src/login/logind-seat.c

@@ -6,10 +6,8 @@
 
 #include "sd-messages.h"
 
-#include "acl-util.h"
 #include "alloc-util.h"
 #include "device-util.h"
-#include "dirent-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
 #include "format-util.h"
@@ -28,7 +26,6 @@
 #include "mkdir-label.h"
 #include "path-util.h"
 #include "set.h"
-#include "stat-util.h"
 #include "stdio-util.h"
 #include "string-util.h"
 #include "terminal-util.h"
@@ -324,88 +321,12 @@ static int seat_trigger_devices(Seat *s) {
                         return r;
         }
 
+        seat_triggered_uevents_done(s);
         return 0;
 }
 
-static int static_node_acl(Seat *s) {
-#if HAVE_ACL
-        int r, ret = 0;
-        uid_t uid;
-
-        assert(s);
-
-        if (s->active)
-                uid = s->active->user->user_record->uid;
-        else
-                uid = 0;
-
-        _cleanup_closedir_ DIR *dir = opendir("/run/udev/static_node-tags/uaccess/");
-        if (!dir) {
-                if (errno == ENOENT)
-                        return 0;
-
-                return log_debug_errno(errno, "Failed to open /run/udev/static_node-tags/uaccess/: %m");
-        }
-
-        FOREACH_DIRENT(de, dir, return -errno) {
-                _cleanup_close_ int fd = RET_NERRNO(openat(dirfd(dir), de->d_name, O_CLOEXEC|O_PATH));
-                if (ERRNO_IS_NEG_DEVICE_ABSENT_OR_EMPTY(fd))
-                        continue;
-                if (fd < 0) {
-                        RET_GATHER(ret, log_debug_errno(fd, "Failed to open '/run/udev/static_node-tags/uaccess/%s': %m", de->d_name));
-                        continue;
-                }
-
-                struct stat st;
-                if (fstat(fd, &st) < 0) {
-                        RET_GATHER(ret, log_debug_errno(errno, "Failed to stat '/run/udev/static_node-tags/uaccess/%s': %m", de->d_name));
-                        continue;
-                }
-
-                r = stat_verify_device_node(&st);
-                if (r < 0) {
-                        RET_GATHER(ret, log_debug_errno(fd, "'/run/udev/static_node-tags/uaccess/%s' points to a non-device node: %m", de->d_name));
-                        continue;
-                }
-
-                _cleanup_(sd_device_unrefp) sd_device *dev = NULL;
-                r = sd_device_new_from_stat_rdev(&dev, &st);
-                if (r >= 0) {
-                        log_device_debug(dev, "'/run/udev/static_node-tags/uaccess/%s' points to a non-static device node, ignoring.", de->d_name);
-                        continue;
-                }
-                if (!ERRNO_IS_NEG_DEVICE_ABSENT_OR_EMPTY(r))
-                        log_debug_errno(r, "Failed to check if '/run/udev/static_node-tags/uaccess/%s' points to a static device node, ignoring: %m", de->d_name);
-
-                r = devnode_acl(fd, uid);
-                if (r >= 0 || r == -ENOENT)
-                        continue;
-
-                /* de->d_name is escaped, like "snd\x2ftimer", hence let's use the path to node, if possible. */
-                _cleanup_free_ char *node = NULL;
-                (void) fd_get_path(fd, &node);
-
-                if (uid != 0) {
-                        RET_GATHER(ret, log_debug_errno(r, "Failed to apply ACL on '%s': %m", node ?: de->d_name));
-
-                        /* Better be safe than sorry and reset ACL */
-                        r = devnode_acl(fd, /* uid = */ 0);
-                        if (r >= 0 || r == -ENOENT)
-                                continue;
-                }
-                if (r < 0)
-                        RET_GATHER(ret, log_debug_errno(r, "Failed to flush ACL on '%s': %m", node ?: de->d_name));
-        }
-
-        return ret;
-#else
-        return 0;
-#endif
-}
-
 int seat_set_active(Seat *s, Session *session) {
         Session *old_active;
-        int r;
 
         assert(s);
         assert(!session || session->seat == s);
@@ -437,16 +358,7 @@ int seat_set_active(Seat *s, Session *session) {
                 session_send_changed(old_active, "Active");
         }
 
-        r = seat_trigger_devices(s);
-        if (r < 0)
-                return r;
-
-        r = static_node_acl(s);
-        if (r < 0)
-                return r;
-
-        seat_triggered_uevents_done(s);
-        return 0;
+        return seat_trigger_devices(s);
 }
 
 static Session* seat_get_position(Seat *s, unsigned pos) {

src/login/meson.build

@@ -49,7 +49,6 @@ executables += [
                 'include_directories' : [libexec_template['include_directories'], include_directories('.')],
                 'extract' : systemd_logind_extract_sources,
                 'dependencies' : [
-                        libacl,
                         threads,
                 ],
         },

src/shared/acl-util.c

@@ -6,106 +6,12 @@
 #include "alloc-util.h"
 #include "errno-util.h"
 #include "extract-word.h"
-#include "fd-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "user-util.h"
 
 #if HAVE_ACL
 
-int devnode_acl(int fd, uid_t uid) {
-        bool changed = false, found = false;
-        int r;
-
-        assert(fd >= 0);
-
-        _cleanup_(acl_freep) acl_t acl = NULL;
-        acl = acl_get_file(FORMAT_PROC_FD_PATH(fd), ACL_TYPE_ACCESS);
-        if (!acl)
-                return -errno;
-
-        acl_entry_t entry;
-        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
-             r > 0;
-             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
-
-                acl_tag_t tag;
-                if (acl_get_tag_type(entry, &tag) < 0)
-                        return -errno;
-
-                if (tag != ACL_USER)
-                        continue;
-
-                if (uid > 0) {
-                        uid_t *u = acl_get_qualifier(entry);
-                        if (!u)
-                                return -errno;
-
-                        if (*u == uid) {
-                                acl_permset_t permset;
-                                if (acl_get_permset(entry, &permset) < 0)
-                                        return -errno;
-
-                                int rd = acl_get_perm(permset, ACL_READ);
-                                if (rd < 0)
-                                        return -errno;
-
-                                int wt = acl_get_perm(permset, ACL_WRITE);
-                                if (wt < 0)
-                                        return -errno;
-
-                                if (!rd || !wt) {
-                                        if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
-                                                return -errno;
-
-                                        changed = true;
-                                }
-
-                                found = true;
-                                continue;
-                        }
-                }
-
-                if (acl_delete_entry(acl, entry) < 0)
-                        return -errno;
-
-                changed = true;
-        }
-        if (r < 0)
-                return -errno;
-
-        if (!found && uid > 0) {
-                if (acl_create_entry(&acl, &entry) < 0)
-                        return -errno;
-
-                if (acl_set_tag_type(entry, ACL_USER) < 0)
-                        return -errno;
-
-                if (acl_set_qualifier(entry, &uid) < 0)
-                        return -errno;
-
-                acl_permset_t permset;
-                if (acl_get_permset(entry, &permset) < 0)
-                        return -errno;
-
-                if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
-                        return -errno;
-
-                changed = true;
-        }
-
-        if (!changed)
-                return 0;
-
-        if (acl_calc_mask(&acl) < 0)
-                return -errno;
-
-        if (acl_set_file(FORMAT_PROC_FD_PATH(fd), ACL_TYPE_ACCESS, acl) < 0)
-                return -errno;
-
-        return 0;
-}
-
 static int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *ret_entry) {
         acl_entry_t i;
         int r;

src/shared/acl-util.h

@@ -10,8 +10,6 @@ int fd_acl_make_writable_fallback(int fd);
 #include <acl/libacl.h> /* IWYU pragma: export */
 #include <sys/acl.h>    /* IWYU pragma: export */
 
-int devnode_acl(int fd, uid_t uid);
-
 int calc_acl_mask_if_needed(acl_t *acl_p);
 int add_base_acls_if_needed(acl_t *acl_p, const char *path);
 int acl_search_groups(const char* path, char ***ret_groups);
@@ -42,10 +40,6 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gid_t*, acl_free_gid_tp, NULL);
 #define ACL_WRITE   0x02
 #define ACL_EXECUTE 0x01
 
-static inline int devnode_acl(int fd, uid_t uid) {
-        return -EOPNOTSUPP;
-}
-
 static inline int fd_add_uid_acl_permission(int fd, uid_t uid, unsigned mask) {
         return -EOPNOTSUPP;
 }

src/udev/udev-builtin-uaccess.c

@@ -1,4 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * manage device node user ACL
+ */
 
 #include "sd-login.h"
 
@@ -9,6 +12,99 @@
 #include "login-util.h"
 #include "udev-builtin.h"
 
+static int devnode_acl(int fd, uid_t uid) {
+        bool changed = false, found = false;
+        int r;
+
+        assert(fd >= 0);
+
+        _cleanup_(acl_freep) acl_t acl = NULL;
+        acl = acl_get_file(FORMAT_PROC_FD_PATH(fd), ACL_TYPE_ACCESS);
+        if (!acl)
+                return -errno;
+
+        acl_entry_t entry;
+        for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &entry);
+             r > 0;
+             r = acl_get_entry(acl, ACL_NEXT_ENTRY, &entry)) {
+
+                acl_tag_t tag;
+                if (acl_get_tag_type(entry, &tag) < 0)
+                        return -errno;
+
+                if (tag != ACL_USER)
+                        continue;
+
+                if (uid > 0) {
+                        uid_t *u = acl_get_qualifier(entry);
+                        if (!u)
+                                return -errno;
+
+                        if (*u == uid) {
+                                acl_permset_t permset;
+                                if (acl_get_permset(entry, &permset) < 0)
+                                        return -errno;
+
+                                int rd = acl_get_perm(permset, ACL_READ);
+                                if (rd < 0)
+                                        return -errno;
+
+                                int wt = acl_get_perm(permset, ACL_WRITE);
+                                if (wt < 0)
+                                        return -errno;
+
+                                if (!rd || !wt) {
+                                        if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
+                                                return -errno;
+
+                                        changed = true;
+                                }
+
+                                found = true;
+                                continue;
+                        }
+                }
+
+                if (acl_delete_entry(acl, entry) < 0)
+                        return -errno;
+
+                changed = true;
+        }
+        if (r < 0)
+                return -errno;
+
+        if (!found && uid > 0) {
+                if (acl_create_entry(&acl, &entry) < 0)
+                        return -errno;
+
+                if (acl_set_tag_type(entry, ACL_USER) < 0)
+                        return -errno;
+
+                if (acl_set_qualifier(entry, &uid) < 0)
+                        return -errno;
+
+                acl_permset_t permset;
+                if (acl_get_permset(entry, &permset) < 0)
+                        return -errno;
+
+                if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
+                        return -errno;
+
+                changed = true;
+        }
+
+        if (!changed)
+                return 0;
+
+        if (acl_calc_mask(&acl) < 0)
+                return -errno;
+
+        if (acl_set_file(FORMAT_PROC_FD_PATH(fd), ACL_TYPE_ACCESS, acl) < 0)
+                return -errno;
+
+        return 0;
+}
+
 static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) {
         sd_device *dev = ASSERT_PTR(ASSERT_PTR(event)->dev);
         int r, k;

