3 files changed, 58 insertions, 44 deletions

diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index fd13c6d019..868c8cc05a 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -847,27 +847,36 @@ int bus_exec_context_set_transient_property(
 
                 return 1;
 
-        } else if (streq(name, "TTYPath")) {
-                const char *tty;
+        } else if (STR_IN_SET(name,
+                              "TTYPath", "WorkingDirectory", "RootDirectory")) {
+                const char *s;
 
-                r = sd_bus_message_read(message, "s", &tty);
+                r = sd_bus_message_read(message, "s", &s);
                 if (r < 0)
                         return r;
 
-                if (!path_is_absolute(tty))
-                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "TTY device not absolute path");
+                if (!path_is_absolute(s))
+                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "%s takes an absolute path", name);
 
                 if (mode != UNIT_CHECK) {
                         char *t;
 
-                        t = strdup(tty);
+                        t = strdup(s);
                         if (!t)
                                 return -ENOMEM;
 
-                        free(c->tty_path);
-                        c->tty_path = t;
+                        if (streq(name, "TTYPath")) {
+                                free(c->tty_path);
+                                c->tty_path = t;
+                        } else if (streq(name, "WorkingDirectory")) {
+                                free(c->working_directory);
+                                c->working_directory = t;
+                        } else if (streq(name, "RootDirectory")) {
+                                free(c->root_directory);
+                                c->root_directory = t;
+                        }
 
-                        unit_write_drop_in_private_format(u, mode, name, "TTYPath=%s\n", tty);
+                        unit_write_drop_in_private_format(u, mode, name, "%s=%s\n", name, s);
                 }
 
                 return 1;
diff --git a/src/core/execute.c b/src/core/execute.c
index a0e39ccae9..7796c07fcf 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1601,25 +1601,50 @@ static int exec_child(
                 }
         }
 
+        umask(context->umask);
+
         if (params->apply_permissions) {
                 r = enforce_groups(context, username, gid);
                 if (r < 0) {
                         *exit_status = EXIT_GROUP;
                         return r;
                 }
-        }
+#ifdef HAVE_SMACK
+                if (context->smack_process_label) {
+                        r = mac_smack_apply_pid(0, context->smack_process_label);
+                        if (r < 0) {
+                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
+                                return r;
+                        }
+                }
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+                else {
+                        _cleanup_free_ char *exec_label = NULL;
 
-        umask(context->umask);
+                        r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
+                        if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
+                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
+                                return r;
+                        }
 
+                        r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
+                        if (r < 0) {
+                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
+                                return r;
+                        }
+                }
+#endif
+#endif
 #ifdef HAVE_PAM
-        if (params->apply_permissions && context->pam_name && username) {
-                r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
-                if (r < 0) {
-                        *exit_status = EXIT_PAM;
-                        return r;
+                if (context->pam_name && username) {
+                        r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
+                        if (r < 0) {
+                                *exit_status = EXIT_PAM;
+                                return r;
+                        }
                 }
-        }
 #endif
+        }
 
         if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
                 r = setup_netns(runtime->netns_storage_socket);
@@ -1748,33 +1773,6 @@ static int exec_child(
                         }
                 }
 
-#ifdef HAVE_SMACK
-                if (context->smack_process_label) {
-                        r = mac_smack_apply_pid(0, context->smack_process_label);
-                        if (r < 0) {
-                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
-                                return r;
-                        }
-                }
-#ifdef SMACK_DEFAULT_PROCESS_LABEL
-                else {
-                        _cleanup_free_ char *exec_label = NULL;
-
-                        r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
-                        if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
-                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
-                                return r;
-                        }
-
-                        r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
-                        if (r < 0) {
-                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
-                                return r;
-                        }
-                }
-#endif
-#endif
-
                 if (context->user) {
                         r = enforce_user(context, uid);
                         if (r < 0) {
diff --git a/src/core/main.c b/src/core/main.c
index 9c1f8648e7..b57f4c1b7a 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1807,6 +1807,13 @@ int main(int argc, char *argv[]) {
                         goto finish;
 
                 case MANAGER_EXIT:
+                        if (m->running_as == MANAGER_USER) {
+                                retval = EXIT_SUCCESS;
+                                log_debug("Exit.");
+                                goto finish;
+                        }
+
+                        /* fallthrough */
                 case MANAGER_REBOOT:
                 case MANAGER_POWEROFF:
                 case MANAGER_HALT: