1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
35 #include "alloc-util.h"
38 #include "format-util.h"
41 #include "parse-util.h"
42 #include "path-util.h"
43 #include "string-util.h"
45 #include "user-util.h"
48 bool uid_is_valid(uid_t uid
) {
50 /* Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436. */
52 /* Some libc APIs use UID_INVALID as special placeholder */
53 if (uid
== (uid_t
) UINT32_C(0xFFFFFFFF))
56 /* A long time ago UIDs were 16-bit, hence explicitly avoid the 16-bit -1 too */
57 if (uid
== (uid_t
) UINT32_C(0xFFFF))
63 int parse_uid(const char *s
, uid_t
*ret
) {
69 assert_cc(sizeof(uid_t
) == sizeof(uint32_t));
70 r
= safe_atou32(s
, &uid
);
74 if (!uid_is_valid(uid
))
75 return -ENXIO
; /* we return ENXIO instead of EINVAL
76 * here, to make it easy to distinguish
77 * invalid numeric uids from invalid
86 char* getlogname_malloc(void) {
90 if (isatty(STDIN_FILENO
) && fstat(STDIN_FILENO
, &st
) >= 0)
95 return uid_to_name(uid
);
98 char *getusername_malloc(void) {
105 return uid_to_name(getuid());
109 const char **username
,
110 uid_t
*uid
, gid_t
*gid
,
112 const char **shell
) {
120 /* We enforce some special rules for uid=0 and uid=65534: in order to avoid NSS lookups for root we hardcode
121 * their user record data. */
123 if (STR_IN_SET(*username
, "root", "0")) {
140 if (synthesize_nobody() &&
141 STR_IN_SET(*username
, NOBODY_USER_NAME
, "65534")) {
142 *username
= NOBODY_USER_NAME
;
153 *shell
= "/sbin/nologin";
158 if (parse_uid(*username
, &u
) >= 0) {
162 /* If there are multiple users with the same id, make
163 * sure to leave $USER to the configured value instead
164 * of the first occurrence in the database. However if
165 * the uid was configured by a numeric uid, then let's
166 * pick the real username from /etc/passwd. */
168 *username
= p
->pw_name
;
171 p
= getpwnam(*username
);
175 return errno
> 0 ? -errno
: -ESRCH
;
178 if (!uid_is_valid(p
->pw_uid
))
185 if (!gid_is_valid(p
->pw_gid
))
195 *shell
= p
->pw_shell
;
200 static inline bool is_nologin_shell(const char *shell
) {
202 return PATH_IN_SET(shell
,
203 /* 'nologin' is the friendliest way to disable logins for a user account. It prints a nice
204 * message and exits. Different distributions place the binary at different places though,
205 * hence let's list them all. */
210 /* 'true' and 'false' work too for the same purpose, but are less friendly as they don't do
211 * any message printing. Different distributions place the binary at various places but at
212 * least not in the 'sbin' directory. */
219 int get_user_creds_clean(
220 const char **username
,
221 uid_t
*uid
, gid_t
*gid
,
223 const char **shell
) {
227 /* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */
229 r
= get_user_creds(username
, uid
, gid
, home
, shell
);
234 (isempty(*shell
) || is_nologin_shell(*shell
)))
238 (isempty(*home
) || path_equal(*home
, "/")))
244 int get_group_creds(const char **groupname
, gid_t
*gid
) {
250 /* We enforce some special rules for gid=0: in order to avoid
251 * NSS lookups for root we hardcode its data. */
253 if (STR_IN_SET(*groupname
, "root", "0")) {
262 if (synthesize_nobody() &&
263 STR_IN_SET(*groupname
, NOBODY_GROUP_NAME
, "65534")) {
264 *groupname
= NOBODY_GROUP_NAME
;
272 if (parse_gid(*groupname
, &id
) >= 0) {
277 *groupname
= g
->gr_name
;
280 g
= getgrnam(*groupname
);
284 return errno
> 0 ? -errno
: -ESRCH
;
287 if (!gid_is_valid(g
->gr_gid
))
296 char* uid_to_name(uid_t uid
) {
300 /* Shortcut things to avoid NSS lookups */
