authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2023-03-25 11:34:47 +0100
committerLennart Poettering <lennart@poettering.net>2023-04-03 12:32:56 +0200
commita78413baae0e999384b535d327203ebf417b1e24 (patch)
tree25a291248447fe7b56b91fa5140a33065ae362bc /src/shared/fileio-label.c
parentdc2b3f94690bc02c2c1b6bdeca0d362f3639d7f0 (diff)
downloadsystemd-a78413baae0e999384b535d327203ebf417b1e24.tar.gz
user-sessions: do not remove /etc/nologin
pam_nologin looks for /etc/nologin and /run/nologin. user-sessions creates (and removes) /run/nologin, but also removes /etc/nologin. (This behaviour is unchanged since the introduction of the binary in e92787416c691c3f34f47349e5eae3fa68eae856.) By not removing pam_nologin we fully drop compatibility with PAM < 1.1. This has the advantage that now /etc/nologin can be used by the administrator to disable user logins, e.g. for extended maintenance. We already specified PAM >= 1.1.2 as dependency, so this was already covered. This makes the code match the man page. Fixes #26965.
Diffstat (limited to 'src/shared/fileio-label.c')
-rw-r--r--src/shared/fileio-label.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/src/shared/fileio-label.c b/src/shared/fileio-label.c
index d03b0548ec..572b8f62ad 100644
--- a/src/shared/fileio-label.c
+++ b/src/shared/fileio-label.c
@@ -23,9 +23,15 @@ int write_string_file_atomic_label_ts(const char *fn, const char *line, struct t
int create_shutdown_run_nologin_or_warn(void) {
int r;
- /* This is used twice: once in systemd-user-sessions.service, in order to block logins when we actually go
- * down, and once in systemd-logind.service when shutdowns are scheduled, and logins are to be turned off a bit
- * in advance. We use the same wording of the message in both cases. */
+ /* This is used twice: once in systemd-user-sessions.service, in order to block logins when we
+ * actually go down, and once in systemd-logind.service when shutdowns are scheduled, and logins are
+ * to be turned off a bit in advance. We use the same wording of the message in both cases.
+ *
+ * Traditionally, there was only /etc/nologin, and we managed that. Then, in PAM 1.1
+ * support for /run/nologin was added as alternative
+ * (https://github.com/linux-pam/linux-pam/commit/e9e593f6ddeaf975b7fe8446d184e6bc387d450b).
+ * 13 years later we stopped managing /etc/nologin, leaving it for the administrator to manage.
+ */
r = write_string_file_atomic_label("/run/nologin",
"System is going down. Unprivileged users are not permitted to log in anymore. "