path: root/tmpfiles.d

Age | Commit message | Author

2014-11-25 | tmpfiles.d: Fix directory name | Martin Pitt
    The .service uses "/var/lib/container", not "containers".

2014-11-21 | tmpfiles.d: Create /var/lib/containers | Martin Pitt
    Create /var/lib/containers so that it exists with an appropriate mode. We want 0700 by default so that users on the host aren't able to call suid root binaries in the container. This becomes a security issue if a user can enter a container as root, create a suid root binary, and call that from the host. (This assumes that containers are caged by mandatory access control or are started as user).

2014-08-27 | tmpfiles: make resolv.conf entry conditional on resolved support | Tom Gundersen

2014-07-29 | factory: install minimal PAM and nsswitch config | Kay Sievers

2014-07-15 | journal-remote: add units and read certs from default locations | Zbigniew Jędrzejewski-Szmek

2014-06-30 | tmpfiles: explicitly set mode for /run/log | Lennart Poettering

2014-06-30 | tmpfiles: don't do automatic cleanup in $XDG_RUNTIME_DIR | Lennart Poettering
    Now that logind will clean up all IPC resources of a user we should really consider $XDG_RUNTIME_DIR as just another kind of IPC with the same life-cycle logic as the other IPC resources. This should be safe now to do since every user gets his own $XDG_RUNTIME_DIR tmpfs instance with a fixed size limit, so that flooding of it will more effectively be averted.

2014-06-19 | tmpfiles: automatically clean up /var/lib/systemd/coredump after 3d | Lennart Poettering

2014-06-17 | tmpfiles: remove line for automatic clean-ups for /var/cache/man/ | Lennart Poettering
    Management of /var/cache/man should move to the distribution package owning the directory (for example, man-db). As man pages are a non-essential part of the system and unnecessary for minimal setups, there's no point in having systemd ship these lines. Distribution packages should make sure the appropriate package for their distribution adopts this line. Ideally, the line is adopted by the upstream package. For Fedora I have filed this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1110274

2014-06-16 | tmpfiles: add new "L+" command as stronger version of "L", that removes the destination before creating a symlink | Lennart Poettering
    Also, make use of this for mtab as long as mount insists on creating it even if we invoke it with "-n".

2014-06-15 | tmpfiles: create /etc/resolv.conf as link to networkd's version, if it doesn't exist | Lennart Poettering
    If /etc/resolv.conf doesn't exist it's better than nothing to make it point to networkd's version.

2014-06-13 | tmpfiles: always use relative symlinks from tmpfiles snippets | Lennart Poettering

2014-06-13 | tmpfiles: add minimal tmpfiles snippet to rebuild the most essential stuff from /etc | Lennart Poettering

2014-06-11 | tmpfiles: don't allow read access to journal files to users not in systemd-journal | Lennart Poettering
    Also, don't apply access mode recursively to /var/log/journal/*/, since that might be quite large, and should be correct anyway.

2014-06-11 | tmpfiles: don't apply sgid and executable bit to journal files, only the directories they are contained in | Lennart Poettering

2014-06-11 | tmpfiles: if /var is mounted from tmpfs, we should adjust its access mode | Lennart Poettering

2014-06-11 | tmpfiles: always recreate the most basic directory structure in /var | Lennart Poettering
    Let's allow booting up with /var empty. Only create the most basic directories to get to a working directory structure and symlink set in /var.

2014-06-10 | tmpfiles: get rid of "m" lines, make them redundant by "z" | Lennart Poettering
    "m" so far has been a non-globbing version of "z". Since this makes it quite redundant, let's get rid of it. Remove "m" from the man pages, beef up "z" docs instead, and make "m" nothing more than a compatibility alias for "z".

2014-06-03 | networkd: split runtime config dir from state dir | Tom Gundersen
    Configuration will be in root:root /run/systemd/network and state will be in systemd-network:systemd-network /run/systemd/netif. This matches what we do for logind's seat/session state.

