update TODO

(And some other minor tweaks)

TODO

@@ -446,10 +446,6 @@ Features:
 * credentials: add a flag to the scoped credentials that if set require PK
   reauthentication when unlocking a secret.
 
-* teach systemd --user to properly load credentials off disk, with
-  /etc/credstore equivalent and similar. Make sure that $CREDENTIALS_DIRECTORY=
-  actually works too when run with user privs.
-
 * extend the smbios11 logic for passing credentials so that instead of passing
   the credential data literally it can also just reference an AF_VSOCK CID/port
   to read them from. This way the data doesn't remain in the SMBIOS blob during

man/systemd.exec.xml

@@ -3468,37 +3468,43 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
         <term><varname>LoadCredentialEncrypted=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term>
 
         <listitem><para>Pass a credential to the unit. Credentials are limited-size binary or textual objects
-        that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
-        public and private) or certificates, user account information or identity information from host to
-        services. The data is accessible from the unit's processes via the file system, at a read-only
-        location that (if possible and permitted) is backed by non-swappable memory. The data is only
-        accessible to the user associated with the unit, via the
-        <varname>User=</varname>/<varname>DynamicUser=</varname> settings (as well as the superuser). When
-        available, the location of credentials is exported as the <varname>$CREDENTIALS_DIRECTORY</varname>
-        environment variable to the unit's processes.</para>
+        that may be passed to unit processes. They are primarily intended for passing cryptographic keys
+        (both public and private) or certificates, user account information or identity information from host
+        to services, but can be freely used to pass any kind of limited-size information to a service. The
+        data is accessible from the unit's processes via the file system, at a read-only location that (if
+        possible and permitted) is backed by non-swappable memory. The data is only accessible to the user
+        associated with the unit, via the <varname>User=</varname>/<varname>DynamicUser=</varname> settings
+        (as well as the superuser). When available, the location of credentials is exported as the
+        <varname>$CREDENTIALS_DIRECTORY</varname> environment variable to the unit's processes.</para>
 
         <para>The <varname>LoadCredential=</varname> setting takes a textual ID to use as name for a
         credential plus a file system path, separated by a colon. The ID must be a short ASCII string
         suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
         is absolute it is opened as regular file and the credential data is read from it. If the absolute
         path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made
-        to it (only once at unit start-up) and the credential data read from the connection, providing an
+        to it (once at process invocation) and the credential data read from the connection, providing an
         easy IPC integration point for dynamically transferring credentials from other services.</para>
 
         <para>If the specified path is not absolute and itself qualifies as valid credential identifier it is
         attempted to find a credential that the service manager itself received under the specified name —
         which may be used to propagate credentials from an invoking environment (e.g. a container manager
-        that invoked the service manager) into a service. If no matching system credential is found, the
-        directories <filename>/etc/credstore/</filename>, <filename>/run/credstore/</filename> and
-        <filename>/usr/lib/credstore/</filename> are searched for files under the credential's name — which
-        hence are recommended locations for credential data on disk. If
+        that invoked the service manager) into a service. If no matching passed credential is found, the
+        system service manager will search the directories <filename>/etc/credstore/</filename>,
+        <filename>/run/credstore/</filename> and <filename>/usr/lib/credstore/</filename> for files under the
+        credential's name — which hence are recommended locations for credential data on disk. If
         <varname>LoadCredentialEncrypted=</varname> is used <filename>/run/credstore.encrypted/</filename>,
         <filename>/etc/credstore.encrypted/</filename>, and
-        <filename>/usr/lib/credstore.encrypted/</filename> are searched as well.</para>
+        <filename>/usr/lib/credstore.encrypted/</filename> are searched as well. The per-user service manager
+        will search <filename>$HOME/.config/credstore/</filename>,
+        <filename>$XDG_RUNTIME_DIR/credstore/</filename>, <filename>$HOME/.local/lib/credstore/</filename>
+        (and the counterparts ending with <filename>…/credstore.encrypted/</filename>) instead. The
+        <citerefentry><refentrytitle>systemd-path</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool
+        may be used to query the precise credential store search path.</para>
 
