Compare commits

..

3 Commits

Author SHA1 Message Date
Yu Watanabe 23b25034bd test-network: add test case for [IPv6RoutePrefix] Preference= 2024-11-19 04:48:41 +09:00
Yu Watanabe 01dd73edb2 network/radv: add [IPv6RoutePrefix] Preference= setting 2024-11-19 04:48:41 +09:00
Yu Watanabe 8b1c925f5b network/radv: modernize config_parse_router_preference() 2024-11-19 04:48:41 +09:00
22 changed files with 116 additions and 167 deletions

14
TODO
View File

@ -129,20 +129,6 @@ Deprecations and removals:
Features: Features:
* Teach systemd-ssh-generator to generated an /run/issue.d/ drop-in telling
users how to connect to the system via the AF_VSOCK, as per:
https://github.com/systemd/systemd/issues/35071#issuecomment-2462803142
* maybe introduce an OSC sequence that signals when we ask for a password, so
that terminal emulators can maybe connect a password manager or so, and
highlight things specially.
* Port pidref_namespace_open() to use PIDFD_GET_MNT_NAMESPACE and related
ioctls to get nsfds directly from pidfds.
* start using STATX_SUBVOL in btrfs_is_subvol(). Also, make use of it
generically, so that image discovery recognizes bcachefs subvols too.
* format-table: introduce new cell type for strings with ansi sequences in * format-table: introduce new cell type for strings with ansi sequences in
them. display them in regular output mode (via strip_tab_ansi()), but them. display them in regular output mode (via strip_tab_ansi()), but
suppress them in json mode. suppress them in json mode.

View File

@ -376,12 +376,11 @@ sensor:modalias:acpi:KIOX000A*:dmi:*:svncube:pni1-TF:*
sensor:modalias:acpi:SMO8500*:dmi:*:svncube:pni7:* sensor:modalias:acpi:SMO8500*:dmi:*:svncube:pni7:*
ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1 ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1
# Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B/i18D) # Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B)
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni7Stylus:* sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni7Stylus:*
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni8-L:* sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni8-L:*
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni16:* sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni16:*
sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni18B:* sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni18B:*
sensor:modalias:acpi:KIOX000A*:dmi:*:svnALLDOCUBE:pni18D:*
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1 ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
# Cube iWork 10 Flagship # Cube iWork 10 Flagship

View File

@ -421,7 +421,7 @@
<term><varname>rd.systemd.verity=</varname></term> <term><varname>rd.systemd.verity=</varname></term>
<term><varname>systemd.verity_root_data=</varname></term> <term><varname>systemd.verity_root_data=</varname></term>
<term><varname>systemd.verity_root_hash=</varname></term> <term><varname>systemd.verity_root_hash=</varname></term>
<term><varname>systemd.verity_root_options=</varname></term> <term><varname>systemd.verity.root_options=</varname></term>
<term><varname>usrhash=</varname></term> <term><varname>usrhash=</varname></term>
<term><varname>systemd.verity_usr_data=</varname></term> <term><varname>systemd.verity_usr_data=</varname></term>
<term><varname>systemd.verity_usr_hash=</varname></term> <term><varname>systemd.verity_usr_hash=</varname></term>

View File

@ -1,7 +0,0 @@
#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
if [[ "$1" == "clangd" ]]; then
exec "$@"
fi

View File

@ -2,6 +2,10 @@
# SPDX-License-Identifier: LGPL-2.1-or-later # SPDX-License-Identifier: LGPL-2.1-or-later
set -e set -e
if [[ "$1" == "clangd" ]]; then
exec "$@"
fi
if [[ ! -f "pkg/$PKG_SUBDIR/PKGBUILD" ]]; then if [[ ! -f "pkg/$PKG_SUBDIR/PKGBUILD" ]]; then
echo "PKGBUILD not found at pkg/$PKG_SUBDIR/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2 echo "PKGBUILD not found at pkg/$PKG_SUBDIR/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2
exit 1 exit 1

