' \
@@ -83,4 +82,5 @@ _arguments \
     '--image=[Operate on the specified image]:PATH' \
     '--install-source[Where to pick files when using --root=/--image=]:options:(image host auto)' \
     '--random-seed[Whether to create random-seed file during install]:options:(yes no)' \
+    '--variables=[Touch EFI variables]:options:(yes no)' \
     '*::bootctl command:_bootctl_commands'

src/basic/time-util.c

@@ -1435,6 +1435,10 @@ static int get_timezones_from_zone1970_tab(char ***ret) {
                 if (*cc == '#')
                         continue;
 
+                if (!timezone_is_valid(tz, LOG_DEBUG))
+                        /* Don't list unusable timezones. */
+                        continue;
+
                 r = strv_extend(&zones, tz);
                 if (r < 0)
                         return r;
@@ -1487,6 +1491,10 @@ static int get_timezones_from_tzdata_zi(char ***ret) {
                         /* Not a line we care about. */
                         continue;
 
+                if (!timezone_is_valid(tz, LOG_DEBUG))
+                        /* Don't list unusable timezones. */
+                        continue;
+
                 r = strv_extend(&zones, tz);
                 if (r < 0)
                         return r;

src/libsystemd/sd-varlink/sd-varlink.c

@@ -2911,9 +2911,9 @@ _public_ int sd_varlink_get_peer_pidfd(sd_varlink *v) {
 
 _public_ int sd_varlink_set_relative_timeout(sd_varlink *v, uint64_t timeout) {
         assert_return(v, -EINVAL);
-        assert_return(timeout > 0, -EINVAL);
 
-        v->timeout = timeout;
+        /* If set to 0, reset to default value */
+        v->timeout = timeout == 0 ? VARLINK_DEFAULT_TIMEOUT_USEC : timeout;
         return 0;
 }
 
@@ -3309,7 +3309,9 @@ _public_ int sd_varlink_server_new(sd_varlink_server **ret, sd_varlink_server_fl
                                  SD_VARLINK_SERVER_INPUT_SENSITIVE|
                                  SD_VARLINK_SERVER_ALLOW_FD_PASSING_INPUT|
                                  SD_VARLINK_SERVER_ALLOW_FD_PASSING_OUTPUT|
-                                 SD_VARLINK_SERVER_FD_PASSING_INPUT_STRICT)) == 0, -EINVAL);
+                                 SD_VARLINK_SERVER_FD_PASSING_INPUT_STRICT|
+                                 SD_VARLINK_SERVER_HANDLE_SIGINT|
+                                 SD_VARLINK_SERVER_HANDLE_SIGTERM)) == 0, -EINVAL);
 
         s = new(sd_varlink_server, 1);
         if (!s)
@@ -3882,6 +3884,18 @@ _public_ int sd_varlink_server_loop_auto(sd_varlink_server *server) {
         if (r < 0)
                 return r;
 
+        if (FLAGS_SET(server->flags, SD_VARLINK_SERVER_HANDLE_SIGINT)) {
+                r = sd_event_add_signal(event, /* ret= */ NULL, SIGINT|SD_EVENT_SIGNAL_PROCMASK, /* callback= */ NULL, /* userdata= */ NULL);
+                if (r < 0)
+                        return r;
+        }
+
+        if (FLAGS_SET(server->flags, SD_VARLINK_SERVER_HANDLE_SIGTERM)) {
+                r = sd_event_add_signal(event, /* ret= */ NULL, SIGTERM|SD_EVENT_SIGNAL_PROCMASK, /* callback= */ NULL, /* userdata= */ NULL);
+                if (r < 0)
+                        return r;
+        }
+
         r = sd_varlink_server_attach_event(server, event, 0);
         if (r < 0)
                 return r;

src/mountfsd/mountwork.c

@@ -771,6 +771,8 @@ static int vl_method_mount_directory(
                 return log_debug_errno(r, "Failed to get client UID: %m");
 
