summaryrefslogtreecommitdiff
path: root/src/login/logind-user.c
AgeCommit message (Collapse)Author
2015-07-29tree-wide: port everything over to fflush_and_check()Lennart Poettering
Some places invoked fflush() directly with their own manual error checking, let's unify all that by using fflush_and_check(). This also unifies the general error paths of fflush()+rename() file writers.
2015-06-17Merge pull request #265 from smcv/logind-runtimedir-race-write-earlierLennart Poettering
logind: save /run/systemd/users/UID before starting user@.service
2015-06-17logind: save /run/systemd/users/UID before starting user@.serviceSimon McVittie
Previously, this had a race condition during a user's first login. Some component calls CreateSession (most likely by a PAM service other than 'systemd-user' running pam_systemd), with the following results: - logind: * create the user's XDG_RUNTIME_DIR * tell pid 1 to create user-UID.slice * tell pid 1 to start user@UID.service Then these two processes race: - logind: * save information including XDG_RUNTIME_DIR to /run/systemd/users/UID - the subprocess of pid 1 responsible for user@service: * start a 'systemd-user' PAM session, which reads XDG_RUNTIME_DIR and puts it in the environment * run systemd --user, which requires XDG_RUNTIME_DIR in the environment If logind wins the race, which usually happens, everything is fine; but if the subprocesses of pid 1 win the race, which can happen under load, then systemd --user exits unsuccessfully. To avoid this race, we have to write out /run/systemd/users/UID even though the service has not "officially" started yet; previously this did an early-return without saving anything. Record its state as OPENING in this case. Bug: https://github.com/systemd/systemd/issues/232 Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
2015-06-17logind: apply selinux label to XDG_RUNTIME_DIRLennart Poettering
As discussed in #257: we should ensure the selinux label is correctly applied to each user's XDG_RUNTIME_DIR.
2015-06-16everywhere: actually make use of DUAL_TIMESTAMP_NULL macroLennart Poettering
Let's use it as initializer where appropriate.
2015-06-15login: fix potential null pointer dereferenceRonny Chevalier
Fix CID 1304686: Dereference after null check (FORWARD_NULL) However, this commit does not fix any bug in logind. It helps to keep the elect_display_compare() function generic.
2015-06-10logind,sd-event: drop spurious new-linesLennart Poettering
2015-06-05logind: Fix user_elect_display() to be more stablePhilip Withnall
The previous implementation of user_elect_display() could easily end up overwriting the user’s valid graphical session with a new TTY session. For example, consider the situation where there is one session: c1, type = SESSION_X11, !stopping, class = SESSION_USER it is initially elected as the user’s display (i.e. u->display = c1). If another session is started, on a different VT, the sessions_by_user list becomes: c1, type = SESSION_X11, !stopping, class = SESSION_USER c2, type = SESSION_TTY, !stopping, class = SESSION_USER In the previous code, graphical = c1 and text = c2, as expected. However, neither graphical nor text fulfil the conditions for setting u->display = graphical (because neither is better than u->display), so the code falls through to check the text variable. The conditions for this match, as u->display->type != SESSION_TTY (it’s actually SESSION_X11). Hence u->display is set to c2, which is incorrect, because session c1 is still valid. Refactor user_elect_display() to use a more explicit filter and pre-order comparison over the sessions. This can be demonstrated to be stable and only ever ‘upgrade’ the session to a more graphical one. https://bugs.freedesktop.org/show_bug.cgi?id=90769
2015-05-29path-util: Change path_is_mount_point() symlink arg from bool to flagsMartin Pitt
This makes path_is_mount_point() consistent with fd_is_mount_point() wrt. flags.
2015-05-05core: rework unit name validation and manipulation logicLennart Poettering
A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-10shared: add formats-util.hRonny Chevalier
2015-04-06util: rework rm_rf() logicLennart Poettering
- Move to its own file rm-rf.c - Change parameters into a single flags parameter - Remove "honour sticky" logic, it's unused these days
2015-02-23remove unused includesThomas Hindoe Paaboel Andersen
This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.
