paranoia: refuse rm_rf("/")

TODO

@@ -22,6 +22,10 @@ Bugfixes:
 
 Features:
 
+* refuse taking lower-case variable names in sd_journal_send() and friends.
+
+* when running as user instance: implicitly default to WorkingDirectory=$HOME for all services.
+
 * journalctl highlight reboots
 
 * Merge KillUnit()'s mode and who params into one

src/journal/journald.c

@@ -2058,7 +2058,6 @@ static int system_journal_open(Server *s) {
 }
 
 static int server_flush_to_var(Server *s) {
-        char path[] = "/run/log/journal/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
         Object *o = NULL;
         int r;
         sd_id128_t machine;
@@ -2135,6 +2134,7 @@ finish:
         s->runtime_journal = NULL;
 
         if (r >= 0) {
+                char path[] = "/run/log/journal/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
                 sd_id128_to_string(machine, path + 17);
                 rm_rf(path, false, true, false);
         }

src/shared/util.c

@@ -3339,6 +3339,9 @@ int rm_rf(const char *path, bool only_dirs, bool delete_root, bool honour_sticky
 
         assert(path);
 
+        /* Be paranoid */
+        assert(!streq(path, "/"));
+
         fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
         if (fd < 0) {