parent
aa41892ec0
commit
c8fc9c39c7
@ -0,0 +1,117 @@
|
|||||||
|
From f896e672ec6101ccbb21108345946e834455a25f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Franck Bui <fbui@suse.com>
|
||||||
|
Date: Fri, 3 Apr 2020 10:00:25 +0200
|
||||||
|
Subject: [PATCH] pid1: by default make user units inherit their umask from the
|
||||||
|
user manager
|
||||||
|
|
||||||
|
This patch changes the way user managers set the default umask for the units it
|
||||||
|
manages.
|
||||||
|
|
||||||
|
Indeed one can expect that if user manager's umask is redefined through PAM
|
||||||
|
(via /etc/login.defs or pam_umask), all its children including the units it
|
||||||
|
spawns have their umask set to the new value.
|
||||||
|
|
||||||
|
Hence make user units inherit their umask value from their parent instead of
|
||||||
|
the hard coded value 0022 but allow them to override this value via their unit
|
||||||
|
file.
|
||||||
|
|
||||||
|
Note that reexecuting managers with 'systemctl daemon-reexec' after changing
|
||||||
|
UMask= has no effect. To take effect managers need to be restarted with
|
||||||
|
'systemct restart' instead. This behavior was already present before this
|
||||||
|
patch.
|
||||||
|
|
||||||
|
Fixes #6077.
|
||||||
|
|
||||||
|
(cherry picked from commit 5e37d1930b41b24c077ce37c6db0e36c745106c7)
|
||||||
|
|
||||||
|
Related: RHEL-28048
|
||||||
|
---
|
||||||
|
man/systemd.exec.xml | 9 +++++++--
|
||||||
|
src/basic/process-util.c | 17 +++++++++++++++++
|
||||||
|
src/basic/process-util.h | 1 +
|
||||||
|
src/core/unit.c | 12 ++++++++++--
|
||||||
|
4 files changed, 35 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
|
||||||
|
index b04b4ba552..844c1ce94b 100644
|
||||||
|
--- a/man/systemd.exec.xml
|
||||||
|
+++ b/man/systemd.exec.xml
|
||||||
|
@@ -590,8 +590,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
||||||
|
<term><varname>UMask=</varname></term>
|
||||||
|
|
||||||
|
<listitem><para>Controls the file mode creation mask. Takes an access mode in octal notation. See
|
||||||
|
- <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details. Defaults
|
||||||
|
- to 0022.</para></listitem>
|
||||||
|
+ <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
|
||||||
|
+ details. Defaults to 0022 for system units. For units of the user service manager the default value
|
||||||
|
+ is inherited from the user instance (whose default is inherited from the system service manager, and
|
||||||
|
+ thus also is 0022). Hence changing the default value of a user instance, either via
|
||||||
|
+ <varname>UMask=</varname> or via a PAM module, will affect the user instance itself and all user
|
||||||
|
+ units started by the user instance unless a user unit has specified its own
|
||||||
|
+ <varname>UMask=</varname>.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
|
||||||
|
index 9e2237375d..af44bfab3e 100644
|
||||||
|
--- a/src/basic/process-util.c
|
||||||
|
+++ b/src/basic/process-util.c
|
||||||
|
@@ -657,6 +657,23 @@ int get_process_ppid(pid_t pid, pid_t *ret) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+int get_process_umask(pid_t pid, mode_t *umask) {
|
||||||
|
+ _cleanup_free_ char *m = NULL;
|
||||||
|
+ const char *p;
|
||||||
|
+ int r;
|
||||||
|
+
|
||||||
|
+ assert(umask);
|
||||||
|
+ assert(pid >= 0);
|
||||||
|
+
|
||||||
|
+ p = procfs_file_alloca(pid, "status");
|
||||||
|
+
|
||||||
|
+ r = get_proc_field(p, "Umask", WHITESPACE, &m);
|
||||||
|
+ if (r == -ENOENT)
|
||||||
|
+ return -ESRCH;
|
||||||
|
+
|
||||||
|
+ return parse_mode(m, umask);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int wait_for_terminate(pid_t pid, siginfo_t *status) {
|
||||||
|
siginfo_t dummy;
|
||||||
|
|
||||||
|
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
|
||||||
|
index a3bd2851b4..9059aad4cc 100644
|
||||||
|
--- a/src/basic/process-util.h
|
||||||
|
+++ b/src/basic/process-util.h
|
||||||
|
@@ -41,6 +41,7 @@ int get_process_cwd(pid_t pid, char **cwd);
|
||||||
|
int get_process_root(pid_t pid, char **root);
|
||||||
|
int get_process_environ(pid_t pid, char **environ);
|
||||||
|
int get_process_ppid(pid_t pid, pid_t *ppid);
|
||||||
|
+int get_process_umask(pid_t pid, mode_t *umask);
|
||||||
|
|
||||||
|
int wait_for_terminate(pid_t pid, siginfo_t *status);
|
||||||
|
|
||||||
|
diff --git a/src/core/unit.c b/src/core/unit.c
|
||||||
|
index 76fb9f8075..d3459dcdd0 100644
|
||||||
|
--- a/src/core/unit.c
|
||||||
|
+++ b/src/core/unit.c
|
||||||
|
@@ -167,8 +167,16 @@ static void unit_init(Unit *u) {
|
||||||
|
if (ec) {
|
||||||
|
exec_context_init(ec);
|
||||||
|
|
||||||
|
- ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
|
||||||
|
- EXEC_KEYRING_SHARED : EXEC_KEYRING_INHERIT;
|
||||||
|
+ if (MANAGER_IS_SYSTEM(u->manager))
|
||||||
|
+ ec->keyring_mode = EXEC_KEYRING_SHARED;
|
||||||
|
+ else {
|
||||||
|
+ ec->keyring_mode = EXEC_KEYRING_INHERIT;
|
||||||
|
+
|
||||||
|
+ /* User manager might have its umask redefined by PAM or UMask=. In this
|
||||||
|
+ * case let the units it manages inherit this value by default. They can
|
||||||
|
+ * still tune this value through their own unit file */
|
||||||
|
+ (void) get_process_umask(getpid_cached(), &ec->umask);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
kc = unit_get_kill_context(u);
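Review bot: In `get_process_umask()` only `-ENOENT` from `get_proc_field()` is handled, so any other failure falls through to `parse_mode(m, umask)` with `m` presumably still NULL; add `if (r < 0) return r;` right after the `-ESRCH` mapping. This matters if the `Umask` field is absent from the status file, where the lookup presumably fails with a different error code (the contract of `get_proc_field()` is not visible in this patch). The caller in `unit_init()` casts the result to `(void)`, so a failure silently leaves `ec->umask` at whatever `exec_context_init()` set. A `log_debug_errno()` at that call would make an unexpected default mask traceable.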
|
@ -0,0 +1,28 @@
|
|||||||
|
From 49dbe60d4b3c6f111911c8217bc5e7da5a4ba0d0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Sekletar <msekleta@redhat.com>
|
||||||
|
Date: Wed, 31 May 2023 18:50:12 +0200
|
||||||
|
Subject: [PATCH] pam: add call to pam_umask
|
||||||
|
|
||||||
|
Setting umask for user sessions via UMASK setting in /etc/login.defs is
|
||||||
|
a well-known feature. Let's make sure that user manager also runs with
|
||||||
|
this umask value.
|
||||||
|
|
||||||
|
Follow-up for 5e37d1930b41b24c077ce37c6db0e36c745106c7.
|
||||||
|
|
||||||
|
(cherry picked from commit 159f1b78576ce91c3932f4867f07361a530875d3)
|
||||||
|
|
||||||
|
Resolves: RHEL-28048
|
||||||
|
---
|
||||||
|
src/login/systemd-user.m4 | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
|
||||||
|
index eb291beaed..a194a636d6 100644
|
||||||
|
--- a/src/login/systemd-user.m4
|
||||||
|
+++ b/src/login/systemd-user.m4
|
||||||
|
@@ -10,4 +10,5 @@ session required pam_selinux.so nottys open
|
||||||
|
session required pam_loginuid.so
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session required pam_namespace.so
|
||||||
|
+session optional pam_umask.so silent
|
||||||
|
session optional pam_systemd.so
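Review bot: The new `pam_umask.so` line has no comment saying that the mask it applies becomes the default for every user unit, not only for the user manager, since units inherit the manager's umask after the commit this one follows up on. A permissive `UMASK` in /etc/login.defs therefore loosens the mode of files created by user services that previously defaulted to 0022. Consider adding `# umask set here is inherited by all user units unless they set UMask=` above the line, and setting `UMask=` explicitly in units that write sensitive files. Because the module is `optional`, a failure presumably leaves the inherited mask in place, which is the safer direction.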
|
@ -0,0 +1,81 @@
|
|||||||
|
From 045ba12c6337760f0a7f8b0ceb9f998b309e025f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan Macku <jamacku@redhat.com>
|
||||||
|
Date: Fri, 9 Feb 2024 14:48:02 +0100
|
||||||
|
Subject: [PATCH] ci: deploy systemd man to GitHub Pages
|
||||||
|
|
||||||
|
rhel-only
|
||||||
|
|
||||||
|
Related: RHEL-32494
|
||||||
|
|
||||||
|
Co-authored-by: Frantisek Sumsal <frantisek@sumsal.cz>
|
||||||
|
---
|
||||||
|
.github/workflows/deploy-man-pages.yml | 60 ++++++++++++++++++++++++++
|
||||||
|
1 file changed, 60 insertions(+)
|
||||||
|
create mode 100644 .github/workflows/deploy-man-pages.yml
|
||||||
|
|
||||||
|
diff --git a/.github/workflows/deploy-man-pages.yml b/.github/workflows/deploy-man-pages.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..9da38a1687
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/.github/workflows/deploy-man-pages.yml
|
||||||
|
@@ -0,0 +1,60 @@
|
||||||
|
+name: Deploy systemd man to Pages
|
||||||
|
+
|
||||||
|
+on:
|
||||||
|
+ push:
|
||||||
|
+ branches: [ rhel-8.10.0 ]
|
||||||
|
+ paths:
|
||||||
|
+ - man/*
|
||||||
|
+ - .github/workflows/deploy-man-pages.yml
|
||||||
|
+ schedule:
|
||||||
|
+ # Run every Monday at 4:00 AM UTC
|
||||||
|
+ - cron: 0 4 * * 1
|
||||||
|
+ workflow_dispatch:
|
||||||
|
+
|
||||||
|
+permissions:
|
||||||
|
+ contents: read
|
||||||
|
+
|
||||||
|
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
|
||||||
|
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
|
||||||
|
+concurrency:
|
||||||
|
+ group: pages
|
||||||
|
+ cancel-in-progress: false
|
||||||
|
+
|
||||||
|
+jobs:
|
||||||
|
+ # Single deploy job since we're just deploying
|
||||||
|
+ deploy:
|
||||||
|
+ environment:
|
||||||
|
+ name: github-pages
|
||||||
|
+ url: ${{ steps.deployment.outputs.page_url }}
|
||||||
|
+ runs-on: ubuntu-latest
|
||||||
|
+
|
||||||
|
+ permissions:
|
||||||
|
+ pages: write
|
||||||
|
+ id-token: write
|
||||||
|
+
|
||||||
|
+ steps:
|
||||||
|
+ - uses: actions/checkout@v4
|
||||||
|
+
|
||||||
|
+ - name: Install dependencies
|
||||||
|
+ run: |
|
||||||
|
+ RELEASE="$(lsb_release -cs)"
|
||||||
|
+ sudo add-apt-repository -y --no-update --enable-source
|
||||||
|
+ sudo apt-get -y update
|
||||||
|
+ sudo apt-get -y build-dep systemd
|
||||||
|
+
|
||||||
|
+ - name: Build HTML man pages
|
||||||
|
+ run: |
|
||||||
|
+ meson setup build
|
||||||
|
+ ninja -C build man/html
|
||||||
|
+
|
||||||
|
+ - name: Setup Pages
|
||||||
|
+ uses: actions/configure-pages@v4
|
||||||
|
+
|
||||||
|
+ - name: Upload artifact
|
||||||
|
+ uses: actions/upload-pages-artifact@v3
|
||||||
|
+ with:
|
||||||
|
+ path: ./build/man
|
||||||
|
+
|
||||||
|
+ - name: Deploy to GitHub Pages
|
||||||
|
+ id: deployment
|
||||||
|
+ uses: actions/deploy-pages@v4
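Review bot: The single `deploy` job grants `pages: write` and `id-token: write` to every step, including the apt install and the meson/ninja build, which need neither. Splitting the work into a `build` job that inherits only the workflow-level `contents: read`, and a `deploy` job with `needs: build` that holds the two write permissions, keeps the deployment credentials away from build tooling. The four `uses:` lines reference mutable tags (`@v4`, `@v3`); pinning each to a full commit SHA with the tag as a trailing comment would protect the published pages against a retargeted tag. `RELEASE` is assigned in the install step but not used in the visible lines, which suggests the `add-apt-repository` call lost an argument or the variable is dead.

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # … unchanged: checkout, Install dependencies, Build HTML man pages, Upload artifact …

  deploy:
    needs: build
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    permissions:
      pages: write
      id-token: write
    steps:
      # … unchanged: Setup Pages …
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4
```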
|
@ -0,0 +1,24 @@
|
|||||||
|
From 604d2f1c8b6ecb46be7f70c5be7ae6fc6be04cab Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan Macku <jamacku@redhat.com>
|
||||||
|
Date: Thu, 11 Apr 2024 10:14:51 +0200
|
||||||
|
Subject: [PATCH] ci(src-git): update list of supported products
|
||||||
|
|
||||||
|
rhel-only
|
||||||
|
|
||||||
|
Related: RHEL-32494
|
||||||
|
---
|
||||||
|
.github/tracker-validator.yml | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
|
||||||
|
index b09f702dd9..1bb684e722 100644
|
||||||
|
--- a/.github/tracker-validator.yml
|
||||||
|
+++ b/.github/tracker-validator.yml
|
||||||
|
@@ -16,5 +16,5 @@ products:
|
||||||
|
- rhel-8.8.0.z
|
||||||
|
- rhel-8.9.0
|
||||||
|
- rhel-8.9.0.z
|
||||||
|
- - rhel-8.10.0
|
||||||
|
- - rhel-8.10.0.z
|
||||||
|
+ - rhel-8.10
|
||||||
|
+ - rhel-8.10.z
|