1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00
Commit Graph

56035 Commits

Author SHA1 Message Date
Luca BRUNO
3733943f5a sysusers: properly process user entries with an explicit GID
This tweaks user creation logic to properly take into consideration
an explicitly requested GID.
It fixes a bug where the creation flow would mistakenly fall back
to use the username instead, resulting in wrong lookups in case of
users and groups using the same name.

(cherry picked from commit 5ed47c4d23)
(cherry picked from commit f9d936b865)
2022-11-04 13:02:20 +01:00
Luca BRUNO
6ab318435e sysusers: only check whether the requested GID is available
This relaxes the availability check when creating a group, if an
explicit GID has been requested.
It avoids mixing up users and groups entries with valid and unique
UIDs/GIDs, but each having the same ID number.

(cherry picked from commit 6b6e45eb73)
(cherry picked from commit ec5a46ca34)
2022-11-04 13:02:20 +01:00
Yu Watanabe
887837a5a9 dhcp: fix potential buffer overflow
Fixes a bug introduced by 324f818781.

This also renames several macros for DHCP packet size.

(cherry picked from commit 4473cd7f61)
(cherry picked from commit 037b1a8acc)
2022-11-04 13:02:20 +01:00
Yu Watanabe
647c44c21a udev-util: assume system is running on AC power when no battery found
Fixes #24214.

(cherry picked from commit 96788d2aa4)
(cherry picked from commit ed2955f8fe)
2022-11-04 13:02:20 +01:00
undef
d1166a9060 shared/generator: Ensure growfs unit runs after repart
When deploying an image using systemd-repart and systemd-growfs one
should have the image expanded entirely and ready to use after the first
boot. This ensures that growfs does not occur before repart, thus
requiring a second boot.

(cherry picked from commit 7b45d6b6f6)
(cherry picked from commit 4fdca1ab9e)
2022-11-04 13:02:20 +01:00
Yu Watanabe
89a5b7752f network: dhcp4: disable DHCPv4 client on interfaces with non-supported types
Replaces f42d41cc5f.

(cherry picked from commit 7e2f684e1f)
(cherry picked from commit 9951ea07d5)
2022-11-04 13:02:20 +01:00
Jan Janssen
b9216947a3 boot: Build with at least -O1 as workaround
Fixes: #24202
(cherry picked from commit 2fb1165238)
(cherry picked from commit b0da0d6102)
2022-11-04 13:02:20 +01:00
Ludwig Nussel
8625211cc8 pull: fix PullFlags numbering
(cherry picked from commit 5243331fb8)
(cherry picked from commit 6a9cf204a7)
2022-11-04 13:02:20 +01:00
Luca Boccassi
c454d5fafb integritysetup: do not use crypt_init_data_device after crypt_init
crypt_init_data_device() replaces the crypt_device struct with a
new allocation, losing the old one, which we get from crypt_init().
Use crypt_set_data_device() instead.

Enhance the test to cover this option too.

(cherry picked from commit 872f9da4d8)
(cherry picked from commit a27b694453)
2022-11-04 13:02:20 +01:00
Daan De Meyer
215b6ce2d6 man: Clarify that tools should prefer mount units over editing fstab
(cherry picked from commit 29e804dffd)
(cherry picked from commit 3814bd0e71)
2022-11-04 13:02:20 +01:00
Lennart Poettering
3367e1bf48 man: fix docbook
(cherry picked from commit 1374f5a03a)
(cherry picked from commit 6b58b06c7d)
2022-11-04 13:02:20 +01:00
James Hilliard
4fa81b6a2d bpf: fix is_allow_list section
The llvm bpf compiler appears to place const volatile variables in
a non-standard section which creates an incompatibility with the gcc
bpf compiler.

To fix this force GCC to also use the rodata section.

Note this does emit an assembler warning:
Generating src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.unstripped.o with a custom command
/tmp/ccM2b7jP.s: Assembler messages:
/tmp/ccM2b7jP.s:87: Warning: setting incorrect section attributes for .rodata

See:
https://github.com/llvm/llvm-project/issues/56468

Fixes:
../src/core/restrict-ifaces.c:45:14: error: ‘struct
restrict_ifaces_bpf’ has no member named ‘rodata’; did you mean
‘data’?
   45 |         obj->rodata->is_allow_list = is_allow_list;
      |              ^~~~~~
      |              data

(cherry picked from commit e8b1e9cf10)
(cherry picked from commit cdd3f180b0)
2022-11-04 13:02:20 +01:00
Loïc Collignon
12b041584a Fix 24172: __STDC_VERSION__ may be defined in C++
According to the C++ ISO standard, a conformant compiler is allowed to
define this macro to any value for any reason as it is implementation
defined: https://timsong-cpp.github.io/cppwp/cpp.predefined#2.3

This mean that it cannot be assumed that it is not defined in a C++.
Change the condition to reflect that.

