This returns to the original approach proposed in
https://github.com/systemd/systemd/pull/17270. After review, the approach was
changed to use sd_pid_get_owner_uid() instead. Back then, when running in a
typical graphical session, sd_pid_get_owner_uid() would usually return the user
UID, and when running under sudo, geteuid() would return 0, so we'd trigger the
secure path.
sudo may allocate a new session if is invoked outside of a session (depending
on the PAM config). Since nowadays desktop environments usually start the user
shell through user units, the typical shell in a terminal emulator is not part
of a session, and when sudo is invoked, a new session is allocated, and
sd_pid_get_owner_uid() returns 0 too. Technically, the code still works as
documented in the man page, but in the common case, it doesn't do the expected
thing.
$ build/test-sd-login |& rg 'get_(owner_uid|cgroup|session)'
sd_pid_get_session(0) → No data available
sd_pid_get_owner_uid(0) → 1000
sd_pid_get_cgroup(0) → /user.slice/user-1000.slice/user@1000.service/app.slice/app-ghostty-transient-5088.scope/surfaces/556FAF50BA40.scope
I think it's worth checking for sudo because it is a common case used by users.
There obviously are other mechanims, so the man page is extended to say that
only some common mechanisms are supported, and to (again) recommend setting
SYSTEMD_LESSSECURE explicitly. The other option would be to set "secure mode"
by default. But this would create an inconvenience for users doing the right
thing, running systemctl and other tools directly, because then they can't run
privileged commands from the pager, e.g. to save the output to a file. (Or the
user would need to explicitly set SYSTEMD_LESSSECURE. One option would be to
set it always in the environment and to rely on sudo and other tools stripping
it from the environment before running privileged code. But that is also fairly
fragile and it obviously relies on the user doing a complicated setup to
support a fairly common use case. I think this decreases usability of the
system quite a bit. I don't think we should build solutions that work in
priniciple, but are painfully inconvenient in common cases.)
man: rework the description of $SYSTEMD_PAGER and $PAGER
$PAGER wasn't documented, but actually we treat it same as $SYSTEMD_PAGER,
except for lower priority. And the two variables can be used to disable the
pager, even if $SYSTEMD_PAGERSECURE is not set.
Behaviour is (obviously) not changed by this patch, it intentionally just
updates the docs to match the code.
man: reword the description of "secure pager" handling
The existing description was not *wrong*, but it was a bit muddled. Let's
reorder the text to give a short intro and then describe what the options
actually do and the clear "true" and "false" cases first, and then describe
autodetection.
Related to https://yeswehack.com/vulnerability-center/reports/346802.
exec-util: make missing agents a gracefull handled issues
Just downgrade the log message in case of ENOENT of agent binaries to
LOG_DEBUG. Do this in order to support distros which split off some
agent bianries into separate optional binaries.
Todd C. Miller [Tue, 6 May 2025 22:39:14 +0000 (16:39 -0600)]
flush_ports: flush POSIX message queues properly
On Linux, read() on a message queue descriptor returns the message
queue statistics, not the actual message queue data. We need to use
mq_receive() to drain the queues instead.
Fixes a problem where a POSIX message queue socket unit with messages
in the queue at shutdown time could result in a hang on reboot/shutdown.
Yu Watanabe [Wed, 7 May 2025 12:44:22 +0000 (21:44 +0900)]
units: enable IgnoreOnIsolate=yes on systemd-udevd-kernel.socket
Otherwise, initrd-cleanup.service requests isolation thus the socket
is stopped before switching root, and several early events after
switching root may be lost.
test-sd-login: add a "test" that just calls all sd_pid_get_* functions
As a test, it just increases our code coverage in a fake way.
When run manually, it can be used to conveniently print what logind
thinks about various processes:
$ build/test-sd-login
sd_pid_get_session(0) → No data available
sd_pid_get_unit(0) → user@1000.service
sd_pid_get_user_unit(0) → app-ghostty-transient-5088.scope
sd_pid_get_machine_name(0) → No such file or directory
sd_pid_get_slice(0) → user-1000.slice
sd_pid_get_user_slice(0) → app.slice
sd_pid_get_owner_uid(0) → 1000
sd_pid_get_cgroup(0) → /user.slice/user-1000.slice/user@1000.service/app.slice/app-ghostty-transient-5088.scope/surfaces/556FAF50BA40.scope
I initially wrote it this way, but then decided to implement a loop
limit, but forgot to drop the first approach in one place.
Fixup for 74cb65e45fbf3468cf6b522e4b4fa568d95f12c6.
man/systemd.exec: reword description of SystemCallFilter=
The existing text grew organically as features were added and was
not very organized. Reorder it and break into paragraphs grouped
by topic. The description of the :errno syntax is replaced by a short
reference to the SystemCallErrorNumber= setting. This makes the
text shorter and makes it easier to explain how the two settings combine.
damnkiwi6120 [Tue, 6 May 2025 18:53:32 +0000 (02:53 +0800)]
Replace reference URLs with working ones
The linuxfoundation.org entry at L50 goes 404, so I replace it with a working one from kernel.org.
Both links are checked with archive.org.
https://web.archive.org/web/20231114104223/https://lists.linuxfoundation.org/pipermail/virtualization/2015-August/030331.html
https://web.archive.org/web/20230503084037/https://docs.kernel.org/s390/pci.html
Daan De Meyer [Sun, 4 May 2025 11:31:07 +0000 (13:31 +0200)]
hashmap: Drop debug params
Passing in the func, file and line information complicates the
interface. On top of that, it prevents forward declaring Hashmap in
strv.h, as we need to pass the macros everywhere that we allocate a
hashmap, which means we have to include the hashmap header everywhere
we have a function that allocates a hashmap instead of just having to
forward declare Hashmap.
Let's drop the file, func and line information from the debug information.
Instead, in the future we can add a description field to hashmaps like we
already have in various other structs to describe the purpose of the hashmap
which should be much more useful than having the file, line and function where
the hashmap was allocated.
Daan De Meyer [Tue, 6 May 2025 07:53:56 +0000 (09:53 +0200)]
macro: Introduce ABS() macro and use it in header files
abs() requires including the entirety of stdlib.h just for a single
trivial function. Let's introduce the ABS() macro and use it in header
files instead so we can get rid of stdlib.h transitive includes in header
files in a later commit.
Daan De Meyer [Mon, 5 May 2025 20:06:17 +0000 (22:06 +0200)]
main-func: Reduce transitive includes
Let's move some logic from _DEFINE_MAIN_FUNCTION() and other places
in main-func.h into functions that we implement in main-func.c to
allow moving some included headers from the header to the .c file.
projects / thirdparty / systemd.git / log
