IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This tweaks user creation logic to properly take into consideration
an explicitly requested GID.
It fixes a bug where the creation flow would mistakenly fall back
to use the username instead, resulting in wrong lookups in case of
users and groups using the same name.
(cherry picked from commit 5ed47c4d23)
(cherry picked from commit f9d936b865)
This relaxes the availability check when creating a group, if an
explicit GID has been requested.
It avoids mixing up users and groups entries with valid and unique
UIDs/GIDs, but each having the same ID number.
(cherry picked from commit 6b6e45eb73)
(cherry picked from commit ec5a46ca34)
Fixes a bug introduced by 324f818781.
This also renames several macros for DHCP packet size.
(cherry picked from commit 4473cd7f61)
(cherry picked from commit 037b1a8acc)
When deploying an image using systemd-repart and systemd-growfs one
should have the image expanded entirely and ready to use after the first
boot. This ensures that growfs does not occur before repart, thus
requiring a second boot.
(cherry picked from commit 7b45d6b6f6)
(cherry picked from commit 4fdca1ab9e)
crypt_init_data_device() replaces the crypt_device struct with a
new allocation, losing the old one, which we get from crypt_init().
Use crypt_set_data_device() instead.
Enhance the test to cover this option too.
(cherry picked from commit 872f9da4d8)
(cherry picked from commit a27b694453)
The llvm bpf compiler appears to place const volatile variables in
a non-standard section which creates an incompatibility with the gcc
bpf compiler.
To fix this force GCC to also use the rodata section.
Note this does emit an assembler warning:
Generating src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.unstripped.o with a custom command
/tmp/ccM2b7jP.s: Assembler messages:
/tmp/ccM2b7jP.s:87: Warning: setting incorrect section attributes for .rodata
See:
https://github.com/llvm/llvm-project/issues/56468
Fixes:
../src/core/restrict-ifaces.c:45:14: error: ‘struct
restrict_ifaces_bpf’ has no member named ‘rodata’; did you mean
‘data’?
45 | obj->rodata->is_allow_list = is_allow_list;
| ^~~~~~
| data
(cherry picked from commit e8b1e9cf10)
(cherry picked from commit cdd3f180b0)
According to the C++ ISO standard, a conformant compiler is allowed to
define this macro to any value for any reason as it is implementation
defined: https://timsong-cpp.github.io/cppwp/cpp.predefined#2.3
This mean that it cannot be assumed that it is not defined in a C++.
Change the condition to reflect that.
(cherry picked from commit 00852912ed)
(cherry picked from commit 45faf77d4d)
And point people to "journalctl --unit=" for information of prior runs.
Inspired by: #24159
(cherry picked from commit 157cb4337b)
(cherry picked from commit 0cfe2d7e88)
Via the "backing_fd" variable we intend to pin the backing inode through
our entire code. So far we typically created the fd via F_DUPFD_CLOEXEC,
and thus any BSD lock taken one the original fd is shared with our
backing_fd reference. And if the origina fd is closed but our backing_fd
is not, we'll keep the BSD lock open, even if we then reopen the block
device through the backing_fd. If hit, this results in a deadlock.
Let's fix that by creating the backing_fd via fd_reopen(), so that the
locks are no longer shared, and if the original fd is closed all BSD
locks on it that are in effect are auto-released.
(Note the deadlock is only triggered if multiple operations on the same
backing inode are executed, i.e. factory reset, resize and applying of
partitions.)
Replaces: #24181
(cherry picked from commit 38f81e9374)
(cherry picked from commit d3e84e4703)
Everywhere else that `conf.get('ENABLE_*')` is used as a boolean key for
something (for example in if statements) it always checks if == 1, but
in this one case it neglects to do so. This is important because
conf.get yields the same int that was stored, but if statements require
booleans.
So does executable's "install" kwarg, at least according to the
documentation. In actuality, it accepts all types without sanity
checking, then uses python "if bool(var)", so you can actually do
`install: 'do not'` and that's treated identical to `true`. This is a
type-checking bug which Meson will eventually fix.
muon fails on the same code, today.
(cherry picked from commit 9e4a50bcdf)
(cherry picked from commit 3a382bf86b)
by default, gcrypt defaults to an userspace RNG, this is
the wrong thing (tm) to do on linux.
Switch to the SYSTEM rng instead.
(cherry picked from commit 80f967311a)
(cherry picked from commit ca0ed3a78c)
Kubevirt is currently technically based on KVM (but not xen yet[1]).
