]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
ec8e4a0e LP |
2 | |
3 | #include <sys/auxv.h> | |
4 | ||
5 | #include "dirent-util.h" | |
037b0a47 | 6 | #include "dlfcn-util.h" |
ec8e4a0e LP |
7 | #include "errno-util.h" |
8 | #include "fd-util.h" | |
ec8e4a0e LP |
9 | #include "missing_syscall.h" |
10 | #include "parse-util.h" | |
11 | #include "set.h" | |
12 | #include "socket-util.h" | |
13 | #include "strv.h" | |
14 | #include "user-record-nss.h" | |
15 | #include "user-util.h" | |
16 | #include "userdb.h" | |
17 | #include "varlink.h" | |
18 | ||
19 | DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(link_hash_ops, void, trivial_hash_func, trivial_compare_func, Varlink, varlink_unref); | |
20 | ||
21 | typedef enum LookupWhat { | |
22 | LOOKUP_USER, | |
23 | LOOKUP_GROUP, | |
24 | LOOKUP_MEMBERSHIP, | |
25 | _LOOKUP_WHAT_MAX, | |
26 | } LookupWhat; | |
27 | ||
28 | struct UserDBIterator { | |
29 | LookupWhat what; | |
7c674191 | 30 | UserDBFlags flags; |
ec8e4a0e LP |
31 | Set *links; |
32 | bool nss_covered:1; | |
33 | bool nss_iterating:1; | |
34 | bool synthesize_root:1; | |
35 | bool synthesize_nobody:1; | |
037b0a47 | 36 | bool nss_systemd_blocked:1; |
ec8e4a0e | 37 | int error; |
ec8e4a0e LP |
38 | unsigned n_found; |
39 | sd_event *event; | |
40 | UserRecord *found_user; /* when .what == LOOKUP_USER */ | |
41 | GroupRecord *found_group; /* when .what == LOOKUP_GROUP */ | |
42 | ||
43 | char *found_user_name, *found_group_name; /* when .what == LOOKUP_MEMBERSHIP */ | |
44 | char **members_of_group; | |
45 | size_t index_members_of_group; | |
46 | char *filter_user_name; | |
47 | }; | |
48 | ||
49 | UserDBIterator* userdb_iterator_free(UserDBIterator *iterator) { | |
50 | if (!iterator) | |
51 | return NULL; | |
52 | ||
53 | set_free(iterator->links); | |
54 | ||
55 | switch (iterator->what) { | |
56 | ||
57 | case LOOKUP_USER: | |
58 | user_record_unref(iterator->found_user); | |
59 | ||
60 | if (iterator->nss_iterating) | |
61 | endpwent(); | |
62 | ||
63 | break; | |
64 | ||
65 | case LOOKUP_GROUP: | |
66 | group_record_unref(iterator->found_group); | |
67 | ||
68 | if (iterator->nss_iterating) | |
69 | endgrent(); | |
70 | ||
71 | break; | |
72 | ||
73 | case LOOKUP_MEMBERSHIP: | |
74 | free(iterator->found_user_name); | |
75 | free(iterator->found_group_name); | |
76 | strv_free(iterator->members_of_group); | |
77 | free(iterator->filter_user_name); | |
78 | ||
79 | if (iterator->nss_iterating) | |
80 | endgrent(); | |
81 | ||
82 | break; | |
83 | ||
84 | default: | |
85 | assert_not_reached("Unexpected state?"); | |
86 | } | |
87 | ||
88 | sd_event_unref(iterator->event); | |
037b0a47 LP |
89 | |
90 | if (iterator->nss_systemd_blocked) | |
91 | assert_se(userdb_block_nss_systemd(false) >= 0); | |
ec8e4a0e LP |
92 | |
93 | return mfree(iterator); | |
94 | } | |
95 | ||
7c674191 | 96 | static UserDBIterator* userdb_iterator_new(LookupWhat what, UserDBFlags flags) { |
ec8e4a0e LP |
97 | UserDBIterator *i; |
98 | ||
99 | assert(what >= 0); | |
100 | assert(what < _LOOKUP_WHAT_MAX); | |
101 | ||
102 | i = new(UserDBIterator, 1); | |
103 | if (!i) | |
104 | return NULL; | |
105 | ||
106 | *i = (UserDBIterator) { | |
107 | .what = what, | |
7c674191 | 108 | .flags = flags, |
ec8e4a0e LP |
109 | }; |
110 | ||
111 | return i; | |
112 | } | |
113 | ||
037b0a47 LP |
114 | static int userdb_iterator_block_nss_systemd(UserDBIterator *iterator) { |
115 | int r; | |
116 | ||
117 | assert(iterator); | |
118 | ||
119 | if (iterator->nss_systemd_blocked) | |
120 | return 0; | |
121 | ||
122 | r = userdb_block_nss_systemd(true); | |
123 | if (r < 0) | |
124 | return r; | |
125 | ||
126 | iterator->nss_systemd_blocked = true; | |
127 | return 1; | |
128 | } | |
129 | ||
ec8e4a0e LP |
130 | struct user_group_data { |
131 | JsonVariant *record; | |
132 | bool incomplete; | |
133 | }; | |
134 | ||
135 | static void user_group_data_release(struct user_group_data *d) { | |
136 | json_variant_unref(d->record); | |
137 | } | |
138 | ||
139 | static int userdb_on_query_reply( | |
140 | Varlink *link, | |
141 | JsonVariant *parameters, | |
142 | const char *error_id, | |
143 | VarlinkReplyFlags flags, | |
144 | void *userdata) { | |
145 | ||
146 | UserDBIterator *iterator = userdata; | |
147 | int r; | |
148 | ||
149 | assert(iterator); | |
150 | ||
151 | if (error_id) { | |
152 | log_debug("Got lookup error: %s", error_id); | |
153 | ||
154 | if (STR_IN_SET(error_id, | |
155 | "io.systemd.UserDatabase.NoRecordFound", | |
156 | "io.systemd.UserDatabase.ConflictingRecordFound")) | |
157 | r = -ESRCH; | |
158 | else if (streq(error_id, "io.systemd.UserDatabase.ServiceNotAvailable")) | |
159 | r = -EHOSTDOWN; | |
56870d32 LP |
160 | else if (streq(error_id, "io.systemd.UserDatabase.EnumerationNotSupported")) |
161 | r = -EOPNOTSUPP; | |
ec8e4a0e LP |
162 | else if (streq(error_id, VARLINK_ERROR_TIMEOUT)) |
163 | r = -ETIMEDOUT; | |
164 | else | |
165 | r = -EIO; | |
166 | ||
167 | goto finish; | |
168 | } | |
169 | ||
170 | switch (iterator->what) { | |
171 | ||
172 | case LOOKUP_USER: { | |
173 | _cleanup_(user_group_data_release) struct user_group_data user_data = {}; | |
174 | ||
175 | static const JsonDispatch dispatch_table[] = { | |
176 | { "record", _JSON_VARIANT_TYPE_INVALID, json_dispatch_variant, offsetof(struct user_group_data, record), 0 }, | |
177 | { "incomplete", JSON_VARIANT_BOOLEAN, json_dispatch_boolean, offsetof(struct user_group_data, incomplete), 0 }, | |
