[thirdparty/systemd.git] / src / basic / user-util.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include <grp.h>
#if ENABLE_GSHADOW
#  include <gshadow.h>
#endif
#include <pwd.h>
#include <shadow.h>
#include <stdbool.h>
#include <stdint.h>
#include <sys/types.h>
#include <unistd.h>

/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
#define HOME_UID_MIN ((uid_t) 60001)
#define HOME_UID_MAX ((uid_t) 60513)

/* Users mapped from host into a container */
#define MAP_UID_MIN ((uid_t) 60514)
#define MAP_UID_MAX ((uid_t) 60577)

bool uid_is_valid(uid_t uid);

static inline bool gid_is_valid(gid_t gid) {
        return uid_is_valid((uid_t) gid);
}

int parse_uid(const char *s, uid_t* ret_uid);
int parse_uid_range(const char *s, uid_t *ret_lower, uid_t *ret_upper);

static inline int parse_gid(const char *s, gid_t *ret_gid) {
        return parse_uid(s, (uid_t*) ret_gid);
}

char* getlogname_malloc(void);
char* getusername_malloc(void);

typedef enum UserCredsFlags {
        USER_CREDS_PREFER_NSS    = 1 << 0,  /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
        USER_CREDS_ALLOW_MISSING = 1 << 1,  /* if a numeric UID string is resolved, be OK if there's no record for it */
        USER_CREDS_CLEAN         = 1 << 2,  /* try to clean up shell and home fields with invalid data */
} UserCredsFlags;

int get_user_creds(const char **username, uid_t *ret_uid, gid_t *ret_gid, const char **ret_home, const char **ret_shell, UserCredsFlags flags);
int get_group_creds(const char **groupname, gid_t *ret_gid, UserCredsFlags flags);

char* uid_to_name(uid_t uid);
char* gid_to_name(gid_t gid);

int in_gid(gid_t gid);
int in_group(const char *name);

int merge_gid_lists(const gid_t *list1, size_t size1, const gid_t *list2, size_t size2, gid_t **result);
int getgroups_alloc(gid_t** gids);

int get_home_dir(char **ret);
int get_shell(char **ret);

int fully_set_uid_gid(uid_t uid, gid_t gid, const gid_t supplementary_gids[], size_t n_supplementary_gids);
static inline int reset_uid_gid(void) {
        return fully_set_uid_gid(0, 0, NULL, 0);
}

int take_etc_passwd_lock(const char *root);

#define UID_INVALID ((uid_t) -1)
#define GID_INVALID ((gid_t) -1)

#define UID_NOBODY ((uid_t) 65534U)
#define GID_NOBODY ((gid_t) 65534U)

/* If REMOUNT_IDMAPPING_HOST_ROOT is set for remount_idmap() we'll include a mapping here that maps the host
 * root user accessing the idmapped mount to the this user ID on the backing fs. This is the last valid UID in
 * the *signed* 32-bit range. You might wonder why precisely use this specific UID for this purpose? Well, we
 * definitely cannot use the first 0…65536 UIDs for that, since in most cases that's precisely the file range
 * we intend to map to some high UID range, and since UID mappings have to be bijective we thus cannot use
 * them at all. Furthermore the UID range beyond INT32_MAX (i.e. the range above the signed 32-bit range) is
 * icky, since many APIs cannot use it (example: setfsuid() returns the old UID as signed integer). Following
 * our usual logic of assigning a 16-bit UID range to each container, so that the upper 16-bit of a 32-bit UID
 * value indicate kind of a "container ID" and the lower 16-bit map directly to the intended user you can read
 * this specific UID as the "nobody" user of the container with ID 0x7FFF, which is kinda nice. */
#define UID_MAPPED_ROOT ((uid_t) (INT32_MAX-1))
#define GID_MAPPED_ROOT ((gid_t) (INT32_MAX-1))

#define ETC_PASSWD_LOCK_FILENAME ".pwd.lock"
#define ETC_PASSWD_LOCK_PATH "/etc/" ETC_PASSWD_LOCK_FILENAME

/* The following macros add 1 when converting things, since UID 0 is a valid UID, while the pointer
 * NULL is special */
#define PTR_TO_UID(p) ((uid_t) (((uintptr_t) (p))-1))
#define UID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))

