1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-10 01:17:44 +03:00

Merge pull request #3005 from keszybz/kill-user-proceses

Kill user session scope by default
This commit is contained in:
Lennart Poettering 2016-04-21 12:29:36 +02:00
commit 52b9b66b7d
15 changed files with 374 additions and 185 deletions

View File

@ -5720,7 +5720,7 @@ dist_dbussystemservice_DATA += \
dist_dbuspolicy_DATA += \
src/login/org.freedesktop.login1.conf
dist_pkgsysconf_DATA += \
nodist_pkgsysconf_DATA += \
src/login/logind.conf
polkitpolicy_files += \
@ -5757,7 +5757,8 @@ gperf_gperf_sources += \
EXTRA_DIST += \
src/login/71-seat.rules.in \
src/login/73-seat-late.rules.in \
units/systemd-logind.service.in
units/systemd-logind.service.in \
src/login/logind.conf.in
# ------------------------------------------------------------------------------
if HAVE_PAM
@ -5874,6 +5875,7 @@ substitutions = \
'|NTP_SERVERS=$(NTP_SERVERS)|' \
'|DNS_SERVERS=$(DNS_SERVERS)|' \
'|DEFAULT_DNSSEC_MODE=$(DEFAULT_DNSSEC_MODE)|' \
'|KILL_USER_PROCESSES=$(KILL_USER_PROCESSES)|' \
'|systemuidmax=$(SYSTEM_UID_MAX)|' \
'|systemgidmax=$(SYSTEM_GID_MAX)|' \
'|TTY_GID=$(TTY_GID)|' \

31
NEWS
View File

@ -22,9 +22,30 @@ CHANGES WITH 230 in spe:
* systemd-resolve conveniently resolves DANE records with the --tlsa
option and OPENPGPKEY records with the --openpgp option.
* Testing tool /usr/lib/systemd/systemd-activate is renamed to
systemd-socket-activate and installed into /usr/bin. It is now fully
supported.
* systemd-logind will now by default terminate user processes that are
part of the user session scope unit (session-XX.scope) when the user
logs out. This behaviour is controlled by the
KillUserProcesses=yes|no setting in logind.conf, and previous default
of "no" is now changed to "yes". This means that user sessions will
be properly cleaned up after, but additional steps are necessary to
allow intentionally long-running processes to survive logout.
While the user is logged in at least once, user@.service is running,
and any service that should survive the end of any individual login
session can be started at a user service or scope using systemd-run.
systemd-run(1) man page has been extended with an example which
shows how to run screen in a scope unit underneath user@.service.
The same command works for tmux.
After the user logs out of all sessions, user@.service will be
terminated too, by default, unless the user has "lingering" enabled.
To effectively allow users to run long-term tasks even if they are
logged out, lingering must be enabled for them. See loginctl(1) for
details. The default polkit policy was modified to allow users to
set lingering for themselves without authentication.
Previous defaults can be restored at compile time by the
--without-kill-user-processes option.
* The unified cgroup hierarchy added in Linux 4.5 is now supported.
Use systemd.unified_cgroup_hierarchy=1 on the kernel command line
@ -45,6 +66,10 @@ CHANGES WITH 230 in spe:
* The Unique Identifier sent in DHCP requests can be configured.
* Testing tool /usr/lib/systemd/systemd-activate is renamed to
systemd-socket-activate and installed into /usr/bin. It is now fully
supported.
* systemd-journald now uses separate threads to flush changes to
disk when closing journal files.

View File

@ -1014,6 +1014,16 @@ fi
AM_CONDITIONAL(ENABLE_LOGIND, [test "$have_logind" = "yes"])
AS_IF([test "$have_logind" = "yes"], [ AC_DEFINE(HAVE_LOGIND, [1], [Logind support available]) ])
AC_ARG_WITH([kill-user-processes],
[AS_HELP_STRING([--without-kill-user-processes], [Set logind's KillUserProcesses=no by default])])
AS_IF([test "$with_kill_user_processes" != "no"],
[kill_user_processes=true
KILL_USER_PROCESSES=yes],
[kill_user_processes=false
KILL_USER_PROCESSES=no])
AC_DEFINE_UNQUOTED(KILL_USER_PROCESSES, [$kill_user_processes], [Default KillUserProcesses setting])
AC_SUBST(KILL_USER_PROCESSES)
# ------------------------------------------------------------------------------
have_machined=no
AC_ARG_ENABLE(machined, AS_HELP_STRING([--disable-machined], [disable machine daemon]))
@ -1585,6 +1595,7 @@ AC_MSG_RESULT([
backlight: ${have_backlight}
rfkill: ${have_rfkill}
logind: ${have_logind}
Default KillUserProcesses setting: ${KILL_USER_PROCESSES}
machined: ${have_machined}
importd: ${have_importd}
hostnamed: ${have_hostnamed}

