
Quadlets: rootless unit in /etc/containers/systemd/users/$(UID) loaded for root when /etc/containers/systemd is a symlink #23483

Closed
lelemka0 opened this issue Aug 1, 2024 · 2 comments · Fixed by #23498
Labels: kind/bug, locked - please file new issue/PR

Comments

lelemka0 commented Aug 1, 2024

Issue Description

Any unit placed in /etc/containers/systemd/users/$(UID) will be loaded for root user when /etc/containers/systemd is a symlink.

Steps to reproduce the issue

  1. remove /etc/containers/systemd and recreate it as a symlink.
    e.g. /etc/containers/systemd -> /opt/containers/systemd
  2. create a quadlets unit file in /etc/containers/systemd/users/$(UID)
    e.g. /etc/containers/systemd/users/1000/test.container

    # test.container
    [Container]
    Image=docker.io/hello-world:latest

    [Install]
    WantedBy=default.target

  3. systemctl daemon-reload
  4. systemctl status test.service

Describe the results you received

# systemctl status test.service
○ test.service
     Loaded: loaded (/opt/containers/systemd/users/1000/test.container; generated)
     Active: inactive (dead)

The rootless unit is loaded as root.

Describe the results you expected

Rootless units in /etc/containers/systemd/users/$(UID) only load for the corresponding user.

podman info output

# podman info
host:
  arch: amd64
  buildahVersion: 1.35.3
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.10+ds1-1+b1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: unknown'
  cpuUtilization:
    idlePercent: 99.82
    systemPercent: 0.08
    userPercent: 0.1
  cpus: 2
  databaseBackend: sqlite
  distribution:
    codename: trixie
    distribution: debian
    version: unknown
  eventLogger: journald
  freeLocks: 2045
  hostname: rd
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.9.12-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 796901376
  memTotal: 2055258112
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.6.0-3_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.6.0
    package: netavark_1.6.0-2.1_amd64
    path: /usr/lib/podman/netavark
    version: netavark 1.6.0
  ociRuntime:
    name: crun
    package: crun_1.15-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_0.0~git20240726.57a21d2-1_amd64
    version: |
      pasta 0.0~git20240726.57a21d2-1
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.1-1+b1_amd64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 2147479552
  swapTotal: 2147479552
  uptime: 14h 1m 25.00s (Approximately 0.58 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 42090315776
  graphRootUsed: 4764323840
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.0.3
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.22.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.3

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

Debian Sid
Running latest podman from sources.


@lelemka0 lelemka0 added the kind/bug Categorizes issue or PR as related to a bug. label Aug 1, 2024
lelemka0 commented Aug 1, 2024

This is related to symbolic links. To facilitate migration, I created a symbolic link /etc/containers/systemd -> /opt/.base/containers/systemd, then the problem occurred.
I tried other situations, such as symbolic links in /etc/containers/systemd, and there were no problems. This problem only occurs when /etc/containers/systemd is a symbolic link.

@lelemka0 lelemka0 changed the title Quadlets: rootless unit in /etc/containers/systemd/users/$(UID) loaded for root Quadlets: rootless unit in /etc/containers/systemd/users/$(UID) loaded for root when /etc/containers/systemd is a symlink Aug 1, 2024
lelemka0 commented Aug 2, 2024

EvalSymlinks returns the path name after the evaluation of any symbolic links.

podman/cmd/quadlet/main.go

Lines 156 to 157 in dfab16e

func appendSubPaths(dirs []string, path string, isUserFlag bool, filterPtr func(string, bool) bool) []string {
	resolvedPath, err := filepath.EvalSymlinks(path)

Absolute path is used for judgment in userLevelFilter.

podman/cmd/quadlet/main.go

Lines 201 to 205 in dfab16e

func userLevelFilter(_path string, isUserFlag bool) bool {
	// if quadlet generator is run rootless, do not recurse other user sub dirs
	// if quadlet generator is run as root, ignore users sub dirs
	if strings.Contains(_path, filepath.Join(quadlet.UnitDirAdmin, "users")) {
		if isUserFlag {
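The interaction between the two snippets above, reproduced as an added Go example that is not podman's code: it recreates the symlinked layout from the report in a temp dir, shows the substring check on the resolved path letting the users directory through for root, and contrasts it with an illustrative check on the path relative to the unit dir. The function names, the unitDir parameter and the temp-dir layout are assumptions, and the illustrative filter is not the fix from #23498.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// buggyFilter mirrors the quoted logic: EvalSymlinks first, then a substring
// match on the resolved path; with a symlinked unitDir the prefix never matches.
func buggyFilter(unitDir, dir string, isUserFlag bool) bool {
	resolved, err := filepath.EvalSymlinks(dir)
	if err != nil {
		return false
	}
	inUsers := strings.Contains(resolved, filepath.Join(unitDir, "users"))
	return !inUsers || isUserFlag // root drops users/*, rootless keeps it
}

// fixedFilter (illustrative, not the project's fix) judges the path as found
// under unitDir, before symlink resolution, by its relative location.
func fixedFilter(unitDir, dir string, isUserFlag bool) bool {
	rel, err := filepath.Rel(unitDir, dir)
	if err != nil || strings.HasPrefix(rel, "..") {
		return true // not under unitDir at all
	}
	inUsers := rel == "users" || strings.HasPrefix(rel, "users/")
	return !inUsers || isUserFlag
}

// setupSymlinkedUnitDir recreates the issue's layout in a temp dir (assumed):
// <tmp>/opt/containers/systemd/users/1000 (real) and the symlink
// <tmp>/etc-containers-systemd -> <tmp>/opt/containers/systemd.
func setupSymlinkedUnitDir() (unitDir, userDir, realDir string, err error) {
	tmp, err := os.MkdirTemp("", "quadlet-symlink-")
	if err != nil {
		return "", "", "", err
	}
	tmp, _ = filepath.EvalSymlinks(tmp) // canonical base (macOS: /var -> /private/var)
	realDir = filepath.Join(tmp, "opt", "containers", "systemd")
	unitDir = filepath.Join(tmp, "etc-containers-systemd")
	if err = os.MkdirAll(filepath.Join(realDir, "users", "1000"), 0o755); err == nil {
		err = os.Symlink(realDir, unitDir)
	}
	if err != nil {
		return "", "", "", err
	}
	return unitDir, filepath.Join(unitDir, "users", "1000"), realDir, nil
}
```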
