summaryrefslogtreecommitdiff
path: root/src/login
AgeCommit message (Collapse)Author
2016-05-24Revert "rules: allow users to access frame buffer devices" (#3333)Zbigniew Jędrzejewski-Szmek
This reverts commit 483d8bbb4c0190f419bf9fba57fb0feb1a56bea6. In [1] Michel Dänzer and Daniel Vetter wrote: >> The scenario you describe isn't possible if the Wayland compositor >> directly uses the KMS API of /dev/dri/card*, but it may be possible if >> the Wayland compositor uses the fbdev API of /dev/fb* instead (e.g. if >> weston uses its fbdev backend). > > Yeah, if both weston and your screen grabber uses native fbdev API you can > now screenshot your desktop. And since fbdev has no concept of "current > owner of the display hw" like the drm master, I think this is not fixable. > At least not just in userspace. Also even with native KMS compositors > fbdev still doesn't have the concept of ownership, which is why it doesn't > bother clearing it's buffer before KMS takes over. I agree that this > should be reverted or at least hidden better. TBH, I think that privilege separation between processes running under the same UID is tenuous. Even with drm, in common setups any user process can ptrace the "current owner of the display" and call DROP_MASTER or do whatever. It *is* possible to prevent that, e.g. by disabling ptrace using yama.ptrace_scope, or selinux, and so on, but afaik this is not commonly done. E.g. all Fedora systems pull in elfutils-default-yama-scope.rpm through dependencies which sets yama.ptrace_scope=0. And even assuming that ptrace was disabled, it is trivial to modify files on disk, communicate through dbus, etc; there is just to many ways for a non-sandboxed process to interact maliciously with the display shell to close them all off. To achieve real protection, some sort of sandboxing must be implemented, and in that case there is no need to rely on access mode on the device files, since much more stringent measures have to be implemented anyway. The situation is similar for framebuffer devices. It is common to add framebuffer users to video group to allow them unlimited access to /dev/fb*. Using uaccess would be better solution in that case. Also, since there is no "current owner" limitation like in DRM, processes running under the same UID should be able to access /proc/<pid-of-display-server>/fd/* and gain access to the devices. Nevertheless, weston implements a suid wrapper to access the devices and then drop privileges, and this patch would make this daemon pointless. So if the weston developers feel that this change reduces security, I prefer to revert it. [1] https://lists.freedesktop.org/archives/wayland-devel/2016-May/029017.html
2016-05-11logind: introduce LockedHint and SetLockedHint (#3238)Victor Toso
Desktop environments can keep this property up to date to allow applications to easily track session's Lock status.
2016-05-09tree-wide: rename draw_special_char to special_glyphZbigniew Jędrzejewski-Szmek
That function doesn't draw anything on it's own, just returns a string, which sometimes is more than one character. Also remove "DRAW_" prefix from character names, TREE_* and ARROW and BLACK_CIRCLE are unambigous on their own, don't draw anything, and are always used as an argument to special_glyph(). Rename "DASH" to "MDASH", as there's more than one type of dash.
2016-05-07Merge pull request #3191 from poettering/cgroups-agent-dgramEvgeny Vereshchagin
core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification
2016-05-05logind: drop pointless UINT64_C() macro useLennart Poettering
2016-05-05logind: enforce a limit on inhibitors we hand outLennart Poettering
For similar reasons as the recent addition of a limit on sessions. Note that we don't enforce a limit on inhibitors per-user currently, but there's an implicit one, since each inhibitor takes up one fd, and fds are limited via RLIMIT_NOFILE, and the limit on the number of processes per user.
2016-05-05logind: expose more configuration settings as bus propertiesLennart Poettering
2016-05-05logind: don't include session lists in PropertyChanged messagesLennart Poettering
If we have a lot of simultaneous sessions we really shouldn't send the full list of active sessions with each PropertyChanged message for user and seat objects, as that can become quite substantial data, we probably shouldn't dump on the bus on each login and logout. Note that the global list of sessions doesn't send out changes like this either, it only supports requesting the session list with ListSessions(). If cients want to get notified about sessions coming and going they should subscribe to SessionNew and SessionRemoved signals, and clients generally do that already. This is kind of an API break, but then again the fact that this was included was never documented.
2016-05-05logind: process session/inhibitor fds at higher priorityLennart Poettering
Let's make sure we process session and inhibitor pipe fds (that signal sessions/inhibtors going away) at a higher priority than new bus calls that might create new sessions or inhibitors. This helps ensuring that the number of open sessions stays minimal.
2016-05-05logind: enforce a limit on current user sessionsLennart Poettering
We really should put limits on all resources we manage, hence add one to the number of concurrent sessions, too. This was previously unbounded, hence set a relatively high limit of 8K by default. Note that most PAM setups will actually invoke pam_systemd prefixed with "-", so that the return code of pam_systemd is ignored, and the login attempt succeeds anyway. On systems like this the session will be created but is not tracked by systemd.
