[systemd-devel] [PATCH] Split out /run/nologin creation into a separate service
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Fri Dec 20 19:45:46 PST 2013
This has come up before, and will come up again: running
systemd-tmpfiles --create kills user logins. In principle
this is documented, but in practice people don't always
read the documentation. Split out /run/nologin creation
so it's harder to do execute it by mistake.
https://bugzilla.redhat.com/show_bug.cgi?id=1043212
---
Hi Lennart,
this patch is essentially harmless, but not very pretty, so I'm
sending it to the mailing list in case you want to veto it.
Zbyszek
Makefile-man.am | 5 +++++
Makefile.am | 12 +++++++----
man/systemd-tmpfiles.xml | 26 +++++++++++++++--------
tmpfiles.d/systemd-forbid-user-logins.conf.noauto | 11 ++++++++++
tmpfiles.d/systemd.conf | 2 --
units/.gitignore | 1 +
units/systemd-forbid-user-logins.service.in | 21 ++++++++++++++++++
units/systemd-tmpfiles-setup.service.in | 1 +
8 files changed, 64 insertions(+), 15 deletions(-)
create mode 100644 tmpfiles.d/systemd-forbid-user-logins.conf.noauto
create mode 100644 units/systemd-forbid-user-logins.service.in
diff --git a/Makefile-man.am b/Makefile-man.am
index c5f73d4..c337d09 100644
--- a/Makefile-man.am
+++ b/Makefile-man.am
@@ -180,6 +180,7 @@ MANPAGES_ALIAS += \
man/systemd-ask-password-console.path.8 \
man/systemd-ask-password-wall.path.8 \
man/systemd-ask-password-wall.service.8 \
+ man/systemd-forbid-user-logins.service.8 \
man/systemd-fsck-root.service.8 \
man/systemd-fsck.8 \
man/systemd-hibernate.service.8 \
@@ -283,6 +284,7 @@ man/sd_notifyf.3: man/sd_notify.3
man/systemd-ask-password-console.path.8: man/systemd-ask-password-console.service.8
man/systemd-ask-password-wall.path.8: man/systemd-ask-password-console.service.8
man/systemd-ask-password-wall.service.8: man/systemd-ask-password-console.service.8
+man/systemd-forbid-user-logins.service.8: man/systemd-tmpfiles.8
man/systemd-fsck-root.service.8: man/systemd-fsck at .service.8
man/systemd-fsck.8: man/systemd-fsck at .service.8
man/systemd-hibernate.service.8: man/systemd-suspend.service.8
@@ -538,6 +540,9 @@ man/systemd-ask-password-wall.path.html: man/systemd-ask-password-console.servic
man/systemd-ask-password-wall.service.html: man/systemd-ask-password-console.service.html
$(html-alias)
+man/systemd-forbid-user-logins.service.html: man/systemd-tmpfiles.html
+ $(html-alias)
+
man/systemd-fsck-root.service.html: man/systemd-fsck at .service.html
$(html-alias)
diff --git a/Makefile.am b/Makefile.am
index 8507d8d..e1cd71f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1578,12 +1578,14 @@ dist_systemunit_DATA += \
nodist_systemunit_DATA += \
units/systemd-tmpfiles-setup-dev.service \
units/systemd-tmpfiles-setup.service \
- units/systemd-tmpfiles-clean.service
+ units/systemd-tmpfiles-clean.service \
+ units/systemd-forbid-user-logins.service
dist_tmpfiles_DATA = \
tmpfiles.d/systemd.conf \
tmpfiles.d/tmp.conf \
- tmpfiles.d/x11.conf
+ tmpfiles.d/x11.conf \
+ tmpfiles.d/systemd-forbid-user-logins.conf.noauto
if HAVE_SYSV_COMPAT
dist_tmpfiles_DATA += \
@@ -1592,7 +1594,8 @@ endif
SYSINIT_TARGET_WANTS += \
systemd-tmpfiles-setup-dev.service \
- systemd-tmpfiles-setup.service
+ systemd-tmpfiles-setup.service \
+ systemd-forbid-user-logins.service
dist_zshcompletion_DATA += \
shell-completion/zsh/_systemd-tmpfiles
@@ -1608,7 +1611,8 @@ endif
EXTRA_DIST += \
units/systemd-tmpfiles-setup-dev.service.in \
units/systemd-tmpfiles-setup.service.in \
- units/systemd-tmpfiles-clean.service.in
+ units/systemd-tmpfiles-clean.service.in \
+ units/systemd-forbid-user-logins.service.in
# ------------------------------------------------------------------------------
systemd_machine_id_setup_SOURCES = \
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index b90bd75..009c076 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -46,6 +46,7 @@
<refname>systemd-tmpfiles</refname>
<refname>systemd-tmpfiles-setup.service</refname>
<refname>systemd-tmpfiles-setup-dev.service</refname>
+ <refname>systemd-forbid-user-logins.service</refname>
<refname>systemd-tmpfiles-clean.service</refname>
<refname>systemd-tmpfiles-clean.timer</refname>
<refpurpose>Creates, deletes and cleans up volatile
@@ -54,11 +55,14 @@
<refsynopsisdiv>
<cmdsynopsis>
- <command>systemd-tmpfiles <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt" rep="repeat">CONFIGURATION FILE</arg></command>