         <para>If the file system path is omitted it is chosen identical to the credential name, i.e. this is
-        a terse way to declare credentials to inherit from the service manager into a service. This option
-        may be used multiple times, each time defining an additional credential to pass to the unit.</para>
+        a terse way to declare credentials to inherit from the service manager or credstore directories into
+        a service. This option may be used multiple times, each time defining an additional credential to
+        pass to the unit.</para>
 
         <para>Note that if the path is not specified or a valid credential identifier is given, i.e.
         in the above two cases, a missing credential is not considered fatal.</para>

src/core/exec-credential.c

@@ -117,10 +117,9 @@ int exec_context_put_load_credential(ExecContext *c, const char *id, const char
                         return -ENOMEM;
 
                 r = hashmap_ensure_put(&c->load_credentials, &exec_load_credential_hash_ops, lc->id, lc);
-                if (r < 0) {
                 assert(r != -EEXIST);
+                if (r < 0)
                         return r;
-                }
 
                 TAKE_PTR(lc);
         }
@@ -167,10 +166,9 @@ int exec_context_put_set_credential(
                         return -ENOMEM;
 
                 r = hashmap_ensure_put(&c->set_credentials, &exec_set_credential_hash_ops, sc->id, sc);
-                if (r < 0) {
                 assert(r != -EEXIST);
+                if (r < 0)
                         return r;
-                }
 
                 TAKE_PTR(sc);
         }
@@ -193,19 +191,22 @@ int exec_context_put_import_credential(ExecContext *c, const char *glob, const c
 
         *ic = (ExecImportCredential) {
                 .glob = strdup(glob),
-                .rename = rename ? strdup(rename) : NULL,
         };
-        if (!ic->glob || (rename && !ic->rename))
+        if (!ic->glob)
                 return -ENOMEM;
+        if (rename) {
+                ic->rename = strdup(rename);
+                if (!ic->rename)
+                        return -ENOMEM;
+        }
 
         if (ordered_set_contains(c->import_credentials, ic))
                 return 0;
 
         r = ordered_set_ensure_put(&c->import_credentials, &exec_import_credential_hash_ops, ic);
-        if (r < 0) {
         assert(r != -EEXIST);
+        if (r < 0)
                 return r;
-        }
 
         TAKE_PTR(ic);
 
@@ -383,30 +384,46 @@ typedef enum CredentialSearchPath {
         _CREDENTIAL_SEARCH_PATH_INVALID = -EINVAL,
 } CredentialSearchPath;
 
-static char** credential_search_path(const ExecParameters *params, CredentialSearchPath path) {
+static int credential_search_path(const ExecParameters *params, CredentialSearchPath path, char ***ret) {
         _cleanup_strv_free_ char **l = NULL;
+        int r;
 
         assert(params);
         assert(path >= 0 && path < _CREDENTIAL_SEARCH_PATH_MAX);
+        assert(ret);
 
         /* Assemble a search path to find credentials in. For non-encrypted credentials, We'll look in
          * /etc/credstore/ (and similar directories in /usr/lib/ + /run/). If we're looking for encrypted
          * credentials, we'll look in /etc/credstore.encrypted/ (and similar dirs). */
 
         if (IN_SET(path, CREDENTIAL_SEARCH_PATH_ENCRYPTED, CREDENTIAL_SEARCH_PATH_ALL)) {
-                if (strv_extend(&l, params->received_encrypted_credentials_directory) < 0)
-                        return NULL;
+                r = strv_extend(&l, params->received_encrypted_credentials_directory);
+                if (r < 0)
+                        return r;
 
