| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In a number of occasions we use FORK_CLOSE_ALL_FDS when forking off a
child, since we don't want to pass fds to the processes spawned (either
because we later want to execve() some other process there, or because
our child might hang around for longer than expected, in which case it
shouldn't keep our fd pinned). This also closes any logging fds, and
thus means logging is turned off in the child. If we want to do proper
logging, explicitly reopen the logs hence in the child at the right
time.
This is particularly crucial in the umount/remount children we fork off
the shutdown binary, as otherwise the children can't log, which is
why #8155 is harder to debug than necessary: the log messages we
generate about failing mount() system calls aren't actually visible on
screen, as they done in the child processes where the log fds are
closed.
|
| |
|
|
|
|
|
|
|
|
|
| |
Coverity now started warning about this ("Calling unlinkat without checking
return value (as is done elsewhere 12 out of 15 times).", and it is right:
most of the time we should at list print a log message so people can figure
out something is wrong when this happens.
v2:
- use warning level in journald too (this is unlikely to happen ever, so it
should be safe to something that is visible by default).
|
| |
|
|
|
|
|
| |
This usually is very annoying to users who then cannot log in, so
make sure we always warn if that happens (selinux, or whatever other reason).
This reverts a790812cb349c5cef95d1b4a20fc80ca08d3a145.
|
| |
|
|
|
| |
Those files don't contain any @variables@, so the configuration step was just
copying them to build/. Let's avoid that, and fix their suffixes while at it.
|
| |
|
|
|
|
|
| |
* Don't merge translations into the files
* Add gettext-domain="systemd" to description and message
Closes #8162, replaces #8118.
|
| | |
|
| |
|
|
|
|
| |
path
Let's make use of our new hash_ops!
|
| |
|
|
|
|
|
|
| |
This change adds support for controlling the suspend-on-lid-close
behaviour based on the power status as well as whether the machine is
docked or has an external monitor. For backwards compatibility the new
configuration file variable is ignored completely by default, and must
be set explicitly before being considered in any decisions.
|
| |
|
|
|
| |
Don't install udev rules that requires the uaccess builtin if systemd is
being built without the uaccess builtin.
|
| |
|
|
|
| |
Don't install udev rules that requires the uaccess builtin if systemd is
being built without the uaccess builtin.
|
| |
|
|
|
|
| |
Apparently O_NONBLOCK is the modern name used in most documentation and
for most cases in our sources. Let's hence replace the old alias
O_NDELAY and stick to O_NONBLOCK everywhere.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
log.h really should only include the bare minimum of other headers, as
it is really pulled into pretty much everything else and already in
itself one of the most basic pieces of code we have.
Let's hence drop inclusion of:
1. sd-id128.h because it's entirely unneeded in current log.h
2. errno.h, dito.
3. sys/signalfd.h which we can replace by a simple struct forward
declaration
4. process-util.h which was needed for getpid_cached() which we now hide
in a funciton log_emergency_level() instead, which nicely abstracts
the details away.
5. sys/socket.h which was needed for struct iovec, but a simple struct
forward declaration suffices for that too.
Ultimately this actually makes our source tree larger (since users of
the functionality above must now include it themselves, log.h won't do
that for them), but I think it helps to untangle our web of includes a
tiny bit.
(Background: I'd like to isolate the generic bits of src/basic/ enough
so that we can do a git submodule import into casync for it)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
appropriate places"
This reverts commit 0b3c84eb7da3a8c28ac248a68228f6a7edbb2e19.
The removal of _cleanup_() usages was done on purpose, see
cf647b69baee4c478d3909c327e3d917e1563f44.
Fixes: #3543
|
| |
|
|
|
|
|
| |
The logic was completely borked since
e4d2984bf8514ab576a66d5ac1f1cde746bb32a3, correct that.
CID #1384234
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's directly reference /run instead, so that we can work without /var
being around, or with /var/run being incorrectly set up.
Note that we keep the old socket path in place when referencing the
system bus of containers, as they might be foreign operating systems,
that still don't have adopted /run, and where it makes sense to use the
standardized name instead. On local systems, we insist on /run being set
up properly however, hence this limitation does not apply.
