mirror of https://github.com/systemd/systemd synced 2026-03-14 09:04:47 +01:00

Compare commits


No commits in common. "db1ce3ea1a59b3af5ff2029e4514c7e82f5b94d3" and "e706aaa7a3d6d915f4eb153075188c8642fbc452" have entirely different histories.

9 changed files with 47 additions and 92 deletions


@ -39,9 +39,6 @@ Implementers working on build tools should strive to use the same key names, for
consistency. The most common will be listed here. When corresponding to the content of
os-release, the values should match, again for consistency.
If available, the metadata should also include the debuginfod server URL that can provide
the original executable, debuginfo and sources, to further facilitate debugging.
* Section header
```
@ -60,8 +57,7 @@ Value: a JSON string with the structure described below
"osVersion":"33",
"name":"coreutils",
"version": "4711.0815.fc13.arm32",
"osCpe": "cpe:/o:fedoraproject:fedora:33", # A CPE name for the operating system, `CPE_NAME` from os-release is a good default
"debugInfoUrl": "https://debuginfod.fedoraproject.org/"
"osCpe": # A CPE name for the operating system, `CPE_NAME` from os-release is a good default
}
```
@ -108,18 +104,3 @@ SECTIONS
}
INSERT AFTER .note.gnu.build-id;
```
## Well-known keys
The metadata format is intentionally left open, so that vendors can add their own information.
A set of well-known keys is defined here, and hopefully shared among all vendors.
| Key name | Key description | Example value |
|--------------|--------------------------------------------------------------------------|---------------------------------------|
| type | The packaging type | rpm |
| os | The OS name, typically corresponding to ID in os-release | fedora |
| osVersion | The OS version, typically corresponding to VERSION_ID in os-release | 33 |
| name | The source package name | coreutils |
| version | The source package version | 4711.0815.fc13.arm32 |
| osCpe | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:/o:fedoraproject:fedora:33 |
| debugInfoUrl | The debuginfod server url, if available | https://debuginfod.fedoraproject.org/ |


@ -111,12 +111,3 @@ int putsgent_sane(const struct sgrp *sg, FILE *stream);
bool is_nologin_shell(const char *shell);
int is_this_me(const char *username);
/* A locked *and* invalid password for "struct spwd"'s .sp_pwdp and "struct passwd"'s .pw_passwd field */
#define PASSWORD_LOCKED_AND_INVALID "!*"
/* A password indicating "look in shadow file, please!" for "struct passwd"'s .pw_passwd */
#define PASSWORD_SEE_SHADOW "x"
/* A password indicating "hey, no password required for login" */
#define PASSWORD_NONE ""


@ -5231,7 +5231,7 @@ static void strv_dump(FILE* f, const char *prefix, const char *name, char **strv
assert(name);
if (!strv_isempty(strv)) {
fprintf(f, "%s%s:", prefix, name);
fprintf(f, "%s%s:", name, prefix);
strv_fprintf(f, strv);
fputs("\n", f);
}
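Review bot: The new call `fprintf(f, "%s%s:", name, prefix);` passes its arguments in the opposite order from the signature `strv_dump(FILE* f, const char *prefix, const char *name, char **strv)`, so each line is emitted as the name followed by the prefix. A dump prefix has to come first for the output to line up with the surrounding dump, so the call should read `fprintf(f, "%s%s:", prefix, name);`. Only `assert(name)` is visible in this hunk; since `prefix` goes to `%s` as well, it is worth confirming in the part of strv_dump() above the hunk that it cannot be NULL here.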


@ -922,20 +922,20 @@ static int process_root_args(void) {
return r;
if (arg_root_password && arg_root_password_is_hashed) {
password = PASSWORD_SEE_SHADOW;
password = "x";
hashed_password = arg_root_password;
} else if (arg_root_password) {
r = hash_password(arg_root_password, &_hashed_password);
if (r < 0)
return log_error_errno(r, "Failed to hash password: %m");
password = PASSWORD_SEE_SHADOW;
password = "x";
hashed_password = _hashed_password;
} else if (arg_delete_root_password)
password = hashed_password = PASSWORD_NONE;
password = hashed_password = "";
else
password = hashed_password = PASSWORD_LOCKED_AND_INVALID;
password = hashed_password = "!";
r = write_root_passwd(etc_passwd, password, arg_root_shell);
if (r < 0)
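Review bot: The final `else` branch now assigns a bare `"!"` to both `password` and `hashed_password`, while the sysusers section on this page writes `"!*"` ("lock this password, and make it invalid") and the synthetic nobody records use `"*"`. A bare `"!"` is only a lock marker in front of an empty hash, so anything that later unlocks the account by removing the marker may leave an empty password field for root; `password = hashed_password = "!*";` keeps the entry both locked and invalid. The same unexplained literals (`"x"`, `""`, `"!"`, `"*"`, `"!*"`) recur in the other C sections of this compare, so a comment on each, or one shared named constant per meaning, would stop the spellings from drifting further. process_root_args() starts and ends outside the hunk.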


@ -149,7 +149,7 @@ typedef struct OciHook {
} OciHook;
typedef struct Settings {
/* [Exec] */
/* [Run] */
StartMode start_mode;
bool ephemeral;
char **parameters;
@ -180,7 +180,7 @@ typedef struct Settings {
bool link_journal_try;
TimezoneMode timezone;
/* [Files] */
/* [Image] */
int read_only;
VolatileMode volatile_mode;
CustomMount *custom_mounts;
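Review bot: The section labels in `struct Settings` now read `/* [Run] */` and `/* [Image] */`, which as far as I know are not the section names used in `.nspawn` settings files (`[Exec]` and `[Files]`). If the parser for this struct still uses those names, the comments send a reader looking for settings in sections that do not exist; they should stay `/* [Exec] */` and `/* [Files] */`. The struct continues outside both hunks, so other section comments there should be checked the same way.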


@ -20,7 +20,7 @@
static const struct passwd root_passwd = {
.pw_name = (char*) "root",
.pw_passwd = (char*) PASSWORD_SEE_SHADOW,
.pw_passwd = (char*) "x", /* see shadow file */
.pw_uid = 0,
.pw_gid = 0,
.pw_gecos = (char*) "Super User",
@ -30,7 +30,7 @@ static const struct passwd root_passwd = {
static const struct passwd nobody_passwd = {
.pw_name = (char*) NOBODY_USER_NAME,
.pw_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
.pw_passwd = (char*) "*", /* locked */
.pw_uid = UID_NOBODY,
.pw_gid = GID_NOBODY,
.pw_gecos = (char*) "User Nobody",
@ -41,14 +41,14 @@ static const struct passwd nobody_passwd = {
static const struct group root_group = {
.gr_name = (char*) "root",
.gr_gid = 0,
.gr_passwd = (char*) PASSWORD_SEE_SHADOW,
.gr_passwd = (char*) "x", /* see shadow file */
.gr_mem = (char*[]) { NULL },
};
static const struct group nobody_group = {
.gr_name = (char*) NOBODY_GROUP_NAME,
.gr_gid = GID_NOBODY,
.gr_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
.gr_passwd = (char*) "*", /* locked */
.gr_mem = (char*[]) { NULL },
};


@ -6,7 +6,6 @@
#include "strv.h"
#include "user-record-nss.h"
#include "user-record.h"
#include "user-util.h"
#include "userdb-glue.h"
#include "userdb.h"
@ -51,7 +50,7 @@ int nss_pack_user_record(
.pw_name = buffer,
.pw_uid = hr->uid,
.pw_gid = user_record_gid(hr),
.pw_passwd = (char*) PASSWORD_SEE_SHADOW,
.pw_passwd = (char*) "x", /* means: see shadow file */
};
assert(buffer);
@ -185,7 +184,7 @@ int nss_pack_group_record(
*gr = (struct group) {
.gr_name = strcpy(p, g->group_name),
.gr_gid = g->gid,
.gr_passwd = (char*) PASSWORD_SEE_SHADOW,
.gr_passwd = (char*) "x", /* means: see shadow file */
.gr_mem = array,
};


@ -27,7 +27,6 @@ typedef enum LookupWhat {
struct UserDBIterator {
LookupWhat what;
UserDBFlags flags;
Set *links;
bool nss_covered:1;
bool nss_iterating:1;
@ -93,7 +92,7 @@ UserDBIterator* userdb_iterator_free(UserDBIterator *iterator) {
return mfree(iterator);
}
static UserDBIterator* userdb_iterator_new(LookupWhat what, UserDBFlags flags) {
static UserDBIterator* userdb_iterator_new(LookupWhat what) {
UserDBIterator *i;
assert(what >= 0);
@ -105,7 +104,6 @@ static UserDBIterator* userdb_iterator_new(LookupWhat what, UserDBFlags flags) {
*i = (UserDBIterator) {
.what = what,
.flags = flags,
};
return i;
@ -610,7 +608,7 @@ int userdb_by_name(const char *name, UserDBFlags flags, UserRecord **ret) {
if (r < 0)
return r;
iterator = userdb_iterator_new(LOOKUP_USER, flags);
iterator = userdb_iterator_new(LOOKUP_USER);
if (!iterator)
return -ENOMEM;
@ -657,7 +655,7 @@ int userdb_by_uid(uid_t uid, UserDBFlags flags, UserRecord **ret) {
if (r < 0)
return r;
iterator = userdb_iterator_new(LOOKUP_USER, flags);
iterator = userdb_iterator_new(LOOKUP_USER);
if (!iterator)
return -ENOMEM;
@ -695,7 +693,7 @@ int userdb_all(UserDBFlags flags, UserDBIterator **ret) {
assert(ret);
iterator = userdb_iterator_new(LOOKUP_USER, flags);
iterator = userdb_iterator_new(LOOKUP_USER);
if (!iterator)
return -ENOMEM;
@ -740,15 +738,10 @@ int userdb_iterator_get(UserDBIterator *iterator, UserRecord **ret) {
if (pw->pw_uid == UID_NOBODY)
iterator->synthesize_nobody = false;
if (!FLAGS_SET(iterator->flags, USERDB_AVOID_SHADOW)) {
r = nss_spwd_for_passwd(pw, &spwd, &buffer);
if (r < 0) {
log_debug_errno(r, "Failed to acquire shadow entry for user %s, ignoring: %m", pw->pw_name);
incomplete = ERRNO_IS_PRIVILEGE(r);
}
} else {
r = -EUCLEAN;
incomplete = true;
r = nss_spwd_for_passwd(pw, &spwd, &buffer);
if (r < 0) {
log_debug_errno(r, "Failed to acquire shadow entry for user %s, ignoring: %m", pw->pw_name);
incomplete = ERRNO_IS_PRIVILEGE(r);
}
r = nss_passwd_to_user_record(pw, r >= 0 ? &spwd : NULL, ret);
@ -757,8 +750,6 @@ int userdb_iterator_get(UserDBIterator *iterator, UserRecord **ret) {
if (ret)
(*ret)->incomplete = incomplete;
iterator->n_found++;
return r;
}
@ -783,12 +774,12 @@ int userdb_iterator_get(UserDBIterator *iterator, UserRecord **ret) {
iterator->n_found++;
return synthetic_nobody_user_build(ret);
}
/* if we found at least one entry, then ignore errors and indicate that we reached the end */
if (iterator->n_found > 0)
return -ESRCH;
}
/* if we found at least one entry, then ignore errors and indicate that we reached the end */
if (r < 0 && iterator->n_found > 0)
return -ESRCH;
return r;
}
@ -821,7 +812,7 @@ int groupdb_by_name(const char *name, UserDBFlags flags, GroupRecord **ret) {
if (r < 0)
return r;
iterator = userdb_iterator_new(LOOKUP_GROUP, flags);
iterator = userdb_iterator_new(LOOKUP_GROUP);
if (!iterator)
return -ENOMEM;
@ -865,7 +856,7 @@ int groupdb_by_gid(gid_t gid, UserDBFlags flags, GroupRecord **ret) {
if (r < 0)
return r;
iterator = userdb_iterator_new(LOOKUP_GROUP, flags);
iterator = userdb_iterator_new(LOOKUP_GROUP);
if (!iterator)
return -ENOMEM;
@ -902,7 +893,7 @@ int groupdb_all(UserDBFlags flags, UserDBIterator **ret) {
assert(ret);
iterator = userdb_iterator_new(LOOKUP_GROUP, flags);
iterator = userdb_iterator_new(LOOKUP_GROUP);
if (!iterator)
return -ENOMEM;
@ -917,8 +908,8 @@ int groupdb_all(UserDBFlags flags, UserDBIterator **ret) {
setgrent();
iterator->nss_iterating = true;
} else if (r < 0)
return r;
} if (r < 0)
return r;
*ret = TAKE_PTR(iterator);
return 0;
@ -945,15 +936,10 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
if (gr->gr_gid == GID_NOBODY)
iterator->synthesize_nobody = false;
if (!FLAGS_SET(iterator->flags, USERDB_AVOID_SHADOW)) {
r = nss_sgrp_for_group(gr, &sgrp, &buffer);
if (r < 0) {
log_debug_errno(r, "Failed to acquire shadow entry for group %s, ignoring: %m", gr->gr_name);
incomplete = ERRNO_IS_PRIVILEGE(r);
}
} else {
r = -EUCLEAN;
incomplete = true;
r = nss_sgrp_for_group(gr, &sgrp, &buffer);
if (r < 0) {
log_debug_errno(r, "Failed to acquire shadow entry for group %s, ignoring: %m", gr->gr_name);
incomplete = ERRNO_IS_PRIVILEGE(r);
}
r = nss_group_to_group_record(gr, r >= 0 ? &sgrp : NULL, ret);
@ -962,8 +948,6 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
if (ret)
(*ret)->incomplete = incomplete;
iterator->n_found++;
return r;
}
@ -987,12 +971,12 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
iterator->n_found++;
return synthetic_nobody_group_build(ret);
}
/* if we found at least one entry, then ignore errors and indicate that we reached the end */
if (iterator->n_found > 0)
return -ESRCH;
}
/* if we found at least one entry, then ignore errors and indicate that we reached the end */
if (r < 0 && iterator->n_found > 0)
return -ESRCH;
return r;
}
@ -1011,7 +995,7 @@ int membershipdb_by_user(const char *name, UserDBFlags flags, UserDBIterator **r
if (r < 0)
return r;
iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP, flags);
iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP);
if (!iterator)
return -ENOMEM;
@ -1054,7 +1038,7 @@ int membershipdb_by_group(const char *name, UserDBFlags flags, UserDBIterator **
if (r < 0)
return r;
iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP, flags);
iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP);
if (!iterator)
return -ENOMEM;
@ -1095,7 +1079,7 @@ int membershipdb_all(UserDBFlags flags, UserDBIterator **ret) {
assert(ret);
iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP, flags);
iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP);
if (!iterator)
return -ENOMEM;
@ -1129,7 +1113,7 @@ int membershipdb_iterator_get(
assert(iterator);
for (;;) {
/* If we are iterating through NSS acquire a new group entry if we haven't acquired one yet. */
/* If we are iteratring through NSS acquire a new group entry if we haven't acquired one yet. */
if (!iterator->members_of_group) {
struct group *g;
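Review bot: In userdb_iterator_get() and groupdb_iterator_get() the shadow lookups (`nss_spwd_for_passwd()`, `nss_sgrp_for_group()`) are now unconditional, because the iterator no longer stores `flags`. However, `userdb_all()`, `groupdb_all()` and the by-name/by-id entry points still accept a `UserDBFlags flags` parameter. If callers still pass `USERDB_AVOID_SHADOW`, shadow access is attempted anyway during NSS iteration, and the record is marked incomplete only for a privilege error. Either keep `.flags = flags` on the iterator together with the `FLAGS_SET(iterator->flags, USERDB_AVOID_SHADOW)` guard, or add a comment at the entry points stating that the flag does not apply to iteration. The same hunks drop `iterator->n_found++` on the NSS path, so the later `if (r < 0 && iterator->n_found > 0) return -ESRCH;` may not count entries returned from NSS; these functions extend beyond the visible hunks, so confirm against the full file.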


@ -441,7 +441,7 @@ static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char
.pw_gecos = i->description,
/* "x" means the password is stored in the shadow file */
.pw_passwd = (char*) PASSWORD_SEE_SHADOW,
.pw_passwd = (char*) "x",
/* We default to the root directory as home */
.pw_dir = i->home ?: (char*) "/",
@ -551,7 +551,7 @@ static int write_temporary_shadow(const char *shadow_path, FILE **tmpfile, char
struct spwd n = {
.sp_namp = i->name,
.sp_pwdp = (char*) PASSWORD_LOCKED_AND_INVALID,
.sp_pwdp = (char*) "!*", /* lock this password, and make it invalid */
.sp_lstchg = lstchg,
.sp_min = -1,
.sp_max = -1,
@ -682,7 +682,7 @@ static int write_temporary_group(const char *group_path, FILE **tmpfile, char **
struct group n = {
.gr_name = i->name,
.gr_gid = i->gid,
.gr_passwd = (char*) PASSWORD_SEE_SHADOW,
.gr_passwd = (char*) "x",
};
r = putgrent_with_members(&n, group);
@ -766,7 +766,7 @@ static int write_temporary_gshadow(const char * gshadow_path, FILE **tmpfile, ch
ORDERED_HASHMAP_FOREACH(i, todo_gids) {
struct sgrp n = {
.sg_namp = i->name,
.sg_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
.sg_passwd = (char*) "!*",
};
r = putsgent_with_members(&n, gshadow);