-                if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore.encrypted"), /* filter_duplicates= */ true) < 0)
-                        return NULL;
+                _cleanup_strv_free_ char **add = NULL;
+                r = credential_store_path_encrypted(params->runtime_scope, &add);
+                if (r < 0)
+                        return r;
+
+                r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ true);
+                if (r < 0)
+                        return r;
         }
 
         if (IN_SET(path, CREDENTIAL_SEARCH_PATH_TRUSTED, CREDENTIAL_SEARCH_PATH_ALL)) {
-                if (strv_extend(&l, params->received_credentials_directory) < 0)
-                        return NULL;
+                r = strv_extend(&l, params->received_credentials_directory);
+                if (r < 0)
+                        return r;
 
-                if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore"), /* filter_duplicates= */ true) < 0)
-                        return NULL;
+                _cleanup_strv_free_ char **add = NULL;
+                r = credential_store_path(params->runtime_scope, &add);
+                if (r < 0)
+                        return r;
+
+                r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ true);
+                if (r < 0)
+                        return r;
         }
 
         if (DEBUG_LOGGING) {
@@ -414,7 +431,8 @@ static char** credential_search_path(const ExecParameters *params, CredentialSea
                 log_debug("Credential search path is: %s", strempty(t));
         }
 
-        return TAKE_PTR(l);
+        *ret = TAKE_PTR(l);
+        return 0;
 }
 
 struct load_cred_args {
@@ -445,6 +463,10 @@ static int maybe_decrypt_and_write_credential(
         assert(data || size == 0);
 
         if (args->encrypted) {
+                switch (args->params->runtime_scope) {
+
+                case RUNTIME_SCOPE_SYSTEM:
+                        /* In system mode talk directly to the TPM */
                         r = decrypt_credential_and_warn(
                                         id,
                                         now(CLOCK_REALTIME),
@@ -454,6 +476,25 @@ static int maybe_decrypt_and_write_credential(
                                         &IOVEC_MAKE(data, size),
                                         CREDENTIAL_ANY_SCOPE,
                                         &plaintext);
+                        break;
+
+                case RUNTIME_SCOPE_USER:
+                        /* In per user mode we'll not have access to the machine secret, nor to the TPM (most
+                         * likely), hence go via the IPC service instead. Do this if we are run in root's
+                         * per-user invocation too, to minimize differences and because isolating this logic
+                         * into a separate process is generally a good thing anyway. */
+                        r = ipc_decrypt_credential(
+                                        id,
+                                        now(CLOCK_REALTIME),
+                                        getuid(),
+                                        &IOVEC_MAKE(data, size),
+                                        /* flags= */ 0, /* only allow user creds in user scope */
+                                        &plaintext);
+                        break;
+
+                default:
+                        assert_not_reached();
+                }
                 if (r < 0)
                         return r;
 
@@ -611,9 +652,9 @@ static int load_credential(
                  * directory we received ourselves. We don't support the AF_UNIX stuff in this mode, since we
                  * are operating on a credential store, i.e. this is guaranteed to be regular files. */
 
-                search_path = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL);
-                if (!search_path)
-                        return -ENOMEM;
+                r = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL, &search_path);
+                if (r < 0)
+                        return r;
 
                 missing_ok = true;
         } else
@@ -797,9 +838,9 @@ static int acquire_credentials(
         ORDERED_SET_FOREACH(ic, context->import_credentials) {
                 _cleanup_free_ char **search_path = NULL;
 
-                search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED);
-                if (!search_path)
-                        return -ENOMEM;
+                r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED, &search_path);
+                if (r < 0)
+                        return r;
 
                 args.encrypted = false;
 
