pam_systemd_home: make sure we handle RefUnit() returning HomeBusy properly
RefUnit() only succeeds it a home dir is fully up. We already dealt with
it not being up at all, but let's also cover the case where it is
currently busy with changing state, and in that case fall back to
RefUnrestricted(), with the usual implications.
This has the effect that two subsequent ssh logins one-after-the-other
will work correctly.
pam_systemd_home: in ssh logins and similar, ask via fallback shall for home password
ssh runs PAM session hooks before they allocate a pty for the session.
(That's because they allow multiplexed connections, and hence might run
multiple ptys over the same same session). This means PAM modules cannot
interactively ask the user for additional information as they deem fit.
That's a problem for us, since generally during an SSH login no
authentication token (aka "password") is supplied to us which we could
use to unlock the user's home dir.
With this commit we implement a way out: we allow the login to proceed,
but without the home dir activated, and then override the user's shell
with our fallback shell, which will ask for the user's password and then
chainload the actual shell.
This will of course only work if the login actually involves invoking
the configured interactive shell of the user. For other logins (such as
sftp or so), this cannot work, and they'll see an empty home dir
instead.
This is very similar to ActivateHome() but will fail if the home
directory is not referenced yet. Or in other words, this doesn't add any
new reference, but simply is the other side of RefUnrestricted(): if we
allowed a home dir to be referenced without it actually being active,
then this can catch up with things and activated what was previously
referenced already.
This also relaxes access rights to that users can always activate their
own home dirs. This is useful once we allow user code to run without the
home dir being activated.
homed: add bus call that allows referencing a home without activating it
This is useful for allowing users to login without the ability to unlock
their home dir. Usecase is ssh: ssh might grant access without giving
us the chance to unlock the home dir for the user (because it doesn't
allow us asking questions during authentication), hence with this call
we can pin the home dir, but not activate it and then allow the
activation to be delayed until later.
user-record: add fields for a fallback home dir + shell
This adds fields to the user record logic to allow a "fallback" home
directory and shell to be set as part of the "status" section of the
user record, i.e. supplied by the manager of the user record.
The idea is that if the fallback homedir/shell is set it will take
precedence over the real one in most ways.
Usecase: let's try to make ssh logins into homed directories work.
systemd-homed would set a fallback shell/homedir for inactive home dirs.
Thus, when ssh logins take place via key auth, we can allow them, and
these fallback session params would be used because the real home cannot
be activated just yet becasue we cannot acquire any password for it from
the user.
pam-systemd: automatically enable "incomplete" user session if XDG_SESSION_INCOMPLETE env var is set
This allows earlier PAM modules (i.e. pam_systemd_home) to inform
pam_systemd that the session is not "complete" yet (i.e. doesn't have
the home dir set up properly yet).
Luca Boccassi [Tue, 13 Feb 2024 13:43:49 +0000 (13:43 +0000)]
meson: do not attempt to install tests when they are disabled
If -Dtests=false but -Dinstall-tests=true the build will fail, as some tests will
be pulled in the build but not their prerequisites. It doesn't make sense to ask
for tests to be installed if they are disabled.
FAILED: test-acd
cc -o test-acd test-acd.p/src_libsystemd-network_test-acd.c.o -flto -Wl,--as-needed -Wl,--no-undefined -pie -fstack-protector -Wl,-z,relro -specs=/usr/share/debhelper/dh_package_notes/debian-package-notes.specs -g -O2 -ffile-prefix-map=/tmp/s=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -ffat-lto-objects -Wdate-time -D_FORTIFY_SOURCE=2 '-Wl,-rpath,$ORIGIN/src/shared:XXXXXXXXXXXXXXX' -Wl,-rpath-link,/tmp/s/obj-x86_64-linux-gnu/src/shared -Wl,--start-group src/shared/libsystemd-shared-255.so src/libsystemd-network/libsystemd-network.a -Wl,--end-group -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections
/usr/bin/ld: /tmp/cc0oYwFZ.ltrans0.ltrans.o: in function `main':
./obj-x86_64-linux-gnu/./obj-x86_64-linux-gnu/<artificial>:85:(.text.startup+0x33): undefined reference to `test_setup_logging'
collect2: error: ld returned 1 exit status
An UKI final command line is not just made of the content of .cmdline,
but also from the addons that are inserted in
/boot/efi/EFI/Linux/<UKI_NAME>.efi.extra.d (local addons) and /boot/efi/loader/addons
(global addons).
