Compare commits

...

8 Commits

Author SHA1 Message Date
splantefeve 552cafaa86 po: update French translation 2020-01-29 12:13:15 +01:00
Lennart Poettering 723822f00a NEWS: start preparing v245 2020-01-29 11:44:32 +01:00
Yu Watanabe 2462111da9
Merge pull request #14689 from poettering/portable-chase-symlink-fix
various chase_symlink() fixes
2020-01-29 18:51:42 +09:00
Lennart Poettering bcb1eadc0c test: fix rename_noreplace() test
This corrects the fix b81b9d406d, making the test operate like it was
originally.
2020-01-28 22:53:59 +01:00
Lennart Poettering 3c7b4ebf94 test: make sure chase_symlink() returns normalized paths 2020-01-28 22:53:59 +01:00
Lennart Poettering 47d7ab727c fs-util: make sure we output normalized paths in chase_symlinks()
Let's eat up multiple slashes.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1787089
Replaces: #14687
2020-01-28 22:53:59 +01:00
Lennart Poettering 6efb1257d1 test: add test for the non-resolving of chase_symlink() root prefix 2020-01-28 22:53:59 +01:00
Lennart Poettering c2595d3b02 fs-util: when calling chase_symlinks() with root path, leave root part unresolved
Previously there was a weird asymmetry: initially we'd resolve the
specified prefix path when chasing symlinks together with the actual
path we were supposed to cover, except when we hit an absolute symlink
where we'd use the root as it was. Let's unify handling here: the prefix
path is never resolved, and always left as it is.

This in particular fixes issues with symlinks in the prefix path, as
that confused the check that made sure we never left the root directory.

Fixes: #14634
Replaces: #14635
2020-01-28 22:53:59 +01:00
4 changed files with 381 additions and 24 deletions