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/always-activating.service

@@ -5,4 +5,4 @@ After=always-activating.socket
 
 [Service]
 Type=notify
-ExecStart=sleep infinity
+ExecStart=bash -c 'sleep infinity'

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/hello.service

@@ -3,4 +3,4 @@
 Description=Hello World
 
 [Service]
-ExecStart=echo "Hello World"
+ExecStart=/bin/echo "Hello World"

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/sleep-infinity-restart-direct.service

@@ -3,6 +3,6 @@
 OnFailure=restart-on-failure.service
 
 [Service]
-ExecStart=sleep infinity
+ExecStart=/bin/sleep infinity
 Restart=on-failure
 RestartMode=direct

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/sleep-infinity-restart-normal.service

@@ -3,6 +3,6 @@
 OnFailure=restart-on-failure.service
 
 [Service]
-ExecStart=sleep infinity
+ExecStart=/bin/sleep infinity
 Restart=on-failure
 RestartMode=normal

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/sleep-infinity-simple.service

@@ -4,4 +4,4 @@ Description=Sleep infinitely
 
 [Service]
 Type=simple
-ExecStart=sleep infinity
+ExecStart=/bin/sleep infinity

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/sleep.service

@@ -4,4 +4,4 @@ Description=Sleep for 1 minute
 
 [Service]
 Type=oneshot
-ExecStart=sleep 60
+ExecStart=/bin/sleep 60

test/integration-tests/TEST-03-JOBS/TEST-03-JOBS.units/unstoppable.service

@@ -2,5 +2,5 @@
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=echo "I'm unstoppable!"
-ExecStop=systemctl start --no-block unstoppable.service
+ExecStart=/bin/echo "I'm unstoppable!"
+ExecStop=/bin/systemctl start --no-block unstoppable.service

test/integration-tests/TEST-06-SELINUX/TEST-06-SELINUX.units/hola.service

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 [Service]
 Type=oneshot
-ExecStart=echo Start Hola
-ExecReload=echo Reload Hola
-ExecStop=echo Stop Hola
+ExecStart=/bin/echo Start Hola
+ExecReload=/bin/echo Reload Hola
+ExecStop=/bin/echo Stop Hola
 RemainAfterExit=yes

test/integration-tests/TEST-07-PID1/TEST-07-PID1.units/issue14566-repro.service

@@ -4,5 +4,5 @@ Description=Issue 14566 Repro
 
 [Service]
 ExecStart=/usr/lib/systemd/tests/testdata/TEST-07-PID1.units/%N.sh
-ExecStopPost=true
+ExecStopPost=/bin/true
 KillMode=mixed

test/integration-tests/TEST-07-PID1/TEST-07-PID1.units/issue16115-repro-1.service

@@ -5,6 +5,6 @@ Description=Issue 16115 Repro with on-abnormal
 [Service]
 Type=simple
 Restart=on-abnormal
-ExecCondition=false
+ExecCondition=/bin/false
 ExecStart=sleep 100
 RestartSec=1

test/integration-tests/TEST-07-PID1/TEST-07-PID1.units/issue16115-repro-2.service

@@ -5,6 +5,6 @@ Description=Issue 16115 Repro with on-failure
 [Service]
 Type=simple
 Restart=on-failure
-ExecCondition=false
+ExecCondition=/bin/false
 ExecStart=sleep 100
 RestartSec=1

test/integration-tests/TEST-07-PID1/TEST-07-PID1.units/issue16115-repro-3.service

@@ -5,6 +5,6 @@ Description=Issue 22257 Repro with Restart=always
 [Service]
 Type=simple
 Restart=always
-ExecCondition=false
+ExecCondition=/bin/false
 ExecStart=sleep 100
 RestartSec=1

test/integration-tests/TEST-16-EXTEND-TIMEOUT/TEST-16-EXTEND-TIMEOUT.units/fail-stop.service

@@ -13,4 +13,4 @@ Environment=SERVICE=fail_stop extend_timeout_interval=5 sleep_interval=7 start_i
 ExecStart=/usr/lib/systemd/tests/testdata/TEST-16-EXTEND-TIMEOUT.units/extend-timeout.sh
 # Due to 6041a7ee2c1bbff6301082f192fc1b0882400d42 SIGTERM isn't sent as the service shuts down with STOPPING=1
 # This file makes the test assess.sh quicker by notifying it that this test has finished.
-ExecStopPost=bash -c '[[ $SERVICE_RESULT == timeout && $EXIT_CODE == killed ]] && touch /fail_runtime.terminated'
+ExecStopPost=/bin/bash -c '[[ $SERVICE_RESULT == timeout && $EXIT_CODE == killed ]] && touch /fail_runtime.terminated'

test/integration-tests/TEST-62-RESTRICT-IFACES/TEST-62-RESTRICT-IFACES.units/TEST-62-RESTRICT-IFACES-6.service

@@ -2,9 +2,9 @@
 [Unit]
 Description=TEST-62-RESTRICT-IFACES-altname
 [Service]
-ExecStart=sh -c 'ping -c 1 -W 0.2 192.168.113.1'
-ExecStart=sh -c 'ping -c 1 -W 0.2 192.168.113.5'
-ExecStart=sh -c '! ping -c 1 -W 0.2 192.168.113.9'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.9'
 RestrictNetworkInterfaces=veth0-altname-with-more-than-15-chars
 RestrictNetworkInterfaces=veth1-altname-with-more-than-15-chars
 Type=oneshot

test/integration-tests/TEST-63-PATH/TEST-63-PATH.units/test63-issue-24577-dep.service

@@ -1,4 +1,4 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 [Service]
 Type=oneshot
-ExecStart=sleep infinity
+ExecStart=bash -c 'sleep infinity'

test/integration-tests/TEST-63-PATH/TEST-63-PATH.units/test63-issue-24577.service

@@ -5,4 +5,4 @@ After=test63-issue-24577-dep.service
 
 [Service]
 Type=oneshot
-ExecStart=sleep infinity
+ExecStart=bash -c 'sleep infinity'

test/units/TEST-04-JOURNAL.SYSTEMD_JOURNAL_COMPRESS.sh

@@ -26,7 +26,7 @@ EOF
     journalctl --rotate
 
     ID="$(systemd-id128 new)"
-    systemd-cat -t "$ID" bash -c "for ((i=0;i<100;i++)); do echo -n hoge with ${c}; done; echo"
+    systemd-cat -t "$ID" /bin/bash -c "for ((i=0;i<100;i++)); do echo -n hoge with ${c}; done; echo"
     journalctl --sync
     timeout 10 bash -c "until SYSTEMD_LOG_LEVEL=debug journalctl --verify --quiet --file /var/log/journal/$MACHINE_ID/system.journal 2>&1 | grep -q -F 'compress=${c}'; do sleep .5; done"
 

test/units/TEST-04-JOURNAL.journal.sh

@@ -93,7 +93,7 @@ grep -vq "^_PID=$PID" /tmp/output
 # https://github.com/systemd/systemd/issues/15654
 ID=$(systemd-id128 new)
 printf "This will\nusually fail\nand be truncated\n" >/tmp/expected
-systemd-cat -t "$ID" sh -c 'env echo -n "This will";echo;env echo -n "usually fail";echo;env echo -n "and be truncated";echo;'
+systemd-cat -t "$ID" /bin/sh -c 'env echo -n "This will";echo;env echo -n "usually fail";echo;env echo -n "and be truncated";echo;'
 journalctl --sync
 journalctl -b -o cat -t "$ID" >/tmp/output
 diff /tmp/expected /tmp/output
@@ -120,7 +120,7 @@ journalctl -b -n 1 /bin/true /bin/false
 journalctl -b -n 1 /bin/true + /bin/false
 journalctl -b -n 1 -r --unit "systemd*"
 
-systemd-run --user -M "testuser@.host" echo hello
+systemd-run --user -M "testuser@.host" /bin/echo hello
 journalctl --sync
 journalctl -b -n 1 -r --user-unit "*"
 
@@ -158,7 +158,7 @@ journalctl --header | grep system.journal
 journalctl --field _EXE | grep . >/dev/null
 journalctl --no-hostname --utc --catalog | grep . >/dev/null
 # Exercise executable_is_script() and the related code, e.g. `journalctl -b /path/to/a/script.sh` should turn
-# into ((_EXE=/usr/bin/bash AND _COMM=script.sh) AND _BOOT_ID=c002e3683ba14fa8b6c1e12878386514)
+# into ((_EXE=/bin/bash AND _COMM=script.sh) AND _BOOT_ID=c002e3683ba14fa8b6c1e12878386514)
 journalctl -b "$(readlink -f "$0")" | grep . >/dev/null
 journalctl -b "$(systemd-id128 boot-id)" | grep . >/dev/null
 journalctl --since yesterday --reverse | grep . >/dev/null
@@ -219,7 +219,7 @@ journalctl --follow --merge | head -n1 | grep .
 rm -f /tmp/issue-26746-log /tmp/issue-26746-cursor
 ID="$(systemd-id128 new)"
 journalctl -t "$ID" --follow --cursor-file=/tmp/issue-26746-cursor | tee /tmp/issue-26746-log &
-systemd-cat -t "$ID" sh -c 'echo hogehoge'
+systemd-cat -t "$ID" /bin/sh -c 'echo hogehoge'
 # shellcheck disable=SC2016
 timeout 10 bash -c 'until [[ -f /tmp/issue-26746-log && "$(cat /tmp/issue-26746-log)" =~ hogehoge ]]; do sleep .5; done'
 pkill -TERM journalctl

test/units/TEST-07-PID1.exec-context.sh

@@ -405,7 +405,7 @@ if [[ ! -v ASAN_OPTIONS ]]; then
     # Here, -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env does not work,
     # as sd-executor loads NSS module and fails before applying the environment:
     # (true)[660]: test-dynamicuser-fail.service: Changing to the requested working directory failed: No such file or directory
-    # (true)[660]: test-dynamicuser-fail.service: Failed at step CHDIR spawning true: No such file or directory
+    # (true)[660]: test-dynamicuser-fail.service: Failed at step CHDIR spawning /usr/bin/true: No such file or directory
     # TEST-07-PID1.sh[660]: ==660==LeakSanitizer has encountered a fatal error.
     # TEST-07-PID1.sh[660]: ==660==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
     # TEST-07-PID1.sh[660]: ==660==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)

test/units/TEST-07-PID1.exec-deserialization.sh

@@ -193,7 +193,7 @@ testcase_issue_6533() {
     cat >"$unit_path" <<EOF
 [Service]
 Type=simple
-ExecStart=sleep 5
+ExecStart=/bin/sleep 5
 EOF
     systemctl daemon-reload
 