178 | {} | |
179 | }; | |
180 | _cleanup_(user_record_unrefp) UserRecord *hr = NULL; | |
181 | ||
182 | assert_se(!iterator->found_user); | |
183 | ||
184 | r = json_dispatch(parameters, dispatch_table, NULL, 0, &user_data); | |
185 | if (r < 0) | |
186 | goto finish; | |
187 | ||
188 | if (!user_data.record) { | |
189 | r = log_debug_errno(SYNTHETIC_ERRNO(EIO), "Reply is missing record key"); | |
190 | goto finish; | |
191 | } | |
192 | ||
193 | hr = user_record_new(); | |
194 | if (!hr) { | |
195 | r = -ENOMEM; | |
196 | goto finish; | |
197 | } | |
198 | ||
199 | r = user_record_load(hr, user_data.record, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE); | |
200 | if (r < 0) | |
201 | goto finish; | |
202 | ||
203 | if (!hr->service) { | |
204 | r = log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "User record does not carry service information, refusing."); | |
205 | goto finish; | |
206 | } | |
207 | ||
208 | hr->incomplete = user_data.incomplete; | |
209 | ||
210 | /* We match the root user by the name since the name is our primary key. We match the nobody | |
211 | * use by UID though, since the name might differ on OSes */ | |
212 | if (streq_ptr(hr->user_name, "root")) | |
213 | iterator->synthesize_root = false; | |
214 | if (hr->uid == UID_NOBODY) | |
215 | iterator->synthesize_nobody = false; | |
216 | ||
217 | iterator->found_user = TAKE_PTR(hr); | |
218 | iterator->n_found++; | |
219 | ||
220 | /* More stuff coming? then let's just exit cleanly here */ | |
221 | if (FLAGS_SET(flags, VARLINK_REPLY_CONTINUES)) | |
222 | return 0; | |
223 | ||
224 | /* Otherwise, let's remove this link and exit cleanly then */ | |
225 | r = 0; | |
226 | goto finish; | |
227 | } | |
228 | ||
229 | case LOOKUP_GROUP: { | |
230 | _cleanup_(user_group_data_release) struct user_group_data group_data = {}; | |
231 | ||
232 | static const JsonDispatch dispatch_table[] = { | |
233 | { "record", _JSON_VARIANT_TYPE_INVALID, json_dispatch_variant, offsetof(struct user_group_data, record), 0 }, | |
234 | { "incomplete", JSON_VARIANT_BOOLEAN, json_dispatch_boolean, offsetof(struct user_group_data, incomplete), 0 }, | |
235 | {} | |
236 | }; | |
237 | _cleanup_(group_record_unrefp) GroupRecord *g = NULL; | |
238 | ||
239 | assert_se(!iterator->found_group); | |
240 | ||
241 | r = json_dispatch(parameters, dispatch_table, NULL, 0, &group_data); | |
242 | if (r < 0) | |
243 | goto finish; | |
244 | ||
245 | if (!group_data.record) { | |
246 | r = log_debug_errno(SYNTHETIC_ERRNO(EIO), "Reply is missing record key"); | |
247 | goto finish; | |
248 | } | |
249 | ||
250 | g = group_record_new(); | |
251 | if (!g) { | |
252 | r = -ENOMEM; | |
253 | goto finish; | |
254 | } | |
255 | ||
256 | r = group_record_load(g, group_data.record, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE); | |
257 | if (r < 0) | |
258 | goto finish; | |
259 | ||
260 | if (!g->service) { | |
261 | r = log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Group record does not carry service information, refusing."); | |
262 | goto finish; | |
263 | } | |
264 | ||
265 | g->incomplete = group_data.incomplete; | |
266 | ||
267 | if (streq_ptr(g->group_name, "root")) | |
268 | iterator->synthesize_root = false; | |
269 | if (g->gid == GID_NOBODY) | |
270 | iterator->synthesize_nobody = false; | |
271 | ||
272 | iterator->found_group = TAKE_PTR(g); | |
273 | iterator->n_found++; | |
274 | ||
275 | if (FLAGS_SET(flags, VARLINK_REPLY_CONTINUES)) | |
276 | return 0; | |
277 | ||
278 | r = 0; | |
279 | goto finish; | |
280 | } | |
281 | ||
282 | case LOOKUP_MEMBERSHIP: { | |
283 | struct membership_data { | |
284 | const char *user_name; | |
285 | const char *group_name; | |
286 | } membership_data = {}; | |
287 | ||
288 | static const JsonDispatch dispatch_table[] = { | |
289 | { "userName", JSON_VARIANT_STRING, json_dispatch_const_string, offsetof(struct membership_data, user_name), JSON_SAFE }, | |
290 | { "groupName", JSON_VARIANT_STRING, json_dispatch_const_string, offsetof(struct membership_data, group_name), JSON_SAFE }, | |
291 | {} | |
292 | }; | |
293 | ||
294 | assert(!iterator->found_user_name); | |
295 | assert(!iterator->found_group_name); | |
296 | ||
297 | r = json_dispatch(parameters, dispatch_table, NULL, 0, &membership_data); | |
298 | if (r < 0) | |
299 | goto finish; | |
300 | ||
301 | iterator->found_user_name = mfree(iterator->found_user_name); | |
302 | iterator->found_group_name = mfree(iterator->found_group_name); | |
303 | ||
304 | iterator->found_user_name = strdup(membership_data.user_name); | |
305 | if (!iterator->found_user_name) { | |
306 | r = -ENOMEM; | |
307 | goto finish; | |
308 | } | |
309 | ||
310 | iterator->found_group_name = strdup(membership_data.group_name); | |
311 | if (!iterator->found_group_name) { | |
312 | r = -ENOMEM; | |
313 | goto finish; | |
314 | } | |
315 | ||
316 | iterator->n_found++; | |
317 | ||
318 | if (FLAGS_SET(flags, VARLINK_REPLY_CONTINUES)) | |
319 | return 0; | |
320 | ||
321 | r = 0; | |
322 | goto finish; | |
323 | } | |
324 | ||
325 | default: | |
326 | assert_not_reached("unexpected lookup"); | |
327 | } | |
328 | ||
329 | finish: | |
330 | /* If we got one ESRCH, let that win. This way when we do a wild dump we won't be tripped up by bad | |
331 | * errors if at least one connection ended cleanly */ | |
332 | if (r == -ESRCH || iterator->error == 0) | |
333 | iterator->error = -r; | |
