Lennart Poettering 6c47cd7d3b execute: make StateDirectory= and friends compatible with DynamicUser=1 and RootDirectory=/RootImage=
Let's clean up the interaction of StateDirectory= (and friends) to
DynamicUser=1: instead of creating these directories directly below
/var/lib, place them in /var/lib/private instead if DynamicUser=1 is
set, making that directory 0700 and owned by root:root. This way, if a
dynamic UID is later reused, access to the old run's state directory is
prohibited for that user. Then, use file system namespacing inside the
service to make /var/lib/private a readable tmpfs, hiding all state
directories that are not listed in StateDirectory=, and making access to
the actual state directory possible. Mount all directories listed in
StateDirectory= to the same places inside the service (which means
they'll now be mounted into the tmpfs instance). Finally, add a symlink
from the state directory name in /var/lib/ to the one in
/var/lib/private, so that both the host and the service can access the
path under the same location.

Here's an example: let's say a service runs with StateDirectory=foo.
When DynamicUser=0 is set, it will get the following setup, and no
difference between what the unit and what the host sees:

        /var/lib/foo (created as directory)

Now, if DynamicUser=1 is set, we'll instead get this on the host:

        /var/lib/private (created as directory with mode 0700, root:root)
        /var/lib/private/foo (created as directory)
        /var/lib/foo → private/foo (created as symlink)

And from inside the unit:

        /var/lib/private (a tmpfs mount with mode 0755, root:root)
        /var/lib/private/foo (bind mounted from the host)
        /var/lib/foo → private/foo (the same symlink as above)

This takes inspiration from how container trees are protected below
/var/lib/machines: they generally reuse UIDs/GIDs of the host, but
because /var/lib/machines itself is set to 0700 host users cannot access
files in the container tree even if the UIDs/GIDs are reused. However,
for this commit we add one further trick: inside and outside of the unit
/var/lib/private is a different thing: outside it is a plain,
inaccessible directory, and inside it is a world-readable tmpfs mount
with only the whitelisted subdirs below it, bind mounted in.  This
means, from the outside the dir acts as an access barrier, but from the
inside it does not. And the symlink created in /var/lib/foo itself
points across the barrier in both cases, so that root and the unit's
user always have access to these dirs without knowing the details of
this mounting magic.

This logic resolves a major shortcoming of DynamicUser=1 units:
previously they couldn't safely store persistent data. With this change
they can have their own private state, log and data directories, which
they can write to, but which are protected from UID recycling.

With this change, if RootDirectory= or RootImage= are used it is ensured
that the specified state/log/cache directories are always mounted in
from the host. This change of semantics I think is much preferable since
this means the root directory/image logic can be used easily for
read-only resource bundling (as all writable data resides outside of the
image). Note that this is a change of behaviour, but given that we
haven't released any systemd version with StateDirectory= and friends
implemented this should be a safe change to make (in particular as
previously it wasn't clear what would actually happen when used in
combination). Moreover, by making this change we can later add a "+"
modifier to these settings too working similar to the same modifier in
ReadOnlyPaths= and friends, making specified paths relative to the
container itself.
2017-10-02 17:41:44 +02:00
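
Added example, not part of the commit or of systemd's own code: a host-side audit of the layout the commit message above describes for StateDirectory=foo with DynamicUser=1 (0700 barrier directory, state directory behind it, relative symlink across it). The function and helper names and the constructed temporary tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_state_dir(name, var_lib="/var/lib", uid=0, gid=0):
    """Check the host-side layout for StateDirectory=<name> with DynamicUser=1.

    Returns a list of findings; an empty list means the layout matches.
    """
    private = os.path.join(var_lib, "private")
    link = os.path.join(var_lib, name)
    findings = []
    try:
        st = os.lstat(private)  # lstat: a symlink here must not pass as a directory
    except FileNotFoundError:
        return [f"{private}: missing"]
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{private}: not a directory")
    if mode != 0o700:
        findings.append(f"{private}: mode {mode:04o}, expected 0700")
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append(f"{private}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    # The state directory itself lives behind the barrier ...
    if not os.path.isdir(os.path.join(private, name)):
        findings.append(f"{private}/{name}: missing or not a directory")
    # ... and /var/lib/<name> is only a relative symlink across it.
    if not os.path.islink(link):
        findings.append(f"{link}: not a symlink")
    elif os.readlink(link) != os.path.join("private", name):
        findings.append(f"{link}: points to {os.readlink(link)}")
    return findings


def make_constructed_tree(name="foo", private_mode=0o700):
    """Build a throwaway copy of the layout under a temp dir (constructed sample)."""
    root = tempfile.mkdtemp()
    private = os.path.join(root, "private")
    os.makedirs(os.path.join(private, name))
    os.chmod(private, private_mode)  # explicit chmod: mkdir is subject to umask
    os.symlink(os.path.join("private", name), os.path.join(root, name))
    return root


if __name__ == "__main__":
    root = make_constructed_tree()
    st = os.stat(os.path.join(root, "private"))
    # On a real host, call audit_state_dir("foo") as root with the defaults.
    print(audit_state_dir("foo", var_lib=root, uid=st.st_uid, gid=st.st_gid))
```

The audit covers the host view only; inside the unit /var/lib/private is the 0755 tmpfs described above, so the mode check would not apply there.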
.github CONTRIBUTING: stop mentioning "make check" 2017-08-21 09:47:07 +02:00
.mkosi mkosi.arch: fix comment (#6470) 2017-07-28 09:24:12 +02:00
catalog catalog: update Polish translation (#6947) 2017-09-30 14:39:29 +02:00
coccinelle tree-wide: use !IN_SET(..) for a != b && a != c && … 2017-10-02 13:09:56 +02:00
docs build-sys: drop gitignore patterns for in-tree builds 2017-07-18 10:05:06 -04:00
factory/etc factory: remove broken pam_limits 2014-07-30 15:21:54 +02:00
hwdb hwdb: sort usb classes and vendors 2017-10-02 13:19:23 +02:00
man man: document that PAMName= and NotifyAccess=all don't mix well. 2017-10-02 12:58:42 +02:00
modprobe.d modprobe.d: ship drop-in to set bonding max_bonds to 0 (#6448) 2017-08-02 08:41:18 -04:00
network build-sys: drop automake support 2017-07-18 10:04:44 -04:00
po Added Romanian Translation (#6674) 2017-08-28 18:24:09 +02:00
rules fix path in btrfs rule (#6844) 2017-09-15 21:28:24 +02:00
shell-completion analyze: add get-log-level, get-log-target verbs 2017-09-07 23:55:59 +02:00
src execute: make StateDirectory= and friends compatible with DynamicUser=1 and RootDirectory=/RootImage= 2017-10-02 17:41:44 +02:00
sysctl.d build-sys: drop gitignore patterns for in-tree builds 2017-07-18 10:05:06 -04:00
system-preset build-sys: drop automake support 2017-07-18 10:04:44 -04:00
sysusers.d units,sysusers: use DynamicUser= for journal-gatewayd and drop user systemd-journal-gateway from sysusers 2017-07-28 13:37:10 +09:00
test sys-script: remove output directory if it exists 2017-09-29 12:28:25 +02:00
tmpfiles.d tmpfiles.d/journal-nocow: fix typo (#6804) 2017-09-12 13:28:21 -03:00
tools hwdb: update 2017-10-02 13:19:21 +02:00
units Revert "units: don't kill the emergency shell when sysinit.target is triggered (#6765)" (#6904) 2017-09-26 19:47:50 +02:00
xorg login: support user-bus on dbus1 2015-08-31 18:12:37 +02:00
.dir-locals.el meson: also indent scripts with 8 spaces 2017-04-25 08:49:16 -04:00
.editorconfig editorconfig: add rule for meson.build files (#6671) 2017-08-28 16:37:23 +02:00
.gitattributes git: indicate that tabs are never OK in the systemd tree 2013-10-30 02:25:38 +01:00
.gitignore build-sys: drop gitignore patterns for in-tree builds 2017-07-18 10:05:06 -04:00
.mailmap mailmap: add entry to fix encoding issues 2017-09-15 17:18:29 +02:00
.travis.yml remove gudev and gtk-doc 2015-06-03 00:22:53 +02:00
.vimrc vimrc: fix indentation logic for our docbook xml files 2016-04-29 12:23:34 +02:00
.ycm_extra_conf.py ycm: update flag blacklist 2014-06-04 15:41:10 -04:00
CODING_STYLE tree-wide: set SA_RESTART for signal handlers we install 2016-12-01 12:41:17 +01:00
configure build-sys: add basic support for ./configure && make && make install 2017-07-18 10:05:06 -04:00
DISTRO_PORTING DISTRO_PORTING: document that distros may/should change fallback DNS as well as fallback NTP if they wish 2017-07-24 11:49:16 +02:00
ENVIRONMENT.md documentation: document nss-systemd's internal environment variables in ENVIRONMENT.md 2017-09-22 15:24:55 +02:00
HACKING HACKING: update for meson 2017-07-18 10:05:06 -04:00
LICENSE.GPL2 relicense to LGPLv2.1 (with exceptions) 2012-04-12 00:24:39 +02:00
LICENSE.LGPL2.1 licence: remove references to old FSF address 2012-12-17 11:41:31 +01:00
Makefile build-sys: Fix Makefile wrapper for install target (#6548) 2017-08-07 11:29:20 +02:00
meson_options.txt Merge pull request #6420 from keszybz/gateway-name 2017-08-01 09:43:41 +02:00
meson.build meson: move library version defines to the top (#6939) 2017-09-28 19:24:16 +02:00
mkosi.build mkosi: when the build fails, show its log output, and propagate error 2017-09-22 15:24:55 +02:00
mkosi.default mkosi: create .mkosi directory 2016-10-06 11:53:58 -04:00
NEWS prepare NEWS for 235 2017-09-28 11:26:02 +02:00
README build-sys: require libmount >= 2.30 (#6795) 2017-09-15 14:47:57 +02:00
README.md README: include small graphs of open issues and pull requests (#5576) 2017-03-13 08:10:04 +01:00
TODO add some more things to TODO 2017-09-28 11:26:11 +02:00

systemd - System and Service Manager

Details

General information about systemd can be found in the systemd Wiki.

Information about build requirements is provided in the README file.

Consult our NEWS file for information about what's new in the most recent systemd versions.

Please see the HACKING file for information about how to hack on systemd and test your modifications.

Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.

When preparing patches for systemd, please follow our Coding Style Guidelines.

If you are looking for support, please contact our mailing list or join our IRC channel.