[systemd-devel] Using credential directives in user units always exits 243/CREDENTIALS

Gesh gesh at gesh.uni.cx
Mon Aug 12 22:28:43 UTC 2024


Hi,
I've been unsuccessfully trying to migrate my user units to use credentials for
storing gpg passphrases to encrypt stored state.
I've reduced this to the following MWE:
> [Service]
> # generated by
> # printf %s test | systemd-creds encrypt --user --name=test-password -p - -
> SetCredentialEncrypted=test-password: \
>         70rBNnmpSA6n22iJf58WXSAAAAABAAAADAAAABAAAAB6rVkJL5nM+F5NRvYAAAAAgAAAA \
>         AAAAAALACMA0AAAACAAAAAAfgAghijOoUw1lKX9BioGUmvKXDN69osbd2So8speZ/Z+xL \
>         wAENrIkYRenzlbEGpX0v2fDYkkLrdlXO8uqfdIptqgJSisID5vIyqWICPH59LcC66LUeZ \
>         Hq4+p3D//0tbKw95QfQCIlFb21tVytit4NFPueisKb81AD4IbtyG7RABOAAgACwAABBIA \
>         IM9O3Zs/eqFefF0Yu2eq2Q7qe6mpPjCsyQfMjGWkJmvGABAAIGtogyNYFOsRpAaVuwQDu \
>         GHbOedElZmvBpLxQsHzduoYz07dmz96oV58XRi7Z6rZDup7qak+MKzJB8yMZaQma8YAAA \
>         AABwAAAAAAAACnvgUY0faB0COAsMCgUAvznFtWFnIyDPx+u52ls8hW2ajtq5xmkSMnNbz \
>         7ICryM/DCPmN8GcJZy01ZA+I=
> ExecStart=cat %d/test-password
> 
> [Install]
> WantedBy=default.target
which yields the following log:
> Aug 13 00:51:15 telcontar systemd[1259]: Started test.service.
> Aug 13 00:51:20 telcontar (cat)[166546]: Failed to determine local credential key: Permission denied
> Aug 13 00:51:20 telcontar (cat)[166546]: test.service: Failed to set up credentials: Permission denied
> Aug 13 00:51:20 telcontar (cat)[166546]: test.service: Failed at step CREDENTIALS spawning cat: Permission denied
> Aug 13 00:51:20 telcontar systemd[1259]: test.service: Main process exited, code=exited, status=243/CREDENTIALS
> Aug 13 00:51:20 telcontar systemd[1259]: test.service: Failed with result 'exit-code'.

However, roundtripping through `systemd-creds` does work:
> $ printf %s test | systemd-creds encrypt --user --name=test-password - - \
> > | systemd-creds decrypt --user --name=test-password -
> test
which brings me to the workaround of using the following instead:
> [Service]
> ExecStart=systemd-creds --user decrypt %S/test.enc
> 
> [Install]
> WantedBy=default.target

Is this the intended usage?

Thanks,
Gesh