2015-02-10logind: tell Coverity that we knowingly ignore mkdir()'s return valueLennart Poettering
2015-02-03util: rework strappenda(), and rename it strjoina()Lennart Poettering
After all it is now much more like strjoin() than strappend(). At the same time, add support for NULL sentinels, even if they are normally not necessary.
2015-01-27logind: chown+chmod /run/user/$UID if mount(tmpfs) fails with EPERMChristian Seiler
In containers without CAP_SYS_ADMIN, it is not possible to mount tmpfs (or any filesystem for that matter) on top of /run/user/$UID. Previously, logind just failed in such a situation. Now, logind will resort to chown+chmod of the directory instead. This allows logind still to work in those environments, although without the guarantees it provides (i.e. users not being able to DOS /run or other users' /run/user/$UID space) when CAP_SYS_ADMIN is available.
2015-01-27logind: remove per-user runtime dir again if setup failsChristian Seiler
If setup of per-user runtime dir fails, clean up afterwards by removing the directory before returning from the function, so we don't leave the directory behind. If this is not done, the second time the user logs in logind would assume that the directory is already set up, even though it isn't.
2015-01-09logind: unify how we cast between uid_t and pointers for hashmap keysLennart Poettering
2014-11-28treewide: use log_*_errno whenever %m is in the format stringMichal Schmidt
If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28treewide: yet more log_*_errno + return simplificationsMichal Schmidt
Using: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f done And a couple of manual whitespace fixups.
2014-11-28treewide: no need to negate errno for log_*_errno()Michal Schmidt
It corrrectly handles both positive and negative errno values.
2014-11-28treewide: auto-convert the simple cases to log_*_errno()Michal Schmidt
As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().
2014-10-23mac: also rename use_{smack,selinux,apparmor}() calls so that they share the ↵Lennart Poettering
new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-09logind: mount per-user tmpfs with 'smackfsroot=*' for smack enabled systemsLukasz Skalski
2014-08-14logind: add new session type "web" for PAM web clients, such as cockpitLennart Poettering
On request of Stef Walter.
2014-05-19logind: fix Display property of user objectsLennart Poettering
When we dropped support for creating a per-user to the "main" X11 display we stopped returning useful data in the "Display" user property. With this change this is fixed and we again expose an appropriate (graphical session) in the property that is useful as the "main" one, if one is needed.
2014-05-15Remove unnecessary casts in printfsZbigniew Jędrzejewski-Szmek
No functional change expected :)
2014-03-14logind: automatically remove SysV + POSIX IPC objects when the users owning ↵Lennart Poettering
them fully log out
2014-03-04logind: make $XDG_RUNTIME_DIR a per-user tmpfsLennart Poettering
This way each user allocates from his own pool, with its own size limit. This puts the size limit by default to 10% of the physical RAM size but makes it configurable in logind.conf.
2014-02-13logind: make sure to terminate systemd user on logoutsDjalal Harouni
Currently if the user logs out, the GC may never call user_stop(), this will not terminate the systemd user and (sd-pam) of that user. To fix this, remove the USER_CLOSING state check that is blocking the GC from calling user_stop(). Since if user_check_gc() returns false this means that all the sessions of the user were removed which will make user_get_state() return USER_CLOSING. Conclusion: that test will never be statisfied. So we remove the USER_CLOSING check and replace it with a check inside user_stop() this way we know that user_stop() has already queued stop jobs, no need to redo. This ensures that the GC will get its two steps correctly as pointed out by Lennart: http://lists.freedesktop.org/archives/systemd-devel/2014-February/016825.html Note: this also fixes another bug that prevents creating the user private dbus socket which will break communications with the user manager.
2014-02-11logind: always kill session when termination is requestedZbigniew Jędrzejewski-Szmek
KillUserProcesses=yes/no should be ignored when termination is explicitly requested.
2014-02-11logind: use session_get_state() to get sessions state of the userDjalal Harouni
In function user_get_state() remove the session_is_active() check, just count on the session_get_state() function to get the correct session state. session_is_active() may return true before starting the session scope and user service, this means it will return true even before the creation of the session fifo_fd which will produce incorrect states. So be consistent and just use session_get_state().
