We had both uid-range.h and uid-alloc-range.h. The latter now contains helpers
like {uid,gid}_is_{system,dynamic,container}(), uid_for_system_journal(), so
the existing name is outdated. I think the uid-range.[ch] should stay separate
because it has a bunch of helpers for parsing and printing of uid ranges. So
let's rename as in $subject to better reflect the contents of the file and make
the two sets of files harder to confuse.
We don't "uncapitalize" parts of an already-capitalized name when concatenating
words. In particular, we had UidRange in basic/uid-range.h and UGIDAllocationRange
in basic/uid-alloc-range.h, which is annoying.
When looking at configuration, often a user wants to suppress the comments and
just look at the parts that actually configure something, roughly equivalent to
systemd-analyze cat-config … | rg -v '^(#|;|$)
This switch implements this natively, skipping lines that start with a comment
character or only contain whitespace.
For formats that have section headers, section headers are skipped, if only
followed by stuff that would be skipped. (The last section header is printed
when we're about to print some actual output.)
Note that the caller doesn't know if the format has headers or not. We do format
type detection in pretty-print.c. So the caller only specifies tldr=true|false, and
conf_files_cat() figures out if the format has headers and whether those should
be handled specially.
The comments that show the file name are always printed, even if all of the file
is suppressed.
This is a partial answer to the discussions in
https://github.com/systemd/systemd/pull/28919,
https://github.com/systemd/systemd/pull/29248. If the default config is shown in
config files, the user can conveniently use '--tldr' to show the relevant parts.
"static inline" makes sense in .h files. But in .c files it's useless
decoration, the compiler should just make its own decisions there, and
it can do that.
hence, replace all remaining uses of "static line" by a simple" static"
in all .c files (but keep them in .h files, where they make sense)
Our coding style says static variables suck except for very special
cases, i.e. things like the log level or very per-process stuff, such as
parsed version of cmdline args and such. sysusers departed from that as
one of the very few exceptions in our codebases: it keeps its
operational state in global variables.
Address that. Introduce a Context object that carries the fields that so
far have been global, and pass it around as needed.
This has the nice effect that state and configuration is clearly
separated in code, and we can very clearly see which functions mangle
state and which ones do not.
No actual codeflow changes, just refactoring.
The code was correct, but rather confusing: it used two sets with strings with
trivial_hash_ops to store strings used in other hashmaps. Let's add a bunch of
comments to explain what is happening. We also don't need two sets, using just
one saves a bit of memory.
While at it, let's add some debug messages if duplicate user/group names or
uids/gids are present.
By default, label_ops is initialized with a NULL pointer which translates
to noop labelling operations. In mac_selinux_init() and the new mac_smack_init(),
we initialize label_ops with a MAC specific LabelOps pointer.
We also introduce mac_init() to initialize any configured MACs and replace all
usages of mac_selinux_init() with mac_init().
We would create root account from sysusers or from firstboot, depending on
which one ran earlier. Since firstboot offers more options, in particular can
set the root password, we needed to order it earlier. This created an ugly
ordering requirement:
systemd-sysusers.service > systemd-firstboot.service > ... >
systemd-remount-fs.service > systemd-tmpfiles-setup-dev.service >
systemd-sysusers.service
We want sysusers.service to create basic users, so we can create nodes in dev,
so we can operate on block devices and such, so that we can resize and remount
things. But at the same time, systemd-firstboot.service can only work if it is
run early, before systemd-sysusers.service has created /etc/passwd. We can't
have it both ways: the units that want to have a fully writable root file
system cannot be ordered before units which are required to do file system
preparation.
Instead of trying to order firstboot very early, let's let it do its thing even
if it is started later. Instead of refusing to create to the root account if
/etc/passwd and /etc/shadow exist, actually check if the account is configured.
Now sysusers writes root account with password PASSWORD_UNPROVISIONED
("!unprovisioned"), and then firstboot checks for this, and will configure root
in this case.
This allows sysusers to be executed earlier (or accounts to be set up earlier
in another way).
This effectively reverts b825ab1a99.
Let's use the same common directory as the unit logic uses.
This means we have less to clean up, and opens the door to eventually
allow unprivileged operation of the
mount_image_privately_interactively() logic.
Chasing symlinks is a core function that's used in a lot of places
so it deservers a less verbose names so let's rename it to chase()
and chaseat().
