logind: don't apply RemoveIPC= to system users

We shouldn't destroy IPC objects of system users on logout. http://lists.freedesktop.org/archives/systemd-devel/2014-April/018373.html This introduces SYSTEM_UID_MAX defined to the maximum UID of system users. This value is determined compile-time, either as configure switch or from /etc/login.defs. (We don't read that file at runtime, since this is really a choice for a system builder, not the end user.) While we are at it we then also update journald to use SYSTEM_UID_MAX when we decide whether to split out log data for a specific client.
author: Lennart Poettering <lennart@poettering.net> 2014-05-21 09:31:22 +0900
committer: Lennart Poettering <lennart@poettering.net> 2014-05-21 09:36:49 +0900
commit: f7dc3ab9f43b67abcbd34062b9352ab42debec49 (patch)
tree: 0a797055292a0741ef3f1cf473e3933926b42a74
parent: f5c0c00f400e6f1fa58c5faf8bc93ca9057d4463 (diff)
5 files changed, 30 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am
index f2a3bbd024..1808f801cb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4879,7 +4879,9 @@ substitutions = \
        '|PYTHON=$(PYTHON)|' \
        '|PYTHON_BINARY=$(PYTHON_BINARY)|' \
        '|NTP_SERVERS=$(NTP_SERVERS)|' \
-       '|DNS_SERVERS=$(DNS_SERVERS)|'
+       '|DNS_SERVERS=$(DNS_SERVERS)|' \
+       '|systemuidmax=$(SYSTEM_UID_MAX)|' \
+       '|systemgidmax=$(SYSTEM_GID_MAX)|'
 
 SED_PROCESS = \
 	$(AM_V_GEN)$(MKDIR_P) $(dir $@) && \
diff --git a/configure.ac b/configure.ac
index 9a849ffe7b..c41f6c9a70 100644
--- a/configure.ac
+++ b/configure.ac
@@ -854,6 +854,26 @@ AC_ARG_WITH(time-epoch,
 AC_DEFINE_UNQUOTED(TIME_EPOCH, [$TIME_EPOCH], [Time Epoch])
 
 # ------------------------------------------------------------------------------
+AC_ARG_WITH(system-uid-max,
+        AS_HELP_STRING([--with-system-uid-max=UID]
+                [Maximum UID for system users]),
+        [SYSTEM_UID_MAX="$withval"],
+        [SYSTEM_UID_MAX="`awk 'BEGIN { uid=999 } /^\s*SYS_UID_MAX\s+/ { uid=$2 } END { print uid }' /etc/login.defs 2>/dev/null || echo 999`"])
+
+AC_DEFINE_UNQUOTED(SYSTEM_UID_MAX, [$SYSTEM_UID_MAX], [Maximum System UID])
+AC_SUBST(SYSTEM_UID_MAX)
+
+# ------------------------------------------------------------------------------
+AC_ARG_WITH(system-gid-max,
+        AS_HELP_STRING([--with-system-gid-max=GID]
+                [Maximum GID for system groups]),
+        [SYSTEM_GID_MAX="$withval"],
+        [SYSTEM_GID_MAX="`awk 'BEGIN { gid=999 } /^\s*SYS_GID_MAX\s+/ { gid=$2 } END { print gid }' /etc/login.defs 2>/dev/null || echo 999`"])
+
+AC_DEFINE_UNQUOTED(SYSTEM_GID_MAX, [$SYSTEM_GID_MAX], [Maximum System GID])
+AC_SUBST(SYSTEM_GID_MAX)
+
+# ------------------------------------------------------------------------------
 have_localed=no
 AC_ARG_ENABLE(localed, AS_HELP_STRING([--disable-localed], [disable locale daemon]))
 if test "x$enable_localed" != "xno"; then
@@ -1256,6 +1276,8 @@ AC_MSG_RESULT([
         Extra start script:      ${RC_LOCAL_SCRIPT_PATH_START}
         Extra stop script:       ${RC_LOCAL_SCRIPT_PATH_STOP}
         Debug shell:             ${SUSHELL} @ ${DEBUGTTY}
+        Maximum System UID:      ${SYSTEM_UID_MAX}
+        Maximum System GID:      ${SYSTEM_GID_MAX}
 
         CFLAGS:                  ${OUR_CFLAGS} ${CFLAGS}
         CPPFLAGS:                ${OUR_CPPFLAGS} ${CPPFLAGS}
diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
index de0f6494e9..f8bccb5d6a 100644
--- a/src/core/systemd.pc.in
+++ b/src/core/systemd.pc.in
@@ -19,6 +19,8 @@ systemduserunitpath=${systemduserconfdir}:/etc/systemd/user:/run/systemd/user:/u
 systemdsystemgeneratordir=@systemgeneratordir@
 systemdusergeneratordir=@usergeneratordir@
 catalogdir=@catalogdir@
+systemuidmax=@systemuidmax@
+systemgidmax=@systemgidmax@
 
 Name: systemd
 Description: systemd System and Service Manager
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 0439caf909..381d80a938 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -258,7 +258,7 @@ static JournalFile* find_journal(Server *s, uid_t uid) {
         if (s->runtime_journal)
                 return s->runtime_journal;
 
-        if (uid <= 0)
+        if (uid <= SYSTEM_UID_MAX)
                 return s->system_journal;
 
         r = sd_id128_get_machine(&machine);
diff --git a/src/shared/clean-ipc.c b/src/shared/clean-ipc.c
index ddd42cc2b2..cb1722614e 100644
--- a/src/shared/clean-ipc.c
+++ b/src/shared/clean-ipc.c
@@ -332,8 +332,8 @@ fail:
 int clean_ipc(uid_t uid) {
         int ret = 0, r;
 
-        /* Refuse to clean IPC of the root user */
-        if (uid == 0)
+        /* Refuse to clean IPC of the root and system users */
+        if (uid <= SYSTEM_UID_MAX)
                 return 0;
 
         r = clean_sysvipc_shm(uid);
author	Lennart Poettering <lennart@poettering.net>	2014-05-21 09:31:22 +0900
committer	Lennart Poettering <lennart@poettering.net>	2014-05-21 09:36:49 +0900
commit	f7dc3ab9f43b67abcbd34062b9352ab42debec49 (patch)
tree	0a797055292a0741ef3f1cf473e3933926b42a74
parent	f5c0c00f400e6f1fa58c5faf8bc93ca9057d4463 (diff)