@@ -207,7 +207,7 @@ EOF
     cat >"$unit_path" <<EOF
 [Service]
 Type=simple
-ExecStart=sleep 5
+ExecStart=/bin/sleep 5
 ExecStart=bash -c "echo foo >>$log_file"
 EOF
     systemctl daemon-reload

test/units/TEST-07-PID1.issue-31752.sh

@@ -23,7 +23,7 @@ trap cleanup EXIT
 
 cat > /run/systemd/system/"$UNIT" <<EOF
 [Service]
-ExecStart=true
+ExecStart=/usr/bin/true
 RemainAfterExit=yes
 EOF
 

test/units/TEST-07-PID1.issue-33672.sh

@@ -23,7 +23,7 @@ trap cleanup EXIT
 
 cat > /run/systemd/system/"$UNIT" <<EOF
 [Service]
-ExecStart=true
+ExecStart=/usr/bin/true
 EOF
 
 mkdir /run/systemd/system/"$UNIT".d

test/units/TEST-07-PID1.main-PID-change.sh

@@ -18,7 +18,7 @@ INTERNALPID=$!
 disown
 
 # Start a test process outside of our own cgroup
-systemd-run -p DynamicUser=1 --unit=test-sleep.service sleep infinity
+systemd-run -p DynamicUser=1 --unit=test-sleep.service /bin/sleep infinity
 EXTERNALPID="$(systemctl show -P MainPID test-sleep.service)"
 
 # Update our own main PID to the external test PID, this should work
@@ -162,11 +162,11 @@ chmod 755 /dev/shm/test-mainpid3.sh
 test "$(systemctl show -P Result test-mainpidsh3.service)" = timeout
 
 # Test that scope units work
-systemd-run --scope --unit test-true.scope true
+systemd-run --scope --unit test-true.scope /bin/true
 test "$(systemctl show -P Result test-true.scope)" = success
 
 # Test that user scope units work as well
 
 systemctl start user@4711.service
-runas testuser systemd-run --scope --user --unit test-true.scope true
+runas testuser systemd-run --scope --user --unit test-true.scope /bin/true
 test "$(systemctl show -P Result test-true.scope)" = success

test/units/TEST-07-PID1.mqueue-ownership.sh

@@ -35,7 +35,7 @@ cat << 'EOF' > /run/systemd/system/mqueue-ownership.service
 Description=Dummy service for the socket unit
 Requires=%N.socket
 [Service]
-ExecStart=true
+ExecStart=/usr/bin/true
 Type=oneshot
 EOF
 

test/units/TEST-07-PID1.private-network.sh

@@ -4,4 +4,4 @@ set -eux
 set -o pipefail
 
 # For issue https://github.com/systemd/systemd/issues/29526
-systemd-run -p PrivateNetwork=yes --wait true
+systemd-run -p PrivateNetwork=yes --wait /bin/true

test/units/TEST-07-PID1.quota.sh

@@ -41,7 +41,7 @@ PrivateUsers=yes
 TemporaryFileSystem=/run /var/opt /var/lib /vol
 ${exec_directory_directive}
 ${exec_quota_directive}
-ExecStart=bash -c ' \
+ExecStart=/bin/bash -c ' \
     set -eux; \
     set -o pipefail; \
     touch ${directory}/quotadir/testfile; \
@@ -77,7 +77,7 @@ PrivateUsers=yes
 TemporaryFileSystem=/run /var/opt /var/lib /vol
 ${exec_directory_directive}
 ${exec_quota_directive}
-ExecStart=bash -c ' \
+ExecStart=/bin/bash -c ' \
     set -eux; \
     set -o pipefail; \
     (! fallocate -l 10000G ${directory}/quotadir/largefile); \

test/units/TEST-07-PID1.transient-unit-container.sh

@@ -121,8 +121,8 @@ After=basic.target
 
 [Service]
 Type=oneshot
-ExecStart=sh -c 'echo "$EXPECTED_OUTPUT"  > "$guest_output"'
-ExecStartPost=systemctl --no-block exit 0
+ExecStart=/bin/sh -c 'echo "$EXPECTED_OUTPUT"  > "$guest_output"'
+ExecStartPost=/usr/bin/systemctl --no-block exit 0
 TimeoutStopSec=15s
 
 [Install]

test/units/TEST-07-PID1.type-exec-parallel.sh

@@ -6,4 +6,4 @@ set -o pipefail
 # Make sure that we never mistake a process starting but failing quickly for a process failing to start, with Type=exec.
 # See https://github.com/systemd/systemd/pull/30799
 
-seq 25 | xargs -n 1 -P 0 systemd-run -p Type=exec false
+seq 25 | xargs -n 1 -P 0 systemd-run -p Type=exec /bin/false

test/units/TEST-13-NSPAWN.machined.sh

@@ -40,7 +40,7 @@ done
 # Create one "long running" container with some basic signal handling
 create_dummy_container /var/lib/machines/long-running
 cat >/var/lib/machines/long-running/sbin/init <<\EOF
-#!/usr/bin/env bash
+#!/usr/bin/bash
 
 set -x
 
@@ -316,7 +316,7 @@ varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Unreg
 # test io.systemd.Machine.List with addresses, OSRelease, and UIDShift fields
 create_dummy_container "/var/lib/machines/container-without-os-release"
 cat >>/var/lib/machines/container-without-os-release/sbin/init <<\EOF
-#!/usr/bin/env bash
+#!/usr/bin/bash
 
 set -x
 
@@ -397,13 +397,13 @@ rm -f /tmp/none-existent-file
 # server side, to not generate early SIGHUP. Hence, let's just invoke "sleep
 # infinity" client side, once we acquired the fd (passing it to it), and kill
 # it once we verified everything worked.
-PID=$(systemd-notify --fork -- varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/usr/bin/bash", "args": ["bash", "-c", "echo $FOO > /tmp/none-existent-file"], "environment": ["FOO=BAR"]}' -- sleep infinity)
+PID=$(systemd-notify --fork -- varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/bin/bash", "args": ["/bin/bash", "-c", "echo $FOO > /tmp/none-existent-file"], "environment": ["FOO=BAR"]}' -- sleep infinity)
 timeout 30 bash -c "until test -e /tmp/none-existent-file; do sleep .5; done"
 grep -q "BAR" /tmp/none-existent-file
 kill "$PID"
 
 # Test varlinkctl's --exec fd passing logic properly
-assert_eq "$(varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/usr/bin/bash", "args": ["bash", "-c", "echo $((7 + 8))"], "environment": ["TERM=dumb"]}' -- bash -c 'read -r -N 2 x <&3 ; echo "$x"')" 15
+assert_eq "$(varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/bin/bash", "args": ["/bin/bash", "-c", "echo $((7 + 8))"], "environment": ["TERM=dumb"]}' -- bash -c 'read -r -N 2 x <&3 ; echo "$x"')" 15
 
 # test io.systemd.Machine.MapFrom
 varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.MapFrom '{"name": "long-running", "uid":0, "gid": 0}'

test/units/TEST-13-NSPAWN.nspawn-oci.sh

@@ -351,8 +351,7 @@ EOF
 # Create a simple "entrypoint" script that validates that the container
 # is created correctly according to the OCI config
 cat >"$OCI/rootfs/entrypoint.sh" <<EOF
-#!/usr/bin/env bash
-set -e
+#!/usr/bin/bash -e
 
 # Mounts
 mountpoint /root

test/units/TEST-13-NSPAWN.nspawn.sh

@@ -193,7 +193,7 @@ testcase_sanity() {
     # "Fake" getent passwd's bare minimum, so we don't have to pull it in
     # with all the DSO shenanigans
     cat >"$root/bin/getent" <<\EOF
-#!/usr/bin/env bash
+#!/bin/bash
 
 if [[ $# -eq 0 ]]; then
     :
@@ -456,7 +456,7 @@ Port=tcp:60
 Port=udp:60:61
 EOF
     cat >"$root/entrypoint.sh" <<\EOF
-#!/usr/bin/env bash
+#!/bin/bash
 set -ex
 
 env
@@ -844,7 +844,7 @@ testcase_owneridmap() {
     # "Fake" getent passwd's bare minimum, so we don't have to pull it in
     # with all the DSO shenanigans
     cat >"$root/bin/getent" <<\EOF
-#!/usr/bin/env bash
+#!/bin/bash
 
 if [[ $# -eq 0 ]]; then
     :
@@ -869,7 +869,7 @@ EOF
                            --user=testuser \
                            --bind=/tmp/owneridmap/bind:/home/testuser:owneridmap \
                            ${COVERAGE_BUILD_DIR:+--bind="$COVERAGE_BUILD_DIR"} \
-                           bash -c "$cmd" |& tee nspawn.out; then
+                           /usr/bin/bash -c "$cmd" |& tee nspawn.out; then
         if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then
             echo "idmapped mounts are not supported, skipping the test..."
             return 0
@@ -906,8 +906,7 @@ testcase_os_release() {
     create_dummy_container "$root"
     entrypoint="$root/entrypoint.sh"
     cat >"$entrypoint" <<\EOF
-#!/usr/bin/env bash
-set -ex
+#!/usr/bin/bash -ex
 
 . /tmp/os-release
 [[ -n "${ID:-}" && "$ID" != "$container_host_id" ]] && exit 1
@@ -954,7 +953,7 @@ testcase_machinectl_bind() {
     cat >"$service_path" <<EOF
 [Service]
 Type=notify
-ExecStart=systemd-nspawn --directory="$root" --notify-ready=no bash -xec "$cmd"
+ExecStart=systemd-nspawn --directory="$root" --notify-ready=no /usr/bin/bash -xec "$cmd"
 EOF
 
     systemctl daemon-reload

test/units/TEST-13-NSPAWN.nss-mymachines.sh

@@ -25,8 +25,7 @@ mount --bind "$(mktemp --tmpdir=/var/tmp -d)" /var/lib/machines
 # 1) Have no IP addresses assigned
 create_dummy_container /var/lib/machines/nss-mymachines-noip
 cat >/var/lib/machines/nss-mymachines-noip/sbin/init <<\EOF
-#!/usr/bin/env bash
-set -ex
+#!/usr/bin/bash -ex
 
 ip addr show dev ve-noip
 touch /initialized
@@ -39,8 +38,7 @@ EOF
 # 2) Have one IP address assigned (IPv4 only)
 create_dummy_container /var/lib/machines/nss-mymachines-singleip
 cat >/var/lib/machines/nss-mymachines-singleip/sbin/init <<\EOF
-#!/usr/bin/env bash
-set -ex
+#!/usr/bin/bash -ex
 
 ip addr add 10.1.0.2/24 dev ve-singleip
 ip addr show dev ve-singleip
@@ -53,8 +51,7 @@ EOF
 # 3) Have bunch of IP addresses assigned (both IPv4 and IPv6)
 create_dummy_container /var/lib/machines/nss-mymachines-manyips
 cat >/var/lib/machines/nss-mymachines-manyips/sbin/init <<\EOF
-#!/usr/bin/env bash
-set -ex
+#!/usr/bin/bash -ex
 
