IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
less now), and we automatically enable secure mode in certain cases, but not
otherwise.
This approach is more nuanced, but should provide a better experience for
users:
- Previusly we would set LESSSECURE=1 and trust the pager to make use of
it. But this has an effect only on less. We need to not start pagers which
are insecure when in secure mode. In particular more is like that and is a
very popular pager.
- We don't enable secure mode always, which means that those other pagers can
reasonably used.
- We do the right thing by default, but the user has ultimate control by
setting SYSTEMD_PAGERSECURE.
Fixes#5666.
v2:
- also check $PKEXEC_UID
v3:
- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
(cherry picked from commit 0a42426d797406b4b01a0d9c13bb759c2629d108)
Some extra safety when invoked via "sudo". With this we address a
genuine design flaw of sudo, and we shouldn't need to deal with this.
But it's still a good idea to disable this surface given how exotic it
is.
Prompted by #5666
(cherry picked from commit 612ebf6c913dd0e4197c44909cb3157f5c51a2f0)
When doing import-environment, we shouldn't fail if some assignment is invalid.
OTOH, if the invalid assignment is specified as a positional argument, we should
keep failing.
This would also fix https://bugzilla.redhat.com/show_bug.cgi?id=1754395, by
ignoring certain variables which are not important in that scenario. It seems
like the right thing to do in general.
(cherry picked from commit a4ccce22d9552dc74b6916cc5ec57f2a0b686b4f)
It's not clear what libc's make of this. We clamp to 1 byte allocations
in most cases already, let's add this for a few where this was missing.
(cherry picked from commit 562b01e99646a21ba8a0f4f52c578a38b3f7d03d)
This fixes an issue caused by eb1c1dc029c91750e6255c3fd844b4f4bf238fab.
Before the commit, multiple values can be specified for the same
sysattr or property.
Fixes#17259.
(cherry picked from commit a0887abbd8bd9f1a9a975af08e6b4a43960bb3e2)
We need to make sure that our coredump pattern handler manages to read
process metadata from /proc/$PID/ before the kernel reaps the crashed
process. By default the kernel will reap the process as soon as it can.
By setting kernel.core_pipe_limit to a non-zero the kernel will wait for
userspace to finish before reaping.
We'll set the value to 16, which allows 16 crashes to be
processed in parallel. This matches the MaxConnections= setting in
systemd-coredump.socket.
See: #17301
(This doesn't close 17301, since we probably should also gracefully
handle if /proc/$PID/ vanished already while our coredump handler runs,
just in case people loclly set the sysctl back to zero. i.e. we should
collect what we can and rather issue an incomplete log record than
none.)
(cherry picked from commit 2a9b9323cd844baae3229e9dba67e478bee70654)
It is expected for numerous autostart files to not be convertible to
corresponding units. The information is only useful for someone
debugging why a file might not be started, but it is not generally
useful for users in most situations.
As such, lower the warnings. Anyone wondering why an application is not
started will easily notice that the unit is not generated. From there it
will be somewhat harder to figure out why, but the overall trade-off is
still improved.
Fixes: #17305
(cherry picked from commit 47c1db6730b8a81b01e8505a648624fa6ad0bbd7)
My logs have lines like this:
Oct 10 09:38:38 krowka systemd-logind[1889]: External (2) displays connected.
Oct 10 09:38:38 krowka systemd-logind[1889]: Refusing operation, as it is turned off.
Without some hint *what* operation is ignored, this is not very informative.
(I remember this came up before, but I don't remember why we didn't change this
log line back then...)
(cherry picked from commit bf135d82585f9a6356fa818fe4c130d3e3524918)
We previously checked the QR bit to decide whether the RFC6975 algorithm
data in our packets. But that doesn't work in many cases, since we
initialize the QR flags along with the other flags usually only after
appending OPT (since success to do so propagates into flags). Hence,
let's add an explicit parameter that controls whether to include RFC6975
data in DNS packets, and set it to false for stub reply, and on true for
upstream queries.