View File

@ -6,7 +6,7 @@ msgstr ""
"Project-Id-Version: systemd\n" "Project-Id-Version: systemd\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n" "POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-11-19 07:38+0000\n" "PO-Revision-Date: 2024-11-17 15:48+0000\n"
"Last-Translator: Yaron Shahrabani <sh.yaron@gmail.com>\n" "Last-Translator: Yaron Shahrabani <sh.yaron@gmail.com>\n"
"Language-Team: Hebrew <https://translate.fedoraproject.org/projects/systemd/" "Language-Team: Hebrew <https://translate.fedoraproject.org/projects/systemd/"
"main/he/>\n" "main/he/>\n"
@ -375,9 +375,10 @@ msgid "Cancel transfer of a disk image"
msgstr "ביטול העברה של דמות כונן" msgstr "ביטול העברה של דמות כונן"
#: src/import/org.freedesktop.import1.policy:53 #: src/import/org.freedesktop.import1.policy:53
#, fuzzy
msgid "" msgid ""
"Authentication is required to cancel the ongoing transfer of a disk image." "Authentication is required to cancel the ongoing transfer of a disk image."
msgstr "נדרש אימות כדי לבטל העברה של דמות כונן שמתבצעת בזמן אמת." msgstr "נדרש אימות כדי להחליף סיסמה של אזור בית למשתמש."
#: src/locale/org.freedesktop.locale1.policy:22 #: src/locale/org.freedesktop.locale1.policy:22
msgid "Set system locale" msgid "Set system locale"
@ -719,8 +720,9 @@ msgid "Set a wall message"
msgstr "הגדרת הודעת קיר" msgstr "הגדרת הודעת קיר"
#: src/login/org.freedesktop.login1.policy:397 #: src/login/org.freedesktop.login1.policy:397
#, fuzzy
msgid "Authentication is required to set a wall message." msgid "Authentication is required to set a wall message."
msgstr "נדרש אימות כדי להגדיר הודעת קיר." msgstr "נדרש אימות כדי להגדיר הודעת קיר"
#: src/login/org.freedesktop.login1.policy:406 #: src/login/org.freedesktop.login1.policy:406
msgid "Change Session" msgid "Change Session"
@ -790,14 +792,16 @@ msgstr ""
"נדרש אימות כדי לנהל מכונות וירטואליות (VM) ומכולות (container) מקומיות." "נדרש אימות כדי לנהל מכונות וירטואליות (VM) ומכולות (container) מקומיות."
#: src/machine/org.freedesktop.machine1.policy:95 #: src/machine/org.freedesktop.machine1.policy:95
#, fuzzy
msgid "Create a local virtual machine or container" msgid "Create a local virtual machine or container"
msgstr "יצירת מכונה וירטואלית או מכולה מקומיות" msgstr "ניהול מכונות וירטואליות ומכולות מקומיות"
#: src/machine/org.freedesktop.machine1.policy:96 #: src/machine/org.freedesktop.machine1.policy:96
#, fuzzy
msgid "" msgid ""
"Authentication is required to create a local virtual machine or container." "Authentication is required to create a local virtual machine or container."
msgstr "" msgstr ""
"נדרש אימות כדי ליצור מכונות וירטואליות (VM) או מכולות (container) מקומיות." "נדרש אימות כדי לנהל מכונות וירטואליות (VM) ומכולות (container) מקומיות."
#: src/machine/org.freedesktop.machine1.policy:106 #: src/machine/org.freedesktop.machine1.policy:106
msgid "Manage local virtual machine and container images" msgid "Manage local virtual machine and container images"
@ -949,13 +953,13 @@ msgstr "נדרש אימות כדי להגדיר כרטיס רשת מחדש."
#: src/network/org.freedesktop.network1.policy:187 #: src/network/org.freedesktop.network1.policy:187
msgid "Specify whether persistent storage for systemd-networkd is available" msgid "Specify whether persistent storage for systemd-networkd is available"
msgstr "נא לציין האם יש אחסון קבוע זמין ל־systemd-networkd" msgstr ""
#: src/network/org.freedesktop.network1.policy:188 #: src/network/org.freedesktop.network1.policy:188
msgid "" msgid ""
"Authentication is required to specify whether persistent storage for systemd-" "Authentication is required to specify whether persistent storage for systemd-"
"networkd is available." "networkd is available."
msgstr "נדרש אימות כדי לציין האם אחסון קבוע זמין ל־systemd-networkd." msgstr ""
#: src/portable/org.freedesktop.portable1.policy:13 #: src/portable/org.freedesktop.portable1.policy:13
msgid "Inspect a portable service image" msgid "Inspect a portable service image"
@ -988,16 +992,18 @@ msgid "Register a DNS-SD service"
msgstr "רישום שירות DNS-SD" msgstr "רישום שירות DNS-SD"
#: src/resolve/org.freedesktop.resolve1.policy:23 #: src/resolve/org.freedesktop.resolve1.policy:23
#, fuzzy
msgid "Authentication is required to register a DNS-SD service." msgid "Authentication is required to register a DNS-SD service."
msgstr "נדרש אימות כדי לרשום שירות DNS-SD." msgstr "נדרש אימות כדי לרשום שירות DNS-SD"
#: src/resolve/org.freedesktop.resolve1.policy:33 #: src/resolve/org.freedesktop.resolve1.policy:33
msgid "Unregister a DNS-SD service" msgid "Unregister a DNS-SD service"
msgstr "ביטול רישום שירות DNS-SD" msgstr "ביטול רישום שירות DNS-SD"
#: src/resolve/org.freedesktop.resolve1.policy:34 #: src/resolve/org.freedesktop.resolve1.policy:34
#, fuzzy
msgid "Authentication is required to unregister a DNS-SD service." msgid "Authentication is required to unregister a DNS-SD service."
msgstr "נדרש אימות כדי לבטל רישום של שירות DNS-SD." msgstr "נדרש אימות כדי לבטל רישום של שירות DNS-SD"
#: src/resolve/org.freedesktop.resolve1.policy:132 #: src/resolve/org.freedesktop.resolve1.policy:132
msgid "Revert name resolution settings" msgid "Revert name resolution settings"
@ -1009,85 +1015,95 @@ msgstr "נדרש אימות כדי לאפס את הגדרות פתרון השמ
