mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00
Commit Graph

58194 Commits

Author SHA1 Message Date
Luca Boccassi
6e111d2811 portable: set PrivateTmp=yes in trusted profile too
When running on images you don't want to modify the /tmp
directory even if it's writable, and often it will just
be read-only. Set PrivateTmp=yes.

Fixes https://github.com/systemd/systemd/issues/23592

(cherry picked from commit f2d26cd89b)
2022-08-08 10:41:31 +02:00
Yu Watanabe
9f8b7ee55a core/mount: downgrade log level about several mkdir failures
(cherry picked from commit 574febda6b)
2022-08-08 10:38:02 +02:00
Yu Watanabe
b1e494d64d Revert "core/mount: fail early if directory cannot be created"
This reverts commit e4de58c823.

If mkdir() fails and the path does exist, then the later mount
command fails anyway. Hence, it is not necessary to fail here.

Fixes #24120.

(cherry picked from commit e5e6b7c225)
2022-08-08 10:37:55 +02:00
Yu Watanabe
739d7130cb home: drop conflicted headers
Fixes #24117.

(cherry picked from commit 0a58cd0045)
2022-08-08 10:32:20 +02:00
Yu Watanabe
834632a477 homed: fix dbus node enumerator
Fixes #24114.

(cherry picked from commit 52023622d2)
2022-08-08 10:32:08 +02:00
Lennart Poettering
200cbc299b localed: don't fail if we cannot copy an xattr
We ignore xattr copy failures on all other cases, and we should do so
here too.

Fixes: #24106
(cherry picked from commit d3efe29452)
2022-08-08 10:27:45 +02:00
Yu Watanabe
a9dd0f6fc9 udev: downgrade error level and mention that the error is ignored
(cherry picked from commit 6e40ed5325)
2022-08-08 10:27:45 +02:00
Rudi Heitbaum
8fe0c12178 glibc: Remove #include <linux/fs.h> to resolve fsconfig_command/mount_attr conflict with glibc 2.36
(cherry picked from commit 3657d3a01c)
2022-08-08 10:27:45 +02:00
Yu Watanabe
9ac0ad80fe unit-file: avoid (null) in debugging logs
The variable `inst` was set to NULL by TAKE_PTR().

This fixes the following log message:
```
systemd[1]: Unit getty@tty2.service has alias (null).
```

(cherry picked from commit 7c35b78a0b)
2022-08-08 10:27:45 +02:00
Zbigniew Jędrzejewski-Szmek
dc3333bcc9 manager: limit access to private dbus socket
For the system manager, /run/systemd/private is publicly accessible, because
/run/systemd is 0755, and /run/systemd/private is 0777. For the user manager,
/run/user/<uid> is 0700, and /run/user/<uid>/systemd/private is 0777. This
does not directly cause any security issue because we check the sender in
bus_check_peercred (ucred.uid != 0 && ucred.uid != geteuid()).

But it makes sense to limit access to the socket to avoid wasting time in PID1.
Somebody could send messages there that we'd reject anyway. It also makes
things more explicit.

(cherry picked from commit df1cbd1adf)
2022-08-08 10:27:45 +02:00
Kai Lueke
fbf4050e2c man: Use correct target type for sysupdate entry
While Type=file works because it seems to be the default, the line gets
ignored as printed on the stderr output.
Use the correct value "regular-file" for the target type.

(cherry picked from commit 0ad7b7b809)
2022-08-08 10:27:45 +02:00
Ulrich Ölmann
a4a04055f8 man: document udevadm lock's exit code
(cherry picked from commit aa386add67)
2022-08-08 10:27:45 +02:00
Jan Janssen
8d688da26d man: Miscellaneous fixes
Fixes: #24056
(cherry picked from commit 6a1d8f1161)
2022-08-08 10:27:45 +02:00
Ansgar Burchardt
bf9e8207df man/system-or-user-ns.xml: explicitly refer to PrivateUsers= option
It is not clear what "unprivileged user namespaces are available" means.
It could mean either that they are only usable, that is, enabled in the kernel,
or they have been enabled for the specific service. Referring to the
`PrivateUsers=` option makes it clear that the latter is meant.