#define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
#define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))

static inline bool userns_supported(void) {
        return access("/proc/self/uid_map", F_OK) >= 0;
}

typedef enum ValidUserFlags {
        VALID_USER_RELAX         = 1 << 0,
        VALID_USER_WARN          = 1 << 1,
        VALID_USER_ALLOW_NUMERIC = 1 << 2,
} ValidUserFlags;

bool valid_user_group_name(const char *u, ValidUserFlags flags);
bool valid_gecos(const char *d);
char* mangle_gecos(const char *d);
bool valid_home(const char *p);

static inline bool valid_shell(const char *p) {
        /* We have the same requirements, so just piggy-back on the home check.
         *
         * Let's ignore /etc/shells because this is only applicable to real and
         * not system users. It is also incompatible with the idea of empty /etc.
         */
        return valid_home(p);
}

int maybe_setgroups(size_t size, const gid_t *list);

bool synthesize_nobody(void);

int fgetpwent_sane(FILE *stream, struct passwd **pw);
int fgetspent_sane(FILE *stream, struct spwd **sp);
int fgetgrent_sane(FILE *stream, struct group **gr);
int putpwent_sane(const struct passwd *pw, FILE *stream);
int putspent_sane(const struct spwd *sp, FILE *stream);
int putgrent_sane(const struct group *gr, FILE *stream);
#if ENABLE_GSHADOW
int fgetsgent_sane(FILE *stream, struct sgrp **sg);
int putsgent_sane(const struct sgrp *sg, FILE *stream);
#endif

bool is_nologin_shell(const char *shell);
const char* default_root_shell_at(int rfd);
const char* default_root_shell(const char *root);

int is_this_me(const char *username);

const char* get_home_root(void);

static inline bool hashed_password_is_locked_or_invalid(const char *password) {
        return password && password[0] != '$';
}

/* A locked *and* invalid password for "struct spwd"'s .sp_pwdp and "struct passwd"'s .pw_passwd field */
#define PASSWORD_LOCKED_AND_INVALID "!*"

/* A password indicating "look in shadow file, please!" for "struct passwd"'s .pw_passwd */
#define PASSWORD_SEE_SHADOW "x"

/* A password indicating "hey, no password required for login" */
#define PASSWORD_NONE ""

/* Used by sysusers to indicate that the password should be filled in by firstboot.
 * Also see https://github.com/systemd/systemd/pull/24680#pullrequestreview-1439464325.
 */
#define PASSWORD_UNPROVISIONED "!unprovisioned"

int getpwuid_malloc(uid_t uid, struct passwd **ret);
int getpwnam_malloc(const char *name, struct passwd **ret);