141
NEWS
View File

@ -1,5 +1,146 @@
systemd System and Service Manager
CHANGES WITH 245 in spe:
* When systemd-tmpfiles copies a file tree using the 'C' line type it
will now implicitly label every copied file matching the SELinux
database.
* When systemd/PID 1 detects it is used in the initrd it will now boot
into initrd.target rather than default.target by default. This should
make it simpler to build initrds with systemd as for many cases the
only difference between a host OS image and an initrd image now is
the /etc/initrd-release file that identifies the initrd as one.
* A new kernel command line option systemd.cpu_affinity= is now
understood. It's equivalent to the CPUAffinity= option in
/etc/systemd/system.conf and allows setting the CPU mask for PID 1
itself and the default for all forked off processes.
* When systemd/PID 1 is reloaded (with systemctl daemon-reload or an
equivalent tool) the SELinux database is now reloaded, ensuring that
sockets and other file system objects are generated taking the new
database into account.
* The sd-event.h API now has native support for the new Linux "pidfd"
concept. This permits watching processes using file descriptors
instead of PID numbers, which fixes a number of races and makes
process supervision more robust and more efficient. All of systemd's
components will now use pidfds if the kernel supports it for process
watching, with the exception of PID 1 itself, unfortunately. We hope
to move PID 1 to exclusively using pidfds too eventually, but this
requires some more kernel work first. (Background: PID 1 watches
processes using waitid() with the P_ALL flag, and that does not play
together nicely with pidfds yet.)
* Closely related to this, the sd-event.h API gained two new calls
sd_event_source_send_child_signal() (for sending a signal to a
watched process) and sd_event_source_get_child_process_own() (for
marking a process so that it is killed implicitly whenever the event
source watching it is freed).
* systemd-networkd gained support for configuring Token Buffer Filter
(TBF) parameters in its qdisc configuration support. Similar, support
for Stochastic Fairness Queuing (SFQ), Controlled-Delay Active
Queue Management (CoDel), Fair Queue (FQ) has been added.
* systemd-networkd gained support for Intermediate Functional Block
(IFB) network devices.
* systemd-networkd gained support for configuring multi-path IP routes,
using the new MultiPathRoute= setting in the [Route] section.
* systemd-networkd's DHCPv4 support has been updated to support a new
SendDecline= option. If enabled duplicate address detection is done
after a DHCP offer is received from a server. If a conflict is
detected the address is declined. The DHCPv4 support also gained
support for a new RouteMTUBytes= setting that allows to configure the
MTU size to be used for routes generated from DHCPv4 leases.
* The PrefixRoute= setting in systemd-networkd's [Address] section of
.network files has been deprecated, and replaced by AddPrefixRoute=,
with it's sense inverted.
* The Gateway= setting of [Route] sections of .network files gained
support for a special new value "dhcp". If set the configured static
route uses the gateway host configured via DHCP.
* sd-bus gained a new API call sd_bus_message_sensitive() for marking a
D-Bus message object as "sensitive". Objects that are marked that way
are erased from memory when they are freed. This concept is intended
to be used for messages that contain security sensitive data that
should be erased after use. A new flag SD_BUS_VTABLE_SENSITIVE has
been introduced as well that allows marking method calls in sd-bus
vtables like this, so that this new message flag is implicitly set
for incoming and outgoing messages of specific methods.
* systemd-resolved's DNS-over-TLS support gained SNI validation.
* systemd-growfs (i.e. the x-systemd.growfs mount option in /etc/fstab)
gained support for growing XFS partitions. Previously it supported
only ext4 and btrfs partitions.
* The support for /etc/crypttab gained a new x-initrd.attach option. If
set the specified encrypted volume is unlocked in the initrd
already. This concept corresponds to the x-initrd.mount option in
/etc/fstab.
* systemd-cryptsetup gained native support for unlocking encrypted
volumes utilizing PKCS#11 smartcards, i.e. for example to bind
encryption of volumes to YubiKeys.This is exposed in the new
pkcs11-uri= option in /etc/crypttab.
* The https://systemd.io/ web site has been relaunched, directly
populated with most of the documentation included in the systemd
repository. In particular, systemd acquired a new logo, thanks to
Tobias Bernard.
* systemd-udevd gained support for managing "alternative" network
interface names, as supported by new Linux kernels. For the first
time this permits assigning multiple (and longer!) names to a network
interface. systemd-udevd will now by default assign the names
generated via all supported naming schemes to each interface in
parallel. This may be further tweaked with .link drop-in files, and
the AlternativeName= and AlternativeNamesPolicy= settings. All other
components of systemd have been updated to support the new
alternative names too, wherever that is appropriate. For example,
systemd-nspawn will now generate alternative interface names for the
host-facing side of container veth links based on the full container
name without truncation.
* systemd-nspawn interface naming logic has been updated in another way
too: if the main interface name (i.e. as opposed to new-style
"alternative" names) is the truncated result of container name a
simple hashing scheme is used that ensures that multiple containers
whose name all begin the same are likely resulting in different
interface names. Since this changes the primary interface names
pointing to containers if truncation happens the old scheme may still
be requested by selecting a different naming scheme than the v245
one, via the net.naming-scheme= kernel command line option.
* PrivateUsers= now works in services run by the systemd --user
per-user instance of the service manager.
* The Discoverable Partitions Specification has been updated to support
/var and /var/tmp partition discovery. Support for this has been
added to systemd-gpt-auto-generator. For details see:
https://systemd.io/DISCOVERABLE_PARTITIONS
* "systemctl list-unit-files" has been updated to show a new column
with the suggested enablement state based on the vendor preset files
for the respective units.
* networkctl gained support for showing per-interface logs in its
"status" output.
* The [Match] section of .link and .network files now supports a new
option PermanentMACAddress= which may be used to check against the
permanent MAC address of a network device even if a randomized MAC
address is used.
CHANGES WITH 244:
* Support for the cpuset cgroups v2 controller has been added.