302 return strdup("root");
303 if (synthesize_nobody() &&
305 return strdup(NOBODY_USER_NAME
);
307 if (uid_is_valid(uid
)) {
310 bufsize
= sysconf(_SC_GETPW_R_SIZE_MAX
);
315 struct passwd pwbuf
, *pw
= NULL
;
316 _cleanup_free_
char *buf
= NULL
;
318 buf
= malloc(bufsize
);
322 r
= getpwuid_r(uid
, &pwbuf
, buf
, (size_t) bufsize
, &pw
);
324 return strdup(pw
->pw_name
);
332 if (asprintf(&ret
, UID_FMT
, uid
) < 0)
338 char* gid_to_name(gid_t gid
) {
343 return strdup("root");
344 if (synthesize_nobody() &&
346 return strdup(NOBODY_GROUP_NAME
);
348 if (gid_is_valid(gid
)) {
351 bufsize
= sysconf(_SC_GETGR_R_SIZE_MAX
);
356 struct group grbuf
, *gr
= NULL
;
357 _cleanup_free_
char *buf
= NULL
;
359 buf
= malloc(bufsize
);
363 r
= getgrgid_r(gid
, &grbuf
, buf
, (size_t) bufsize
, &gr
);
365 return strdup(gr
->gr_name
);
373 if (asprintf(&ret
, GID_FMT
, gid
) < 0)
379 int in_gid(gid_t gid
) {
387 if (getegid() == gid
)
390 if (!gid_is_valid(gid
))
393 ngroups_max
= sysconf(_SC_NGROUPS_MAX
);
394 assert(ngroups_max
> 0);
396 gids
= newa(gid_t
, ngroups_max
);
398 r
= getgroups(ngroups_max
, gids
);
402 for (i
= 0; i
< r
; i
++)
409 int in_group(const char *name
) {
413 r
= get_group_creds(&name
, &gid
);
420 int get_home_dir(char **_h
) {
428 /* Take the user specified one */
429 e
= secure_getenv("HOME");
430 if (e
&& path_is_absolute(e
)) {
439 /* Hardcode home directory for root and nobody to avoid NSS */
449 if (synthesize_nobody() &&
459 /* Check the database... */
463 return errno
> 0 ? -errno
: -ESRCH
;
465 if (!path_is_absolute(p
->pw_dir
))
468 h
= strdup(p
->pw_dir
);
476 int get_shell(char **_s
) {
484 /* Take the user specified one */
495 /* Hardcode shell for root and nobody to avoid NSS */
498 s
= strdup("/bin/sh");
505 if (synthesize_nobody() &&
507 s
= strdup("/sbin/nologin");
515 /* Check the database... */
519 return errno
> 0 ? -errno
: -ESRCH
;
521 if (!path_is_absolute(p
->pw_shell
))
524 s
= strdup(p
->pw_shell
);
532 int reset_uid_gid(void) {
535 r
= maybe_setgroups(0, NULL
);
539 if (setresgid(0, 0, 0) < 0)
542 if (setresuid(0, 0, 0) < 0)
548 int take_etc_passwd_lock(const char *root
) {
550 struct flock flock
= {
552 .l_whence
= SEEK_SET
,
560 /* This is roughly the same as lckpwdf(), but not as awful. We
561 * don't want to use alarm() and signals, hence we implement
562 * our own trivial version of this.
564 * Note that shadow-utils also takes per-database locks in
565 * addition to lckpwdf(). However, we don't, given that they
566 * are redundant as they invoke lckpwdf() first and keep
567 * it during everything they do. The per-database locks are
568 * awfully racy, and thus we just won't do them. */
571 path
= prefix_roota(root
, ETC_PASSWD_LOCK_PATH
);
573 path
= ETC_PASSWD_LOCK_PATH
;
575 fd
= open(path
, O_WRONLY
|O_CREAT
|O_CLOEXEC
|O_NOCTTY
|O_NOFOLLOW
, 0600);
577 return log_debug_errno(errno
, "Cannot open %s: %m", path
);
579 r
= fcntl(fd
, F_SETLKW
, &flock
);
582 return log_debug_errno(errno
, "Locking %s failed: %m", path
);
588 bool valid_user_group_name(const char *u
) {
592 /* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition,
593 * 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules:
595 * - We don't allow any dots (this would break chown syntax which permits dots as user/group name separator)
596 * - We require that names fit into the appropriate utmp field
597 * - We don't allow empty user names
599 * Note that other systems are even more restrictive, and don't permit underscores or uppercase characters.