(cherry picked from commit 00852912ed)
(cherry picked from commit 45faf77d4d)
2022-11-04 13:02:20 +01:00
Lennart Poettering
618b8d5a6d systemctl: clarify that "status" is about the most recent invocation of a service
And point people to "journalctl --unit=" for information of prior runs.

Inspired by: #24159

(cherry picked from commit 157cb4337b)
(cherry picked from commit 0cfe2d7e88)
2022-11-04 13:02:20 +01:00
Lennart Poettering
8e6ba03724 repart: when keeping ref to backing inode/devnode, use fd_reopen() rathern than F_DUPFD
Via the "backing_fd" variable we intend to pin the backing inode through
our entire code. So far we typically created the fd via F_DUPFD_CLOEXEC,
and thus any BSD lock taken one the original fd is shared with our
backing_fd reference. And if the origina fd is closed but our backing_fd
is not, we'll keep the BSD lock open, even if we then reopen the block
device through the backing_fd. If hit, this results in a deadlock.

Let's fix that by creating the backing_fd via fd_reopen(), so that the
locks are no longer shared, and if the original fd is closed all BSD
locks on it that are in effect are auto-released.

(Note the deadlock is only triggered if multiple operations on the same
backing inode are executed, i.e. factory reset, resize and applying of
partitions.)

Replaces: #24181
(cherry picked from commit 38f81e9374)
(cherry picked from commit d3e84e4703)
2022-11-04 13:02:20 +01:00
Jacek Migacz
a2fc30409d resolved: fix single-label resolution over DNS
Fixes: #23494 (when ResolveUnicastSingleLabel=yes)
(cherry picked from commit ff0a5070d4)
(cherry picked from commit 7384d152c8)
2022-11-04 13:02:20 +01:00
Cristian Rodríguez
c57e95e8fa gcrypt: switch to system rng before gcry_check_version (#24162)
Current docs claim this must be done before gcry_check_version.

(cherry picked from commit 91375fb9cf)
(cherry picked from commit 695eb67322)
2022-11-04 13:02:20 +01:00
Max Gautier
427d189479 docs: Correct StandartOutput documentation
fix #2114

(cherry picked from commit e0a12b9634)
(cherry picked from commit 79de67e2df)
2022-11-04 13:02:20 +01:00
Eli Schwartz
9359dd6977 meson: fix broken boolean kwarg
Everywhere else that `conf.get('ENABLE_*')` is used as a boolean key for
something (for example in if statements) it always checks if == 1, but
in this one case it neglects to do so. This is important because
conf.get yields the same int that was stored, but if statements require
booleans.

So does executable's "install" kwarg, at least according to the
documentation. In actuality, it accepts all types without sanity
checking, then uses python "if bool(var)", so you can actually do
`install: 'do not'` and that's treated identical to `true`. This is a
type-checking bug which Meson will eventually fix.

muon fails on the same code, today.

(cherry picked from commit 9e4a50bcdf)
(cherry picked from commit 3a382bf86b)
2022-11-04 13:02:20 +01:00
Cristian Rodríguez
97c82a3abb gcrypt: prefer the OS RNG
by default, gcrypt defaults to an userspace RNG, this is
the wrong thing (tm) to do on linux.

Switch to the SYSTEM rng instead.

(cherry picked from commit 80f967311a)
(cherry picked from commit ca0ed3a78c)
2022-11-04 13:02:20 +01:00
Fei Li
427995b49b virt: detect KubeVirt instance
Kubevirt is currently technically based on KVM (but not xen yet[1]).
The systemd-detect-virt command, used to differentiate the current
virtualization environment, works fine on x86 relying on CPUID, while
fails to get the correct value (none instead of kvm) on aarch64.

Let's fix this by adding a new 'vendor[KubeVirt] = kvm' classification
considering the sys_vendor is always KubeVirt.