334 | ||
335 | assert_se(set_remove(iterator->links, link) == link); | |
336 | link = varlink_unref(link); | |
337 | return 0; | |
338 | } | |
339 | ||
340 | static int userdb_connect( | |
341 | UserDBIterator *iterator, | |
342 | const char *path, | |
343 | const char *method, | |
344 | bool more, | |
345 | JsonVariant *query) { | |
346 | ||
347 | _cleanup_(varlink_unrefp) Varlink *vl = NULL; | |
348 | int r; | |
349 | ||
350 | assert(iterator); | |
351 | assert(path); | |
352 | assert(method); | |
353 | ||
354 | r = varlink_connect_address(&vl, path); | |
355 | if (r < 0) | |
356 | return log_debug_errno(r, "Unable to connect to %s: %m", path); | |
357 | ||
358 | varlink_set_userdata(vl, iterator); | |
359 | ||
360 | if (!iterator->event) { | |
361 | r = sd_event_new(&iterator->event); | |
362 | if (r < 0) | |
363 | return log_debug_errno(r, "Unable to allocate event loop: %m"); | |
364 | } | |
365 | ||
366 | r = varlink_attach_event(vl, iterator->event, SD_EVENT_PRIORITY_NORMAL); | |
367 | if (r < 0) | |
368 | return log_debug_errno(r, "Failed to attach varlink connection to event loop: %m"); | |
369 | ||
370 | (void) varlink_set_description(vl, path); | |
371 | ||
372 | r = varlink_bind_reply(vl, userdb_on_query_reply); | |
373 | if (r < 0) | |
374 | return log_debug_errno(r, "Failed to bind reply callback: %m"); | |
375 | ||
376 | if (more) | |
377 | r = varlink_observe(vl, method, query); | |
378 | else | |
379 | r = varlink_invoke(vl, method, query); | |
380 | if (r < 0) | |
381 | return log_debug_errno(r, "Failed to invoke varlink method: %m"); | |
382 | ||
35e601d4 | 383 | r = set_ensure_consume(&iterator->links, &link_hash_ops, TAKE_PTR(vl)); |
ec8e4a0e LP |
384 | if (r < 0) |
385 | return log_debug_errno(r, "Failed to add varlink connection to set: %m"); | |
ec8e4a0e LP |
386 | return r; |
387 | } | |
388 | ||
389 | static int userdb_start_query( | |
390 | UserDBIterator *iterator, | |
391 | const char *method, | |
392 | bool more, | |
393 | JsonVariant *query, | |
394 | UserDBFlags flags) { | |
395 | ||
396 | _cleanup_(strv_freep) char **except = NULL, **only = NULL; | |
397 | _cleanup_(closedirp) DIR *d = NULL; | |
398 | struct dirent *de; | |
399 | const char *e; | |
400 | int r, ret = 0; | |
401 | ||
402 | assert(iterator); | |
403 | assert(method); | |
404 | ||
405 | e = getenv("SYSTEMD_BYPASS_USERDB"); | |
406 | if (e) { | |
407 | r = parse_boolean(e); | |
408 | if (r > 0) | |
409 | return -ENOLINK; | |
410 | if (r < 0) { | |
411 | except = strv_split(e, ":"); | |
412 | if (!except) | |
413 | return -ENOMEM; | |
414 | } | |
415 | } | |
416 | ||
417 | e = getenv("SYSTEMD_ONLY_USERDB"); | |
418 | if (e) { | |
419 | only = strv_split(e, ":"); | |
420 | if (!only) | |
421 | return -ENOMEM; | |
422 | } | |
423 | ||
424 | /* First, let's talk to the multiplexer, if we can */ | |
425 | if ((flags & (USERDB_AVOID_MULTIPLEXER|USERDB_AVOID_DYNAMIC_USER|USERDB_AVOID_NSS|USERDB_DONT_SYNTHESIZE)) == 0 && | |
426 | !strv_contains(except, "io.systemd.Multiplexer") && | |
427 | (!only || strv_contains(only, "io.systemd.Multiplexer"))) { | |
428 | _cleanup_(json_variant_unrefp) JsonVariant *patched_query = json_variant_ref(query); | |
429 | ||
430 | r = json_variant_set_field_string(&patched_query, "service", "io.systemd.Multiplexer"); | |
431 | if (r < 0) | |
432 | return log_debug_errno(r, "Unable to set service JSON field: %m"); | |
433 | ||
434 | r = userdb_connect(iterator, "/run/systemd/userdb/io.systemd.Multiplexer", method, more, patched_query); | |
435 | if (r >= 0) { | |
436 | iterator->nss_covered = true; /* The multiplexer does NSS */ | |
437 | return 0; | |
438 | } | |
439 | } | |
440 | ||
441 | d = opendir("/run/systemd/userdb/"); | |
442 | if (!d) { | |
443 | if (errno == ENOENT) | |
444 | return -ESRCH; | |
445 | ||
446 | return -errno; | |
447 | } | |
448 | ||
449 | FOREACH_DIRENT(de, d, return -errno) { | |
450 | _cleanup_(json_variant_unrefp) JsonVariant *patched_query = NULL; | |
451 | _cleanup_free_ char *p = NULL; | |
452 | bool is_nss; | |
453 | ||
454 | if (streq(de->d_name, "io.systemd.Multiplexer")) /* We already tried this above, don't try this again */ | |
455 | continue; | |
456 | ||
457 | if (FLAGS_SET(flags, USERDB_AVOID_DYNAMIC_USER) && | |
458 | streq(de->d_name, "io.systemd.DynamicUser")) | |
459 | continue; | |
460 | ||
461 | /* Avoid NSS is this is requested. Note that we also skip NSS when we were asked to skip the | |
462 | * multiplexer, since in that case it's safer to do NSS in the client side emulation below | |
463 | * (and when we run as part of systemd-userdbd.service we don't want to talk to ourselves | |
464 | * anyway). */ | |
465 | is_nss = streq(de->d_name, "io.systemd.NameServiceSwitch"); | |
466 | if ((flags & (USERDB_AVOID_NSS|USERDB_AVOID_MULTIPLEXER)) && is_nss) | |
467 | continue; | |
468 | ||
469 | if (strv_contains(except, de->d_name)) | |
470 | continue; | |
471 | ||
472 | if (only && !strv_contains(only, de->d_name)) | |
473 | continue; | |
474 | ||
475 | p = path_join("/run/systemd/userdb/", de->d_name); | |
476 | if (!p) | |
477 | return -ENOMEM; | |
478 | ||
479 | patched_query = json_variant_ref(query); | |
480 | r = json_variant_set_field_string(&patched_query, "service", de->d_name); | |
481 | if (r < 0) | |
482 | return log_debug_errno(r, "Unable to set service JSON field: %m"); | |
483 | ||
484 | r = userdb_connect(iterator, p, method, more, patched_query); | |