+ <command>systemd-tmpfiles</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="opt" rep="repeat">CONFIGURATION FILE</arg>
</cmdsynopsis>
<para><filename>systemd-tmpfiles-setup.service</filename></para>
<para><filename>systemd-tmpfiles-setup-dev.service</filename></para>
+ <para><filename>systemd-forbid-user-logins.service</filename></para>
<para><filename>systemd-tmpfiles-clean.service</filename></para>
<para><filename>systemd-tmpfiles-clean.timer</filename></para>
</refsynopsisdiv>
@@ -69,20 +73,24 @@
<para><command>systemd-tmpfiles</command> creates,
deletes and cleans up volatile and temporary files and
directories, based on the configuration file format and
- location specified in <citerefentry>
- <refentrytitle>tmpfiles.d</refentrytitle>
- <manvolnum>5</manvolnum>
- </citerefentry>.</para>
+ location specified in
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
<para>If invoked with no arguments, it applies all
directives from all configuration files. If one or
more filenames are passed on the command line, only
the directives in these files are applied. If only
the basename of a configuration file is specified,
- all configuration directories as specified in <citerefentry>
- <refentrytitle>tmpfiles.d</refentrytitle>
- <manvolnum>5</manvolnum>
- </citerefentry> are searched for a matching file.</para>
+ all configuration directories as specified in
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ are searched for a matching file.</para>
+
+ <para>During bootup,
+ <filename>systemd-forbid-user-logins.service</filename>
+ will create <filename>/run/nologin</filename> to
+ disable user logins until the system is ready.
+ </para>
</refsect1>
<refsect1>
diff --git a/tmpfiles.d/systemd-forbid-user-logins.conf.noauto b/tmpfiles.d/systemd-forbid-user-logins.conf.noauto
new file mode 100644
index 0000000..42ebc0b
--- /dev/null
+++ b/tmpfiles.d/systemd-forbid-user-logins.conf.noauto
@@ -0,0 +1,11 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) and systemd-forbid-user-logins.service(5).
+# This file has special suffix so it is not run by mistake.
+
+F /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)"
diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf
index a05c657..e921c2b 100644
--- a/tmpfiles.d/systemd.conf
+++ b/tmpfiles.d/systemd.conf
@@ -22,8 +22,6 @@ d /run/systemd/users 0755 root root -
d /run/systemd/machines 0755 root root -
d /run/systemd/shutdown 0755 root root -
-F /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)"
-
m /var/log/journal 2755 root systemd-journal - -
m /var/log/journal/%m 2755 root systemd-journal - -
m /run/log/journal 2755 root systemd-journal - -
diff --git a/units/.gitignore b/units/.gitignore
index 76c4cb3..804daa3 100644
--- a/units/.gitignore
+++ b/units/.gitignore
@@ -24,6 +24,7 @@
/systemd-binfmt.service
/systemd-bus-driverd.service
/systemd-bus-proxyd at .service
+/systemd-forbid-user-logins.service
/systemd-fsck-root.service
/systemd-fsck at .service
/systemd-halt.service
diff --git a/units/systemd-forbid-user-logins.service.in b/units/systemd-forbid-user-logins.service.in
new file mode 100644
index 0000000..fe4a4d2
--- /dev/null
+++ b/units/systemd-forbid-user-logins.service.in
@@ -0,0 +1,21 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Create /run/nologin
+DefaultDependencies=no
+Wants=local-fs.target
+Conflicts=shutdown.target
+After=systemd-readahead-collect.service systemd-readahead-replay.service local-fs.target
+Before=sysinit.target shutdown.target
+RefuseManualStart=yes
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@rootbindir@/systemd-tmpfiles --create @tmpfilesdir@/systemd-forbid-user-logins.conf.noauto
diff --git a/units/systemd-tmpfiles-setup.service.in b/units/systemd-tmpfiles-setup.service.in
index 6f98063..3405e28 100644
--- a/units/systemd-tmpfiles-setup.service.in
+++ b/units/systemd-tmpfiles-setup.service.in
@@ -14,6 +14,7 @@ Conflicts=shutdown.target
After=systemd-readahead-collect.service systemd-readahead-replay.service local-fs.target
Before=sysinit.target shutdown.target
ConditionDirectoryNotEmpty=|/usr/lib/tmpfiles.d
+ConditionDirectoryNotEmpty=|/lib/tmpfiles.d
ConditionDirectoryNotEmpty=|/usr/local/lib/tmpfiles.d
ConditionDirectoryNotEmpty=|/etc/tmpfiles.d
ConditionDirectoryNotEmpty=|/run/tmpfiles.d
--
1.8.1.rc0.194.gaf2e3a9
More information about the systemd-devel
mailing list