`ProtectHome=true` does not work in systemd --user mode

[Hi-Angel]

systemd version the issue has been seen with

250

Used distribution

No response

Linux kernel version used

5.19.15-lqx1.0.fc36.x86_64

CPU architectures issue was seen on

x86_64

Component

systemd

Expected behaviour you didn't see

Either permission denied errors or lack of content in the output for /home and /run/user

Unexpected behaviour you saw

ls shows content of /home and /run/user

Steps to reproduce the problem

ProtectHome option is described by manual as:

Takes a boolean argument[…]. If true, the directories /home/, /root, and /run/user are made inaccessible and empty for processes invoked by this unit.[…]

For testing purposes I needed to run some graphical app but deny it any possible access to my HOME dir (which may be used together with setting HOME to an arbitrary dir, but is orthogonal to that). So I created a service that makes use of ProtectHome=true which I expected to do exactly that. To my dismay, the option simply doesn't work.

Steps to reproduce In terms of terminal commands:

$ cat ~/.config/systemd/user/test.service
[Unit]
Description=Test unit

[Service]
Type=oneshot
ExecStart=/usr/bin/ls /home/ /run/user/
ProtectHome=true

[Install]
WantedBy=multi-user.target
$ systemctl --user daemon-reload
$ systemctl --user start test
$ systemctl --user status test
○ test.service - Test unit
     Loaded: loaded (/home/konstantin/.config/systemd/user/test.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

окт 15 13:56:55 fedora systemd[3399]: Starting test.service - Test unit...
окт 15 13:56:55 fedora ls[21097]: /home/:
окт 15 13:56:55 fedora ls[21097]: konstantin
окт 15 13:56:55 fedora ls[21097]: /run/user/:
окт 15 13:56:55 fedora ls[21097]: 0
окт 15 13:56:55 fedora ls[21097]: 1000
окт 15 13:56:55 fedora systemd[3399]: Finished test.service - Test unit.

Additional program output to the terminal or log subsystem illustrating the issue

окт 15 13:56:55 fedora systemd[3399]: Starting test.service - Test unit...
окт 15 13:56:55 fedora ls[21097]: /home/:
окт 15 13:56:55 fedora ls[21097]: konstantin
окт 15 13:56:55 fedora ls[21097]: /run/user/:
окт 15 13:56:55 fedora ls[21097]: 0
окт 15 13:56:55 fedora ls[21097]: 1000
окт 15 13:56:55 fedora systemd[3399]: Finished test.service - Test unit.

[Hi-Angel]

Hmm. I think there's a bug in bug template 😄 You see, the "Used distribution" says "no response". Well, that's because Github apparently saved my last used value, and there was a grayed out text "Fedora 36". I assumed giving no response would substitute this text — because that looks exactly like what it's supposed to do. Well, apparently Github didn't, instead it inserted a "no response" sentence 🤷

[mrc0mmand]

In the ProtectHome= paragraph in the man page is one quite important sentence:

This option is only available for system services and is not supported for services running in per-user instances of the service manager.

See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=

[Hi-Angel]

@mrc0mmand I see. Shouldn't systemd show an error in this case?

[mrc0mmand]

I guess having a clear error or at least a warning would be beneficial, but I'm not sure if it wouldn't go against the current use case (/cc @bluca), this is a bit out of my scope. Now it sort of shows an ignored error, but only with debug logging enabled:

[230520.691222] systemd[1710]: Setting log level to debug.
[230520.691816] systemd[1710]: Sent message type=method_return sender=n/a destination=:1.2335 path=n/a interface=n/a member=n/a cookie=12414 reply_cookie=2 signature=n/a error-name=n/a error-message=n/a
[230524.751253] systemd[1710]: Got message type=method_call sender=:1.2336 destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=RestartUnit cookie=3 reply_cookie=0 signature>
[230524.751498] systemd[1710]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser cookie=12415 reply_cookie=0 signature=s error->
[230524.751548] systemd[1710]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1 path=n/a interface=n/a member=n/a cookie=4294967295 reply_cookie=12415 signature=u error-name=n/a error-message=n/a
[230524.751592] systemd[1710]: test.service: Trying to enqueue job test.service/restart/replace
[230524.752741] systemd[1710]: test.service: Installed new job test.service/restart as 1461
[230524.754238] systemd[1710]: test.service: Enqueued job test.service/restart as 1461
[230524.754298] ls[859492]: Failed to unshare the mount namespace: Operation not permitted
[230524.754298] ls[859492]: test.service: Failed to set up namespace, assuming containerized execution and ignoring.

[bluca]

For user instances the unit must have user namespaces (DynamicUser=yes) enabled for this to work

[Hi-Angel]

For user instances the unit must have user namespaces (DynamicUser=yes) enabled for this to work

Oh, cool, thanks!

An alternative way that I found out is having an option PrivateUsers=true. This also makes ProtectHome work for user services.

@bluca anyway, regarding a lack of an error, should it be tackled as part of this issue, or should this be closed, and a new one opened instead about that specifically?