This has come up before, and will come up again: running systemd-tmpfiles --create kills user logins. In principle this is documented, but in practice people don't always read the documentation. Split out /run/nologin creation so it's harder to execute it by mistake.
https://bugzilla.redhat.com/show_bug.cgi?id=1043212 --- Hi Lennart, this patch is essentially harmless, but not very pretty, so I'm sending it to the mailing list in case you want to veto it. Zbyszek Makefile-man.am | 5 +++++ Makefile.am | 12 +++++++---- man/systemd-tmpfiles.xml | 26 +++++++++++++++-------- tmpfiles.d/systemd-forbid-user-logins.conf.noauto | 11 ++++++++++ tmpfiles.d/systemd.conf | 2 -- units/.gitignore | 1 + units/systemd-forbid-user-logins.service.in | 21 ++++++++++++++++++ units/systemd-tmpfiles-setup.service.in | 1 + 8 files changed, 64 insertions(+), 15 deletions(-) create mode 100644 tmpfiles.d/systemd-forbid-user-logins.conf.noauto create mode 100644 units/systemd-forbid-user-logins.service.in diff --git a/Makefile-man.am b/Makefile-man.am index c5f73d4..c337d09 100644 --- a/Makefile-man.am +++ b/Makefile-man.am @@ -180,6 +180,7 @@ MANPAGES_ALIAS += \ man/systemd-ask-password-console.path.8 \ man/systemd-ask-password-wall.path.8 \ man/systemd-ask-password-wall.service.8 \ + man/systemd-forbid-user-logins.service.8 \ man/systemd-fsck-root.service.8 \ man/systemd-fsck.8 \ man/systemd-hibernate.service.8 \ @@ -283,6 +284,7 @@ man/sd_notifyf.3: man/sd_notify.3 man/systemd-ask-password-console.path.8: man/systemd-ask-password-console.service.8 man/systemd-ask-password-wall.path.8: man/systemd-ask-password-console.service.8 man/systemd-ask-password-wall.service.8: man/systemd-ask-password-console.service.8 +man/systemd-forbid-user-logins.service.8: man/systemd-tmpfiles.8 man/systemd-fsck-root.service.8: man/systemd-fsck@.service.8 man/systemd-fsck.8: man/systemd-fsck@.service.8 man/systemd-hibernate.service.8: man/systemd-suspend.service.8 
@@ -538,6 +540,9 @@ man/systemd-ask-password-wall.path.html: man/systemd-ask-password-console.servic man/systemd-ask-password-wall.service.html: man/systemd-ask-password-console.service.html $(html-alias) +man/systemd-forbid-user-logins.service.html: man/systemd-tmpfiles.html + $(html-alias) + man/systemd-fsck-root.service.html: man/systemd-f...@.service.html $(html-alias) diff --git a/Makefile.am b/Makefile.am index 8507d8d..e1cd71f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1578,12 +1578,14 @@ dist_systemunit_DATA += \ nodist_systemunit_DATA += \ units/systemd-tmpfiles-setup-dev.service \ units/systemd-tmpfiles-setup.service \ - units/systemd-tmpfiles-clean.service + units/systemd-tmpfiles-clean.service \ + units/systemd-forbid-user-logins.service dist_tmpfiles_DATA = \ tmpfiles.d/systemd.conf \ tmpfiles.d/tmp.conf \ - tmpfiles.d/x11.conf + tmpfiles.d/x11.conf \ + tmpfiles.d/systemd-forbid-user-logins.conf.noauto if HAVE_SYSV_COMPAT dist_tmpfiles_DATA += \ @@ -1592,7 +1594,8 @@ endif SYSINIT_TARGET_WANTS += \ systemd-tmpfiles-setup-dev.service \ - systemd-tmpfiles-setup.service + systemd-tmpfiles-setup.service \ + systemd-forbid-user-logins.service dist_zshcompletion_DATA += \ shell-completion/zsh/_systemd-tmpfiles @@ -1608,7 +1611,8 @@ endif EXTRA_DIST += \ units/systemd-tmpfiles-setup-dev.service.in \ units/systemd-tmpfiles-setup.service.in \ - units/systemd-tmpfiles-clean.service.in + units/systemd-tmpfiles-clean.service.in \ + units/systemd-forbid-user-logins.service.in # ------------------------------------------------------------------------------ systemd_machine_id_setup_SOURCES = \ diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml index b90bd75..009c076 100644 --- a/man/systemd-tmpfiles.xml +++ b/man/systemd-tmpfiles.xml 
@@ -46,6 +46,7 @@ <refname>systemd-tmpfiles</refname> <refname>systemd-tmpfiles-setup.service</refname> <refname>systemd-tmpfiles-setup-dev.service</refname> + <refname>systemd-forbid-user-logins.service</refname> <refname>systemd-tmpfiles-clean.service</refname> <refname>systemd-tmpfiles-clean.timer</refname> <refpurpose>Creates, deletes and cleans up volatile @@ -54,11 +55,14 @@ <refsynopsisdiv> <cmdsynopsis> - <command>systemd-tmpfiles <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt" rep="repeat">CONFIGURATION FILE</arg></command> + <command>systemd-tmpfiles</command> + <arg choice="opt" rep="repeat">OPTIONS</arg> + <arg choice="opt" rep="repeat">CONFIGURATION FILE</arg> </cmdsynopsis> <para><filename>systemd-tmpfiles-setup.service</filename></para> <para><filename>systemd-tmpfiles-setup-dev.service</filename></para> + <para><filename>systemd-forbid-user-logins.service</filename></para> <para><filename>systemd-tmpfiles-clean.service</filename></para> <para><filename>systemd-tmpfiles-clean.timer</filename></para> </refsynopsisdiv> 
@@ -69,20 +73,24 @@ <para><command>systemd-tmpfiles</command> creates, deletes and cleans up volatile and temporary files and directories, based on the configuration file format and - location specified in <citerefentry> - <refentrytitle>tmpfiles.d</refentrytitle> - <manvolnum>5</manvolnum> - </citerefentry>.</para> + location specified in + <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + </para> <para>If invoked with no arguments, it applies all directives from all configuration files. If one or more filenames are passed on the command line, only the directives in these files are applied. If only the basename of a configuration file is specified, - all configuration directories as specified in <citerefentry> - <refentrytitle>tmpfiles.d</refentrytitle> - <manvolnum>5</manvolnum> - </citerefentry> are searched for a matching file.</para> + all configuration directories as specified in + <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> + are searched for a matching file.</para> + + <para>During bootup, + <filename>systemd-forbid-user-logins.service</filename> + will create <filename>/run/nologin</filename> to + disable user logins until the system is ready. + </para> </refsect1> <refsect1> diff --git a/tmpfiles.d/systemd-forbid-user-logins.conf.noauto b/tmpfiles.d/systemd-forbid-user-logins.conf.noauto new file mode 100644 index 0000000..42ebc0b --- /dev/null +++ b/tmpfiles.d/systemd-forbid-user-logins.conf.noauto 
@@ -0,0 +1,11 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# See tmpfiles.d(5) and systemd-forbid-user-logins.service(5). +# This file has special suffix so it is not run by mistake. + +F /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)" diff --git a/tmpfiles.d/systemd.conf b/tmpfiles.d/systemd.conf index a05c657..e921c2b 100644 --- a/tmpfiles.d/systemd.conf +++ b/tmpfiles.d/systemd.conf @@ -22,8 +22,6 @@ d /run/systemd/users 0755 root root - d /run/systemd/machines 0755 root root - d /run/systemd/shutdown 0755 root root - -F /run/nologin 0644 - - - "System is booting up. See pam_nologin(8)" - m /var/log/journal 2755 root systemd-journal - - m /var/log/journal/%m 2755 root systemd-journal - - m /run/log/journal 2755 root systemd-journal - - diff --git a/units/.gitignore b/units/.gitignore index 76c4cb3..804daa3 100644 --- a/units/.gitignore +++ b/units/.gitignore @@ -24,6 +24,7 @@ /systemd-binfmt.service /systemd-bus-driverd.service /systemd-bus-proxyd@.service +/systemd-forbid-user-logins.service /systemd-fsck-root.service /systemd-fsck@.service /systemd-halt.service diff --git a/units/systemd-forbid-user-logins.service.in b/units/systemd-forbid-user-logins.service.in new file mode 100644 index 0000000..fe4a4d2 --- /dev/null +++ b/units/systemd-forbid-user-logins.service.in 
@@ -0,0 +1,21 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Create /run/nologin +DefaultDependencies=no +Wants=local-fs.target +Conflicts=shutdown.target +After=systemd-readahead-collect.service systemd-readahead-replay.service local-fs.target +Before=sysinit.target shutdown.target +RefuseManualStart=yes +RefuseManualStop=yes + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=@rootbindir@/systemd-tmpfiles --create @tmpfilesdir@/systemd-forbid-user-logins.conf.noauto diff --git a/units/systemd-tmpfiles-setup.service.in b/units/systemd-tmpfiles-setup.service.in index 6f98063..3405e28 100644 --- a/units/systemd-tmpfiles-setup.service.in +++ b/units/systemd-tmpfiles-setup.service.in @@ -14,6 +14,7 @@ Conflicts=shutdown.target After=systemd-readahead-collect.service systemd-readahead-replay.service local-fs.target Before=sysinit.target shutdown.target ConditionDirectoryNotEmpty=|/usr/lib/tmpfiles.d +ConditionDirectoryNotEmpty=|/lib/tmpfiles.d ConditionDirectoryNotEmpty=|/usr/local/lib/tmpfiles.d ConditionDirectoryNotEmpty=|/etc/tmpfiles.d ConditionDirectoryNotEmpty=|/run/tmpfiles.d -- 1.8.1.rc0.194.gaf2e3a9 _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
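Review bot: the new paragraph in man/systemd-tmpfiles.xml says /run/nologin disables logins "until the system is ready", but it does not say what removes the file, nor does it name the .noauto configuration file the service applies. Someone locked out after a manual run needs both to find their way back. Add them, and consider moving the unrelated <cmdsynopsis> and <citerefentry> reflow in the same file to a separate cleanup commit so the functional change stays easy to review.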
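Review bot: the header comment in tmpfiles.d/systemd-forbid-user-logins.conf.noauto points to systemd-forbid-user-logins.service(5), while the Makefile-man.am hunks in this patch install the alias as man/systemd-forbid-user-logins.service.8, so the reference should read systemd-forbid-user-logins.service(8). The following comment line is missing an article ("has a special suffix"). It would also help to name the unit that applies this file, since the comment gives the suffix as the only safeguard against running it by mistake.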
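Review bot: ExecStart in units/systemd-forbid-user-logins.service.in passes the absolute path @tmpfilesdir@/systemd-forbid-user-logins.conf.noauto, so the configuration-directory search that the man page describes for basenames does not apply. The /run/nologin line can therefore no longer be overridden from another tmpfiles.d directory, as it could while it lived in tmpfiles.d/systemd.conf. If that is intended, say so in the commit message. Also note that RefuseManualStart=yes only guards the unit: the same command line typed by hand still creates /run/nologin, which deserves a sentence in the documentation.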
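Review bot: the added ConditionDirectoryNotEmpty=|/lib/tmpfiles.d line in units/systemd-tmpfiles-setup.service.in is not mentioned in the commit message and is unrelated to splitting out /run/nologin creation. Please move it to its own patch with a rationale, or explain in the message why it belongs in this one.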