| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
| |
We make copies (without O_CLOEXEC) of the fds anyway before using them,
hence let's be safe and create them with O_CLOEXEC first, so that we
don't run into issues should pager_open() be called in a threaded
environment where another thread fork()s at the wrong time and ends up
with fds not marked O_CLOEXEC.
|
|
|
|
|
|
|
| |
The linux console apparently can't do underlining, hence let's not do it
on the console.
Also see: #6601
|
|
|
|
|
|
|
|
|
| |
glibc appears to propagate different errors in different ways, let's fix
this up, so that our own code doesn't get confused by this.
See #6752 + #6737 for details.
Fixes: #6755
|
|
|
|
| |
Fixes #6633.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a path passes though an autofs filesystem, then accessing
the path might trigger and automount. As elogind-tmpfiles is run before
the network is up, and as automounts are often used for networked
filesystems, this can cause a deadlock.
So chase_symlinks is enhance to accept a new flag which tells it
to check for autofs, and return -EREMOTE if autofs is found.
tmpfiles is changed to check just before acting on a path so that it
can avoid autofs even if a symlink was created earlier by tmpfiles
that would send this path through an autofs.
This fixes a deadlock that happens when /home is listed in /etc/fstab as
x-elogind.automount for an NFS directory.
|
|
|
|
|
|
| |
vfs is used
Fixes #6591.
|
|
|
|
|
|
| |
We have the same code at two places, let's unify that at one place.
Follow-up for #6606
|
| |
|
|
|
|
|
|
|
|
| |
This prevents `systemctl` from runnning /bin/touch when the following
command is used:
```
systemctl -H '-oProxyCommand=/bin/touch i-shouldnt-be-here' show-environment
```
|
|
|
|
|
|
| |
Reopen log so that failed and aborting assertions can be written to log.
Closes: #6658
|
| |
|
|
|
|
| |
Follow-up for 21771f338d268e06dc9a10b9b08b14ff8217d4be.
|
|
|
|
|
| |
`vt_is_busy(16)` would always return FALSE. So we could have started
autovt@16.service even when VT 16 was already being used for something.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a message is too large to fit into the output buffer, it will be
transmitted to the kernel in several chunks. However, the FDs must
only ever be transmitted once or they will bereceived by the remote
end repeatedly.
The D-Bus specification disallows several sets of FDs attached to
one message, however, the reference implementation of D-Bus will
not reject such a message, rather it will reassign the duplicate
FDs to subsequent FD-carrying messages.
This attaches the FD array only to the first byte of the message.
|
|
|
|
| |
terminal reset should honour default_utf8 kernel setting
|
|
|
|
|
|
|
| |
Let's lock the personality to the currently set one, if nothing is
specifically specified. But do so with a grain of salt, and never
default to any exotic personality here, but only PER_LINUX or
PER_LINUX32.
|
|
|
|
|
|
|
| |
Following commit b498d6ea, I belated realized we should tighten the
assertions as well, to make sure that we're setting `m->action_what` to
represent an action in progress. (The check for an action in progress is
to compare `m->action_what` to zero)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixed https://bugzilla.redhat.com/show_bug.cgi?id=1476313
as much as I was able to reproduce it in a VM, at least.
E.g. this signal might wake the screen back up, providing a more visible
indicator of suspend failure. In my VM testing, it was also required in
order to unblock keyboard input in gnome-shell after the failed suspend.
At the same time, fix the error handling for scheduled shutdowns. This now
mirrors the behaviour of when you use `shutdown -k` - it sends all the
scary messages about shutting down, "but you'll have to do it [shut down
the system] yourself". It also avoids the risk of locking out the admin
(nologin file), in case they logged out for some reason (and they use
`sudo` instead of root).
Not that I have any idea why you'd want to use `shutdown -k`, but the code
is easier to analyze if it rolls back on error (in the absence of any code
comment as to why that's not wanted).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is no justification not to wait an extra (default) 5 seconds, for
a more graceful shutdown of user programs. Again, you don't get to ignore
delay inhibitors for unscheduled shutdowns, short of
`systemctl poweroff -f`.
It is simplest if we move the test for `m->shutdown_dry_run` into
manager_scheduled_shutdown_handler().
However we need to not add such delays during a "dry run". Otherwise, we
would still have to be considered "in progress" for some seconds after our
admin has seen the final wall message. If they go to `poweroff`, we would
have blocked them with a misleading error message. Note this `poweroff`
will still process delay inhibitors as needed. If the admin planned to
use a more forceful method... eh. It's their responsibility to assess
whether that's safe.