(cherry picked from commit 34aee208b5)
2022-08-08 10:27:45 +02:00
Richard Huang
9f3ed4f5cc Update sleep.conf HibernateDelaySec default to match implementation
(cherry picked from commit 5f2b4f9cb9)
2022-08-08 10:27:45 +02:00
David Tardon
8e466d902d systemctl: include upheld units in dependencies
Fixes: #22706
(cherry picked from commit cbc2593eea)
2022-08-08 10:27:45 +02:00
Vito Caputo
110d49d151 man: fix grammatical error in --cursor-file description
Just a minor cleanup to fix unparseable wording

(cherry picked from commit 729d2df806)
2022-08-08 10:27:45 +02:00
Frantisek Sumsal
5c822e33c9 core: drop a stray %m specifier from a warning message
since in this specific case (r == 0) `errno` is irrelevant and most likely
set to zero, leading up to a confusing message:

```
[  120.595085] H systemd[1]: session-5.scope: No PIDs left to attach to the scope's control group, refusing: Success
[  120.595144] H systemd[1]: session-5.scope: Failed with result 'resources'.
```

(cherry picked from commit e99b9285cb)
2022-08-08 10:27:44 +02:00
Zbigniew Jędrzejewski-Szmek
b7c5530a1f man: fix formatting of "BARRIER=1"
Whitespace inside of the <varname> field was propagated to the displayed form,
causing strange indentation.

(cherry picked from commit 9cfc294fe0)
2022-08-08 10:27:44 +02:00
lastkrick
7632ff4ccc man: fix typo in systemd.network documentation in IPv6RoutePrefix section (#24030)
(cherry picked from commit 69a7d10832)
2022-08-08 10:27:44 +02:00
Łukasz Stelmach
c88309d5cd core: drop ambient capabilities in user manager
Ambient capabilities should not be passed implicitly to user
services. Dropping them does not affect the permitted and effective sets
which are important for the manager itself to operate.

(cherry picked from commit 963b6b906e)
2022-08-08 10:27:44 +02:00
Lennart Poettering
689487785f cgroups-agent: connect stdin/stdout/stderr to /dev/null
Inspired by https://github.com/systemd/systemd/pull/24024 this is
another user mode helper, where this might be an issue. Hence let's
rather be safe than sorry, and also connect stdin/stdout/stderr
explicitly with /dev/null.

(cherry picked from commit 50492ce815)
2022-08-08 10:27:44 +02:00
Daan De Meyer
fba50bc0fc coredump: Connect stdout/stderr to /dev/null before doing anything
When invoked as the coredump handler by the kernel, systemd-coredump's
stdout and stderr streams are closed. This is dangerous as this means
the fd's can get reallocated, leading to hard to debug errors such as
log messages ending up being appended to a compressed coredump file.

To avoid such issues in the future, let's bind stdout/stderr to
/dev/null so the file descriptors can't get used for anything else.

(cherry picked from commit 1f9d2a8199)
2022-08-08 10:27:44 +02:00
Lennart Poettering
724d52146a man: explain why various resource limits don't make sense and should not be used.
(cherry picked from commit 8c88895772)
2022-08-08 10:27:44 +02:00
Lennart Poettering
83203873ee man: drop misplaced ','
(cherry picked from commit 3840b14781)
2022-08-08 10:27:44 +02:00
Andre Kalb
098d70f438 man/network: ServerAddress= drop "literal" from IP address ranges
(cherry picked from commit 1df6201882)
2022-08-08 10:27:44 +02:00
Lennart Poettering
64be8d8a34 base-filesystem: pick more conservative access mode for /root/
Let's not allow anyone to look into /root/ if we create it via the
base-filesystem logic. i.e. change 0755 → 0750 as default access mode
for /root/, in case we create it if it happens to be missing.

(cherry picked from commit 93cbc9ca12)
2022-08-08 10:27:44 +02:00
Lennart Poettering
625472b219 tmpfiles: check the directory we were supposed to create, not its parent
This current code checks the wrong directory. This was broken in
4c39d899ff which converted the previous
code incorrectly.

(cherry picked from commit 92631578ff)
2022-08-08 10:27:41 +02:00
Lennart Poettering
9255fa3a15 stat-util: replace is_dir() + is_dir_fd() by single is_dir_full() call
This new call can execute both of the old operations, but also do
generic fstatat() like behaviour.

(cherry picked from commit a586dc791c)
2022-08-08 10:00:23 +02:00
undef
378e187ed4 growfs: Expand FS even if underlying block expansion fails
This allows growfs to expand the filesystem even when the underlying
block device cannot be expanded. This has been useful for example on
LUKS devices that have already been expanded using systemd-repart.

This works around the following error:
```
root@mobian:/home/mobian# /usr/lib/systemd/systemd-growfs /
crypt_resize() of /dev/block/179:2 failed: Operation not permitted
```

(cherry picked from commit e9a28b8ccd)
2022-08-08 09:59:42 +02:00
Lennart Poettering
3221c3a657 import-ceds: use the right error variables at four places
(cherry picked from commit 1ab8cd794c)
2022-08-08 09:59:11 +02:00
undef
00c6c62845 growfs: don't actually resize on dry-run
This causes systemd-growfs to exit before resizing the partition when
`--dry-run` is passed. Resizing during a dry run of a change breaks the
user's expectations.

