| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
Brief is sweet.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enabling these options when not running as root requires a user
namespace, so implicitly enable PrivateUsers=.
This has a side effect as it changes which users are visible to the unit.
However until now these options did not work at all for user units, and
in practice just a handful of user units in Fedora, Debian and Ubuntu
mistakenly used them (and they have been all fixed since).
This fixes the long-standing confusing issue that the user and system
units take the same options but the behaviour is wildly (and sometimes
silently) different depending on which is which, with user units
requiring manually specifiying PrivateUsers= in order for sandboxing
options to actually work and not be silently ignored.
|
|
|
|
|
|
|
|
|
|
|
|
| |
systemd-repart needs to find mkfs.ext4 for the test.
This is located in the directory /usr/sbin on openSUSE Tumbleweed.
But since the variable ALWAYS_SET_PATH in /etc/login.defs is set to yes,
su re-initializes the $PATH variable and removes /usr/sbin.
Hence, mkfs.ext4 is not found and the test fails.
Using setpriv instead of su fixes this issue and is more appropriate to
do the switch user task from root.
[zjs: move setpriv to $BASICTOOLS and force-push to retrigger CI]
|
|
|
|
|
|
|
|
|
|
| |
(The one case that is left unchanged is '< <(subcommand)'.)
This way, the style with no gap was already dominant. This way, the reader
immediately knows that ' < ' is a comparison operator and ' << ' is a shift.
In a few cases, replace custom EOF replacement by just EOF. There is no point
in using someting like "_EOL" unless "EOF" appears in the text.
|
| |
|
|
|
|
|
|
|
| |
Unprivileged overlayfs is supported since Linux 5.11. The only
change needed to get ExtensionDirectories to work is to avoid
hard-coding the staging directory to the system manager runtime
directory, everything else just works (TM).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The only piece missing was to somehow make /proc appear in the
new user+mount namespace. It is not possible to mount a new
/proc instance, not even with hidepid=invisible,subset=pid, in
a user namespace unless a PID namespace is created too (and also
at the same time as the other namespaces, it is not possible to
mount a new /proc in a child process that creates a PID namespace
forked from a parent that created a user+mount namespace, it has
to happen at the same time).
Use the host's /proc with a bind-mount as a fallback for this
case. User session services would already run with it, so
nothing is lost.
|
| |
|
| |
|
| |
|
|
|
|
| |
This should make the scripts more robust.
|
|
|
|
|
|
| |
We were invoking 'systemd-run bash', but the test invoked by bash
was not effective. When the result of that check is propagated, the
outer command fails.
|
|
|
|
|
| |
<< EOF → <<EOF
> foo < bar → >foo <bar
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise we might be checking results of such calls before they even
finish, causing nasty races like:
```
[ 15.656530] testsuite-43.sh[303]: + su testuser -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh systemd-run --user --unit=test-unprotected-home -P touch /home/testuser/works.txt
...
[ 15.757744] testsuite-43.sh[324]: Running as unit: test-unprotected-home.service
[ 15.775611] systemd[296]: Started /usr/bin/touch /home/testuser/works.txt.
[ 15.783597] testsuite-43.sh[303]: + test -e /home/testuser/works.txt
[ 15.787542] systemd[296]: test-unprotected-home.service: Succeeded.
...
[ 15.787684] systemd[1]: Received SIGCHLD from PID 303 (bash).
[ 15.787790] systemd[1]: Child 303 (bash) died (code=exited, status=1/FAILURE)
[ 15.787881] systemd[1]: testsuite-43.service: Child 303 belongs to testsuite-43.service.
[ 15.788040] systemd[1]: testsuite-43.service: Main process exited, code=exited, status=1/FAILURE
[ 15.788224] systemd[1]: testsuite-43.service: Failed with result 'exit-code'.
[ 15.788333] systemd[1]: testsuite-43.service: Service will not restart (restart setting)
[ 15.788421] systemd[1]: testsuite-43.service: Changed start -> failed
[ 15.788790] systemd[1]: testsuite-43.service: Job 160 testsuite-43.service/start finished, result=failed
[ 15.788995] systemd[1]: Failed to start testsuite-43.service.
```
|
|
Setup of lingering is dropped. I don't think it's necessary for anything,
because the unit is still pulled in from the testsuite service.
|