The systemd-detect-virt command, used to differentiate the current
virtualization environment, works fine on x86 relying on CPUID, while
fails to get the correct value (none instead of kvm) on aarch64.
Let's fix this by adding a new 'vendor[KubeVirt] = kvm' classification
considering the sys_vendor is always KubeVirt.
[1] https://groups.google.com/g/kubevirt-dev/c/C6cUgzTOsVg
Signed-off-by: Fei Li <lifei.shirley@bytedance.com>
(cherry picked from commit c15d1ac2c4)
(cherry picked from commit e7d635f0b9)
Known-Answer list whose remaining TTL is less than half of their original TTL
(cherry picked from commit f941c12427)
(cherry picked from commit ef6c379089)
Fixes the following assertion:
---
Assertion 'r > 0' failed at src/resolve/resolved-mdns.c:180, function mdns_do_tiebreak(). Aborting.
---
(cherry picked from commit f2605af1f2)
(cherry picked from commit 0070302b3c)
Also, this makes mDNS regular queries sent without delay (except for
one caused by the default accuracy of sd-event).
Note, RFC 6762 Section 5.2 is about continuous mDNS query, which is not
implemented yet.
(cherry picked from commit 765647ba80)
(cherry picked from commit 41810cb166)
When running on images you don't want to modify the /tmp
directory even if it's writable, and often it will just
be read-only. Set PrivateTmp=yes.
Fixes https://github.com/systemd/systemd/issues/23592
(cherry picked from commit f2d26cd89b)
(cherry picked from commit 6e111d2811)
This reverts commit e4de58c823.
If mkdir() fails and the path does exist, then the later mount
command fails anyway. Hence, it is not necessary to fail here.
Fixes#24120.
(cherry picked from commit e5e6b7c225)
(cherry picked from commit b1e494d64d)
We ignore xattr copy failures on all other cases, and we should do so
here too.
Fixes: #24106
(cherry picked from commit d3efe29452)
(cherry picked from commit 200cbc299b)
The variable `inst` was set to NULL by TAKE_PTR().
This fixes the following log message:
```
systemd[1]: Unit getty@tty2.service has alias (null).
```
(cherry picked from commit 7c35b78a0b)
(cherry picked from commit 9ac0ad80fe)
For the system manager, /run/systemd/private is publicly accessible, because
/run/systemd is 0755, and /run/systemd/private is 0777. For the user manager,
/run/user/<uid> is 0700, and /run/user/<uid>/systemd/private is 0777. This
does not directly cause any security issue because we check the sender in
bus_check_peercred (ucred.uid != 0 && ucred.uid != geteuid()).
But it makes sense to limit access to the socket to avoid wasting time in PID1.
Somebody could send messages there that'd we'd reject anyway. It also makes
things more explicit.
(cherry picked from commit df1cbd1adf)
(cherry picked from commit dc3333bcc9)
since in this specific case (r == 0) `errno` is irrelevant and most likely
set to zero, leading up to a confusing message:
```
[ 120.595085] H systemd[1]: session-5.scope: No PIDs left to attach to the scope's control group, refusing: Success
[ 120.595144] H systemd[1]: session-5.scope: Failed with result 'resources'.
```
(cherry picked from commit e99b9285cb)
(cherry picked from commit 5c822e33c9)
Whitespace inside of the <varname> field was propagated to the displayed form,
causing strange indentation.
(cherry picked from commit 9cfc294fe0)
(cherry picked from commit b7c5530a1f)
Ambient capabilities should not be passed implicitly to user
services. Dropping them does not affect the permitted and effective sets
which are important for the manager itself to operate.
(cherry picked from commit 963b6b906e)
(cherry picked from commit c88309d5cd)
Inspired by https://github.com/systemd/systemd/pull/24024 this is
another user mode helper, where this might be an issue. hence let's
rather be safe than sorry, and also connect stdin/stdout/stderr
explicitly with /dev/null.
(cherry picked from commit 50492ce815)
(cherry picked from commit 689487785f)
When invoked as the coredump handler by the kernel, systemd-coredump's
stdout and stderr streams are closed. This is dangerous as this means
the fd's can get reallocated, leading to hard to debug errors such as
log messages ending up being appended to a compressed coredump file.
To avoid such issues in the future, let's bind stdout/stderr to
/dev/null so the file descriptors can't get used for anything else.
(cherry picked from commit 1f9d2a8199)
(cherry picked from commit fba50bc0fc)