| Commit message (Collapse) | Author | Age |
| |
(cherry picked from commit a96cb75c17b008312fca8f81bc2a126f8a87850c)
| |
No functional change.
| |
This message would also be emitted at boot for any user with linger
enabled, so "logged in" is the wrong term to use.
| |
Don't bother with removing the directory if we didn't create it.
| |
using elogind as a drop-in replacement expect the first.
| |
This adds uid_is_system() and gid_is_system(), similar in style to
uid_is_dynamic(). That a helper like this is useful is illustrated by
the fact that test-condition.c didn't get the check right so far, which
this patch fixes.
| |
In https://bugzilla.redhat.com/show_bug.cgi?id=1486859 error messages appear:
Sep 06 19:09:07 ld92.e.math.uh.edu audit[21482]: AVC avc: denied { read } for pid=21482 comm="elogind-logind" name="dbus-1" dev="tmpfs" ino=5548194 scontext=system_u:system_r:elogind_logind_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
Sep 06 19:09:07 ld92.e.math.uh.edu elogind-logind[21482]: Failed to remove runtime directory /run/user/8664: Permission denied
But it's not clear which of the two rm_rf's is the source. Let's make
them different.
| |
The included cocci was used to generate the changes.
Thanks to @flo-wer for pointing this case out.
| |
If manager_gc() does not find the user/session, their respective
finalize_*() method is never called, leaving stale state files in
/run/systemd/sessions and run/systemd/users.
| |
Let's use chase_symlinks() everywhere, and stop using GNU
canonicalize_file_name() everywhere. For most cases this should not change
behaviour, however increase exposure of our function to get better tested. Most
importantly in a few cases (most notably nspawn) it can take the correct root
directory into account when chasing symlinks.
| |
We don't have plural in the name of any other -util files and this
inconsistency trips me up every time I try to type this file name
from memory. "formats-util" is even hard to pronounce.
| |
When a docker container is confined with AppArmor [1] and happens to run
on top of a kernel that supports mount mediation [2], e.g. any Ubuntu
kernel, mount(2) returns EACCES instead of EPERM. This then leads to:
elogind-logind[33]: Failed to mount per-user tmpfs directory /run/user/1000: Permission denied
login[42]: pam_elogind(login:session): Failed to create session: Access denied
and user sessions don't start.
This also applies to selinux that too returns EACCES on mount denial.
[1] https://github.com/docker/docker/blob/master/docs/security/apparmor.md#understand-the-policies
[2] http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/kernel-patches/4.7/0025-UBUNTU-SAUCE-apparmor-Add-the-ability-to-mediate-mou.patch
| |
The parsing functions for [User]TasksMax were inconsistent. Empty string and
"infinity" were interpreted as no limit for TasksMax but not accepted for
UserTasksMax. Update them so that they're consistent with other knobs.
* Empty string indicates the default value.
* "infinity" indicates no limit.
While at it, replace opencoded (uint64_t) -1 with CGROUP_LIMIT_MAX in TasksMax
handling.
v2: Update empty string to indicate the default value as suggested by Zbigniew
Jędrzejewski-Szmek.
v3: Fixed empty UserTasksMax handling.
| |
This adds the boolean RemoveIPC= setting to service, socket, mount and swap
units (i.e. all unit types that may invoke processes). If turned on, and the
unit's user/group is not root, all IPC objects of the user/group are removed
when the service is shut down. The life-cycle of the IPC objects is hence bound
to the unit life-cycle.
This is particularly relevant for units with dynamic users, as it is essential
that no objects owned by the dynamic users survive the service exiting. In
fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set.
In order to communicate the UID/GID of an executed process back to PID 1 this
adds a new "user lookup" socket pair, that is inherited into the forked
processes, and closed before the exec(). This is needed since we cannot do NSS
from PID 1 due to deadlock risks, however we need to know the used UID/GID in
order to clean up IPC owned by it if the unit shuts down.
| |
config_parse_user_tasks_max() was incorrectly accepting percentage value
between 1 and 99. Update it to accept 0% and 100%. This brings it in line
with TasksMax handling in elogind.
(cherry picked from commit cb3e4417590196bd30e1b8097348dca6ba34bd15)
| |
Let's change from a fixed value of 12288 tasks per user to a relative value of
33%, which with the kernel's default of 32768 translates to 10813. This is a
slight decrease of the limit, for no other reason than "33%" sounding like a nice
round number that is close enough to 12288 (which would translate to 37.5%).
(Well, it also has the nice effect of still leaving a bit of room in the PID
space if there are 3 cooperating evil users that try to consume all PIDs...
