| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
| |
Types used for pids and uids in various interfaces are unpredictable.
Too bad.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
The kernel module system is not namespaced, so no container should ever
modify global options. Make sure we set the kdbus attach_flags_mask only
on a real boot as PID1.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
|
| | |
|
| |
|
|
| |
Commit 3bd5c3 added a check for EACCES, but missed the minus sign.
|
| |
|
|
|
|
|
| |
deb6120920 'man: there's actually no "fail" fstab option, but only
"nofail" removed it from our documentation, which I missed.
fstab(5) only mentions "auto", "noauto", and "nofail". Stick to
those three.
|
| |
|
|
|
| |
Just a simple variable rename, and a dropped flag that sd-bus didn't make
use of.
|
| |
|
|
|
|
|
|
|
| |
strempty() will return an empty string in case the input parameter is
a NULL pointer. The correct test to check for an empty string is
isempty(), so use that instead.
This fixes a regression from commit 17a1c59 ("core/mount: filter out
noauto,auto,nofail,fail options").
|
| |
|
|
|
| |
With a command line like "@/something" we would allocate an array with
0 elements. Avoid that, and add a test too.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We passed the full option string from fstab to /bin/mount. It would in
turn pass the full option string to its helper, if it needed to invoke
one. Some helpers would ignore things like "nofail", but others would
be confused. We could try to get all helpers to ignore those
"meta-options", but it seems better to simply filter them out.
In our model, /bin/mount simply has no business in knowing whether the
mount was configured as fail or nofail, auto or noauto, in the
fstab. If systemd tells invokes a command to mount something, and it
fails, it should always return an error. It seems cleaner to filter
out the option, since then there's no doubt how the command should
behave.
https://bugzilla.redhat.com/show_bug.cgi?id=1177823
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes parsing of options in shared/generator.c. Existing code
had some issues:
- it would treate whitespace and semicolons as seperators. fstab(5)
is pretty clear that only commas matter. And the syntax does
not allow for spaces to be inserted in the field in fstab.
Whitespace might be escaped, but then it should not seperate
options. Treat whitespace and semicolons as any other character.
- it assumed that x-systemd.device-timeout would always be followed
by "=". But this is not guaranteed, hasmntopt will return this
option even if there's no value. Uninitialized memory could be read.
- some error paths would log, and inconsistently, some would just
return an error code.
Filtering is split out to a separate function and tests are added.
Similar code paths in other places are adjusted to use the new function.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Sometimes it is necessary to stop a generator from running. Either
because of a bug, or for testing, or some other reason. The only way
to do that would be to rename or chmod the generator binary, which is
inconvenient and does not survive upgrades. Allow masking and
overriding generators similarly to units and other configuration
files.
For the systemd instance, masking would be more common, rather than
overriding generators. For the user instances, it may also be useful
for users to have generators in $XDG_CONFIG_HOME to augment or
override system-wide generators.
Directories are searched according to the usual scheme (/usr/lib,
/usr/local/lib, /run, /etc), and files with the same name in higher
priority directories override files with the same name in lower
priority directories. Empty files and links to /dev/null mask a given
name.
https://bugs.freedesktop.org/show_bug.cgi?id=87230
|
| |
|
|
|
|
|
|
|
| |
Remove the optional sepearate opening of the directory,
it would be just too complicated with the change to
multiple directories.
Move the middle of execute_directory() to a seperate
function to make it easier to grok.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Among other things, avoid log_struct() unless we really need it.
Also, use "r" as variable to store function errors in, instead of "err".
"r" is pretty much what we use everywhere else, hence using the same
here make sense.
FInally, in the child, when we want to log, make sure to open the
logging framework first, since it is explicitly closed in preparation
for the exec().
|
| | |
|
| |
|
|
|
|
| |
non-fatal
This should be useful for user namespaces.
|
| |
|
|
| |
.busname units, if BusName= is set
|
| |
|
|
| |
units
|
| | |
|
| |
|
|
|
| |
LOG_DEBUG is already a log level, there is no need to use LOG_PRI which
is for filtering out the facility.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this change it is possible to send file descriptors to PID 1, via
sd_pid_notify_with_fds() which PID 1 will store individually for each
service, and pass via the usual fd passing logic on next invocation.