View File

@ -312,7 +312,10 @@
This allows users who are not logged in to run long-running
services. Takes one or more user names or numeric UIDs as
argument. If no argument is specified, enables/disables
lingering for the user of the session of the caller.
lingering for the user of the session of the caller.</para>
<para>See also <varname>KillUserProcesses=</varname> setting in
<citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para></listitem>
</varlistentry>
@ -410,6 +413,37 @@
otherwise.</para>
</refsect1>
<refsect1>
<title>Examples</title>
<example>
<title>Querying user status</title>
<programlisting>$ loginctl user-status
fatima (1005)
Since: Sat 2016-04-09 14:23:31 EDT; 54min ago
State: active
Sessions: 5 *3
Unit: user-1005.slice
├─user@1005.service
...
├─session-3.scope
...
└─session-5.scope
├─3473 login -- fatima
└─3515 -zsh
Apr 09 14:40:30 laptop login[2325]: pam_unix(login:session):
session opened for user fatima by LOGIN(uid=0)
Apr 09 14:40:30 laptop login[2325]: LOGIN ON tty3 BY fatima
</programlisting>
<para>There are two sessions, 3 and 5. Session 3 is a graphical session,
marked with a star. The tree of processing including the two corresponding
scope units and the user manager unit are shown.</para>
</example>
</refsect1>
<xi:include href="less-variables.xml" />
<refsect1>

View File

@ -119,30 +119,46 @@
<varlistentry>
<term><varname>KillUserProcesses=</varname></term>
<listitem><para>Takes a boolean argument. Configures whether
the processes of a user should be killed when the user
completely logs out (i.e. after the user's last session
ended). Defaults to <literal>no</literal>.</para>
<listitem><para>Takes a boolean argument. Configures whether the processes of a
user should be killed when the user logs out. If true, the scope unit
corresponding to the session and all processes inside that scope will be
terminated. If false, the scope is "abandonded", see
<citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
and processes are not killed. Defaults to <literal>yes</literal>,
but see the options <varname>KillOnlyUsers=</varname> and
<varname>KillExcludeUsers=</varname> below.</para>
<para>Note that setting <varname>KillUserProcesses=1</varname>
<para>In addition to session processes, user process may run under the user
manager unit <filename>user@.service</filename>. Depending on the linger
settings, this may allow users to run processes independent of their login
sessions. See the description of <command>enable-linger</command> in
<citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
</para>
<para>Note that setting <varname>KillUserProcesses=yes</varname>
will break tools like
<citerefentry project='die-net'><refentrytitle>screen</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
<citerefentry project='die-net'><refentrytitle>screen</refentrytitle><manvolnum>1</manvolnum></citerefentry>
and
<citerefentry project='die-net'><refentrytitle>tmux</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
unless they are moved out of the session scope. See example in
<citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>KillOnlyUsers=</varname></term>
<term><varname>KillExcludeUsers=</varname></term>
<listitem><para>These settings take space-separated lists of
usernames that influence the effect of
<varname>KillUserProcesses=</varname>. If not empty, only
processes of users listed in <varname>KillOnlyUsers=</varname>
will be killed when they log out entirely. Processes of users
listed in <varname>KillExcludeUsers=</varname> are excluded
from being killed. <varname>KillExcludeUsers=</varname>
defaults to <literal>root</literal> and takes precedence over
<varname>KillOnlyUsers=</varname>, which defaults to the empty
list.</para></listitem>
<listitem><para>These settings take space-separated lists of usernames that override
the <varname>KillUserProcesses=</varname> setting. A user name may be added to
<varname>KillExcludeUsers=</varname> to exclude the processes in the session scopes of
that user from being killed even if <varname>KillUserProcesses=yes</varname> is set. If
<varname>KillExcludeUsers=</varname> is not set, the <literal>root</literal> user is
excluded by default. <varname>KillExcludeUsers=</varname> may be set to an empty value
to override this default. If a user is not excluded, <varname>KillOnlyUsers=</varname>
is checked next. If this setting is specified, only the session scopes of those users
will be killed. Otherwise, users are subject to the
<varname>KillUserProcesses=yes</varname> setting.</para></listitem>
</varlistentry>
<varlistentry>