We also slightly change the pattern used for the chaseat() helpers
so we get chase_and_openat() and similar.
The usual story:
$ diff -u <(pahole build/systemd-sysusers.0) <(pahole build/systemd-sysusers)
/* size: 80, cachelines: 2, members: 15 */
- /* sum members: 68, holes: 1, sum holes: 4 */
- /* sum bitfield members: 5 bits (0 bytes) */
- /* padding: 7 */
- /* bit_padding: 3 bits */
+ /* sum members: 73, holes: 1, sum holes: 4 */
+ /* padding: 3 */
/* last cacheline: 16 bytes */
Effectively, because of padding, we were not saving anything. We're not putting
struct Item in arrays, but when allocating on the heap, we're going to round up to
normal alignment too.
The code becomes shorter (and quicker):
$ size build/systemd-sysusers{,.0}
text data bss dec hex filename
79967 2040 264 82271 1415f build/systemd-sysusers.0
79726 2040 264 82030 1406e build/systemd-sysusers
(In case you're wondering, I wrote this long commit message for a very simple
change on purpose: I want to deflate the bitfield cargo cult a bit.)
The name "def.h" originates from before the rule of "no needless abbreviations"
was established. Let's rename the file to clarify that it contains a collection
of various semi-related constants.
This adds an additional name check when cross-matching new group
entries against existing users, which allows coalescing entries
matching both ID and name.
It provides a small idempotence enhancement when creating groups
in cases where matching user entries are in place. By fine-tuning
the conflict detection logic, this avoids picking up new random
IDs and correctly prefers configuration values instead.
This renames UidRange -> UidRangeEntry, and reintroduces UidRange which
contains the array of UidRangeEntry and its size.
No fucntional changes, just refactoring.
We have fairly nice error messages for specific operations, but only at debug
level. Instead, we'd print a fairly useless generic message:
Before:
Failed to write files: Invalid argument
After:
Failed to add existing group "users" to temporary group file: Invalid argument
Fixes#10241.
/bin/sh as a shell is punishing. There is no good reason to make
the occasional root login unpleasant.
Since /bin/sh is usually /bin/bash in compat mode, i.e. if one is
available, the other will be too, /bin/bash is almost as good as a default.
But to avoid a regression in the situation where /bin/bash (or
DEFAULT_USER_SHELL) is not installed, we check with access() and fall back
to /bin/sh. This should make this change in behaviour less risky.
(FWIW, e.g. Fedora/RHEL use /bin/bash as default for root.)
This is a follow-up of sorts for 53350c7bba,
which added the default-user-shell option, but most likely with the idea
of using /bin/bash less ;)
Fixes#24369.
We'd warn that "-" and "/sbin/nologin" are different, even even though
"/sbin/nologin" is the default we'd use. So let's stop warning in all cases
where the config would lead to the same file, also under different paths,
or when both shells are nologin shells.
The general idea is to avoid warnings when sysusers config is moved between
packages (and not exactly the same), or when it is generated from some template
and the details change in an unimportant way.
We try to chase symlinks. This means that on unmerged-usr systems we'll find
that e.g. /usr/bin/bash and /bin/bash are equivalent if the basic fs structure
is already in place (bash doesn't actually have to be installed, enough that
the /bin symlink exists). I think this is a good result: after all, /bin/bash
and /usr/bin/bash *may* be different things on an unmerged-usr system.
Fixes#24215.
/home/zbyszek/src/systemd-work/testcase.conf:3: '//sbin//nologin' is not a valid login shell field.
This isn't very useful. The usual argument holds: people use templates to
construct config, so paths may have doubled slashes and similar. Let's simplify
paths so that the value that is pushed to /etc/passwd is nice and clean.
https://github.com/systemd/systemd/pull/6636 added `fsync()` when
temporary shadow, group, and gshadow files are created, but it was
not added for passwd. As far as I can tell, this seems to have been
an oversight. I'm seeing real world issues where a blank /etc/passwd
file is being created if a machine loses power early in the boot process.
This tweaks user creation logic to properly take into consideration
an explicitly requested GID.
It fixes a bug where the creation flow would mistakenly fall back
to use the username instead, resulting in wrong lookups in case of
users and groups using the same name.
This relaxes the availability check when creating a group, if an
explicit GID has been requested.
It avoids mixing up users and groups entries with valid and unique
UIDs/GIDs, but each having the same ID number.
