= Proposed System Wide Change: KillUserProcesses=yes by default =
https://fedoraproject.org/wiki/Changes/KillUserProcesses_by_default
Change owner(s):
* Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl>
Set the default policy to terminate processes in session scope when
the user logs out. Specifically, systemd-logind's KillUserProcesses
setting, which currently is set to "no" to override the upstream
default, will be removed to follow the upstream default of "yes".
== Detailed Description ==
Since the introduction of systemd-logind a few years back, when a
session is created, systemd hooks into the PAM session creation step
to move the process that starts the session into a separate cgroup.
This means that processes which are started as part of the session can
be reliably tracked, even if they detach from the terminal and
daemonize. When a user session terminates, various processes started
as part of the user session (initially) remain alive. When the session
is terminated, remaining processes receive a HUP signal (*), which can
be and often is ignored.
Under the proposed setting of KillUserProcesses=yes, systemd will
forcibly terminate (using SIGTERM and then SIGKILL) all processes
which are part of the session scope (the cgroup created for the login
session) when the user logs out. In order for a process to avoid being
killed it has to be part of a different systemd unit. For user
processes this can be achieved in two primary ways: by starting the
unit as a service (e.g. 'systemd-run --user /usr/bin/foo', or creating
a dedicated user service unit), or by telling systemd to create a new
scope unit to encompass a specific process (e.g. 'systemd-run --user
--scope /usr/bin/foo', or making a dbus call to create a scope unit
directly). This step can be integrated directly into programs when
this makes sense for their primary use case, e.g. screen.
(*) Whether SIGHUP is sent depends on a few factors: bash sends it to its
children, tcsh does not, and the kernel also sends SIGHUP to processes
which have a terminal open.
== Scope ==
* Proposal owners:
- work upstream to clarify what is the best way for programs to mark
themselves to survive logout
- update the documentation with more explanations and examples, as we
learn what people find confusing in the current scheme of things
- evaluate a "permissive" mode for KillUserProcesses, to make it
easier to debug processes which stay around after a session terminates
- remove the compile-time override in the systemd package
- work with upstream authors and Fedora maintainers of programs like
screen and tmux to implement the ability to automatically start them
in a way that survives a user session, and if the system policy does
not allow that, to warn the user.
* Other developers:
- cooperate on the last item from previous point
- identify additional services which need to adapt to the changed default.
Different services might merit different handling here: some might be
updated to start through the non-session-specific dbus instance,
some might need documentation changes, while others possibly should be
handled like tmux and screen.
* Release engineering: N/A
* List of deliverables: N/A (not a System Wide Change)
* Policies and guidelines:
- a Fedora Magazine article or similar to publicize the change would be nice
* Trademark approval: N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
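As an added example (not part of the proposal, of systemd, or of the Fedora wiki page), a small POSIX shell helper that tells, from a /proc/PID/cgroup line, whether a process sits in the login session scope (and so would be terminated at logout under KillUserProcesses=yes) or in a unit under the user's own manager (a user service or a 'systemd-run --user' scope, which survives). It assumes the unified cgroup v2 hierarchy ("0::" lines) and the sample paths are constructed.

```shell
#!/bin/sh
# Added example, not from the proposal or systemd. Assumes cgroup v2
# ("0::/path" lines in /proc/<pid>/cgroup) with the systemd user slice layout.

# parse_cgroup_line LINE -> the cgroup path of a "0::/..." line (cgroup v2)
parse_cgroup_line() {
    printf '%s\n' "$1" | sed -n 's/^0::\(.*\)$/\1/p'
}

# classify_cgroup PATH -> "killed-at-logout", "survives-logout" or "unknown"
# - session-N.scope under user-UID.slice is the login session scope that
#   KillUserProcesses=yes tears down (SIGTERM, then SIGKILL).
# - anything under user@UID.service belongs to the user's systemd instance
#   (user services, 'systemd-run --user' services/scopes) and is left alone.
classify_cgroup() {
    case "$1" in
        */user.slice/user-*.slice/session-*.scope*) echo killed-at-logout ;;
        */user.slice/user-*.slice/user@*.service/*) echo survives-logout ;;
        *) echo unknown ;;
    esac
}

# cgroup_of PID -> cgroup path of a live process (for use on a real system)
cgroup_of() {
    parse_cgroup_line "$(cat "/proc/$1/cgroup")"
}

# Constructed sample lines in /proc/<pid>/cgroup format.
SAMPLE_SESSION='0::/user.slice/user-1000.slice/session-3.scope'
SAMPLE_SERVICE='0::/user.slice/user-1000.slice/user@1000.service/app.slice/run-u42.service'
SAMPLE_SCOPE='0::/user.slice/user-1000.slice/user@1000.service/app.slice/run-u43.scope'

for line in "$SAMPLE_SESSION" "$SAMPLE_SERVICE" "$SAMPLE_SCOPE"; do
    path=$(parse_cgroup_line "$line")
    printf '%s -> %s\n' "$path" "$(classify_cgroup "$path")"
done

# On a live system, compare an interactive login shell with a process started
# the way the proposal recommends:
#   classify_cgroup "$(cgroup_of $$)"
#   systemd-run --user --scope sh -c 'cat /proc/self/cgroup'
```

The printed classification for the constructed samples is "killed-at-logout" for the session scope and "survives-logout" for the two units under user@1000.service.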
Hi,
I've realized that the Fedora defensive guide [0] is the only guide we
have to introduce the C TLS and crypto libraries we have, as well as
provide a defensive style in using them. However, it is quite
outdated, and misses information which may be a standard requirement in the
future (e.g., support for HSMs). For that, I've taken the liberty to
update the text on crypto libraries, as well as the TLS libraries,
i.e., gnutls; Bob Relyea reviewed the text on NSS, and we added a section
on using Hardware Security Modules with openssl, gnutls and NSS.
The existing updates are in:
https://pagure.io/defensive-coding-guide/pull-requests
However, what is missing now is updating the code samples for openssl with code that is safe to use with both 1.1.0 and 1.0.0, reviewing the section on HSMs+openssl, and adding a section on setting up a server with openssl. Anyone who knows openssl well enough to volunteer for any of the tasks above?
regards,
Nikos
[0]. https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_…
Hi,
The upstream projects libp11 and engine_pkcs11 have been merged under
the libp11 umbrella. As such, I plan to retire engine_pkcs11, and merge
it with libp11. The only drawback that I see from that move is that
one would not find the engine_pkcs11 package at the packagedb search
https://admin.fedoraproject.org/pkgdb/
regards,
Nikos