Also, get rid of the UNIX_SYSTEM_BUS_ADDRESS and
UNIX_USER_BUS_ADDRESS_FMT defines. They had a purpose when we still did
kdbus, as we then had to support two different backends. But since
that's gone, we don't need this indirection anymore, hence settle on a
one define only.
|
| |
|
|
|
|
|
|
|
| |
Let's remove a number of synchronization points from our service
startups: let's drop synchronous match installation, and let's opt for
asynchronous instead.
Also, let's use sd_bus_match_signal() instead of sd_bus_add_match()
where we can.
|
| |
|
|
|
| |
This optimizes service startup a bit, and makes it less prone to
deadlocks.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This renames wait_for_terminate_and_warn() to
wait_for_terminate_and_check(), and adds a flags parameter, that
controls how much to log: there's one flag that means we log about
abnormal stuff, and another one that controls whether we log about
non-zero exit codes. Finally, there's a shortcut flag value for logging
in both cases, as that's what we usually use.
All callers are accordingly updated. At three occasions duplicate logging
is removed, i.e. where the old function was called but logged in the
caller, too.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new safe_fork() wrapper around fork() and makes use of it
everywhere. The new wrapper does a couple of things we previously did
manually and separately in a safer, more correct and automatic way:
1. Optionally resets signal handlers/mask in the child
2. Sets a name on all processes we fork off right after forking off (and
the patch assigns useful names for all processes we fork off now,
following a systematic naming scheme: always enclosed in () – in order
to indicate that these are not proper, exec()ed processes, but only
forked off children, and if the process is long-running with only our
own code, without execve()'ing something else, it gets am "sd-" prefix.)
3. Optionally closes all file descriptors in the child
4. Optionally sets a PR_SET_DEATHSIG to SIGTERM in the child, in a safe
way so that the parent dying before this happens being handled
safely.
5. Optionally reopens the logs
6. Optionally connects stdin/stdout/stderr to /dev/null
7. Debug logs about the forked off processes.
|
| |
|
|
| |
No functional change.
|
| |
|
|
|
| |
This message would also be emitted at boot for any user with linger
enabled, so "logged in" is the wrong term to use.
|
| |
|
|
| |
Don't bother with removing the directory if we didn't create it.
|
| | |
|
| |
|
|
| |
using elogind as a drop-in replacement expect the first.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This adds uid_is_system() and gid_is_system(), similar in style to
uid_is_dynamic(). That a helper like this is useful is illustrated by
the fact that test-condition.c didn't get the check right so far, which
this patch fixes.
|
| | |
|
| |
|
|
|
| |
We can't create files in sysfs, hence don't bother. Also if we ignore
the return value, do so explicitly by casting to void.
|
| |
|
|
|
|
|
| |
Let's explicitly tell PID 1 that we don't need an fd anymore, instead of
relying exclusively on POLLERR/POLLHUP for it to be removed.
Fixes: #6908
|
| |
|
|
| |
Fixes: #7466
|
| |
|
|
|
|
|
|
| |
Distcc removes comments, making the comment silencing
not work.
I know there was a decision against a macro in commit
ec251fe7d5bc24b5d38b0853bc5969f3a0ba06e2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SetLinger is authorized by the PolicyKit action "set-self-linger", if it is
not passed an explicit UID.
According to comments we were determining the default UID from the client's
session. However, user processes e.g. which are run from a terminal
emulator do not necessarily belong to a session scope unit. They may
equally be started from the elogind user manager [1][2]. Actually the
comment was wrong, and it would also have worked for processes
started from the elogind user manager.
Nevertheless it seems to involve fetching "augmented credentials" i.e.
it's using a racy method, so we shouldn't have been authenticating based
on it.
We could change the default UID, but that raises issues especially for
consistency between the methods. Instead we can just use the clients
effective UID for authorization.
This commit also fixes `loginctl enable-linger $USER` to match the docs
that say it was equivalent to `loginctl enable-linger` (given that $USER
matches the callers user and owner_uid). Previously, the former would not
have suceeded for unpriviliged users in the default configuration.
[1] It seems the main meaning of per-session scopes is tracking the PAM
login process. Killing that provokes logind to revoke device access. Less
circularly, killing it provokes getty to hangup the TTY.