         DirectoryOwnership owned_by = validate_directory_fd(directory_fd, peer_uid);
+        if (owned_by == -EREMOTEIO)
+                return sd_varlink_errorbo(link, "io.systemd.MountFileSystem.BadFileDescriptorFlags", SD_JSON_BUILD_PAIR_STRING("parameter", "directoryFileDescriptor"));
         if (owned_by < 0)
                 return owned_by;
 

src/shared/varlink-io.systemd.MountFileSystem.c

@@ -115,6 +115,9 @@ static SD_VARLINK_DEFINE_ERROR(RootPartitionNotFound);
 static SD_VARLINK_DEFINE_ERROR(DeniedByImagePolicy);
 static SD_VARLINK_DEFINE_ERROR(KeyNotFound);
 static SD_VARLINK_DEFINE_ERROR(VerityFailure);
+static SD_VARLINK_DEFINE_ERROR(BadFileDescriptorFlags,
+                               SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flag."),
+                               SD_VARLINK_DEFINE_FIELD(parameter, SD_VARLINK_STRING, 0));
 
 SD_VARLINK_DEFINE_INTERFACE(
                 io_systemd_MountFileSystem,
@@ -143,4 +146,6 @@ SD_VARLINK_DEFINE_INTERFACE(
                 SD_VARLINK_SYMBOL_COMMENT("The authentication key for this image is not available."),
                 &vl_error_KeyNotFound,
                 SD_VARLINK_SYMBOL_COMMENT("Verity could not be set up."),
-                &vl_error_VerityFailure);
+                &vl_error_VerityFailure,
+                SD_VARLINK_SYMBOL_COMMENT("A passed file descriptor has unexpected/forbidden flags set."),
+                &vl_error_BadFileDescriptorFlags);

src/systemd/sd-varlink.h

@@ -69,6 +69,8 @@ __extension__ typedef enum _SD_ENUM_TYPE_S64(sd_varlink_server_flags_t) {
         SD_VARLINK_SERVER_ALLOW_FD_PASSING_INPUT  = 1 << 5, /* Allow receiving fds over all connections */
         SD_VARLINK_SERVER_ALLOW_FD_PASSING_OUTPUT = 1 << 6, /* Allow sending fds over all connections */
         SD_VARLINK_SERVER_FD_PASSING_INPUT_STRICT = 1 << 7, /* Reject input messages with fds if fd passing is disabled (needs kernel v6.16+) */
+        SD_VARLINK_SERVER_HANDLE_SIGINT           = 1 << 8, /* Exit cleanly on SIGINT */
+        SD_VARLINK_SERVER_HANDLE_SIGTERM          = 1 << 9, /* Exit cleanly on SIGTERM */
         _SD_ENUM_FORCE_S64(SD_VARLINK_SERVER)
 } sd_varlink_server_flags_t;
 

src/userdb/userdbctl.c

@@ -1184,15 +1184,15 @@ static int ssh_authorized_keys(int argc, char *argv[], void *userdata) {
 static int load_credential_one(
                 int credential_dir_fd,
                 const char *name,
-                int userdb_dir_persist_fd,
-                int userdb_dir_transient_fd) {
+                int *userdb_dir_persist_fd,
+                int *userdb_dir_transient_fd) {
 
         int r;
 
         assert(credential_dir_fd >= 0);
         assert(name);
-        assert(userdb_dir_persist_fd >= 0);
-        assert(userdb_dir_transient_fd >= 0);
+        assert(userdb_dir_persist_fd);
+        assert(userdb_dir_transient_fd);
 
         const char *suffix = startswith(name, "userdb.");
         if (!suffix)
@@ -1205,7 +1205,17 @@ static int load_credential_one(
                 return 0;
 
         const char *userdb_dir = transient ? "/run/userdb" : "/etc/userdb";
-        int userdb_dir_fd = transient ? userdb_dir_transient_fd : userdb_dir_persist_fd;
+
+        int *userdb_dir_fd = transient ? userdb_dir_transient_fd : userdb_dir_persist_fd;
+        if (*userdb_dir_fd == -EBADF) {
+                *userdb_dir_fd = xopenat_full(AT_FDCWD, userdb_dir,
+                                              /* open_flags= */ O_DIRECTORY|O_CREAT|O_CLOEXEC,
+                                              /* xopen_flags= */ XO_LABEL,
+                                              /* mode= */ 0755);
+                if (*userdb_dir_fd < 0)
+                        return log_error_errno(*userdb_dir_fd, "Failed to open '%s/': %m", userdb_dir);
+        } else if (*userdb_dir_fd < 0)
+                return log_debug_errno(*userdb_dir_fd, "Previous attempt to open '%s/' failed, skipping.", userdb_dir);
 
