diff options
| author | Lennart Poettering <lennart@poettering.net> | 2010-06-19 16:57:54 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2010-06-19 16:57:54 +0200 |
| commit | 4d0e5dbd52291ae49740adb006bfc2595b953ec5 (patch) | |
| tree | ee8b72d08b0945914b8aaf652222987cc33935e9 | |
| parent | 399ab2b1ac07be5afa9708b3280d4e1a4cceb5b8 (diff) | |
service: require KillMode=control-group when PAM is enabled
| -rw-r--r-- | src/mount.c | 5 | ||||
| -rw-r--r-- | src/service.c | 7 | ||||
| -rw-r--r-- | src/socket.c | 7 |
3 files changed, 17 insertions, 2 deletions
diff --git a/src/mount.c b/src/mount.c index e3984203a..081e92c02 100644 --- a/src/mount.c +++ b/src/mount.c @@ -303,6 +303,11 @@ static int mount_verify(Mount *m) { return -EBADMSG; } + if (m->exec_context.pam_name && m->kill_mode != KILL_CONTROL_GROUP) { + log_error("%s has PAM enabled. Kill mode must be set to 'control-group'. Refusing.", m->meta.id); + return -EINVAL; + } + return 0; } diff --git a/src/service.c b/src/service.c index ba60b8f87..aff355112 100644 --- a/src/service.c +++ b/src/service.c @@ -817,7 +817,12 @@ static int service_verify(Service *s) { } if (s->type == SERVICE_DBUS && !s->bus_name) { - log_error("%s is of type D-Bus but no D-Bus service name has been specified. Refusing.", UNIT(s)->meta.id); + log_error("%s is of type D-Bus but no D-Bus service name has been specified. Refusing.", s->meta.id); + return -EINVAL; + } + + if (s->exec_context.pam_name && s->kill_mode != KILL_CONTROL_GROUP) { + log_error("%s has PAM enabled. Kill mode must be set to 'control-group'. Refusing.", s->meta.id); return -EINVAL; } diff --git a/src/socket.c b/src/socket.c index ccbe4326c..7a8624c84 100644 --- a/src/socket.c +++ b/src/socket.c @@ -153,7 +153,12 @@ static int socket_verify(Socket *s) { } if (s->accept && s->max_connections <= 0) { - log_error("%s's MaxConnection setting too small. Refusing.", UNIT(s)->meta.id); + log_error("%s's MaxConnection setting too small. Refusing.", s->meta.id); + return -EINVAL; + } + + if (s->exec_context.pam_name && s->kill_mode != KILL_CONTROL_GROUP) { + log_error("%s has PAM enabled. Kill mode must be set to 'control-group'. Refusing.", s->meta.id); return -EINVAL; } |