# Locking Block Device Access
*TL;DR: Use BSD file locks
-[(`flock(2)`)](http://man7.org/linux/man-pages/man2/flock.2.html) on block
+[(`flock(2)`)](https://man7.org/linux/man-pages/man2/flock.2.html) on block
device nodes to synchronize access for partitioning and file system formatting
tools.*
from processing rules on it — and thus bar it from probing the device — by
taking a BSD file lock on the block device node. Specifically, whenever
`systemd-udevd` starts processing a block device it takes a `LOCK_SH|LOCK_NB`
-lock using [`flock(2)`](http://man7.org/linux/man-pages/man2/flock.2.html) on
+lock using [`flock(2)`](https://man7.org/linux/man-pages/man2/flock.2.html) on
the main block device (i.e. never on any partition block device, but on the
device the partition belongs to). If this lock cannot be taken (i.e. `flock()`
returns `EAGAIN`), it refrains from processing the device. If it manages to take
A unified kernel image is a single EFI PE executable combining an EFI stub
loader, a kernel image, an initramfs image, and the kernel command line. See
the description of the `--uefi` option in
-[dracut(8)](http://man7.org/linux/man-pages/man8/dracut.8.html). Such unified
+[dracut(8)](https://man7.org/linux/man-pages/man8/dracut.8.html). Such unified
images are installed in the`$BOOT/EFI/Linux/` and `$XBOOTLDR/EFI/Linux/`
directories and must have the extension `.efi`.
Support for images of this type is of course specific to systems with EFI
This will tell you the `/etc/passwd` and `/etc/shadow` entries for your
user. For details about the fields, see the respective man pages
- [passwd(5)](http://man7.org/linux/man-pages/man5/passwd.5.html) and
- [shadow(5)](http://man7.org/linux/man-pages/man5/shadow.5.html).
+ [passwd(5)](https://man7.org/linux/man-pages/man5/passwd.5.html) and
+ [shadow(5)](https://man7.org/linux/man-pages/man5/shadow.5.html).
The fourth field in the `getent passwd foobar` output tells you the GID of
your user's main group. Depending on your distribution it's a group private
* A Plymouth agent used for querying passwords during boot-up
* A console agent used in similar situations if Plymouth is not available
* A GNOME agent which can be run as part of the normal user session which pops up a notification message and icon which when clicked receives the passphrase from the user. This is useful and necessary in case an encrypted system hard-disk is plugged in when the machine is already up.
-* A [`wall(1)`](http://man7.org/linux/man-pages/man1/wall.1.html) agent which sends wall messages as soon as a password shall be entered.
+* A [`wall(1)`](https://man7.org/linux/man-pages/man1/wall.1.html) agent which sends wall messages as soon as a password shall be entered.
* A simple tty agent which is built into "`systemctl start`" (and similar commands) and asks passwords to the user during manual startup of a service
* A simple tty agent which can be run manually to respond to all queued passwords
The Linux kernel provides three relevant userspace APIs to request random data
from the kernel's entropy pool:
-* The [`getrandom()`](http://man7.org/linux/man-pages/man2/getrandom.2.html)
+* The [`getrandom()`](https://man7.org/linux/man-pages/man2/getrandom.2.html)
system call with its `flags` parameter set to 0. If invoked the calling
program will synchronously block until the random pool is fully initialized
and the requested bytes can be provided.
pool is not initialized yet.
* Reading from the
- [`/dev/urandom`](http://man7.org/linux/man-pages/man4/urandom.4.html)
+ [`/dev/urandom`](https://man7.org/linux/man-pages/man4/urandom.4.html)
pseudo-device will always return random bytes immediately, even if the pool
is not initialized. The provided random bytes will be of low quality in this
case however. Moreover the kernel will log about all programs using this
do use it in many cases, but not in all. Please read the above again!
2. *Why don't you use
- [getentropy()](http://man7.org/linux/man-pages/man3/getentropy.3.html)? That's
+ [getentropy()](https://man7.org/linux/man-pages/man3/getentropy.3.html)? That's
all you need!*
Same story. That call is just a different name for `getrandom()` with
are trying to address here.
3. *Why don't you generate your UUIDs with
- [`uuidd`](http://man7.org/linux/man-pages/man8/uuidd.8.html)? That's all you
+ [`uuidd`](https://man7.org/linux/man-pages/man8/uuidd.8.html)? That's all you
need!*
First of all, that's a system service, i.e. something that runs as "payload"
To protect yourself against these kinds of attacks Linux provides a couple of
APIs that help you avoiding guessable names. Specifically:
-1. Use [`mkstemp()`](http://man7.org/linux/man-pages/man3/mkstemp.3.html)
+1. Use [`mkstemp()`](https://man7.org/linux/man-pages/man3/mkstemp.3.html)
(POSIX), `mkostemp()` (glibc),
- [`mkdtemp()`](http://man7.org/linux/man-pages/man3/mkdtemp.3.html) (POSIX),
- [`tmpfile()`](http://man7.org/linux/man-pages/man3/tmpfile.3.html) (C89)
+ [`mkdtemp()`](https://man7.org/linux/man-pages/man3/mkdtemp.3.html) (POSIX),
+ [`tmpfile()`](https://man7.org/linux/man-pages/man3/tmpfile.3.html) (C89)
-2. Use [`open()`](http://man7.org/linux/man-pages/man2/open.2.html) with
+2. Use [`open()`](https://man7.org/linux/man-pages/man2/open.2.html) with
`O_TMPFILE` (Linux)
-3. [`memfd_create()`](http://man7.org/linux/man-pages/man2/memfd_create.2.html)
+3. [`memfd_create()`](https://man7.org/linux/man-pages/man2/memfd_create.2.html)
(Linux; this doesn't bother with `/tmp/` or `/var/tmp/` at all, but uses the
same RAM/swap backing as `tmpfs` uses, hence is very similar to `/tmp/`
semantics.)