View File

@ -341,8 +341,8 @@
<refsect1>
<title>Examples</title>
<para>The following command will log the environment variables
provided by systemd to services:</para>
<example>
<title>Logging environment variables provided by systemd to services</title>
<programlisting># systemd-run env
Running as unit: run-19945.service
@ -352,15 +352,23 @@ Sep 08 07:37:21 bupkis systemd[1]: Started /usr/bin/env.
Sep 08 07:37:21 bupkis env[19948]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Sep 08 07:37:21 bupkis env[19948]: LANG=en_US.UTF-8
Sep 08 07:37:21 bupkis env[19948]: BOOT_IMAGE=/vmlinuz-3.11.0-0.rc5.git6.2.fc20.x86_64</programlisting>
</example>
<para>The following command invokes the
<example>
<title>Limiting resources available to a command</title>
<programlisting># systemd-run -p BlockIOWeight=10 updatedb</programlisting>
<para>This command invokes the
<citerefentry project='man-pages'><refentrytitle>updatedb</refentrytitle><manvolnum>8</manvolnum></citerefentry>
tool, but lowers the block I/O weight for it to 10. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on the <varname>BlockIOWeight=</varname>
property.</para>
</example>
<programlisting># systemd-run -p BlockIOWeight=10 updatedb</programlisting>
<example>
<title>Running commands at a specified time</title>
<para>The following command will touch a file after 30 seconds.</para>
@ -376,13 +384,60 @@ Dec 08 20:44:38 container systemd[1]: Started /bin/touch /tmp/foo.
-- Logs begin at Fri 2014-12-05 19:09:21 KST, end at Mon 2014-12-08 20:44:54 KST. --
Dec 08 20:44:48 container systemd[1]: Starting /bin/touch /tmp/foo...
Dec 08 20:44:48 container systemd[1]: Started /bin/touch /tmp/foo.</programlisting>
</example>
<para>The following command invokes <filename>/bin/bash</filename>
as a service passing its standard input, output and error to
the calling TTY.</para>
<example>
<title>Allowing access to the tty</title>
<para>The following command invokes <filename>/bin/bash</filename> as a service
passing its standard input, output and error to the calling TTY.</para>
<programlisting># systemd-run -t --send-sighup /bin/bash</programlisting>
</example>
<example>
<title>Start <command>screen</command> as a user service</title>
<programlisting>$ systemd-run --scope --user screen
Running scope as unit run-r14b0047ab6df45bfb45e7786cc839e76.scope.
$ screen -ls
There is a screen on:
492..laptop (Detached)
1 Socket in /var/run/screen/S-fatima.
</programlisting>
<para>This starts the <command>screen</command> process as a child of the
<command>systemd --user</command> process that was started by
<filename>user@.service</filename>, in a scope unit. A
<citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>
unit is used instead of a
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
unit, because <command>screen</command> will exit when detaching from the terminal,
and a service unit would be terminated. Running <command>screen</command>
as a user unit has the advantage that it is not part of the session scope.
If <varname>KillUserProcesses=yes</varname> is configured in
<citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
the default, the session scope will be terminated when the user logs
out of that session.</para>
<para>The <filename>user@.service</filename> is started automatically
when the user first logs in, and stays around as long as at least one
login session is open. After the user logs out of the last session,
<filename>user@.service</filename> and all services underneath it
are terminated. This behaviour is the default, when "lingering" is
not enabled for that user. Enabling lingering means that
<filename>user@.service</filename> is started automatically during
boot, even if the user is not logged in, and that the service is
not terminated when the user logs out.</para>
<para>Enabling lingering allows the user to run processes without being logged in,
for example to allow <command>screen</command> to persist after the user logs out,
even if the session scope is terminated. In the default configuration, users can
enable lingering for themselves:</para>
<programlisting>$ loginctl enable-linger</programlisting>
</example>
</refsect1>
<refsect1>

View File

@ -110,6 +110,7 @@ static int callback_type_to_priority(int type) {
*/
_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
va_list ap;
const char *fmt2;
#ifdef HAVE_AUDIT
int fd;
@ -131,8 +132,10 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
}
#endif
fmt2 = strjoina("selinux: ", fmt);
va_start(ap, fmt);
log_internalv(LOG_AUTH | callback_type_to_priority(type), 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
log_internalv(LOG_AUTH | callback_type_to_priority(type), 0, __FILE__, __LINE__, __FUNCTION__, fmt2, ap);
va_end(ap);
return 0;

View File

@ -1,4 +1,5 @@
/logind-gperf.c
/logind.conf
/org.freedesktop.login1.policy
/71-seat.rules
/73-seat-late.rules