485 | if (is_nss && r >= 0) /* Turn off fallback NSS if we found the NSS service and could connect | |
486 | * to it */ | |
487 | iterator->nss_covered = true; | |
488 | ||
489 | if (ret == 0 && r < 0) | |
490 | ret = r; | |
491 | } | |
492 | ||
493 | if (set_isempty(iterator->links)) | |
494 | return ret; /* propagate last error we saw if we couldn't connect to anything. */ | |
495 | ||
496 | /* We connected to some services, in this case, ignore the ones we failed on */ | |
497 | return 0; | |
498 | } | |
499 | ||
500 | static int userdb_process( | |
501 | UserDBIterator *iterator, | |
502 | UserRecord **ret_user_record, | |
503 | GroupRecord **ret_group_record, | |
504 | char **ret_user_name, | |
505 | char **ret_group_name) { | |
506 | ||
507 | int r; | |
508 | ||
509 | assert(iterator); | |
510 | ||
511 | for (;;) { | |
512 | if (iterator->what == LOOKUP_USER && iterator->found_user) { | |
513 | if (ret_user_record) | |
514 | *ret_user_record = TAKE_PTR(iterator->found_user); | |
515 | else | |
516 | iterator->found_user = user_record_unref(iterator->found_user); | |
517 | ||
518 | if (ret_group_record) | |
519 | *ret_group_record = NULL; | |
520 | if (ret_user_name) | |
521 | *ret_user_name = NULL; | |
522 | if (ret_group_name) | |
523 | *ret_group_name = NULL; | |
524 | ||
525 | return 0; | |
526 | } | |
527 | ||
528 | if (iterator->what == LOOKUP_GROUP && iterator->found_group) { | |
529 | if (ret_group_record) | |
530 | *ret_group_record = TAKE_PTR(iterator->found_group); | |
531 | else | |
532 | iterator->found_group = group_record_unref(iterator->found_group); | |
533 | ||
534 | if (ret_user_record) | |
535 | *ret_user_record = NULL; | |
536 | if (ret_user_name) | |
537 | *ret_user_name = NULL; | |
538 | if (ret_group_name) | |
539 | *ret_group_name = NULL; | |
540 | ||
541 | return 0; | |
542 | } | |
543 | ||
544 | if (iterator->what == LOOKUP_MEMBERSHIP && iterator->found_user_name && iterator->found_group_name) { | |
545 | if (ret_user_name) | |
546 | *ret_user_name = TAKE_PTR(iterator->found_user_name); | |
547 | else | |
548 | iterator->found_user_name = mfree(iterator->found_user_name); | |
549 | ||
550 | if (ret_group_name) | |
551 | *ret_group_name = TAKE_PTR(iterator->found_group_name); | |
552 | else | |
553 | iterator->found_group_name = mfree(iterator->found_group_name); | |
554 | ||
555 | if (ret_user_record) | |
556 | *ret_user_record = NULL; | |
557 | if (ret_group_record) | |
558 | *ret_group_record = NULL; | |
559 | ||
560 | return 0; | |
561 | } | |
562 | ||
563 | if (set_isempty(iterator->links)) { | |
564 | if (iterator->error == 0) | |
565 | return -ESRCH; | |
566 | ||
567 | return -abs(iterator->error); | |
568 | } | |
569 | ||
570 | if (!iterator->event) | |
571 | return -ESRCH; | |
572 | ||
573 | r = sd_event_run(iterator->event, UINT64_MAX); | |
574 | if (r < 0) | |
575 | return r; | |
576 | } | |
577 | } | |
578 | ||
579 | static int synthetic_root_user_build(UserRecord **ret) { | |
580 | return user_record_build( | |
581 | ret, | |
582 | JSON_BUILD_OBJECT(JSON_BUILD_PAIR("userName", JSON_BUILD_STRING("root")), | |
583 | JSON_BUILD_PAIR("uid", JSON_BUILD_UNSIGNED(0)), | |
584 | JSON_BUILD_PAIR("gid", JSON_BUILD_UNSIGNED(0)), | |
585 | JSON_BUILD_PAIR("homeDirectory", JSON_BUILD_STRING("/root")), | |
586 | JSON_BUILD_PAIR("disposition", JSON_BUILD_STRING("intrinsic")))); | |
587 | } | |
588 | ||
589 | static int synthetic_nobody_user_build(UserRecord **ret) { | |
590 | return user_record_build( | |
591 | ret, | |
592 | JSON_BUILD_OBJECT(JSON_BUILD_PAIR("userName", JSON_BUILD_STRING(NOBODY_USER_NAME)), | |
593 | JSON_BUILD_PAIR("uid", JSON_BUILD_UNSIGNED(UID_NOBODY)), | |
594 | JSON_BUILD_PAIR("gid", JSON_BUILD_UNSIGNED(GID_NOBODY)), | |
595 | JSON_BUILD_PAIR("shell", JSON_BUILD_STRING(NOLOGIN)), | |
596 | JSON_BUILD_PAIR("locked", JSON_BUILD_BOOLEAN(true)), | |
597 | JSON_BUILD_PAIR("disposition", JSON_BUILD_STRING("intrinsic")))); | |
598 | } | |
599 | ||
600 | int userdb_by_name(const char *name, UserDBFlags flags, UserRecord **ret) { | |
601 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
602 | _cleanup_(json_variant_unrefp) JsonVariant *query = NULL; | |
603 | int r; | |
604 | ||
7a8867ab | 605 | if (!valid_user_group_name(name, VALID_USER_RELAX)) |
ec8e4a0e LP |
606 | return -EINVAL; |
607 | ||
608 | r = json_build(&query, JSON_BUILD_OBJECT( | |
609 | JSON_BUILD_PAIR("userName", JSON_BUILD_STRING(name)))); | |
610 | if (r < 0) | |
611 | return r; | |
612 | ||
7c674191 | 613 | iterator = userdb_iterator_new(LOOKUP_USER, flags); |
ec8e4a0e LP |
614 | if (!iterator) |
615 | return -ENOMEM; | |
616 | ||
617 | r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetUserRecord", false, query, flags); | |
618 | if (r >= 0) { | |
619 | r = userdb_process(iterator, ret, NULL, NULL, NULL); | |
620 | if (r >= 0) | |
621 | return r; | |
622 | } | |
623 | ||
037b0a47 LP |
624 | if (!FLAGS_SET(flags, USERDB_AVOID_NSS) && !iterator->nss_covered) { |
625 | /* Make sure the NSS lookup doesn't recurse back to us. */ | |
ec8e4a0e | 626 | |
037b0a47 LP |
627 | r = userdb_iterator_block_nss_systemd(iterator); |
628 | if (r >= 0) { | |
ec8e4a0e | 629 | /* Client-side NSS fallback */ |
ed30170e | 630 | r = nss_user_record_by_name(name, !FLAGS_SET(flags, USERDB_AVOID_SHADOW), ret); |
ec8e4a0e LP |
631 | if (r >= 0) |
632 | return r; | |
633 | } | |
634 | } | |
635 | ||
636 | if (!FLAGS_SET(flags, USERDB_DONT_SYNTHESIZE)) { | |