@@ -811,9 +852,10 @@ static int acquire_credentials(
                         return r;
 
                 search_path = strv_free(search_path);
-                search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED);
-                if (!search_path)
-                        return -ENOMEM;
+
+                r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED, &search_path);
+                if (r < 0)
+                        return r;
 
                 args.encrypted = true;
 

src/libsystemd/sd-path/path-lookup.h

@@ -84,3 +84,19 @@ static inline char** generator_binary_paths(RuntimeScope runtime_scope) {
 static inline char** env_generator_binary_paths(RuntimeScope runtime_scope) {
         return generator_binary_paths_internal(runtime_scope, true);
 }
+
+static inline int credential_store_path(RuntimeScope runtime_scope, char ***ret) {
+        return sd_path_lookup_strv(
+                        runtime_scope == RUNTIME_SCOPE_SYSTEM ?
+                        SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE : SD_PATH_USER_SEARCH_CREDENTIAL_STORE,
+                        /* suffix= */ NULL,
+                        ret);
+}
+
+static inline int credential_store_path_encrypted(RuntimeScope runtime_scope, char ***ret) {
+        return sd_path_lookup_strv(
+                        runtime_scope == RUNTIME_SCOPE_SYSTEM ?
+                        SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED : SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
+                        /* suffix= */ NULL,
+                        ret);
+}

src/libsystemd/sd-path/sd-path.c

@@ -36,7 +36,12 @@ static int from_environment(const char *envname, const char *fallback, const cha
         return -ENXIO;
 }
 
-static int from_home_dir(const char *envname, const char *suffix, char **buffer, const char **ret) {
+static int from_home_dir(
+                const char *envname,
+                const char *suffix,
+                char **buffer,
+                const char **ret) {
+
         _cleanup_free_ char *h = NULL;
         int r;
 
@@ -350,6 +355,30 @@ static int get_path(uint64_t type, char **buffer, const char **ret) {
         case SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR:
                 *ret = USER_ENV_GENERATOR_DIR;
                 return 0;
+
+        case SD_PATH_SYSTEM_CREDENTIAL_STORE:
+                *ret = "/etc/credstore";
+                return 0;
+
+        case SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED:
+                *ret = "/etc/credstore.encrypted";
+                return 0;
+
+        case SD_PATH_USER_CREDENTIAL_STORE:
+                r = xdg_user_config_dir("credstore", buffer);
+                if (r < 0)
+                        return r;
+
+                *ret = *buffer;
+                return 0;
+
+        case SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED:
+                r = xdg_user_config_dir("credstore.encrypted", buffer);
+                if (r < 0)
+                        return r;
+
+                *ret = *buffer;
+                return 0;
         }
 
         return -EOPNOTSUPP;
@@ -366,12 +395,12 @@ static int get_path_alloc(uint64_t type, const char *suffix, char **ret) {
         if (r < 0)
                 return r;
 
-        if (suffix) {
+        if (!isempty(suffix)) {
                 char *suffixed = path_join(p, suffix);
                 if (!suffixed)
                         return -ENOMEM;
 
-                path_simplify(suffixed);
+                path_simplify_full(suffixed, PATH_SIMPLIFY_KEEP_TRAILING_SLASH);
 
                 free_and_replace(buffer, suffixed);
         } else if (!buffer) {
@@ -601,8 +630,55 @@ static int get_search(uint64_t type, char ***ret) {
         case SD_PATH_SYSTEMD_SEARCH_NETWORK:
                 return strv_from_nulstr(ret, NETWORK_DIRS_NULSTR);
 
+        case SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE:
+        case SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED: {
+                const char *suffix =
+                        type == SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED ? "credstore.encrypted" : "credstore";
+
+                _cleanup_free_ char **l = NULL;
+                FOREACH_STRING(d, CONF_PATHS("")) {
+                        char *j = path_join(d, suffix);
+                        if (!j)
+                                return -ENOMEM;
+
+                        r = strv_consume(&l, TAKE_PTR(j));
+                        if (r < 0)
+                                return r;
                 }
 