 ip addr add 10.2.0.2/24 dev ve-manyips
 for i in {100..120}; do

test/units/TEST-13-NSPAWN.unpriv.sh

@@ -24,7 +24,7 @@ run0 -u testuser mkdir -p .local/state/machines
 
 create_dummy_container /home/testuser/.local/state/machines/zurps
 cat >/home/testuser/.local/state/machines/zurps/sbin/init <<EOF
-#!/usr/bin/env bash
+#!/bin/sh
 echo "I am living in a container"
 exec sleep infinity
 EOF

test/units/TEST-15-DROPIN.sh

@@ -116,16 +116,16 @@ testcase_basic_dropins() {
 
     echo "*** test service.d/ top level drop-in"
     create_services test15-a test15-b
-    check_ko test15-a ExecCondition "echo a"
-    check_ko test15-b ExecCondition "echo b"
+    check_ko test15-a ExecCondition "/bin/echo a"
+    check_ko test15-b ExecCondition "/bin/echo b"
     mkdir -p /run/systemd/system/service.d
     cat >/run/systemd/system/service.d/override.conf <<EOF
 [Service]
-ExecCondition=echo %n
+ExecCondition=/bin/echo %n
 EOF
     systemctl daemon-reload
-    check_ok test15-a ExecCondition "echo test15-a"
-    check_ok test15-b ExecCondition "echo test15-b"
+    check_ok test15-a ExecCondition "/bin/echo test15-a"
+    check_ok test15-b ExecCondition "/bin/echo test15-b"
     rm -rf /run/systemd/system/service.d
 
     clear_units test15-{a,b,c,c1}.service

test/units/TEST-16-EXTEND-TIMEOUT.sh

@@ -70,21 +70,21 @@ runtime_max_sec=5
 systemd-run \
     --property=RuntimeMaxSec=${runtime_max_sec}s \
     -u runtime-max-sec-test-1.service \
-    sh -c "while true; do sleep 1; done"
+    /usr/bin/sh -c "while true; do sleep 1; done"
 wait_for_timeout runtime-max-sec-test-1.service $((runtime_max_sec + 2))
 
 systemd-run \
     --property=RuntimeMaxSec=${runtime_max_sec}s \
     --scope \
     -u runtime-max-sec-test-2.scope \
-    sh -c "while true; do sleep 1; done" &
+    /usr/bin/sh -c "while true; do sleep 1; done" &
 wait_for_timeout runtime-max-sec-test-2.scope $((runtime_max_sec + 2))
 
 # These ensure that RuntimeMaxSec is honored for scope and service
 # units if the value is changed and then the manager is reloaded.
 systemd-run \
     -u runtime-max-sec-test-3.service \
-    sh -c "while true; do sleep 1; done"
+    /usr/bin/sh -c "while true; do sleep 1; done"
 mkdir -p /etc/systemd/system/runtime-max-sec-test-3.service.d/
 cat > /etc/systemd/system/runtime-max-sec-test-3.service.d/override.conf << EOF
 [Service]
@@ -96,7 +96,7 @@ wait_for_timeout runtime-max-sec-test-3.service $((runtime_max_sec + 2))
 systemd-run \
     --scope \
     -u runtime-max-sec-test-4.scope \
-    sh -c "while true; do sleep 1; done" &
+    /usr/bin/sh -c "while true; do sleep 1; done" &
 
 # Wait until the unit is running to avoid race with creating the override.
 until systemctl is-active runtime-max-sec-test-4.scope; do

test/units/TEST-17-UDEV.IMPORT.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -ex
 set -o pipefail
@@ -7,7 +7,7 @@ mkdir -p /run/udev/rules.d/
 
 cat >/run/udev/rules.d/50-testsuite.rules <<EOF
 SUBSYSTEM=="mem", KERNEL=="null", OPTIONS="log_level=debug"
-ACTION=="add", SUBSYSTEM=="mem", KERNEL=="null", IMPORT{program}="/usr/bin/echo -e HOGE=aa\\\\x20\\\\x20\\\\x20bb\nFOO=\\\\x20aaa\\\\x20\n\n\n"
+ACTION=="add", SUBSYSTEM=="mem", KERNEL=="null", IMPORT{program}="/bin/echo -e HOGE=aa\\\\x20\\\\x20\\\\x20bb\nFOO=\\\\x20aaa\\\\x20\n\n\n"
 EOF
 
 udevadm control --reload

test/units/TEST-17-UDEV.TAG.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -ex
 set -o pipefail

test/units/TEST-17-UDEV.failed-event.sh

@@ -17,8 +17,8 @@ SUBSYSTEM!="mem", GOTO="test_end"
 KERNEL!="null", GOTO="test_end"
 
 OPTIONS="log_level=debug"
-PROGRAM=="/usr/bin/touch /tmp/test-udev-marker"
-PROGRAM!="/usr/bin/sleep 60", ENV{PROGRAM_RESULT}="KILLED"
+PROGRAM=="/bin/touch /tmp/test-udev-marker"
+PROGRAM!="/bin/sleep 60", ENV{PROGRAM_RESULT}="KILLED"
 
 LABEL="test_end"
 EOF

test/units/TEST-17-UDEV.queued-events-serialization.sh

@@ -17,9 +17,9 @@ KERNEL!="null", GOTO="end"
 ACTION=="remove", GOTO="end"
 
 IMPORT{db}="INVOCATIONS"
-IMPORT{program}="/usr/bin/bash -c 'systemctl show --property=InvocationID systemd-udevd.service'"
+IMPORT{program}="/bin/bash -c 'systemctl show --property=InvocationID systemd-udevd.service'"
 ENV{INVOCATIONS}+="%E{ACTION}_%E{SEQNUM}_%E{InvocationID}"
-ACTION=="add", RUN+="/usr/bin/bash -c ':> /tmp/marker'", RUN+="/usr/bin/sleep 10"
+ACTION=="add", RUN+="/bin/bash -c ':> /tmp/marker'", RUN+="/usr/bin/sleep 10"
 
 LABEL="end"
 EOF

test/units/TEST-17-UDEV.verify.sh

@@ -160,13 +160,13 @@ echo "Failed to parse rules file $(pwd)/${rules}: No buffer space available" >"$
 assert_1 "${rules}"
 
 {
-    printf 'RUN+="/usr/bin/true",%8170s\\\n' ' '
-    printf 'RUN+="/usr/bin/false"%8170s\\\n' ' '
+    printf 'RUN+="/bin/true",%8174s\\\n' ' '
+    printf 'RUN+="/bin/false"%8174s\\\n' ' '
     echo
 } >"${rules}"
 assert_0 "${rules}"
 
-printf 'RUN+="/usr/bin/true"%8176s\\\n #\n' ' ' ' ' >"${rules}"
+printf 'RUN+="/bin/true"%8176s\\\n #\n' ' ' ' ' >"${rules}"
 echo >>"${rules}"
 cat >"${exp}" <<EOF
 $(pwd)/${rules}:1 Line is too long, ignored.

test/units/TEST-17-UDEV.watch.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -ex
 set -o pipefail

test/units/TEST-19-CGROUP.keyed-properties.sh

@@ -43,7 +43,7 @@ EOF
 testcase_iodevice_unitfile () {
     cat >/run/systemd/system/test1.service <<EOF
 [Service]
-ExecStart=sleep inf
+ExecStart=/usr/bin/sleep inf
 IOReadBandwidthMax=/dev/sda1 1M
 IOReadBandwidthMax=/dev/sda2 2M
 IOReadBandwidthMax=/dev/sda3 4M

test/units/TEST-22-TMPFILES.01.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # With "e" don't attempt to set permissions when file doesn't exist, see

test/units/TEST-22-TMPFILES.02.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Basic tests for types creating directories

test/units/TEST-22-TMPFILES.03.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Basic tests for types creating/writing files

test/units/TEST-22-TMPFILES.04.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Basic tests for types creating fifos

test/units/TEST-22-TMPFILES.05.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#! /bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -eux
 set -o pipefail

test/units/TEST-22-TMPFILES.06.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Inspired by https://github.com/systemd/systemd/issues/9508

test/units/TEST-22-TMPFILES.07.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Verifies the issues described by https://github.com/systemd/systemd/issues/10191

test/units/TEST-22-TMPFILES.08.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Verify tmpfiles can run in a root directory under a path prefix that contains

test/units/TEST-22-TMPFILES.13.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Tests for configuration directory and file precedences

test/units/TEST-22-TMPFILES.14.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Tests for the ":" uid/gid/mode modifier

test/units/TEST-22-TMPFILES.15.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Check specifier expansion in L lines.

test/units/TEST-22-TMPFILES.16.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Test for conditionalized execute bit ('X' bit)

test/units/TEST-22-TMPFILES.17.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Test for C-style escapes in file names and contents

test/units/TEST-22-TMPFILES.18.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Tests for the --purge switch

test/units/TEST-22-TMPFILES.19.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
 # Tests for character and block device creation

test/units/TEST-23-UNIT-FILE.ExecReload.sh

@@ -15,7 +15,7 @@ echo "[#1] Failing ExecReload= should not kill the service"
 cat >"$SERVICE_PATH" <<EOF
 [Service]
 ExecStart=sleep infinity
-ExecReload=false
+ExecReload=/bin/false
 EOF
 
 systemctl daemon-reload
@@ -31,9 +31,9 @@ echo "[#2] Failing ExecReload= should not kill the service (multiple ExecReload=
 cat >"$SERVICE_PATH" <<EOF
 [Service]
 ExecStart=sleep infinity
-ExecReload=true
-ExecReload=false
-ExecReload=true
+ExecReload=/bin/true
+ExecReload=/bin/false
+ExecReload=/bin/true
 EOF
 
 systemctl daemon-reload
@@ -48,7 +48,7 @@ echo "[#3] Failing ExecReload=- should not affect reload's exit code"
 cat >"$SERVICE_PATH" <<EOF
 [Service]
 ExecStart=sleep infinity
-ExecReload=-false
+ExecReload=-/bin/false
 EOF
 
 systemctl daemon-reload

test/units/TEST-23-UNIT-FILE.ExecStopPost.sh

@@ -7,19 +7,19 @@ set -eux
 systemd-analyze log-level debug
 
 systemd-run --unit=simple1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=simple \
-    -p ExecStopPost='touch /run/simple1' true
+    -p ExecStopPost='/bin/touch /run/simple1' true
 test -f /run/simple1
 
 (! systemd-run --unit=simple2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=simple \
-    -p ExecStopPost='touch /run/simple2' false)
+    -p ExecStopPost='/bin/touch /run/simple2' false)
 test -f /run/simple2
 
 systemd-run --unit=exec1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec \
-    -p ExecStopPost='touch /run/exec1' sleep 1
+    -p ExecStopPost='/bin/touch /run/exec1' sleep 1
 test -f /run/exec1
 
