| Commit message (Collapse) | Author | Age | Files | Lines |
|
This tries to get rid of most manual sigprocmask() changes, in favour
of:
1. The SD_EVENT_SIGNAL_PROCMASK flag to sd_event_add_signal()
2. The sd_event_set_signal_exit() call for handling SIGTERM/SIGINT
3. Move masking of SIGWINCH into ptyfwd, out of nspawn/vmspawn/run
And while we are at it get rid of a bunch of event source fields whose
lifetime is bound to the sd_event object they belong to anyway, and make
use of the "floating" event source feature of sd-event instead.
|
and welcome messages
|
Apparently _PATH_UTMPX is a glibc'ism. UTMPX_FILE is the same thing and
what everyone else uses. Since they are otherwise equivalent, let's just
switch.
|
This makes the macros use log_syntax_parse_error(), which hopefully provides
more informative log messages in general, and reduces binary size.
|
logind: two follow-ups
|
This partially reverts 52bcc872b5f97a14a9b4e4e383f45bb3066e1643.
We explicitly support running without user manager,
hence only user-runtime-dir@.service should be
required.
Fixes #33405
|
Follow-up for 0e10c3d8724b0a5d07871c9de71565ac91dd55b7
Addresses https://github.com/systemd/systemd/pull/25049#discussion_r1647513862
|
which combines sigbus_install() and bumping fd limit.
|
Update warnings for failed EVIOCREVOKE invocations
|
EINVAL means the kernel doesn't support it, ENODEV means it's
already revoked or the device is no longer there which has the same
effect anyway. All others - let's print an error to the logs.
|
Let's assume that if the ioctl fails once with EINVAL, we won't have to
try this again.
|
The PrepareForShutdownWithMetadata signal was added via
e4aab5cf1a00bbb73f325f4f785dd4171ccdae77 but a corresponding property
was not. A property has to be a single type, so the bool needs to be
one of the key/value pairs as 'ba{sv}' is not a valid property.
|
Follow-up for 0e10c3d8724b0a5d07871c9de71565ac91dd55b7.
|
Currently inhibitors are bypassed unless an explicit request is made to
check for them, or even in that case when the requestor is root or the
same uid as the holder of the lock.
But in many cases this makes it impractical to rely on inhibitor locks.
For example, in Debian there are several convoluted and archaic
workarounds that divert systemctl/reboot to some hacky custom scripts
to try and enforce blocking accidental reboots, when it's not expected
that the requestor will remember to specify the command line option
to enable checking for active inhibitor locks.
Also in many cases one wants to ensure that locks taken by a user are
respected by actions initiated by that same user.
Change logind so that inhibitor checks are not skipped in these
cases, and systemctl so that locks are checked in order to show a
friendly error message rather than "permission denied".
Add new block-weak and delay-weak modes that keep the previous
behaviour unchanged.
|
Fixes #33834
|
Prompted by #33650
Previously, if a user manually starts user@.service (which is
something we support), we'd track it as 'manager' session.
However, since user_get_state() ignores all non-pinning sessions,
if lingering is not enabled, the user state would always be
reported as 'closing', which is spurious.
Let's instead take gc_mode into consideration, and ignore
non-pinning sessions only if USER_GC_BY_PIN.
|
The mode switch from any to pin is currently done in create_session().
However, if no (pinning) session is created before (or after) linger
is disabled, the user will not be gc'd after that. Therefore, also
perform the mode switch when linger is being disabled.
|
Allow interactive auth in inhibit
|
We already had 'auth_admin_keep' for org.freedesktop.login1.reboot and similar
actions. If a user is allowed to perform an action, I think they should be
allowed to _block_ the same action. Guarding this by auth_admin follows the
general principle of not allowing fully unprivileged users to have too much say
over the machine.
|
It seems entirely reasonable to make a policy which e.g. allows block operations
for interactive users after authentication. The tool should support this, so that
more complicated local policies can be used.
Related to https://github.com/systemd/systemd/pull/30307.
|
The functions in the file were *not* using the spawn prefix,
and the prefix seems completely unnecessary.
|
pressed
|
Update frameworks that work automatically in the background
occasionally need to schedule reboots. Systemd-logind already
provides a nice mechanism to schedule shutdowns, send notifications
and block logins shortly before the time. Systemd has a framework for
calendar events, so we may conveniently use logind to define a
maintenance time for reboots.
The existing ScheduleShutdown DBus method in logind expects a usec_t
with an absolute time. Passing USEC_INFINITY as magic value now tells
logind to take the time from the configured maintenance time if set.
"shutdown -r" leverages that and uses the maintenance time
automatically if configured. The one minute default is still used if
nothing was specified.
Similarly the new 'auto' setting for the --when parameter of systemctl
uses the maintenance time if configured or a one minute timer like the
shutdown command.
|
Fix confusion between killer and prey
|
"who" is the entity doing the killing, "whom" is the target.
Follow-up for 4ccde410a3fc141c9ddf285f24a22dfea99e0287.
|
Fixes #33388
|
Also, add missing trailing / to paths used in STRLEN/sizeof.
|
This is preparation for making our Varlink API a public API. Since our
Varlink API is built on top of our JSON API we need to make that public
first (it's a nice API, but JSON APIs there are already enough, this is
purely about the Varlink angle).