+                *ret = TAKE_PTR(l);
+                return 0;
+        }
+
+        case SD_PATH_USER_SEARCH_CREDENTIAL_STORE:
+        case SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED: {
+                const char *suffix =
+                        type == SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED ? "credstore.encrypted" : "credstore";
+
+                static const uint64_t dirs[] = {
+                        SD_PATH_USER_CONFIGURATION,
+                        SD_PATH_USER_RUNTIME,
+                        SD_PATH_USER_LIBRARY_PRIVATE,
+                };
+
+                _cleanup_free_ char **l = NULL;
+                FOREACH_ELEMENT(d, dirs) {
+                        _cleanup_free_ char *p = NULL;
+                        r = sd_path_lookup(*d, suffix, &p);
+                        if (r == -ENXIO)
+                                continue;
+                        if (r < 0)
+                                return r;
+
+                        r = strv_consume(&l, TAKE_PTR(p));
+                        if (r < 0)
+                                return r;
+                }
+
+                *ret = TAKE_PTR(l);
+                return 0;
+        }}
+
         return -EOPNOTSUPP;
 }
 
@@ -637,7 +713,7 @@ _public_ int sd_path_lookup_strv(uint64_t type, const char *suffix, char ***ret)
                         if (!path_extend(i, suffix))
                                 return -ENOMEM;
 
-                        path_simplify(*i);
+                        path_simplify_full(*i, PATH_SIMPLIFY_KEEP_TRAILING_SLASH);
                 }
 
         *ret = TAKE_PTR(l);

src/path/path.c

@@ -14,6 +14,7 @@
 #include "main-func.h"
 #include "pager.h"
 #include "pretty-print.h"
+#include "sort-util.h"
 #include "string-util.h"
 
 static const char *arg_suffix = NULL;
@@ -101,27 +102,50 @@ static const char* const path_table[_SD_PATH_MAX] = {
         [SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR]          = "systemd-user-environment-generator",
         [SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR] = "systemd-search-system-environment-generator",
         [SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR]   = "systemd-search-user-environment-generator",
+
+        [SD_PATH_SYSTEM_CREDENTIAL_STORE]                     = "system-credential-store",
+        [SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE]              = "system-search-credential-store",
+        [SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED]           = "system-credential-store-encrypted",
+        [SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED]    = "system-search-credential-store-encrypted",
+        [SD_PATH_USER_CREDENTIAL_STORE]                       = "user-credential-store",
+        [SD_PATH_USER_SEARCH_CREDENTIAL_STORE]                = "user-search-credential-store",
+        [SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED]             = "user-credential-store-encrypted",
+        [SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED]      = "user-search-credential-store-encrypted",
+
 };
 
+static int order_cmp(const size_t *a, const size_t *b) {
+        assert(*a < ELEMENTSOF(path_table));
+        assert(*b < ELEMENTSOF(path_table));
+        return strcmp(path_table[*a], path_table[*b]);
+}
+
 static int list_paths(void) {
-        int r = 0;
+        int ret = 0, r;
 
         pager_open(arg_pager_flags);
 
-        for (size_t i = 0; i < ELEMENTSOF(path_table); i++) {
-                _cleanup_free_ char *p = NULL;
-                int q;
+        size_t order[ELEMENTSOF(path_table)];
 
-                q = sd_path_lookup(i, arg_suffix, &p);
-                if (q < 0) {
-                        log_full_errno(q == -ENXIO ? LOG_DEBUG : LOG_ERR,
-                                       q, "Failed to query %s: %m", path_table[i]);
-                        if (q != -ENXIO)
-                                RET_GATHER(r, q);
+        for (size_t i = 0; i < ELEMENTSOF(order); i++)
+                order[i] = i;
+
+        typesafe_qsort(order, ELEMENTSOF(order), order_cmp);
+
+        for (size_t i = 0; i < ELEMENTSOF(order); i++) {
+                size_t j = order[i];
+                const char *t = ASSERT_PTR(path_table[j]);
+
+                _cleanup_free_ char *p = NULL;
+                r = sd_path_lookup(j, arg_suffix, &p);
+                if (r < 0) {
+                        log_full_errno(r == -ENXIO ? LOG_DEBUG : LOG_ERR, r, "Failed to query %s, proceeding: %m", t);
+                        if (r != -ENXIO)
+                                RET_GATHER(ret, r);
                         continue;
                 }
 