203
po/fr.po
View File

@ -7,7 +7,7 @@ msgid ""
msgstr ""
"Project-Id-Version: systemd\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2019-03-07 22:43+0100\n"
"POT-Creation-Date: 2020-01-28 22:40+0100\n"
"PO-Revision-Date: 2019-03-07 23:09+0100\n"
"Last-Translator: Sylvain Plantefève <sylvain.plantefeve@gmail.com>\n"
"Language-Team: French\n"
@ -489,11 +489,20 @@ msgstr ""
"actives."
#: src/login/org.freedesktop.login1.policy:341
msgid "Indicate to the firmware to boot to setup interface"
msgstr ""
"Indiquer au micrologiciel de démarrer sur l'interface de configuration"
msgid "Set the reboot \"reason\" in the kernel"
msgstr "Définir la « raison » du redémarrage dans le noyau"
#: src/login/org.freedesktop.login1.policy:342
msgid "Authentication is required to set the reboot \"reason\" in the kernel."
msgstr ""
"Authentification requise pour définir la « raison » du redémarrage dans "
"le noyau."
#: src/login/org.freedesktop.login1.policy:352
msgid "Indicate to the firmware to boot to setup interface"
msgstr "Indiquer au micrologiciel de démarrer sur l'interface de configuration"
#: src/login/org.freedesktop.login1.policy:353
msgid ""
"Authentication is required to indicate to the firmware to boot to setup "
"interface."
@ -501,23 +510,23 @@ msgstr ""
"Authentification requise pour indiquer au micrologiciel de démarrer sur "
"l'interface de configuration."
#: src/login/org.freedesktop.login1.policy:352
#: src/login/org.freedesktop.login1.policy:363
msgid "Indicate to the boot loader to boot to the boot loader menu"
msgstr "Indiquer au programme d'amorçage d'afficher le menu au démarrage"
#: src/login/org.freedesktop.login1.policy:353
#: src/login/org.freedesktop.login1.policy:364
msgid ""
"Authentication is required to indicate to the boot loader to boot to the "
"boot loader menu."
msgstr ""
"Authentification requise pour indiquer au programme d'amorçage d'afficher "
"le menu au démarrage."
"Authentification requise pour indiquer au programme d'amorçage d'afficher le "
"menu au démarrage."
#: src/login/org.freedesktop.login1.policy:363
#: src/login/org.freedesktop.login1.policy:374
msgid "Indicate to the boot loader to boot a specific entry"
msgstr "Indiquer au programme d'amorçage de démarrer une entrée spécifique"
#: src/login/org.freedesktop.login1.policy:364
#: src/login/org.freedesktop.login1.policy:375
msgid ""
"Authentication is required to indicate to the boot loader to boot into a "
"specific boot loader entry."
@ -525,14 +534,22 @@ msgstr ""
"Authentification requise pour indiquer au programme d'amorçage de démarrer "
"une entrée spécifique."
#: src/login/org.freedesktop.login1.policy:374
#: src/login/org.freedesktop.login1.policy:385
msgid "Set a wall message"
msgstr "Définir un message wall"
#: src/login/org.freedesktop.login1.policy:375
#: src/login/org.freedesktop.login1.policy:386
msgid "Authentication is required to set a wall message"
msgstr "Authentification requise pour définir un message wall."
#: src/login/org.freedesktop.login1.policy:395
msgid "Change Session"
msgstr "Changer de Session"
#: src/login/org.freedesktop.login1.policy:396
msgid "Authentication is required for changing the virtual terminal."
msgstr "Authentification requise pour changer de terminal virtuel."
#: src/machine/org.freedesktop.machine1.policy:22
msgid "Log into a local container"
msgstr "Connexion dans un conteneur local"
@ -612,6 +629,136 @@ msgstr ""
"Authentification requise pour gérer les images locales de machines "
"virtuelles (VM) et de conteneurs."
#: src/network/org.freedesktop.network1.policy:22
msgid "Set NTP servers"
msgstr "Définir les serveurs NTP"
#: src/network/org.freedesktop.network1.policy:23
msgid "Authentication is required to set NTP servers."
msgstr "Authentification requise pour définir les serveurs NTP."
