diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml index 2f61e2f946..a49b81b0c6 100644 --- a/man/org.freedesktop.systemd1.xml +++ b/man/org.freedesktop.systemd1.xml @@ -557,6 +557,8 @@ node /org/freedesktop/systemd1 { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly i DefaultOOMScoreAdjust = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly b DefaultRestrictSUIDSGID = ...; + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly s CtrlAltDelBurstAction = '...'; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly u SoftRebootsCount = ...; @@ -793,6 +795,8 @@ node /org/freedesktop/systemd1 { + + @@ -1237,6 +1241,8 @@ node /org/freedesktop/systemd1 { + + @@ -12366,7 +12372,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \ ShutdownStartTimestamp, ShutdownStartTimestampMonotonic, and SoftRebootsCount were added in version 256. - RemoveSubgroupFromUnit(), and + DefaultRestrictSUIDSGID, + RemoveSubgroupFromUnit(), and KillUnitSubgroup() were added in version 258. diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 23c422df80..164cfee1ed 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -547,6 +547,17 @@ + + + DefaultRestrictSUIDSGID= + + Takes a boolean argument. This is used as a default for units + which lack an explicit definition for RestrictSUIDSGID=. + See systemd.exec5 + for the details. + + + diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index a78187e0eb..ac25f6f260 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -2690,7 +2690,11 @@ RestrictNamespaces=~cgroup net programs that actually require them. Note that this restricts marking of any type of file system object with these bits, including both regular files and directories (where the SGID is a different meaning than for files, see documentation). This option is implied if DynamicUser= - is enabled. Defaults to off. + is enabled. + + In other cases, this setting defaults to the value set with DefaultRestrictSUIDSGID= in + systemd-system.conf5, which + defaults to off. diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index 67398b7cb3..6b6b8916de 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -2938,6 +2938,7 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_PROPERTY("TimerSlackNSec", "t", property_get_timer_slack_nsec, 0, SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultOOMPolicy", "s", bus_property_get_oom_policy, offsetof(Manager, defaults.oom_policy), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultOOMScoreAdjust", "i", property_get_oom_score_adjust, 0, SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("DefaultRestrictSUIDSGID", "b", bus_property_get_bool, offsetof(Manager, defaults.restrict_suid_sgid), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("CtrlAltDelBurstAction", "s", bus_property_get_emergency_action, offsetof(Manager, cad_burst_action), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("SoftRebootsCount", "u", bus_property_get_unsigned, offsetof(Manager, soft_reboots_count), SD_BUS_VTABLE_PROPERTY_CONST), diff --git a/src/core/main.c b/src/core/main.c index c32a971455..953681c99d 100644 --- a/src/core/main.c +++ b/src/core/main.c 
@@ -773,6 +773,7 @@ static int parse_config_file(void) { { "Manager", "DefaultStartLimitInterval", config_parse_sec, 0, &arg_defaults.start_limit.interval}, /* obsolete alias */ { "Manager", "DefaultStartLimitIntervalSec", config_parse_sec, 0, &arg_defaults.start_limit.interval}, { "Manager", "DefaultStartLimitBurst", config_parse_unsigned, 0, &arg_defaults.start_limit.burst }, + { "Manager", "DefaultRestrictSUIDSGID", config_parse_bool, 0, &arg_defaults.restrict_suid_sgid }, { "Manager", "DefaultEnvironment", config_parse_environ, arg_runtime_scope, &arg_default_environment }, { "Manager", "ManagerEnvironment", config_parse_environ, arg_runtime_scope, &arg_manager_environment }, { "Manager", "DefaultLimitCPU", config_parse_rlimit, RLIMIT_CPU, arg_defaults.rlimit }, diff --git a/src/core/manager.c b/src/core/manager.c index aa43c9d79b..d85896577f 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -4259,6 +4259,8 @@ int manager_set_unit_defaults(Manager *m, const UnitDefaults *defaults) { m->defaults.timeout_abort_set = defaults->timeout_abort_set; m->defaults.device_timeout_usec = defaults->device_timeout_usec; + m->defaults.restrict_suid_sgid = defaults->restrict_suid_sgid; + m->defaults.start_limit = defaults->start_limit; m->defaults.memory_accounting = defaults->memory_accounting; diff --git a/src/core/manager.h b/src/core/manager.h index c267ebe7ee..a7009a49d7 100644 --- a/src/core/manager.h +++ b/src/core/manager.h @@ -141,6 +141,8 @@ typedef struct UnitDefaults { CGroupTasksMax tasks_max; usec_t timer_accuracy_usec; + bool restrict_suid_sgid; + OOMPolicy oom_policy; int oom_score_adjust; bool oom_score_adjust_set; diff --git a/src/core/system.conf.in b/src/core/system.conf.in index 051a18bd21..54196e8489 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in @@ -79,5 +79,6 @@ #DefaultMemoryPressureWatch=auto #DefaultOOMPolicy=stop #DefaultSmackProcessLabel= +#DefaultRestrictSUIDSGID= #ReloadLimitIntervalSec= #ReloadLimitBurst= 
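Review bot: `#DefaultRestrictSUIDSGID=` in src/core/system.conf.in is added with an empty value, while neighbouring commented entries show their built-in default (`#DefaultOOMPolicy=stop`, `#DefaultMemoryPressureWatch=auto`). The systemd.exec text changed in this same commit says the setting defaults to off, so the template line would read better as `#DefaultRestrictSUIDSGID=no`. The same applies to the identical line added to src/core/user.conf.in. An administrator reading the file then sees that this hardening is inactive until the value is changed.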
diff --git a/src/core/unit.c b/src/core/unit.c index e796515747..9051fc6923 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -191,6 +191,8 @@ static void unit_init(Unit *u) { ec->oom_score_adjust_set = true; } + ec->restrict_suid_sgid = u->manager->defaults.restrict_suid_sgid; + if (MANAGER_IS_SYSTEM(u->manager)) ec->keyring_mode = EXEC_KEYRING_SHARED; else { diff --git a/src/core/user.conf.in b/src/core/user.conf.in index 14f0eae7f8..9c37f4b54e 100644 --- a/src/core/user.conf.in +++ b/src/core/user.conf.in @@ -55,5 +55,6 @@ #DefaultMemoryPressureThresholdSec=200ms #DefaultMemoryPressureWatch=auto #DefaultSmackProcessLabel= +#DefaultRestrictSUIDSGID= #ReloadLimitIntervalSec= #ReloadLimitBurst diff --git a/src/core/varlink-manager.c b/src/core/varlink-manager.c index 8a78052313..217769c153 100644 --- a/src/core/varlink-manager.c +++ b/src/core/varlink-manager.c @@ -76,6 +76,7 @@ static int manager_context_build_json(sd_json_variant **ret, const char *name, v JSON_BUILD_PAIR_FINITE_USEC("TimerSlackNSec", (uint64_t) prctl(PR_GET_TIMERSLACK)), SD_JSON_BUILD_PAIR_STRING("DefaultOOMPolicy", oom_policy_to_string(m->defaults.oom_policy)), SD_JSON_BUILD_PAIR_INTEGER("DefaultOOMScoreAdjust", m->defaults.oom_score_adjust), + SD_JSON_BUILD_PAIR_BOOLEAN("DefaultRestrictSUIDSGID", m->defaults.restrict_suid_sgid), SD_JSON_BUILD_PAIR_STRING("CtrlAltDelBurstAction", emergency_action_to_string(m->cad_burst_action))); } diff --git a/src/shared/varlink-io.systemd.Manager.c b/src/shared/varlink-io.systemd.Manager.c index 2b26ef1dcf..299e0a9c30 100644 --- a/src/shared/varlink-io.systemd.Manager.c +++ b/src/shared/varlink-io.systemd.Manager.c 
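Review bot: The new assignment `ec->restrict_suid_sgid = u->manager->defaults.restrict_suid_sgid;` in unit_init() applies the manager-wide value to every unit that has an exec context, in both the system and the user manager, and carries no comment explaining that. Only units/systemd-tmpfiles-setup.service opts out in this commit, so with DefaultRestrictSUIDSGID=yes any other unit that has to set these bits would have those calls refused; the diff does not show whether the remaining shipped units were audited. In the per-user manager this option presumably also implies NoNewPrivileges=, as the other seccomp-backed options do when the manager is unprivileged; that should be confirmed and mentioned in the DefaultRestrictSUIDSGID= documentation. A short comment would help here, e.g. `/* Manager-wide default; an explicit RestrictSUIDSGID= in the unit file overrides it */`. unit_init()'s body starts and ends outside the hunk.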
@@ -74,6 +74,8 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
 SD_VARLINK_DEFINE_FIELD(DefaultOOMPolicy, SD_VARLINK_STRING, 0),
 SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd-system.conf.html#DefaultOOMScoreAdjust="),
 SD_VARLINK_DEFINE_FIELD(DefaultOOMScoreAdjust, SD_VARLINK_INT, 0),
+ SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd-system.conf.html#DefaultRestrictSUIDSGID="),
+ SD_VARLINK_DEFINE_FIELD(DefaultRestrictSUIDSGID, SD_VARLINK_BOOL, 0),
 SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd-system.conf.html#CtrlAltDelBurstAction="),
 SD_VARLINK_DEFINE_FIELD(CtrlAltDelBurstAction, SD_VARLINK_STRING, 0));
diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service
index b92beb7314..1299b195fe 100644
--- a/units/systemd-tmpfiles-setup.service
+++ b/units/systemd-tmpfiles-setup.service
@@ -28,3 +28,4 @@ ImportCredential=login.motd
 ImportCredential=login.issue
 ImportCredential=network.hosts
 ImportCredential=ssh.authorized_keys.root
+RestrictSUIDSGID=no
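Review bot: `RestrictSUIDSGID=no` in units/systemd-tmpfiles-setup.service is added without a comment, so a later hardening pass could mistake it for a leftover and remove it. The opt-out is presumably there because tmpfiles.d entries may legitimately apply set-user-ID or set-group-ID modes; a line above it such as `# tmpfiles.d entries may set SUID/SGID bits, so opt out of DefaultRestrictSUIDSGID=` would record that. No other unit that invokes systemd-tmpfiles is touched in this diff. If any of them can apply such modes they would need the same explicit opt-out, which cannot be checked from here.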