int getgrnam_malloc(const char *name, struct group **ret);
int getgrgid_malloc(gid_t gid, struct group **ret);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
b1d4f8e1 LP	2	#pragma once
b1d4f8e1 LP	3
100d5f6e	4	#include <grp.h>
66a5b5ce	5	#if ENABLE_GSHADOW
98dcb8f4	6	# include <gshadow.h>
66a5b5ce	7	#endif
100d5f6e FB	8	#include <pwd.h>
100d5f6e FB	9	#include <shadow.h>
b1d4f8e1	10	#include <stdbool.h>
61755fda	11	#include <stdint.h>
71d35b6b	12	#include <sys/types.h>
ccabee0d	13	#include <unistd.h>
b1d4f8e1	14
76ef5d04	15	/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
63b98386 JJ	16	#define HOME_UID_MIN ((uid_t) 60001)
63b98386 JJ	17	#define HOME_UID_MAX ((uid_t) 60513)
76ef5d04 LP	18
76ef5d04 LP	19	/* Users mapped from host into a container */
63b98386 JJ	20	#define MAP_UID_MIN ((uid_t) 60514)
63b98386 JJ	21	#define MAP_UID_MAX ((uid_t) 60577)
76ef5d04	22
b1d4f8e1 LP	23	bool uid_is_valid(uid_t uid);
	24
	25	static inline bool gid_is_valid(gid_t gid) {
	26	return uid_is_valid((uid_t) gid);
	27	}
	28
	29	int parse_uid(const char s, uid_t ret_uid);
03de302a	30	int parse_uid_range(const char s, uid_t ret_lower, uid_t *ret_upper);
b1d4f8e1 LP	31
	32	static inline int parse_gid(const char s, gid_t ret_gid) {
	33	return parse_uid(s, (uid_t*) ret_gid);
	34	}
	35
b1d4f8e1 LP	36	char* getlogname_malloc(void);
	37	char* getusername_malloc(void);
	38
fafff8f1	39	typedef enum UserCredsFlags {
43ad3ad7 ZJS	40	USER_CREDS_PREFER_NSS = 1 << 0, /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
	41	USER_CREDS_ALLOW_MISSING = 1 << 1, /* if a numeric UID string is resolved, be OK if there's no record for it */
	42	USER_CREDS_CLEAN = 1 << 2, /* try to clean up shell and home fields with invalid data */
fafff8f1 LP	43	} UserCredsFlags;
fafff8f1 LP	44
83e9b584 LP	45	int get_user_creds(const char *username, uid_t ret_uid, gid_t ret_gid, const char ret_home, const char *ret_shell, UserCredsFlags flags);
83e9b584 LP	46	int get_group_creds(const char *groupname, gid_t ret_gid, UserCredsFlags flags);
b1d4f8e1 LP	47
	48	char* uid_to_name(uid_t uid);
	49	char* gid_to_name(gid_t gid);
	50
	51	int in_gid(gid_t gid);
	52	int in_group(const char *name);
	53
0c5d6679 DG	54	int merge_gid_lists(const gid_t list1, size_t size1, const gid_t list2, size_t size2, gid_t **result);
	55	int getgroups_alloc(gid_t** gids);
	56
b1d4f8e1	57	int get_home_dir(char **ret);
8795d9ba	58	int get_shell(char **ret);
b1d4f8e1	59
6498a0c2 LP	60	int fully_set_uid_gid(uid_t uid, gid_t gid, const gid_t supplementary_gids[], size_t n_supplementary_gids);
	61	static inline int reset_uid_gid(void) {
	62	return fully_set_uid_gid(0, 0, NULL, 0);
	63	}
e929bee0 LP	64
e929bee0 LP	65	int take_etc_passwd_lock(const char *root);
ee104e11 LP	66
	67	#define UID_INVALID ((uid_t) -1)
	68	#define GID_INVALID ((gid_t) -1)
	69
3a664727 LP	70	#define UID_NOBODY ((uid_t) 65534U)
	71	#define GID_NOBODY ((gid_t) 65534U)
	72
1aa18710 QD	73	/* If REMOUNT_IDMAPPING_HOST_ROOT is set for remount_idmap() we'll include a mapping here that maps the host
1aa18710 QD	74	* root user accessing the idmapped mount to the this user ID on the backing fs. This is the last valid UID in
da890466	75	* the signed 32-bit range. You might wonder why precisely use this specific UID for this purpose? Well, we
50ae2966 LP	76	* definitely cannot use the first 0…65536 UIDs for that, since in most cases that's precisely the file range
50ae2966 LP	77	* we intend to map to some high UID range, and since UID mappings have to be bijective we thus cannot use
da890466	78	* them at all. Furthermore the UID range beyond INT32_MAX (i.e. the range above the signed 32-bit range) is
50ae2966	79	* icky, since many APIs cannot use it (example: setfsuid() returns the old UID as signed integer). Following
da890466 ZJS	80	* our usual logic of assigning a 16-bit UID range to each container, so that the upper 16-bit of a 32-bit UID
