Otherwise it doesn't hold that VLANs 100-400 are allowed (because 201-299 are disallowed).
(cherry picked from commit ae2f3af63962ba6e2f67cfce07c9fee61722e30e)
(cherry picked from commit 9fad72cc52bdec7f44337b1e48c23ee15fc08d77)
(cherry picked from commit 0102ff403ee230bdd7a0c2b38463d9292fb9c0ae)
(cherry picked from commit b879b06ed1498f88a01191f4e8422976a80db344)
(cherry picked from commit d548785ed8900a20ef898ae12ec6e95463d5aadd)
Document the fact that read-only properties may not have the flag
SD_BUS_VTABLE_UNPRIVILEGED as that is not obvious especially given the
flag is accepted for writable properties.
Based on the check in `add_object_vtable_internal` called by
`sd_bus_add_object_vtable` (as of the current tip of the main branch
f7f5ba019206cacd486b0892fec76f70f525e04d):
    case _SD_BUS_VTABLE_PROPERTY: {
            [...]
            if ([...] ||
                [...]
                (v->flags & SD_BUS_VTABLE_UNPRIVILEGED && v->type == _SD_BUS_VTABLE_PROPERTY)) {
                    r = -EINVAL;
                    goto fail;
            }
(where `_SD_BUS_VTABLE_PROPERTY` means read-only property whereas
`_SD_BUS_VTABLE_WRITABLE_PROPERTY` maps to writable property).
This was implemented in the commit
adacb9575a09981fcf11279f2f661e3fc21e58ff ("bus: introduce "trusted" bus
concept and encode access control in object vtables") where
`SD_BUS_VTABLE_UNPRIVILEGED` was introduced:
    Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED
    and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them.
    Note however that read access is unrestricted, as PropertiesChanged
    messages might send out the values anyway as an unrestricted
    broadcast.
(cherry picked from commit 3ca09aa4dd57327989eceb1298754601046ac041)
(cherry picked from commit cd727031a4daafe19f491df360c512433562f469)
(cherry picked from commit f694a84faf082ce4a18cc2478d7843bb2b7e7fc4)
(cherry picked from commit 0aea62ba3364192e70f426aaf1e8596f67fdc2c3)
(cherry picked from commit 413d82c4620b5e2bcc7001f98a9f90bc109c1998)
Fixes https://github.com/systemd/systemd/issues/28514.
Quoting https://github.com/systemd/systemd/issues/28514#issuecomment-1831781486:
> Whenever PAM is enabled for a service, we set up the PAM session and then
> fork off a process whose only job is to eventually close the PAM session when
> the service dies. That services we run with service privileges, both to
> minimize attack surface and because we want to use PR_SET_DEATHSIG to get
> a notification via signal whenever the main process dies. But that only works
> if we have the same credentials as that main process.
>
> Now, if pam_systemd runs inside the PAM stack (which it normally does) its
> session close hook will ask logind to synchronously end the session via a bus
> call. Currently that call is not accessible to unprivileged clients. And
> that's the part we need to relax: allow users to end their own sessions.
The check is implemented in a way that allows the kill if the sender is in
the target session.
I found 'sudo systemctl --user -M "zbyszek@" is-system-running' to
be a convenient reproducer.
Before:
May 16 16:25:26 x1c systemd[1]: run-u24754.service: Deactivated successfully.
May 16 16:25:26 x1c dbus-broker[1489]: A security policy denied :1.24757 to send method call /org/freedesktop/login1:org.freedesktop.login1.Manager.ReleaseSession to org.freedesktop.login1.
May 16 16:25:26 x1c (sd-pam)[3036470]: pam_systemd(login:session): Failed to release session: Access denied
May 16 16:25:26 x1c systemd[1]: Stopping session-114.scope...
May 16 16:25:26 x1c systemd[1]: session-114.scope: Deactivated successfully.
May 16 16:25:26 x1c systemd[1]: Stopped session-114.scope.
May 16 16:25:26 x1c systemd[1]: session-c151.scope: Deactivated successfully.
May 16 16:25:26 x1c systemd-logind[1513]: Session c151 logged out. Waiting for processes to exit.
May 16 16:25:26 x1c systemd-logind[1513]: Removed session c151.
After:
May 16 17:02:15 x1c systemd[1]: run-u24770.service: Deactivated successfully.
May 16 17:02:15 x1c systemd[1]: Stopping session-115.scope...
May 16 17:02:15 x1c systemd[1]: session-c153.scope: Deactivated successfully.
May 16 17:02:15 x1c systemd[1]: session-115.scope: Deactivated successfully.
May 16 17:02:15 x1c systemd[1]: Stopped session-115.scope.
May 16 17:02:15 x1c systemd-logind[1513]: Session c153 logged out. Waiting for processes to exit.
May 16 17:02:15 x1c systemd-logind[1513]: Removed session c153.
Edit: this seems to also fix https://github.com/systemd/systemd/issues/8598.
It seems that with the call to ReleaseSession, we wait for the pam session
close hooks to finish. I inserted a 'sleep(10)' after the call to ReleaseSession
in pam_systemd, and things block on that, nothing is killed prematurely.
(cherry picked from commit fc0bb7ccc763ec79efe7a8a58220e9bc80f34f81)
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=2221337.
(cherry picked from commit 97ad9a336a7f121770e6b74e8411da7278847d4f)
(cherry picked from commit 39f457fe60605e8b138eafdd468d1a4e67bb952c)
This page contains many short example codes. I do not think we should
add SPDX-License-Identifier for all codes.
Closes #35356.
(cherry picked from commit 6046cc3660810efcc6fe50b1c850ea642218245b)
(cherry picked from commit 6f2483eed8d790b94945aece37833c3604e3fc11)
(cherry picked from commit cb1077c9aa7779f35b3f5f8b5d226925079eb495)
(cherry picked from commit 238f1f1dc5ecbdee65fd12bbd4a8dc2f850cc826)
(cherry picked from commit a04d42821bb5350b0ffa82834e50e9b679279854)
(cherry picked from commit 03b993a9bfd97d42ebc0b3713e583c806c89e632)
(cherry picked from commit acb760fbe811781dcc262c59ac3c5a540fd10531)
(cherry picked from commit 90fd71a695de523e27bb9d46f23074200d770032)
Processes can easily survive the first kill operation we execute, hence
we shouldn't make strong claims about them having exited already. Let's
just say "likely" hence.
Fixes: #15032
(cherry picked from commit ac804bc2f8d814d2afcdccd88f7469ac320da1c8)
(cherry picked from commit 307a6332a63dd0f6addbc5c77d21f72ce4578070)
(cherry picked from commit b38386ae2bff5cc55a83094a625a026e23a69e0c)
(cherry picked from commit e23cbecd7fbec8a99c7fc466d49c69724fcdee68)
(cherry picked from commit 9b1a5bc365e379b4b13849adacfde3427f55ca38)
(cherry picked from commit a816075978767187f1a172326f414f67d905001b)
(cherry picked from commit e6247b048f4a37af0f79088e921262232236e339)
(cherry picked from commit 207ee49f20545004456bff1c7a3934a69b0b11ee)
The documentation claimed that ExecStartPre=/ExecStartPost= accepts
multiple command lines, in contrast to ExecStart=. This is half an
untruth, because ExecStart= allows that too – as long as Type=oneshot is
set.
Hence, reword this a bit, and do not emphasize the contrast.
Prompted by: #34570
(cherry picked from commit c3069a6bfb454a0e02607ad21b5badf9847fe11a)
(cherry picked from commit ff667d8c2ef7ed2378fb1de39e1bcc2af2197d0e)
(cherry picked from commit d0063ca6949c2b3dfad3e233f5ac10df928d6b12)
(cherry picked from commit 4e2337232959e431217b860f2a27599d74e9eb40)
(cherry picked from commit a41da1e7037dc36a601d3428343bbc7f0eed3e20)
(cherry picked from commit 697d247e308828e74132305606f73078616f42e2)
(cherry picked from commit 54a43fe71072f649beafe839dfd44b58b348740e)
(cherry picked from commit 4e089fc7ad5eb942a423bba3485167c81d8ce24d)
(cherry picked from commit f4e3c6e5b318d22a9c40144c6d52ae68a70c264c)
(cherry picked from commit 5a2f94d2dae50fbaa430a96a3096368dfc488380)
(cherry picked from commit 109da92157425ffecd4ef063b74439f611fdb305)
(cherry picked from commit 10808d1efba40252e56d06166554a07f5033a5ab)
(cherry picked from commit 56f32d9e782f8ba43f17cb04687c915a7e41d10e)
(cherry picked from commit 5b5f5666b2fd32950325387a3e0bc0b60f0b1808)
(cherry picked from commit 7cc52eb6e10256c0eaf9b2da6083f9f966ce1eac)
(cherry picked from commit c3bcc2f897d6090d7690c2da39d5bf8cbb752d28)
Avoids the need to maintain the same list over and over again, and
link it to the definition table in the implementation as a reminder
too
(cherry picked from commit 3509fe124d3a4fe2934028f83ae156ade050c8fe)
(cherry picked from commit 1075727f7fe9436d2e468147cf663aaa1be867fd)
(cherry picked from commit 42521e2d2d0b8beb59ed58b9bb3135e58468fcd7)
(cherry picked from commit e644a619bf1f66a3627156f4f4548ea62eae60f9)
We had several users that wrote their unit files with
WantedBy=default.target because it should be started "every time".
But for example in Fedora/CentOS/RHEL, this often breaks for
example selinux relabels (where we just want to do a relabel and reboot).
(cherry picked from commit 67b6404b80cf8078f3d9ec6d4c2f34ac25b15077)
(cherry picked from commit adc57cd81c02e5afc8efcbc64eb3a6305a97c62c)
(cherry picked from commit 02447d28887d01bf8f980c16bd80ea40f30ef73a)
(cherry picked from commit 3f7bf5ac5fb1c68ca68be42e02be9bb1da8e0a38)
fix pointer constness in documentation
(cherry picked from commit fec09ff094670a6903b12b1c599b00b39a2b0c88)
(cherry picked from commit 072ea04e26c84ac25419316c659f4d89d8002f34)
(cherry picked from commit a422935fe076c758b4a05dc495944d798b71b938)
(cherry picked from commit add0dca8d386a3c735c24ab53e33402f13bf0783)
Bit 60 is the one corresponding to ReadOnly, not 50. Fix this.
(cherry picked from commit 932cc94436e653d0487c29e0dd44685610cd7bcb)
(cherry picked from commit 2665618555d08fc3877043cac392f1b6573811b7)
(cherry picked from commit f38c19bc695636700d85c5eb689680b017cc29e8)
(cherry picked from commit 5ae6c773e4e6f3e95db8de7d6b4e1a8ff45f7e10)
(cherry picked from commit 3f24fa57df552accc2a6f9ab4d36724ba7227eff)
(cherry picked from commit ec3f2c8c8ad86004d6048510382167ee5f1ded61)
(cherry picked from commit 8e0cb57134161105f4eceae321a3ad3e51c60639)
(cherry picked from commit 53493370d24ecaa0b49175c9ab5849a193a5935c)
- Improve wording for explanation when these variables are inherited
- Clarify that these variables are not placed in the process environment block,
so /proc/PID/environ cannot be used as a debugging tool
(cherry picked from commit 6c1e0823b04525716d9ee0031a2b6735d3f7dfa4)
(cherry picked from commit 5cf0c45f64079430b0b7c12ad323f238386260b0)
(cherry picked from commit 79f335d0ef2d3c35fdf4c19988c711a3abd31ee0)
(cherry picked from commit bb28a6c0b68a4a9dc2aa33972b3419680d333c05)
Certainly on systemd 252 at least a configuration of
```
MemorySwapMax=40%
```
is supported but this was missing from the man page.
Only MemoryMax was documented as supporting a %.
(cherry picked from commit 8af38e5b0475f514141d314088dcf9fffd7edc37)
(cherry picked from commit 766af3f782299a7cbfba24a4333444ac008c17d2)
(cherry picked from commit 69681c222e8198ed7327173eada85cdd7684546d)
(cherry picked from commit 5ff55bc33c7d8c29ed609e7fe1eb4237566c69b0)
Make the warning for oneshot services (where RuntimeMaxSec= has no
effect) more actionable by pointing to the directive people can use
instead to effectively limit their runtime.
(cherry picked from commit 8c4aa0f1c6a78b35712fa6a7acf6d755d0c0bd86)
(cherry picked from commit 468b0646342986c6cc9bd797b4ba189dc488ee8d)
(cherry picked from commit 017d7fd49085e8f877cfa2510f251b9a6b59f207)
(cherry picked from commit a7e6ebc98418bc28f30f89588127e6dbce526156)
Symlink created by Alias will use the value as the file name.
(cherry picked from commit 3f0e7fd4fd1d20e3f4be18f485c76d25ce10f41b)
(cherry picked from commit a68188e985d29e46cfa6eb2e17419fad90f0b287)
(cherry picked from commit 4b8ce6a18720c2347063b6d681e5a1dac560b6c0)
(cherry picked from commit e8566d7bbfc4f269835ecbcc8c7960e025cdbd2b)
The XDG base dir spec adopted ~/.local/state/ as a thing a while back,
and we updated our docs in b4d6bc63e602048188896110a585aa7de1c70c9b, but
forgot to update the table at the bottom to fully reflect the update.
Fix that.
(cherry picked from commit 72a6296b16a75d4e26eec972f2999e69c9967b9d)
(cherry picked from commit df1ed3fbe2d03e9c1d0eed7d836c5aa541f4fb52)
(cherry picked from commit 15352fa22315cd76582ae33a63d065c808b9e958)
(cherry picked from commit 083380e814ac5dc773a849315702d0707088aa8b)
(cherry picked from commit 163bb43ceaa1e5bdcda27c4417339b3af9cf28af)
(cherry picked from commit 3e435e970d157271b2378400cbc9c84610d38f06)
(cherry picked from commit b3bc7b8a586171f58ca8a0ba100ebc43ae23079b)
(cherry picked from commit 6e37495d22bd136939e540dd6a8e595f48ad7a2c)
(cherry picked from commit 051d462b42fe6c27824046c15cd3c84fa5afe05b)
(cherry picked from commit 90b5cb35e9901947fca63d82e69b74b2df959258)
(cherry picked from commit 130358d6def563aeb8897a7d9eb8f860f162f7a3)
(cherry picked from commit b54581e10d771b967806d512b4a3d4da164aaff1)
Historically, systemd-tmpfiles was designed to manage temporary
files, but nowadays it has become a generic tool for managing
all kinds of files. To avoid user confusion, let's remove "temporary"
from the tool's description.
As discussed in #33349
(cherry picked from commit b5c8cc0a3b8e4e2fea0539d6420a76b524ea5735)
(cherry picked from commit 1a0e6961cfaed42bda542e111738c136f7b4d73f)
(cherry picked from commit c752efdfbac84cd62ddc54fc6ff7c58361f7f998)
(cherry picked from commit 269fb21700909aa43e3afdde31410304a8192bbb)
(cherry picked from commit d73a47d259be795958c8aa5b65b002f3d7338b6e)
(cherry picked from commit ce25cf6df1c6f86eabb4f35fae13a3c932096eb9)
(cherry picked from commit d1e36e6a35576dc6b328ecac4e12177bf2851ae7)
LinkLocalAddressing accepts a boolean. This can be seen by looking at
`link_local_address_family_from_string(const char *s)` in
`src/network/networkd-util.c#L102-108` which falls back to
`address_family_from_string`, defined two lines above (L100)
using `DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN`.
(cherry picked from commit 07b6924de4d83c0d66ddfe92d3f2df4995e1e087)
(cherry picked from commit 586e10fa612c4740517acdd67727ed8a4ac9166d)
(cherry picked from commit 2b822b9008b34114e993f221db84caf1873749e1)
(cherry picked from commit 3cb7fc5fcb486a6ac775d637a7edc46afd312358)
(cherry picked from commit 02015cf563ffa39e8c447bf863dacf6ef8ac044f)
(cherry picked from commit e929b3e4f694d87056a219b61740b6a2a6f0fd8b)
And while we are at it reword the introductory sentence a bit to make it
clearer.
Fixes: #30555
(cherry picked from commit 6b7a1a3679f1facbc192d4abd209530002510f34)
(cherry picked from commit 968c569a8e4b6f1cd6c4199dd110828333a562a5)
(cherry picked from commit 4b8fe21619476c0732ae3b5bb662da8a52ba333b)
When an IO event source owns relevant fd, replacing with a new fd leaks
the previously assigned fd.
===
sd_event_add_io(event, &s, fd, ...);
sd_event_source_set_io_fd_own(s, true);
sd_event_source_set_io_fd(s, new_fd); /* The previous fd is not closed. */
sd_event_source_unref(s);             /* new_fd is closed as expected. */
===
Without the change, valgrind reports the leak:
==998589==
==998589== FILE DESCRIPTORS: 4 open (3 std) at exit.
==998589== Open file descriptor 4:
==998589== at 0x4F119AB: pipe2 (in /usr/lib64/libc.so.6)
==998589== by 0x408830: test_sd_event_source_set_io_fd (test-event.c:862)
==998589== by 0x403302: run_test_table (tests.h:171)
==998589== by 0x408E31: main (test-event.c:935)
==998589==
==998589==
==998589== HEAP SUMMARY:
==998589== in use at exit: 0 bytes in 0 blocks
==998589== total heap usage: 33,305 allocs, 33,305 frees, 1,283,581 bytes allocated
==998589==
==998589== All heap blocks were freed -- no leaks are possible
==998589==
==998589== For lists of detected and suppressed errors, rerun with: -s
==998589== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
(cherry picked from commit 2fa480592d4f4334881361c5558f563e5ea4c9c3)
(cherry picked from commit 6d2dd436429aafcbb3fd8c99f6b69c9a108bf7f9)
(cherry picked from commit 5f8cf63f17c2ab4fecb0e65e6231ae6931270893)
(cherry picked from commit 41fead40e6b3166f13a3598ab94e3dcb59ed36e1)
(cherry picked from commit 2cc54032fdd8fb80e3c9626daf8cfeecb79aeab3)
(cherry picked from commit 74e96ea95546d29502dd5bcf85059074d6d98a49)
(cherry picked from commit a7d8cacce0cb0451701b81db818d9e5921574f51)
(cherry picked from commit 47b642c4cacd55760902b55ec8cd1502bc82a9af)
(cherry picked from commit 35b716dd23ed7e417ae1240f4dca99852c26d0d6)
(cherry picked from commit 2548ce6a30a1183a7bbbd699aafdf81249a5fe4e)
(cherry picked from commit 52f60014056dcf3e5efd5edf0c67b721a18e723c)
(cherry picked from commit ea8070be46548f23e863504737a01d39fab2050b)
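The descriptor leak described in the commit message above can be reproduced with a small stand-alone model. This is an added example, not sd-event code or the project's fix: `struct io_source`, `set_fd_leaky()`, `set_fd_owned()` and `leaked_after_replace()` are hypothetical names, and the pipes are constructed test input.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-in for an IO event source; not sd-event's real struct. */
struct io_source {
        int fd;
        bool own; /* true: the source closes fd when it is freed */
};

static bool fd_is_open(int fd) {
        return fcntl(fd, F_GETFD) >= 0;
}

/* Leaky replace: the old descriptor is overwritten without being closed. */
static void set_fd_leaky(struct io_source *s, int new_fd) {
        s->fd = new_fd;
}

/* Ownership-aware replace: close the old descriptor if the source owns it. */
static void set_fd_owned(struct io_source *s, int new_fd) {
        if (s->fd == new_fd)
                return;
        if (s->own && s->fd >= 0)
                close(s->fd);
        s->fd = new_fd;
}

static void source_free(struct io_source *s) {
        if (s->own && s->fd >= 0)
                close(s->fd);
        s->fd = -1;
}

/* Replace the fd, free the source, return how many read ends stayed open. */
static int leaked_after_replace(bool fixed) {
        int a[2], b[2];
        if (pipe(a) < 0)
                return -1;
        if (pipe(b) < 0) { close(a[0]); close(a[1]); return -1; }
        struct io_source s = { .fd = a[0], .own = true };
        if (fixed) set_fd_owned(&s, b[0]); else set_fd_leaky(&s, b[0]);
        source_free(&s);
        int leaked = fd_is_open(a[0]) + fd_is_open(b[0]);
        if (fd_is_open(a[0]))
                close(a[0]); /* tidy up so repeated runs start clean */
        close(a[1]); close(b[1]);
        return leaked;
}

int main(void) {
        printf("leaky: %d open, owned: %d open\n",
               leaked_after_replace(false), leaked_after_replace(true));
        return 0;
}
```

In a long-running daemon each leaked descriptor counts against the process's open-file limit, which is why an owning handle has to release the old fd at the moment it is replaced.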
STRLEN() and xsprintf() are our internal macros.
(cherry picked from commit 06d0dcc009f6d8b16d02f65fc20f7e1d76c77721)
(cherry picked from commit ea94162096cef586d3a1b03c45ea530a2dab2652)
(cherry picked from commit 4a7d09423ea721f40da72bef8ba34559f57758bb)
(cherry picked from commit 245bd4af99094e5727727fb0459ed6cb7b78b56a)
(cherry picked from commit 892641af224218a7cae25ddc602d3fa2944de151)
(cherry picked from commit 6a7b65a6182f0ce7c1e663f76996deca5b38d6c6)
The specified vendor UUID is not actually a UUID. This changes it to an actual UUID.
The new value matches the ones from the systemd-boot man page and [The Boot Loader Interface](https://systemd.io/BOOT_LOADER_INTERFACE/).
(cherry picked from commit c6d0c6688ee7b0bb4575ab3e96655fd316543c95)
(cherry picked from commit aa7b8471806136f52287b1737b88bed9d4f221a9)
(cherry picked from commit 53cc058d34a76ccf278ccefd1330a34b033a65bf)
The service parsing/using this directory is systemd-timedated, not
systemd-timesyncd.
(cherry picked from commit 73d8990930b0d84067331c65f0f7731fd76822a4)
(cherry picked from commit 4985c7069e3848009a93791c0ae1d7c9574c93a7)
(cherry picked from commit 9b83f8a2f2f3401dc5998a07073c9daaf2738bf2)
(cherry picked from commit c959e1782316f93464baf4f2fd15484bf84413ba)
(cherry picked from commit 4fb223fdc6c396b16d93f5288fb9a90d88c1a9c5)
(cherry picked from commit cff6c392c14de1a36cd95dbe7b8ae95091727679)