[1] https://groups.google.com/g/kubevirt-dev/c/C6cUgzTOsVg

Signed-off-by: Fei Li <lifei.shirley@bytedance.com>
(cherry picked from commit c15d1ac2c4)
(cherry picked from commit e7d635f0b9)
2022-11-04 13:02:20 +01:00
w30023233
62ea1502e0 virt: detect OpenStack Nova instance
(cherry picked from commit 01d9fbccdd)
2022-11-04 13:02:19 +01:00
Vishal Chillara Srinivas
fb48f600cf RFC 6762 section 7.1: a Multicast DNS querier SHOULD NOT include records in the
Known-Answer list whose remaining TTL is less than half of their original TTL

(cherry picked from commit f941c12427)
(cherry picked from commit ef6c379089)
2022-11-04 13:02:19 +01:00
Yu Watanabe
d935dd7e9d resolve: do not trigger assertions on invalid query
(cherry picked from commit 055acd4d8b)
(cherry picked from commit b61a61ec53)
2022-11-04 13:02:19 +01:00
Yu Watanabe
30d24c8df6 resolve: mdns_packet_extract_matching_rrs() may return 0
Fixes the following assertion:
---
Assertion 'r > 0' failed at src/resolve/resolved-mdns.c:180, function mdns_do_tiebreak(). Aborting.
---

(cherry picked from commit f2605af1f2)
(cherry picked from commit 0070302b3c)
2022-11-04 13:02:19 +01:00
Yu Watanabe
23d0a99497 resolve: fix misuse of accuracy parameter in sd_event_add_time()
Also, this makes mDNS regular queries sent without delay (except for
one caused by the default accuracy of sd-event).

Note, RFC 6762 Section 5.2 is about continuous mDNS query, which is not
implemented yet.

(cherry picked from commit 765647ba80)
(cherry picked from commit 41810cb166)
2022-11-04 13:02:19 +01:00
Yu Watanabe
324bacfe9a resolve: drop unnecessary else, and add short comment
(cherry picked from commit 4b2ceb8a48)
(cherry picked from commit a1edebfde0)
2022-11-04 13:02:19 +01:00
Yu Watanabe
dc3faeed05 resolve: mdns: fix use-after-free
Fixes #23843 and #23873.

(cherry picked from commit d50a58e725)
(cherry picked from commit e832a277ea)
2022-11-04 13:02:19 +01:00
Luca Boccassi
74c33f69bb portable: set PrivateTmp=yes in trusted profile too
When running on images you don't want to modify the /tmp
directory even if it's writable, and often it will just
be read-only. Set PrivateTmp=yes.

Fixes https://github.com/systemd/systemd/issues/23592

(cherry picked from commit f2d26cd89b)
(cherry picked from commit 6e111d2811)
2022-11-04 13:02:19 +01:00
Yu Watanabe
40cdad3506 core/mount: downgrade log level about several mkdir failures
(cherry picked from commit 574febda6b)
(cherry picked from commit 9f8b7ee55a)
2022-11-04 13:02:19 +01:00
Yu Watanabe
f26f995108 Revert "core/mount: fail early if directory cannot be created"
This reverts commit e4de58c823.

If mkdir() fails and the path does exist, then the later mount
command fails anyway. Hence, it is not necessary to fail here.

Fixes #24120.

(cherry picked from commit e5e6b7c225)
(cherry picked from commit b1e494d64d)
2022-11-04 13:02:19 +01:00
Yu Watanabe
f0f5e74b2b home: drop conflicted headers
Fixes #24117.

(cherry picked from commit 0a58cd0045)
(cherry picked from commit 739d7130cb)
2022-11-04 13:02:19 +01:00
Yu Watanabe
ed66376b05 homed: fix dbus node enumerator
Fixes #24114.

(cherry picked from commit 52023622d2)
(cherry picked from commit 834632a477)
2022-11-04 13:02:19 +01:00
Lennart Poettering
81bc16ab7c localed: don't fail if we cannot copy an xattr
We ignore xattr copy failures on all other cases, and we should do so
here too.

Fixes: #24106
(cherry picked from commit d3efe29452)
(cherry picked from commit 200cbc299b)
2022-11-04 13:02:19 +01:00
Yu Watanabe
8ead3d8e07 udev: downgrade error level and mention that the error is ignored
(cherry picked from commit 6e40ed5325)
(cherry picked from commit a9dd0f6fc9)
2022-11-04 13:02:19 +01:00
Rudi Heitbaum
998b08ec5f glibc: Remove #include <linux/fs.h> to resolve fsconfig_command/mount_attr conflict with glibc 2.36
(cherry picked from commit 3657d3a01c)
(cherry picked from commit 8fe0c12178)
2022-11-04 13:02:19 +01:00
Yu Watanabe
0e7214c8b5 unit-file: avoid (null) in debugging logs
The variable `inst` was set to NULL by TAKE_PTR().

