From fd3b2070111e7830721ec9204f8fcdd7baac9074 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Tue, 8 Jul 2025 22:02:46 +0200 Subject: [PATCH 1/5] units/systemd-tmpfiles-setup.service: explicitly set RestrictSUIDSGID=no The tmpfiles service is used to set file permissions, e.g. for setting suid bit on the journal log directory [1]. [1] https://github.com/systemd/systemd/blob/48e0f7bc2f94e74d15eed5c9e70b1c0269a495ec/tmpfiles.d/systemd.conf.in#L24-L25 --- units/systemd-tmpfiles-setup.service | 1 + 1 file changed, 1 insertion(+) diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service index b92beb7314..1299b195fe 100644 --- a/units/systemd-tmpfiles-setup.service +++ b/units/systemd-tmpfiles-setup.service @@ -28,3 +28,4 @@ ImportCredential=login.motd ImportCredential=login.issue ImportCredential=network.hosts ImportCredential=ssh.authorized_keys.root +RestrictSUIDSGID=no From 30bbdf07710960c135c36723a2cb063c0a3abb5d Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Tue, 8 Jul 2025 21:21:25 +0200 Subject: [PATCH 2/5] core: add 'DefaultRestrictSUIDSGID' config option closes #37602 On typical systems, only few services need to create SUID/SGID files. This often is limited to the user explicitly setting suid/sgid, the `systemd-tmpfiles*` services, and the package manager. Allowing a default to globally restrict creation of suid/sgid files makes it easier to apply this restriction precisely. --- src/core/main.c | 1 + src/core/manager.c | 2 ++ src/core/manager.h | 2 ++ src/core/system.conf.in | 1 + src/core/unit.c | 2 ++ src/core/user.conf.in | 1 + 6 files changed, 9 insertions(+) diff --git a/src/core/main.c b/src/core/main.c index c32a971455..953681c99d 100644 --- a/src/core/main.c +++ b/src/core/main.c 
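Review bot: The added `RestrictSUIDSGID=no` opts out only systemd-tmpfiles-setup.service, while the rationale in patch 2 of this series says the `systemd-tmpfiles*` services as a group need it; the sibling units that also run `systemd-tmpfiles --create` (systemd-tmpfiles-setup-dev-early.service, systemd-tmpfiles-setup-dev.service and the user-instance unit under units/user/, if I have the names right) are not touched and would inherit a `DefaultRestrictSUIDSGID=yes`, so either patch them as well or state in the commit why they never apply SUID/SGID modes. Because this line deliberately weakens a sandbox setting it deserves a why-comment beside it so it is not "cleaned up" later, e.g. `# tmpfiles.d entries apply SUID/SGID modes (e.g. 2755 on /var/log/journal), so this unit must not be covered by DefaultRestrictSUIDSGID=`. If the referenced lines in tmpfiles.d/systemd.conf.in are the 2755 journal-directory entries, that is an SGID directory mode rather than a SUID bit, so the commit message wording is slightly off.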
@@ -773,6 +773,7 @@ static int parse_config_file(void) { { "Manager", "DefaultStartLimitInterval", config_parse_sec, 0, &arg_defaults.start_limit.interval}, /* obsolete alias */ { "Manager", "DefaultStartLimitIntervalSec", config_parse_sec, 0, &arg_defaults.start_limit.interval}, { "Manager", "DefaultStartLimitBurst", config_parse_unsigned, 0, &arg_defaults.start_limit.burst }, + { "Manager", "DefaultRestrictSUIDSGID", config_parse_bool, 0, &arg_defaults.restrict_suid_sgid }, { "Manager", "DefaultEnvironment", config_parse_environ, arg_runtime_scope, &arg_default_environment }, { "Manager", "ManagerEnvironment", config_parse_environ, arg_runtime_scope, &arg_manager_environment }, { "Manager", "DefaultLimitCPU", config_parse_rlimit, RLIMIT_CPU, arg_defaults.rlimit }, diff --git a/src/core/manager.c b/src/core/manager.c index aa43c9d79b..d85896577f 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -4259,6 +4259,8 @@ int manager_set_unit_defaults(Manager *m, const UnitDefaults *defaults) { m->defaults.timeout_abort_set = defaults->timeout_abort_set; m->defaults.device_timeout_usec = defaults->device_timeout_usec; + m->defaults.restrict_suid_sgid = defaults->restrict_suid_sgid; + m->defaults.start_limit = defaults->start_limit; m->defaults.memory_accounting = defaults->memory_accounting; diff --git a/src/core/manager.h b/src/core/manager.h index c267ebe7ee..a7009a49d7 100644 --- a/src/core/manager.h +++ b/src/core/manager.h @@ -141,6 +141,8 @@ typedef struct UnitDefaults { CGroupTasksMax tasks_max; usec_t timer_accuracy_usec; + bool restrict_suid_sgid; + OOMPolicy oom_policy; int oom_score_adjust; bool oom_score_adjust_set; diff --git a/src/core/system.conf.in b/src/core/system.conf.in index 051a18bd21..54196e8489 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in @@ -79,5 +79,6 @@ #DefaultMemoryPressureWatch=auto #DefaultOOMPolicy=stop #DefaultSmackProcessLabel= +#DefaultRestrictSUIDSGID= #ReloadLimitIntervalSec= #ReloadLimitBurst= 
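Review bot: The new `DefaultRestrictSUIDSGID` table entry parses straight into `arg_defaults.restrict_suid_sgid`, but nothing in the series touches the place where `arg_defaults` is initialized or reset (e.g. before a reload/reexec re-parses the config); if that code is a zero-initializing compound literal the field starts as false and this is fine, but if it assigns members individually the pre-parse value is stale and the restriction could switch on for every unit without ever being configured. Please confirm, and if needed add an explicit `.restrict_suid_sgid = false,` there so the fail-open default is deliberate rather than implicit. `parse_config_file()` starts and ends outside this hunk.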
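Review bot: `#DefaultRestrictSUIDSGID=` is listed without a value, whereas the neighbouring defaults in this file show the effective value so an administrator can see it at a glance (`#DefaultOOMPolicy=stop` two lines up in this hunk); the line should read `#DefaultRestrictSUIDSGID=no`, and the matching user.conf.in hunk in the same commit should get the same treatment. Since this knob enables a seccomp-based restriction for every unit that does not override it, making the shipped default visible is worth the extra two characters.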
diff --git a/src/core/unit.c b/src/core/unit.c index e796515747..9051fc6923 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -191,6 +191,8 @@ static void unit_init(Unit *u) { ec->oom_score_adjust_set = true; } + ec->restrict_suid_sgid = u->manager->defaults.restrict_suid_sgid; + if (MANAGER_IS_SYSTEM(u->manager)) ec->keyring_mode = EXEC_KEYRING_SHARED; else { diff --git a/src/core/user.conf.in b/src/core/user.conf.in index 14f0eae7f8..9c37f4b54e 100644 --- a/src/core/user.conf.in +++ b/src/core/user.conf.in @@ -55,5 +55,6 @@ #DefaultMemoryPressureThresholdSec=200ms #DefaultMemoryPressureWatch=auto #DefaultSmackProcessLabel= +#DefaultRestrictSUIDSGID= #ReloadLimitIntervalSec= #ReloadLimitBurst From 97998d1cbe6a0370e3a12b03ddb08e1c9f433f14 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Wed, 9 Jul 2025 11:46:01 +0200 Subject: [PATCH 3/5] core/dbus-manager: Support 'DefaultRestrictSUIDSGID' option --- man/org.freedesktop.systemd1.xml | 9 ++++++++- src/core/dbus-manager.c | 1 + 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml index d5f270c681..8338db5580 100644 --- a/man/org.freedesktop.systemd1.xml +++ b/man/org.freedesktop.systemd1.xml @@ -557,6 +557,8 @@ node /org/freedesktop/systemd1 { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly i DefaultOOMScoreAdjust = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly b DefaultRestrictSUIDSGID = ...; + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly s CtrlAltDelBurstAction = '...'; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly u SoftRebootsCount = ...; @@ -793,6 +795,8 @@ node /org/freedesktop/systemd1 { + + @@ -1237,6 +1241,8 @@ node /org/freedesktop/systemd1 { + + 
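Review bot: The added `ec->restrict_suid_sgid = u->manager->defaults.restrict_suid_sgid;` in `unit_init()` seeds every exec context unconditionally, including user-manager units since it sits before and outside the `MANAGER_IS_SYSTEM()` branch, and it presumably relies on unit files (and transient-unit properties) being loaded after `unit_init()` runs so that an explicit `RestrictSUIDSGID=` still wins. That ordering assumption is not visible here and should be recorded next to the line, e.g. `/* Seed from DefaultRestrictSUIDSGID=; an explicit RestrictSUIDSGID= in the unit overrides this when it is loaded. */`. Note also that the `DynamicUser=` implication documented in systemd.exec(5) is applied elsewhere, so a global `no` does not disable the restriction for DynamicUser= units; the man text in patch 5 gets this right, but a short comment here would keep the two in sync. `unit_init()` starts outside this hunk.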
@@ -12246,7 +12252,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \ ShutdownStartTimestamp, ShutdownStartTimestampMonotonic, and SoftRebootsCount were added in version 256. - RemoveSubgroupFromUnit(), and + DefaultRestrictSUIDSGID, + RemoveSubgroupFromUnit(), and KillUnitSubgroup() were added in version 258. diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index 67398b7cb3..6b6b8916de 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -2938,6 +2938,7 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_PROPERTY("TimerSlackNSec", "t", property_get_timer_slack_nsec, 0, SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultOOMPolicy", "s", bus_property_get_oom_policy, offsetof(Manager, defaults.oom_policy), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultOOMScoreAdjust", "i", property_get_oom_score_adjust, 0, SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("DefaultRestrictSUIDSGID", "b", bus_property_get_bool, offsetof(Manager, defaults.restrict_suid_sgid), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("CtrlAltDelBurstAction", "s", bus_property_get_emergency_action, offsetof(Manager, cad_burst_action), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("SoftRebootsCount", "u", bus_property_get_unsigned, offsetof(Manager, soft_reboots_count), SD_BUS_VTABLE_PROPERTY_CONST), From aa668230c988321fcfba52a1de7a80df95ccd1aa Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Wed, 9 Jul 2025 11:28:10 +0200 Subject: [PATCH 4/5] core/varlink-manager: Support 'DefaultRestrictSUIDSGID' option --- src/core/varlink-manager.c | 1 + src/shared/varlink-io.systemd.Manager.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/src/core/varlink-manager.c b/src/core/varlink-manager.c index 8a78052313..217769c153 100644 --- a/src/core/varlink-manager.c +++ b/src/core/varlink-manager.c 
@@ -76,6 +76,7 @@ static int manager_context_build_json(sd_json_variant **ret, const char *name, v JSON_BUILD_PAIR_FINITE_USEC("TimerSlackNSec", (uint64_t) prctl(PR_GET_TIMERSLACK)), SD_JSON_BUILD_PAIR_STRING("DefaultOOMPolicy", oom_policy_to_string(m->defaults.oom_policy)), SD_JSON_BUILD_PAIR_INTEGER("DefaultOOMScoreAdjust", m->defaults.oom_score_adjust), + SD_JSON_BUILD_PAIR_BOOLEAN("DefaultRestrictSUIDSGID", m->defaults.restrict_suid_sgid), SD_JSON_BUILD_PAIR_STRING("CtrlAltDelBurstAction", emergency_action_to_string(m->cad_burst_action))); } diff --git a/src/shared/varlink-io.systemd.Manager.c b/src/shared/varlink-io.systemd.Manager.c index 2b26ef1dcf..299e0a9c30 100644 --- a/src/shared/varlink-io.systemd.Manager.c +++ b/src/shared/varlink-io.systemd.Manager.c @@ -74,6 +74,8 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE( SD_VARLINK_DEFINE_FIELD(DefaultOOMPolicy, SD_VARLINK_STRING, 0), SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd-system.conf.html#DefaultOOMScoreAdjust="), SD_VARLINK_DEFINE_FIELD(DefaultOOMScoreAdjust, SD_VARLINK_INT, 0), + SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd-system.conf.html#DefaultRestrictSUIDSGID="), + SD_VARLINK_DEFINE_FIELD(DefaultRestrictSUIDSGID, SD_VARLINK_BOOL, 0), SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd-system.conf.html#CtrlAltDelBurstAction="), SD_VARLINK_DEFINE_FIELD(CtrlAltDelBurstAction, SD_VARLINK_STRING, 0)); From 0316fb8219bef47a90db3eb8363251f8391d96cd Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Tue, 8 Jul 2025 21:39:06 +0200 Subject: [PATCH 5/5] core: document 'DefaultRestrictSUIDSGID' --- man/systemd-system.conf.xml | 11 +++++++++++ man/systemd.exec.xml | 6 +++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 23c422df80..164cfee1ed 100644 
--- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -547,6 +547,17 @@ + + + DefaultRestrictSUIDSGID= + + Takes a boolean argument. This is used as a default for units + which lack an explicit definition for RestrictSUIDSGID=. + See systemd.exec5 + for the details. + + + diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 813ea02313..b583668f1d 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -2626,7 +2626,11 @@ RestrictNamespaces=~cgroup net programs that actually require them. Note that this restricts marking of any type of file system object with these bits, including both regular files and directories (where the SGID is a different meaning than for files, see documentation). This option is implied if DynamicUser= - is enabled. Defaults to off. + is enabled. + + In other cases, this setting defaults to the value set with DefaultRestrictSUIDSGID= in + systemd-system.conf5, which + defaults to off.