637 | if (streq(name, "root")) | |
638 | return synthetic_root_user_build(ret); | |
639 | ||
640 | if (streq(name, NOBODY_USER_NAME) && synthesize_nobody()) | |
641 | return synthetic_nobody_user_build(ret); | |
642 | } | |
643 | ||
644 | return r; | |
645 | } | |
646 | ||
647 | int userdb_by_uid(uid_t uid, UserDBFlags flags, UserRecord **ret) { | |
648 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
649 | _cleanup_(json_variant_unrefp) JsonVariant *query = NULL; | |
650 | int r; | |
651 | ||
652 | if (!uid_is_valid(uid)) | |
653 | return -EINVAL; | |
654 | ||
655 | r = json_build(&query, JSON_BUILD_OBJECT( | |
656 | JSON_BUILD_PAIR("uid", JSON_BUILD_UNSIGNED(uid)))); | |
657 | if (r < 0) | |
658 | return r; | |
659 | ||
7c674191 | 660 | iterator = userdb_iterator_new(LOOKUP_USER, flags); |
ec8e4a0e LP |
661 | if (!iterator) |
662 | return -ENOMEM; | |
663 | ||
664 | r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetUserRecord", false, query, flags); | |
665 | if (r >= 0) { | |
666 | r = userdb_process(iterator, ret, NULL, NULL, NULL); | |
667 | if (r >= 0) | |
668 | return r; | |
669 | } | |
670 | ||
037b0a47 LP |
671 | if (!FLAGS_SET(flags, USERDB_AVOID_NSS) && !iterator->nss_covered) { |
672 | r = userdb_iterator_block_nss_systemd(iterator); | |
673 | if (r >= 0) { | |
ec8e4a0e | 674 | /* Client-side NSS fallback */ |
ed30170e | 675 | r = nss_user_record_by_uid(uid, !FLAGS_SET(flags, USERDB_AVOID_SHADOW), ret); |
ec8e4a0e LP |
676 | if (r >= 0) |
677 | return r; | |
678 | } | |
679 | } | |
680 | ||
681 | if (!FLAGS_SET(flags, USERDB_DONT_SYNTHESIZE)) { | |
682 | if (uid == 0) | |
683 | return synthetic_root_user_build(ret); | |
684 | ||
685 | if (uid == UID_NOBODY && synthesize_nobody()) | |
686 | return synthetic_nobody_user_build(ret); | |
687 | } | |
688 | ||
689 | return r; | |
690 | } | |
691 | ||
692 | int userdb_all(UserDBFlags flags, UserDBIterator **ret) { | |
693 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
694 | int r; | |
695 | ||
696 | assert(ret); | |
697 | ||
7c674191 | 698 | iterator = userdb_iterator_new(LOOKUP_USER, flags); |
ec8e4a0e LP |
699 | if (!iterator) |
700 | return -ENOMEM; | |
701 | ||
702 | iterator->synthesize_root = iterator->synthesize_nobody = !FLAGS_SET(flags, USERDB_DONT_SYNTHESIZE); | |
703 | ||
704 | r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetUserRecord", true, NULL, flags); | |
705 | ||
706 | if (!FLAGS_SET(flags, USERDB_AVOID_NSS) && (r < 0 || !iterator->nss_covered)) { | |
037b0a47 LP |
707 | r = userdb_iterator_block_nss_systemd(iterator); |
708 | if (r < 0) | |
709 | return r; | |
ec8e4a0e LP |
710 | |
711 | setpwent(); | |
712 | iterator->nss_iterating = true; | |
662d74da YW |
713 | } else if (r < 0) |
714 | return r; | |
ec8e4a0e | 715 | |
ec8e4a0e LP |
716 | *ret = TAKE_PTR(iterator); |
717 | return 0; | |
718 | } | |
719 | ||
720 | int userdb_iterator_get(UserDBIterator *iterator, UserRecord **ret) { | |
721 | int r; | |
722 | ||
723 | assert(iterator); | |
724 | assert(iterator->what == LOOKUP_USER); | |
725 | ||
726 | if (iterator->nss_iterating) { | |
727 | struct passwd *pw; | |
728 | ||
729 | /* If NSS isn't covered elsewhere, let's iterate through it first, since it probably contains | |
730 | * the more traditional sources, which are probably good to show first. */ | |
731 | ||
732 | pw = getpwent(); | |
733 | if (pw) { | |
734 | _cleanup_free_ char *buffer = NULL; | |
735 | bool incomplete = false; | |
736 | struct spwd spwd; | |
737 | ||
738 | if (streq_ptr(pw->pw_name, "root")) | |
739 | iterator->synthesize_root = false; | |
740 | if (pw->pw_uid == UID_NOBODY) | |
741 | iterator->synthesize_nobody = false; | |
742 | ||
7c674191 LP |
743 | if (!FLAGS_SET(iterator->flags, USERDB_AVOID_SHADOW)) { |
744 | r = nss_spwd_for_passwd(pw, &spwd, &buffer); | |
745 | if (r < 0) { | |
746 | log_debug_errno(r, "Failed to acquire shadow entry for user %s, ignoring: %m", pw->pw_name); | |
747 | incomplete = ERRNO_IS_PRIVILEGE(r); | |
748 | } | |
749 | } else { | |
750 | r = -EUCLEAN; | |
751 | incomplete = true; | |
ec8e4a0e LP |
752 | } |
753 | ||
754 | r = nss_passwd_to_user_record(pw, r >= 0 ? &spwd : NULL, ret); | |
755 | if (r < 0) | |
756 | return r; | |
757 | ||
758 | if (ret) | |
759 | (*ret)->incomplete = incomplete; | |
27a5a22f LP |
760 | |
761 | iterator->n_found++; | |
ec8e4a0e LP |
762 | return r; |
763 | } | |
764 | ||
765 | if (errno != 0) | |
766 | log_debug_errno(errno, "Failure to iterate NSS user database, ignoring: %m"); | |
767 | ||
768 | iterator->nss_iterating = false; | |
769 | endpwent(); | |
770 | } | |
771 | ||
772 | r = userdb_process(iterator, ret, NULL, NULL, NULL); | |
773 | ||
774 | if (r < 0) { | |
775 | if (iterator->synthesize_root) { | |
776 | iterator->synthesize_root = false; | |
777 | iterator->n_found++; | |
778 | return synthetic_root_user_build(ret); | |
779 | } | |
780 | ||
781 | if (iterator->synthesize_nobody) { | |
782 | iterator->synthesize_nobody = false; | |
783 | iterator->n_found++; | |
784 | return synthetic_nobody_user_build(ret); | |
785 | } | |
ec8e4a0e | 786 | |
77fe7d15 LP |
787 | /* if we found at least one entry, then ignore errors and indicate that we reached the end */ |
788 | if (iterator->n_found > 0) | |
789 | return -ESRCH; | |
790 | } | |
ec8e4a0e LP |
791 | |
792 | return r; | |
793 | } | |
794 | ||
795 | static int synthetic_root_group_build(GroupRecord **ret) { | |
796 | return group_record_build( | |