This fixes the following log message:
```
systemd[1]: Unit getty@tty2.service has alias (null).
```

(cherry picked from commit 7c35b78a0b)
(cherry picked from commit 9ac0ad80fe)
2022-11-04 13:02:19 +01:00
Zbigniew Jędrzejewski-Szmek
aa97e014fa manager: limit access to private dbus socket
For the system manager, /run/systemd/private is publicly accessible, because
/run/systemd is 0755, and /run/systemd/private is 0777. For the user manager,
/run/user/<uid> is 0700, and /run/user/<uid>/systemd/private is 0777. This
does not directly cause any security issue because we check the sender in
bus_check_peercred (ucred.uid != 0 && ucred.uid != geteuid()).

But it makes sense to limit access to the socket to avoid wasting time in PID1.
Somebody could send messages there that'd we'd reject anyway. It also makes
things more explicit.

(cherry picked from commit df1cbd1adf)
(cherry picked from commit dc3333bcc9)
2022-11-04 13:02:19 +01:00
Richard Huang
44725ecccd Update sleep.conf HibernateDelaySec default to match implementation
(cherry picked from commit 5f2b4f9cb9)
(cherry picked from commit 9f3ed4f5cc)
2022-11-04 13:02:19 +01:00
David Tardon
1dbe819311 systemctl: include upheld units in dependencies
Fixes: #22706
(cherry picked from commit cbc2593eea)
(cherry picked from commit 8e466d902d)
2022-11-04 13:02:19 +01:00
Vito Caputo
919b10b361 man: fix grammatical error in --cursor-file description
Just a minor cleanup to fix unparseable wording

(cherry picked from commit 729d2df806)
(cherry picked from commit 110d49d151)
2022-11-04 13:02:19 +01:00
Frantisek Sumsal
32848f4559 core: drop a stray %m specifier from a warning message
since in this specific case (r == 0) `errno` is irrelevant and most likely
set to zero, leading up to a confusing message:

```
[  120.595085] H systemd[1]: session-5.scope: No PIDs left to attach to the scope's control group, refusing: Success
[  120.595144] H systemd[1]: session-5.scope: Failed with result 'resources'.
```

(cherry picked from commit e99b9285cb)
(cherry picked from commit 5c822e33c9)
2022-11-04 13:02:19 +01:00
Zbigniew Jędrzejewski-Szmek
c4c647fdb9 man: fix formatting of "BARRIER=1"
Whitespace inside of the <varname> field was propagated to the displayed form,
causing strange indentation.

(cherry picked from commit 9cfc294fe0)
(cherry picked from commit b7c5530a1f)
2022-11-04 13:02:19 +01:00
lastkrick
c93fb9a57e man: fix typo in systemd.network documentation in IPv6RoutePrefix section (#24030)
(cherry picked from commit 69a7d10832)
(cherry picked from commit 7632ff4ccc)
2022-11-04 13:02:19 +01:00
Łukasz Stelmach
217b3e012b core: drop ambient capabilities in user manager
Ambient capabilities should not be passed implicitly to user
services. Dropping them does not affect the permitted and effective sets
which are important for the manager itself to operate.

(cherry picked from commit 963b6b906e)
(cherry picked from commit c88309d5cd)
2022-11-04 13:02:19 +01:00
Lennart Poettering
d8464304f0 cgroups-agent: connect stdin/stdout/stderr to /dev/null
Inspired by https://github.com/systemd/systemd/pull/24024 this is
another user mode helper, where this might be an issue. hence let's
rather be safe than sorry, and also connect stdin/stdout/stderr
explicitly with /dev/null.

(cherry picked from commit 50492ce815)
(cherry picked from commit 689487785f)
2022-11-04 13:02:19 +01:00
Daan De Meyer
3e1224d4ac coredump: Connect stdout/stderr to /dev/null before doing anything
When invoked as the coredump handler by the kernel, systemd-coredump's
stdout and stderr streams are closed. This is dangerous as this means
the fd's can get reallocated, leading to hard to debug errors such as
log messages ending up being appended to a compressed coredump file.

To avoid such issues in the future, let's bind stdout/stderr to
/dev/null so the file descriptors can't get used for anything else.

(cherry picked from commit 1f9d2a8199)
(cherry picked from commit fba50bc0fc)
2022-11-04 13:02:19 +01:00
Lennart Poettering
7e7a6d60f4 man: explain why various resource limits don't make sense and should not be used.
(cherry picked from commit 8c88895772)
(cherry picked from commit 724d52146a)
2022-11-04 13:02:19 +01:00
Lennart Poettering
e655a7ac7b man: drop misplaced ','
(cherry picked from commit 3840b14781)
(cherry picked from commit 83203873ee)
2022-11-04 13:02:19 +01:00
Andre Kalb
a791dc67f8 man/network: ServerAddress= drop "literal" from IP address ranges
(cherry picked from commit 1df6201882)
(cherry picked from commit 098d70f438)
2022-11-04 13:02:18 +01:00