#: src/resolve/org.freedesktop.resolve1.policy:143 #: src/resolve/org.freedesktop.resolve1.policy:143
msgid "Subscribe query results" msgid "Subscribe query results"
msgstr "רישום לתוצאות שאילתה" msgstr ""
#: src/resolve/org.freedesktop.resolve1.policy:144 #: src/resolve/org.freedesktop.resolve1.policy:144
#, fuzzy
msgid "Authentication is required to subscribe query results." msgid "Authentication is required to subscribe query results."
msgstr "נדרש אימות כדי להירשם לתוצאות שאילתה." msgstr "נדרש אימות כדי להשהות את המערכת."
#: src/resolve/org.freedesktop.resolve1.policy:154 #: src/resolve/org.freedesktop.resolve1.policy:154
msgid "Dump cache" msgid "Dump cache"
msgstr "היטל המטמון" msgstr ""
#: src/resolve/org.freedesktop.resolve1.policy:155 #: src/resolve/org.freedesktop.resolve1.policy:155
#, fuzzy
msgid "Authentication is required to dump cache." msgid "Authentication is required to dump cache."
msgstr "נדרש אימות כדי להטיל את המטמון." msgstr "נדרש אימות כדי להגדיר שמות תחום."
#: src/resolve/org.freedesktop.resolve1.policy:165 #: src/resolve/org.freedesktop.resolve1.policy:165
msgid "Dump server state" msgid "Dump server state"
msgstr "היטל מצב השרת" msgstr ""
#: src/resolve/org.freedesktop.resolve1.policy:166 #: src/resolve/org.freedesktop.resolve1.policy:166
#, fuzzy
msgid "Authentication is required to dump server state." msgid "Authentication is required to dump server state."
msgstr "נדרש אימות כדי להטיל את מצב השרת." msgstr "נדרש אימות כדי להגדיר שרתי NTP."
#: src/resolve/org.freedesktop.resolve1.policy:176 #: src/resolve/org.freedesktop.resolve1.policy:176
msgid "Dump statistics" msgid "Dump statistics"
msgstr "היטל סטטיסטיקה" msgstr ""
#: src/resolve/org.freedesktop.resolve1.policy:177 #: src/resolve/org.freedesktop.resolve1.policy:177
#, fuzzy
msgid "Authentication is required to dump statistics." msgid "Authentication is required to dump statistics."
msgstr "נדרש אימות כדי להטיל סטטיסטיקה." msgstr "נדרש אימות כדי להגדיר שמות תחום."
#: src/resolve/org.freedesktop.resolve1.policy:187 #: src/resolve/org.freedesktop.resolve1.policy:187
msgid "Reset statistics" msgid "Reset statistics"
msgstr "איפוס סטטיסטיקה" msgstr ""
#: src/resolve/org.freedesktop.resolve1.policy:188 #: src/resolve/org.freedesktop.resolve1.policy:188
#, fuzzy
msgid "Authentication is required to reset statistics." msgid "Authentication is required to reset statistics."
msgstr "נדרש אימות כדי לאפס סטטיסטיקה." msgstr "נדרש אימות כדי לאפס הגדרות NTP."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:35 #: src/sysupdate/org.freedesktop.sysupdate1.policy:35
msgid "Check for system updates" msgid "Check for system updates"
msgstr "חיפוש עדכוני מערכת" msgstr ""
#: src/sysupdate/org.freedesktop.sysupdate1.policy:36 #: src/sysupdate/org.freedesktop.sysupdate1.policy:36
#, fuzzy
msgid "Authentication is required to check for system updates." msgid "Authentication is required to check for system updates."
msgstr "נדרש אימות כדי לחפש עדכוני מערכת." msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:45 #: src/sysupdate/org.freedesktop.sysupdate1.policy:45
msgid "Install system updates" msgid "Install system updates"
msgstr "התקנת עדכוני מערכת" msgstr ""
#: src/sysupdate/org.freedesktop.sysupdate1.policy:46 #: src/sysupdate/org.freedesktop.sysupdate1.policy:46
#, fuzzy
msgid "Authentication is required to install system updates." msgid "Authentication is required to install system updates."
msgstr "נדרש אימות כדי להתקין עדכוני מערכת." msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:55 #: src/sysupdate/org.freedesktop.sysupdate1.policy:55
msgid "Install specific system version" msgid "Install specific system version"
msgstr "התקנת גרסת מערכת מסוימת" msgstr ""
#: src/sysupdate/org.freedesktop.sysupdate1.policy:56 #: src/sysupdate/org.freedesktop.sysupdate1.policy:56
#, fuzzy
msgid "" msgid ""
"Authentication is required to update the system to a specific (possibly old) " "Authentication is required to update the system to a specific (possibly old) "
"version." "version."
msgstr "נדרש אימות כדי לעדכן את המערכת לגרסה מסוימת (כנראה ישנה)." msgstr "נדרש אימות כדי להגדיר את אזור הזמן של המערכת."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:65 #: src/sysupdate/org.freedesktop.sysupdate1.policy:65
msgid "Cleanup old system updates" msgid "Cleanup old system updates"
msgstr "ניקוי עדכוני מערכת ישנים" msgstr ""
#: src/sysupdate/org.freedesktop.sysupdate1.policy:66 #: src/sysupdate/org.freedesktop.sysupdate1.policy:66
#, fuzzy
msgid "Authentication is required to cleanup old system updates." msgid "Authentication is required to cleanup old system updates."
msgstr "נדרש אימות כדי לנקות עדכוני מערכת ישנים." msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
msgid "Manage optional features" msgid "Manage optional features"
msgstr "ניהול יכולות רשות" msgstr ""
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features" msgid "Authentication is required to manage optional features"
msgstr "נדרש אימות כדי לנהל יכולות רשות" msgstr "נדרש אימות כדי לנהל הפעלות, משתמשים ומושבים פעילים."
#: src/timedate/org.freedesktop.timedate1.policy:22 #: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time" msgid "Set system time"

