Let's be helpful to static analyzers which care about whether we
knowingly ignore return values. We do in these cases, since they are
usually part of error paths.
If creation of the message failed, we'd write a bogus entry:
systemd-coredump[1400]: Cannot store coredump of 416 (systemd-journal): No space left on device
systemd-coredump[1400]: MESSAGE=Process 416 (systemd-journal) of user 0 dumped core.
systemd-coredump[1400]: Coredump diverted to
This fixes a crash where we would read the commandline, whose length is under
control of the sending program, and then crash when trying to create a stack
allocation for it.
CVE-2018-16864
https://bugzilla.redhat.com/show_bug.cgi?id=1653855
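The pattern behind this fix, as an added example that is not systemd's own code: a field built from a sender-controlled command line is copied to the heap under an explicit size cap instead of onto the stack, so an oversized input yields an error code rather than a crash. `CMDLINE_MAX`, `build_cmdline_field()` and the sample inputs are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap for this example; not a systemd constant. */
#define CMDLINE_MAX (64u * 1024u)

/* Risky shape, shown only as a comment: the size comes straight from the
 * sender and alloca() has no error return, so a huge length runs off the stack.
 *
 *     char *field = alloca(strlen("_CMDLINE=") + len + 1);
 */

/* Hardened shape: check the length, allocate on the heap, report errors.
 * Returns 0 and a malloc()ed "_CMDLINE=<cmdline>" string in *ret,
 * -E2BIG if the input exceeds the cap, -ENOMEM if allocation fails. */
int build_cmdline_field(const char *cmdline, size_t len, char **ret) {
        static const char prefix[] = "_CMDLINE=";
        const size_t plen = sizeof(prefix) - 1;
        char *field;

        if (!cmdline || !ret)
                return -EINVAL;
        if (len > CMDLINE_MAX)
                return -E2BIG;

        field = malloc(plen + len + 1);
        if (!field)
                return -ENOMEM;

        memcpy(field, prefix, plen);
        memcpy(field + plen, cmdline, len);
        field[plen + len] = '\0';
        *ret = field;
        return 0;
}

int main(void) {
        static char huge[CMDLINE_MAX + 1];   /* constructed oversized input */
        char *field = NULL;
        memset(huge, 'A', sizeof(huge));
        if (build_cmdline_field("sleep 30", strlen("sleep 30"), &field) == 0)
                puts(field);
        free(field);
        printf("oversized: %d (-E2BIG is %d)\n",
               build_cmdline_field(huge, sizeof(huge), &field), -E2BIG);
        return 0;
}
```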
The message actually doesn't get written to disk, because
journal_file_append_entry() returns -E2BIG.
systemd-coredump[9982]: MESSAGE=Process 771 (systemd-journal) of user 0 dumped core.
systemd-coredump[9982]: Coredump diverted to /var/lib/systemd/coredump/core...
log_dispatch() calls log_dispatch_internal() which calls write_to_journal()
which appends MESSAGE= on its own.
fdopen doesn't accept "e", it's ignored. Let's not mislead people into
believing that it actually sets O_CLOEXEC.
From `man 3 fdopen`:
> e (since glibc 2.7):
> Open the file with the O_CLOEXEC flag. See open(2) for more information. This flag is ignored for fdopen()
As mentioned by @jlebon in #11131.
This splits out a bunch of functions from fileio.c that have to do with
temporary files. Simply to make the header files a bit shorter, and to
group things more nicely.
No code changes, just some rearranging of source files.
Similar to the previous commit: in many cases no further fd processing
needs to be done in forked-off children before execve() or any of its
flavours are called. In those cases we can use FORK_RLIMIT_NOFILE_SAFE
instead.
Ideally, coccinelle would strip unnecessary braces too. But I do not see any
option in coccinelle for this, so instead, I edited the patch text using
search&replace to remove the braces. Unfortunately this is not fully automatic,
in particular it didn't deal well with if-else-if-else blocks and ifdefs, so
there is an increased likelihood of some bugs in such spots.
I also removed part of the patch that coccinelle generated for udev, where we
return -1 for failure. This should be fixed independently.
$ valgrind --show-leak-kinds=all --leak-check=full build/coredumpctl dump --output /tmp/ff
...
==16431== HEAP SUMMARY:
==16431== in use at exit: 3,680 bytes in 13 blocks
==16431== total heap usage: 831 allocs, 818 frees, 197,776 bytes allocated
==16431==
==16431== 2 bytes in 1 blocks are still reachable in loss record 1 of 13
==16431== at 0x483880B: malloc (vg_replace_malloc.c:299)
==16431== by 0x4C4D5AD: strdup (strdup.c:42)
==16431== by 0x49B2387: bus_message_parse_fields (bus-message.c:5300)
==16431== by 0x49A23AF: bus_message_from_malloc (bus-message.c:560)
==16431== by 0x49C459B: bus_socket_make_message (bus-socket.c:1099)
==16431== by 0x49C4C5B: bus_socket_read_message (bus-socket.c:1213)
==16431== by 0x49CE4CE: bus_read_message (sd-bus.c:1777)
==16431== by 0x49CFA2C: sd_bus_call (sd-bus.c:2176)
==16431== by 0x1105F3: check_units_active (coredumpctl.c:1029)
==16431== by 0x110998: run (coredumpctl.c:1087)
==16431== by 0x110A45: main (coredumpctl.c:1100)
==16431==
==16431== 9 bytes in 1 blocks are still reachable in loss record 2 of 13
==16431== at 0x483880B: malloc (vg_replace_malloc.c:299)
==16431== by 0x4939067: malloc_multiply (alloc-util.h:78)
==16431== by 0x493921D: hexmem (hexdecoct.c:62)
==16431== by 0x49C2B75: bus_socket_start_auth_client (bus-socket.c:626)
==16431== by 0x49C2D78: bus_socket_start_auth (bus-socket.c:665)
==16431== by 0x49C3B09: bus_socket_connect (bus-socket.c:915)
==16431== by 0x49CBB08: bus_start_address (sd-bus.c:1103)
==16431== by 0x49CBFEA: sd_bus_start (sd-bus.c:1187)
==16431== by 0x49CC452: sd_bus_open_system_with_description (sd-bus.c:1294)
==16431== by 0x49CC4C6: sd_bus_open_system (sd-bus.c:1303)
==16431== by 0x49D4424: bus_default (sd-bus.c:3655)
==16431== by 0x49D44BC: sd_bus_default_system (sd-bus.c:3668)
==16431==
==16431== 9 bytes in 1 blocks are still reachable in loss record 3 of 13
==16431== at 0x483880B: malloc (vg_replace_malloc.c:299)
==16431== by 0x4C4D5AD: strdup (strdup.c:42)
==16431== by 0x497364E: free_and_strdup (string-util.c:1013)
==16431== by 0x49C9FB1: hello_callback (sd-bus.c:547)
==16431== by 0x49D0A3A: process_reply (sd-bus.c:2498)
==16431== by 0x49D13E0: process_message (sd-bus.c:2677)
==16431== by 0x49D165F: process_running (sd-bus.c:2739)
==16431== by 0x49D20DD: bus_process_internal (sd-bus.c:2957)
==16431== by 0x49D21E8: sd_bus_process (sd-bus.c:2984)
==16431== by 0x49CF21E: bus_ensure_running (sd-bus.c:2053)
==16431== by 0x49CF51F: sd_bus_call (sd-bus.c:2095)
==16431== by 0x1105F3: check_units_active (coredumpctl.c:1029)
==16431==
==16431== 24 bytes in 1 blocks are still reachable in loss record 4 of 13
==16431== at 0x483880B: malloc (vg_replace_malloc.c:299)
==16431== by 0x495CB0D: malloc_multiply (alloc-util.h:78)
==16431== by 0x495CB2A: prioq_new (prioq.c:35)
==16431== by 0x495CC02: prioq_ensure_allocated (prioq.c:60)
==16431== by 0x49CEF84: sd_bus_call_async (sd-bus.c:1995)
==16431== by 0x49CA0E6: bus_send_hello (sd-bus.c:581)
==16431== by 0x49CC019: sd_bus_start (sd-bus.c:1196)
==16431== by 0x49CC452: sd_bus_open_system_with_description (sd-bus.c:1294)
==16431== by 0x49CC4C6: sd_bus_open_system (sd-bus.c:1303)
==16431== by 0x49D4424: bus_default (sd-bus.c:3655)
==16431== by 0x49D44BC: sd_bus_default_system (sd-bus.c:3668)
==16431== by 0x110444: check_units_active (coredumpctl.c:1007)
==16431==
==16431== 38 bytes in 1 blocks are still reachable in loss record 5 of 13
==16431== at 0x483880B: malloc (vg_replace_malloc.c:299)
==16431== by 0x4C4D5AD: strdup (strdup.c:42)
==16431== by 0x497364E: free_and_strdup (string-util.c:1013)
==16431== by 0x49C7F97: sd_bus_set_address (sd-bus.c:269)
==16431== by 0x49CC314: bus_set_address_system (sd-bus.c:1262)
==16431== by 0x49CC3E0: sd_bus_open_system_with_description (sd-bus.c:1281)
==16431== by 0x49CC4C6: sd_bus_open_system (sd-bus.c:1303)
==16431== by 0x49D4424: bus_default (sd-bus.c:3655)
==16431== by 0x49D44BC: sd_bus_default_system (sd-bus.c:3668)
==16431== by 0x110444: check_units_active (coredumpctl.c:1007)
==16431== by 0x110998: run (coredumpctl.c:1087)
==16431== by 0x110A45: main (coredumpctl.c:1100)
==16431==
==16431== 64 bytes in 1 blocks are still reachable in loss record 6 of 13
==16431== at 0x4838748: malloc (vg_replace_malloc.c:298)
==16431== by 0x483AD63: realloc (vg_replace_malloc.c:826)
==16431== by 0x4902663: greedy_realloc (alloc-util.c:55)
==16431== by 0x49C7D7D: sd_bus_new (sd-bus.c:255)
==16431== by 0x49CC398: sd_bus_open_system_with_description (sd-bus.c:1271)
==16431== by 0x49CC4C6: sd_bus_open_system (sd-bus.c:1303)
==16431== by 0x49D4424: bus_default (sd-bus.c:3655)
==16431== by 0x49D44BC: sd_bus_default_system (sd-bus.c:3668)
==16431== by 0x110444: check_units_active (coredumpctl.c:1007)
==16431== by 0x110998: run (coredumpctl.c:1087)
==16431== by 0x110A45: main (coredumpctl.c:1100)
==16431==
==16431== 64 bytes in 1 blocks are still reachable in loss record 7 of 13
==16431== at 0x4838748: malloc (vg_replace_malloc.c:298)
==16431== by 0x483AD63: realloc (vg_replace_malloc.c:826)
==16431== by 0x4902663: greedy_realloc (alloc-util.c:55)
==16431== by 0x49CE54E: bus_rqueue_make_room (sd-bus.c:1786)
==16431== by 0x49C44FC: bus_socket_make_message (bus-socket.c:1087)
==16431== by 0x49C4C5B: bus_socket_read_message (bus-socket.c:1213)
==16431== by 0x49CE4CE: bus_read_message (sd-bus.c:1777)
==16431== by 0x49CE6AF: dispatch_rqueue (sd-bus.c:1814)
==16431== by 0x49D162E: process_running (sd-bus.c:2733)
==16431== by 0x49D20DD: bus_process_internal (sd-bus.c:2957)
==16431== by 0x49D21E8: sd_bus_process (sd-bus.c:2984)
==16431== by 0x49CF21E: bus_ensure_running (sd-bus.c:2053)
==16431==
==16431== 65 bytes in 1 blocks are still reachable in loss record 8 of 13
==16431== at 0x483AB1A: calloc (vg_replace_malloc.c:752)
==16431== by 0x496E5D6: getpeersec (socket-util.c:969)
==16431== by 0x49C291C: bus_get_peercred (bus-socket.c:594)
==16431== by 0x49C2CB2: bus_socket_start_auth (bus-socket.c:650)
==16431== by 0x49C3B09: bus_socket_connect (bus-socket.c:915)
==16431== by 0x49CBB08: bus_start_address (sd-bus.c:1103)
==16431== by 0x49CBFEA: sd_bus_start (sd-bus.c:1187)
==16431== by 0x49CC452: sd_bus_open_system_with_description (sd-bus.c:1294)
==16431== by 0x49CC4C6: sd_bus_open_system (sd-bus.c:1303)
==16431== by 0x49D4424: bus_default (sd-bus.c:3655)
==16431== by 0x49D44BC: sd_bus_default_system (sd-bus.c:3668)
==16431== by 0x110444: check_units_active (coredumpctl.c:1007)
==16431==
==16431== 181 bytes in 1 blocks are still reachable in loss record 9 of 13
==16431== at 0x483AD19: realloc (vg_replace_malloc.c:826)
==16431== by 0x49C4791: bus_socket_read_message (bus-socket.c:1143)
==16431== by 0x49CE4CE: bus_read_message (sd-bus.c:1777)
==16431== by 0x49CFA2C: sd_bus_call (sd-bus.c:2176)
==16431== by 0x1105F3: check_units_active (coredumpctl.c:1029)
==16431== by 0x110998: run (coredumpctl.c:1087)
==16431== by 0x110A45: main (coredumpctl.c:1100)
==16431==
==16431== 256 bytes in 1 blocks are still reachable in loss record 10 of 13
==16431== at 0x483880B: malloc (vg_replace_malloc.c:299)
==16431== by 0x496E740: getpeergroups (socket-util.c:998)
==16431== by 0x49C29BD: bus_get_peercred (bus-socket.c:599)
==16431== by 0x49C2CB2: bus_socket_start_auth (bus-socket.c:650)
==16431== by 0x49C3B09: bus_socket_connect (bus-socket.c:915)
==16431== by 0x49CBB08: bus_start_address (sd-bus.c:1103)
==16431== by 0x49CBFEA: sd_bus_start (sd-bus.c:1187)
==16431== by 0x49CC452: sd_bus_open_system_with_description (sd-bus.c:1294)
==16431== by 0x49CC4C6: sd_bus_open_system (sd-bus.c:1303)
==16431== by 0x49D4424: bus_default (sd-bus.c:3655)
==16431== by 0x49D44BC: sd_bus_default_system (sd-bus.c:3668)
==16431== by 0x110444: check_units_active (coredumpctl.c:1007)
==16431==
==16431== 256 bytes in 1 blocks are still reachable in loss record 11 of 13
==16431== at 0x4838748: malloc (vg_replace_malloc.c:298)
==16431== by 0x483AD63: realloc (vg_replace_malloc.c:826)
==16431== by 0x495D1A0: prioq_put (prioq.c:162)
==16431== by 0x49CF0EA: sd_bus_call_async (sd-bus.c:2023)
==16431== by 0x49CA0E6: bus_send_hello (sd-bus.c:581)
==16431== by 0x49CC019: sd_bus_start (sd-bus.c:1196)
==16431== by 0x49CC452: sd_bus_open_system_with_description (sd-bus.c:1294)
==16431== by 0x49CC4C6: sd_bus_open_system (sd-bus.c:1303)
==16431== by 0x49D4424: bus_default (sd-bus.c:3655)
==16431== by 0x49D44BC: sd_bus_default_system (sd-bus.c:3668)
==16431== by 0x110444: check_units_active (coredumpctl.c:1007)
==16431== by 0x110998: run (coredumpctl.c:1087)
==16431==
==16431== 856 bytes in 1 blocks are still reachable in loss record 12 of 13
==16431== at 0x483AB1A: calloc (vg_replace_malloc.c:752)
==16431== by 0x49A1F33: bus_message_from_header (bus-message.c:458)
==16431== by 0x49A22B1: bus_message_from_malloc (bus-message.c:535)
==16431== by 0x49C459B: bus_socket_make_message (bus-socket.c:1099)
==16431== by 0x49C4C5B: bus_socket_read_message (bus-socket.c:1213)
==16431== by 0x49CE4CE: bus_read_message (sd-bus.c:1777)
==16431== by 0x49CFA2C: sd_bus_call (sd-bus.c:2176)
==16431== by 0x1105F3: check_units_active (coredumpctl.c:1029)
==16431== by 0x110998: run (coredumpctl.c:1087)
==16431== by 0x110A45: main (coredumpctl.c:1100)
==16431==
==16431== 1,856 bytes in 1 blocks are still reachable in loss record 13 of 13
==16431== at 0x483880B: malloc (vg_replace_malloc.c:299)
==16431== by 0x49C6EDF: malloc_multiply (alloc-util.h:78)
==16431== by 0x49C7C81: sd_bus_new (sd-bus.c:235)
==16431== by 0x49CC398: sd_bus_open_system_with_description (sd-bus.c:1271)
==16431== by 0x49CC4C6: sd_bus_open_system (sd-bus.c:1303)
==16431== by 0x49D4424: bus_default (sd-bus.c:3655)
==16431== by 0x49D44BC: sd_bus_default_system (sd-bus.c:3668)
==16431== by 0x110444: check_units_active (coredumpctl.c:1007)
==16431== by 0x110998: run (coredumpctl.c:1087)
==16431== by 0x110A45: main (coredumpctl.c:1100)
==16431==
==16431== LEAK SUMMARY:
==16431== definitely lost: 0 bytes in 0 blocks
==16431== indirectly lost: 0 bytes in 0 blocks
==16431== possibly lost: 0 bytes in 0 blocks
==16431== still reachable: 3,680 bytes in 13 blocks
==16431== suppressed: 0 bytes in 0 blocks
==16431==
We want to propagate the return value from gdb, hence this commit makes
use of the liberalization of DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE()
in the previous commit.
We would open the file very early, which is not nice, if we e.g. fail when
parsing later options. Let's do the usual thing and just open it just before
writing, and close immediately after writing.
This way, we can extend the macro a bit with stuff pulled in from other
headers without this affecting everything which pulls in macro.h, which
is one of our most basic headers.
This is just refactoring, no change in behaviour, in preparation for
later changes.
Pretty much everything uses just the first argument, and this doesn't make this
common pattern more complicated, but makes it simpler to pass multiple options.
This makes use of rlimit_nofile_bump() in all tools that access the
journal. In some cases this replaces older code to achieve this, and
in others we add it in where it was missing.
Let's fold get_user_creds_clean() into get_user_creds(), and introduce a
flags argument for it to select "clean" behaviour. This flags parameter
also learns two other new flags:
- USER_CREDS_SYNTHESIZE_FALLBACK: in this mode the user records for
root/nobody are only synthesized as fallback. Normally, the synthesized
records take precedence over what is in the user database. With this
flag set this is reversed, and the user database takes precedence, and
the synthesized records are only used if they are missing there. This
flag should be set in cases where doing NSS is deemed safe, and where
there's interest in knowing the correct shell, for example if the
admin changed root's shell to zsh or suchlike.
- USER_CREDS_ALLOW_MISSING: if set, and a UID/GID is specified by
numeric value, and there's no user/group record for it, accept it
anyway. This allows us to fix #9767.
This then also ports all users to set the most appropriate flags.
Fixes: #9767
[zj: remove one isempty() call]
This is a bit like the info link in most of GNU's --help texts, but we
don't do info but man pages, and we make them properly clickable on
terminals supporting that, because awesome.
I think it's generally advisable to link up our (brief) --help texts and
our (more comprehensive) man pages a bit, so this should be an easy and
straight-forward way to do it.
These lines are generally out-of-date, incomplete and unnecessary. With
SPDX and git repository much more accurate and fine grained information
about licensing and authorship is available, hence let's drop the
per-file copyright notice. Of course, removing copyright lines of others
is problematic, hence this commit only removes my own lines and leaves
all others untouched. It might be nicer if sooner or later those could
go away too, making git the only and accurate source of authorship
information.
This part of the copyright blurb stems from the GPL use recommendations:
https://www.gnu.org/licenses/gpl-howto.en.html
The concept appears to originate in times where version control was per
file, instead of per tree, and was a way to glue the files together.
Ultimately, we nowadays don't live in that world anymore, and this
information is entirely useless anyway, as people are very welcome to
copy these files into any projects they like, and they shouldn't have to
change bits that are part of our copyright header for that.
Hence, let's just get rid of this old cruft, and shorten our codebase a
bit.
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.
I also kept any copyright lines. We can probably remove them, but it'd be nice to
obtain explicit acks from all involved authors before doing that.
This macro will read a pointer of any type, return it, and set the
pointer to NULL. This is useful as an explicit concept of passing
ownership of a memory area between pointers.
This takes inspiration from Rust:
https://doc.rust-lang.org/std/option/enum.Option.html#method.take
and was suggested by Alan Jenkins (@sourcejedi).
It drops ~160 lines of code from our codebase, which makes me like it.
Also, I think it clarifies passing of ownership, and thus helps
readability a bit (at least for the initiated who know the new macro).
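The ownership hand-off described in this commit message, as an added example that is not the project's code: the macro is re-implemented here as a GNU C statement expression and paired with a scope-exit cleanup attribute, so error paths free the buffer and the success path passes it to the caller exactly once. `CLEANUP_FREE`, `free_on_exit()`, `join_two()` and `take_ptr_clears_source()` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-implementation for this example (GNU C statement expression, gcc/clang):
 * yield the pointer's value and reset the variable to NULL in one step. */
#define TAKE_PTR(ptr) ({ __typeof__(ptr) _p_ = (ptr); (ptr) = NULL; _p_; })

/* Hypothetical scope-exit helper: frees whatever the variable still holds. */
static void free_on_exit(void *p) { free(*(void **) p); }
#define CLEANUP_FREE __attribute__((cleanup(free_on_exit)))

/* Joins two strings. Every early return frees buf automatically; on success
 * TAKE_PTR() hands buf to the caller and leaves NULL behind, so the cleanup
 * handler finds nothing to free and the caller is the sole owner. */
int join_two(const char *a, const char *b, char **ret) {
        CLEANUP_FREE char *buf = NULL;
        size_t la, lb;

        if (!a || !b || !ret)
                return -1;
        la = strlen(a);
        lb = strlen(b);
        buf = malloc(la + lb + 1);
        if (!buf)
                return -1;
        memcpy(buf, a, la);
        memcpy(buf + la, b, lb + 1);   /* includes the terminating NUL */
        *ret = TAKE_PTR(buf);
        return 0;
}

/* Returns 1 if TAKE_PTR() handed over the old value and cleared the source. */
int take_ptr_clears_source(void) {
        char *src = malloc(4), *orig = src, *dst;
        int ok;
        dst = TAKE_PTR(src);
        ok = src == NULL && dst == orig;
        free(dst);
        return ok;
}

int main(void) {
        char *s = NULL;
        if (join_two("core", "dump", &s) == 0)
                puts(s);
        free(s);
        return take_ptr_clears_source() == 1 ? 0 : 1;
}
```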
Even if pager_open() fails, in general, we should continue the operations.
All erroneous cases in pager_open() show log message in the function.
So, it is not necessary to check the returned value.