[2] User units may be started with an environment which includes
XDG_SESSION_ID (presuambly GNOME does this?). Or not.
|
| |
|
|
|
|
|
| |
To maintain consistency with `loginctl user-status`, drop the fallback to
XDG_SESSION_ID for `loginctl enable-linger`. The fallback was unnecessary
and also incorrect: it passed the numeric value of the session identifier
as a UID value.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It's confusing that the bus API has aliases like "session/self" that return
an error based on ENXIO, when it also has methods that return e.g.
NO_SESSION_FOR_PID for the same problem. The latter kind of error includes
more specifically helpful messages.
"user/self" is the odd one out; it returns a generic UnknownObject error
when it is not applicable to the caller. It's not clear whether this was
intentional, but at first I thought it was more correct. More
specifically, user_object_find() was returning 0 for "user/self", in the
same situations (more or less) where user_node_enumerator() was omitting
"user/self". I thought that was a good idea, because returning e.g. -ENXIO instead
suggested that there _is_ something specific on that path. And it could be
confused with errors of the method being called.
Therefore I suggested changing the enumerator, always admitting that there
is a handler for the path "foo/self", but returning a specific error when
queried. However this interacts poorly with tools like D-Feet or `busctl`.
In either tool, looking at logind would show an error message, and then go
on to omit "user/self" in the normal listing. These tools are very useful,
so we don't want to interfere with them.
I think we can change the error codes without causing problems. The self
objects were not listed in the documentation. They have been suggested to
other projects - but without reference to error reporting. "seat/self" is
used by various Wayland compositors for VT switching, but they don't appear
to reference specific errors.
We _could_ insist on the link between enumeration and UnknownObject, and
standardize on that as the error for the aliases. But I'm not aware of any
practical complaints, that we returned an error from an object that didn't
exist.
Instead, let's unify the codepaths for "user/self" vs GetUserByPid(0) etc.
We will return the most helpful error message we can think of, if the
object does not exist. E.g. for "session/self", we might return an error
that the caller does not belong to a session. If one of the compositors is
ever simplified to use "session/self" in initialization, users would be
able to trigger such errors (e.g. run `gnome-shell` inside gnome-terminal).
The message text will most likely be logged. The user might not know what
the "session" is, but at least we'll be pointing towards the right
questions. I think it should also be clearer for development / debugging.
Unifying the code paths is also slightly helpful for auditing / marking
calls to sd_bus_creds_get_session() in subsequent commits.
|
| |
|
|
|
|
|
|
| |
- Remove the uaccess tag from /dev/dri/renderD*.
- Change the owning group from video to render.
- Change default mode to 0666.
- Add an option to allow users to set the access mode for these devices at
compile time.
|
| |
|
|
|
| |
- Remove uaccess tag from /dev/kvm.
- Change the default mode for /dev/kvm to 0666.
|
| |
|
|
|
| |
gcc does not warn about those, because of the _cleanup_ usage.
clang is smarter here.
|
| |
|
|
|
|
|
|
|
|
| |
In https://bugzilla.redhat.com/show_bug.cgi?id=1486859 error messages appera:
Sep 06 19:09:07 ld92.e.math.uh.edu audit[21482]: AVC avc: denied { read } for pid=21482 comm="elogind-logind" name="dbus-1" dev="tmpfs" ino=5548194 scontext=system_u:system_r:elogind_logind_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=dir permissive=0
Sep 06 19:09:07 ld92.e.math.uh.edu elogind-logind[21482]: Failed to remove runtime directory /run/user/8664: Permission denied
But it's not clear which of the two rm_rf's is the source. Let's make
them different.
|
| | |
|
| | |
|
| |
|
|
| |
elogind block.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The uaccess udev builtin command is only used by logind and contains
functionality only implemented in logind. As such, while we cannot
write udev-builtin commands in elogind (not being udev), we can write
standalone binaries and rewrite our udev rules to use them instead.
This fixes the feature of granting users access to devices using a user
ACL which is toggled only when the user is associated with an active
session. Currently this functionality is half broken, as while the ACL
is granted and revoked while VT-switching, it is not granted to new
devices as they are plugged in. This issue is fixed by this commit.
|
| | |
|
| | |
|