797 | ret, | |
798 | JSON_BUILD_OBJECT(JSON_BUILD_PAIR("groupName", JSON_BUILD_STRING("root")), | |
799 | JSON_BUILD_PAIR("gid", JSON_BUILD_UNSIGNED(0)), | |
800 | JSON_BUILD_PAIR("disposition", JSON_BUILD_STRING("intrinsic")))); | |
801 | } | |
802 | ||
803 | static int synthetic_nobody_group_build(GroupRecord **ret) { | |
804 | return group_record_build( | |
805 | ret, | |
806 | JSON_BUILD_OBJECT(JSON_BUILD_PAIR("groupName", JSON_BUILD_STRING(NOBODY_GROUP_NAME)), | |
807 | JSON_BUILD_PAIR("gid", JSON_BUILD_UNSIGNED(GID_NOBODY)), | |
808 | JSON_BUILD_PAIR("disposition", JSON_BUILD_STRING("intrinsic")))); | |
809 | } | |
810 | ||
811 | int groupdb_by_name(const char *name, UserDBFlags flags, GroupRecord **ret) { | |
812 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
813 | _cleanup_(json_variant_unrefp) JsonVariant *query = NULL; | |
814 | int r; | |
815 | ||
7a8867ab | 816 | if (!valid_user_group_name(name, VALID_USER_RELAX)) |
ec8e4a0e LP |
817 | return -EINVAL; |
818 | ||
819 | r = json_build(&query, JSON_BUILD_OBJECT( | |
820 | JSON_BUILD_PAIR("groupName", JSON_BUILD_STRING(name)))); | |
821 | if (r < 0) | |
822 | return r; | |
823 | ||
7c674191 | 824 | iterator = userdb_iterator_new(LOOKUP_GROUP, flags); |
ec8e4a0e LP |
825 | if (!iterator) |
826 | return -ENOMEM; | |
827 | ||
828 | r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetGroupRecord", false, query, flags); | |
829 | if (r >= 0) { | |
830 | r = userdb_process(iterator, NULL, ret, NULL, NULL); | |
831 | if (r >= 0) | |
832 | return r; | |
833 | } | |
834 | ||
835 | if (!FLAGS_SET(flags, USERDB_AVOID_NSS) && !(iterator && iterator->nss_covered)) { | |
037b0a47 LP |
836 | r = userdb_iterator_block_nss_systemd(iterator); |
837 | if (r >= 0) { | |
ed30170e | 838 | r = nss_group_record_by_name(name, !FLAGS_SET(flags, USERDB_AVOID_SHADOW), ret); |
ec8e4a0e LP |
839 | if (r >= 0) |
840 | return r; | |
841 | } | |
842 | } | |
843 | ||
844 | if (!FLAGS_SET(flags, USERDB_DONT_SYNTHESIZE)) { | |
845 | if (streq(name, "root")) | |
846 | return synthetic_root_group_build(ret); | |
847 | ||
848 | if (streq(name, NOBODY_GROUP_NAME) && synthesize_nobody()) | |
849 | return synthetic_nobody_group_build(ret); | |
850 | } | |
851 | ||
852 | return r; | |
853 | } | |
854 | ||
855 | int groupdb_by_gid(gid_t gid, UserDBFlags flags, GroupRecord **ret) { | |
856 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
857 | _cleanup_(json_variant_unrefp) JsonVariant *query = NULL; | |
858 | int r; | |
859 | ||
860 | if (!gid_is_valid(gid)) | |
861 | return -EINVAL; | |
862 | ||
863 | r = json_build(&query, JSON_BUILD_OBJECT( | |
864 | JSON_BUILD_PAIR("gid", JSON_BUILD_UNSIGNED(gid)))); | |
865 | if (r < 0) | |
866 | return r; | |
867 | ||
7c674191 | 868 | iterator = userdb_iterator_new(LOOKUP_GROUP, flags); |
ec8e4a0e LP |
869 | if (!iterator) |
870 | return -ENOMEM; | |
871 | ||
872 | r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetGroupRecord", false, query, flags); | |
873 | if (r >= 0) { | |
874 | r = userdb_process(iterator, NULL, ret, NULL, NULL); | |
875 | if (r >= 0) | |
876 | return r; | |
877 | } | |
878 | ||
879 | if (!FLAGS_SET(flags, USERDB_AVOID_NSS) && !(iterator && iterator->nss_covered)) { | |
037b0a47 LP |
880 | r = userdb_iterator_block_nss_systemd(iterator); |
881 | if (r >= 0) { | |
ed30170e | 882 | r = nss_group_record_by_gid(gid, !FLAGS_SET(flags, USERDB_AVOID_SHADOW), ret); |
ec8e4a0e LP |
883 | if (r >= 0) |
884 | return r; | |
885 | } | |
886 | } | |
887 | ||
888 | if (!FLAGS_SET(flags, USERDB_DONT_SYNTHESIZE)) { | |
889 | if (gid == 0) | |
890 | return synthetic_root_group_build(ret); | |
891 | ||
892 | if (gid == GID_NOBODY && synthesize_nobody()) | |
893 | return synthetic_nobody_group_build(ret); | |
894 | } | |
895 | ||
896 | return r; | |
897 | } | |
898 | ||
899 | int groupdb_all(UserDBFlags flags, UserDBIterator **ret) { | |
900 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
901 | int r; | |
902 | ||
903 | assert(ret); | |
904 | ||
7c674191 | 905 | iterator = userdb_iterator_new(LOOKUP_GROUP, flags); |
ec8e4a0e LP |
906 | if (!iterator) |
907 | return -ENOMEM; | |
908 | ||
909 | iterator->synthesize_root = iterator->synthesize_nobody = !FLAGS_SET(flags, USERDB_DONT_SYNTHESIZE); | |
910 | ||
911 | r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetGroupRecord", true, NULL, flags); | |
912 | ||
913 | if (!FLAGS_SET(flags, USERDB_AVOID_NSS) && (r < 0 || !iterator->nss_covered)) { | |
037b0a47 LP |
914 | r = userdb_iterator_block_nss_systemd(iterator); |
915 | if (r < 0) | |
916 | return r; | |
ec8e4a0e LP |
917 | |
918 | setgrent(); | |
919 | iterator->nss_iterating = true; | |
d4f560df LP |
920 | } else if (r < 0) |
921 | return r; | |
ec8e4a0e | 922 | |
ec8e4a0e LP |
923 | *ret = TAKE_PTR(iterator); |
924 | return 0; | |
925 | } | |
926 | ||
927 | int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) { | |
928 | int r; | |
929 | ||
930 | assert(iterator); | |
931 | assert(iterator->what == LOOKUP_GROUP); | |
932 | ||
933 | if (iterator->nss_iterating) { | |
934 | struct group *gr; | |
935 | ||
936 | errno = 0; | |
937 | gr = getgrent(); | |
938 | if (gr) { | |
939 | _cleanup_free_ char *buffer = NULL; | |
940 | bool incomplete = false; | |
941 | struct sgrp sgrp; | |
942 | ||
943 | if (streq_ptr(gr->gr_name, "root")) | |
944 | iterator->synthesize_root = false; | |
945 | if (gr->gr_gid == GID_NOBODY) | |
946 | iterator->synthesize_nobody = false; | |
