authorLennart Poettering <lennart@poettering.net>2018-02-22 14:21:30 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2018-02-22 14:21:30 +0100
commit6e11e7e67db3d9ccf472cb92a6030c084417bbb7 (patch)
tree41947cbe3f2106993d91611d4b0929ec85189a79
parentc5c07649c2fa0f5830058e6f0d84b955c7951cf4 (diff)
nologin: extend the /run/nologin descriptions a bit (#8244)
This is an attempt to improve #8228 a bit, by extending the /run/nologin descriptions a bit, but still keeping them somewhat brief. On purpose I used the vague wording "unprivileged user" rather than "non-root user" so that pam_nologin can be updated to disable its behaviour for members of the "wheel" group one day, and our messages would still make sense. See #8228.
-rw-r--r--src/basic/fileio-label.c16
-rw-r--r--src/basic/fileio-label.h5
-rw-r--r--src/login/logind-dbus.c8
-rw-r--r--src/user-sessions/user-sessions.c9
-rw-r--r--tmpfiles.d/systemd-nologin.conf2
5 files changed, 25 insertions, 15 deletions
diff --git a/src/basic/fileio-label.c b/src/basic/fileio-label.c
index bf5fec1faa..b832b6bf04 100644
--- a/src/basic/fileio-label.c
+++ b/src/basic/fileio-label.c
@@ -67,3 +67,19 @@ int fopen_temporary_label(const char *target,
return r;
}
+
+int create_shutdown_run_nologin_or_warn(void) {
+ int r;
+
+ /* This is used twice: once in systemd-user-sessions.service, in order to block logins when we actually go
+ * down, and once in systemd-logind.service when shutdowns are scheduled, and logins are to be turned off a bit
+ * in advance. We use the same wording of the message in both cases. */
+
+ r = write_string_file_atomic_label("/run/nologin",
+ "System is going down. Unprivileged users are not permitted to log in anymore. "
+ "For technical details, see pam_nologin(8).");
+ if (r < 0)
+ return log_error_errno(r, "Failed to create /run/nologin: %m");
+
+ return 0;
+}
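Review bot: The comment inside `create_shutdown_run_nologin_or_warn()` says where the helper is called from but not what it returns, and the prototype added to fileio-label.h carries no comment at all. The file it writes is the one pam_nologin(8) consults to refuse logins, so callers need to know that a failure is reported to them and already logged, and that they decide what to do with it. I would put a short header comment above the definition and the prototype, for example `/* Writes the shutdown notice to /run/nologin. Returns 0 on success, or a negative errno-style error after logging it. */`.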
diff --git a/src/basic/fileio-label.h b/src/basic/fileio-label.h
index 0adb895236..16d095f522 100644
--- a/src/basic/fileio-label.h
+++ b/src/basic/fileio-label.h
@@ -34,5 +34,6 @@ static inline int write_string_file_atomic_label(const char *fn, const char *lin
return write_string_file_atomic_label_ts(fn, line, NULL);
}
int write_env_file_label(const char *fname, char **l);
-int fopen_temporary_label(const char *target,
- const char *path, FILE **f, char **temp_path);
+int fopen_temporary_label(const char *target, const char *path, FILE **f, char **temp_path);
+
+int create_shutdown_run_nologin_or_warn(void);
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index aa4bbf7739..a8c1b71e7e 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -1930,15 +1930,11 @@ static int nologin_timeout_handler(
void *userdata) {
Manager *m = userdata;
- int r;
log_info("Creating /run/nologin, blocking further logins...");
- r = write_string_file_atomic_label("/run/nologin", "System is going down.");
- if (r < 0)
- log_error_errno(r, "Failed to create /run/nologin: %m");
- else
- m->unlink_nologin = true;
+ m->unlink_nologin =
+ create_shutdown_run_nologin_or_warn() >= 0;
return 0;
}
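Review bot: The assignment `m->unlink_nologin = create_shutdown_run_nologin_or_warn() >= 0;` is not equivalent to the code it replaces: the removed `else` branch only ever set the flag to true, while the new line also resets it to false when the write fails. If the flag was already true from an earlier successful creation, a later failed attempt would clear it; assuming the flag drives removal of /run/nologin when a scheduled shutdown is cancelled (that code is outside this hunk), the existing file could then be left behind and keep unprivileged logins blocked. Keeping the old semantics needs only `if (create_shutdown_run_nologin_or_warn() >= 0)` followed by `m->unlink_nologin = true;`. The handler's signature starts above the hunk.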
diff --git a/src/user-sessions/user-sessions.c b/src/user-sessions/user-sessions.c
index 5e02ede402..8e8d43e1d4 100644
--- a/src/user-sessions/user-sessions.c
+++ b/src/user-sessions/user-sessions.c
@@ -51,12 +51,9 @@ int main(int argc, char*argv[]) {
if (k < 0 && r >= 0)
r = k;
- } else if (streq(argv[1], "stop")) {
- r = write_string_file_atomic_label("/run/nologin", "System is going down.");
- if (r < 0)
- log_error_errno(r, "Failed to create /run/nologin: %m");
-
- } else {
+ } else if (streq(argv[1], "stop"))
+ r = create_shutdown_run_nologin_or_warn();
+ else {
log_error("Unknown verb '%s'.", argv[1]);
r = -EINVAL;
}
diff --git a/tmpfiles.d/systemd-nologin.conf b/tmpfiles.d/systemd-nologin.conf
index a30a8da604..df4dd63272 100644
--- a/tmpfiles.d/systemd-nologin.conf
+++ b/tmpfiles.d/systemd-nologin.conf
@@ -8,4 +8,4 @@
# See tmpfiles.d(5), systemd-user-session.service(5) and pam_nologin(8).
# This file has special suffix so it is not run by mistake.
-F! /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)"
+F! /run/nologin 0644 - - - "System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8)."