Merge pull request systemd#34548 from SimonPilkington/fix-creds-cat

YHNdnzj · web-flow · commit 6fd58537e5b0 · 2024-09-27T20:51:57.000+02:00
creds: fix cat with encrypted credentials
diff --git a/NEWS b/NEWS
@@ -11,7 +11,12 @@ CHANGES WITH 257 in spe:
           be updated accordingly. This change has been made to make it harder
           to accidentally delete too many files when using --purge incorrectly.
 
-        Announcements of Future Feature Removals and Incompatible Changes:
+        * The systemd-creds 'cat' verb now expects base64-encoded encrypted
+          credentials for consistency with the 'decrypt' verb and the
+          LoadCredentialEncrypted= service setting. Previously it could only
+          read raw binary data.
+
+       Announcements of Future Feature Removals and Incompatible Changes:
 
         * Support for automatic flushing of the nscd user/group database caches
           has been dropped.
diff --git a/src/creds/creds.c b/src/creds/creds.c
@@ -434,10 +434,14 @@ static int verb_cat(int argc, char **argv, void *userdata) {
                         if (!d) /* Not set */
                                 continue;
 
+                        ReadFullFileFlags flags = READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE;
+                        if (encrypted)
+                                flags |= READ_FULL_FILE_UNBASE64;
+
                         r = read_full_file_full(
                                         dirfd(d), *cn,
                                         UINT64_MAX, SIZE_MAX,
-                                        READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE,
+                                        flags,
                                         NULL,
                                         (char**) &data, &size);
                         if (r == -ENOENT) /* Not found */
diff --git a/test/units/TEST-54-CREDS.sh b/test/units/TEST-54-CREDS.sh
@@ -43,8 +43,8 @@ CRED_DIR="$(mktemp -d)"
 ENC_CRED_DIR="$(mktemp -d)"
 echo foo >"$CRED_DIR/secure-or-weak"
 echo foo >"$CRED_DIR/insecure"
-echo foo | systemd-creds --name="encrypted" encrypt - - | base64 -d >"$ENC_CRED_DIR/encrypted"
-echo foo | systemd-creds encrypt - - | base64 -d >"$ENC_CRED_DIR/encrypted-unnamed"
+echo foo | systemd-creds --name="encrypted" encrypt - "$ENC_CRED_DIR/encrypted"
+echo foo | systemd-creds encrypt - "$ENC_CRED_DIR/encrypted-unnamed"
 chmod -R 0400 "$CRED_DIR" "$ENC_CRED_DIR"
 chmod -R 0444 "$CRED_DIR/insecure"
 mkdir /tmp/empty/
