[Unit]
# apt-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
Description=Update permissions for /etc/shadow
Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
# This new stamp file is written by the Rust code, and obsoletes
# the old /etc/.apt-ostree-shadow-mode-fixed.stamp
ConditionPathExists=!/etc/.apt-ostree-shadow-mode-fixed2.stamp
ConditionPathExists=/run/ostree-booted
# Filter out non-traditional ostree setups (e.g. live boots)
ConditionKernelCommandLine=ostree
# Because we read the sysroot
RequiresMountsFor=/boot
# Make sure this is started before any unprivileged (interactive) user has access to the system.
Before=systemd-user-sessions.service

[Service]
Type=oneshot
ExecStart=apt-ostree fix-shadow-perms
RemainAfterExit=yes
# So we can remount /sysroot writable in our own namespace
MountFlags=slave

[Install]
WantedBy=multi-user.target