Also, I like my bikesheds blue).
Since the new value is taken relative, and machined's TasksMax= setting
defaults to 16384, 33% inside of containers is usually equivalent to 5406,
which should still be ample space.
To summarize:
            | on the host | in the container
old default |       12288 |            12288
new default |       10813 |             5406
| |
The various bits of code did the scaling all different, let's unify this,
given that the code is not trivial.
| |
And port a couple of users over to it.
| |
The deserialize_timestamp_value() is renamed timestamp_deserialize() to be more
consistent with dual_timestamp_deserialize()
And add the NULL check back on realtime and monotonic
| |
which is introduced in the ebf30a086d commit.
| |
Compare errno with zero in a way that tells gcc that
(if the condition is true) errno is positive.
| |
Apply remaining fixes and the performed move of utility functions
into their own foo-util.[hc] files on the rest of elogind.
| |
If the last reference to a user is released, we queue stop-jobs for the
user-service and slice. Only once those are finished, we drop the
user-object. However, if a new session is opened before the user object is
fully dropped, we currently incorrectly re-use the object. This has the
effect, that we get stale sessions without a valid "elogind --user"
instance.
Fix this by properly allowing user_start() to be called, even if
user->stopping is true.
| |
This commit substitutes all occurrences of
free(foo);
foo = NULL;
with
foo = mfree(foo);
| |
Create a private cgroup tree associated with no controllers, and use it
to map PIDs to sessions. Since we use our own path structure, remove
internal cgroup-related helpers that interpret the cgroup path structure
to pull out users, slices, and scopes.
| |
* elogind does not support systemd services and units. But at least
the units are needed to support the systemd cgroup slice/scope
system.
* Remove systemd subscription to scope, service and slice jobs.
These can not be supported in any way, as they depend on systemd
running the machine.
* The functions session_start_scope(), user_start_service() and
user_start_slice() no longer try to call systemd via dbus for
assistance.
This way they generate their proper scope, service and slice names,
and store them in the Manager's HashMaps for session and user units.
This should enable us to reverse track pids to users and such
stuff, as that is what systemd-logind does, not knowing whether any
unit *really* has been started or not.
However, this will not work out of the box until we find a way to
integrate cg_create_everywhere() into elogind without becoming
dependent on systemd unit, service and job knowledge again.
| |
during git am transfer.
| |
Prep v220: Update logind and loginctl to upstream version.
Prep v220: src/shared/rm-rf.c does not need to be able to handle btrfs subvolumes for elogind.
| |
Create a private cgroup tree associated with no controllers, and use it
to map PIDs to sessions. Since we use our own path structure, remove
internal cgroup-related helpers that interpret the cgroup path structure
to pull out users, slices, and scopes.
| |
This removes attempts by logind to listen to systemd messages over the
bus, and to start and/or manage units associated with sessions and
users.
| |
* src/login/logind-user.c (user_start): Don't start slices and
systemd-user services.
* src/login/logind-dbus.c (method_create_session): Send a reply directly
instead of waiting on systemd that isn't there.
* configure.ac: Bump version.
| |
Previously, this had a race condition during a user's first login.
Some component calls CreateSession (most likely by a PAM service
other than 'systemd-user' running pam_systemd), with the following
results:
- logind:
* create the user's XDG_RUNTIME_DIR
* tell pid 1 to create user-UID.slice
* tell pid 1 to start user@UID.service
Then these two processes race:
- logind:
* save information including XDG_RUNTIME_DIR to /run/systemd/users/UID
- the subprocess of pid 1 responsible for user@service:
* start a 'systemd-user' PAM session, which reads XDG_RUNTIME_DIR
and puts it in the environment
* run systemd --user, which requires XDG_RUNTIME_DIR in the
environment
If logind wins the race, which usually happens, everything is fine;
but if the subprocesses of pid 1 win the race, which can happen
under load, then systemd --user exits unsuccessfully.
To avoid this race, we have to write out /run/systemd/users/UID
even though the service has not "officially" started yet;
previously this did an early-return without saving anything.
Record its state as OPENING in this case.
Bug: https://github.com/systemd/systemd/issues/232
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
| |
As discussed in #257: we should ensure the selinux label is correctly
applied to each user's XDG_RUNTIME_DIR.
| |
Let's use it as initializer where appropriate.
| |
Fix CID 1304686: Dereference after null check (FORWARD_NULL)
However, this commit does not fix any bug in logind. It helps to keep
the elect_display_compare() function generic.