This is useful for enable daemon reload schemes where daemons serialize
their state to /run, push their fds into PID 1 and terminate, restoring
their state on next start from the data in /run and passed in from PID
1.
The fds are kept by PID 1 as long as no POLLHUP or POLLERR is seen on
them, and the service they belong to are either not dead or failed, or
have a job queued.
|
| | |
|
| |
|
|
| |
systemd[1]: Failed to set memory.limit_in_bytes on : Invalid argument
|
| |
|
|
|
|
|
|
|
|
|
| |
When systemd starts a service, it first opened /run/systemd/journal/stdout
socket, and only later switched to the right user.group (if they are
specified). Later on, journald looked at the credentials, and saw
root.root, because credentials are stored at the time the socket is
opened. As a result, all messages passed over _TRANSPORT=stdout were
logged with _UID=0, _GID=0.
Drop real uid and gid temporarily to fix the issue.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Let's unify the code that counts the running jobs a bit, in order to
make sure we are less likely to miss one.
This is related to this bug:
https://bugs.freedesktop.org/show_bug.cgi?id=87349
However, it probably won't fix it fully, and I cannot reproduce the issue.
The change also adds an explicit assert change when the counter is off.
|
| | |
|
| |
|
|
|
|
|
| |
for the container's own subtree in the name=systemd hierarchy
More specifically mount all other hierarchies in their entirety and the
name=systemd above the container's subtree read-only.
|
| |
|
|
| |
mounted read-only
|
| |
|
|
|
|
|
|
| |
-n is only allowed for root. /etc/mtab is nowadays almost always a link to /proc/,
so in practice this does not really matter too much, but should allow .mount units
to work in --user mode.
https://bugs.freedesktop.org/show_bug.cgi?id=87602
|
| | |
|
| |
|
|
|
|
|
| |
https://github.com/vlajos/misspell_fixer
https://github.com/torstehu/systemd/commit/b6fdeb618cf2f3ce1645b3315f15f482710c7ffa
Thanks to Torstein Husebo <torstein@huseboe.net>.
|
| |
|
|
| |
fail
|
| |
|
|
|
|
| |
We no longer configure the addresses on the loopback interface, but simply bring it up
and let the kernel do the rest. Also change the check to only check if the interface
is up, rather than checking for the IPv4 loopback address.
|
| | |
|
| |
|
|
|
| |
Add missing htonl() so that check_loopback() actually tests for 127.0.0.1
instead of 1.0.0.127 on little-endian machines.
|
| |
|
|
|
| |
There is alot of cleanup that will have to happen to turn on
-fstrict-aliasing, but I think our code should be "correct" to the rule.
|
| |
|
|
| |
Accidentally forgot to commit this. Sorry!
|
| |
|
|
|
|
|
|
| |
After all, pretty much all our tools include it, and it should hence be
shared.
Also move sysfs-show.h from core/ to login/, since it has no point to
exist in core.
|
| | |
|
| |
|
|
|
|
|
| |
files from core
Stuff in src/shared or src/libsystemd should *never* include code from
src/core or any of the tools, so don't do that here either. It's not OK!
|
| | |
|
| |
|
|
| |
The KDBUS_CMD_FREE ioctl struct has a size field now, which needs to be set.
|
| |
|
|
|
| |
hidden_file() is a bit more precise, since dot files usually shouldn't
be ignored, but certainly be considered hidden.
|
| |
|
|
| |
rm_rf_dangerous() needlessly
|
| |
|
|
|
|
|
|
|
| |
The handling of the command name and other arguments is unified. This
simplifies things and should make them more predictable for users.
Incidentally, this makes ExecStart handling match the .desktop file
specification, apart for the requirment for an absolute path.
https://bugs.freedesktop.org/show_bug.cgi?id=86171
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
fork() is not async-signal-safe and calling it from the signal handler
could result in a deadlock when at_fork() handlers are called. Using
the raw clone() syscall sidesteps that problem.
The tricky part is that raise() does not work, since getpid() does not
work. Add raw_getpid() to get the real pid, and use kill() instead of
raise().
https://bugs.freedesktop.org/show_bug.cgi?id=86604
|