         _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
         unsigned line = 0, column = 0;
@@ -1362,11 +1372,11 @@ static int load_credential_one(
         if (r < 0)
                 return log_error_errno(r, "Failed to format JSON record: %m");
 
-        r = write_string_file_at(userdb_dir_fd, fn, formatted, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC);
+        r = write_string_file_at(*userdb_dir_fd, fn, formatted, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC);
         if (r < 0)
                 return log_error_errno(r, "Failed to write JSON record to %s/%s: %m", userdb_dir, fn);
 
-        if (symlinkat(fn, userdb_dir_fd, link) < 0)
+        if (symlinkat(fn, *userdb_dir_fd, link) < 0)
                 return log_error_errno(errno, "Failed to create symlink from %s to %s: %m", link, fn);
 
         log_info("Installed %s/%s from credential.", userdb_dir, fn);
@@ -1383,7 +1393,7 @@ static int load_credential_one(
                 if (r < 0)
                         return log_error_errno(r, "Failed to format JSON record: %m");
 
-                r = write_string_file_at(userdb_dir_fd, fn, formatted, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_MODE_0600);
+                r = write_string_file_at(*userdb_dir_fd, fn, formatted, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_MODE_0600);
                 if (r < 0)
                         return log_error_errno(r, "Failed to write JSON record to %s/%s: %m", userdb_dir, fn);
 
@@ -1397,7 +1407,7 @@ static int load_credential_one(
                                 return log_oom();
                 }
 
-                if (symlinkat(fn, userdb_dir_fd, link) < 0)
+                if (symlinkat(fn, *userdb_dir_fd, link) < 0)
                         return log_error_errno(errno, "Failed to create symlink from %s to %s: %m", link, fn);
 
                 log_info("Installed %s/%s from credential.", userdb_dir, fn);
@@ -1409,7 +1419,7 @@ static int load_credential_one(
                         if (!membership)
                                 return log_oom();
 
-                        _cleanup_close_ int fd = openat(userdb_dir_fd, membership, O_WRONLY|O_CREAT|O_CLOEXEC, 0644);
+                        _cleanup_close_ int fd = openat(*userdb_dir_fd, membership, O_WRONLY|O_CREAT|O_CLOEXEC, 0644);
                         if (fd < 0)
                                 return log_error_errno(errno, "Failed to create %s: %m", membership);
 
@@ -1421,7 +1431,7 @@ static int load_credential_one(
                         if (!membership)
                                 return log_oom();
 
-                        _cleanup_close_ int fd = openat(userdb_dir_fd, membership, O_WRONLY|O_CREAT|O_CLOEXEC, 0644);
+                        _cleanup_close_ int fd = openat(*userdb_dir_fd, membership, O_WRONLY|O_CREAT|O_CLOEXEC, 0644);
                         if (fd < 0)
                                 return log_error_errno(errno, "Failed to create %s: %m", membership);
 
@@ -1475,21 +1485,7 @@ static int load_credentials(int argc, char *argv[], void *userdata) {
         if (r < 0)
                 return log_error_errno(r, "Failed to enumerate credentials: %m");
 
-        _cleanup_close_ int userdb_persist_dir_fd = xopenat_full(
-                        AT_FDCWD, "/etc/userdb",
-                        /* open_flags= */ O_DIRECTORY|O_CREAT|O_CLOEXEC,
-                        /* xopen_flags= */ XO_LABEL,
-                        /* mode= */ 0755);
-        if (userdb_persist_dir_fd < 0)
-                return log_error_errno(userdb_persist_dir_fd, "Failed to open /etc/userdb/: %m");
-
-        _cleanup_close_ int userdb_transient_dir_fd = xopenat_full(
-                        AT_FDCWD, "/run/userdb",
-                        /* open_flags= */ O_DIRECTORY|O_CREAT|O_CLOEXEC,
-                        /* xopen_flags= */ XO_LABEL,
-                        /* mode= */ 0755);
-        if (userdb_transient_dir_fd < 0)
-                return log_error_errno(userdb_transient_dir_fd, "Failed to open /run/userdb/: %m");
+        _cleanup_close_ int userdb_persist_dir_fd = -EBADF, userdb_transient_dir_fd = -EBADF;
 