(cherry picked from commit d26c0f7243)
2022-08-08 09:58:34 +02:00
Yu Watanabe
e56bfc8a41 sd-bus: do not pass NULL when received message with invalid type
Fixes #24003.

(cherry picked from commit 3f0dbb0f0c)
2022-08-08 09:58:05 +02:00
Zbigniew Jędrzejewski-Szmek
a4af8592c6 man: lift pam_systemd_homed description to Summary
Also change the title to describe the module more comprehensively.
Follow-up for 90bc309aa2. Suggested
in https://bugzilla.redhat.com/show_bug.cgi?id=2085485#c5.

(cherry picked from commit 9e6df03412)
2022-08-08 09:57:47 +02:00
Yu Watanabe
7f80102343 sd-device: send udev database version
Otherwise, sd-device object received through sd-device-monitor does not
show current tags.

Fixes #23799.

(cherry picked from commit 4bc4040bc0)
2022-08-08 09:57:17 +02:00
Yu Watanabe
925cff4a15 sd-device: make device_get_properties_{nulstr,strv}() take NULL for result value
In most cases, it is not necessary to call them without retrieving
result. But, most of other getter functions for sd-device can take NULL.
Let's follow the way for consistency.

(cherry picked from commit 793ab3e9dd)
2022-08-08 09:57:13 +02:00
Yu Watanabe
0ecda6fdf0 sd-device: change type of properties nulstr from uint8_t* to char*
(cherry picked from commit cff31876da)
2022-08-08 09:57:08 +02:00
Lennart Poettering
69de3e810a man: explain why pam_systemd_home wants to be in all four stacks
Suggested here:

https://bugzilla.redhat.com/show_bug.cgi?id=2085485#c5
(cherry picked from commit 90bc309aa2)
2022-08-08 09:54:15 +02:00
Michael Biebl
8a6f966be4 Do not fail EFI build with newer binutils
Newer binutils versions currently trigger the following warnings due to
a bug in gnu-efi

on arm64:
/usr/bin/ld.bfd: warning: src/boot/efi/systemd-bootaa64.elf has a LOAD segment with RWX permissions

on amd64:
/usr/bin/ld.bfd: warning: /usr/lib/crt0-efi-x86_64.o: missing .note.GNU-stack section implies executable stack

This results in a build failure due to --fatal-warnings.
Work around this issue by suppressing those warnings until gnu-efi has
been fixed.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013341

(cherry picked from commit b0e5bf0451)
2022-08-08 09:51:48 +02:00
Zbigniew Jędrzejewski-Szmek
516108f273 kernel-install: fix invocation as installkernel
Fixes #23681.

(cherry picked from commit c9e7ab8c29)
2022-07-13 13:12:32 +02:00
Yu Watanabe
d36b2af987 sd-device: make sd_device_get_is_initialized() not return -ENOENT
(cherry picked from commit 591c186f2f)
2022-07-13 13:12:32 +02:00
Yu Watanabe
a03ea9798a resolve: introduce FORMAT_DNS_RCODE() macro
Fixes #23958.

(cherry picked from commit 0d609349ba)
2022-07-13 13:12:31 +02:00
Yu Watanabe
d56649142b sd-dhcp-client: fix log message
(cherry picked from commit 3857d367f0)
2022-07-13 13:12:31 +02:00
Yu Watanabe
c87c7e7231 network: drop redundant warning
If file is world readable, then `read_full_file_full()` will warn
about that.

(cherry picked from commit d5ad2ec1d4)
2022-07-13 13:12:31 +02:00
Yu Watanabe
900af21558 core/load-fragment: fix error value in log_syntax()
`extract_first_word()` may return positive value on success.

(cherry picked from commit 6a35d52d78)
2022-07-13 13:12:31 +02:00
Yu Watanabe
b7fc4ffe97 resolve: fix possible integer overflow
(cherry picked from commit 370999c05b)
2022-07-13 13:12:31 +02:00
Yu Watanabe
feb244676b resolve: fix heap-buffer-overflow reported by ASAN with strict_string_checks=1
Fixes #23942.

(cherry picked from commit beeab352de)
2022-07-13 13:12:31 +02:00
Yu Watanabe
72d4c15a94 time-util: fix buffer-over-run
Fixes #23928.

(cherry picked from commit 9102c625a6)
2022-07-13 13:12:31 +02:00
Lennart Poettering
9e73f919ab tmpfiles: correct error variable to use
(cherry picked from commit 149e0ca6c7)
2022-07-13 13:12:31 +02:00
Lennart Poettering
c377dc4832 namespace: fix propagated error number
(cherry picked from commit 1ce268c789)
2022-07-13 13:12:31 +02:00