947 | ||
7c674191 LP |
948 | if (!FLAGS_SET(iterator->flags, USERDB_AVOID_SHADOW)) { |
949 | r = nss_sgrp_for_group(gr, &sgrp, &buffer); | |
950 | if (r < 0) { | |
951 | log_debug_errno(r, "Failed to acquire shadow entry for group %s, ignoring: %m", gr->gr_name); | |
952 | incomplete = ERRNO_IS_PRIVILEGE(r); | |
953 | } | |
954 | } else { | |
955 | r = -EUCLEAN; | |
956 | incomplete = true; | |
ec8e4a0e LP |
957 | } |
958 | ||
959 | r = nss_group_to_group_record(gr, r >= 0 ? &sgrp : NULL, ret); | |
960 | if (r < 0) | |
961 | return r; | |
962 | ||
963 | if (ret) | |
964 | (*ret)->incomplete = incomplete; | |
27a5a22f LP |
965 | |
966 | iterator->n_found++; | |
ec8e4a0e LP |
967 | return r; |
968 | } | |
969 | ||
970 | if (errno != 0) | |
971 | log_debug_errno(errno, "Failure to iterate NSS group database, ignoring: %m"); | |
972 | ||
973 | iterator->nss_iterating = false; | |
974 | endgrent(); | |
975 | } | |
976 | ||
977 | r = userdb_process(iterator, NULL, ret, NULL, NULL); | |
978 | if (r < 0) { | |
979 | if (iterator->synthesize_root) { | |
980 | iterator->synthesize_root = false; | |
981 | iterator->n_found++; | |
982 | return synthetic_root_group_build(ret); | |
983 | } | |
984 | ||
985 | if (iterator->synthesize_nobody) { | |
986 | iterator->synthesize_nobody = false; | |
987 | iterator->n_found++; | |
988 | return synthetic_nobody_group_build(ret); | |
989 | } | |
ec8e4a0e | 990 | |
77fe7d15 LP |
991 | /* if we found at least one entry, then ignore errors and indicate that we reached the end */ |
992 | if (iterator->n_found > 0) | |
993 | return -ESRCH; | |
994 | } | |
ec8e4a0e LP |
995 | |
996 | return r; | |
997 | } | |
998 | ||
999 | int membershipdb_by_user(const char *name, UserDBFlags flags, UserDBIterator **ret) { | |
1000 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
1001 | _cleanup_(json_variant_unrefp) JsonVariant *query = NULL; | |
1002 | int r; | |
1003 | ||
1004 | assert(ret); | |
1005 | ||
7a8867ab | 1006 | if (!valid_user_group_name(name, VALID_USER_RELAX)) |
ec8e4a0e LP |
1007 | return -EINVAL; |
1008 | ||
1009 | r = json_build(&query, JSON_BUILD_OBJECT( | |
1010 | JSON_BUILD_PAIR("userName", JSON_BUILD_STRING(name)))); | |
1011 | if (r < 0) | |
1012 | return r; | |
1013 | ||
7c674191 | 1014 | iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP, flags); |
ec8e4a0e LP |
1015 | if (!iterator) |
1016 | return -ENOMEM; | |
1017 | ||
1018 | r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetMemberships", true, query, flags); | |
1019 | if ((r >= 0 && iterator->nss_covered) || FLAGS_SET(flags, USERDB_AVOID_NSS)) | |
1020 | goto finish; | |
1021 | ||
037b0a47 LP |
1022 | r = userdb_iterator_block_nss_systemd(iterator); |
1023 | if (r < 0) | |
1024 | return r; | |
ec8e4a0e LP |
1025 | |
1026 | iterator->filter_user_name = strdup(name); | |
1027 | if (!iterator->filter_user_name) | |
1028 | return -ENOMEM; | |
1029 | ||
1030 | setgrent(); | |
1031 | iterator->nss_iterating = true; | |
1032 | ||
1033 | r = 0; | |
1034 | ||
1035 | finish: | |
1036 | if (r >= 0) | |
1037 | *ret = TAKE_PTR(iterator); | |
1038 | return r; | |
1039 | } | |
1040 | ||
1041 | int membershipdb_by_group(const char *name, UserDBFlags flags, UserDBIterator **ret) { | |
1042 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
1043 | _cleanup_(json_variant_unrefp) JsonVariant *query = NULL; | |
1044 | _cleanup_(group_record_unrefp) GroupRecord *gr = NULL; | |
1045 | int r; | |
1046 | ||
1047 | assert(ret); | |
1048 | ||
7a8867ab | 1049 | if (!valid_user_group_name(name, VALID_USER_RELAX)) |
ec8e4a0e LP |
1050 | return -EINVAL; |
1051 | ||
1052 | r = json_build(&query, JSON_BUILD_OBJECT( | |
1053 | JSON_BUILD_PAIR("groupName", JSON_BUILD_STRING(name)))); | |
1054 | if (r < 0) | |
1055 | return r; | |
1056 | ||
7c674191 | 1057 | iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP, flags); |
ec8e4a0e LP |
1058 | if (!iterator) |
1059 | return -ENOMEM; | |
1060 | ||
1061 | r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetMemberships", true, query, flags); | |
1062 | if ((r >= 0 && iterator->nss_covered) || FLAGS_SET(flags, USERDB_AVOID_NSS)) | |
1063 | goto finish; | |
1064 | ||
037b0a47 LP |
1065 | r = userdb_iterator_block_nss_systemd(iterator); |
1066 | if (r < 0) | |
1067 | return r; | |
ec8e4a0e LP |
1068 | |
1069 | /* We ignore all errors here, since the group might be defined by a userdb native service, and we queried them already above. */ | |
ed30170e | 1070 | (void) nss_group_record_by_name(name, false, &gr); |
ec8e4a0e LP |
1071 | if (gr) { |
1072 | iterator->members_of_group = strv_copy(gr->members); | |
1073 | if (!iterator->members_of_group) | |
1074 | return -ENOMEM; | |
1075 | ||
1076 | iterator->index_members_of_group = 0; | |
1077 | ||
1078 | iterator->found_group_name = strdup(name); | |
1079 | if (!iterator->found_group_name) | |
1080 | return -ENOMEM; | |
1081 | } | |
1082 | ||
1083 | r = 0; | |
1084 | ||
1085 | finish: | |
1086 | if (r >= 0) | |
1087 | *ret = TAKE_PTR(iterator); | |
1088 | ||
1089 | return r; | |
1090 | } | |
1091 | ||
1092 | int membershipdb_all(UserDBFlags flags, UserDBIterator **ret) { | |
1093 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
1094 | int r; | |
1095 | ||
1096 | assert(ret); | |
1097 | ||
7c674191 | 1098 | iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP, flags); |
ec8e4a0e LP |
1099 | if (!iterator) |
1100 | return -ENOMEM; | |
1101 | ||