View File

@ -220,9 +220,9 @@ static int synthesize_user_creds(
if (ret_gid) if (ret_gid)
*ret_gid = GID_NOBODY; *ret_gid = GID_NOBODY;
if (ret_home) if (ret_home)
*ret_home = FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) ? NULL : "/"; *ret_home = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/";
if (ret_shell) if (ret_shell)
*ret_shell = FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) ? NULL : NOLOGIN; *ret_shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : NOLOGIN;
return 0; return 0;
} }
@ -244,7 +244,6 @@ int get_user_creds(
assert(username); assert(username);
assert(*username); assert(*username);
assert((ret_home || ret_shell) || !(flags & (USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_CLEAN)));
if (!FLAGS_SET(flags, USER_CREDS_PREFER_NSS) || if (!FLAGS_SET(flags, USER_CREDS_PREFER_NSS) ||
(!ret_home && !ret_shell)) { (!ret_home && !ret_shell)) {
@ -316,14 +315,17 @@ int get_user_creds(
if (ret_home) if (ret_home)
/* Note: we don't insist on normalized paths, since there are setups that have /./ in the path */ /* Note: we don't insist on normalized paths, since there are setups that have /./ in the path */
*ret_home = (FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) && empty_or_root(p->pw_dir)) || *ret_home = (FLAGS_SET(flags, USER_CREDS_CLEAN) &&
(FLAGS_SET(flags, USER_CREDS_CLEAN) && (!path_is_valid(p->pw_dir) || !path_is_absolute(p->pw_dir))) (empty_or_root(p->pw_dir) ||
? NULL : p->pw_dir; !path_is_valid(p->pw_dir) ||
!path_is_absolute(p->pw_dir))) ? NULL : p->pw_dir;
if (ret_shell) if (ret_shell)
*ret_shell = (FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) && shell_is_placeholder(p->pw_shell)) || *ret_shell = (FLAGS_SET(flags, USER_CREDS_CLEAN) &&
(FLAGS_SET(flags, USER_CREDS_CLEAN) && (!path_is_valid(p->pw_shell) || !path_is_absolute(p->pw_shell))) (isempty(p->pw_shell) ||
? NULL : p->pw_shell; !path_is_valid(p->pw_shell) ||
!path_is_absolute(p->pw_shell) ||
is_nologin_shell(p->pw_shell))) ? NULL : p->pw_shell;
if (patch_username) if (patch_username)
*username = p->pw_name; *username = p->pw_name;