 (! systemd-run --unit=exec2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec \
-   -p ExecStopPost='touch /run/exec2' sh -c 'sleep 1; false')
+   -p ExecStopPost='/bin/touch /run/exec2' sh -c 'sleep 1; false')
 test -f /run/exec2
 
 cat >/tmp/forking1.sh <<EOF
@@ -36,7 +36,7 @@ EOF
 chmod +x /tmp/forking1.sh
 
 systemd-run --unit=forking1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec \
-        -p ExecStopPost='touch /run/forking1' /tmp/forking1.sh
+        -p ExecStopPost='/bin/touch /run/forking1' /tmp/forking1.sh
 test -f /run/forking1
 
 cat >/tmp/forking2.sh <<EOF
@@ -53,29 +53,29 @@ EOF
 chmod +x /tmp/forking2.sh
 
 (! systemd-run --unit=forking2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec \
-    -p ExecStopPost='touch /run/forking2' /tmp/forking2.sh)
+    -p ExecStopPost='/bin/touch /run/forking2' /tmp/forking2.sh)
 test -f /run/forking2
 
 systemd-run --unit=oneshot1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=oneshot \
-    -p ExecStopPost='touch /run/oneshot1' true
+    -p ExecStopPost='/bin/touch /run/oneshot1' true
 test -f /run/oneshot1
 
 (! systemd-run --unit=oneshot2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=oneshot \
-    -p ExecStopPost='touch /run/oneshot2' false)
+    -p ExecStopPost='/bin/touch /run/oneshot2' false)
 test -f /run/oneshot2
 
 systemd-run --unit=dbus1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus -p BusName=systemd.test.ExecStopPost \
-    -p ExecStopPost='touch /run/dbus1' \
+    -p ExecStopPost='/bin/touch /run/dbus1' \
     busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus RequestName su systemd.test.ExecStopPost 4 || :
 test -f /run/dbus1
 
 systemd-run --unit=dbus2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus -p BusName=systemd.test.ExecStopPost \
-    -p ExecStopPost='touch /run/dbus2' true
+     -p ExecStopPost='/bin/touch /run/dbus2' true
 test -f /run/dbus2
 
 # https://github.com/systemd/systemd/issues/19920
 (! systemd-run --unit=dbus3.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus \
-    -p ExecStopPost='touch /run/dbus3' true)
+    -p ExecStopPost='/bin/touch /run/dbus3' true)
 
 cat >/tmp/notify1.sh <<EOF
 #!/usr/bin/env bash
@@ -87,19 +87,18 @@ EOF
 chmod +x /tmp/notify1.sh
 
 systemd-run --unit=notify1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify \
-    -p ExecStopPost='touch /run/notify1' /tmp/notify1.sh
+    -p ExecStopPost='/bin/touch /run/notify1' /tmp/notify1.sh
 test -f /run/notify1
 
 (! systemd-run --unit=notify2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify \
-    -p ExecStopPost='touch /run/notify2' true)
+    -p ExecStopPost='/bin/touch /run/notify2' true)
 test -f /run/notify2
 
-systemd-run --unit=idle1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=idle \
-    -p ExecStopPost='touch /run/idle1' true
+systemd-run --unit=idle1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=idle -p ExecStopPost='/bin/touch /run/idle1' true
 test -f /run/idle1
 
 (! systemd-run --unit=idle2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=idle \
-    -p ExecStopPost='touch /run/idle2' false)
+     -p ExecStopPost='/bin/touch /run/idle2' false)
 test -f /run/idle2
 
 systemd-analyze log-level info

test/units/TEST-23-UNIT-FILE.exec-command-ex.sh

@@ -20,16 +20,16 @@ property[7_seven]=ExecStopPost
 # These should all get upgraded to the corresponding Ex property as the non-Ex variant
 # does not support the ":" prefix (no-env-expand).
 for c in "${!property[@]}"; do
-    systemd-run --unit="$c" -r -p "Type=oneshot" -p "${property[$c]}=:echo \${$c}" true
-    systemctl show -p "${property[$c]}" "$c" | grep -F "path=echo ; argv[]=echo \${$c} ; ignore_errors=no"
-    systemctl show -p "${property[$c]}Ex" "$c" | grep -F "path=echo ; argv[]=echo \${$c} ; flags=no-env-expand"
+    systemd-run --unit="$c" -r -p "Type=oneshot" -p "${property[$c]}=:/bin/echo \${$c}" true
+    systemctl show -p "${property[$c]}" "$c" | grep -F "path=/bin/echo ; argv[]=/bin/echo \${$c} ; ignore_errors=no"
+    systemctl show -p "${property[$c]}Ex" "$c" | grep -F "path=/bin/echo ; argv[]=/bin/echo \${$c} ; flags=no-env-expand"
 done
 
 # Ex names on the commandline are supported for backward compat.
 for c in "${!property[@]}"; do
-    systemd-run --unit="${c}_ex" -r -p "Type=oneshot" -p "${property[$c]}Ex=:echo \${$c}" true
-    systemctl show -p "${property[$c]}" "$c" | grep -F "path=echo ; argv[]=echo \${$c} ; ignore_errors=no"
-    systemctl show -p "${property[$c]}Ex" "$c" | grep -F "path=echo ; argv[]=echo \${$c} ; flags=no-env-expand"
+    systemd-run --unit="${c}_ex" -r -p "Type=oneshot" -p "${property[$c]}Ex=:/bin/echo \${$c}" true
+    systemctl show -p "${property[$c]}" "$c" | grep -F "path=/bin/echo ; argv[]=/bin/echo \${$c} ; ignore_errors=no"
+    systemctl show -p "${property[$c]}Ex" "$c" | grep -F "path=/bin/echo ; argv[]=/bin/echo \${$c} ; flags=no-env-expand"
 done
 
 systemd-analyze log-level info

test/units/TEST-23-UNIT-FILE.oneshot-restart.sh

@@ -14,7 +14,7 @@ MAX_SECS=60
 systemctl log-level debug
 
 # test one: Restart=on-failure should restart the service
-(! systemd-run --unit=oneshot-restart-one -p Type=oneshot -p Restart=on-failure bash -c "exit 1")
+(! systemd-run --unit=oneshot-restart-one -p Type=oneshot -p Restart=on-failure /bin/bash -c "exit 1")
 
 for ((secs = 0; secs < MAX_SECS; secs++)); do
     [[ "$(systemctl show oneshot-restart-one.service -P NRestarts)" -le 0 ]] || break
@@ -35,7 +35,7 @@ TMP_FILE="/tmp/test-23-oneshot-restart-test$RANDOM"
         -p StartLimitBurst=3 \
         -p Type=oneshot \
         -p Restart=on-failure \
-        -p ExecStart="bash -c 'printf a >>$TMP_FILE'" bash -c "exit 1")
+        -p ExecStart="/bin/bash -c 'printf a >>$TMP_FILE'" /bin/bash -c "exit 1")
 
 # wait for at least 3 restarts
 for ((secs = 0; secs < MAX_SECS; secs++)); do

test/units/TEST-23-UNIT-FILE.statedir.sh

@@ -16,13 +16,13 @@ systemctl start user@0.service
 ( ! test -d "$HOME"/.local/state/foo)
 ( ! test -d "$HOME"/.config/foo)
 
-systemd-run --user -p StateDirectory=foo --wait true
+systemd-run --user -p StateDirectory=foo --wait /bin/true
 
 test -d "$HOME"/.local/state/foo
 ( ! test -L "$HOME"/.local/state/foo)
 ( ! test -d "$HOME"/.config/foo)
 
-systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait true
+systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait /bin/true
 
 test -d "$HOME"/.local/state/foo
 ( ! test -L "$HOME"/.local/state/foo)
@@ -30,7 +30,7 @@ test -d "$HOME"/.config/foo
 
 rmdir "$HOME"/.local/state/foo "$HOME"/.config/foo
 
-systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait true
+systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait /bin/true
 
 test -d "$HOME"/.local/state/foo
 ( ! test -L "$HOME"/.local/state/foo)
@@ -39,13 +39,13 @@ test -d "$HOME"/.config/foo
 rmdir "$HOME"/.local/state/foo "$HOME"/.config/foo
 
 # Now trigger an update scenario by creating a config dir first
-systemd-run --user -p ConfigurationDirectory=foo --wait true
+systemd-run --user -p ConfigurationDirectory=foo --wait /bin/true
 
 ( ! test -d "$HOME"/.local/state/foo)
 test -d "$HOME"/.config/foo
 
 # This will look like an update and result in a symlink
-systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait true
+systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait /bin/true
 
 test -d "$HOME"/.local/state/foo
 test -L "$HOME"/.local/state/foo
@@ -54,7 +54,7 @@ test -d "$HOME"/.config/foo
 test "$(readlink "$HOME"/.local/state/foo)" = ../../.config/foo
 
 # Check that this will work safely a second time
-systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait true
+systemd-run --user -p StateDirectory=foo -p ConfigurationDirectory=foo --wait /bin/true
 
 ( ! systemd-run --user -p StateDirectory=foo::ro --wait sh -c "echo foo > $HOME/.local/state/foo/baz")
 ( ! systemd-run --user -p StateDirectory=foo:bar:ro --wait sh -c "echo foo > $HOME/.local/state/foo/baz")

test/units/TEST-23-UNIT-FILE.type-exec.sh

@@ -12,16 +12,16 @@ touch /tmp/brokenbinary
 chmod +x /tmp/brokenbinary
 
 # These three commands should succeed.
-systemd-run --unit=exec-one -p Type=simple sleep infinity
-systemd-run --unit=exec-two -p Type=simple -p User=idontexist sleep infinity
+systemd-run --unit=exec-one -p Type=simple /bin/sleep infinity
+systemd-run --unit=exec-two -p Type=simple -p User=idontexist /bin/sleep infinity
 systemd-run --unit=exec-three -p Type=simple /tmp/brokenbinary
 
 # And now, do the same with Type=exec, where the latter two should fail
-systemd-run --unit=exec-four -p Type=exec sleep infinity
-(! systemd-run --unit=exec-five -p Type=exec -p User=idontexist sleep infinity)
+systemd-run --unit=exec-four -p Type=exec /bin/sleep infinity
+(! systemd-run --unit=exec-five -p Type=exec -p User=idontexist /bin/sleep infinity)
 (! systemd-run --unit=exec-six -p Type=exec /tmp/brokenbinary)
 