-                printf("%s%s:%s %s\n", ansi_highlight(), path_table[i], ansi_normal(), p);
+                printf("%s%s:%s %s\n", ansi_highlight(), t, ansi_normal(), p);
         }
 
         return r;
@@ -154,14 +178,16 @@ static int help(void) {
         if (r < 0)
                 return log_oom();
 
-        printf("%s [OPTIONS...] [NAME...]\n\n"
-               "Show system and user paths.\n\n"
+        printf("%s [OPTIONS...] [NAME...]\n"
+               "\n%sShow system and user paths.%s\n\n"
                "  -h --help             Show this help\n"
                "     --version          Show package version\n"
                "     --suffix=SUFFIX    Suffix to append to paths\n"
                "     --no-pager         Do not pipe output into a pager\n"
                "\nSee the %s for details.\n",
                program_invocation_short_name,
+               ansi_highlight(),
+               ansi_normal(),
                link);
 
         return 0;
@@ -224,10 +250,11 @@ static int run(int argc, char* argv[]) {
         if (r <= 0)
                 return r;
 
-        if (argc > optind)
+        if (argc > optind) {
+                r = 0;
                 for (int i = optind; i < argc; i++)
                         RET_GATHER(r, print_path(argv[i]));
-        else
+        } else
                 r = list_paths();
 
         return r;

src/systemd/sd-path.h

@@ -120,6 +120,16 @@ enum {
 
         SD_PATH_USER_STATE_PRIVATE,
 
+        /* credential store */
+        SD_PATH_SYSTEM_CREDENTIAL_STORE,
+        SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE,
+        SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED,
+        SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
+        SD_PATH_USER_CREDENTIAL_STORE,
+        SD_PATH_USER_SEARCH_CREDENTIAL_STORE,
+        SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED,
+        SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
+
         _SD_PATH_MAX
 };
 

src/test/test-execute.c

@@ -1398,6 +1398,10 @@ static void run_tests(RuntimeScope scope, char **patterns) {
         ASSERT_NOT_NULL(unit_paths = strjoin(PRIVATE_UNIT_DIR, ":", user_runtime_unit_dir));
         ASSERT_OK(setenv_unit_path(unit_paths));
 
+        /* Write credential for test-execute-load-credential to the fake runtime dir, too */
+        _cleanup_free_ char *j = ASSERT_PTR(path_join(runtime_dir, "credstore/test-execute.load-credential"));
+        ASSERT_OK(write_string_file(j, "foo", WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755));
+
         r = manager_new(scope, MANAGER_TEST_RUN_BASIC, &m);
         if (manager_errno_skip_test(r))
                 return (void) log_tests_skipped_errno(r, "manager_new");

test/units/TEST-54-CREDS.sh

@@ -490,7 +490,7 @@ cmp /tmp/vlcredsdata /tmp/vlcredsdata2
 rm /tmp/vlcredsdata /tmp/vlcredsdata2
 
 clean_usertest() {
-    rm -f /tmp/usertest.data /tmp/usertest.data
+    rm -f /tmp/usertest.data /tmp/usertest.data /tmp/brummbaer.data
 }
 
 trap clean_usertest EXIT
@@ -520,6 +520,12 @@ XDG_RUNTIME_DIR=/run/user/0 systemd-run --pipe --user --unit=waldi.service -p Lo
 # Test mount unit with credential
 test_mount_with_credential
 
+# Fully unpriv operation
+dd if=/dev/urandom of=/tmp/brummbaer.data bs=4096 count=1
+run0 -u testuser --pipe mkdir -p /home/testuser/.config/credstore.encrypted
+run0 -u testuser --pipe systemd-creds encrypt --user --name=brummbaer - /home/testuser/.config/credstore.encrypted/brummbaer < /tmp/brummbaer.data
+run0 -u testuser --pipe systemd-run --user --pipe -p ImportCredential=brummbaer systemd-creds cat brummbaer | cmp /tmp/brummbaer.data
+
 systemd-analyze log-level info
 
 touch /testok