View File

@ -12,8 +12,6 @@
#include <sys/types.h> #include <sys/types.h>
#include <unistd.h> #include <unistd.h>
#include "string-util.h"
/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */ /* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
#define HOME_UID_MIN ((uid_t) 60001) #define HOME_UID_MIN ((uid_t) 60001)
#define HOME_UID_MAX ((uid_t) 60513) #define HOME_UID_MAX ((uid_t) 60513)
@ -38,20 +36,10 @@ static inline int parse_gid(const char *s, gid_t *ret_gid) {
char* getlogname_malloc(void); char* getlogname_malloc(void);
char* getusername_malloc(void); char* getusername_malloc(void);
const char* default_root_shell_at(int rfd);
const char* default_root_shell(const char *root);
bool is_nologin_shell(const char *shell);
static inline bool shell_is_placeholder(const char *shell) {
return isempty(shell) || is_nologin_shell(shell);
}
typedef enum UserCredsFlags { typedef enum UserCredsFlags {
USER_CREDS_PREFER_NSS = 1 << 0, /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */ USER_CREDS_PREFER_NSS = 1 << 0, /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
USER_CREDS_ALLOW_MISSING = 1 << 1, /* if a numeric UID string is resolved, be OK if there's no record for it */ USER_CREDS_ALLOW_MISSING = 1 << 1, /* if a numeric UID string is resolved, be OK if there's no record for it */
USER_CREDS_CLEAN = 1 << 2, /* try to clean up shell and home fields with invalid data */ USER_CREDS_CLEAN = 1 << 2, /* try to clean up shell and home fields with invalid data */
USER_CREDS_SUPPRESS_PLACEHOLDER = 1 << 3, /* suppress home and/or shell fields if value is placeholder (root/empty/nologin) */
} UserCredsFlags; } UserCredsFlags;
int get_user_creds(const char **username, uid_t *ret_uid, gid_t *ret_gid, const char **ret_home, const char **ret_shell, UserCredsFlags flags); int get_user_creds(const char **username, uid_t *ret_uid, gid_t *ret_gid, const char **ret_home, const char **ret_shell, UserCredsFlags flags);
@ -137,6 +125,10 @@ int fgetsgent_sane(FILE *stream, struct sgrp **sg);
int putsgent_sane(const struct sgrp *sg, FILE *stream); int putsgent_sane(const struct sgrp *sg, FILE *stream);
#endif #endif
bool is_nologin_shell(const char *shell);
const char* default_root_shell_at(int rfd);
const char* default_root_shell(const char *root);
int is_this_me(const char *username); int is_this_me(const char *username);
const char* get_home_root(void); const char* get_home_root(void);

View File

@ -855,6 +855,9 @@ static int get_fixed_user(
assert(user_or_uid); assert(user_or_uid);
assert(ret_username); assert(ret_username);
/* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
* (i.e. are "/" or "/bin/nologin"). */
r = get_user_creds(&user_or_uid, ret_uid, ret_gid, ret_home, ret_shell, USER_CREDS_CLEAN); r = get_user_creds(&user_or_uid, ret_uid, ret_gid, ret_home, ret_shell, USER_CREDS_CLEAN);
if (r < 0) if (r < 0)
return r; return r;
@ -1880,10 +1883,7 @@ static int build_environment(
} }
} }
/* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway if (home && set_user_login_env) {
* (i.e. are "/" or "/bin/nologin"). */
if (home && set_user_login_env && !empty_or_root(home)) {
x = strjoin("HOME=", home); x = strjoin("HOME=", home);
if (!x) if (!x)
return -ENOMEM; return -ENOMEM;
@ -1892,7 +1892,7 @@ static int build_environment(
our_env[n_env++] = x; our_env[n_env++] = x;
} }
if (shell && set_user_login_env && !shell_is_placeholder(shell)) { if (shell && set_user_login_env) {
x = strjoin("SHELL=", shell); x = strjoin("SHELL=", shell);
if (!x) if (!x)
return -ENOMEM; return -ENOMEM;
@ -3471,16 +3471,20 @@ static int apply_working_directory(
const ExecContext *context, const ExecContext *context,
const ExecParameters *params, const ExecParameters *params,
ExecRuntime *runtime, ExecRuntime *runtime,
const char *home) { const char *home,
int *exit_status) {
const char *wd; const char *wd;
int r; int r;
assert(context); assert(context);
assert(exit_status);
if (context->working_directory_home) { if (context->working_directory_home) {
if (!home) if (!home) {
*exit_status = EXIT_CHDIR;
return -ENXIO; return -ENXIO;
}
wd = home; wd = home;
} else } else
@ -3499,7 +3503,13 @@ static int apply_working_directory(
if (r >= 0) if (r >= 0)
r = RET_NERRNO(fchdir(dfd)); r = RET_NERRNO(fchdir(dfd));
} }
return context->working_directory_missing_ok ? 0 : r;
if (r < 0 && !context->working_directory_missing_ok) {
*exit_status = EXIT_CHDIR;
return r;
}
return 0;
} }
static int apply_root_directory( static int apply_root_directory(
@ -3775,7 +3785,7 @@ static int acquire_home(const ExecContext *c, const char **home, char **ret_buf)
if (!c->working_directory_home) if (!c->working_directory_home)
return 0; return 0;
if (c->dynamic_user || (c->user && is_this_me(c->user) <= 0)) if (c->dynamic_user)
return -EADDRNOTAVAIL; return -EADDRNOTAVAIL;
r = get_home_dir(ret_buf); r = get_home_dir(ret_buf);
@ -4533,7 +4543,7 @@ int exec_invoke(
r = acquire_home(context, &home, &home_buffer); r = acquire_home(context, &home, &home_buffer);
if (r < 0) { if (r < 0) {
*exit_status = EXIT_CHDIR; *exit_status = EXIT_CHDIR;
return log_exec_error_errno(context, params, r, "Failed to determine $HOME for the invoking user: %m"); return log_exec_error_errno(context, params, r, "Failed to determine $HOME for user: %m");
} }
/* If a socket is connected to STDIN/STDOUT/STDERR, we must drop O_NONBLOCK */ /* If a socket is connected to STDIN/STDOUT/STDERR, we must drop O_NONBLOCK */
@ -5372,11 +5382,9 @@ int exec_invoke(
* running this service might have the correct privilege to change to the working directory. Also, it * running this service might have the correct privilege to change to the working directory. Also, it
* is absolutely 💣 crucial 💣 we applied all mount namespacing rearrangements before this, so that * is absolutely 💣 crucial 💣 we applied all mount namespacing rearrangements before this, so that
* the cwd cannot be used to pin directories outside of the sandbox. */ * the cwd cannot be used to pin directories outside of the sandbox. */
r = apply_working_directory(context, params, runtime, home); r = apply_working_directory(context, params, runtime, home, exit_status);
if (r < 0) { if (r < 0)
*exit_status = EXIT_CHDIR;
return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m"); return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m");
}
if (needs_sandboxing) { if (needs_sandboxing) {
/* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to