2016-05-05tree-wide: introduce new SOCKADDR_UN_LEN() macro, and use it everywhereLennart Poettering
The macro determines the right length of a AF_UNIX "struct sockaddr_un" to pass to connect() or bind(). It automatically figures out if the socket refers to an abstract namespace socket, or a socket in the file system, and properly handles the full length of the path field. This macro is not only safer, but also simpler to use, than the usual offsetof() + strlen() logic.
2016-04-26systemd --user: call pam_loginuid when creating user@.service (#3120)Zbigniew Jędrzejewski-Szmek
This way the user service will have a loginuid, and it will be inherited by child services. This shouldn't change anything as far as systemd itself is concerned, but is nice for various services spawned from by systemd --user that expect a loginuid. pam_loginuid(8) says that it should be enabled for "..., crond and atd". user@.service should behave similarly to those two as far as audit is concerned. https://bugzilla.redhat.com/show_bug.cgi?id=1328947#c28
2016-04-22shared: drop kernel_thread bool from cgroups show codeLennart Poettering
Make this an output flag instead, so that our function prototypes can lose one parameter
2016-04-22loginctl,machinectl: also make use of new GetProcesses() bus callLennart Poettering
This ports over machinectl and loginctl to also use the new GetProcesses() bus call to show the process tree of a container or login session. This is similar to how systemctl already has been ported over in a previous commit.
2016-04-21Merge pull request #3005 from keszybz/kill-user-procesesLennart Poettering
Kill user session scope by default
2016-04-21loginctl: show linger status in user-statusZbigniew Jędrzejewski-Szmek
zbyszek (1002) Since: Tue 2016-04-12 23:11:46 EDT; 23min ago State: active Sessions: *3 Linger: yes Unit: user-1002.slice ├─user@1002.service │ └─init.scope │ ├─38 /usr/lib/systemd/systemd --user │ └─39 (sd-pam) └─session-3.scope ├─ 31 login -- zbyszek ├─ 44 -bash ├─15076 loginctl user-status zbyszek └─15077 less
2016-04-21logind: allow any user to request lingeringZbigniew Jędrzejewski-Szmek
We enable lingering for anyone who wants this. It is still disabled by default to avoid keeping long-running processes accidentally. Admins might want to customize this policy on multi-user sites.
2016-04-21logind: make KillOnlyUsers override KillUserProcessesZbigniew Jędrzejewski-Szmek
Instead of KillOnlyUsers being a filter for KillUserProcesses, it can now be used to specify users to kill, independently of the KillUserProcesses setting. Having the settings orthogonal seems to make more sense. It also makes KillOnlyUsers symmetrical to KillExcludeUsers.
2016-04-21build-sys: add --without-kill-user-processes configure optionZbigniew Jędrzejewski-Szmek
2016-04-21logind: flip KillUserProcesses to on by defaultZbigniew Jędrzejewski-Szmek
This ensures that users sessions are properly cleaned up after. The admin can still enable or disable linger for specific users to allow them to run processes after they log out. Doing that through the user session is much cleaner and provides better control. dbus daemon can now be run in the user session (with --enable-user-session, added in 1.10.2), and most distributions opted to pick this configuration. In the normal case it makes a lot of sense to kill remaining processes. The exception is stuff like screen and tmux. But it's easy enough to work around, a simple example was added to the man page in previous commit. In the long run those services should integrate with the systemd users session on their own. https://bugs.freedesktop.org/show_bug.cgi?id=94508 https://github.com/systemd/systemd/issues/2900
2016-04-21logind: reload config on SIGHUPZbigniew Jędrzejewski-Szmek
v2: - fix setting of kill_user_processes and *_ignore_inhibited settings
2016-04-20logind: use type to determine graphical sessions (#3071)Michał Bartoszkiewicz
2016-04-13tree-wide: remove useless NULLs from strjoinaZbigniew Jędrzejewski-Szmek
The coccinelle patch didn't work in some places, I have no idea why.
2016-04-12tree-wide: add new SIGNAL_VALID() macro-like function that validates signal ↵Lennart Poettering
numbers And port all code over to use it.
2016-04-06Merge pull request #2962 from keszybz/value-optionLennart Poettering
Add `--value` option to systemctl and loginctl to only print values
2016-04-04loginctl: add --value optionZbigniew Jędrzejewski-Szmek
2016-04-04systemctl: add --value optionZbigniew Jędrzejewski-Szmek
With this option, systemctl will only print the rhs in show: $ systemctl show -p Wants,After systemd-journald --value systemd-journald.socket ... systemd-journald-dev-log.socket ... This is useful in scripts, because the need to call awk or similar is removed.
2016-03-24logind: fix crash when shutdown is not issued from a ttyMartin Pitt
It's possible that sd_bus_creds_get_tty() fails and thus scheduled_shutdown_tty is NULL in method_schedule_shutdown(). Fix logind_wall_tty_filter() to get along with that, by showing the message on all TTYs, instead of crashing in strcmp(). https://launchpad.net/bugs/1553040
2016-03-22Merge pull request #2844 from yarda/uaccess-3dprintersZbigniew Jędrzejewski-Szmek
Add support for 3D printers to uaccess (ID_3DPRINTER).