2014-06-02 | tmpfiles: systemd.conf - fix ownership of network directories | Tom Gundersen

2014-05-22 | timesyncd: order after tmpfiles to get a working network monitor | Kay Sievers

2014-05-16 | network: always create /run/systemd/network/links | Lennart Poettering
    This way the networkd client library should work even if networkd is not running. http://lists.freedesktop.org/archives/systemd-devel/2014-May/019242.html

2014-04-17 | tmpfiles: fix permissions on new journal files | Greg KH
    When starting up journald on a new system, set the proper permissions on the system.journal files, not only on the journal directory.

2013-12-24 | tmpfiles: introduce the concept of unsafe operations | Zbigniew Jędrzejewski-Szmek
    Various operations done by systemd-tmpfiles may only be safely done at boot (e.g. removal of X lockfiles in /tmp, creation of /run/nologin). Other operations may be done at any point in time (e.g. setting the ownership on /{run,var}/log/journal). This distinction is largely orthogonal to the type of operation.

    A new switch --unsafe is added, and operations which should only be executed during bootup are marked with an exclamation mark in the configuration files. systemd-tmpfiles.service is modified to use this switch, and guards are added so it is hard to re-start it by mistake.

    If we install a new version of systemd, we actually want to enforce some changes to tmpfiles configuration immediately. This should now be possible to do safely, so distribution packages can be modified to execute the "safe" subset at package installation time.

    /run/nologin creation is split out into a separate service, to make it easy to override.

    https://bugzilla.redhat.com/show_bug.cgi?id=1043212
    https://bugzilla.redhat.com/show_bug.cgi?id=1045849

2013-12-13 | namespace: include boot id in private tmp directories | Lennart Poettering
    This way it is easy to only exclude directories from the current boot from automatic clean up in /var/tmp. Also, pick a longer name for the directories so that our globs in tmp.conf can be simpler yet equally accurate.

2013-11-16 | tmpfiles: adjust excludes for the new per-service private dirs | Zbigniew Jędrzejewski-Szmek
    In d8c9d3a (systemd: use unit name in PrivateTmp directories) I forgot to update the tmpfiles config.

2013-10-02 | tmpfiles.d: include setgid perms for /run/log/journal | Dave Reisner
    4608af4333d0f7f5 set permissions for journal storage on persistent disk but not the volatile storage. ref: https://bugs.archlinux.org/task/37170

2013-09-27 | Add a bit more explicit message, to help confused users | Michael Scherer
    Seeing http://www.happyassassin.net/2013/09/27/further-sysadmin-adventures-wheres-my-freeipa-badge/ it seems that the default message is a bit confusing for people who never encountered it before, so adding a link to the manpage could help them.

2013-09-17 | journald: avoid NSS in journald | Lennart Poettering
    In order to avoid a deadlock between journald looking up the "systemd-journal" group name, and nscd (or any other NSS backing daemon) logging something back to the journal, avoid all NSS in journald the same way as we avoid it from PID 1. With this change we rely on the kernel file system logic to adjust the group of created journal files via the SETGID bit on the journal directory. To ensure that it is always set, even after the user created it with a simple "mkdir" on the shell, we fix it up via tmpfiles on boot.

2013-07-02 | machined: split out machine registration stuff from logind | Lennart Poettering
    Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.

2013-03-20 | Make PrivateTmp dirs also inaccessible from the outside | Zbigniew Jędrzejewski-Szmek
    Currently, PrivateTmp=yes means that the service cannot see the /tmp shared by the rest of the system and is isolated from other services using PrivateTmp, but users can access and modify /tmp as seen by the service. Move the private /tmp and /var/tmp directories into a 0077-mode directory. This way unprivileged users on the system cannot see (or modify) /tmp as seen by the service.

2013-01-26 | tmpfiles: exclude /var/tmp/systemd-private-* too | Zbigniew Jędrzejewski-Szmek

2013-01-25 | tmpfiles: exclude /tmp/systemd-private-* from cleanup | Zbigniew Jędrzejewski-Szmek
    See http://thread.gmane.org/gmane.comp.sysutils.systemd.devel/6874/focus=6891
    Should fix https://bugzilla.redhat.com/show_bug.cgi?id=866693

2013-01-19 | tmpfiles: do not make /run/nologin executable | Michał Bartoszkiewicz

2013-01-07 | tmpfiles: move legacy flag-files handling to legacy.conf | Tom Gundersen

2012-06-25 | tmpfiles: write /run/nologin during early boot to disallow too early user logins | Lennart Poettering
    systemd-user-sessions.service will later on remove the flag file, thus permitting user logins when the time has come.