View File

@ -427,9 +427,6 @@ int wipe_slots(struct crypt_device *cd,
for (size_t i = n_ordered_slots; i > 0; i--) { for (size_t i = n_ordered_slots; i > 0; i--) {
r = crypt_keyslot_destroy(cd, ordered_slots[i - 1]); r = crypt_keyslot_destroy(cd, ordered_slots[i - 1]);
if (r < 0) { if (r < 0) {
if (r == -ENOENT)
log_warning_errno(r, "Failed to wipe non-existent slot %i, continuing.", ordered_slots[i - 1]);
else
log_warning_errno(r, "Failed to wipe slot %i, continuing: %m", ordered_slots[i - 1]); log_warning_errno(r, "Failed to wipe slot %i, continuing: %m", ordered_slots[i - 1]);
if (ret == 0) if (ret == 0)
ret = r; ret = r;

View File

@ -1033,14 +1033,12 @@ global:
sd_varlink_server_listen_fd; sd_varlink_server_listen_fd;
sd_varlink_server_loop_auto; sd_varlink_server_loop_auto;
sd_varlink_server_new; sd_varlink_server_new;
sd_varlink_server_ref;
sd_varlink_server_set_connections_max; sd_varlink_server_set_connections_max;
sd_varlink_server_set_connections_per_uid_max; sd_varlink_server_set_connections_per_uid_max;
sd_varlink_server_set_description; sd_varlink_server_set_description;
sd_varlink_server_set_exit_on_idle; sd_varlink_server_set_exit_on_idle;
sd_varlink_server_set_userdata; sd_varlink_server_set_userdata;
sd_varlink_server_shutdown; sd_varlink_server_shutdown;
sd_varlink_server_unref;
sd_varlink_set_allow_fd_passing_input; sd_varlink_set_allow_fd_passing_input;
sd_varlink_set_allow_fd_passing_output; sd_varlink_set_allow_fd_passing_output;
sd_varlink_set_description; sd_varlink_set_description;

View File

@ -3265,7 +3265,7 @@ static sd_varlink_server* varlink_server_destroy(sd_varlink_server *s) {
return mfree(s); return mfree(s);
} }
DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(sd_varlink_server, sd_varlink_server, varlink_server_destroy); DEFINE_TRIVIAL_REF_UNREF_FUNC(sd_varlink_server, sd_varlink_server, varlink_server_destroy);
static int validate_connection(sd_varlink_server *server, const struct ucred *ucred) { static int validate_connection(sd_varlink_server *server, const struct ucred *ucred) {
int allowed = -1; int allowed = -1;

View File

@ -2297,8 +2297,7 @@ static int start_transient_scope(sd_bus *bus) {
uid_t uid; uid_t uid;
gid_t gid; gid_t gid;
r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell, r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell, USER_CREDS_CLEAN|USER_CREDS_PREFER_NSS);
USER_CREDS_CLEAN|USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_PREFER_NSS);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to resolve user %s: %m", arg_exec_user); return log_error_errno(r, "Failed to resolve user %s: %m", arg_exec_user);

