mirror of https://github.com/systemd/systemd.git, synced 2024-12-22 17:35:35 +03:00
Use https for man7.org
parent 41d6f3bf4d
commit e2285c5735
@ -8,7 +8,7 @@ SPDX-License-Identifier: LGPL-2.1-or-later
# Locking Block Device Access

*TL;DR: Use BSD file locks
[(`flock(2)`)](http://man7.org/linux/man-pages/man2/flock.2.html) on block
[(`flock(2)`)](https://man7.org/linux/man-pages/man2/flock.2.html) on block
device nodes to synchronize access for partitioning and file system formatting
tools.*

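Review bot: the link text `[(`flock(2)`)]` on the changed line keeps the parentheses inside the square brackets, so the rendered TL;DR reads "(flock(2))", while the same man page is linked as plain `[`flock(2)`]` in the next hunk of this file; since the line is being rewritten anyway, dropping the outer parentheses would make the two references consistent. The scheme change itself is right: a plain-http link to a man page can be rewritten by anyone on the network path, and this document is the one readers are sent to for the locking protocol, so its references should not be served over a channel that can be tampered with in transit.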
@ -22,7 +22,7 @@ Applications manipulating a block device can temporarily stop `systemd-udevd`
from processing rules on it — and thus bar it from probing the device — by
taking a BSD file lock on the block device node. Specifically, whenever
`systemd-udevd` starts processing a block device it takes a `LOCK_SH|LOCK_NB`
lock using [`flock(2)`](http://man7.org/linux/man-pages/man2/flock.2.html) on
lock using [`flock(2)`](https://man7.org/linux/man-pages/man2/flock.2.html) on
the main block device (i.e. never on any partition block device, but on the
device the partition belongs to). If this lock cannot be taken (i.e. `flock()`
returns `EAGAIN`), it refrains from processing the device. If it manages to take
@ -308,7 +308,7 @@ does not exist, no assumptions should be made.
A unified kernel image is a single EFI PE executable combining an EFI stub
loader, a kernel image, an initramfs image, and the kernel command line. See
the description of the `--uefi` option in
[dracut(8)](http://man7.org/linux/man-pages/man8/dracut.8.html). Such unified
[dracut(8)](https://man7.org/linux/man-pages/man8/dracut.8.html). Such unified
images are installed in the`$BOOT/EFI/Linux/` and `$XBOOTLDR/EFI/Linux/`
directories and must have the extension `.efi`.
Support for images of this type is of course specific to systems with EFI
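Review bot: the unchanged context line `images are installed in the`$BOOT/EFI/Linux/` and `$XBOOTLDR/EFI/Linux/`` is missing the space between "the" and the opening backtick, so the rendered text runs "the" straight into the path; the hunk already touches the line directly above it, so fixing it in the same commit would be cheap.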
@ -56,8 +56,8 @@ Here's the step-by-step guide:

This will tell you the `/etc/passwd` and `/etc/shadow` entries for your
user. For details about the fields, see the respective man pages
[passwd(5)](http://man7.org/linux/man-pages/man5/passwd.5.html) and
[shadow(5)](http://man7.org/linux/man-pages/man5/shadow.5.html).
[passwd(5)](https://man7.org/linux/man-pages/man5/passwd.5.html) and
[shadow(5)](https://man7.org/linux/man-pages/man5/shadow.5.html).

The fourth field in the `getent passwd foobar` output tells you the GID of
your user's main group. Depending on your distribution it's a group private
@ -12,7 +12,7 @@ systemd 12 and newer support lightweight password agents which can be used to qu
* A Plymouth agent used for querying passwords during boot-up
* A console agent used in similar situations if Plymouth is not available
* A GNOME agent which can be run as part of the normal user session which pops up a notification message and icon which when clicked receives the passphrase from the user. This is useful and necessary in case an encrypted system hard-disk is plugged in when the machine is already up.
* A [`wall(1)`](http://man7.org/linux/man-pages/man1/wall.1.html) agent which sends wall messages as soon as a password shall be entered.
* A [`wall(1)`](https://man7.org/linux/man-pages/man1/wall.1.html) agent which sends wall messages as soon as a password shall be entered.
* A simple tty agent which is built into "`systemctl start`" (and similar commands) and asks passwords to the user during manual startup of a service
* A simple tty agent which can be run manually to respond to all queued passwords

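Review bot: on the context line for the agent built into `systemctl start`, "asks passwords to the user" should read "asks the user for passwords"; not introduced by this patch, but it sits inside the hunk and is a one-line fix.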
@ -25,7 +25,7 @@ for high-quality random numbers cannot be fulfilled.
The Linux kernel provides three relevant userspace APIs to request random data
from the kernel's entropy pool:

* The [`getrandom()`](http://man7.org/linux/man-pages/man2/getrandom.2.html)
* The [`getrandom()`](https://man7.org/linux/man-pages/man2/getrandom.2.html)
system call with its `flags` parameter set to 0. If invoked the calling
program will synchronously block until the random pool is fully initialized
and the requested bytes can be provided.
@ -35,7 +35,7 @@ from the kernel's entropy pool:
pool is not initialized yet.

* Reading from the
[`/dev/urandom`](http://man7.org/linux/man-pages/man4/urandom.4.html)
[`/dev/urandom`](https://man7.org/linux/man-pages/man4/urandom.4.html)
pseudo-device will always return random bytes immediately, even if the pool
is not initialized. The provided random bytes will be of low quality in this
case however. Moreover the kernel will log about all programs using this
@ -294,7 +294,7 @@ This primarily leaves two kind of systems in the cold:
do use it in many cases, but not in all. Please read the above again!

2. *Why don't you use
[getentropy()](http://man7.org/linux/man-pages/man3/getentropy.3.html)? That's
[getentropy()](https://man7.org/linux/man-pages/man3/getentropy.3.html)? That's
all you need!*

Same story. That call is just a different name for `getrandom()` with
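Review bot: the link text `[getentropy()]` on the changed line is not in code font, whereas `getrandom()` two lines below and `[`uuidd`]` in the next hunk are; `[`getentropy()`]` would follow the document's convention. The hunk header context "two kind of systems" should also be "two kinds of systems".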
@ -303,7 +303,7 @@ This primarily leaves two kind of systems in the cold:
are trying to address here.

3. *Why don't you generate your UUIDs with
[`uuidd`](http://man7.org/linux/man-pages/man8/uuidd.8.html)? That's all you
[`uuidd`](https://man7.org/linux/man-pages/man8/uuidd.8.html)? That's all you
need!*

First of all, that's a system service, i.e. something that runs as "payload"
@ -44,15 +44,15 @@ installation during runtime is permitted.)
To protect yourself against these kinds of attacks Linux provides a couple of
APIs that help you avoiding guessable names. Specifically:

1. Use [`mkstemp()`](http://man7.org/linux/man-pages/man3/mkstemp.3.html)
1. Use [`mkstemp()`](https://man7.org/linux/man-pages/man3/mkstemp.3.html)
(POSIX), `mkostemp()` (glibc),
[`mkdtemp()`](http://man7.org/linux/man-pages/man3/mkdtemp.3.html) (POSIX),
[`tmpfile()`](http://man7.org/linux/man-pages/man3/tmpfile.3.html) (C89)
[`mkdtemp()`](https://man7.org/linux/man-pages/man3/mkdtemp.3.html) (POSIX),
[`tmpfile()`](https://man7.org/linux/man-pages/man3/tmpfile.3.html) (C89)

2. Use [`open()`](http://man7.org/linux/man-pages/man2/open.2.html) with
2. Use [`open()`](https://man7.org/linux/man-pages/man2/open.2.html) with
`O_TMPFILE` (Linux)

3. [`memfd_create()`](http://man7.org/linux/man-pages/man2/memfd_create.2.html)
3. [`memfd_create()`](https://man7.org/linux/man-pages/man2/memfd_create.2.html)
(Linux; this doesn't bother with `/tmp/` or `/var/tmp/` at all, but uses the
same RAM/swap backing as `tmpfs` uses, hence is very similar to `/tmp/`
semantics.)
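Review bot: "APIs that help you avoiding guessable names" on the first context line should be "help you avoid guessable names". This hunk is also where the https switch matters most: the section is advice on defeating attacker-predictable temporary file names, and the cited `mkstemp()`, `mkdtemp()`, `tmpfile()`, `open()` with `O_TMPFILE` and `memfd_create()` pages are the references readers are told to consult, so they should be reachable over a channel that cannot be rewritten in transit.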
@ -113,7 +113,7 @@ strategies to avoid these issues:

3. 🥇 Operate below a sub-directory of `/tmp/` and `/var/tmp/` you created, and
take a BSD file lock ([`flock(dir_fd,
LOCK_SH)`](http://man7.org/linux/man-pages/man2/flock.2.html)) on that
LOCK_SH)`](https://man7.org/linux/man-pages/man2/flock.2.html)) on that
sub-directory. This is particularly interesting when operating on more than
a single file, or on file nodes that are not plain regular files, for
example when extracting a tarball to a temporary directory. The ageing
@ -126,7 +126,7 @@ strategies to avoid these issues:
this when decompressing tarballs that contain files with old
modification/access times, as extracted files are otherwise immediately
candidates for deletion by the ageing algorithm. The
[`flock`](http://man7.org/linux/man-pages/man1/flock.1.html) tool of the
[`flock`](https://man7.org/linux/man-pages/man1/flock.1.html) tool of the
`util-linux` packages makes this concept available to shell scripts. Note
that `systemd-tmpfiles` only checks for BSD file locks on directories, locks
on other types of file nodes (including regular files) are not considered.
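Review bot: two wording issues on the unchanged lines: "the `util-linux` packages" should be singular, and the last sentence is a comma splice ("...on directories, locks on other types...") that reads better as "on directories; locks on other types of file nodes (including regular files) are not considered." That sentence carries the section's security caveat, that a lock on a regular file does not protect it from the ageing logic, so it is worth making it unambiguous.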
@ -217,7 +217,7 @@ packages instead use `/dev/shm/` for temporary files during early boot; this is
not advisable however, as it offers no benefits over a private directory in
`/run/` as both are backed by the same concept: `tmpfs`. The directory
`/dev/shm/` exists to back POSIX shared memory (see
[`shm_open()`](http://man7.org/linux/man-pages/man3/shm_open.3.html) and
[`shm_open()`](https://man7.org/linux/man-pages/man3/shm_open.3.html) and
related calls), and not as a place for temporary files. `/dev/shm` is
problematic as it is world-writable and there's no automatic clean-up logic in
place.)
@ -11,7 +11,7 @@ JSON User/Group Records (as described in the [JSON User Records](USER_RECORD.md)
and [JSON Group Records](GROUP_RECORD.md) documents) that are defined on the
local system may be queried with a [Varlink](https://varlink.org/) API. This
API takes both the role of what
[`getpwnam(3)`](http://man7.org/linux/man-pages/man3/getpwnam.3.html) and
[`getpwnam(3)`](https://man7.org/linux/man-pages/man3/getpwnam.3.html) and
related calls are for `struct passwd`, as well as the interfaces modules
implementing the [glibc Name Service Switch
(NSS)](https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html)
@ -297,7 +297,7 @@ for all login sessions of the user.

`environment` → An array of strings, each containing an environment variable
and its value to set for the user's login session, in a format compatible with
[`putenv()`](http://man7.org/linux/man-pages/man3/putenv.3.html). Any
[`putenv()`](https://man7.org/linux/man-pages/man3/putenv.3.html). Any
environment variable listed here is automatically set by
[`pam_systemd`](https://www.freedesktop.org/software/systemd/man/pam_systemd.html)
for all login sessions of the user.
@ -320,7 +320,7 @@ variable, for example: `de_DE.UTF8`.
[`pam_systemd`](https://www.freedesktop.org/software/systemd/man/pam_systemd.html)
will automatically initialize the login process' nice level to this value with,
which is then inherited by all the user's processes, see
[`setpriority()`](http://man7.org/linux/man-pages/man2/setpriority.2.html) for
[`setpriority()`](https://man7.org/linux/man-pages/man2/setpriority.2.html) for
more information.

`resourceLimits` → An object, where each key refers to a Linux resource limit
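Review bot: stray "with," at the end of the context line "initialize the login process' nice level to this value with," leaves a dangling preposition; dropping "with" gives "...to this value, which is then inherited...". Not part of the URL change, but it is inside the hunk.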
@ -329,7 +329,7 @@ two keys `cur` and `max` for the soft and hard resource limit. When logging in
[`pam_systemd`](https://www.freedesktop.org/software/systemd/man/pam_systemd.html)
will automatically initialize the login process' resource limits to these
values, which is then inherited by all the user's processes, see
[`setrlimit()`](http://man7.org/linux/man-pages/man2/setrlimit.2.html) for more
[`setrlimit()`](https://man7.org/linux/man-pages/man2/setrlimit.2.html) for more
information.

`locked` → A boolean value. If true, the user account is locked, the user may
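Review bot: "to these values, which is then inherited" should be "which are then inherited" (plural "values") on the context line; the `nice` paragraph in the hunk above uses the same construction, so both could be tidied in one pass.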
@ -625,7 +625,7 @@ user to choose.

`hashedPassword` → An array of strings, each containing a hashed UNIX password
string, in the format
[`crypt(3)`](http://man7.org/linux/man-pages/man3/crypt.3.html) generates. This
[`crypt(3)`](https://man7.org/linux/man-pages/man3/crypt.3.html) generates. This
corresponds with `sp_pwdp` field of `struct spwd` (and in a way the `pw_passwd`
field of `struct passwd`).

@ -30,7 +30,7 @@
<xsl:template match="citerefentry[@project='man-pages'] | citerefentry[manvolnum='2'] | citerefentry[manvolnum='4']">
<a>
<xsl:attribute name="href">
<xsl:text>http://man7.org/linux/man-pages/man</xsl:text>
<xsl:text>https://man7.org/linux/man-pages/man</xsl:text>
<xsl:value-of select="manvolnum"/>
<xsl:text>/</xsl:text>
<xsl:value-of select="refentrytitle"/>
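Review bot: this single `<xsl:text>` change is the highest-leverage line of the patch: every `citerefentry` matched by the template (`@project='man-pages'`, or manual sections 2 and 4) gets its href built from this prefix, so all generated man-page cross-references in the HTML docs switch to https at once. Before merging, regenerate the HTML and spot-check one section-2 and one section-4 link to confirm the output. Note also that the match expression routes every section-2 and section-4 reference to man7.org regardless of `@project`; that is pre-existing behaviour, not something this patch changes.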
@ -1261,7 +1261,7 @@
The <varname>Key=</varname> is either a number or an IPv4 address-like dotted quad.
It is used as mark-configured SAD/SPD entry as part of the lookup key (both in data
and control path) in IP XFRM (framework used to implement IPsec protocol).
See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
See <ulink url="https://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6,
GRE, GRETAP, and ERSPAN tunnels.</para>
</listitem>
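Review bot: the context line "It is used as mark-configured SAD/SPD entry" is missing an article and reads awkwardly; something like "as the mark of the configured SAD/SPD entry" would be clearer, assuming that is the intended meaning. The `<ulink>` change itself is fine and keeps the link text "ip-xfrm — transform configuration" intact.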