-rw-r--r--Makefile.am1
-rw-r--r--man/systemd-tmpfiles.xml6
-rw-r--r--man/tmpfiles.d.xml25
-rw-r--r--src/tmpfiles/tmpfiles.c22
-rw-r--r--tmpfiles.d/legacy.conf6
-rw-r--r--tmpfiles.d/systemd-nologin.conf11
-rw-r--r--tmpfiles.d/systemd.conf4
-rw-r--r--tmpfiles.d/x11.conf2
-rw-r--r--units/systemd-tmpfiles-setup.service.in6
9 files changed, 71 insertions, 12 deletions
diff --git a/Makefile.am b/Makefile.am
index f4b19589a1..b7a4681447 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1584,6 +1584,7 @@ nodist_systemunit_DATA += \
dist_tmpfiles_DATA = \
tmpfiles.d/systemd.conf \
+ tmpfiles.d/systemd-nologin.conf \
tmpfiles.d/tmp.conf \
tmpfiles.d/x11.conf
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index c65636b0fe..9b8932c635 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -147,6 +147,12 @@
removed.</para></listitem>
</varlistentry>
<varlistentry>
+ <term><option>--unsafe</option></term>
+ <listitem><para>Also execute lines
+ with an exclamation mark.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>--prefix=PATH</option></term>
<listitem><para>Only apply rules that
apply to paths with the specified
diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml
index 331fd1b472..0da52aedad 100644
--- a/man/tmpfiles.d.xml
+++ b/man/tmpfiles.d.xml
@@ -113,6 +113,9 @@ L /tmp/foobar - - - - /dev/null</programlisting>
<refsect2>
<title>Type</title>
+ <para>The type consists of a single letter and
+ optionally an exclamation mark.</para>
+
<para>The following line types are understood:</para>
<variablelist>
@@ -262,6 +265,28 @@ L /tmp/foobar - - - - /dev/null</programlisting>
names.</para></listitem>
</varlistentry>
</variablelist>
+
+ <para>If the exclamation mark is used, this
+ line is only safe of execute during boot, and
+ can break a running system. Lines without the
+ exclamation mark are presumed to be safe to
+ execute at any time, e.g. on package upgrades.
+ <command>systemd-tmpfiles</command> will
+ execute line with an exclamation mark only if
+ option <option>--unsafe</option> is given.
+ </para>
+
+ <para>For example:
+ <programlisting>
+# Make sure these are created by default so that nobody else can
+d /tmp/.X11-unix 1777 root root 10d
+
+# Unlink the X11 lock files
+r! /tmp/.X[0-9]*-lock
+ </programlisting>
+ The second line in contrast to the first one
+ would break a running system, and will only be
+ executed with <option>--unsafe</option>.</para>
</refsect2>
<refsect2>
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 02351e18f7..881c3b0d78 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -107,6 +107,7 @@ static Set *unix_sockets = NULL;
static bool arg_create = false;
static bool arg_clean = false;
static bool arg_remove = false;
+static bool arg_unsafe = false;
static char **include_prefixes = NULL;
static char **exclude_prefixes = NULL;
@@ -1077,7 +1078,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
_cleanup_item_free_ Item *i = NULL;
Item *existing;
_cleanup_free_ char
- *mode = NULL, *user = NULL, *group = NULL, *age = NULL, *path = NULL;
+ *action = NULL, *mode = NULL, *user = NULL, *group = NULL, *age = NULL, *path = NULL;
char type;
Hashmap *h;
int r, n = -1;
@@ -1087,8 +1088,8 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
assert(buffer);
r = sscanf(buffer,
- "%c %ms %ms %ms %ms %ms %n",
- &type,
+ "%ms %ms %ms %ms %ms %ms %n",
+ &action,
&path,
&mode,
&user,
@@ -1100,6 +1101,14 @@ static int parse_line(const char *fname, unsigned line, const char *buffer) {
return -EIO;
}
+ if (strlen(action) > 2 || (strlen(action) > 1 && action[1] != '!')) {
+ log_error("[%s:%u] Unknown modifier '%s'", fname, line, action);
+ return -EINVAL;
+ } else if (strlen(action) > 1 && !arg_unsafe)
+ return 0;
+
+ type = action[0];
+
i = new0(Item, 1);
if (!i)
return log_oom();
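Review bot: A line marked `!` is dropped by the bare `return 0;` in the `else if` branch with no log output, and apparently before the rest of the line is validated (that code lies outside this hunk). A run without `--unsafe` therefore leaves no trace of which rules were skipped and will not report syntax errors in them. A debug message before returning would make the skip visible, e.g. `log_debug("[%s:%u] Skipping line marked '!' (--unsafe not given)", fname, line);`. The three `strlen(action)` calls could also be stored once in a `size_t` local, and the `else if` body braced to match the `if`. parse_line begins and continues outside the hunk.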
@@ -1271,6 +1280,7 @@ static int help(void) {
" --create Create marked files/directories\n"
" --clean Clean up marked directories\n"
" --remove Remove marked files/directories\n"
+ " --unsafe Execute actions only safe at boot\n"
" --prefix=PATH Only apply rules that apply to paths with the specified prefix\n"
" --exclude-prefix=PATH Ignore rules that apply to paths with the specified prefix\n",
program_invocation_short_name);
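Review bot: The new help string `Execute actions only safe at boot` is ambiguous: it can be read as "execute only the actions that are safe at boot", which suggests the flag restricts what runs rather than widening it. The man page hunk in this commit words it as `Also execute lines with an exclamation mark`, and the help text would be clearer if it said the same, e.g. `"  --unsafe                 Also execute lines marked with '!'\n"`. help() starts outside the hunk.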
@@ -1285,6 +1295,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_CREATE,
ARG_CLEAN,
ARG_REMOVE,
+ ARG_UNSAFE,
ARG_PREFIX,
ARG_EXCLUDE_PREFIX,
};
@@ -1295,6 +1306,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "create", no_argument, NULL, ARG_CREATE },
{ "clean", no_argument, NULL, ARG_CLEAN },
{ "remove", no_argument, NULL, ARG_REMOVE },
+ { "unsafe", no_argument, NULL, ARG_UNSAFE },
{ "prefix", required_argument, NULL, ARG_PREFIX },
{ "exclude-prefix", required_argument, NULL, ARG_EXCLUDE_PREFIX },
{}
@@ -1329,6 +1341,10 @@ static int parse_argv(int argc, char *argv[]) {
arg_remove = true;
break;
+ case ARG_UNSAFE:
+ arg_unsafe = true;
+ break;
+
case ARG_PREFIX:
if (strv_extend(&include_prefixes, optarg) < 0)
return log_oom();
diff --git a/tmpfiles.d/legacy.conf b/tmpfiles.d/legacy.conf
index 3fff347db4..a1656873da 100644
--- a/tmpfiles.d/legacy.conf
+++ b/tmpfiles.d/legacy.conf
@@ -29,6 +29,6 @@ d /run/lock/lockdev 0775 root lock -
# kernel command line options 'fsck.mode=force', 'fsck.mode=skip' and
# 'quotacheck.mode=force'
-r /forcefsck
-r /fastboot
-r /forcequotacheck
+r! /forcefsck
+r! /fastboot
+r! /forcequotacheck
diff --git a/tmpfiles.d/systemd-nologin.conf b/tmpfiles.d/systemd-nologin.conf
new file mode 100644
index 0000000000..d61232b534
--- /dev/null
+++ b/tmpfiles.d/systemd-nologin.conf
@@ -0,0 +1,11 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) and systemd-forbid-user-logins.service(5).
+# This file has special suffix so it is not run by mistake.
+
+F! /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)"
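Review bot: The comment `This file has special suffix so it is not run by mistake` does not match what the commit installs. The file is named `systemd-nologin.conf` and is added to `dist_tmpfiles_DATA` in the Makefile.am hunk, so it has the ordinary `.conf` suffix and is presumably read like every other snippet. What keeps `/run/nologin` from being recreated on a running system (which would block non-root logins) is the `!` on the `F!` line, and the comment should say so, e.g. `# The '!' marks this line as boot-only; it is skipped unless --unsafe is given.`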
diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf
index a05c6577d2..7c6d6b9099 100644
--- a/tmpfiles.d/systemd.conf
+++ b/tmpfiles.d/systemd.conf
@@ -8,7 +8,7 @@
# See tmpfiles.d(5) for details
d /run/user 0755 root root ~10d
-F /run/utmp 0664 root utmp -
+F! /run/utmp 0664 root utmp -
f /var/log/wtmp 0664 root utmp -
f /var/log/btmp 0600 root utmp -
@@ -22,8 +22,6 @@ d /run/systemd/users 0755 root root -
d /run/systemd/machines 0755 root root -
d /run/systemd/shutdown 0755 root root -
-F /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)"
-
m /var/log/journal 2755 root systemd-journal - -
m /var/log/journal/%m 2755 root systemd-journal - -
m /run/log/journal 2755 root systemd-journal - -
diff --git a/tmpfiles.d/x11.conf b/tmpfiles.d/x11.conf
index ece6a5ce98..4c96a54a13 100644
--- a/tmpfiles.d/x11.conf
+++ b/tmpfiles.d/x11.conf
@@ -15,4 +15,4 @@ d /tmp/.font-unix 1777 root root 10d
d /tmp/.Test-unix 1777 root root 10d
# Unlink the X11 lock files
-r /tmp/.X[0-9]*-lock
+r! /tmp/.X[0-9]*-lock
diff --git a/units/systemd-tmpfiles-setup.service.in b/units/systemd-tmpfiles-setup.service.in
index 3405e2842c..c2dcae0e13 100644
--- a/units/systemd-tmpfiles-setup.service.in
+++ b/units/systemd-tmpfiles-setup.service.in
@@ -6,7 +6,7 @@
# (at your option) any later version.
[Unit]
-Description=Recreate Volatile Files and Directories
+Description=Create Volatile Files and Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
DefaultDependencies=no
Wants=local-fs.target
@@ -18,8 +18,10 @@ ConditionDirectoryNotEmpty=|/lib/tmpfiles.d
ConditionDirectoryNotEmpty=|/usr/local/lib/tmpfiles.d
ConditionDirectoryNotEmpty=|/etc/tmpfiles.d
ConditionDirectoryNotEmpty=|/run/tmpfiles.d
+RefuseManualStart=yes
+RefuseManualStop=yes
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart=@rootbindir@/systemd-tmpfiles --create --remove --exclude-prefix=/dev
+ExecStart=@rootbindir@/systemd-tmpfiles --create --remove --unsafe --exclude-prefix=/dev
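Review bot: Nothing in the unit says why it now refuses manual start and stop; the reason is only visible by reading the ExecStart change. With `--unsafe` the service executes the `!` lines that the tmpfiles.d man page hunk describes as able to break a running system. A comment above the two new directives would keep a later edit from dropping them, for example `# Boot-only: ExecStart passes --unsafe, so this must never be (re)run on a live system`. It may also be worth confirming that no other unit or packaging script invokes systemd-tmpfiles with `--unsafe` outside boot; that cannot be checked from this diff.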