2014-02-07logind: rework session shutdown logicLennart Poettering
Simplify the shutdown logic a bit: - Keep the session FIFO around in the PAM module, even after the session shutdown hook has been finished. This allows logind to track precisely when the PAM handler goes away. - In the ReleaseSession() call start a timer, that will stop terminate the session when elapsed. - Never fiddle with the KillMode of scopes to configure whether user processes should be killed or not. Instead, simply leave the scope units around when we terminate a session whose processes should not be killed. - When killing is enabled, stop the session scope on FIFO EOF or after the ReleaseSession() timeout. When killing is disabled, simply tell PID 1 to abandon the scope. Because the scopes stay around and hence all processes are always member of a scope, the system shutdown logic should be more robust, as the scopes can be shutdown as part of the usual shutdown logic.
2014-02-05Update some message formatsZbigniew Jędrzejewski-Szmek
Use PID_FMT/USEC_FMT/... in more places. Also update logind error messages to print the full path to a file that failed. This should make debugging easier for people who do not know off the top of their head where logind stores it state.
2013-12-21logind: remove dead variableZbigniew Jędrzejewski-Szmek
Noticed-by: Jan Alexander Steffens <jan.steffens@gmail.com>
2013-12-18login: Don't stop a running user manager from garbage-collecting the user.Thomas Bächler
With the current logic, a user will never be garbage-collected, since its manager will always be around. Change the logic such that a user is garbage-collected when it has no sessions and linger is disabled.
2013-11-05logind: expose linger state on User objectLennart Poettering
2013-11-05logind: port logind to libsystemd-busLennart Poettering
2013-10-14list: make our list macros a bit easier to use by not requring type spec on ↵Lennart Poettering
each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.
2013-08-13logind: restore logic to kill user processes when session endsLennart Poettering
2013-07-02logind: after deserializatio readd systemd units to unit-to-object hashmap ↵Lennart Poettering
correctly
2013-07-02machined: split out machine registration stuff from logindLennart Poettering
Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.
2013-07-02logind: port over to use scopes+slices for all cgroup stuffLennart Poettering
In order to prepare things for the single-writer cgroup scheme, let's make logind use systemd's own primitives for cgroup management. Every login user now gets his own private slice unit, in which his sessions live in a scope unit each. Also, add user@$UID.service to the same slice, and implicitly start it on first login.
2013-06-27core: general cgroup reworkLennart Poettering
Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-06-20logind: add infrastructure to keep track of machines, and move to slicesLennart Poettering
- This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-04-22cgroup: make sure all our cgroup objects have a suffix and are properly escapedLennart Poettering
Session objects will now get the .session suffix, user objects the .user suffix, nspawn containers the .nspawn suffix. This also changes the user cgroups to be named after the numeric UID rather than the username, since this allows us the parse these paths standalone without requiring access to the cgroup file system. This also changes the mapping of instanced units to cgroups. Instead of mapping foo@bar.service to the cgroup path /user/foo@.service/bar we will now map it to /user/foo@.service/foo@bar.service, in order to ensure that all our objects are properly suffixed in the tree.
2013-04-15core: always create /user and /machine top-level cgroup dirsLennart Poettering
This allows clients to put inotify watches on these trees to watch for state changes, without having to wait until these dirs are created. This introduces the new top-level /machine cgroup dir as canonical location where OS containers and VMs shall be located (as discussed with the libvirt folks).
2013-02-14honor SELinux labels, when creating and writing config filesHarald Hoyer
Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577
2012-09-21logind: check return value, log warning on errorVáclav Pavlín
2012-09-12logind: Add a two new variables to the user session tracking file.Colin Guthrie
This counts 'online sessions' in addition to 'active sessions' and 'sessions'. In this context, an 'online session' covers all session in the 'active' state in addition to the explicit 'online' state. This provides an easy machanism to determin all relevant sessions easily (i.e. those that are not 'closing') and adds new semantics to the sd-login.c APIs sd_uid_get_sessions() and sd_uid_get_seats() where the require_active argument can be supplied as a value 2 which only lists sessions which are 'online'. This functionality should allow client applications to avoid deadlocks where they only exit when all sessions are complete, such as a the problem where PulseAudio will not exit until all sessions are gone, but in itself prevents the session from exiting.