File passcredentials.patch of Package systemd.1408

From 42340ebe5f44c4102d73afeba72176c5704ef0ef Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Tue, 29 Nov 2011 23:14:36 +0100
Subject: [PATCH 1/5] shutdownd: use PassCred=yes in the socket unit

Since Linux 3.2 in order to receive SCM_CREDENTIALS it is not sufficient
to set SO_PASSCRED just before recvmsg(). The option has to be already
set when the sender sends the message.

With socket activation it is too late to set the option in the service.
It must be set on the socket right from the start.

See the kernel commit:
16e57262 af_unix: dont send SCM_CREDENTIALS by default

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=757628
---
 src/shutdownd.c                |    6 ------
 units/systemd-shutdownd.socket |    1 +
 2 files changed, 1 insertions(+), 6 deletions(-)

diff --git a/src/shutdownd.c b/src/shutdownd.c
index 0ffa8b2..46856b0 100644
--- a/src/shutdownd.c
+++ b/src/shutdownd.c
@@ -173,7 +173,6 @@ int main(int argc, char *argv[]) {
         };
 
         int r = EXIT_FAILURE, n_fds;
-        int one = 1;
         struct shutdownd_command c;
         struct pollfd pollfd[_FD_MAX];
         bool exec_shutdown = false, unlink_nologin = false, failed = false;
@@ -205,11 +204,6 @@ int main(int argc, char *argv[]) {
                 return EXIT_FAILURE;
         }
 
-        if (setsockopt(SD_LISTEN_FDS_START, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0) {
-                log_error("SO_PASSCRED failed: %m");
-                return EXIT_FAILURE;
-        }
-
         zero(c);
         zero(pollfd);
 
diff --git a/units/systemd-shutdownd.socket b/units/systemd-shutdownd.socket
index bc0358a..13b6c7a 100644
--- a/units/systemd-shutdownd.socket
+++ b/units/systemd-shutdownd.socket
@@ -15,3 +15,4 @@ Before=sockets.target
 [Socket]
 ListenDatagram=/run/systemd/shutdownd
 SocketMode=0600
+PassCred=yes
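Review bot: `PassCred=yes` is added without a comment saying why it has to live in the socket unit, and after this patch nothing in src/shutdownd.c enables the option itself, so a local override or replacement unit that drops the line leaves the daemon without sender credentials. I would add a comment above it such as `# Must be set at socket creation: since Linux 3.2 credentials are only attached if SO_PASSCRED is already on when the sender writes`. The same comment fits the `PassCred=yes` line added to units/syslog.socket in patch 2/5.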
-- 
1.7.7


From 8bf17cd8932e68ce25ec3ac386b840a7c48c0c36 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Wed, 30 Nov 2011 09:37:13 +0100
Subject: [PATCH 2/5] syslog: use PassCred=yes for the /dev/log socket

Both kmsg-syslogd and the real syslog service want to receive
SCM_CREDENTIALS. With socket activation it is too late to set
SO_PASSCRED in the services.
---
 src/kmsg-syslogd.c  |    5 +----
 units/syslog.socket |    1 +
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/kmsg-syslogd.c b/src/kmsg-syslogd.c
index 0901a0e..7fd69f8 100644
--- a/src/kmsg-syslogd.c
+++ b/src/kmsg-syslogd.c
@@ -91,7 +91,7 @@ static int server_init(Server *s, unsigned n_sockets) {
         }
 
         for (i = 0; i < n_sockets; i++) {
-                int fd, one = 1;
+                int fd;
 
                 fd = SD_LISTEN_FDS_START+i;
 
@@ -106,9 +106,6 @@ static int server_init(Server *s, unsigned n_sockets) {
                         goto fail;
                 }
 
-                if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
-                        log_error("SO_PASSCRED failed: %m");
-
                 zero(ev);
                 ev.events = EPOLLIN;
                 ev.data.fd = fd;
diff --git a/units/syslog.socket b/units/syslog.socket
index 500bb7c..e74b559 100644
--- a/units/syslog.socket
+++ b/units/syslog.socket
@@ -18,6 +18,7 @@ Wants=syslog.target
 [Socket]
 ListenDatagram=/dev/log
 SocketMode=0666
+PassCred=yes
 
 # The service we activate on incoming traffic is
 # systemd-kmsg-syslogd.service. That doesn't mean however, that this
-- 
1.7.7


From 9a968a81292e283f7107d057997eec99c264a58b Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Wed, 30 Nov 2011 11:06:35 +0100
Subject: [PATCH 3/5] man: document the PassCred option

---
 man/systemd.socket.xml |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 28c8dc4..2f31242 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -525,6 +525,17 @@
                         </varlistentry>
 
                         <varlistentry>
+                                <term><varname>PassCred=</varname></term>
+                                <listitem><para>Takes a boolean
+                                value. This controls the SO_PASSCRED
+                                option, which allows UNIX sockets to
+                                receive the credentials of the sending
+                                process in an ancillary message.
+                                Defaults to
+                                <option>false</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
                                 <term><varname>TCPCongestion=</varname></term>
                                 <listitem><para>Takes a string
                                 value. Controls the TCP congestion
-- 
1.7.7


From c204940ee9b430c7ff26779f0462b4250779484d Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Tue, 29 Nov 2011 22:15:41 +0100
Subject: [PATCH 4/5] socket: add option for SO_PASSCRED

Add an option to enable SO_PASSCRED for unix sockets.
---
 src/dbus-socket.c                |    2 ++
 src/load-fragment-gperf.gperf.m4 |    1 +
 src/socket.c                     |    8 ++++++++
 src/socket.h                     |    1 +
 4 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/src/dbus-socket.c b/src/dbus-socket.c
index 2a1a17d..37ab7eb 100644
--- a/src/dbus-socket.c
+++ b/src/dbus-socket.c
@@ -51,6 +51,7 @@
         "  <property name=\"FreeBind\" type=\"b\" access=\"read\"/>\n"  \
         "  <property name=\"Transparent\" type=\"b\" access=\"read\"/>\n" \
         "  <property name=\"Broadcast\" type=\"b\" access=\"read\"/>\n" \
+        "  <property name=\"PassCred\" type=\"b\" access=\"read\"/>\n" \
         "  <property name=\"Mark\" type=\"i\" access=\"read\"/>\n"      \
         "  <property name=\"MaxConnections\" type=\"u\" access=\"read\"/>\n" \
         "  <property name=\"NAccepted\" type=\"u\" access=\"read\"/>\n" \
@@ -113,6 +114,7 @@ DBusHandlerResult bus_socket_message_handler(Unit *u, DBusConnection *c, DBusMes
                 { "org.freedesktop.systemd1.Socket", "FreeBind",       bus_property_append_bool,         "b", &u->socket.free_bind       },
                 { "org.freedesktop.systemd1.Socket", "Transparent",    bus_property_append_bool,         "b", &u->socket.transparent     },
                 { "org.freedesktop.systemd1.Socket", "Broadcast",      bus_property_append_bool,         "b", &u->socket.broadcast       },
+                { "org.freedesktop.systemd1.Socket", "PassCred",       bus_property_append_bool,         "b", &u->socket.pass_cred       },
                 { "org.freedesktop.systemd1.Socket", "Mark",           bus_property_append_int,          "i", &u->socket.mark            },
                 { "org.freedesktop.systemd1.Socket", "MaxConnections", bus_property_append_unsigned,     "u", &u->socket.max_connections },
                 { "org.freedesktop.systemd1.Socket", "NConnections",   bus_property_append_unsigned,     "u", &u->socket.n_connections   },
diff --git a/src/load-fragment-gperf.gperf.m4 b/src/load-fragment-gperf.gperf.m4
index 41797d2..84ae28c 100644
--- a/src/load-fragment-gperf.gperf.m4
+++ b/src/load-fragment-gperf.gperf.m4
@@ -177,6 +177,7 @@ Socket.PipeSize,                 config_parse_size,                  0,
 Socket.FreeBind,                 config_parse_bool,                  0,                             offsetof(Socket, free_bind)
 Socket.Transparent,              config_parse_bool,                  0,                             offsetof(Socket, transparent)
 Socket.Broadcast,                config_parse_bool,                  0,                             offsetof(Socket, broadcast)
+Socket.PassCred,                 config_parse_bool,                  0,                             offsetof(Socket, pass_cred)
 Socket.TCPCongestion,            config_parse_string,                0,                             offsetof(Socket, tcp_congestion)
 Socket.MessageQueueMaxMessages,  config_parse_long,                  0,                             offsetof(Socket, mq_maxmsg)
 Socket.MessageQueueMessageSize,  config_parse_long,                  0,                             offsetof(Socket, mq_msgsize)
diff --git a/src/socket.c b/src/socket.c
index 7ddf326..0864cce 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -406,6 +406,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 "%sFreeBind: %s\n"
                 "%sTransparent: %s\n"
                 "%sBroadcast: %s\n"
+                "%sPassCred: %s\n"
                 "%sTCPCongestion: %s\n",
                 prefix, socket_state_to_string(s->state),
                 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
@@ -416,6 +417,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 prefix, yes_no(s->free_bind),
                 prefix, yes_no(s->transparent),
                 prefix, yes_no(s->broadcast),
+                prefix, yes_no(s->pass_cred),
                 prefix, strna(s->tcp_congestion));
 
         if (s->control_pid > 0)
@@ -657,6 +659,12 @@ static void socket_apply_socket_options(Socket *s, int fd) {
                         log_warning("SO_BROADCAST failed: %m");
         }
 
+        if (s->pass_cred) {
+                int one = 1;
+                if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
+                        log_warning("SO_PASSCRED failed: %m");
+        }
+
         if (s->priority >= 0)
                 if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
                         log_warning("SO_PRIORITY failed: %m");
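Review bot: A failed `setsockopt(SO_PASSCRED)` in the added `if (s->pass_cred)` block is only reported with `log_warning`, whereas the shutdownd code removed in patch 1/5 returned `EXIT_FAILURE` in that case, so an activated service can now start on a socket that will not deliver SCM_CREDENTIALS. This matches how the neighbouring options are handled, but receivers presumably use the sender's credentials for access decisions, so each one has to reject a message that arrives without a credentials control message; that handling is not visible in this series and should be confirmed for shutdownd and the syslog services. A comment would also help here, e.g. `/* Must be set before any sender writes: since Linux 3.2 credentials are attached at send time */`. socket_apply_socket_options starts and ends outside the hunk.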
diff --git a/src/socket.h b/src/socket.h
index fd13ac4..fbd29da 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -118,6 +118,7 @@ struct Socket {
         bool free_bind;
         bool transparent;
         bool broadcast;
+        bool pass_cred;
         int priority;
         int mark;
         size_t receive_buffer;
-- 
1.7.7


From 5c358fc58ae2a512c3d1847888a08875dcb77f5a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Sat, 31 Dec 2011 01:07:49 +0100
Subject: [PATCH 5/5] socket: rename the PassCred= option to PassCredentials=,
 since we don't want to needlessly abbreviate options
 unless they are very well established

---
 man/systemd.socket.xml           |    8 ++++----
 src/dbus-socket.c                |    4 ++--
 src/load-fragment-gperf.gperf.m4 |    2 +-
 src/socket.c                     |    2 +-
 units/syslog.socket              |    2 +-
 units/systemd-shutdownd.socket   |    2 +-
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 2f31242..bf8f308 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -510,7 +510,7 @@
                                 <term><varname>Transparent=</varname></term>
                                 <listitem><para>Takes a boolean
                                 value. Controls the IP_TRANSPARENT
-                                option. Defaults to
+                                socket option. Defaults to
                                 <option>false</option>.</para></listitem>
                         </varlistentry>
 
@@ -518,17 +518,17 @@
                                 <term><varname>Broadcast=</varname></term>
                                 <listitem><para>Takes a boolean
                                 value. This controls the SO_BROADCAST
-                                option, which allows broadcast
+                                socket option, which allows broadcast
                                 datagrams to be sent from this
                                 socket. Defaults to
                                 <option>false</option>.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>PassCred=</varname></term>
+                                <term><varname>PassCredentials=</varname></term>
                                 <listitem><para>Takes a boolean
                                 value. This controls the SO_PASSCRED
-                                option, which allows UNIX sockets to
+                                socket option, which allows UNIX sockets to
                                 receive the credentials of the sending
                                 process in an ancillary message.
                                 Defaults to
diff --git a/src/dbus-socket.c b/src/dbus-socket.c
index 37ab7eb..c428189 100644
--- a/src/dbus-socket.c
+++ b/src/dbus-socket.c
@@ -51,7 +51,7 @@
         "  <property name=\"FreeBind\" type=\"b\" access=\"read\"/>\n"  \
         "  <property name=\"Transparent\" type=\"b\" access=\"read\"/>\n" \
         "  <property name=\"Broadcast\" type=\"b\" access=\"read\"/>\n" \
-        "  <property name=\"PassCred\" type=\"b\" access=\"read\"/>\n" \
+        "  <property name=\"PassCredentials\" type=\"b\" access=\"read\"/>\n" \
         "  <property name=\"Mark\" type=\"i\" access=\"read\"/>\n"      \
         "  <property name=\"MaxConnections\" type=\"u\" access=\"read\"/>\n" \
         "  <property name=\"NAccepted\" type=\"u\" access=\"read\"/>\n" \
@@ -114,7 +114,7 @@ DBusHandlerResult bus_socket_message_handler(Unit *u, DBusConnection *c, DBusMes
                 { "org.freedesktop.systemd1.Socket", "FreeBind",       bus_property_append_bool,         "b", &u->socket.free_bind       },
                 { "org.freedesktop.systemd1.Socket", "Transparent",    bus_property_append_bool,         "b", &u->socket.transparent     },
                 { "org.freedesktop.systemd1.Socket", "Broadcast",      bus_property_append_bool,         "b", &u->socket.broadcast       },
-                { "org.freedesktop.systemd1.Socket", "PassCred",       bus_property_append_bool,         "b", &u->socket.pass_cred       },
+                { "org.freedesktop.systemd1.Socket", "PassCredentials",bus_property_append_bool,         "b", &u->socket.pass_cred       },
                 { "org.freedesktop.systemd1.Socket", "Mark",           bus_property_append_int,          "i", &u->socket.mark            },
                 { "org.freedesktop.systemd1.Socket", "MaxConnections", bus_property_append_unsigned,     "u", &u->socket.max_connections },
                 { "org.freedesktop.systemd1.Socket", "NConnections",   bus_property_append_unsigned,     "u", &u->socket.n_connections   },
diff --git a/src/load-fragment-gperf.gperf.m4 b/src/load-fragment-gperf.gperf.m4
index 84ae28c..2ff06ef 100644
--- a/src/load-fragment-gperf.gperf.m4
+++ b/src/load-fragment-gperf.gperf.m4
@@ -177,7 +177,7 @@ Socket.PipeSize,                 config_parse_size,                  0,
 Socket.FreeBind,                 config_parse_bool,                  0,                             offsetof(Socket, free_bind)
 Socket.Transparent,              config_parse_bool,                  0,                             offsetof(Socket, transparent)
 Socket.Broadcast,                config_parse_bool,                  0,                             offsetof(Socket, broadcast)
-Socket.PassCred,                 config_parse_bool,                  0,                             offsetof(Socket, pass_cred)
+Socket.PassCredentials,          config_parse_bool,                  0,                             offsetof(Socket, pass_cred)
 Socket.TCPCongestion,            config_parse_string,                0,                             offsetof(Socket, tcp_congestion)
 Socket.MessageQueueMaxMessages,  config_parse_long,                  0,                             offsetof(Socket, mq_maxmsg)
 Socket.MessageQueueMessageSize,  config_parse_long,                  0,                             offsetof(Socket, mq_msgsize)
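Review bot: The `Socket.PassCred` key is replaced rather than aliased, so a unit file still written with `PassCred=yes` will no longer set `pass_cred` and its socket is created without SO_PASSCRED. How an unknown key is reported is not visible here; if it is only a log line, the service behind such a unit silently stops receiving sender credentials. Consider keeping the old spelling for a transition period by leaving `Socket.PassCred, config_parse_bool, 0, offsetof(Socket, pass_cred)` next to the new entry. The same consideration applies to the D-Bus property renamed in src/dbus-socket.c in this patch.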
diff --git a/src/socket.c b/src/socket.c
index 0864cce..bbfc842 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -406,7 +406,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 "%sFreeBind: %s\n"
                 "%sTransparent: %s\n"
                 "%sBroadcast: %s\n"
-                "%sPassCred: %s\n"
+                "%sPassCrededentials: %s\n"
                 "%sTCPCongestion: %s\n",
                 prefix, socket_state_to_string(s->state),
                 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
diff --git a/units/syslog.socket b/units/syslog.socket
index e74b559..ccf79fe 100644
--- a/units/syslog.socket
+++ b/units/syslog.socket
@@ -18,7 +18,7 @@ Wants=syslog.target
 [Socket]
 ListenDatagram=/dev/log
 SocketMode=0666
-PassCred=yes
+PassCredentials=yes
 
 # The service we activate on incoming traffic is
 # systemd-kmsg-syslogd.service. That doesn't mean however, that this
diff --git a/units/systemd-shutdownd.socket b/units/systemd-shutdownd.socket
index 13b6c7a..532a6f0 100644
--- a/units/systemd-shutdownd.socket
+++ b/units/systemd-shutdownd.socket
@@ -15,4 +15,4 @@ Before=sockets.target
 [Socket]
 ListenDatagram=/run/systemd/shutdownd
 SocketMode=0600
-PassCred=yes
+PassCredentials=yes
-- 
1.7.7

From ede3deb4256742c6dfb3be515436209c1b088ac6 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Tue, 31 Jan 2012 23:58:15 +0100
Subject: [PATCH] socket: typo in dump output

---
 src/socket.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/socket.c b/src/socket.c
index 67cd0cc..244b124 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -415,7 +415,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 "%sFreeBind: %s\n"
                 "%sTransparent: %s\n"
                 "%sBroadcast: %s\n"
-                "%sPassCrededentials: %s\n"
+                "%sPassCredentials: %s\n"
                 "%sTCPCongestion: %s\n",
                 prefix, socket_state_to_string(s->state),
                 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
-- 
1.7.7