2016-03-22Added support for 3D printers to uaccess (ID_MAKER_TOOL)Jaroslav Škarvada
This is to support 3D printers, CNCs, laser cutters, 3D scanners, etc.
2016-03-17rules: allow users to access frame buffer devicesZbigniew Jędrzejewski-Szmek
For example it allows weston to be started unprivileged. Related discussion: https://bugs.freedesktop.org/show_bug.cgi?id=73782 https://lists.freedesktop.org/archives/wayland-devel/2015-May/022005.html https://bugzilla.redhat.com/show_bug.cgi?id=1226680
2016-03-01selinux: always try to load the full selinux dbZbigniew Jędrzejewski-Szmek
https://github.com/systemd/systemd/pull/2508#issuecomment-190901170 Maybe fixes https://bugzilla.redhat.com/show_bug.cgi?id=1308771.
2016-02-26tree-wide: merge pager_open_if_enabled() to the pager_open()Alexander Kuleshov
Many subsystems define own pager_open_if_enabled() function which checks '--no-pager' command line argument and open pager depends on its value. All implementations of pager_open_if_enabled() are the same. Let's merger this function with pager_open() from the shared/pager.c and remove pager_open_if_enabled() from all subsytems to prevent code duplication.
2016-02-15time-util: Rename and fix call of deserialize_timestamp_value()Benjamin Robin
The deserialize_timestamp_value() is renamed timestamp_deserialize() to be more consistent with dual_timestamp_deserialize() And add the NULL check back on realtime and monotonic
2016-02-16logind: use deserialize_timestamp_value()Alexander Kuleshov
which is introduced in the ebf30a086d commit.
2016-02-10tree-wide: remove Emacs lines from all filesDaniel Mack
This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.
2016-02-02logind: load SELinux labelling systemNicolas Iooss
systemd-logind uses mkdir_label and label_fix functions without calling first mac_selinux_init. This makes /run/user/$UID/ directories not labelled correctly on an Arch Linux system using SELinux. Fix this by calling mac_selinux_init("/run") early in systemd-logind. This makes files created in /etc/udev/rules.d and /var/lib/systemd to be labelled through transitions in the SELinux policy instead of using setfscreatecon (with mac_selinux_create_file_prepare).
2016-01-26logind: update documentation for cf7d1a30e44Mantas Mikulėnas
2016-01-25logind,machined: bump TasksMax=Lennart Poettering
Issue #2388 suggests the current TasksMax= setting for user processes is to low. Bump it to 12K. Also, bump the container TasksMax= from 8K to 16K, so that it remains higher than the one for user processes. (Compare: the kernel default limit for processes system-wide is 32K). Fixes #2388
2016-01-20basic/terminal-util: introduce SYSTEMD_COLORS environment variableJan Synacek
... to determine if color output should be enabled. If the variable is not set, fall back to using on_tty(). Also, rewrite existing code to use colors_enabled() where appropriate.
2016-01-18logind: simplify job variable handlingZbigniew Jędrzejewski-Szmek
manager_{start,stop}_{slice,scope,unit} functions had an optional job output parameter. But all callers specified job, so make the parameter mandatory, add asserts. Also extract common job variable handling to a helper function to avoid duplication. Avoids gcc warning about job being unitialized.
2016-01-18logind: do not use an uninitialized variableZbigniew Jędrzejewski-Szmek
We requested various fields using SD_BUS_CREDS_AUGMENT but at least sd_bus_creds_get_tty can fail with ENXIO, not setting the output variable.
2016-01-13tree-wide: check if errno is greater than zero (2)Zbigniew Jędrzejewski-Szmek
Compare errno with zero in a way that tells gcc that (if the condition is true) errno is positive.
2016-01-13tree-wide: check if errno is greater then zeroZbigniew Jędrzejewski-Szmek
gcc is confused by the common idiom of return errno ? -errno : -ESOMETHING and thinks a positive value may be returned. Replace this condition with errno > 0 to help gcc and avoid many spurious warnings. I filed a gcc rfe a long time ago, but it hard to say if it will ever be implemented [1]. Both conventions were used in the codebase, this change makes things more consistent. This is a follow up to bcb161b0230f. [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61846
2016-01-12tree-wide: use xsprintf() where applicableDaniel Mack
Also add a coccinelle receipt to help with such transitions.
2015-12-19Fix typo on logind-dbus.cJoost Bremmer
method_schedule_shutdown referenced org.freedesktop.login1.poweroff* which is never registered in polkit. Now refers to org.freedesktop.login1.power-off* Signed-off-by: Joost Bremmer <toost.b@gmail.com>
2015-12-04login: make sure /run/nologin has correct SELinux labelMichal Sekletar
2015-11-27tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easyLennart Poettering
GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.
2015-11-18tree-wide: sort includes in *.hThomas Hindoe Paaboel Andersen
This is a continuation of the previous include sort patch, which only sorted for .c files.
2015-11-17Merge pull request #1926 from phomes/include-order-libudevDaniel Mack
tree-wide: group include of libudev.h with sd-*