I made most of the json.h APIs public, and just placed them in
sd-json.h. Sometimes I wasn't so sure however, since the underlying data
structures would have to be made public too. If in doubt I didn't risk
it, and moved the relevant API to src/libsystemd/sd-json/json-util.h
instead (without any sd_* symbol prefixes).
This is mostly a giant search/replace patch.
|
Suggested by Fossies.
|
Follow-up for 5099a50d4398e190387d204f5df81cc176bd33e2
Fixes #33005
|
Also make the function take const User*
|
As requested in post-merge review
https://github.com/systemd/systemd/pull/32869#pullrequestreview-2068161094:
> NotInControl error is really about session controllers, but this here really
> is different.
|
Fixes https://github.com/systemd/systemd/issues/28514.
Quoting https://github.com/systemd/systemd/issues/28514#issuecomment-1831781486:
> Whenever PAM is enabled for a service, we set up the PAM session and then
> fork off a process whose only job is to eventually close the PAM session when
> the service dies. That services we run with service privileges, both to
> minimize attack surface and because we want to use PR_SET_DEATHSIG to get
> a notification via signal whenever the main process dies. But that only works
> if we have the same credentials as that main process.
>
> Now, if pam_systemd runs inside the PAM stack (which it normally does) its
> session close hook will ask logind to synchronously end the session via a bus
> call. Currently that call is not accessible to unprivileged clients. And
> that's the part we need to relax: allow users to end their own sessions.
The check is implemented in a way that allows the kill if the sender is in
the target session.
I found 'sudo systemctl --user -M "zbyszek@" is-system-running' to
be a convenient reproducer.
Before:
May 16 16:25:26 x1c systemd[1]: run-u24754.service: Deactivated successfully.
May 16 16:25:26 x1c dbus-broker[1489]: A security policy denied :1.24757 to send method call /org/freedesktop/login1:org.freedesktop.login1.Manager.ReleaseSession to org.freedesktop.login1.
May 16 16:25:26 x1c (sd-pam)[3036470]: pam_systemd(login:session): Failed to release session: Access denied
May 16 16:25:26 x1c systemd[1]: Stopping session-114.scope...
May 16 16:25:26 x1c systemd[1]: session-114.scope: Deactivated successfully.
May 16 16:25:26 x1c systemd[1]: Stopped session-114.scope.
May 16 16:25:26 x1c systemd[1]: session-c151.scope: Deactivated successfully.
May 16 16:25:26 x1c systemd-logind[1513]: Session c151 logged out. Waiting for processes to exit.
May 16 16:25:26 x1c systemd-logind[1513]: Removed session c151.
After:
May 16 17:02:15 x1c systemd[1]: run-u24770.service: Deactivated successfully.
May 16 17:02:15 x1c systemd[1]: Stopping session-115.scope...
May 16 17:02:15 x1c systemd[1]: session-c153.scope: Deactivated successfully.
May 16 17:02:15 x1c systemd[1]: session-115.scope: Deactivated successfully.
May 16 17:02:15 x1c systemd[1]: Stopped session-115.scope.
May 16 17:02:15 x1c systemd-logind[1513]: Session c153 logged out. Waiting for processes to exit.
May 16 17:02:15 x1c systemd-logind[1513]: Removed session c153.
Edit: this seems to also fix https://github.com/systemd/systemd/issues/8598.
It seems that with the call to ReleaseSession, we wait for the pam session
close hooks to finish. I inserted a 'sleep(10)' after the call to ReleaseSession
in pam_systemd, and things block on that, nothing is killed prematurely.
|
When running inside an LXC container the 'su' process will not be part of
any unit or slice.
manager_get_user_by_pid() which was used until v255 (included) does not fail
if it cannot find a unit/slice, but simply returns 'not found'. Do the same
in manager_get_session_by_pidref().
This was not detected as Semaphore CI does not reboot the testbed before
the logind test, so the session is started by the old logind from the base
distro, instead of the one being tested.
Follow-up for 8494f562c8963d8a936b0598e23eab277ff29374
Follow-up for 5099a50d4398e190387d204f5df81cc176bd33e2
Fixes https://github.com/systemd/systemd/issues/32929
|
Helped track down issue with session tracking
|
It is always equivalent to getuid(). Let's call getuid() in the
function instead.
|
We never updated the meson checks when glibc finally learned about these
syscalls, address that.
|
Currently, SLEEP_NOT_ENOUGH_SWAP_SPACE (ENOSPC) is returned
on all sorts of error conditions. But one important case
that's worth differentiating from that is when the resume device
is manually specified yet missing.
Closes #32644
|
Let's only accept valid ASCII and put a size limit on reboot arguments.
|
Some cleanups prompted during review
|
We already log to syslog using pam_syslog() for logs generated directly
within our pam plugins. However, any logs generated by our generic logging
macros that are invoked within a pam plugin will log to the console. Let's
make sure our generic logging macros are set up to log to syslog as well.
|
Otherwise the default log target is the console and we won't use
the journal socket even if it is available.