View File

@ -293,6 +293,7 @@ typedef struct SessionStatusInfo {
typedef struct UserStatusInfo {
uid_t uid;
bool linger;
char *name;
struct dual_timestamp timestamp;
char *state;
@ -551,6 +552,7 @@ static int print_user_status_info(sd_bus *bus, const char *path, bool *new_line)
static const struct bus_properties_map map[] = {
{ "Name", "s", NULL, offsetof(UserStatusInfo, name) },
{ "Linger", "b", NULL, offsetof(UserStatusInfo, linger) },
{ "Slice", "s", NULL, offsetof(UserStatusInfo, slice) },
{ "State", "s", NULL, offsetof(UserStatusInfo, state) },
{ "UID", "u", NULL, offsetof(UserStatusInfo, uid) },
@ -595,16 +597,16 @@ static int print_user_status_info(sd_bus *bus, const char *path, bool *new_line)
char **l;
printf("\tSessions:");
STRV_FOREACH(l, i.sessions) {
if (streq_ptr(*l, i.display))
printf(" *%s", *l);
else
printf(" %s", *l);
}
STRV_FOREACH(l, i.sessions)
printf(" %s%s",
streq_ptr(*l, i.display) ? "*" : "",
*l);
printf("\n");
}
printf("\t Linger: %s\n", yes_no(i.linger));
if (i.slice) {
printf("\t Unit: %s\n", i.slice);
show_unit_cgroup(bus, "org.freedesktop.systemd1.Slice", i.slice, 0);

View File

@ -364,16 +364,16 @@ bool manager_shall_kill(Manager *m, const char *user) {
assert(m);
assert(user);
if (!m->kill_user_processes)
if (!m->kill_exclude_users && streq(user, "root"))
return false;
if (strv_contains(m->kill_exclude_users, user))
return false;
if (strv_isempty(m->kill_only_users))
return true;
if (!strv_isempty(m->kill_only_users))
return strv_contains(m->kill_only_users, user);
return m->kill_user_processes;
}
static int vt_is_busy(unsigned int vtnr) {

View File

@ -1077,11 +1077,11 @@ static int method_terminate_seat(sd_bus_message *message, void *userdata, sd_bus
static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_free_ char *cc = NULL;
Manager *m = userdata;
int b, r;
int r, b, interactive;
struct passwd *pw;
const char *path;
uint32_t uid;
int interactive;
bool self = false;
assert(message);
assert(m);
@ -1102,6 +1102,8 @@ static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bu
if (r < 0)
return r;
self = true;
} else if (!uid_is_valid(uid))
return -EINVAL;
@ -1113,7 +1115,7 @@ static int method_set_user_linger(sd_bus_message *message, void *userdata, sd_bu
r = bus_verify_polkit_async(
message,
CAP_SYS_ADMIN,
"org.freedesktop.login1.set-user-linger",
self ? "org.freedesktop.login1.set-self-linger" : "org.freedesktop.login1.set-user-linger",
NULL,
interactive,
UID_INVALID,