2012-06-20 | tmpfiles: exclude the first level directories in /run/user from automatic clean up | Lennart Poettering
    It's logind's job to maintain those user dirs, so avoid automatic clean up for them. However, we do cover everything within them.

2012-04-12 | relicense to LGPLv2.1 (with exceptions) | Lennart Poettering
    We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.

2012-04-11 | shutdownd: rework interface, allow subscribing to scheduled shutdowns | Lennart Poettering
    This extends the shutdownd interface to expose schedule shutdown information in /run/systemd/shutdown/schedule. This also cleans up the shutdownd protocol and documents it in a header file sd-shutdown.h. This is supposed to be used by client code that wants to control and monitor scheduled shutdown.

2011-10-07 | journal: add preliminary incomplete implementation | Lennart Poettering

2011-08-24 | tmpfiles: Move /tmp and /var/tmp to a separate tmpfiles.d file to ease overrides via /etc | Josh Triplett
    Many people prefer to avoid clearing /tmp and /var/tmp, and distributions often have explicit settings for how often to clear them if at all. Overriding those with systemd currently requires overriding all of /usr/lib/tmpfiles.d/systemd.conf via /etc/tmpfiles.d/systemd.conf, copying across all the other entries, and updating that override when systemd.conf changes. Move the /tmp and /var/tmp entries from systemd.conf to a separate tmp.conf, making them easier to override without affecting the rest of systemd.conf.

2011-08-24 | tmpfiles: Remove X11 lock files for displays :10 and higher too | Josh Triplett

2011-07-22 | sd-login: beef up login api, to add monitoring and enumerating | Lennart Poettering

2011-04-10 | path: optionally, create watched directories in .path units | Lennart Poettering

2011-04-03 | move /var/lock to HAVE_SYSV_COMPAT | Kay Sievers

2011-04-02 | tmpfiles: split off rules for legacy systems into legacy.conf | Lennart Poettering

2011-04-01 | tmpfiles: enforce new /var/lock semantics | Lennart Poettering
    http://lists.freedesktop.org/archives/systemd-devel/2011-March/001823.html

2011-03-29 | tmpfiles fix /run/lock permissions | Kay Sievers
    <mbiebl> kay: just wondering: d /run/lock 0755 root lock -
    <mbiebl> shouldn't that rather be 0775?
    <mbiebl> otherwise it doesn't make sense

2011-03-28 | use /run instead of /dev/.run | Kay Sievers
    Instead of the /dev/.run trick we have currently implemented, we decided to move the early-boot runtime dir to /run.

    An existing /var/run directory is bind-mounted to /run. If /var/run is already a symlink, no action is taken.

    An existing /var/lock directory is bind-mounted to /run/lock. If /var/lock is already a symlink, no action is taken.

    To implement the directory vs. symlink logic, we have a ConditionPathIsDirectory= now, which is used in the mount units.

    Skipped mount unit in case of symlink:

        $ systemctl status var-run.mount
        var-run.mount - Runtime Directory
                  Loaded: loaded (/lib/systemd/system/var-run.mount)
                  Active: inactive (dead)
                          start condition failed at Fri, 25 Mar 2011 04:51:41 +0100; 6min ago
                   Where: /var/run
                    What: /run
                  CGroup: name=systemd:/system/var-run.mount

    The systemd rpm needs to make sure to add something like:

        %pre
        mkdir -p -m0755 /run >/dev/null 2>&1 || :

    or it needs to be added to filesystem.rpm.

    Udev -git already uses /run if that exists, and is writable at bootup. Otherwise it falls back to the current /dev/.udev.

    Dracut and plymouth need to be adapted to switch from /dev/.run to /run too.

    Cheers,
    Kay

2011-02-13 | tmpfiles: simplify default tmpfiles configuration by using globs | Lennart Poettering