Fixes: #17217
(cherry picked from commit c36d5b5be900315b113a62199274c37fe47a37cd)
It makes sense to ignore all the common fields that are expected and
that we can safely ignore. Note that it is fine to ignore URL as we will
already warn about the type= being wrong in that case.
Closes: #17276
(cherry picked from commit 51ac77d58c03f337e1347263eb4995e1f9947a9d)
We have an option to set the fallback list, so we don't know what the contents
are. It may in fact be empty. Let's add some examples to make it easy for a user
stranded without any DNS to fill in something that would work. As a bonus, this
also gives names to the entries we provide by default.
(I added google and cloudflare because that's what we have currently, and quad9
because it seems to be a good privacy-concious and fast choice and was requested
in #12499. As a minimum, things we should include should be well-known global
services with a documented privacy policy and both IPv4 and IPv6 support and
decent response times.)
(cherry picked from commit 206178a9d22f5dc60f15decd8fe879326cbf4c25)
Functions that accept no arguments should be
explicitly declared a void parameter in their parameter list.
Signed-off-by: Marco Wang <m.aesophor@gmail.com>
(cherry picked from commit ee85122987decae4f9f3b1dad6f7bc3b08b92526)
The commit 88da55e28b467999da005591d3252a98f4436522 erroneously makes
`udevadm trigger` treat -ENODEV error critical.
This makes -ENODEV ignored again.
Fixes#17250.
(cherry picked from commit 1b97c5cba58fdd1138e7622d7edef9a48309b0e2)
Currently systemd-detect-virt fails to detect running under PowerVM.
Add code to detect PowerVM based on code in util-linux.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
(cherry picked from commit 3224e38bb6b3287ca253cbafb460a150544d5818)
The usual: "empty string" is meaningless in this context. We are not assigning
DestinationPort="". Just say "unset".
Fixes#17240.
(cherry picked from commit e6fd398d61a9810d53a2a5a30294500718e43286)
"keyed by" is indeed a bit jargony. Say " a HMAC hash of the salt combined with
an internal secret key" instead.
For #17177.
(cherry picked from commit e0c60bf6a0065ba447b50fcb1bb171725e8bd00d)
Completions for systemd-id128 and homectl have been available for a
while, but weren’t being installed.
(cherry picked from commit 7c57a030e0d654ce0e4d557da826170fb5ac5bc2)
When invoked as non-root, we would suggest re-running as root without any
further hint. But this immediately spawns a machine from the local directory,
which can be rather surprising. So let's give a better hint.
(In general, I don't think commandline programs should do "significant" things
when invoked without any arguments. In this regard it would be better if
systemd-nspawn would not spawn a machine from the current directory if called
with no arguments and at least "-D ." would be required.)
(cherry picked from commit 38ee19c04b1a7a9f8858d791c68c8a9b711a4e3d)
It can be one of "foreign", "missing", "stub", "static", "uplink",
depending on how /etc/resolv.conf is set up:
foreign → someone/something else manages /etc/resolv.conf,
systemd-resolved is just the consumer
missing → /etc/resolv.conf is missing altogether
stub/static/uplink → the file is managed by resolved, with the
well-known modes
Fixes: #17159
(cherry picked from commit 4261ab654c0df009b5a37a30593d58d47fec617f)
This basically implements fc58c0c7bf7e4f525b916e3e5be0de2307fef04e for gshadow.
gpasswd may not have a lock/unlock that behaves the same as passwd, but
according to gshadow(5) the logic of the password field is the same.
(cherry picked from commit bbbfe49b5eb0c571c10fa7991c10bac620f3c453)
This is like membarrier() I guess and basically just exposes CPU
functionality via kernel syscall on some archs. Let's whitelist it for
everyone.
Fixes: #17197
(cherry picked from commit 8e24b1d23f5fa711bfdfd38bcfef525de04cd3c1)
