From: Luca Boccassi
Date: Wed, 11 Mar 2026 12:15:26 +0000 (+0000)
Subject: [PATCH] nspawn: apply BindUser/Ephemeral from settings file only if trusted
X-Git-Tag: archive/raspbian/252.39-1_deb12u2+rpi1^2~2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b11102694357c3ea776d4db4d79cc8c586857254;p=systemd.git
[PATCH] nspawn: apply BindUser/Ephemeral from settings file only if trusted
Originally reported on yeswehack.com as: YWH-PGM9780-116
Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df
Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a
(cherry picked from commit 61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40)
(cherry picked from commit 718711ed876c870a72149eea279b819cdab14e91)
(cherry picked from commit e4db9c12957d315c0ed22c6ca87a816d0927d6dc)
Origin: upstream, https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a
Gbp-Pq: Name CVE-2026-40226-1.patch
---
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 0e27c6d6..cd12042b 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4329,8 +4329,13 @@ static int merge_settings(Settings *settings, const char *path) {
         }
 
         if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 &&
-            settings->ephemeral >= 0)
-                arg_ephemeral = settings->ephemeral;
+            settings->ephemeral >= 0) {
+
+                if (!arg_settings_trusted)
+                        log_warning("Ignoring ephemeral setting, file %s is not trusted.", path);
+                else
+                        arg_ephemeral = settings->ephemeral;
+        }
 
         if ((arg_settings_mask & SETTING_DIRECTORY) == 0 &&
             settings->root) {
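Review bot: Nothing in the new block records why Ephemeral= is now treated as a privileged setting, and the commit message only points at an external report id, so a later reader of merge_settings cannot tell whether the trust gate is essential or incidental; a short comment above the `if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 &&` line, such as `/* Ephemeral= is only honoured from a trusted .nspawn file; an untrusted file may not change whether the container runs on a throw-away copy (see CVE-2026-40226). */`, would preserve that. The same comment is missing from the BindUser= block in the second hunk. merge_settings both starts and ends outside this hunk, so I cannot see whether the other trust-gated settings in it already carry such a note to match.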
@@ -4498,8 +4503,13 @@ static int merge_settings(Settings *settings, const char *path) {
         }
 
         if ((arg_settings_mask & SETTING_BIND_USER) == 0 &&
-            !strv_isempty(settings->bind_user))
-                strv_free_and_replace(arg_bind_user, settings->bind_user);
+            !strv_isempty(settings->bind_user)) {
+
+                if (!arg_settings_trusted)
+                        log_warning("Ignoring bind user setting, file %s is not trusted.", path);
+                else
+                        strv_free_and_replace(arg_bind_user, settings->bind_user);
+        }
 
         if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 &&
             settings->notify_ready >= 0)
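Review bot: The warning on the new log_warning line names the option by a paraphrase ("bind user setting") rather than by the key the user actually wrote in the .nspawn file, so someone grepping the journal for their setting will not find it; `log_warning("Ignoring BindUser= setting, file %s is not trusted.", path);` keeps the message tied to the key, and the first hunk's `Ignoring ephemeral setting` would benefit from the same `Ephemeral=` spelling. Otherwise the untrusted branch reads correctly: settings->bind_user is simply left in the Settings object rather than moved into arg_bind_user, so presumably it is released with the rest of settings and nothing leaks. merge_settings starts and ends outside this hunk.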