Therefore bootclt "status" and "list" should also include these addons
when printing the UKI command line.
Support for /boot/efi/EFI/Linux/<UKI_NAME>.efi.extra.d is already present,
so now cover addons present in /boot/efi/loader/addons (global addons).
Example (assume UKI_NAME=devel):
$ bootctl
ukiCmdline: console=tty0 console=ttyS0
globalAddon: loader/addons/global.addon.efi
cmdline: └─quiet
localAddon: devel.efi.extra.d/rpm_addon.addon.efi
cmdline: └─this is a normal addon
finalCmdline: console=tty0 console=ttyS0 quiet this is a normal addon
An UKI final command line is not just made of the content of .cmdline,
but also from the addons that are inserted in
/boot/efi/EFI/Linux/<UKI_NAME>.efi.extra.d (local addons) and
/boot/efi/loader/addons (global addons).
Therefore bootclt "status" and "list" should also include these addons
when printing the UKI command line.
Right now, discover addons present in
/boot/efi/EFI/Linux/<UKI_NAME>.efi.extra.d.
Example output (assume UKI_NAME=devel):
$ bootctl
ukiCmdline: console=tty0 console=ttyS0
localAddon: devel.efi.extra.d/rpm_addon.addon.efi
cmdline: └─this is a normal addon
finalCmdline: console=tty0 console=ttyS0 this is a normal addon
Adrian Vovk [Fri, 19 Jan 2024 01:48:24 +0000 (20:48 -0500)]
hashmap: Add helper to dump sorted keys
Currently, hashmap_dump_sorted sorts by key and then returns the values
in order sorted by key. This commit adds another helper that does the
same but returns the sorted keys instead
Adrian Vovk [Sat, 20 Jan 2024 00:46:07 +0000 (19:46 -0500)]
env-util: Add helper to store current log level
This is useful after a fork but before an exec into a binary that uses
systemd's logging utilities. For example, this should be used in dbus
services that fork off worker processes: currently, the log level set by
the LogControl dbus API will be lost because of the exec, and the worker
process will not have the correct log level set.
Adrian Vovk [Fri, 2 Feb 2024 20:03:54 +0000 (15:03 -0500)]
format-utils: Expose FORMAT_UID and FORMAT_GID
This pulls this generally useful helper out of sysusers and into the
util lib, and updates the places throughout the codebase where it makes
sense to use it.
Adrian Vovk [Thu, 1 Feb 2024 16:16:44 +0000 (11:16 -0500)]
homed: Add some missing asserts
These functions expect secrets to be passed in (some even dereference
the variables), but fail to assert that they're non-null. So this commit
adds some assertions
Before the commit, if a conflicting address exists or already requested,
then the configuration of newly requested address (especially, prefix
length) is mostly ignored silently.
However, after the commit, even if there exists a conflicting address,
networkd anyway tries to configure the newly requested address, and
enter failed state. Such situation can be triggered, e.g. when the DHCPv6
client is started earlier than NDisc, by WithoutRA=solicit.
Adrian Vovk [Sun, 4 Feb 2024 17:27:01 +0000 (12:27 -0500)]
user-record: Add languages field
This field is like preferredLanguage, but takes a priority list of
languages instead. If an app isn't translated into a user's primary
language, it can fall back to one of the other languages in the list
thus making the app more accessible to the user.
