From e0e65f7d097841630faac1f6813ec9bcf2083faa Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 24 Jun 2019 14:20:36 +0200 Subject: [PATCH 1/5] man: document that DynamicUser=1 implied sandboxing cannot be turned off Fixes: #12476 --- man/systemd.exec.xml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index d65b842f44..f333c2c812 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -254,14 +254,15 @@ part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to these files or directories. If DynamicUser= is enabled, - RemoveIPC=, PrivateTmp= are implied. This ensures that the - lifetime of IPC objects and temporary files created by the executed processes is bound to the runtime - of the service, and hence the lifetime of the dynamic user/group. Since /tmp and - /var/tmp are usually the only world-writable directories on a system this - ensures that a unit making use of dynamic user/group allocation cannot leave files around after unit - termination. Furthermore NoNewPrivileges= and RestrictSUIDSGID= - are implicitly enabled to ensure that processes invoked cannot take benefit or create SUID/SGID files - or directories. Moreover ProtectSystem=strict and + RemoveIPC= and PrivateTmp= are implied (and cannot be turned + off). This ensures that the lifetime of IPC objects and temporary files created by the executed + processes is bound to the runtime of the service, and hence the lifetime of the dynamic + user/group. Since /tmp/ and /var/tmp/ are usually the only + world-writable directories on a system this ensures that a unit making use of dynamic user/group + allocation cannot leave files around after unit termination. Furthermore + NoNewPrivileges= and RestrictSUIDSGID= are implicitly enabled + (and cannot be disabled), to ensure that processes invoked cannot take benefit or create SUID/SGID + files or directories. Moreover ProtectSystem=strict and ProtectHome=read-only are implied, thus prohibiting the service to write to arbitrary file system locations. In order to allow the service to write to certain directories, they have to be whitelisted using ReadWritePaths=, but care must be taken so that From b30772a403399e7b36ff30a4f8ebbd4eb7cb190d Mon Sep 17 00:00:00 2001 
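Review bot: The ProtectSystem=strict / ProtectHome=read-only sentence at the end of this hunk is left untouched while the four settings before it now say "(and cannot be turned off)" and "(and cannot be disabled)"; readers will take the asymmetry to mean those two can still be overridden, so state explicitly whether they can. Two wording points in the new lines: "cannot take benefit or create SUID/SGID files" reads better as "cannot benefit from or create SUID/SGID files", and the NoNewPrivileges=/RestrictSUIDSGID= parenthetical could use the same phrase as the RemoveIPC=/PrivateTmp= one ("cannot be turned off") for consistency.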
From: Lennart Poettering Date: Mon, 24 Jun 2019 14:22:43 +0200 Subject: [PATCH 2/5] man: correct that Sockets= may not be undone Fixes: #12415 --- man/systemd.service.xml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/man/systemd.service.xml b/man/systemd.service.xml index c2b3e21076..22329f6c2f 100644 --- a/man/systemd.service.xml +++ b/man/systemd.service.xml @@ -945,11 +945,9 @@ inverse of the Sockets= setting of the .service it refers to. - This option may appear more than once, in which case the - list of socket units is merged. If the empty string is - assigned to this option, the list of sockets is reset, and all - prior uses of this setting will have no - effect. + This option may appear more than once, in which case the list of socket units is merged. Note + that once set, clearing the list of sockets again (for example, by assigning the empty string to this + option) is not supported. From cd69e88ba3a692618048117b26fc9ea339aa1845 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 24 Jun 2019 14:51:52 +0200 Subject: [PATCH 3/5] doc: make clear that --system and --user only make sense with --test Fixes: #12843 --- man/systemd.xml | 30 ++++++++++++++++-------------- src/core/main.c | 6 +++--- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/man/systemd.xml b/man/systemd.xml index c51f0bf4d1..7ede4e3f40 100644 --- a/man/systemd.xml +++ b/man/systemd.xml 
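Review bot: "is not supported" in the replacement text leaves open what actually happens when a unit assigns the empty string to Sockets=: whether the assignment is silently ignored, logged as a warning, or causes the unit to fail to load. The removed text promised a reset, so existing units may rely on it; spell out the observable behaviour, for example "the assignment is ignored and a warning is logged" (whichever the parser actually does), so unit authors can tell from the man page what to expect.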
@@ -70,8 +70,13 @@ - Determine startup sequence, dump it and exit. - This is an option useful for debugging only. + Determine the initial start-up transaction (i.e. the list of jobs enqueued at + start-up), dump it and exit. This option is useful for debugging only. Note that during regular + service manager start-up further units might be started than this operation shows, because hardware, + socket, bus or other kinds of activation might add additional jobs. Use to + request the initial transaction of the system service manager (this is also the implied default), + combine with to request the initial transaction of the per-user service + manager instead. @@ -94,23 +99,20 @@ not specified, defaults to default.target. + - For , tell systemd to - run a system instance, even if the process ID is not 1, i.e. - systemd is not run as init process. - does the opposite, running a user instance even if the process - ID is 1. Normally, it should not be necessary to pass these - options, as systemd automatically detects the mode it is - started in. These options are hence of little use except for - debugging. Note that it is not supported booting and - maintaining a full system with systemd running in - mode, but PID not 1. In practice, - passing explicitly is only useful in - conjunction with . + When used in conjunction with , selects whether to calculate + the initial transaction for the system instance or for a per-user instance. These options have no + effect when invoked without , as during regular + (i.e. non-) invocations the service manager will automatically detect whether + it shall operate in system or per-user mode, by checking whether the PID it is run as is 1 or + not. Note that it is not supported booting and maintaining a system with the service manager running + in mode but with a PID other than 1. + diff --git a/src/core/main.c b/src/core/main.c index a94e6caf85..3a41573ef0 100644 --- a/src/core/main.c +++ b/src/core/main.c 
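Review bot: "Note that it is not supported booting and maintaining a system with the service manager running in mode but with a PID other than 1" in the second hunk is ungrammatical; suggest "Note that booting and maintaining a system with the service manager running in system mode, but with a PID other than 1, is not supported." In the first hunk, "Use ... to request the initial transaction of the system service manager (this is also the implied default), combine with ... to request the initial transaction of the per-user service manager instead" is a comma splice; split it into two sentences ("Use ... to request .... Combine with ... to request ...").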
@@ -1157,13 +1157,13 @@ static int help(void) { "Starts up and maintains the system or user services.\n\n" " -h --help Show this help\n" " --version Show version\n" - " --test Determine startup sequence, dump it and exit\n" + " --test Determine initial transaction, dump it and exit\n" + " --system In combination with --test: operate as system service manager\n" + " --user In combination with --test: operate as per-user service manager\n" " --no-pager Do not pipe output into a pager\n" " --dump-configuration-items Dump understood unit configuration items\n" " --dump-bus-properties Dump exposed bus properties\n" " --unit=UNIT Set default unit\n" - " --system Run a system instance, even if PID != 1\n" - " --user Run a user instance\n" " --dump-core[=BOOL] Dump core on crash\n" " --crash-vt=NR Change to specified VT on crash\n" " --crash-reboot[=BOOL] Reboot on crash\n" From eedaf7f322a850c5d9f49346d43420423fc6f593 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 24 Jun 2019 15:21:22 +0200 Subject: [PATCH 4/5] man: drop references to "syslog" and "syslog+console" from man page These options are pretty much equivalent to "journal" and "journal+console" anyway, let's simplify things, and drop them from the documentation hence. For compat reasons let's keep them in the code. (Note that they are not 100% identical to 'journal', but I doubt the distinction in behaviour is really relevant to keep this in the docs. And we should probably should drop 'syslog' entirely from our codebase eventually, but it's problematic as long as we semi-support udev on non-systemd systems still.) --- man/systemd.exec.xml | 86 ++++++++++++++++++++++---------------------- man/systemd.xml | 2 -- 2 files changed, 43 insertions(+), 45 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index f333c2c812..8f7d64d017 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
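Review bot: The man page hunk in this patch now states that --system and --user "have no effect" without --test, yet this main.c hunk only rewrites help strings; nothing in the diff shows the option parser ignoring or rejecting --system/--user when --test is absent. Either confirm the parser already behaves that way, or make it log a warning (or refuse) in that case so the code matches the new documentation. Nit: the two new help lines are noticeably longer than the surrounding ones; keep them within the existing column width.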
@@ -1936,12 +1936,12 @@ SystemCallErrorNumber=EPERM StandardOutput= - Controls where file descriptor 1 (STDOUT) of the executed processes is connected to. Takes one - of , , , , - , , , - , , - , , - or . + Controls where file descriptor 1 (STDOUT) of the executed processes is connected + to. Takes one of , , , + , , , + , , + , or + . duplicates the file descriptor of standard input for standard output. 
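Review bot: This hunk removes syslog and syslog+console from the StandardOutput= value list, but the commit message says both remain accepted by the code for compatibility. Someone maintaining an existing unit that uses them will now find them undocumented, with no hint that they are still valid; add one sentence stating that these two values are still accepted as deprecated aliases of journal and journal+console (or however the code maps them), so the docs do not read as if the options were dropped outright.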
@@ -1952,23 +1952,20 @@ SystemCallErrorNumber=EPERM see below). If the TTY is used for output only, the executed process will not become the controlling process of the terminal, and will not fail or wait for other processes to release the terminal. - connects standard output with the journal which is accessible via - journalctl1. Note that - everything that is written to syslog or kmsg (see below) is implicitly stored in the journal as well, the - specific two options listed below are hence supersets of this one. - - connects standard output to the syslog3 system syslog - service, in addition to the journal. Note that the journal daemon is usually configured to forward everything - it receives to syslog anyway, in which case this option is no different from . + connects standard output with the journal, which is accessible via + journalctl1. Note + that everything that is written to kmsg (see below) is implicitly stored in the journal as well, the + specific option listed below is hence a superset of this one. (Also note that any external, + additional syslog daemons receive their log data from the journal, too, hence this is the option to + use when logging shall be processed with such a daemon.) connects standard output with the kernel log buffer which is accessible via dmesg1, in addition to the journal. The journal daemon might be configured to send all logs to kmsg anyway, in which case this option is no different from . - , and work - in a similar way as the three options above but copy the output to the system console as well. + and work in a similar way as the + two options above but copy the output to the system console as well. The option may be used to connect a specific file system object to standard output. The semantics are similar to the same option of 
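Review bot: The new parenthetical "any external, additional syslog daemons receive their log data from the journal, too" turns a conditional statement into an unconditional one: the removed text said the journal daemon is "usually configured" to forward to syslog, which depends on journald's forwarding setting. Keep the qualifier (e.g. "if journald is configured to forward to syslog, ..."), otherwise users with forwarding disabled will expect their syslog daemon to see service output when it does not. Also, "the specific option listed below is hence a superset of this one" should name kmsg directly now that only one option remains below.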
@@ -1997,13 +1994,14 @@ SystemCallErrorNumber=EPERM systemd.socket5 for more details about named descriptors and their ordering. - If the standard output (or error output, see below) of a unit is connected to the journal, syslog or the - kernel log buffer, the unit will implicitly gain a dependency of type After= on - systemd-journald.socket (also see the "Implicit Dependencies" section above). Also note - that in this case stdout (or stderr, see below) will be an AF_UNIX stream socket, and not - a pipe or FIFO that can be re-opened. This means when executing shell scripts the construct echo - "hello" > /dev/stderr for writing text to stderr will not work. To mitigate this use the construct - echo "hello" >&2 instead, which is mostly equivalent and avoids this pitfall. + If the standard output (or error output, see below) of a unit is connected to the journal or + the kernel log buffer, the unit will implicitly gain a dependency of type After= + on systemd-journald.socket (also see the "Implicit Dependencies" section + above). Also note that in this case stdout (or stderr, see below) will be an + AF_UNIX stream socket, and not a pipe or FIFO that can be re-opened. This means + when executing shell scripts the construct echo "hello" > /dev/stderr for + writing text to stderr will not work. To mitigate this use the construct echo "hello" + >&2 instead, which is mostly equivalent and avoids this pitfall. This setting defaults to the value set with DefaultStandardOutput= in systemd-system.conf5, which 
@@ -2121,12 +2119,12 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy SyslogIdentifier= - Sets the process name ("syslog tag") to prefix log lines sent to the logging - system or the kernel log buffer with. If not set, defaults to the process name of the executed process. This - option is only useful when StandardOutput= or StandardError= are set to - , or (or to the same settings in - combination with ) and only applies to log messages written to stdout or - stderr. + Sets the process name ("syslog tag") to prefix log lines sent to + the logging system or the kernel log buffer with. If not set, defaults to the process name of the + executed process. This option is only useful when StandardOutput= or + StandardError= are set to or (or to + the same settings in combination with ) and only applies to log messages + written to stdout or stderr. @@ -2137,12 +2135,13 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy , , , , , , , , , , , , - , , or . See - syslog3 - for details. This option is only useful when StandardOutput= or - StandardError= are set to , or - (or to the same settings in combination with ), and only applies - to log messages written to stdout or stderr. Defaults to . + , , or + . See syslog3 for + details. This option is only useful when StandardOutput= or + StandardError= are set to or (or to + the same settings in combination with ), and only applies to log messages + written to stdout or stderr. Defaults to . 
@@ -2154,7 +2153,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy . See syslog3 for details. This option is only useful when StandardOutput= or - StandardError= are set to , or + StandardError= are set to or (or to the same settings in combination with ), and only applies to log messages written to stdout or stderr. Note that individual lines output by executed processes may be prefixed with a different log level which can be used to override the default log level specified here. The @@ -2167,12 +2166,13 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy SyslogLevelPrefix= Takes a boolean argument. If true and StandardOutput= or - StandardError= are set to , or - (or to the same settings in combination with ), log lines - written by the executed process that are prefixed with a log level will be processed with this log level set - but the prefix removed. If set to false, the interpretation of these prefixes is disabled and the logged lines - are passed on as-is. This only applies to log messages written to stdout or stderr. For details about this - prefixing see sd-daemon3. + StandardError= are set to or (or to + the same settings in combination with ), log lines written by the executed + process that are prefixed with a log level will be processed with this log level set but the prefix + removed. If set to false, the interpretation of these prefixes is disabled and the logged lines are + passed on as-is. This only applies to log messages written to stdout or stderr. For details about + this prefixing see + sd-daemon3. Defaults to true. diff --git a/man/systemd.xml b/man/systemd.xml index 7ede4e3f40..dfd77a474d 100644 --- a/man/systemd.xml +++ b/man/systemd.xml @@ -234,8 +234,6 @@ , , , - , - , , . If the argument is omitted From e5134f00f8c7f5b278a46e4ed0a19fbd220601b2 Mon Sep 17 00:00:00 2001 
From: Lennart Poettering Date: Mon, 24 Jun 2019 15:30:10 +0200 Subject: [PATCH 5/5] man: document that sd_bus_creds_get_exec() is not suitable for security decisions Fixes: #12704 --- man/sd_bus_creds_get_pid.xml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/man/sd_bus_creds_get_pid.xml b/man/sd_bus_creds_get_pid.xml index 9e79d13cdd..a7690d5817 100644 --- a/man/sd_bus_creds_get_pid.xml +++ b/man/sd_bus_creds_get_pid.xml @@ -325,12 +325,14 @@ /proc/pid/task/tid/comm). - sd_bus_creds_get_exe() will retrieve - the path to the program executable (as stored in the - /proc/pid/exe - link, but with the (deleted) suffix removed). Note - that kernel threads do not have an executable path, in which case - -ENXIO is returned. + sd_bus_creds_get_exe() will retrieve the path to the program executable (as + stored in the /proc/pid/exe link, but with the + (deleted) suffix removed). Note that kernel threads do not have an executable path, in which + case -ENXIO is returned. Note that this property should not be used for more than explanatory + information, in particular it should not be used for security-relevant decisions. That's because the + executable might have been replaced or removed by the time the value can be processed. Moreover, the + kernel exports this information in an ambiguous way (i.e. a deleted executable cannot be safely + distinguished from one whose name suffix is (deleted). sd_bus_creds_get_cmdline() will retrieve an array of command line arguments (as stored in
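Review bot: The closing parenthesis is missing in the new text: "(i.e. a deleted executable cannot be safely distinguished from one whose name suffix is (deleted)." needs a ")" before the period. The patch subject says sd_bus_creds_get_exec() but the function documented is sd_bus_creds_get_exe(); fix the subject. The security caveat itself is the right call; consider adding the same "explanatory information only" note to the adjacent sd_bus_creds_get_comm() and sd_bus_creds_get_cmdline() paragraphs, since comm and cmdline are likewise under the control of the process being inspected. Style nit: "That's because" reads informal for a man page; "This is because" matches the surrounding text.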