1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00
Commit Graph

43086 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
def9443793 Revert "sysctl: always write net.ipv4.conf.all.xyz= in addition to net.ipv4.conf.default.xyz="
This reverts commits 1836bf9e1d
and 9fefb9e3cd.

The race is reintroduced, and will be fixed later.
2020-01-30 10:48:43 +01:00
Zbigniew Jędrzejewski-Szmek
fa2111bd3e man: document logging downgrade in systemctl
Fixup for 32458cc968.
2020-01-30 10:48:35 +01:00
Zbigniew Jędrzejewski-Szmek
f3b136a484 shared/sysctl-util: normalize repeated slashes or dots to a single value
We use those strings as hash keys. While writing "a...b" looks strange,
"a///b" does not look so strange. Both syntaxes would actually result in the
value being correctly written to the file, but they would confuse our
de-deplication over keys. So let's normalize. Output also becomes nicer.

Add test.
2020-01-30 10:48:27 +01:00
Zbigniew Jędrzejewski-Szmek
c16460cf78 shared/sysctl-util: add missing header
one_zero() is used later in the header...
2020-01-16 15:51:44 +01:00
Zbigniew Jędrzejewski-Szmek
32458cc968 sysctl: downgrade message when we have no permission
We need to run sysctl also in containers, because the network
subtree is namespaces and may legitimately be writable. But logging
all "errors" at notice level creates unwanted noise.

Also downgrade message about missing sysctls to log_info. This might also be
relatively common when configuration is targeted at different kernel
versions. With log_debug it'll still end up in the logs, but isn't really worth
of "notice" most of the time.

https://bugzilla.redhat.com/show_bug.cgi?id=1609806
2020-01-16 14:45:50 +01:00
Zbigniew Jędrzejewski-Szmek
b2ae4d9eb8 sysctl: move hashmap allocation out of main function
This allocation is a low level detail, and it seems nicer to keep it
out of run().
2020-01-16 14:45:37 +01:00
Zbigniew Jędrzejewski-Szmek
e76c60bf2a man: rework section about configuration file precedence
This section is loaded in a bunch of places, so this affects many
man pages.

1. point the reader to the synopsis section, which has the exact paths
that are used to load files.
2. put the "reference" part first, and recommendations later, in separate
paragraphs.
3. describe how individual settings and whole files are replaces.

Closes #12791.
2020-01-16 14:45:37 +01:00
Zbigniew Jędrzejewski-Szmek
251d3d20c3
Merge pull request #14581 from poettering/setcred-alternative-fix
alternative pam_setcred() fix
2020-01-16 09:53:26 +01:00
Lennart Poettering
4bb68f2fee core: on each iteration processing /proc/self/mountinfo merge all discovery flags for each path
This extends on d253a45e1c, and instead of
merging just a single flag from previous mount entries of
/proc/self/mountinfo for the same path we merge all three.

This shouldn't change behaviour, but I think make things more readable.

Previously we'd set MOUNT_PROC_IS_MOUNTED unconditionally, we still do.

Previously we'd inherit MOUNT_PROC_JUST_MOUNTED from a previous entry on
the same line, we still do.

MOUNT_PROC_JUST_CHANGED should generally stay set too. Why that? If we
have two mount entries on the same mount point we'd first process one
and then the other, and the almost certainly different mount parameters
of the two would mean we'd set MOUNT_PROC_JUST_CHANGED for the second.
And with this we'll definitely do that still.