605 if (!(u
[0] >= 'a' && u
[0] <= 'z') &&
606 !(u
[0] >= 'A' && u
[0] <= 'Z') &&
610 for (i
= u
+1; *i
; i
++) {
611 if (!(*i
>= 'a' && *i
<= 'z') &&
612 !(*i
>= 'A' && *i
<= 'Z') &&
613 !(*i
>= '0' && *i
<= '9') &&
614 !IN_SET(*i
, '_', '-'))
618 sz
= sysconf(_SC_LOGIN_NAME_MAX
);
621 if ((size_t) (i
-u
) > (size_t) sz
)
624 if ((size_t) (i
-u
) > UT_NAMESIZE
- 1)
630 bool valid_user_group_name_or_id(const char *u
) {
632 /* Similar to the above, but also accepts numeric UID/GID specifications, as long as they are in the right
633 * range and are not the invalid user IDs. */
638 if (valid_user_group_name(u
))
641 return parse_uid(u
, NULL
) >= 0;
644 bool valid_gecos(const char *d
) {
649 if (!utf8_is_valid(d
))
652 if (string_has_cc(d
, NULL
))
655 /* Colons are used as field separators, and hence not OK */
662 bool valid_home(const char *p
) {
663 /* Note that this function is also called by valid_shell(), any
664 * changes must account for that. */
669 if (!utf8_is_valid(p
))
672 if (string_has_cc(p
, NULL
))
675 if (!path_is_absolute(p
))
678 if (!path_is_normalized(p
))
681 /* Colons are used as field separators, and hence not OK */
688 int maybe_setgroups(size_t size
, const gid_t
*list
) {
691 /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
692 if (size
== 0) { /* Dropping all aux groups? */
693 _cleanup_free_
char *setgroups_content
= NULL
;
696 r
= read_one_line_file("/proc/self/setgroups", &setgroups_content
);
698 /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
699 can_setgroups
= true;
703 can_setgroups
= streq(setgroups_content
, "allow");
705 if (!can_setgroups
) {
706 log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
711 if (setgroups(size
, list
) < 0)
717 bool synthesize_nobody(void) {
722 /* Returns true when we shall synthesize the "nobody" user (which we do by default). This can be turned off by
723 * touching /etc/systemd/dont-synthesize-nobody in order to provide upgrade compatibility with legacy systems
724 * that used the "nobody" user name and group name for UIDs/GIDs other than 65534.
726 * Note that we do not employ any kind of synchronization on the following caching variable. If the variable is
727 * accessed in multi-threaded programs in the worst case it might happen that we initialize twice, but that
728 * shouldn't matter as each initialization should come to the same result. */
729 static int cache
= -1;
732 cache
= access("/etc/systemd/dont-synthesize-nobody", F_OK
) < 0;
738 int putpwent_sane(const struct passwd
*pw
, FILE *stream
) {
743 if (putpwent(pw
, stream
) != 0)
744 return errno
> 0 ? -errno
: -EIO
;
749 int putspent_sane(const struct spwd
*sp
, FILE *stream
) {
754 if (putspent(sp
, stream
) != 0)
755 return errno
> 0 ? -errno
: -EIO
;
760 int putgrent_sane(const struct group
*gr
, FILE *stream
) {
765 if (putgrent(gr
, stream
) != 0)
766 return errno
> 0 ? -errno
: -EIO
;
772 int putsgent_sane(const struct sgrp
*sg
, FILE *stream
) {
777 if (putsgent(sg
, stream
) != 0)
778 return errno
> 0 ? -errno
: -EIO
;
784 int fgetpwent_sane(FILE *stream
, struct passwd
**pw
) {
791 p
= fgetpwent(stream
);
795 return errno
> 0 ? -errno
: -EIO
;
802 int fgetspent_sane(FILE *stream
, struct spwd
**sp
) {
809 s
= fgetspent(stream
);
813 return errno
> 0 ? -errno
: -EIO
;
820 int fgetgrent_sane(FILE *stream
, struct group
**gr
) {
827 g
= fgetgrent(stream
);
831 return errno
> 0 ? -errno
: -EIO
;
839 int fgetsgent_sane(FILE *stream
, struct sgrp
**sg
) {
846 s
= fgetsgent(stream
);
850 return errno
> 0 ? -errno
: -EIO
;