Bug#1123775: systemd: credentials encrypted in user scope cannot be used in user services
Ankit Gadiya
ankit at argp.in
Sun Dec 21 12:31:57 GMT 2025
Package: systemd
Version: 257.9-1~deb13u1
Severity: normal
Tags: upstream
Dear Maintainer,
Steps to reproduce:
* Generate a **user-scope** credential using systemd-creds.
$ echo 'test' | systemd-creds --user encrypt - ~/.config/systemd/credentials/test.cred
* Reference this credential in a **user-scope** systemd unit.
$ cat ~/.config/systemd/user/sleep.service
[Unit]
Description=Test Sleep
[Service]
Type=exec
ExecStart=/usr/bin/sleep infinity
LoadCredentialEncrypted=test:/home/ankit/.config/systemd/credentials/test.cred
* Reload the user daemon and start the service.
$ systemctl --user daemon-reload && systemctl --user start sleep
Status logs from the service:
Dec 21 17:46:56 x1-carbon (sleep)[240845]: Failed to determine local credential key: Permission denied
Dec 21 17:46:56 x1-carbon (sleep)[240845]: sleep.service: Failed to set up credentials: Permission denied
Dec 21 17:46:56 x1-carbon (sleep)[240845]: sleep.service: Failed at step CREDENTIALS spawning /usr/bin/sleep: Permission denied
Dec 21 17:46:56 x1-carbon systemd[2082]: sleep.service: Main process exited, code=exited, status=243/CREDENTIALS
Dec 21 17:46:56 x1-carbon systemd[2082]: sleep.service: Failed with result 'exit-code'.
Dec 21 17:46:56 x1-carbon systemd[2082]: Failed to start sleep.service - Test Sleep.
-- Package-specific info:
Upstream bugreport: https://github.com/systemd/systemd/issues/35913
Fixed in v259:
https://github.com/systemd/systemd/commit/1af989e8de71a613ae08bd8f095de5308478fd13
-- System Information:
Debian Release: 13.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.57+deb13-amd64 (SMP w/14 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd depends on:
ii libacl1 2.3.2-2+b1
ii libapparmor1 4.1.0-1
ii libc6 2.41-12
ii libmount1 2.41-5
ii libpam0g 1.7.0-5
ii libseccomp2 2.6.0-2
ii libselinux1 3.8.1-1
ii libssl3t64 3.5.4-1~deb13u1
ii libsystemd-shared 257.9-1~deb13u1
ii libsystemd0 257.9-1~deb13u1
ii mount 2.41-5
Versions of packages systemd recommends:
ii dbus [default-dbus-system-bus] 1.16.2-2
ii linux-sysctl-defaults 4.12
ii systemd-cryptsetup 257.9-1~deb13u1
ii systemd-timesyncd [time-daemon] 257.9-1~deb13u1
Versions of packages systemd suggests:
ii libtss2-tcti-device0t64 [libtss2-tcti-device0] 4.1.3-1.2
ii polkitd 126-2
ii systemd-boot 257.9-1~deb13u1
pn systemd-container <none>
pn systemd-homed <none>
pn systemd-repart <none>
pn systemd-resolved <none>
pn systemd-userdbd <none>
Versions of packages systemd is related to:
ii dbus-user-session 1.16.2-2
pn dracut <none>
ii initramfs-tools 0.148.3
ii libnss-systemd 257.9-1~deb13u1
ii libpam-systemd 257.9-1~deb13u1
ii udev 257.9-1~deb13u1
-- no debconf information
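
Added example, not part of the original report and not systemd code: a small Python triage script that correlates the journal messages quoted above by PID, so that only units whose spawn failed at step CREDENTIALS after the "Failed to determine local credential key: Permission denied" message are listed. The sample journal text is constructed from the log lines in the report plus one made-up unrelated failure (`other.service`), and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: four lines from the report (unwrapped) plus a made-up
# CREDENTIALS failure with a different cause, for contrast.
SAMPLE_JOURNAL = """\
Dec 21 17:46:56 x1-carbon (sleep)[240845]: Failed to determine local credential key: Permission denied
Dec 21 17:46:56 x1-carbon (sleep)[240845]: sleep.service: Failed to set up credentials: Permission denied
Dec 21 17:46:56 x1-carbon (sleep)[240845]: sleep.service: Failed at step CREDENTIALS spawning /usr/bin/sleep: Permission denied
Dec 21 17:46:56 x1-carbon systemd[2082]: sleep.service: Main process exited, code=exited, status=243/CREDENTIALS
Dec 21 17:47:10 x1-carbon (cat)[240901]: other.service: Failed to set up credentials: No such file or directory
Dec 21 17:47:10 x1-carbon (cat)[240901]: other.service: Failed at step CREDENTIALS spawning /usr/bin/cat: No such file or directory
"""

# Short journal format: "Mon DD HH:MM:SS host ident[pid]: message"
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<ident>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KEY_DENIED = "Failed to determine local credential key: Permission denied"
STEP_FAILED = re.compile(
    r"^(?P<unit>\S+): Failed at step CREDENTIALS spawning (?P<exe>\S+): "
)


def find_key_denied_units(journal_text):
    """Return {unit: [executable, ...]} for spawns that failed at step
    CREDENTIALS after the same PID logged the credential-key denial."""
    denied_pids = set()          # PIDs that logged KEY_DENIED (no unit name yet)
    hits = defaultdict(list)
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue             # wrapped or foreign-format line: skip
        pid, msg = m["pid"], m["msg"]
        if msg == KEY_DENIED:
            denied_pids.add(pid)
            continue
        step = STEP_FAILED.match(msg)
        if step and pid in denied_pids:
            hits[step["unit"]].append(step["exe"])
            denied_pids.discard(pid)   # guard against later PID reuse
    return dict(hits)


if __name__ == "__main__":
    for unit, exes in find_key_denied_units(SAMPLE_JOURNAL).items():
        print(f"{unit}: credential key unreadable when spawning {', '.join(exes)}")
```
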