This also adds a comment explaining the situation a bit, and why we get
into this situation.
2020-01-15 17:42:12 +01:00
Lennart Poettering
dd1b23a313
Merge pull request #14375 from poettering/userdb
New varlink API for user and group management
2020-01-15 17:41:29 +01:00
Lennart Poettering
46d7c6afbf execute: allow pam_setcred() to fail, ignore errors
Fixes: #14567
Alternative-To: #14569
2020-01-15 17:10:43 +01:00
Lennart Poettering
5b8d1f6b77 execute: add const to array parameters, where possible 2020-01-15 17:10:28 +01:00
Lennart Poettering
c903ee8976 docs: add documentation for the varlink user/group APIs 2020-01-15 15:34:09 +01:00
Lennart Poettering
32eb3c4229 docs: add documentation for JSON group records, too 2020-01-15 15:34:09 +01:00
Lennart Poettering
812862db71 docs: add documentation for JSON user records 2020-01-15 15:34:09 +01:00
Lennart Poettering
0ba56d3657 man: document the new nss-systemd behaviour
(This also changes the suggested /etc/nsswitch.conf line to use for
hooking up nss-system to use glibc's [SUCCESS=merge] feature so that we
can properly merge group membership lists).
2020-01-15 15:31:00 +01:00
Lennart Poettering
7d9ad0e5e5 man: document systemd-userdbd.service 2020-01-15 15:30:40 +01:00
Lennart Poettering
3b2db6f110 man: document userdbctl(1) 2020-01-15 15:30:20 +01:00
Lennart Poettering
fc89f88e56 man: document new pam_systemd features in man page
This also updates the suggested PAM snippet in a number of way:

1. Be closer to the logic nowadays implemented in Fedora where the
   auth/account/password stacks are all finished off with
   pam_{deny|permit}.so

2. Make pam_unix.so just "sufficient" instead of "required" (paving
   ground for pam_systemd_home.so being hooked in as additional
   sufficient module.

3. Only do pam_nologin in the "account" stack, since it's about account
   validity really.

4. Use modern parameters to pam_unix when changing passwords, i.e.
   sha512 and shadow, and use already set up passwords (preparing ground
   for pam_systemd_home again)
2020-01-15 15:30:06 +01:00
Lennart Poettering
f9c1f4e193 pam-systemd: apply user record properties to session
This way any component providing us with JSON user record data can use
this for automatic resource management and other session properties.
2020-01-15 15:30:02 +01:00
Lennart Poettering
7bfbf6cc92 pam-systemd: normalize return values of append_session_xyz()
Let's propagate the PAM errors we got.
2020-01-15 15:29:59 +01:00
Lennart Poettering
9ab0d3ebe5 pam-systemd: port over to use a UserRecord structure
Later on this allows us to set various session properties from user
record.
2020-01-15 15:29:55 +01:00
Lennart Poettering
355c9966c2 pam-systemd: share bus connection with pam_systemd_home if we can
Let's use the pam-util.h provided helpers to acquire them.
2020-01-15 15:29:52 +01:00
Lennart Poettering
d750dde2a6 pam-systemd: port to pam_bus_log_{create|parse}_error() and pam_log_oom() 2020-01-15 15:29:48 +01:00
Lennart Poettering
cef9f2a647 shared: add pam utility helpers 2020-01-15 15:29:31 +01:00
Lennart Poettering
d510589fd0 logind: honour per-user stopDelayUSec property 2020-01-15 15:29:27 +01:00
Lennart Poettering
156a363750 logind: honour killProcesses field of user record 2020-01-15 15:29:24 +01:00
Lennart Poettering
e8e4b7a0b6 logind: enforce user record resource settings when user logs in 2020-01-15 15:29:21 +01:00
Lennart Poettering
22c902facc logind: port to UserRecord object
This changes the user tracking of logind to use the new-style UserRecord
object.

In a later commit this enables us to do per-user resource management.
2020-01-15 15:29:17 +01:00
Lennart Poettering
1684c56f40 nss: hook up nss-systemd with userdb varlink bits
This changes nss-systemd to use the new varlink user/group APIs for
looking up everything.

(This also changes the factory /etc/nsswitch.conf line to use for
hooking up nss-system to use glibc's [SUCCESS=merge] feature so that we
can properly merge group membership lists).

