source: general/sysutils/systemd.xml@ 998105a7

Last change on this file since 998105a7 was 998105a7, checked in by Douglas R. Reno <renodr@…>, 6 years ago

Added a security patch for systemd

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17842 af4574ff-66df-0310-9fd7-8a98e5e911e0

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY systemd-download-http "http://anduin.linuxfromscratch.org/sources/other/systemd/systemd-&systemd-version;.tar.xz">
8 <!ENTITY systemd-download-ftp " ">
9 <!ENTITY systemd-md5sum "2647855c8f9cdf824953f1091db2d2b2">
10 <!ENTITY systemd-size "3,840 KB">
11 <!ENTITY systemd-buildsize "447 MB">
12 <!ENTITY systemd-time "6.4 SBU">
13
14]>
15
16<sect1 id="systemd" xreflabel="Systemd-&systemd-version;" revision="systemd">
17 <?dbhtml filename="systemd.html"?>
18
19 <sect1info>
20 <othername>$LastChangedBy$</othername>
21 <date>$Date$</date>
22 </sect1info>
23
24 <title>Systemd-&systemd-version;</title>
25
26 <indexterm zone="systemd">
27 <primary sortas="a-systemd">systemd</primary>
28 </indexterm>
29
30 <sect2 role="package">
31 <title>Introduction to systemd</title>
32
33 <para>
34 While <application>systemd</application> was installed when
35 building LFS, there are many features provided by the package that
36 were not included in the initial installation because
37 <application>Linux-PAM</application> was not yet installed.
38 The <application>systemd</application> package needs to be
39 rebuilt to provide a working <command>systemd-logind</command> service,
40 which provides many additional features for dependent packages.
41 </para>
42
43 &lfs7a_checked;
44
45 <bridgehead renderas="sect3">Package Information</bridgehead>
46 <itemizedlist spacing="compact">
47 <listitem>
48 <para>Download (HTTP): <ulink url="&systemd-download-http;"/></para>
49 </listitem>
50 <listitem>
51 <para>Download (FTP): <ulink url="&systemd-download-ftp;"/></para>
52 </listitem>
53 <listitem>
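54 <para>Download MD5 sum: &systemd-md5sum; (MD5 only guards against accidental corruption; it is not proof of authenticity for a file fetched over plain HTTP)</para>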
55 </listitem>
56 <listitem>
57 <para>Download size: &systemd-size;</para>
58 </listitem>
59 <listitem>
60 <para>Estimated disk space required: &systemd-buildsize;</para>
61 </listitem>
62 <listitem>
63 <para>Estimated build time: &systemd-time;</para>
64 </listitem>
65 </itemizedlist>
66
67 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
68 <itemizedlist spacing="compact">
69 <listitem>
70 <para>
71 Required patch:
72 <ulink url="&patch-root;/systemd-&systemd-version;-security_fix-1.patch"/>
73 </para>
74 </listitem>
75 </itemizedlist>
76
77 <bridgehead renderas="sect3">systemd Dependencies</bridgehead>
78
79 <bridgehead renderas="sect4">Required</bridgehead>
80 <para role="required">
81 <xref linkend="linux-pam"/>
82 </para>
83
84 <bridgehead renderas="sect4">Recommended Runtime Dependency</bridgehead>
85 <para role="recommended">
86 <xref linkend="polkit"/>
87 </para>
88
89 <bridgehead renderas="sect4">Optional</bridgehead>
90 <para role="optional">
91 <xref linkend="cacerts"/>,
92 <xref linkend="curl"/>,
93 <xref linkend="elfutils"/>,
94 <xref linkend="gnutls"/>,
95 <xref linkend="iptables"/>,
96 <xref linkend="libgcrypt"/>,
97 <xref linkend="libidn"/>,
98 <xref linkend="libxkbcommon"/>,
99 <xref linkend="python2"/> or
100 <xref linkend="python3"/>,
101 <xref linkend="qemu"/>,
102 <xref linkend="valgrind"/>,
103 <xref linkend="zsh"/> (for the zsh completions),
104 <ulink url="https://www.kernel.org/pub/linux/utils/cryptsetup/">cryptsetup</ulink>,
105 <ulink url="http://sourceforge.net/projects/gnu-efi/">gnu-efi</ulink>,
106 <ulink url="https://www.kernel.org/pub/linux/utils/kernel/kexec/">kexec-tools</ulink>,
107 <ulink url="https://www.gnu.org/software/libmicrohttpd/">libmicrohttpd</ulink>,
108 <ulink url="http://sourceforge.net/projects/libseccomp/">libseccomp</ulink>,
109 <ulink url="http://lxml.de/">lxml</ulink> (Python Module),
110 <ulink url="https://github.com/Cyan4973/lz4">lz4</ulink>,
111 <ulink url="http://fukuchi.org/works/qrencode/">qrencode</ulink>,
112 <ulink url="http://sourceforge.net/projects/linuxquota/">quota-tools</ulink> and
113 <ulink url="https://pypi.python.org/pypi/Sphinx">Sphinx</ulink>
114 </para>
115
116 <note>
117 <para>
118 In order to build the <application>systemd</application>
119 <application>Python</application> module, the
120 <application>lxml</application> package
121 needs to be installed for the corresponding
122 <application>Python</application> version (2 or 3).
123 Note that <command>configure</command> defaults to
124 <application>Python 2</application>. In order to build
125 the module for <application>Python 3</application>,
126 make sure you pass the <envar>PYTHON=python3</envar>
127 environment variable to the <command>configure</command>
128 command below.
129 </para>
130 </note>
131
132 <bridgehead renderas="sect4">Optional (to rebuild the manual pages)</bridgehead>
133 <para role="optional">
134 <xref linkend="DocBook"/>,
135 <xref linkend="docbook-xsl"/> and
136 <xref linkend="libxslt"/>
137 </para>
138
139 <para condition="html" role="usernotes">User Notes:
140 <ulink url="&blfs-wiki;/systemd"/>
141 </para>
142 </sect2>
143
144 <sect2 role="installation">
145 <title>Installation of systemd</title>
146
147<!-- Not needed as of v231 -renodr
148 <para>First, fix a potential security issue with framebuffer
149 devices:</para>
150
151<screen><userinput>sed -e 's@DRI and frame buffer@DRI@' \
152 -e '/SUBSYSTEM==\"graphics\", KERNEL==\"fb\*\"/d' \
153 -i src/login/70-uaccess.rules</userinput></screen>
154-->
155
156 <para>
157 Apply the required patch, which fixes a security issue:
158 </para>
159
160<screen><userinput>patch -Np1 -i ../systemd-&systemd-version;-security_fix-1.patch</userinput></screen>
161
162 <para>
163 Disable two tests that always fail:
164 </para>
165
166<screen><userinput>sed -e 's:test/udev-test.pl ::g' \
167 -e 's:test-copy$(EXEEXT) ::g' \
168 -i Makefile.in</userinput></screen>
169
170 <para>
171 Rebuild <application>systemd</application> by running the
172 following commands:
173 </para>
174
175<screen><userinput>cc_cv_CFLAGS__flto=no \
176XSLTPROC="/usr/bin/xsltproc" \
177./configure --prefix=/usr \
178 --sysconfdir=/etc \
179 --localstatedir=/var \
180 --with-rootprefix= \
181 --with-rootlibdir=/lib \
182 --enable-split-usr \
183 --disable-firstboot \
184 --disable-ldconfig \
185 --disable-sysusers \
186 --without-python \
187 --with-default-dnssec=no \
188 --docdir=/usr/share/doc/systemd-&systemd-version; &amp;&amp;
189make</userinput></screen>
190
191 <note>
192 <para>
193 For the best results, make sure you run the testsuite from
194 a system that is booted by the same
195 <application>systemd</application> version you are rebuilding.
196 </para>
197 </note>
198
199 <para>
200 To test the results, issue: <command>make -k check</command>.
201 </para>
202
203 <warning>
204 <para>
205 Installing the package will overwrite all files installed by
206 <application>systemd</application> in LFS. It is critical that
207 nothing uses either <application>systemd</application> or
208 <application>Udev</application> libraries during the installation.
209 The best way to ensure that these libraries are not being used is to
210 run the installation in rescue mode. To switch to rescue mode,
211 run the following command as the
212 <systemitem class="username">root</systemitem> user (from a TTY):
213 </para>
214
215<screen role="root"><userinput>systemctl start rescue.target</userinput></screen>
216 </warning>
217
218 <para>
219 Now, as the <systemitem class="username">root</systemitem> user:
220 </para>
221
222<screen role="root"><userinput>make install</userinput></screen>
223
224 <para>
225 Move the NSS libraries to <filename class="directory">/lib</filename>
226 by running the following command as the <systemitem
227 class="username">root</systemitem> user:
228 </para>
229
230<screen role="root"><userinput>mv -v /usr/lib/libnss_{myhostname,mymachines,resolve}.so.2 /lib</userinput></screen>
231
232 <para>
233 Remove an unnecessary directory by running the following command
234 as the <systemitem class="username">root</systemitem> user:
235 </para>
236
237<screen role="root"><userinput>rm -rfv /usr/lib/rpm</userinput></screen>
238
239 </sect2>
240
241 <sect2 role="configuration">
242 <title>Configuring systemd</title>
243
244 <para>
245 The <filename>/etc/pam.d/system-session</filename> file needs to
246 be modified and a new file needs to be created in order for
247 <command>systemd-logind</command> to work correctly. Run the following
248 commands as the <systemitem class="username">root</systemitem> user:
249 </para>
250
251<screen role="root"><userinput>cat &gt;&gt; /etc/pam.d/system-session &lt;&lt; "EOF"
252<literal># Begin Systemd addition
253
254session required pam_loginuid.so
255session optional pam_systemd.so
256
257# End Systemd addition</literal>
258EOF
259
260cat &gt; /etc/pam.d/systemd-user &lt;&lt; "EOF"
261<literal># Begin /etc/pam.d/systemd-user
262
263account required pam_access.so
264account include system-account
265
266session required pam_env.so
267session required pam_limits.so
268session include system-session
269
270auth required pam_deny.so
271password required pam_deny.so
272
273# End /etc/pam.d/systemd-user</literal>
274EOF</userinput></screen>
275
276 <para>
277 At this point, you should reload the systemd daemon, and reenter
278 multi-user mode with the following commands (as the
279 <systemitem class="username">root</systemitem> user):
280 </para>
281
282<screen role="root"><userinput>systemctl daemon-reload
283systemctl start multi-user.target</userinput></screen>
284
285 <warning><para>If upgrading from a previous version of systemd and an
286 initrd is used for system boot, you should generate a new initrd before
287 rebooting the system.</para></warning>
288
289 </sect2>
290
291 <sect2 role="content">
292 <title>Contents</title>
293
294 <para>
295 A list of the installed files, along with their short
296 descriptions can be found at
297 <ulink url="&lfs-root;/chapter06/systemd.html#contents-systemd"/>.
298 </para>
299
300 <para>
301 Listed below are the newly installed libraries and directories
302 along with short descriptions.
303 </para>
304
305 <segmentedlist>
306 <segtitle>Installed Programs</segtitle>
307 <segtitle>Installed Libraries</segtitle>
308 <segtitle>Installed Directories</segtitle>
309
310 <seglistitem>
311 <seg>
312 None
313 </seg>
314 <seg>
315 pam_systemd.so
316 (in <filename class="directory">/lib/security</filename>)
317 </seg>
318 <seg>
319 None
320 </seg>
321 </seglistitem>
322 </segmentedlist>
323
324 <variablelist>
325 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
326 <?dbfo list-presentation="list"?>
327 <?dbhtml list-presentation="table"?>
328
329 <varlistentry id="pam_systemd">
330 <term><filename class="libraryfile">pam_systemd.so</filename></term>
331 <listitem>
332 <para>
333 is a PAM module used to register user sessions with the
334 <application>systemd</application> login manager,
335 <command>systemd-logind</command>.
336 </para>
337 <indexterm zone="systemd pam_systemd">
338 <primary sortas="c-pam_systemd">pam_systemd.so</primary>
339 </indexterm>
340 </listitem>
341 </varlistentry>
342
343 </variablelist>
344
345 </sect2>
346
347</sect1>