Age | Commit message (Collapse) | Author |
|
No functional changes.
|
|
This makes path_is_mount_point() consistent with fd_is_mount_point() wrt.
flags.
|
|
Make Coverity happy and tell it we're not interested in the return
value of these two calls.
|
|
When a scheduled is cancelled, make sure to remove /run/nologin.
This is a regression from the recent shutdownd removal and logind rework.
|
|
|
|
A variety of changes:
- Make sure all our calls distuingish OOM from other errors if OOM is
not the only error possible.
- Be much stricter when parsing escaped paths, do not accept trailing or
leading escaped slashes.
- Change unit validation to take a bit mask for allowing plain names,
instance names or template names or an combination thereof.
- Refuse manipulating invalid unit name
|
|
If NULL is specified for the bus it is now automatically derived from
the passed in message.
This commit also changes a number of invocations of sd_bus_send() to
make use of this.
|
|
This should simplify the prototype a bit. The bus parameter is redundant
in most cases, and in the few where it matters it can be derived from
the message via sd_bus_message_get_bus().
|
|
log_error_errno() already adds a newline, so drop them.
|
|
Port over more code from shutdownd and teach logind to write /run/nologin at
least 5 minutes before the system is going down, and
/run/systemd/shutdown/scheduled when a shutdown is scheduled.
|
|
Add a timer to print UTMP wall messages so that it repeatedly informs users
about a scheduled shutdown:
* every 1 minute with less than 10 minutes to go
* every 15 minutes with less than 60 minutes to go
* every 30 minutes with less than 180 minutes (3 hours) to go
* every 60 minutes if more than that to go
This functionality only active if the .EnableWallMessages DBus property
is set to true. Also, a custom string can be added to the wall message,
set through the WallMessagePrefix property.
|
|
Add a method called ScheduleShutdown in org.freedesktop.login1.Manager
which adds a timer to shut down the system at a later point in time.
The first argument holds the type of the schedule that is about to
happen, and must be one of 'reboot', 'halt' or 'poweroff'.
The second argument specifies the absolute time, based on
CLOCK_REALTIME in nanoseconds, at which the the operation should be
executed.
To cancel a previously scheduled shutdown, the CancelScheduledShutdown()
can be called, which returns a bool, indicating whether a scheduled
timeout was cancelled.
Also add a new property called ScheduledShutdown which returns the
equivalent to what was passed in via ScheduleShutdown, as '(st)' type.
|
|
Factor out the code to ask polkit for authorization from
method_do_shutdown_or_sleep() into an own function called
verify_shutdown_creds().
This is needed in order to also use the same checks when shutdown
operations are scheduled. For that, it's also necessary to allow
NULL values for that action{,_multiple_sessions,_ignore_inhibit)
arguments, which will suppress the call if no action string is
passed.
|
|
make manager_gc(), manager_startup(), manager_new(), manager_free()
and manager_run() static, and kill their forward declarations.
|
|
Instead of open-coding the delayed action and inhibit timeout logic,
switch over to a real sd_event_source based implementation.
This is not only easier to read but also allows us to add more timers
in the future.
|
|
|
|
CID #996284.
|
|
|
|
|
|
|
|
Newer dbus versions have an "allow interactive authentication" bit in
the message header, hence it is not necessary to take a boolean for this
explicitly.
|
|
|
|
non-interactive
Interactive authorization should only happen asynchronously, hence
disallow it in synchronous bus_verify_polkit(), and rename it to
bus_test_polkit(). This way even if the bus message header asks for
interactive authorization, we'll ask for non-interactive authorization
which is actually the desired behaviour if CanSuspend, CanHibernate and
friends, which call this function.
|
|
Change cunescape() to return a normal error code, so that we can
distuingish OOM errors from parse errors.
This also adds a flags parameter to control whether "relaxed" or normal
parsing shall be done. If set no parse failures are generated, and the
only reason why cunescape() can fail is OOM.
|
|
- Move to its own file rm-rf.c
- Change parameters into a single flags parameter
- Remove "honour sticky" logic, it's unused these days
|
|
It allocates memory, so it can fail.