da890466 ZJS	81	* value indicate kind of a "container ID" and the lower 16-bit map directly to the intended user you can read
50ae2966 LP	82	* this specific UID as the "nobody" user of the container with ID 0x7FFF, which is kinda nice. */
	83	#define UID_MAPPED_ROOT ((uid_t) (INT32_MAX-1))
	84	#define GID_MAPPED_ROOT ((gid_t) (INT32_MAX-1))
	85
fe585662 DDM	86	#define ETC_PASSWD_LOCK_FILENAME ".pwd.lock"
fe585662 DDM	87	#define ETC_PASSWD_LOCK_PATH "/etc/" ETC_PASSWD_LOCK_FILENAME
d1e4b8fd	88
61755fda ZJS	89	/* The following macros add 1 when converting things, since UID 0 is a valid UID, while the pointer
61755fda ZJS	90	* NULL is special */
ee104e11 LP	91	#define PTR_TO_UID(p) ((uid_t) (((uintptr_t) (p))-1))
	92	#define UID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
	93
	94	#define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
	95	#define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
ccabee0d LP	96
	97	static inline bool userns_supported(void) {
	98	return access("/proc/self/uid_map", F_OK) >= 0;
	99	}
e4631b48	100
7a8867ab LP	101	typedef enum ValidUserFlags {
	102	VALID_USER_RELAX = 1 << 0,
	103	VALID_USER_WARN = 1 << 1,
	104	VALID_USER_ALLOW_NUMERIC = 1 << 2,
	105	} ValidUserFlags;
	106
	107	bool valid_user_group_name(const char *u, ValidUserFlags flags);
e4631b48	108	bool valid_gecos(const char *d);
78435d62	109	char* mangle_gecos(const char *d);
e4631b48	110	bool valid_home(const char *p);
36d85478	111
7b1aaf66 ZJS	112	static inline bool valid_shell(const char *p) {
	113	/* We have the same requirements, so just piggy-back on the home check.
	114	*
	115	* Let's ignore /etc/shells because this is only applicable to real and
	116	* not system users. It is also incompatible with the idea of empty /etc.
	117	*/
	118	return valid_home(p);
	119	}
	120
36d85478	121	int maybe_setgroups(size_t size, const gid_t *list);
24eccc34 LP	122
24eccc34 LP	123	bool synthesize_nobody(void);
100d5f6e FB	124
	125	int fgetpwent_sane(FILE stream, struct passwd *pw);
	126	int fgetspent_sane(FILE stream, struct spwd *sp);
	127	int fgetgrent_sane(FILE stream, struct group *gr);
	128	int putpwent_sane(const struct passwd pw, FILE stream);
	129	int putspent_sane(const struct spwd sp, FILE stream);
	130	int putgrent_sane(const struct group gr, FILE stream);
4f07ffa8	131	#if ENABLE_GSHADOW
100d5f6e FB	132	int fgetsgent_sane(FILE stream, struct sgrp *sg);
	133	int putsgent_sane(const struct sgrp sg, FILE stream);
	134	#endif
f2c5edbe	135
6093b2bb	136	bool is_nologin_shell(const char *shell);
bd595c10	137	const char* default_root_shell_at(int rfd);
8a7adccb	138	const char* default_root_shell(const char *root);
7bdbafc2 LP	139
7bdbafc2 LP	140	int is_this_me(const char *username);
53c25ac9	141
78435d62	142	const char* get_home_root(void);
2700fecd	143
cd933f14 P	144	static inline bool hashed_password_is_locked_or_invalid(const char *password) {
	145	return password && password[0] != '$';
	146	}
	147
53c25ac9 LP	148	/* A locked and invalid password for "struct spwd"'s .sp_pwdp and "struct passwd"'s .pw_passwd field */
	149	#define PASSWORD_LOCKED_AND_INVALID "!*"
	150
	151	/* A password indicating "look in shadow file, please!" for "struct passwd"'s .pw_passwd */
	152	#define PASSWORD_SEE_SHADOW "x"
	153
	154	/* A password indicating "hey, no password required for login" */
	155	#define PASSWORD_NONE ""
a777a592 ZJS	156
	157	/* Used by sysusers to indicate that the password should be filled in by firstboot.
	158	* Also see https://github.com/systemd/systemd/pull/24680#pullrequestreview-1439464325.
	159	*/
	160	#define PASSWORD_UNPROVISIONED "!unprovisioned"
75673cd8 LP	161
	162	int getpwuid_malloc(uid_t uid, struct passwd **ret);
	163	int getpwnam_malloc(const char name, struct passwd *ret);
	164
	165	int getgrnam_malloc(const char name, struct group *ret);
	166	int getgrgid_malloc(gid_t gid, struct group **ret);