For instance: in my experience, many Ukrainians are fluent in Russian,
often significantly better than English (especially if they are of a
generation that grew up during the USSR). Such a person might set this
new variable to ["uk_UA.UTF-8", "ru_UA.UTF-8"] so that software that
lacks Ukrainian translations will first try Russian translations before
defaulting to English.
Adrian Vovk [Sun, 4 Feb 2024 17:18:08 +0000 (12:18 -0500)]
locale-util: Restrict valid locales
This further restricts the charset of locales to better reflect what
locales actually look like.
This allows us to safely join locale names using the `:` character, for
instance, which cannot appear in a locale name and is used by the
`$LANGUAGE` env var
Adrian Vovk [Sun, 4 Feb 2024 16:56:05 +0000 (11:56 -0500)]
pam_systemd: Let user record override env vars
The user record should be the source of truth for the user's environment
variables, and the user should be able to override them in much the same
way that they can if they simply append the variable to their ~/.profile
For example, before $LANG would never get set to the user's preferred
language, because the service manager always ensures that $LANG is set
to something (either the localed config, or a compiled-in default). Thus
the user's preferredLanguage setting was always ignored
Adrian Vovk [Sat, 13 Jan 2024 16:08:12 +0000 (11:08 -0500)]
basic: Add some sha256 helper functions
Adds a util function to sha256 an open fd (moved from dissect). Also
adds functions to check if a string contains a valid sha256 hash, and
parse it into a sha256 array.
Adrian Vovk [Wed, 17 Jan 2024 19:48:45 +0000 (14:48 -0500)]
fundamental: Add overflow-safe math helpers
ADD_SAFE/SUB_SAFE/MUL_SAFE do addition/subtraction/multiplication
respectively with an overflow check. If an overflow occurs these return
false, otherwise true. Example: (c = a + b) would become ADD_SAFE(&c, a,
b)
INC_SAFE/DEC_SAFE/MUL_ASSIGN_SAFE are like above but they also reassign
the first argument. Example: (a += b) would become INC_SAFE(&a, b)
Also update tools/meson-vcs-tag.sh to use carets instead of hyphens
for the git part of the version as carets are allowed to be part of
a version by pacman while hyphens are not and both sort higher than
a version without the git part.
Ondrej Kozina [Wed, 31 Jan 2024 12:11:21 +0000 (13:11 +0100)]
cryptsetup: Add optional support for linking volume key in keyring.
cryptsetup 2.7.0 adds feature to link effective volume key in custom
kernel keyring during device activation. It can be used later to pass
linked volume key to other services.
For example: kdump enabled systems installed on LUKS2 device.
This feature allows it to store volume key linked in a kernel keyring
to the kdump reserved memory and reuse it to reactivate LUKS2 device
in case of kernel crash.
cunshunxia [Wed, 24 Jan 2024 03:23:19 +0000 (11:23 +0800)]
Fix OOMPolicy= version in manpage of systemd.scope
OOMPolicy in scope units is separately supported in
version v253, so I think it cannot be directly used
in the manpage with the version from the service.
Franck Bui [Thu, 8 Feb 2024 15:12:41 +0000 (16:12 +0100)]
test/test-shutdown.py: optionally display the test I/Os in a dedicated log file
Given that the test involves screen(1), sending various control sequences to
resize/clear the screen, most of the logs sent from the python script were
nearly impossible to read or mixed with other messages sent to the console
hence making the debug harder when the test is run manually.
This patch introduces an option to redirect the pexpect IOs into a file (to be
used in $STATEDIR/TEST-69-SHUTDOWN/run-nspawn).
The pexpect logs are also enabled later so the boot logs are skipped since
those are already included in the journal.
btrfs-util: apparently btrfs ioctls return unaligned data. deal with it.