View File

@ -41,6 +41,35 @@
static void manager_free(Manager *m);
static void manager_reset_config(Manager *m) {
m->n_autovts = 6;
m->reserve_vt = 6;
m->remove_ipc = true;
m->inhibit_delay_max = 5 * USEC_PER_SEC;
m->handle_power_key = HANDLE_POWEROFF;
m->handle_suspend_key = HANDLE_SUSPEND;
m->handle_hibernate_key = HANDLE_HIBERNATE;
m->handle_lid_switch = HANDLE_SUSPEND;
m->handle_lid_switch_docked = HANDLE_IGNORE;
m->power_key_ignore_inhibited = false;
m->suspend_key_ignore_inhibited = false;
m->hibernate_key_ignore_inhibited = false;
m->lid_switch_ignore_inhibited = true;
m->holdoff_timeout_usec = 30 * USEC_PER_SEC;
m->idle_action_usec = 30 * USEC_PER_MINUTE;
m->idle_action = HANDLE_IGNORE;
m->runtime_dir_size = PAGE_ALIGN((size_t) (physical_memory() / 10)); /* 10% */
m->user_tasks_max = UINT64_C(12288);
m->kill_user_processes = KILL_USER_PROCESSES;
m->kill_only_users = strv_free(m->kill_only_users);
m->kill_exclude_users = strv_free(m->kill_exclude_users);
}
static Manager *manager_new(void) {
Manager *m;
int r;
@ -52,25 +81,8 @@ static Manager *manager_new(void) {
m->console_active_fd = -1;
m->reserve_vt_fd = -1;
m->n_autovts = 6;
m->reserve_vt = 6;
m->remove_ipc = true;
m->inhibit_delay_max = 5 * USEC_PER_SEC;
m->handle_power_key = HANDLE_POWEROFF;
m->handle_suspend_key = HANDLE_SUSPEND;
m->handle_hibernate_key = HANDLE_HIBERNATE;
m->handle_lid_switch = HANDLE_SUSPEND;
m->handle_lid_switch_docked = HANDLE_IGNORE;
m->lid_switch_ignore_inhibited = true;
m->holdoff_timeout_usec = 30 * USEC_PER_SEC;
m->idle_action_usec = 30 * USEC_PER_MINUTE;
m->idle_action = HANDLE_IGNORE;
m->idle_action_not_before_usec = now(CLOCK_MONOTONIC);
m->runtime_dir_size = PAGE_ALIGN((size_t) (physical_memory() / 10)); /* 10% */
m->user_tasks_max = UINT64_C(12288);
m->devices = hashmap_new(&string_hash_ops);
m->seats = hashmap_new(&string_hash_ops);
m->sessions = hashmap_new(&string_hash_ops);
@ -84,10 +96,6 @@ static Manager *manager_new(void) {
if (!m->devices || !m->seats || !m->sessions || !m->users || !m->inhibitors || !m->buttons || !m->user_units || !m->session_units)
goto fail;
m->kill_exclude_users = strv_new("root", NULL);
if (!m->kill_exclude_users)
goto fail;
m->udev = udev_new();
if (!m->udev)
goto fail;
@ -98,6 +106,8 @@ static Manager *manager_new(void) {
sd_event_set_watchdog(m->event, true);
manager_reset_config(m);
return m;
fail:
@ -986,6 +996,30 @@ static int manager_dispatch_idle_action(sd_event_source *s, uint64_t t, void *us
return 0;
}
static int manager_parse_config_file(Manager *m) {
assert(m);
return config_parse_many(PKGSYSCONFDIR "/logind.conf",
CONF_PATHS_NULSTR("systemd/logind.conf.d"),
"Login\0",
config_item_perf_lookup, logind_gperf_lookup,
false, m);
}
static int manager_dispatch_reload_signal(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
Manager *m = userdata;
int r;
manager_reset_config(m);
r = manager_parse_config_file(m);
if (r < 0)
log_warning_errno(r, "Failed to parse config file, using defaults: %m");
else
log_info("Config file reloaded.");
return 0;
}
static int manager_startup(Manager *m) {
int r;
Seat *seat;
@ -997,6 +1031,12 @@ static int manager_startup(Manager *m) {
assert(m);
assert_se(sigprocmask_many(SIG_SETMASK, NULL, SIGHUP, -1) >= 0);
r = sd_event_add_signal(m->event, NULL, SIGHUP, manager_dispatch_reload_signal, m);
if (r < 0)
return log_error_errno(r, "Failed to register SIGHUP handler: %m");
/* Connect to console */
r = manager_connect_console(m);
if (r < 0)
@ -1099,16 +1139,6 @@ static int manager_run(Manager *m) {
}
}
static int manager_parse_config_file(Manager *m) {
assert(m);
return config_parse_many(PKGSYSCONFDIR "/logind.conf",
CONF_PATHS_NULSTR("systemd/logind.conf.d"),
"Login\0",
config_item_perf_lookup, logind_gperf_lookup,
false, m);
}
int main(int argc, char *argv[]) {
Manager *m = NULL;
int r;

View File

@ -14,7 +14,7 @@
[Login]
#NAutoVTs=6
#ReserveVT=6
#KillUserProcesses=no
#KillUserProcesses=@KILL_USER_PROCESSES@
#KillOnlyUsers=
#KillExcludeUsers=root
#InhibitDelayMaxSec=5

View File

@ -111,6 +111,14 @@
</defaults>
</action>
<action id="org.freedesktop.login1.set-self-linger">
<_description>Allow non-logged-in user to run programs</_description>
<_message>Explicit request is required to run programs as a non-logged-in user.</_message>
<defaults>
<allow_any>yes</allow_any>
</defaults>
</action>
<action id="org.freedesktop.login1.set-user-linger">
<_description>Allow non-logged-in users to run programs</_description>
<_message>Authentication is required to run programs as a non-logged-in user.</_message>

View File

@ -1073,7 +1073,7 @@ int add_matches_for_unit(sd_journal *j, const char *unit) {
);
if (r == 0 && endswith(unit, ".slice")) {
char *m5 = strappend("_SYSTEMD_SLICE=", unit);
const char *m5 = strjoina("_SYSTEMD_SLICE=", unit);
/* Show all messages belonging to a slice */
(void)(