View File

@ -28,28 +28,21 @@ const char* user_record_state_color(const char *state) {
return NULL; return NULL;
} }
static void dump_self_modifiable( static void dump_self_modifiable(const char *heading, char **field, const char **value) {
const char *heading,
char **field,
const char **value) {
assert(heading); assert(heading);
/* Helper function for printing the various self_modifiable_* fields from the user record */ /* Helper function for printing the various self_modifiable_* fields from the user record */
if (!value) if (strv_isempty((char**) value))
/* Case 1: no value is set and no default either */ /* Case 1: the array is explicitly set to be empty by the administrator */
printf("%13s %snone%s\n", heading, ansi_highlight(), ansi_normal()); printf("%13s %sDisabled by Administrator%s\n", heading, ansi_highlight_red(), ansi_normal());
else if (strv_isempty((char**) value))
/* Case 2: the array is explicitly set to empty by the administrator */
printf("%13s %sdisabled by administrator%s\n", heading, ansi_highlight_red(), ansi_normal());
else if (!field) else if (!field)
/* Case 3: we have values, but the field is NULL. This means that we're using the defaults. /* Case 2: we have values, but the field is NULL. This means that we're using the defaults.
* We list them anyways, because they're security-sensitive to the administrator */ * We list them anyways, because they're security-sensitive to the administrator */
STRV_FOREACH(i, value) STRV_FOREACH(i, value)
printf("%13s %s%s%s\n", i == value ? heading : "", ansi_grey(), *i, ansi_normal()); printf("%13s %s%s%s\n", i == value ? heading : "", ansi_grey(), *i, ansi_normal());
else else
/* Case 4: we have a list provided by the administrator */ /* Case 3: we have a list provided by the administrator */
STRV_FOREACH(i, value) STRV_FOREACH(i, value)
printf("%13s %s\n", i == value ? heading : "", *i); printf("%13s %s\n", i == value ? heading : "", *i);
} }

View File

@ -2165,15 +2165,8 @@ const char** user_record_self_modifiable_fields(UserRecord *h) {
assert(h); assert(h);
/* Note: if the self_modifiable_fields field in UserRecord is NULL we'll apply a default, if we have
* one. If it is a non-NULL empty strv, we'll report it as explicit empty list. When the field is
* NULL and we have no default list we'll return NULL. */
/* Note that we intentionally distinguish between NULL and an empty array here */ /* Note that we intentionally distinguish between NULL and an empty array here */
if (h->self_modifiable_fields) return (const char**) h->self_modifiable_fields ?: (const char**) default_fields;
return (const char**) h->self_modifiable_fields;
return user_record_disposition(h) == USER_REGULAR ? (const char**) default_fields : NULL;
} }
const char** user_record_self_modifiable_blobs(UserRecord *h) { const char** user_record_self_modifiable_blobs(UserRecord *h) {
@ -2187,10 +2180,7 @@ const char** user_record_self_modifiable_blobs(UserRecord *h) {
assert(h); assert(h);
/* Note that we intentionally distinguish between NULL and an empty array here */ /* Note that we intentionally distinguish between NULL and an empty array here */
if (h->self_modifiable_blobs) return (const char**) h->self_modifiable_blobs ?: (const char**) default_blobs;
return (const char**) h->self_modifiable_blobs;
return user_record_disposition(h) == USER_REGULAR ? (const char**) default_blobs : NULL;
} }
const char** user_record_self_modifiable_privileged(UserRecord *h) { const char** user_record_self_modifiable_privileged(UserRecord *h) {
@ -2211,10 +2201,7 @@ const char** user_record_self_modifiable_privileged(UserRecord *h) {
assert(h); assert(h);
/* Note that we intentionally distinguish between NULL and an empty array here */ /* Note that we intentionally distinguish between NULL and an empty array here */
if (h->self_modifiable_privileged) return (const char**) h->self_modifiable_privileged ?: (const char**) default_fields;
return (const char**) h->self_modifiable_privileged;
return user_record_disposition(h) == USER_REGULAR ? (const char**) default_fields : NULL;
} }
static int remove_self_modifiable_json_fields_common(UserRecord *current, sd_json_variant **target) { static int remove_self_modifiable_json_fields_common(UserRecord *current, sd_json_variant **target) {