Kinda sad, that interfaces like this exist in 2024. But let's deal with
it: before we access "struct btrfs_ioctl_search_header" let's copy it
out, and access it only in the aligned copy.
btrfs-util: use memdup_suffix0() instead of strndup() at one more place
The structure we copy this out is a large (unaligned) binary blob, hence
let's better use the memdup_suffix0() so that gcc doesn't make
assumption about the source being a valid string.
missing: change our close_range() syscall wrapper to map glibc's
So glibc exposes a close_range() syscall wrapper now, but they decided
to use "unsigned" as type for the fds. Which is a bit weird, because fds
are universally understood to be "int". The kernel internally uses
"unsigned", both for close() and for close_range(), but weirdly,
userspace didn't fix that for close_range() unlike what they did for
close()... Weird.
But anyway, let's follow suit, and make our wrapper match glibc's.
The idea is simple: skip the final operation that creates or removes things
or changes the attributes, but otherwise go through the rest of the code.
This results in quite a lot of fairly repetitive conditions in the low-level
code. Another approach would be to print earlier, at a higher level, but then
we'd have less precise information about what is about to happen.
Michal Koutný [Fri, 9 Feb 2024 15:03:00 +0000 (16:03 +0100)]
service: Demote log level of NotifyAccess= messages to debug
The situation is a service like
Type=notify
NotifyAccess=main
and the service uses some of the systemd helper utilities, e.g.
coredumpctl. The service process will pass NOTIFY_SOCKET to the helper
child (accidentally) and the result is a spurious notification and
the warning message:
> Jan 18 09:38:01 host systemd[1]: sdnotify.service: Got notification message from PID 13736, but reception only permitted for main PID 13549
Notification from helpers seem like an unintentional composition of the
commit c118b577fa ("coredumpctl: define main through macro") and commit 6b636c2d27 ("main-func: send main exit code to parent via sd_notify() on
exit"). The former used the handy macro for a main function, the latter
equipped any main function with the notification. (Further extended in
the commit 623a00020f ("notify: Add EXIT_STATUS field").)
Since notification from systemd utitilities are meant to extend
rudimentary exit()/wait() pair generally, they may happen to land into
service's NOTIFY_SOCKET. Tone down messages of notification that won't
match NotifyAccess=.
For the other verbs turning off JSON mode makes sense, but for "call"
not so much, after all the contents of a method call reply is JSON we
couldn't really show any other way.
Hence, when JSON output was not configured otherwise in "call", default
to the same as -j.
It exposes the varlink_collect() call we internally provide: it collects
all responses of a method call that is issued with the "more" method
call flag. It then returns the result as a single JSON array.
This reworks varlink_collect() so that it is not just a wrapper around
varlink_observe(), varlink_bind_reply() and others. It becomes a first
class operation.
This has various benefits:
1. Memory management is normalized: the reply json variant is now
tracked as part of the varlink object, and thus we do not pass
ownership to the caller. This is just like we do it for simple method
calls and removes a lot of confusion.
2. The bind reply/user data pointer can be used for user stuff, we'll
not silently override this.
3. We enforce an overall time-out operation on the whole thing, so that
this synchronous operation does no longer block forever.
units: enable MaxConnectionsPerSocket= for all our Accept=yes units
Let's make sure that user's cannot DoS services for other users so
easily, and enable MaxConnectionsPerSocket= by default for all of them.
Note that this is mostly paranoia for systemd-pcrextend.socket and
systemd-sysext.socket: the socket is only accessible to root anyway,
hence the accounting shouldn#t change anything. But this is just a
safety net, in preparation that we open up some functionality of these
services sooner or later.
pid1: make MaxConnectionsPerSource= also work for AF_UNIX sockets
The setting currently puts limits on connections per IP address and
AF_UNIX CID. Let's extend it to cover AF_UNIX too, where it puts a limit
on connections per UID.
This is particularly useful for the various Accept=yes Varlink services
we now have, as it means, the number of per-user instance services
cannot grow without bounds.