seatd 0.9.1

This release contains two important bugfixes:

- libseat could end up not servicing seat enable/disable events if they were received immediately after a response, leading to the session deadlocking in a deactivated state.
- Some protocol strings lacked validation of the NULL termination requirement. In seatd, this could lead to reading a fixed bit of stack memory past the end of the string as being part of it. seatd memory does not contain any secrets, and the resulting garbage string just leads to an early error. In libseat, a malicious seatd server could cause heap memory corruption in the display server using it, but doing so requires extensive pre-existing control of the system, such as controlling the display server execution and its environment, having filesystem access and having the ability to execute a malicious binary.

In addition, it contains the version number bump which had sadly failed to make its way into the 0.9.0 tag.

Kenny Levinsen (7):
      Bump version to 0.9.0
      libseat/seatd: Remove read_and_execute
      libseat/seatd: Read remaining events after processing responses
      libseat/seatd: Cleanup of request error handling
      libseat/seatd: Set EINVAL if target session is invalid
      libseat/seatd: Set backend error if poll fails
      Bump version to 0.9.1

Martin Michaelis (2):
      seatd: Add validation of device path
      libseat/seatd: Add validation of seat_name
      seatd: Add strict message size comparison

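The class of check the 0.9.1 notes describe (NUL-termination validation plus a strict message size comparison), as an added example that is not seatd or libseat code. The frame layout, `parse_open_device`, `build_frame` and `MAX_PATH_LEN` are hypothetical, and the sample frames are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 256
/* Hypothetical wire layout for this example (not copied from seatd). */
struct msg_header { uint16_t opcode; uint16_t size; }; /* size = bytes after header */
struct open_device { uint16_t path_len; };             /* path bytes, NUL included */

static int reject(void) { errno = EBADMSG; return -1; }

/* Validate one frame and copy its path into out[MAX_PATH_LEN]; 0 on success. */
static int parse_open_device(const uint8_t *frame, size_t len, char *out) {
	struct msg_header hdr;
	struct open_device msg;
	const uint8_t *path;
	if (len < sizeof hdr + sizeof msg) return reject();
	memcpy(&hdr, frame, sizeof hdr);
	memcpy(&msg, frame + sizeof hdr, sizeof msg);
	/* Strict size checks: header, declared string length and received bytes agree. */
	if (hdr.size != len - sizeof hdr) return reject();
	if (hdr.size != sizeof msg + msg.path_len) return reject();
	if (msg.path_len == 0 || msg.path_len > MAX_PATH_LEN) return reject();
	path = frame + sizeof hdr + sizeof msg;
	/* The first NUL must be the final byte: terminated, nothing hidden after it. */
	if (memchr(path, '\0', msg.path_len) != path + msg.path_len - 1) return reject();
	memcpy(out, path, msg.path_len);
	return 0;
}

/* Build a constructed frame of n path bytes; path_len is the claimed length. */
static size_t build_frame(uint8_t *dst, const char *bytes, uint16_t n, uint16_t path_len) {
	struct msg_header hdr = { 1, (uint16_t)(sizeof(struct open_device) + n) };
	struct open_device msg = { path_len };
	memcpy(dst, &hdr, sizeof hdr);
	memcpy(dst + sizeof hdr, &msg, sizeof msg);
	memcpy(dst + sizeof hdr + sizeof msg, bytes, n);
	return sizeof hdr + sizeof msg + n;
}

int main(void) {
	uint8_t frame[64];
	char path[MAX_PATH_LEN];
	size_t ok = build_frame(frame, "/dev/dri/card0", 15, 15); /* 14 chars + NUL */
	printf("terminated: %d\n", parse_open_device(frame, ok, path));
	size_t bad = build_frame(frame, "/dev/dri/card0", 14, 14); /* NUL not sent */
	printf("unterminated: %d\n", parse_open_device(frame, bad, path));
	return 0;
}
```

Without the `memchr` check, a receiver that treats the unterminated frame's path as a C string reads past the received bytes, which is the over-read the notes describe.
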
seatd 0.9.0

This release contains 35 changes from 6 contributors.

Some highlights of this release:

- Improve session state tracking in the libseat logind backend, which could previously fail to notify the libseat client that the session had been deactivated.
- Do not trigger a VT switch when starting a logind session, allowing sessions to be started in the background.
- Improve error handling in some edge cases in the libseat seatd backend.
- Apply more aggressive security policies to the included systemd unit.

Adrien Demarez (1):
      seatd: fix small bug in assert

Jack Mitchell (1):
      seatd: fix double close of file handle

Kelvin C (10):
      systemd: lockdown the filesystem
      systemd: ensure no new privileges
      systemd: disable network access
      systemd: limit sys calls and arch
      systemd: limit access to kernel
      systemd: restrict namespace functionality
      systemd: restrict capabilities
      systemd: protect system clock
      systemd: protect hostname
      systemd: restrict access to devices

Kenny Levinsen (21):
      seatd: Avoid unnecessary asserts
      connection: Add overflow edge-case test
      libseat/seatd: Error on unexpected response
      libseat/seatd: Dispatch utility cleanup
      seatd: Add responses for switch and disable
      common: Allow inserting inited linked list elem
      seatd: Init client link after removal
      libseat/seatd: Fix wrong dispatch reference
      logind: Skip session activation
      seat: Merge close_client with remove_client
      seat: Minor cleanup in device reuse, error logging
      seat: Add a bit of documentation
      libseat/logind: Check initial active state
      libseat/logind: Better naming and signatures
      libseat/logind: Move session_get_type up to its family
      logind: Remove match signal on seat object
      logind: Iterate through entire PropertiesChanged
      logind: Remove drm device tracking
      ci: Disable logind smoketest for now
      seatd: Add support for hidraw devices
      seatd: Minor evdev ifdef cleanup

Morose (1):
      logind: Condition is always true

Simon Ser (1):
      build: show whether man pages are enabled in summary

seatd 0.8.0

Alyssa Ross (1):
      meson: fix seatdpath with absolute bindir

Anna (navi) Figueiredo Gomes (2):
      noop: Return seat0 as the seat name
      noop: Additional open flags for `open(2)`

Chia-I Wu (1):
      noop: initialize initial_setup

Jessica Clarke (1):
      drm: Support drm-subtree drivers on FreeBSD

Kenny Levinsen (1):
      Bump version to 0.8.0

Simon Ser (2):
      man: document SEATD_VTBOUND
      man: add missing arg in -n syntax

seatd 0.7.0

This release contains 36 changes from 3 contributors.

Some highlights of this release are:

- Support for NetBSD and wscons devices
- Fix for a polling bug in the logind libseat backend

Breaking changes:

- Removal of SEATD_SOCK and runtime socket path configuration
- Removal of SEATD_LOGLEVEL, replaced by a command-line argument

Kenny Levinsen (25):
      libseat: Use SOCK_CLOEXEC and SOCK_NONBLOCK
      logind: Always send ping if data is queued
      seatd: Remove SOCK_PATH and improve cleanup
      seatd: Ensure socket gets unlinked on error
      seatd-launch: Do not unlink socket path
      seatd: Fix usage rendering
      seatd-launch: Minor readability improvements
      seatd: Command-line argument for loglevel
      seatd: Handle socket unlink errors
      seatd: Remove runtime socket path configuration
      seatd: Change default log-level to info
      meson: Only set libseat defines for libseat itself
      builtin: Close other end of socketpair after fork
      seatd: Shut down on client disconnect in builtin
      builtin: Remove deathsig and log start/stop
      meson: Fix meson warnings
      Bump version to 0.7.0
      ci: Set loglevel argument to debug
      readme: Mention NetBSD
      meson: library soversion arg should be string
      terminal: Revert FreeBSD behavior in set_keyboard
      wscons: Move to its own device type
      drm: Make dev_is_drm local to logind backend
      wscons: Fix STRLEN
      seatd-launch: Avoid argv[0] in help text

Simon Ser (9):
      seatd: avoid overwriting errno in set_nonblock error handling
      seatd: don't log errno on EVENT_ERROR
      build: don't use cc.get_supported_arguments for defines
      build: use list for logind dep
      build: don't use sh for scdoc
      build: use meson.override_dependency
      readme: add irc:// link
      seatd: handle client_create failure
      seatd: refuse to compile with missing get_peer impl

illiliti (2):
      Initial netbsd support
      ci: Add NetBSD

seatd 0.6.4

This release contains a security fix for a vulnerability in the seatd-launch executable.

A user could specify a socket path that collides with an existing file. If seatd-launch had the SUID bit set and was owned by a privileged user, this could be used to remove files that the calling user itself did not have sufficient privileges to remove.

seatd and libseat are not affected by this vulnerability.

Kenny Levinsen (3):
      seatd-launch: Remove socket path command line arg
      seatd-launch: Use snprintf for socket path
      Bump version to 0.6.4

seatd 0.6.3

This release fixes an issue where an interaction between how events fired from libseat's seatd backend and libinput as of version 1.19 could cause a compositor to segfault.

It also introduces support in libseat's logind backend for correctly opening an inactive seat while the logind session is inactive.

Kenny Levinsen (8):
      seatd: Implement ping request to wake up later
      logind: Send ping to wake us up later
      clang-format: Fix alignment
      ci: Inline smoketest into build scripts
      logind: Improve error handling in open_seat
      ci: Add logind smoketest to arch
      logind: Set userdata for ping_handler
      Bump version to 0.6.3

Simon Ser (2):
      logind: check if session is active on startup
      examples/simpletest: check for libseat_dispatch failures

seatd 0.6.2

This release contains a security fix for a vulnerability in the seatd-launch executable.

A user could manipulate the PATH environment variable to cause seatd-launch to load a different executable than seatd. If seatd-launch had the SUID bit set and was owned by a privileged user, this could be used to mount a privilege escalation attack.

seatd and libseat are not affected by this vulnerability.

Kenny Levinsen (4):
      ci: Install seatd instead of manipulating PATH
      seatd-launch: Use absolute path for seatd
      seatd-launch: Specify exact environment to seatd
      Bump version to 0.6.2

seatd 0.6.1

This bugfix release addresses usability issues with seatd-launch.

Jan Beich (1):
      seatd-launch: respect PATH when looking for command

Kenny Levinsen (4):
      man: Add seatd-launch(1) to SEE ALSO of seatd(1)
      seatd-launch: Use optind to find the command
      man/seatd-launch: Make mssage about root clearer
      Bump version to 0.6.1

Simon Ser (2):
      seatd-launch: exit with status >128 if child is signalled
      seatd-launch: print unlink/kill errors

seatd 0.6.0

This release contains 54 changes from 6 contributors.

Some highlights of this release are:

- s6-style readiness notification support for seatd
- seatd-launch, which handles starting seatd and a consumer together, has been introduced as a superior alternative to the builtin libseat backend and as a convenient way to use seatd outside a service manager
- The builtin backend no longer blocks root from using it
- Meson options have been renamed to indicate what component they target
- Various fixes and improvements

Fabrice Fontaine (1):
      meson.build: fix build with gcc < 7

Greg Depoire--Ferrer (2):
      Revert "libseat: Check euid before using builtin"
      libseat: Update builtin backend root requirement documentation

Jan Beich (1):
      client: enable cr_pid on FreeBSD >= 12.3

Kenny Levinsen (34):
      meson: Fix logind backend auto mode
      meson: Minor cleanup
      Correct minor misspellings
      meson: Disable examples by default
      ci: Reduce test runs from 5 to 2
      ci: Remove unnecessary env vars
      contrib: Add Documentation to systemd unit
      readme: Remove alpha label
      Avoid a clang-format quirk
      ci: Use 'auto' for arch linux logind
      meson: make 'logind' var always available
      contrib/systemd: Use a different group
      meson: Support building builtin without seatd
      readme: Update discuss section
      libseat/seatd: Return executed events
      libseat/seatd: Add dispatch_pending_and_execute
      libseat: Rename dispatch_background in backends
      seatd: We shouldn't poll if predispatch > 0
      seatd: s6-style readiness notification support
      seatd: Only set UID/GID when specified
      seatd-launch: Add seatd launch wrapper
      ci: Use seatd-launch
      ci: Fix meson flags
      seatd-launch: Command line argument support
      seatd: Improve socket permission error handling
      seatd: Use path in chmod/chown operations
      logind: Remove redundant null check
      libseat: Fix build of builtin backend
      seat: Avoid holding a tty fd
      seat: Allow new clients when active is pending ack
      seatd-launch: Set socket permissions directly
      man: Add simple seatd-launch(1) page
      seatd-launch: Fix chmod error goto
      Bump version to 0.6.0

Simeon Schaub (1):
      link with rt

Simon Ser (15):
      Add no-op session
      meson: declare libseat dependency
      build: add explicit logind provider option, auto-detect by default
      build: fix logind feature summary when auto-detected
      build: don't explicitly search for sh
      build: don't allow "auto" for seatd, builtin, server and examples
      build: disable logind on -Dauto_features=disabled -Dlogind=auto
      build: set pkgconfig/dependency variables for features
      libseat/seatd: downgrade ENOENT log to info
      build: add prefix to libseat options
      seatd-launch: propagate child exit status
      seatd-launch: don't use gotos in child processes
      seatd-launch: check for getpwuid errors
      Make libseat_seat_listener const
      Add .editorconfig

seatd 0.5.0

Aleksei Bavshin (1):
      meson: ignore 'man-pages' if 'server' is disabled

Isaac Freund (1):
      libseat: log error when failing to open socket

Kenny Levinsen (29):
      ci: Clean up build manifests
      poller: Retry poll immediately on EINTR
      client: More robust handling of client links
      terminal: Improve logging
      logind: switch_session should return 0 on success
      client: Do not use SOL_SOCKET for LOCAL_PEERCRED
      client: Use cr_pid if available
      client: Fix typo in cr_pid usage
      simpletest: Close fd after closing device
      logind: Send ReleaseControl when closing seat
      seat: Remove unused arg from seat_deactive_device
      client: Replace pending_disable with state enum
      seatd: Tear down VT when disabled client closes
      libseat: Fix typo in doc string
      logind: Fix return values from close_device/get_fd
      seatd: Set errno in seat_add_client
      Convert a few debug logs to error logs
      seatd: Clean up debug logs a bit
      client: Remove link if seat_add_client succeeds
      seatd: Close cur_ttyfd in seat_destroy
      clang-format
      log: Remove function name from log
      Normalize log texts a bit
      log: Include debug logs in release builds
      meson: Clean up test declarations a bit
      meson: Make summary prettier
      meson: Fix indentation
      ci: Add clang-extra-tools to alpine
      Bump version to 0.5.0

Simon Ser (1):
      libseat/backend/logind: stop waiting for CanGraphical