View File

@ -245,7 +245,7 @@ static int add_vsock_socket(
if (r < 0) if (r < 0)
return r; return r;
log_debug("Binding SSH to AF_VSOCK vsock::22.\n" log_info("Binding SSH to AF_VSOCK vsock::22.\n"
"→ connect via 'ssh vsock/%u' from host", local_cid); "→ connect via 'ssh vsock/%u' from host", local_cid);
return 0; return 0;
} }
@ -280,7 +280,7 @@ static int add_local_unix_socket(
if (r < 0) if (r < 0)
return r; return r;
log_debug("Binding SSH to AF_UNIX socket /run/ssh-unix-local/socket.\n" log_info("Binding SSH to AF_UNIX socket /run/ssh-unix-local/socket.\n"
"→ connect via 'ssh .host' locally"); "→ connect via 'ssh .host' locally");
return 0; return 0;
} }
@ -336,7 +336,7 @@ static int add_export_unix_socket(
if (r < 0) if (r < 0)
return r; return r;
log_debug("Binding SSH to AF_UNIX socket /run/host/unix-export/ssh\n" log_info("Binding SSH to AF_UNIX socket /run/host/unix-export/ssh\n"
"→ connect via 'ssh unix/run/systemd/nspawn/unix-export/\?\?\?/ssh' from host"); "→ connect via 'ssh unix/run/systemd/nspawn/unix-export/\?\?\?/ssh' from host");
return 0; return 0;
@ -387,7 +387,7 @@ static int add_extra_sockets(
if (r < 0) if (r < 0)
return r; return r;
log_debug("Binding SSH to socket %s.", *i); log_info("Binding SSH to socket %s.", *i);
n++; n++;
} }
@ -462,7 +462,7 @@ static int run(const char *dest, const char *dest_early, const char *dest_late)
_cleanup_free_ char *sshd_binary = NULL; _cleanup_free_ char *sshd_binary = NULL;
r = find_executable("sshd", &sshd_binary); r = find_executable("sshd", &sshd_binary);
if (r == -ENOENT) { if (r == -ENOENT) {
log_debug("Disabling SSH generator logic, since sshd is not installed."); log_info("Disabling SSH generator logic, since sshd is not installed.");
return 0; return 0;
} }
if (r < 0) if (r < 0)

View File

@ -724,7 +724,7 @@ static void print_status_info(
printf(" Tasks: %" PRIu64, i->tasks_current); printf(" Tasks: %" PRIu64, i->tasks_current);
if (i->tasks_max != UINT64_MAX) if (i->tasks_max != UINT64_MAX)
printf("%s (limit: %" PRIu64 ")%s\n", ansi_grey(), i->tasks_max, ansi_normal()); printf(" (limit: %" PRIu64 ")\n", i->tasks_max);
else else
printf("\n"); printf("\n");
} }

View File

@ -105,9 +105,9 @@ int main(void) {
} }
for (j = 0; symbols_from_source[j].name; j++) { for (j = 0; symbols_from_source[j].name; j++) {
struct symbol *n = bsearch(symbols_from_source+j, symbols_from_sym, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback); struct symbol*n = bsearch(symbols_from_source+j, symbols_from_source, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
if (!n) if (!n)
printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[j].name); printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[i].name);
} }
return i == j ? EXIT_SUCCESS : EXIT_FAILURE; return i == j ? EXIT_SUCCESS : EXIT_FAILURE;

View File

@ -9,7 +9,7 @@
({ \ ({ \
typeof(ret) _r = (ret); \ typeof(ret) _r = (ret); \
user_record_unref(*_r); \ user_record_unref(*_r); \
assert_se(user_record_build((ret), SD_JSON_BUILD_OBJECT(SD_JSON_BUILD_PAIR_STRING("disposition", "regular"), __VA_ARGS__)) >= 0); \ assert_se(user_record_build((ret), SD_JSON_BUILD_OBJECT(__VA_ARGS__)) >= 0); \
0; \ 0; \
}) })

View File

@ -2182,10 +2182,6 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
(void) sd_event_add_signal(event, NULL, (SIGRTMIN+18) | SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, NULL); (void) sd_event_add_signal(event, NULL, (SIGRTMIN+18) | SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, NULL);
r = sd_event_add_memory_pressure(event, NULL, NULL, NULL);
if (r < 0)
log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
/* Exit when the child exits */ /* Exit when the child exits */
(void) event_add_child_pidref(event, NULL, &child_pidref, WEXITED, on_child_exit, NULL); (void) event_add_child_pidref(event, NULL, &child_pidref, WEXITED, on_child_exit, NULL);

View File

@ -1,20 +0,0 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -eux
set -o pipefail
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
(! systemd-run --wait -p DynamicUser=yes \
-p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
-p WorkingDirectory='~' true)
assert_eq "$(systemd-run --pipe --uid=root -p WorkingDirectory='~' pwd)" "/root"
assert_eq "$(systemd-run --pipe --uid=nobody -p WorkingDirectory='~' pwd)" "/"
assert_eq "$(systemd-run --pipe --uid=testuser -p WorkingDirectory='~' pwd)" "/home/testuser"
(! systemd-run --wait -p DynamicUser=yes -p User=testuser \
-p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
-p WorkingDirectory='~' true)

View File

@ -16,7 +16,6 @@ ConditionDirectoryNotEmpty=|/run/confexts
ConditionDirectoryNotEmpty=|/var/lib/confexts ConditionDirectoryNotEmpty=|/var/lib/confexts
ConditionDirectoryNotEmpty=|/usr/local/lib/confexts ConditionDirectoryNotEmpty=|/usr/local/lib/confexts
ConditionDirectoryNotEmpty=|/usr/lib/confexts ConditionDirectoryNotEmpty=|/usr/lib/confexts
ConditionDirectoryNotEmpty=|/.extra/confext
DefaultDependencies=no DefaultDependencies=no
After=local-fs.target After=local-fs.target