-systemd-run --unit=exec-seven -p KillSignal=SIGTERM -p RestartKillSignal=SIGINT -p Type=exec sleep infinity
+systemd-run --unit=exec-seven -p KillSignal=SIGTERM -p RestartKillSignal=SIGINT -p Type=exec /bin/sleep infinity
 # Both TERM and SIGINT happen to have the same number on all architectures
 test "$(systemctl show --value -p KillSignal exec-seven.service)" -eq 15
 test "$(systemctl show --value -p RestartKillSignal exec-seven.service)" -eq 2
@@ -37,7 +37,7 @@ busctl call \
     org.freedesktop.systemd1.Manager StartTransientUnit \
     "ssa(sv)a(sa(sv))" test-20933-ok.service replace 1 \
       ExecStart "a(sasb)" 1 \
-        sleep 2 sleep 1 true \
+        /usr/bin/sleep 2 /usr/bin/sleep 1 true \
     0
 
 # DBus call should fail but not crash systemd
@@ -46,7 +46,7 @@ busctl call \
     org.freedesktop.systemd1.Manager StartTransientUnit \
     "ssa(sv)a(sa(sv))" test-20933-bad.service replace 1 \
       ExecStart "a(sasb)" 1 \
-        sleep 0 true \
+        /usr/bin/sleep 0 true \
     0)
 
 # Same but with the empty argv in the middle
@@ -55,9 +55,9 @@ busctl call \
     org.freedesktop.systemd1.Manager StartTransientUnit \
     "ssa(sv)a(sa(sv))" test-20933-bad-middle.service replace 1 \
       ExecStart "a(sasb)" 3 \
-        sleep 2 sleep 1 true \
-        sleep 0         true \
-        sleep 2 sleep 1 true \
+        /usr/bin/sleep 2 /usr/bin/sleep 1 true \
+        /usr/bin/sleep 0                  true \
+        /usr/bin/sleep 2 /usr/bin/sleep 1 true \
     0)
 
 systemd-analyze log-level info

test/units/TEST-26-SYSTEMCTL.sh

@@ -258,7 +258,7 @@ systemctl revert "$UNIT_NAME"
 (! grep -r "CPUQuota=" "/run/systemd/system.control/${UNIT_NAME}.d/")
 
 # Failed-unit related tests
-(! systemd-run --wait --unit "failed.service" false)
+(! systemd-run --wait --unit "failed.service" /bin/false)
 systemctl is-failed failed.service
 systemctl --state=failed | grep failed.service
 systemctl --failed | grep failed.service
@@ -405,7 +405,7 @@ if [[ -x /usr/lib/systemd/system-generators/systemd-sysv-generator ]]; then
 
     # invalid dependency
     cat >"${SYSVINIT_PATH:?}/issue-24990" <<\EOF
-#!/usr/bin/env bash
+#!/bin/bash
 
 ### BEGIN INIT INFO
 # Provides:test1 test2
@@ -459,7 +459,7 @@ EOF
 
     # valid dependency
     cat >"$SYSVINIT_PATH/issue-24990" <<\EOF
-#!/usr/bin/env bash
+#!/bin/bash
 
 ### BEGIN INIT INFO
 # Provides:test1 test2

test/units/TEST-34-DYNAMICUSERMIGRATE.sh

@@ -180,7 +180,7 @@ PrivateUsers=yes
 TemporaryFileSystem=/run /var/opt /var/lib /vol
 UMask=0000
 StateDirectory=testidmapped:sampleservice
-ExecStart=bash -c ' \
+ExecStart=/bin/bash -c ' \
     set -eux; \
     set -o pipefail; \
     touch /var/lib/sampleservice/testfile; \
@@ -213,7 +213,7 @@ PrivateUsers=no
 TemporaryFileSystem=/run /var/opt /var/lib /vol
 UMask=0000
 StateDirectory=testidmapped:sampleservice
-ExecStart=bash -c ' \
+ExecStart=/bin/bash -c ' \
     set -eux; \
     set -o pipefail; \
     touch /var/lib/sampleservice/testfile; \

test/units/TEST-35-LOGIN.sh

@@ -21,7 +21,7 @@ cleanup_test_user() (
 
 setup_test_user() {
     mkdir -p /var/spool/cron /var/spool/mail
-    useradd -m -s /usr/bin/bash logind-test-user
+    useradd -m -s /bin/bash logind-test-user
     trap cleanup_test_user EXIT
 }
 
@@ -351,7 +351,7 @@ create_session() {
 [Service]
 Type=simple
 ExecStart=
-ExecStart=-agetty --autologin logind-test-user --noclear %I $TERM
+ExecStart=-/usr/sbin/agetty --autologin logind-test-user --noclear %I $TERM
 Restart=no
 EOF
     systemctl daemon-reload
@@ -679,7 +679,7 @@ session required   pam_unix.so
 EOF
 
     cat > "$SCRIPT" <<'EOF'
-#!/usr/bin/env bash
+#!/bin/bash
 set -ex
 typeset -i AMB MASK
 AMB="0x$(grep 'CapAmb:' /proc/self/status | cut -d: -f2 | tr -d '[:space:]')"

test/units/TEST-38-FREEZER.sh

@@ -339,7 +339,7 @@ testcase_watchdog() {
     local unit="wd.service"
 
     systemd-run --collect --unit "$unit" --property WatchdogSec=4s --property Type=notify \
-        bash -c 'systemd-notify --ready; while true; do systemd-notify WATCHDOG=1; sleep 1; done'
+        /bin/bash -c 'systemd-notify --ready; while true; do systemd-notify WATCHDOG=1; sleep 1; done'
 
     systemctl freeze "$unit"
     check_freezer_state "$unit" "frozen"

test/units/TEST-43-PRIVATEUSER-UNPRIV.sh

@@ -93,7 +93,7 @@ runas testuser systemd-run --wait --user --unit=test-devices \
 # Same check as test/test-execute/exec-privatenetwork-yes.service
 runas testuser systemd-run --wait --user --unit=test-network \
     -p PrivateNetwork=yes \
-    sh -x -c '! ip link | grep -E "^[0-9]+: " | grep -Ev ": (lo|(erspan|gre|gretap|ip_vti|ip6_vti|ip6gre|ip6tnl|sit|tunl)0@.*):"'
+    /bin/sh -x -c '! ip link | grep -E "^[0-9]+: " | grep -Ev ": (lo|(erspan|gre|gretap|ip_vti|ip6_vti|ip6gre|ip6tnl|sit|tunl)0@.*):"'
 
 (! runas testuser systemd-run --wait --user --unit=test-hostname \
     -p ProtectHostname=yes \

test/units/TEST-46-HOMED.sh

@@ -519,14 +519,14 @@ userdbctl ssh-authorized-keys dropinuser | tee /tmp/authorized-keys
 grep "ssh-ed25519" /tmp/authorized-keys
 grep "ecdsa-sha2-nistp256" /tmp/authorized-keys
 echo "my-top-secret-key 🐱" >/tmp/my-top-secret-key
-userdbctl ssh-authorized-keys dropinuser --chain /usr/bin/cat /tmp/my-top-secret-key | tee /tmp/authorized-keys
+userdbctl ssh-authorized-keys dropinuser --chain /bin/cat /tmp/my-top-secret-key | tee /tmp/authorized-keys
 grep "ssh-ed25519" /tmp/authorized-keys
 grep "ecdsa-sha2-nistp256" /tmp/authorized-keys
 grep "my-top-secret-key 🐱" /tmp/authorized-keys
 (! userdbctl ssh-authorized-keys 🐱)
 (! userdbctl ssh-authorized-keys dropin-user --chain)
 (! userdbctl ssh-authorized-keys dropin-user --chain '')
-(! SYSTEMD_LOG_LEVEL=debug userdbctl ssh-authorized-keys dropin-user --chain /usr/bin/false)
+(! SYSTEMD_LOG_LEVEL=debug userdbctl ssh-authorized-keys dropin-user --chain /bin/false)
 
 (! userdbctl '')
 for opt in json multiplexer output synthesize with-dropin with-nss with-varlink; do
@@ -611,7 +611,7 @@ EOF
 
     cat >/run/systemd/system/mysshserver@.service <<EOF
 [Service]
-ExecStart=-sshd -i -d -e
+ExecStart=-/usr/sbin/sshd -i -d -e
 StandardInput=socket
 StandardOutput=socket
 StandardError=journal

test/units/TEST-50-DISSECT.DDI.sh

@@ -3,7 +3,7 @@
 set -eux
 set -o pipefail
 
-# Check that the /usr/sbin/mount.ddi helper works
+# Check that the /sbin/mount.ddi helper works
 dir="/tmp/mounthelper.$RANDOM"
 mount -t ddi "$MINIMAL_IMAGE.gpt" "$dir" -o ro,X-mount.mkdir,discard
 umount -R "$dir"

test/units/TEST-50-DISSECT.dissect.sh

@@ -29,9 +29,9 @@ systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F -f <(sed 's/"//g' "$OS_RELEASE
 
 systemd-dissect --list "$MINIMAL_IMAGE.raw" | grep -q '^etc/os-release$'
 systemd-dissect --mtree "$MINIMAL_IMAGE.raw" --mtree-hash yes | \
-    grep -qE "^.(/usr|)/bin/cat type=file mode=0755 uid=0 gid=0 size=[0-9]* sha256sum=[a-z0-9]*$"
+    grep -qe "^./usr/bin/cat type=file mode=0755 uid=0 gid=0 size=[0-9]* sha256sum=[a-z0-9]*$"
 systemd-dissect --mtree "$MINIMAL_IMAGE.raw" --mtree-hash no  | \
-    grep -qE "^.(/usr|)/bin/cat type=file mode=0755 uid=0 gid=0 size=[0-9]*$"
+    grep -qe "^./usr/bin/cat type=file mode=0755 uid=0 gid=0 size=[0-9]*$"
 
 read -r SHA256SUM1 _ < <(systemd-dissect --copy-from "$MINIMAL_IMAGE.raw" etc/os-release | sha256sum)
 test "$SHA256SUM1" != ""
@@ -879,7 +879,7 @@ echo "ID=_any" >/run/confexts/test/etc/extension-release.d/extension-release.tes
 echo "ARCHITECTURE=_any" >>/run/confexts/test/etc/extension-release.d/extension-release.test
 echo "MARKER_CONFEXT_123" >/run/confexts/test/etc/testfile
 cat <<EOF >/run/confexts/test/etc/testscript
-#!/usr/bin/env bash
+#!/bin/bash
 echo "This should not happen"
 EOF
 chmod +x /run/confexts/test/etc/testscript

test/units/TEST-54-CREDS.sh

@@ -24,7 +24,7 @@ run_with_cred_compare() (
 )
 
 test_mount_with_credential() {
-    local credfile tmpdir unit mount_path mount_test
+    local credfile tmpdir unit
     credfile="/tmp/mount-cred"
     tmpdir="/tmp/test-54-mount"
     unit=$(systemd-escape --suffix mount --path "$tmpdir")
@@ -42,16 +42,14 @@ LoadCredential=loadcred:$credfile
 EOF
 