1102 | r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetMemberships", true, NULL, flags); | |
1103 | if ((r >= 0 && iterator->nss_covered) || FLAGS_SET(flags, USERDB_AVOID_NSS)) | |
1104 | goto finish; | |
1105 | ||
037b0a47 LP |
1106 | r = userdb_iterator_block_nss_systemd(iterator); |
1107 | if (r < 0) | |
1108 | return r; | |
ec8e4a0e LP |
1109 | |
1110 | setgrent(); | |
1111 | iterator->nss_iterating = true; | |
1112 | ||
1113 | r = 0; | |
1114 | ||
1115 | finish: | |
1116 | if (r >= 0) | |
1117 | *ret = TAKE_PTR(iterator); | |
1118 | ||
1119 | return r; | |
1120 | } | |
1121 | ||
1122 | int membershipdb_iterator_get( | |
1123 | UserDBIterator *iterator, | |
1124 | char **ret_user, | |
1125 | char **ret_group) { | |
1126 | ||
1127 | int r; | |
1128 | ||
1129 | assert(iterator); | |
1130 | ||
1131 | for (;;) { | |
d9f5f2a1 | 1132 | /* If we are iterating through NSS acquire a new group entry if we haven't acquired one yet. */ |
ec8e4a0e LP |
1133 | if (!iterator->members_of_group) { |
1134 | struct group *g; | |
1135 | ||
1136 | if (!iterator->nss_iterating) | |
1137 | break; | |
1138 | ||
1139 | assert(!iterator->found_user_name); | |
1140 | do { | |
1141 | errno = 0; | |
1142 | g = getgrent(); | |
1143 | if (!g) { | |
1144 | if (errno != 0) | |
1145 | log_debug_errno(errno, "Failure during NSS group iteration, ignoring: %m"); | |
1146 | break; | |
1147 | } | |
1148 | ||
1149 | } while (iterator->filter_user_name ? !strv_contains(g->gr_mem, iterator->filter_user_name) : | |
1150 | strv_isempty(g->gr_mem)); | |
1151 | ||
1152 | if (g) { | |
1153 | r = free_and_strdup(&iterator->found_group_name, g->gr_name); | |
1154 | if (r < 0) | |
1155 | return r; | |
1156 | ||
1157 | if (iterator->filter_user_name) | |
1158 | iterator->members_of_group = strv_new(iterator->filter_user_name); | |
1159 | else | |
1160 | iterator->members_of_group = strv_copy(g->gr_mem); | |
1161 | if (!iterator->members_of_group) | |
1162 | return -ENOMEM; | |
1163 | ||
1164 | iterator->index_members_of_group = 0; | |
1165 | } else { | |
1166 | iterator->nss_iterating = false; | |
1167 | endgrent(); | |
1168 | break; | |
1169 | } | |
1170 | } | |
1171 | ||
1172 | assert(iterator->found_group_name); | |
1173 | assert(iterator->members_of_group); | |
1174 | assert(!iterator->found_user_name); | |
1175 | ||
1176 | if (iterator->members_of_group[iterator->index_members_of_group]) { | |
1177 | _cleanup_free_ char *cu = NULL, *cg = NULL; | |
1178 | ||
1179 | if (ret_user) { | |
1180 | cu = strdup(iterator->members_of_group[iterator->index_members_of_group]); | |
1181 | if (!cu) | |
1182 | return -ENOMEM; | |
1183 | } | |
1184 | ||
1185 | if (ret_group) { | |
1186 | cg = strdup(iterator->found_group_name); | |
1187 | if (!cg) | |
1188 | return -ENOMEM; | |
1189 | } | |
1190 | ||
1191 | if (ret_user) | |
1192 | *ret_user = TAKE_PTR(cu); | |
1193 | ||
1194 | if (ret_group) | |
1195 | *ret_group = TAKE_PTR(cg); | |
1196 | ||
1197 | iterator->index_members_of_group++; | |
1198 | return 0; | |
1199 | } | |
1200 | ||
1201 | iterator->members_of_group = strv_free(iterator->members_of_group); | |
1202 | iterator->found_group_name = mfree(iterator->found_group_name); | |
1203 | } | |
1204 | ||
1205 | r = userdb_process(iterator, NULL, NULL, ret_user, ret_group); | |
1206 | if (r < 0 && iterator->n_found > 0) | |
1207 | return -ESRCH; | |
1208 | ||
1209 | return r; | |
1210 | } | |
1211 | ||
1212 | int membershipdb_by_group_strv(const char *name, UserDBFlags flags, char ***ret) { | |
1213 | _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL; | |
1214 | _cleanup_strv_free_ char **members = NULL; | |
1215 | int r; | |
1216 | ||
1217 | assert(name); | |
1218 | assert(ret); | |
1219 | ||
1220 | r = membershipdb_by_group(name, flags, &iterator); | |
1221 | if (r < 0) | |
1222 | return r; | |
1223 | ||
1224 | for (;;) { | |
1225 | _cleanup_free_ char *user_name = NULL; | |
1226 | ||
1227 | r = membershipdb_iterator_get(iterator, &user_name, NULL); | |
1228 | if (r == -ESRCH) | |
1229 | break; | |
1230 | if (r < 0) | |
1231 | return r; | |
1232 | ||
1233 | r = strv_consume(&members, TAKE_PTR(user_name)); | |
1234 | if (r < 0) | |
1235 | return r; | |
1236 | } | |
1237 | ||
1238 | strv_sort(members); | |
1239 | strv_uniq(members); | |
1240 | ||
1241 | *ret = TAKE_PTR(members); | |
1242 | return 0; | |
1243 | } | |
1244 | ||
037b0a47 LP |
1245 | int userdb_block_nss_systemd(int b) { |
1246 | _cleanup_(dlclosep) void *dl = NULL; | |
1247 | int (*call)(bool b); | |
ec8e4a0e | 1248 | |
037b0a47 | 1249 | /* Note that we might be called from libnss_systemd.so.2 itself, but that should be fine, really. */ |
ec8e4a0e | 1250 | |
a127c620 | 1251 | dl = dlopen(ROOTLIBDIR "/libnss_systemd.so.2", RTLD_LAZY|RTLD_NODELETE); |
037b0a47 LP |
1252 | if (!dl) { |
1253 | /* If the file isn't installed, don't complain loudly */ | |
1254 | log_debug("Failed to dlopen(libnss_systemd.so.2), ignoring: %s", dlerror()); | |
1255 | return 0; | |
ec8e4a0e LP |
1256 | } |
1257 | ||
037b0a47 LP |
1258 | call = (int (*)(bool b)) dlsym(dl, "_nss_systemd_block"); |
1259 | if (!call) | |
fa027117 | 1260 | /* If the file is installed but lacks the symbol we expect, things are weird, let's complain */ |
037b0a47 LP |
1261 | return log_debug_errno(SYNTHETIC_ERRNO(ELIBBAD), |
1262 | "Unable to find symbol _nss_systemd_block in libnss_systemd.so.2: %s", dlerror()); | |
ec8e4a0e | 1263 | |
037b0a47 | 1264 | return call(b); |
ec8e4a0e | 1265 | } |