3. 🥇 Operate below a sub-directory of `/tmp/` and `/var/tmp/` you created, and
take a BSD file lock ([`flock(dir_fd,
- LOCK_SH)`](http://man7.org/linux/man-pages/man2/flock.2.html)) on that
+ LOCK_SH)`](https://man7.org/linux/man-pages/man2/flock.2.html)) on that
sub-directory. This is particularly interesting when operating on more than
a single file, or on file nodes that are not plain regular files, for
example when extracting a tarball to a temporary directory. The ageing
this when decompressing tarballs that contain files with old
modification/access times, as extracted files are otherwise immediately
candidates for deletion by the ageing algorithm. The
- [`flock`](http://man7.org/linux/man-pages/man1/flock.1.html) tool of the
+ [`flock`](https://man7.org/linux/man-pages/man1/flock.1.html) tool of the
`util-linux` packages makes this concept available to shell scripts. Note
that `systemd-tmpfiles` only checks for BSD file locks on directories, locks
on other types of file nodes (including regular files) are not considered.
not advisable however, as it offers no benefits over a private directory in
`/run/` as both are backed by the same concept: `tmpfs`. The directory
`/dev/shm/` exists to back POSIX shared memory (see
-[`shm_open()`](http://man7.org/linux/man-pages/man3/shm_open.3.html) and
+[`shm_open()`](https://man7.org/linux/man-pages/man3/shm_open.3.html) and
related calls), and not as a place for temporary files. `/dev/shm` is
problematic as it is world-writable and there's no automatic clean-up logic in
place.)
and [JSON Group Records](GROUP_RECORD.md) documents) that are defined on the
local system may be queried with a [Varlink](https://varlink.org/) API. This
API takes both the role of what
-[`getpwnam(3)`](http://man7.org/linux/man-pages/man3/getpwnam.3.html) and
+[`getpwnam(3)`](https://man7.org/linux/man-pages/man3/getpwnam.3.html) and
related calls are for `struct passwd`, as well as the interfaces modules
implementing the [glibc Name Service Switch
(NSS)](https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html)
`environment` → An array of strings, each containing an environment variable
and its value to set for the user's login session, in a format compatible with
-[`putenv()`](http://man7.org/linux/man-pages/man3/putenv.3.html). Any
+[`putenv()`](https://man7.org/linux/man-pages/man3/putenv.3.html). Any
environment variable listed here is automatically set by
[`pam_systemd`](https://www.freedesktop.org/software/systemd/man/pam_systemd.html)
for all login sessions of the user.
[`pam_systemd`](https://www.freedesktop.org/software/systemd/man/pam_systemd.html)
will automatically initialize the login process' nice level to this value with,
which is then inherited by all the user's processes, see
-[`setpriority()`](http://man7.org/linux/man-pages/man2/setpriority.2.html) for
+[`setpriority()`](https://man7.org/linux/man-pages/man2/setpriority.2.html) for
more information.
`resourceLimits` → An object, where each key refers to a Linux resource limit
[`pam_systemd`](https://www.freedesktop.org/software/systemd/man/pam_systemd.html)
will automatically initialize the login process' resource limits to these
values, which is then inherited by all the user's processes, see
-[`setrlimit()`](http://man7.org/linux/man-pages/man2/setrlimit.2.html) for more
+[`setrlimit()`](https://man7.org/linux/man-pages/man2/setrlimit.2.html) for more
information.
`locked` → A boolean value. If true, the user account is locked, the user may
`hashedPassword` → An array of strings, each containing a hashed UNIX password
string, in the format
-[`crypt(3)`](http://man7.org/linux/man-pages/man3/crypt.3.html) generates. This
+[`crypt(3)`](https://man7.org/linux/man-pages/man3/crypt.3.html) generates. This
corresponds with `sp_pwdp` field of `struct spwd` (and in a way the `pw_passwd`
field of `struct passwd`).
<xsl:template match="citerefentry[@project='man-pages'] | citerefentry[manvolnum='2'] | citerefentry[manvolnum='4']">
<a>
<xsl:attribute name="href">
- <xsl:text>http://man7.org/linux/man-pages/man</xsl:text>
+ <xsl:text>https://man7.org/linux/man-pages/man</xsl:text>
<xsl:value-of select="manvolnum"/>
<xsl:text>/</xsl:text>
<xsl:value-of select="refentrytitle"/>
The <varname>Key=</varname> is either a number or an IPv4 address-like dotted quad.
It is used as mark-configured SAD/SPD entry as part of the lookup key (both in data
and control path) in IP XFRM (framework used to implement IPsec protocol).
- See <ulink url="http://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
+ See <ulink url="https://man7.org/linux/man-pages/man8/ip-xfrm.8.html">
ip-xfrm — transform configuration</ulink> for details. It is only used for VTI/VTI6,
GRE, GRETAP, and ERSPAN tunnels.</para>
</listitem>
projects / thirdparty / systemd.git / commitdiff