     # Set up test mount type
-    mount_path="$(command -v mount 2>/dev/null)"
-    mount_test="${mount_path/\/bin/\/sbin}.thisisatest"
-    cat >"$mount_test" <<EOF
+    cat >/usr/sbin/mount.thisisatest <<EOF
 #!/usr/bin/env bash
 # Mount after verifying credential file content
 if [ \$(cat \${CREDENTIALS_DIRECTORY}/loadcred) = "foo" ]; then
     mount -t tmpfs \$1 \$2
 fi
 EOF
-    chmod +x "$mount_test"
+    chmod +x /usr/sbin/mount.thisisatest
 
     # Verify mount succeeds
     systemctl daemon-reload
@@ -64,7 +62,7 @@ EOF
 
     # Stop unit and delete files
     systemctl stop "$unit"
-    rm -f "$credfile" /run/systemd/system/"$unit" "$mount_test"
+    rm -f "$credfile" /run/systemd/system/"$unit" /usr/sbin/mount.thisisatest
     rm -rf "$tmpdir"
 }
 

test/units/TEST-55-OOMD.sh

@@ -93,7 +93,7 @@ EOF
 else
     # Ensure that we can start services even with a very low hard memory cap without oom-kills, but skip
     # under sanitizers as they balloon memory usage.
-    systemd-run -t -p MemoryMax=10M -p MemorySwapMax=0 -p MemoryZSwapMax=0 true
+    systemd-run -t -p MemoryMax=10M -p MemorySwapMax=0 -p MemoryZSwapMax=0 /bin/true
 fi
 
 test_basic() {
@@ -302,7 +302,7 @@ testcase_reload() {
 
 testcase_kernel_oom() {
     cat >/tmp/script.sh <<"EOF"
-#!/usr/bin/env bash
+#!/bin/bash
 choom --adjust '+1000' -- bash -c 'echo f >/proc/sysrq-trigger && exec sleep infinity'
 choom --adjust '+1000' -p $$
 echo f >/proc/sysrq-trigger
@@ -325,7 +325,7 @@ EOF
     systemctl reset-failed
 
     cat >/tmp/script.sh <<"EOF"
-#!/usr/bin/env bash
+#!/bin/bash
 echo '+memory' >/sys/fs/cgroup/system.slice/oom-kill.service/cgroup.subtree_control
 mkdir /sys/fs/cgroup/system.slice/oom-kill.service/sub
 echo 1 >/sys/fs/cgroup/system.slice/oom-kill.service/sub/memory.oom.group

test/units/TEST-60-MOUNT-RATELIMIT.sh

@@ -68,7 +68,7 @@ testcase_issue_23796() {
     mount_path="$(command -v mount 2>/dev/null)"
     mount_mytmpfs="${mount_path/\/bin/\/sbin}.mytmpfs"
     cat >"$mount_mytmpfs" <<EOF
-#!/usr/bin/env bash
+#!/bin/bash
 sleep ".\$RANDOM"
 exec -- $mount_path -t tmpfs tmpfs "\$2"
 EOF

test/units/TEST-65-ANALYZE.sh

@@ -1133,7 +1133,7 @@ Description=Test unit for systemd-analyze unit-shell
 [Service]
 Type=notify
 NotifyAccess=all
-ExecStart=sh -c "echo 'Hello from test unit' >/tmp/testfile; systemd-notify --ready; sleep infinity"
+ExecStart=/bin/sh -c "echo 'Hello from test unit' >/tmp/testfile; systemd-notify --ready; sleep infinity"
 PrivateTmp=disconnected
 EOF
 # Start the service

test/units/TEST-68-PROPAGATE-EXIT-STATUS.sh

@@ -69,7 +69,7 @@ EOF
 # Script to check that when an OnSuccess= dependency fires, the correct
 # MONITOR* env variables are passed.
 cat >/tmp/check_on_success.sh <<"EOF"
-#!/usr/bin/env bash
+#!/bin/sh
 
 set -ex
 env | sort
@@ -126,7 +126,7 @@ EOF
 # Script to check that when an OnFailure= dependency fires, the correct
 # MONITOR* env variables are passed.
 cat >/tmp/check_on_failure.sh <<"EOF"
-#!/usr/bin/env bash
+#!/bin/sh
 
 set -ex
 env | sort

test/units/TEST-69-SHUTDOWN.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/python3
 # SPDX-License-Identifier: LGPL-2.1-or-later
 # pylint: disable=broad-except
 

test/units/TEST-74-AUX-UTILS.ask-password.sh

@@ -19,6 +19,6 @@ systemd-tty-ask-password-agent --list
 varlinkctl introspect /run/systemd/io.systemd.AskPassword
 
 # Spawn an agent that always replies all ask password requests with "waldo"
-systemd-run -u waldo-ask-pw-agent.service -p Environment=SYSTEMD_ASK_PASSWORD_AGENT_PASSWORD=waldo -p Type=notify systemd-tty-ask-password-agent --watch --console=/dev/console
+systemd-run -u waldo-ask-pw-agent.service -p Environment=SYSTEMD_ASK_PASSWORD_AGENT_PASSWORD=waldo -p Type=notify /usr/bin/systemd-tty-ask-password-agent --watch --console=/dev/console
 assert_eq "$(systemd-ask-password --no-tty)" "waldo"
 assert_eq "$(varlinkctl call /usr/bin/systemd-ask-password io.systemd.AskPassword.Ask '{"message":"foobar"}' | jq '.passwords[0]')" "\"waldo\""

test/units/TEST-74-AUX-UTILS.capsule.sh

@@ -36,7 +36,7 @@ busctl -C foobar
 
 systemctl -C foobar
 
-systemd-run -C foobar -u sleepinfinity sleep infinity
+systemd-run -C foobar -u sleepinfinity /bin/sleep infinity
 
 systemctl -C foobar status sleepinfinity
 

test/units/TEST-74-AUX-UTILS.delta.sh

@@ -29,7 +29,7 @@ systemctl mask delta-test-unit-masked.service
 # Overridden unit
 cp -fv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-overridden.service
 cp -fv /run/systemd/system/delta-test-unit-overridden.service /etc/systemd/system/delta-test-unit-overridden.service
-echo "ExecStartPost=true" >>/etc/systemd/system/delta-test-unit-overridden.service
+echo "ExecStartPost=/bin/true" >>/etc/systemd/system/delta-test-unit-overridden.service
 # Overridden but equivalent unit
 ln -srfv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-equivalent.service
 ln -sfv /run/systemd/system/delta-test-unit-extended.service /etc/systemd/system/delta-test-unit-equivalent.service

test/units/TEST-74-AUX-UTILS.pty-forward.sh

@@ -7,7 +7,7 @@ systemd-pty-forward --background 41 --title test echo foobar
 
 # Test that signals are forwarded to the systemd-pty-forward child process.
 cat >/tmp/child <<\EOF
-#!/usr/bin/env bash
+#!/usr/bin/bash
 set -x
 
 trap 'touch /tmp/int' INT

test/units/TEST-74-AUX-UTILS.run.sh

@@ -126,7 +126,7 @@ systemd-run --remain-after-exit \
             true
 systemctl cat "$UNIT.service" "$UNIT.timer"
 grep -q "^OnUnitInactiveSec=16h$" "/run/systemd/transient/$UNIT.timer"
-grep -qE "^ExecStart=.*true.*$" "/run/systemd/transient/$UNIT.service"
+grep -qE "^ExecStart=.*/bin/true.*$" "/run/systemd/transient/$UNIT.service"
 systemctl stop "$UNIT.timer" "$UNIT.service" || :
 
 UNIT="timer-1-$RANDOM"
@@ -162,7 +162,7 @@ grep -q "^OnTimezoneChange=yes$" "/run/systemd/transient/$UNIT.timer"
 grep -q "^After=systemd-journald.service$" "/run/systemd/transient/$UNIT.timer"
 grep -q "^Description=My Fancy Timer$" "/run/systemd/transient/$UNIT.service"
 grep -q "^RemainAfterExit=yes$" "/run/systemd/transient/$UNIT.service"
-grep -qE "^ExecStart=.*true.*$" "/run/systemd/transient/$UNIT.service"
+grep -qE "^ExecStart=.*/bin/true.*$" "/run/systemd/transient/$UNIT.service"
 (! grep -q "^After=systemd-journald.service$" "/run/systemd/transient/$UNIT.service")
 systemctl stop "$UNIT.timer" "$UNIT.service" || :
 
@@ -180,7 +180,7 @@ systemd-analyze verify --recursive-errors=no "/run/systemd/transient/$UNIT.path"
 grep -q "^PathExists=/tmp$" "/run/systemd/transient/$UNIT.path"
 grep -q "^PathExists=/tmp/foo$" "/run/systemd/transient/$UNIT.path"
 grep -q "^PathChanged=/root/bar$" "/run/systemd/transient/$UNIT.path"
-grep -qE "^ExecStart=.*true.*$" "/run/systemd/transient/$UNIT.service"
+grep -qE "^ExecStart=.*/bin/true.*$" "/run/systemd/transient/$UNIT.service"
 systemctl stop "$UNIT.path" "$UNIT.service" || :
 
 : "Transient socket unit"
@@ -197,7 +197,7 @@ systemd-analyze verify --recursive-errors=no "/run/systemd/transient/$UNIT.socke
 grep -q "^ListenFIFO=/tmp/socket.fifo$" "/run/systemd/transient/$UNIT.socket"
 grep -q "^SocketMode=0666$" "/run/systemd/transient/$UNIT.socket"
 grep -q "^SocketMode=0644$" "/run/systemd/transient/$UNIT.socket"
-grep -qE "^ExecStart=.*true.*$" "/run/systemd/transient/$UNIT.service"
+grep -qE "^ExecStart=.*/bin/true.*$" "/run/systemd/transient/$UNIT.service"
 systemctl stop "$UNIT.socket" "$UNIT.service" || :
 
 : "Job mode"
@@ -215,8 +215,8 @@ SHELL=/bin/true systemd-run --shell
 SHELL=/bin/true systemd-run --scope --shell
 systemd-run --wait --pty true
 systemd-run --wait --machine=.host --pty true
-systemd-run --json=short true | jq . >/dev/null
-systemd-run --json=pretty true | jq . >/dev/null
+systemd-run --json=short /bin/true | jq . >/dev/null
+systemd-run --json=pretty /bin/true | jq . >/dev/null
 (! SHELL=/bin/false systemd-run --quiet --shell)
 
 (! systemd-run)

test/units/TEST-74-AUX-UTILS.varlinkctl.sh

@@ -53,6 +53,7 @@ fi
 IDL_FILE="$(mktemp)"
 varlinkctl introspect /run/systemd/journal/io.systemd.journal io.systemd.Journal | tee "${IDL_FILE:?}"
 varlinkctl validate-idl "$IDL_FILE"
+varlinkctl validate-idl "$IDL_FILE"
 cat /bin/sh >"$IDL_FILE"
 (! varlinkctl validate-idl "$IDL_FILE")
 