There is an argument that the alternative behaviour could be used (racily!)
to kludge around them not being able to shutdown to "single user mode". If
we cared about that case, we would have easily preserved non-racy support
for it in `shutdown`.
Additionally, though I think this code does read more easily by reducing
inconsistencies, we didn't come up with any use case for delay inhibitors
v.s. shutdown.[1] The SIGTERM v.s. SIGKILL delay is more general, and we
allow a whole 90 seconds for it, not just 5. So I don't think keeping this
approach bears a risk of significant damage.
[1] https://www.freedesktop.org/wiki/Software/elogind/inhibit/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
> We don't want to shutdown while a suspend is running, and vice versa.
> This would be confusing and could lead to data loss in the worst case.
https://bugs.launchpad.net/ubuntu/+source/elogind/+bug/1441253/comments/4
According to the above comment, if the conflicting operation is hung,
we don't want to force things when the admin has not passed a force option.
Similarly if you're not an admin, you probably shouldn't get to sneak
around this check by using a scheduled shutdown instead of an unscheduled
one. (And no-one so far thought it necessary to add such a permission in
PolKit).
Note that if the conflicting operation was _not_ hung, and we lost the
race with suspend, the system might not have shut down at the scheduled
time anyway. Which is no good if you were scheduling a power outage.
And scheduling a shutdown for an arbitrary time when the system is resumed,
does not seem a very useful semantic. More likely, scheduled shutdowns are
useful on systems which do not use suspend, such as multi-user servers.
(In which case even PolKit defaults likely don't let the users trigger
suspend).
|
|
|
|
|
| |
Don't test for an empty `type` afterwards. This is not how you cancel
scheduled shutdowns - there's a separate method for that.
|
|
|
|
|
| |
This new function reports whether ambient caps are available, and should
be quick because the result is cached.
|
|
|
|
|
|
|
| |
privileges when executing a NOP
This way daemons which already dropped all caps may use the call to
drop priviliges again, which becomes a non-failing NOP.
|
|
|
|
|
|
|
| |
appropriate
When checking path prefixes we really should use the right APIs, just in
case people add multiple slashes to their paths...
|
|
|
|
|
|
|
| |
This new helper removes a leading /dev if there is one. We have code
doing this all over the place, let's unify this, and correct it while
we are at it, by using path_startswith() rather than startswith() to
drop the prefix.
|
|
|
|
| |
* Merge pull request #29 from shwsh/master
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
> glibc exports a function called sync(), we should probably avoid
> overloading that as a variable here locally (gcc even used to warn about
> that, not sure why it doesn't anymore), to avoid confusion around what
> "if (sync)" actually means
|
|
|
|
|
|
|
|
|
|
|
|
| |
instead of @Base (#6669)
This helps prevent symbol collisions with other programs and libraries. In particular,
because PAM modules are loaded into the process that is creating the session, and
elogind creates PAM sessions, the potential for collisions is high.
Disambiguate all elogind calls by tagging a 'version' SD_SHARED.
Fixes #6624
|
|
|
|
| |
NETLINK_RDMA has been in the kernel since v3.0.
|
|
|
|
|
|
| |
Tiny mistake, big effect.
Fixes: #6375
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For files which are vital to boot
1. Avoid opening any window where power loss will zero them out or worse.
I know app developers all coded to the ext3 implementation, but
the only formal documentation we have says we're broken if we actually
rely on it. E.g.
* `man mount`, search for `auto_da_alloc`.
* http://www.linux-mtd.infradead.org/faq/ubifs.html#L_atomic_change
* https://thunk.org/tytso/blog/2009/03/15/dont-fear-the-fsync/
2. If we tell the kernel we're interested in writing them to disk, it will
tell us if that fails. So at minimum, this means we play our part in
notifying the user about errors.
I refactored error-handling in `udevadm-hwdb` a little. It turns out I did
exactly the same as had already been done in the `elogind-hwdb` version,
i.e. commit d702dcd.
|
|
|
|
|
|
|
| |
privileges when executing a NOP
This way daemons which already dropped all caps may use the call to
drop priviliges again, which becomes a non-failing NOP.
|
| |
|
|
|
|
|
|
|
|
|
| |
Apparently, PAM documents that the PAM_TTY should come with a /dev
prefix, but we don't expect it so far, except that Wayland ends up
setting it after all, the way the docs suggest. Hence, let's simply drop
the /dev prefix if it is there.
Fixes: #6516
|
| |
|
| |
|
| |
|
| |
|
| |
|