[systemd-devel] [PATCH] Split out /run/nologin creation into a separate service

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Fri Dec 20 19:45:46 PST 2013


This has come up before, and will come up again: running
systemd-tmpfiles --create kills user logins. In principle
this is documented, but in practice people don't always
read the documentation. Split out /run/nologin creation
so it's harder to execute it by mistake.

https://bugzilla.redhat.com/show_bug.cgi?id=1043212
---
Hi Lennart,
this patch is essentially harmless, but not very pretty, so I'm
sending it to the mailing list in case you want to veto it.

Zbyszek

 Makefile-man.am                                   |  5 +++++
 Makefile.am                                       | 12 +++++++----
 man/systemd-tmpfiles.xml                          | 26 +++++++++++++++--------
 tmpfiles.d/systemd-forbid-user-logins.conf.noauto | 11 ++++++++++
 tmpfiles.d/systemd.conf                           |  2 --
 units/.gitignore                                  |  1 +
 units/systemd-forbid-user-logins.service.in       | 21 ++++++++++++++++++
 units/systemd-tmpfiles-setup.service.in           |  1 +
 8 files changed, 64 insertions(+), 15 deletions(-)
 create mode 100644 tmpfiles.d/systemd-forbid-user-logins.conf.noauto
 create mode 100644 units/systemd-forbid-user-logins.service.in

diff --git a/Makefile-man.am b/Makefile-man.am
index c5f73d4..c337d09 100644
--- a/Makefile-man.am
+++ b/Makefile-man.am
@@ -180,6 +180,7 @@ MANPAGES_ALIAS += \
 	man/systemd-ask-password-console.path.8 \
 	man/systemd-ask-password-wall.path.8 \
 	man/systemd-ask-password-wall.service.8 \
+	man/systemd-forbid-user-logins.service.8 \
 	man/systemd-fsck-root.service.8 \
 	man/systemd-fsck.8 \
 	man/systemd-hibernate.service.8 \
@@ -283,6 +284,7 @@ man/sd_notifyf.3: man/sd_notify.3
 man/systemd-ask-password-console.path.8: man/systemd-ask-password-console.service.8
 man/systemd-ask-password-wall.path.8: man/systemd-ask-password-console.service.8
 man/systemd-ask-password-wall.service.8: man/systemd-ask-password-console.service.8
+man/systemd-forbid-user-logins.service.8: man/systemd-tmpfiles.8
 man/systemd-fsck-root.service.8: man/systemd-fsck at .service.8
 man/systemd-fsck.8: man/systemd-fsck at .service.8
 man/systemd-hibernate.service.8: man/systemd-suspend.service.8
@@ -538,6 +540,9 @@ man/systemd-ask-password-wall.path.html: man/systemd-ask-password-console.servic
 man/systemd-ask-password-wall.service.html: man/systemd-ask-password-console.service.html
 	$(html-alias)
 
+man/systemd-forbid-user-logins.service.html: man/systemd-tmpfiles.html
+	$(html-alias)
+
 man/systemd-fsck-root.service.html: man/systemd-fsck at .service.html
 	$(html-alias)
 
diff --git a/Makefile.am b/Makefile.am
index 8507d8d..e1cd71f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1578,12 +1578,14 @@ dist_systemunit_DATA += \
 nodist_systemunit_DATA += \
 	units/systemd-tmpfiles-setup-dev.service \
 	units/systemd-tmpfiles-setup.service \
-	units/systemd-tmpfiles-clean.service
+	units/systemd-tmpfiles-clean.service \
+	units/systemd-forbid-user-logins.service
 
 dist_tmpfiles_DATA = \
 	tmpfiles.d/systemd.conf \
 	tmpfiles.d/tmp.conf \
-	tmpfiles.d/x11.conf
+	tmpfiles.d/x11.conf \
+	tmpfiles.d/systemd-forbid-user-logins.conf.noauto
 
 if HAVE_SYSV_COMPAT
 dist_tmpfiles_DATA += \
@@ -1592,7 +1594,8 @@ endif
 
 SYSINIT_TARGET_WANTS += \
 	systemd-tmpfiles-setup-dev.service \
-	systemd-tmpfiles-setup.service
+	systemd-tmpfiles-setup.service \
+	systemd-forbid-user-logins.service
 
 dist_zshcompletion_DATA += \
 	shell-completion/zsh/_systemd-tmpfiles
@@ -1608,7 +1611,8 @@ endif
 EXTRA_DIST += \
 	units/systemd-tmpfiles-setup-dev.service.in \
 	units/systemd-tmpfiles-setup.service.in \
-	units/systemd-tmpfiles-clean.service.in
+	units/systemd-tmpfiles-clean.service.in \
+	units/systemd-forbid-user-logins.service.in
 
 # ------------------------------------------------------------------------------
 systemd_machine_id_setup_SOURCES = \
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index b90bd75..009c076 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -46,6 +46,7 @@
                 <refname>systemd-tmpfiles</refname>
                 <refname>systemd-tmpfiles-setup.service</refname>
                 <refname>systemd-tmpfiles-setup-dev.service</refname>
+                <refname>systemd-forbid-user-logins.service</refname>
                 <refname>systemd-tmpfiles-clean.service</refname>
                 <refname>systemd-tmpfiles-clean.timer</refname>
                 <refpurpose>Creates, deletes and cleans up volatile
@@ -54,11 +55,14 @@
 
         <refsynopsisdiv>
                 <cmdsynopsis>
-                        <command>systemd-tmpfiles <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt" rep="repeat">CONFIGURATION FILE</arg></command>
+                        <command>systemd-tmpfiles</command>
+                        <arg choice="opt" rep="repeat">OPTIONS</arg>
+                        <arg choice="opt" rep="repeat">CONFIGURATION FILE</arg>
                 </cmdsynopsis>
 
                 <para><filename>systemd-tmpfiles-setup.service</filename></para>
                 <para><filename>systemd-tmpfiles-setup-dev.service</filename></para>
+                <para><filename>systemd-forbid-user-logins.service</filename></para>
                 <para><filename>systemd-tmpfiles-clean.service</filename></para>
                 <para><filename>systemd-tmpfiles-clean.timer</filename></para>
         </refsynopsisdiv>
@@ -69,20 +73,24 @@
                 <para><command>systemd-tmpfiles</command> creates,
                 deletes and cleans up volatile and temporary files and
                 directories, based on the configuration file format and
-                location specified in <citerefentry>
-                        <refentrytitle>tmpfiles.d</refentrytitle>
-                        <manvolnum>5</manvolnum>
-                </citerefentry>.</para>
+                location specified in
+                <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+                </para>
 
                 <para>If invoked with no arguments, it applies all
                 directives from all configuration files. If one or
                 more filenames are passed on the command line, only
                 the directives in these files are applied. If only
                 the basename of a configuration file is specified,
-                all configuration directories as specified in <citerefentry>
-                        <refentrytitle>tmpfiles.d</refentrytitle>
-                        <manvolnum>5</manvolnum>
-                </citerefentry> are searched for a matching file.</para>
+                all configuration directories as specified in
+                <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                are searched for a matching file.</para>
+
+                <para>During bootup,
+                <filename>systemd-forbid-user-logins.service</filename>
+                will create <filename>/run/nologin</filename> to
+                disable user logins until the system is ready.
+                </para>
         </refsect1>
 
         <refsect1>
diff --git a/tmpfiles.d/systemd-forbid-user-logins.conf.noauto b/tmpfiles.d/systemd-forbid-user-logins.conf.noauto
new file mode 100644
index 0000000..42ebc0b
--- /dev/null
+++ b/tmpfiles.d/systemd-forbid-user-logins.conf.noauto
@@ -0,0 +1,11 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+# See tmpfiles.d(5) and systemd-forbid-user-logins.service(5).
+# This file has special suffix so it is not run by mistake.
+
+F /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)"
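Review bot: The header comment points readers at `systemd-forbid-user-logins.service(5)`, but the alias this patch registers in Makefile-man.am is `man/systemd-forbid-user-logins.service.8`, so the reference should be section 8. The comment could also state what the file is for, since /run/nologin is what makes pam_nologin refuse non-root logins: `# Creates /run/nologin, which blocks non-root logins via pam_nologin(8) until boot completes.` I would also reword the suffix line to name the mechanism: `# The .noauto suffix keeps a plain "systemd-tmpfiles --create" from applying this file.`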
diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf
index a05c657..e921c2b 100644
--- a/tmpfiles.d/systemd.conf
+++ b/tmpfiles.d/systemd.conf
@@ -22,8 +22,6 @@ d /run/systemd/users 0755 root root -
 d /run/systemd/machines 0755 root root -
 d /run/systemd/shutdown 0755 root root -
 
-F /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)"
-
 m /var/log/journal 2755 root systemd-journal - -
 m /var/log/journal/%m 2755 root systemd-journal - -
 m /run/log/journal 2755 root systemd-journal - -
diff --git a/units/.gitignore b/units/.gitignore
index 76c4cb3..804daa3 100644
--- a/units/.gitignore
+++ b/units/.gitignore
@@ -24,6 +24,7 @@
 /systemd-binfmt.service
 /systemd-bus-driverd.service
 /systemd-bus-proxyd at .service
+/systemd-forbid-user-logins.service
 /systemd-fsck-root.service
 /systemd-fsck at .service
 /systemd-halt.service
diff --git a/units/systemd-forbid-user-logins.service.in b/units/systemd-forbid-user-logins.service.in
new file mode 100644
index 0000000..fe4a4d2
--- /dev/null
+++ b/units/systemd-forbid-user-logins.service.in
@@ -0,0 +1,21 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Create /run/nologin
+DefaultDependencies=no
+Wants=local-fs.target
+Conflicts=shutdown.target
+After=systemd-readahead-collect.service systemd-readahead-replay.service local-fs.target
+Before=sysinit.target shutdown.target
+RefuseManualStart=yes
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@rootbindir@/systemd-tmpfiles --create @tmpfilesdir@/systemd-forbid-user-logins.conf.noauto
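Review bot: The unit has no `Documentation=` line, and `Description=Create /run/nologin` does not say why the file is created, so an administrator who finds logins refused during boot has little to go on. I would add `Documentation=man:systemd-tmpfiles(8) man:pam_nologin(8)` and use a description such as `Description=Forbid User Logins Until Boot Completes`. Because ExecStart names the fragment by absolute path, the usual tmpfiles.d(5) override by a same-named file in /etc/tmpfiles.d presumably does not apply, and turning the behaviour off means masking the unit; that deserves a sentence in the man page. If the command fails, it looks as though the unit is only marked failed and /run/nologin is never created, so the login block would be silently absent for that boot; this should be confirmed and documented.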
diff --git a/units/systemd-tmpfiles-setup.service.in b/units/systemd-tmpfiles-setup.service.in
index 6f98063..3405e28 100644
--- a/units/systemd-tmpfiles-setup.service.in
+++ b/units/systemd-tmpfiles-setup.service.in
@@ -14,6 +14,7 @@ Conflicts=shutdown.target
 After=systemd-readahead-collect.service systemd-readahead-replay.service local-fs.target
 Before=sysinit.target shutdown.target
 ConditionDirectoryNotEmpty=|/usr/lib/tmpfiles.d
+ConditionDirectoryNotEmpty=|/lib/tmpfiles.d
 ConditionDirectoryNotEmpty=|/usr/local/lib/tmpfiles.d
 ConditionDirectoryNotEmpty=|/etc/tmpfiles.d
 ConditionDirectoryNotEmpty=|/run/tmpfiles.d
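Review bot: The added `ConditionDirectoryNotEmpty=|/lib/tmpfiles.d` is not mentioned in the commit message and looks unrelated to splitting out /run/nologin; it would be easier to review as its own commit with a stated reason. As far as I know systemd-tmpfiles only searches /lib/tmpfiles.d on split-/usr builds, so the condition may need the same guard in this `.in` template. Since the new `.conf.noauto` file is installed into the tmpfiles directory, that directory now counts as non-empty for these conditions even when it holds no `*.conf` fragment. The [Unit] section starts above this hunk.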
-- 
1.8.1.rc0.194.gaf2e3a9