@@ -90,7 +91,7 @@ trap rm_rf_sshbindir EXIT
 
 # Create a fake "ssh" binary that validates everything works as expected if invoked for the "ssh-unix:" Varlink transport
 cat > "$SSHBINDIR"/ssh <<'EOF'
-#!/usr/bin/env bash
+#!/bin/sh
 
 set -xe
 
@@ -106,7 +107,7 @@ SYSTEMD_SSH="$SSHBINDIR/ssh" varlinkctl info ssh-unix:foobar:/run/systemd/journa
 
 # Now build another fake "ssh" binary that does the same for "ssh-exec:"
 cat > "$SSHBINDIR"/ssh <<'EOF'
-#!/usr/bin/env bash
+#!/bin/sh
 
 set -xe
 

test/units/TEST-74-AUX-UTILS.vpick.sh

@@ -98,19 +98,19 @@ ls -l /var/lib/machines/testroot.v
 
 test "$(systemd-vpick /var/lib/machines/testroot.v)" = /var/lib/machines/testroot.v/testroot_34/
 test "$(systemd-vpick --resolve=yes /var/lib/machines/testroot.v)" = /var/lib/machines/testroot.v/testroot_34/
-(! systemd-run --wait -p RootDirectory=/var/lib/machines/testroot.v true)
+(! systemd-run --wait -p RootDirectory=/var/lib/machines/testroot.v /bin/true)
 
 find /var/lib/machines/testroot.v/testroot_34
 rm -rf /var/lib/machines/testroot.v/testroot_34
 test "$(systemd-vpick /var/lib/machines/testroot.v)" = /var/lib/machines/testroot.v/testroot_33/
 test "$(systemd-vpick --resolve=yes /var/lib/machines/testroot.v)" = /tmp/dotvroot/
-systemd-run --wait -p RootDirectory=/var/lib/machines/testroot.v true
+systemd-run --wait -p RootDirectory=/var/lib/machines/testroot.v /bin/true
 
 rm /var/lib/machines/testroot.v/testroot_33
 test "$(systemd-vpick /var/lib/machines/testroot.v)" = /var/lib/machines/testroot.v/testroot_32/
 test "$(systemd-vpick --resolve=yes /var/lib/machines/testroot.v)" = /var/lib/machines/testroot.v/testroot_32/
-(! systemd-run --wait -p RootDirectory=/var/lib/machines/testroot.v true)
+(! systemd-run --wait -p RootDirectory=/var/lib/machines/testroot.v /bin/true)
 
 rm -rf /var/lib/machines/testroot.v/testroot_32
 (! systemd-vpick /var/lib/machines/testroot.v)
-(! systemd-run --wait -p RootDirectory=/var/lib/machines/testroot.v true)
+(! systemd-run --wait -p RootDirectory=/var/lib/machines/testroot.v /bin/true)

test/units/TEST-75-RESOLVED.sh

@@ -970,7 +970,7 @@ testcase_11_nft() {
     } >/run/systemd/system/test-nft.socket
     {
         echo "[Service]"
-        echo "ExecStart=sleep 10000"
+        echo "ExecStart=/usr/bin/sleep 10000"
     } >/run/systemd/system/test-nft.service
     systemctl daemon-reload
     systemctl start test-nft.socket

test/units/TEST-79-MEMPRESS.sh

@@ -28,7 +28,7 @@ UNIT="test-mempress-$RANDOM.service"
 SCRIPT="/tmp/mempress-$RANDOM.sh"
 
 cat >"$SCRIPT" <<'EOF'
-#!/usr/bin/env bash
+#!/bin/bash
 
 set -ex
 

test/units/TEST-81-GENERATORS.run-generator.sh

@@ -54,9 +54,9 @@ ARGS=(
     "systemd.run_success_action="
     "systemd.run_failure_action="
 
-    "systemd.run=false"
+    "systemd.run=/bin/false"
     "systemd.run="
-    "systemd.run=true"
+    "systemd.run=/bin/true"
     "systemd.run='echo this is a long string'"
 
     "systemd.run_success_action=reboot"
@@ -70,7 +70,7 @@ cat "$UNIT"
 systemd-analyze verify --man=no --recursive-errors=no "$UNIT"
 grep -qE "^SuccessAction=reboot$" "$UNIT"
 grep -qE "^FailureAction=poweroff-force$" "$UNIT"
-grep -qE "^ExecStart=false$" "$UNIT"
+grep -qE "^ExecStart=/bin/false$" "$UNIT"
 grep -qE "^ExecStart=$" "$UNIT"
-grep -qE "^ExecStart=true$" "$UNIT"
+grep -qE "^ExecStart=/bin/true$" "$UNIT"
 grep -qE "^ExecStart=echo this is a long string$" "$UNIT"

test/units/TEST-82-SOFTREBOOT.sh

@@ -32,7 +32,7 @@ KERNEL!="null", GOTO="end"
 ACTION=="remove", GOTO="end"
 
 IMPORT{db}="HISTORY"
-IMPORT{program}="/usr/bin/systemctl show --property=SoftRebootsCount"
+IMPORT{program}="/bin/bash -c 'systemctl show --property=SoftRebootsCount'"
 ENV{HISTORY}+="%E{ACTION}_%E{SEQNUM}_%E{SoftRebootsCount}"
 
 LABEL="end"
@@ -242,7 +242,7 @@ else
 
     survive_sigterm="/dev/shm/survive-sigterm-$RANDOM.sh"
     cat >"$survive_sigterm" <<EOF
-#!/usr/bin/env bash
+#!/bin/bash
 trap "" TERM
 systemd-notify --ready
 rm "$survive_sigterm"
@@ -252,7 +252,7 @@ EOF
 
     survive_argv="/dev/shm/survive-argv-$RANDOM.sh"
     cat >"$survive_argv" <<EOF
-#!/usr/bin/env bash
+#!/bin/bash
 systemd-notify --ready
 rm "$survive_argv"
 exec -a @sleep sleep infinity

test/units/TEST-87-AUX-UTILS-VM.coredump.sh

@@ -37,8 +37,7 @@ cp -vf /bin/sleep "${CORE_TEST_UNPRIV_BIN:?}"
 # Simple script that spawns given "fake" binary and then kills it with
 # given signal
 cat >"${MAKE_DUMP_SCRIPT:?}" <<\EOF
-#!/usr/bin/env bash
-set -ex
+#!/bin/bash -ex
 
 bin="${1:?}"
 sig="${2:?}"
@@ -99,12 +98,12 @@ EOF
     machinectl start "$CONTAINER"
     timeout "$TIMEOUT" bash -xec "until systemd-run -M '$CONTAINER' -q --wait --pipe true; do sleep .5; done"
 
-    [[ "$(systemd-run -M "$CONTAINER" -q --wait --pipe coredumpctl list -q --no-legend sleep | wc -l)" -eq 0 ]]
+    [[ "$(systemd-run -M "$CONTAINER" -q --wait --pipe coredumpctl list -q --no-legend /usr/bin/sleep | wc -l)" -eq 0 ]]
     machinectl copy-to "$CONTAINER" "$MAKE_DUMP_SCRIPT"
-    systemd-run -M "$CONTAINER" -q --wait --pipe "$MAKE_DUMP_SCRIPT" "sleep" "SIGABRT"
-    systemd-run -M "$CONTAINER" -q --wait --pipe "$MAKE_DUMP_SCRIPT" "sleep" "SIGTRAP"
+    systemd-run -M "$CONTAINER" -q --wait --pipe "$MAKE_DUMP_SCRIPT" "/usr/bin/sleep" "SIGABRT"
+    systemd-run -M "$CONTAINER" -q --wait --pipe "$MAKE_DUMP_SCRIPT" "/usr/bin/sleep" "SIGTRAP"
     # Wait a bit for the coredumps to get processed
-    timeout 30 bash -c "while [[ \$(systemd-run -M $CONTAINER -q --wait --pipe coredumpctl list -q --no-legend sleep | wc -l) -lt 2 ]]; do sleep 1; done"
+    timeout 30 bash -c "while [[ \$(systemd-run -M $CONTAINER -q --wait --pipe coredumpctl list -q --no-legend /usr/bin/sleep | wc -l) -lt 2 ]]; do sleep 1; done"
 
     machinectl stop "$CONTAINER"
     rm -rf "/var/lib/machines/$CONTAINER"
@@ -254,7 +253,7 @@ systemd-run -t --property CoredumpFilter=default ls /tmp
 if pkgconf --atleast-version 0.192 libdw ; then
     # dwfl_set_sysroot() is supported only in libdw-0.192 or newer.
     cat >"$MAKE_STACKTRACE_DUMP" <<END
-#!/usr/bin/env bash
+#!/bin/bash
 mount -t tmpfs tmpfs /tmp
 gcc -xc -O0 -g -o $CORE_STACKTRACE_TEST_BIN - <<EOF
 void baz(void) { int *x = 0; *x = 42; }
@@ -269,11 +268,11 @@ END
     mkdir -p /run/systemd/coredump.conf.d/
     printf '[Coredump]\nEnterNamespace=no' >/run/systemd/coredump.conf.d/99-enter-namespace.conf
 
-    unshare --pid --fork --mount-proc --mount --uts --ipc --net bash -c "$MAKE_STACKTRACE_DUMP" || :
+    unshare --pid --fork --mount-proc --mount --uts --ipc --net /bin/bash -c "$MAKE_STACKTRACE_DUMP" || :
     timeout 30 bash -c "until coredumpctl -1 info $CORE_STACKTRACE_TEST_BIN | grep -zvqE 'baz.*bar.*foo'; do sleep .2; done"
 
     printf '[Coredump]\nEnterNamespace=yes' >/run/systemd/coredump.conf.d/99-enter-namespace.conf
-    unshare --pid --fork --mount-proc --mount --uts --ipc --net bash -c "$MAKE_STACKTRACE_DUMP" || :
+    unshare --pid --fork --mount-proc --mount --uts --ipc --net /bin/bash -c "$MAKE_STACKTRACE_DUMP" || :
     timeout 30 bash -c "until coredumpctl -1 info $CORE_STACKTRACE_TEST_BIN | grep -zqE 'baz.*bar.*foo'; do sleep .2; done"
 else
     echo "libdw doesn't not support setting sysroot, skipping EnterNamespace= test"

test/units/util.sh

@@ -304,7 +304,7 @@ StateDirectory=app0
 RuntimeDirectory=app0
 EOF
         cat >"$initdir/opt/script0.sh" <<EOF
-#!/usr/bin/env bash
+#!/bin/bash
 set -e
 test -e /usr/lib/os-release
 echo bar >\${STATE_DIRECTORY}/foo
@@ -347,7 +347,7 @@ StateDirectory=app1
 RuntimeDirectory=app1
 EOF
         cat >"$initdir/opt/script1.sh" <<EOF
-#!/usr/bin/env bash
+#!/bin/bash
 set -e
 test -e /usr/lib/os-release
 echo baz >\${STATE_DIRECTORY}/foo