#: src/network/org.freedesktop.network1.policy:33
#: src/resolve/org.freedesktop.resolve1.policy:44
msgid "Set DNS servers"
msgstr "Définir les serveurs DNS"
#: src/network/org.freedesktop.network1.policy:34
#: src/resolve/org.freedesktop.resolve1.policy:45
msgid "Authentication is required to set DNS servers."
msgstr "Authentification requise pour définir les serveurs DNS."
#: src/network/org.freedesktop.network1.policy:44
#: src/resolve/org.freedesktop.resolve1.policy:55
msgid "Set domains"
msgstr "Définir les domaines"
#: src/network/org.freedesktop.network1.policy:45
#: src/resolve/org.freedesktop.resolve1.policy:56
msgid "Authentication is required to set domains."
msgstr "Authentification requise pour définir les domaines."
#: src/network/org.freedesktop.network1.policy:55
#: src/resolve/org.freedesktop.resolve1.policy:66
msgid "Set default route"
msgstr "Définir la route par défaut"
#: src/network/org.freedesktop.network1.policy:56
#: src/resolve/org.freedesktop.resolve1.policy:67
msgid "Authentication is required to set default route."
msgstr "Authentification requise pour définir la route par défaut."
#: src/network/org.freedesktop.network1.policy:66
#: src/resolve/org.freedesktop.resolve1.policy:77
msgid "Enable/disable LLMNR"
msgstr "Activer/désactiver LLMNR"
#: src/network/org.freedesktop.network1.policy:67
#: src/resolve/org.freedesktop.resolve1.policy:78
msgid "Authentication is required to enable or disable LLMNR."
msgstr "Authentification requise pour activer ou désactiver LLMNR."
#: src/network/org.freedesktop.network1.policy:77
#: src/resolve/org.freedesktop.resolve1.policy:88
msgid "Enable/disable multicast DNS"
msgstr "Activer/désactiver la multidiffusion DNS"
#: src/network/org.freedesktop.network1.policy:78
#: src/resolve/org.freedesktop.resolve1.policy:89
msgid "Authentication is required to enable or disable multicast DNS."
msgstr ""
"Authentification requise pour activer ou désactiver la multidiffusion DNS."
#: src/network/org.freedesktop.network1.policy:88
#: src/resolve/org.freedesktop.resolve1.policy:99
msgid "Enable/disable DNS over TLS"
msgstr "Activer/désactiver DNS sur TLS"
#: src/network/org.freedesktop.network1.policy:89
#: src/resolve/org.freedesktop.resolve1.policy:100
msgid "Authentication is required to enable or disable DNS over TLS."
msgstr "Authentification requise pour activer ou désactiver DNS sur TLS."
#: src/network/org.freedesktop.network1.policy:99
#: src/resolve/org.freedesktop.resolve1.policy:110
msgid "Enable/disable DNSSEC"
msgstr "Activer/désactiver DNSSEC"
#: src/network/org.freedesktop.network1.policy:100
#: src/resolve/org.freedesktop.resolve1.policy:111
msgid "Authentication is required to enable or disable DNSSEC."
msgstr "Authentification requise pour activer ou désactiver DNSSEC"
#: src/network/org.freedesktop.network1.policy:110
#: src/resolve/org.freedesktop.resolve1.policy:121
msgid "Set DNSSEC Negative Trust Anchors"
msgstr "Définir les Negative Trust Anchors DNSSEC"
#: src/network/org.freedesktop.network1.policy:111
#: src/resolve/org.freedesktop.resolve1.policy:122
msgid "Authentication is required to set DNSSEC Negative Trust Anchors."
msgstr ""
"Authentification requise pour définir les Negative Trust Anchors DNSSEC."
#: src/network/org.freedesktop.network1.policy:121
msgid "Revert NTP settings"
msgstr "Réinitialiser les paramètres NTP"
#: src/network/org.freedesktop.network1.policy:122
msgid "Authentication is required to reset NTP settings."
msgstr "Authentification requise pour réinitialiser les paramètres NTP."
#: src/network/org.freedesktop.network1.policy:132
msgid "Revert DNS settings"
msgstr "Réinitialiser les paramètres DNS"
#: src/network/org.freedesktop.network1.policy:133