CID #1237527.
|
|
CID #1237545.
|
|
Replace ENOTSUP by EOPNOTSUPP as this is what linux actually uses.
|
|
CID #1256583.
|
|
This introduces 'HoldoffTimeoutSec' to logind.conf to make
IGNORE_LID_SWITCH_{SUSPEND,STARTUP}_USEC configurable.
Background: If an external monitor is connected, or if the system is
docked, we want to ignore LID events. This is required to support setups
where a laptop is used with external peripherals while the LID is closed.
However, this requires us to probe all hot-plugged devices before reacting
to LID events. But with modern buses like USB, the standards do not impose
any timeout on the slots, so we have no chance to know whether a given
slot is used or not. Hence, after resume and startup, we have to wait a
fixed timeout to give the kernel a chance to probe devices. Our timeout
has always been generous enough to support even the slowest devices.
However, a lot of people didn't use these features and wanted to disable
the hold-off timer. Now we provide a knob to do that.
|
|
For daemons which have a main configuration file, there's
little reason for the administrator to use configuration snippets.
They are useful for packagers which need to override settings, but
we shouldn't advertise that as the main way of configuring those
services.
https://bugs.freedesktop.org/show_bug.cgi?id=89397
|
|
Suggested by Zbyszek on IRC.
[zj: /run/nologin is used with PAM. systemd-user-session is independent
of logind.]
|
|
|
|
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use.
|
|
|
|
Also, allow clients to alter their own objects without any further
priviliges. i.e. this allows clients to kill and lock their own sessions
without involving PK.
|
|
|
|
After all it is now much more like strjoin() than strappend(). At the
same time, add support for NULL sentinels, even if they are normally not
necessary.
|
|
|
|
It may happen that you have several sessions with the same VT:
- Open a session c1 which leaves some processes around, and log out. The
session will stay in State=closing and become Active=no.
- Log back in on the same VT, get a new session "c2" which is State=active and
Active=yes.
When restarting logind after that, the first session that matches the current
VT becomes Active=yes, which will be c1; c2 thus is Active=no and does not get
the usual polkit/device ACL privileges.
Restore the "closing" state in session_load(), to avoid treating all restored
sessions as State=active. In seat_active_vt_changed(), prefer active sessions
over closing ones if more than one session matches the current VT.
Finally, fix the confusing comment in session_load() and explain it a bit
better.
https://launchpad.net/bugs/1415104
|
|
In containers without CAP_SYS_ADMIN, it is not possible to mount tmpfs
(or any filesystem for that matter) on top of /run/user/$UID.
Previously, logind just failed in such a situation.
Now, logind will resort to chown+chmod of the directory instead. This
allows logind still to work in those environments, although without the
guarantees it provides (i.e. users not being able to DOS /run or other
users' /run/user/$UID space) when CAP_SYS_ADMIN is available.
|
|
If setup of per-user runtime dir fails, clean up afterwards by removing
the directory before returning from the function, so we don't leave the
directory behind.
If this is not done, the second time the user logs in logind would
assume that the directory is already set up, even though it isn't.
|
|
If the third argument is non-null, the kernel will always error out with
EINVAL and devices won't get revoked.
Reported-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
Types used for pids and uids in various interfaces are unpredictable.
Too bad.
|
|
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
|
|
If the caller does not run in a session/seat or has no tracked user, hide
the /org/freedesktop/login1/.../self links in introspection data.
Otherwise, "busctl tree org.freedesktop.login1" tries to query those nodes
even though it cant.
|
|
The lifetime of compound literals is bound to the local scope, we hence
cannot refernce them outside of it.
|
|
imply calling session/user instead
This turns "lock-session", "activate", "unlock-session",
"enable-linger", "disable-linger" into commands that take no argument,
optionally in which case the callers session/user is implied.
|
|
|