Fixes: #12492
2020-01-15 15:29:07 +01:00
Lennart Poettering
19d22d433d core: add user/group resolution varlink interface to PID 1 2020-01-15 15:28:55 +01:00
Lennart Poettering
4bad7eedae core: make return parameter of dynamic_user_lookup_name() optional 2020-01-15 15:28:52 +01:00
Lennart Poettering
1604937f83 userdbd: add userdbctl tool as client for userdbd 2020-01-15 15:28:42 +01:00
Lennart Poettering
d093b62c94 userdbd: add new service that can merge userdb queries from multiple clients 2020-01-15 15:28:17 +01:00
Lennart Poettering
295c1a6e45 shared: add helpers for displaying new-style user/group records to users 2020-01-15 15:27:59 +01:00
Lennart Poettering
ec8e4a0ef1 shared: add internal API for querying JSON user records via varlink
This new API can be used in place of NSS by our own internal code if
more than the classic UNIX records are needed.
2020-01-15 15:27:41 +01:00
Lennart Poettering
9b2d907877 shared: add helpers for converting NSS passwd/group structures to new JSON objects
These new calls may be used to convert classic UNIX/glibc NSS struct
passwd and struct group records into new-style JSON-based user/group
objects.
2020-01-15 15:27:23 +01:00
Lennart Poettering
71d0b9d422 shared: add generic user/group record structures and JSON parsers 2020-01-15 15:27:04 +01:00
Lennart Poettering
64aa2622a3 libcrypt-util: add superficial validator for UNIX hashed password strings 2020-01-15 15:26:51 +01:00
Lennart Poettering
42f3b2f975 shared: split out crypt() specific helpers into its own .c/.h in src/shared/
This way we can use libxcrypt specific functionality such as
crypt_gensalt() and thus take benefit of the newer algorithms libxcrypt
implements. (Also adds support for a new env var $SYSTEMD_CRYPT_PREFIX
which may be used to select the hash algorithm to use for libxcrypt.)

Also, let's move the weird crypt.h inclusion into libcrypt.h so that
there's a single place for it.
2020-01-15 15:26:27 +01:00
Lennart Poettering
2ee4b118fa nss-util: add macros for generating getpwent()/getgrent() prototypes
We have similar macros already for getpwuid()/getpwnam(), let's add more
of this.
2020-01-15 15:25:32 +01:00
Zbigniew Jędrzejewski-Szmek
4a9a2a36b0
Merge pull request #14579 from keszybz/docs-index
Revert the test move and fix formatting on main page a bit
2020-01-15 14:26:39 +01:00
Zbigniew Jędrzejewski-Szmek
98f44b97bb
Merge pull request #14562 from yuwata/table-strv
introduce TABLE_STRV and use it in networkctl and resolvectl
2020-01-15 13:59:11 +01:00
Zbigniew Jędrzejewski-Szmek
65e2766f64 docs: fix width of console example 2020-01-15 13:46:16 +01:00
Zbigniew Jędrzejewski-Szmek
5425f8a57c Revert "docs: rename HACKING → Hacking"
This reverts commit 8c5cd27dd1.
2020-01-15 13:45:04 +01:00
Zbigniew Jędrzejewski-Szmek
a50414fce5
Merge pull request #14578 from keszybz/docs-index
Let's see if redirects work
2020-01-15 13:43:24 +01:00
Zbigniew Jędrzejewski-Szmek
8c5cd27dd1 docs: rename HACKING → Hacking
Let's see if this works at all.
2020-01-15 12:38:12 +01:00
Zbigniew Jędrzejewski-Szmek
b6bcde2623 docs: shift console log on index page to the left 2020-01-15 11:58:08 +01:00
Lennart Poettering
eea45a3399
Merge pull request #14424 from poettering/watch-bus-name-rework
pid1: simplify drastically how we watch bus names for service's BusName= setting
2020-01-15 11:46:11 +01:00
Lennart Poettering
f6160131e7
Merge pull request #14573 from keszybz/docs-index
Docs index
2020-01-15 10:25:06 +01:00