msgid "Authentication is required to reset DNS settings."
msgstr "Authentification requise pour réinitialiser les paramètres DNS."
#: src/network/org.freedesktop.network1.policy:143
msgid "Renew dynamic addresses"
msgstr "Renouveler les adresses dynamiques"
#: src/network/org.freedesktop.network1.policy:144
msgid "Authentication is required to renew dynamic addresses."
msgstr "Authentification requise pour renouveler les adresses dynamiques."
#: src/network/org.freedesktop.network1.policy:154
msgid "Reload network settings"
msgstr "Recharger les paramètres réseau"
#: src/network/org.freedesktop.network1.policy:155
msgid "Authentication is required to reload network settings."
msgstr "Authentification requise pour recharger les paramètres réseau."
#: src/network/org.freedesktop.network1.policy:165
msgid "Reconfigure network interface"
msgstr "Reconfigurer une interface réseau"
#: src/network/org.freedesktop.network1.policy:166
msgid "Authentication is required to reconfigure network interface."
msgstr "Authentification requise pour reconfigurer une interface réseau."
#: src/portable/org.freedesktop.portable1.policy:13
msgid "Inspect a portable service image"
msgstr "Inspecter une image de service portable"
@ -658,6 +805,16 @@ msgstr "Retirer un service DNS-SD"
msgid "Authentication is required to unregister a DNS-SD service"
msgstr "Authentification requise pour retirer un service DNS-SD"
#: src/resolve/org.freedesktop.resolve1.policy:132
msgid "Revert name resolution settings"
msgstr "Réinitialiser les paramètres de résolution de noms"
#: src/resolve/org.freedesktop.resolve1.policy:133
msgid "Authentication is required to reset name resolution settings."
msgstr ""
"Authentification requise pour réinitialiser les paramètres de résolution "
"de noms."
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"
msgstr "Définir l'heure du système"
@ -700,23 +857,23 @@ msgstr ""
"Authentification requise pour activer ou désactiver la synchronisation de "
"l'heure avec le réseau."
#: src/core/dbus-unit.c:326
#: src/core/dbus-unit.c:355
msgid "Authentication is required to start '$(unit)'."
msgstr "Authentification requise pour démarrer « $(unit) »."
#: src/core/dbus-unit.c:327
#: src/core/dbus-unit.c:356
msgid "Authentication is required to stop '$(unit)'."
msgstr "Authentification requise pour arrêter « $(unit) »."
#: src/core/dbus-unit.c:328
#: src/core/dbus-unit.c:357
msgid "Authentication is required to reload '$(unit)'."
msgstr "Authentification requise pour recharger « $(unit) »."
#: src/core/dbus-unit.c:329 src/core/dbus-unit.c:330
#: src/core/dbus-unit.c:358 src/core/dbus-unit.c:359
msgid "Authentication is required to restart '$(unit)'."
msgstr "Authentification requise pour redémarrer « $(unit) »."
#: src/core/dbus-unit.c:437
#: src/core/dbus-unit.c:531
msgid ""
"Authentication is required to send a UNIX signal to the processes of "
"'$(unit)'."
@ -724,16 +881,24 @@ msgstr ""
"Authentification requise pour envoyer un signal UNIX aux processus de "
"« $(unit) »."
#: src/core/dbus-unit.c:468
#: src/core/dbus-unit.c:562
msgid "Authentication is required to reset the \"failed\" state of '$(unit)'."
msgstr ""
"Authentification requise pour réinitialiser l'état d'« échec » de "
"« $(unit) »."
#: src/core/dbus-unit.c:501
#: src/core/dbus-unit.c:595
msgid "Authentication is required to set properties on '$(unit)'."
msgstr "Authentification requise pour définir des propriétés de « $(unit) »."
#: src/core/dbus-unit.c:704
msgid ""
"Authentication is required to delete files and directories associated with "
"'$(unit)'."
msgstr ""
"Authentification requise pour supprimer les fichiers et les dossiers "
"associés à '$(unit)'."
#~ msgid "Authentication is required to kill '$(unit)'."
#~ msgstr "Authentification requise pour tuer « $(unit) »."