         FOREACH_ARRAY(i, des->entries, des->n_entries) {
                 struct dirent *de = *i;
@@ -1500,8 +1496,8 @@ static int load_credentials(int argc, char *argv[], void *userdata) {
                 RET_GATHER(r, load_credential_one(
                                 credential_dir_fd,
                                 de->d_name,
-                                userdb_persist_dir_fd,
-                                userdb_transient_dir_fd));
+                                &userdb_persist_dir_fd,
+                                &userdb_transient_dir_fd));
         }
 
         return r;

units/initrd-cleanup.service

@@ -9,6 +9,7 @@
 
 [Unit]
 Description=Cleaning Up and Shutting Down Daemons
+Documentation=man:bootup(7)
 DefaultDependencies=no
 AssertPathExists=/etc/initrd-release
 OnFailure=emergency.target

units/initrd-parse-etc.service.in

@@ -9,6 +9,7 @@
 
 [Unit]
 Description=Mountpoints Configured in the Real Root
+Documentation=man:bootup(7)
 AssertPathExists=/etc/initrd-release
 
 DefaultDependencies=no

units/initrd-switch-root.service

@@ -9,6 +9,7 @@
 
 [Unit]
 Description=Switch Root
+Documentation=man:bootup(7)
 
 AssertPathExists=/etc/initrd-release
 

units/initrd-switch-root.target

@@ -9,6 +9,7 @@
 
 [Unit]
 Description=Switch Root
+Documentation=man:bootup(7)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=initrd-switch-root.service

units/initrd-udevadm-cleanup-db.service

@@ -9,6 +9,7 @@
 
 [Unit]
 Description=Cleanup udev Database
+Documentation=man:bootup(7)
 DefaultDependencies=no
 AssertPathExists=/etc/initrd-release
 Conflicts=systemd-udevd.service systemd-udev-trigger.service systemd-udev-settle.service

units/kmod-static-nodes.service.in

@@ -9,6 +9,7 @@
 
 [Unit]
 Description=Create List of Static Device Nodes
+Documentation=man:kmod(8)
 DefaultDependencies=no
 Before=sysinit.target systemd-tmpfiles-setup-dev-early.service
 ConditionCapability=CAP_SYS_MODULE

units/systemd-boot-update.service

@@ -21,7 +21,7 @@ Before=shutdown.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=bootctl --no-variables --graceful update
+ExecStart=bootctl --variables=no --graceful update
 
 [Install]
 WantedBy=sysinit.target

units/systemd-firstboot.service

@@ -35,6 +35,7 @@ ExecStart=systemd-firstboot --prompt-locale --prompt-keymap --prompt-timezone --
 StandardOutput=tty
 StandardInput=tty
 StandardError=tty
+TTYReset=yes
 
 # Optionally, pick up basic fields from credentials passed to the service
 # manager. This is useful for importing this data from nspawn's

units/systemd-homed-firstboot.service

@@ -21,6 +21,7 @@ ExecStart=homectl firstboot --prompt-new-user
 StandardOutput=tty
 StandardInput=tty
 StandardError=tty
+TTYReset=yes
 ImportCredential=home.*
 
 [Install]

units/systemd-mountfsd.service.in

@@ -18,7 +18,7 @@ Before=sysinit.target shutdown.target
 DefaultDependencies=no
 
 [Service]
-#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN
 ExecStart={{LIBEXECDIR}}/systemd-mountfsd
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}

units/systemd-storagetm.service.in

@@ -24,4 +24,5 @@ Type=notify
 RemainAfterExit=yes
 StandardInput=tty
 StandardOutput=tty
+TTYReset=yes
 ExecStart={{LIBEXECDIR}}/systemd-storagetm --all