From: Ronan Pigott Date: Wed, 14 Aug 2024 18:42:03 +0000 (-0700) Subject: units: drop "-p" flag from agetty's login options X-Git-Tag: v257-rc1~699 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d2157e;p=thirdparty%2Fsystemd.git units: drop "-p" flag from agetty's login options This flag was added in db6aedab9292 with the justification that locale environment variables should be preserved by the user session. However, the companion patch to drop the UnsetEnvironment= directive blocking these variables was never merged, so the intended change was never effected. While the patch was ineffective toward its stated goal, the "-p" option does have material negative consequences for the user session in systemd — environment variables to support the use of credentials and memory pressure directives, such as $CREDENTIALS_DIRECTORY and $MEMORY_PRESSURE_WATCH, which are now directly used by agetty and login, get leaked into the user session potentially breaking applications that rely on these values. E.g. systemd-ask-password fails from the tty when $CREDENTIALS_DIRECTORY has been leaked from agetty, because it expects to be able to access credentials in $CREDENTIALS_DIRECTORY. This effectively reverts db6aedab9292. References: db6aedab9292 (units: Tell login to preserve environment (#6023), 2017-05-24) --- diff --git a/units/console-getty.service.in b/units/console-getty.service.in index 841c4496f02..575a7770c9d 100644 --- a/units/console-getty.service.in +++ b/units/console-getty.service.in @@ -20,10 +20,9 @@ Before=getty.target ConditionPathExists=/dev/console [Service] -# The '-o' option value tells agetty to replace 'login' arguments with an -# option to preserve environment (-p), followed by '--' for safety, and then -# the entered username. -ExecStart=-/sbin/agetty -o '-p -- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM} +# The '-o' option value tells agetty to replace 'login' arguments with '--' for +# safety, and then the entered username. +ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM} Type=idle Restart=always UtmpIdentifier=cons diff --git a/units/container-getty@.service.in b/units/container-getty@.service.in index 1f633836419..6bee309bf5a 100644 --- a/units/container-getty@.service.in +++ b/units/container-getty@.service.in @@ -25,10 +25,9 @@ Conflicts=rescue.service Before=rescue.service [Service] -# The '-o' option value tells agetty to replace 'login' arguments with an -# option to preserve environment (-p), followed by '--' for safety, and then -# the entered username. -ExecStart=-/sbin/agetty -o '-p -- \\u' --noreset --noclear - ${TERM} +# The '-o' option value tells agetty to replace 'login' arguments with '--' for +# safety, and then the entered username. +ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM} Type=idle Restart=always RestartSec=0 diff --git a/units/getty@.service.in b/units/getty@.service.in index 983f6dba494..3ea95e1ee4f 100644 --- a/units/getty@.service.in +++ b/units/getty@.service.in @@ -34,10 +34,9 @@ Before=rescue.service ConditionPathExists=/dev/tty0 [Service] -# The '-o' option value tells agetty to replace 'login' arguments with an -# option to preserve environment (-p), followed by '--' for safety, and then -# the entered username. -ExecStart=-/sbin/agetty -o '-p -- \\u' --noreset --noclear - ${TERM} +# The '-o' option value tells agetty to replace 'login' arguments with '--' for +# safety, and then the entered username. +ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear - ${TERM} Type=idle Restart=always RestartSec=0 diff --git a/units/serial-getty@.service.in b/units/serial-getty@.service.in index afb8ad06a77..a071241ef90 100644 --- a/units/serial-getty@.service.in +++ b/units/serial-getty@.service.in @@ -30,10 +30,9 @@ Conflicts=rescue.service Before=rescue.service [Service] -# The '-o' option value tells agetty to replace 'login' arguments with an -# option to preserve environment (-p), followed by '--' for safety, and then -# the entered username. -ExecStart=-/sbin/agetty -o '-p -- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM} +# The '-o' option value tells agetty to replace 'login' arguments with '--' for +# safety, and then the entered username. +ExecStart=-/sbin/agetty -o '-- \\u' --noreset --noclear --keep-baud 115200,57600,38400,9600 - ${TERM} Type=idle Restart=always UtmpIdentifier=%I