View File

@ -797,6 +797,14 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
if (r < 0)
return r;
/* Simplify the root directory, so that it has no duplicate slashes and nothing at the
* end. While we won't resolve the root path we still simplify it. Note that dropping the
* trailing slash should not change behaviour, since when opening it we specify O_DIRECTORY
* anyway. Moreover at the end of this function after processing everything we'll always turn
* the empty string back to "/". */
delete_trailing_chars(root, "/");
path_simplify(root, true);
if (flags & CHASE_PREFIX_ROOT) {
/* We don't support relative paths in combination with a root directory */
if (!path_is_absolute(path))
@ -810,7 +818,7 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
if (r < 0)
return r;
fd = open("/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
fd = open(root ?: "/", O_CLOEXEC|O_DIRECTORY|O_PATH);
if (fd < 0)
return -errno;
@ -819,6 +827,31 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
return -errno;
}
if (root) {
_cleanup_free_ char *absolute = NULL;
const char *e;
/* If we are operating on a root directory, let's take the root directory as it is. */
e = path_startswith(buffer, root);
if (!e)
return log_full_errno(flags & CHASE_WARN ? LOG_WARNING : LOG_DEBUG,
SYNTHETIC_ERRNO(ECHRNG),
"Specified path '%s' is outside of specified root directory '%s', refusing to resolve.",
path, root);
done = strdup(root);
if (!done)
return -ENOMEM;
/* Make sure "todo" starts with a slash */
absolute = strjoin("/", e);
if (!absolute)
return -ENOMEM;
free_and_replace(buffer, absolute);
}
todo = buffer;
for (;;) {
_cleanup_free_ char *first = NULL;
@ -828,6 +861,15 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
/* Determine length of first component in the path */
n = strspn(todo, "/"); /* The slashes */
if (n > 1) {
/* If we are looking at more than a single slash then skip all but one, so that when
* we are done with everything we have a normalized path with only single slashes
* separating the path components. */
todo += n - 1;
n = 1;
}
m = n + strcspn(todo + n, "/"); /* The entire length of the component */
/* Extract the first component. */
@ -930,7 +972,6 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
if (fstat(child, &st) < 0)
return -errno;
if ((flags & CHASE_SAFE) &&
(empty_or_root(root) || (size_t)(todo - buffer) > strlen(root)) &&
unsafe_transition(&previous_stat, &st))
return log_unsafe_transition(fd, child, path, flags);
@ -961,7 +1002,7 @@ int chase_symlinks(const char *path, const char *original_root, unsigned flags,
* directory as base. */
safe_close(fd);
fd = open(root ?: "/", O_CLOEXEC|O_NOFOLLOW|O_PATH);
fd = open(root ?: "/", O_CLOEXEC|O_DIRECTORY|O_PATH);
if (fd < 0)
return -errno;

View File

@ -148,6 +148,7 @@ static void test_chase_symlinks(void) {
r = chase_symlinks(p, NULL, 0, &result, NULL);
assert_se(r > 0);
assert_se(path_equal(result, "/usr"));
assert_se(streq(result, "/usr")); /* we guarantee that we drop redundant slashes */
result = mfree(result);
r = chase_symlinks(p, temp, 0, &result, NULL);
@ -371,6 +372,15 @@ static void test_chase_symlinks(void) {
assert_se(streq("/usr", result));
result = mfree(result);
/* Make sure that symlinks in the "root" path are not resolved, but those below are */
p = strjoina("/etc/..", temp, "/self");
assert_se(symlink(".", p) >= 0);
q = strjoina(p, "/top/dot/dotdota");
r = chase_symlinks(q, p, 0, &result, NULL);
assert_se(r > 0);
assert_se(path_equal(path_startswith(result, p), "usr"));
result = mfree(result);
cleanup:
assert_se(rm_rf(temp, REMOVE_ROOT|REMOVE_PHYSICAL) >= 0);
}
@ -729,7 +739,7 @@ static void test_rename_noreplace(void) {
STRV_FOREACH(b, (char**) table) {
_cleanup_free_ char *w = NULL;
w = strjoin(w, *b);
w = strjoin(z, *b);
assert_se(w);
if (access(w, F_OK) < 0) {
@ -737,7 +747,7 @@ static void test_rename_noreplace(void) {
continue;
}
assert_se(rename_noreplace(AT_FDCWD, w, AT_FDCWD, y) == -EEXIST);
assert_se(rename_noreplace(AT_FDCWD, x, AT_FDCWD, w) == -EEXIST);
}
y = strjoin(z, "/somethingelse");