1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
35 #include "alloc-util.h"
38 #include "format-util.h"
41 #include "parse-util.h"
42 #include "path-util.h"
43 #include "string-util.h"
45 #include "user-util.h"
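/**
 * Check whether @uid can denote a real user.
 *
 * Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436.
 *
 * Only two values are rejected: the 32-bit -1 that some libc APIs use as a
 * "no uid" placeholder (UID_INVALID), and the 16-bit -1 left over from the
 * era of 16-bit UIDs. Every other value passes; this is a pure range check
 * and never consults NSS, so a "valid" uid need not exist in the database.
 *
 * @return true if @uid is usable, false for the two reserved values.
 */
bool uid_is_valid(uid_t uid) {

        /* Some libc APIs use UID_INVALID as special placeholder */
        if (uid == (uid_t) UINT32_C(0xFFFFFFFF))
                return false;

        /* A long time ago UIDs were 16bit, hence explicitly avoid the 16bit -1 too */
        if (uid == (uid_t) UINT32_C(0xFFFF))
                return false;

        return true;
}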
63 int parse_uid(const char *s
, uid_t
*ret
) {
69 assert_cc(sizeof(uid_t
) == sizeof(uint32_t));
70 r
= safe_atou32(s
, &uid
);
74 if (!uid_is_valid(uid
))
75 return -ENXIO
; /* we return ENXIO instead of EINVAL
76 * here, to make it easy to distuingish
77 * invalid numeric uids from invalid
86 char* getlogname_malloc(void) {
90 if (isatty(STDIN_FILENO
) && fstat(STDIN_FILENO
, &st
) >= 0)
95 return uid_to_name(uid
);
/* Resolve the real uid of the calling process to a user name via uid_to_name().
 * The returned string is heap-allocated by uid_to_name(); ownership passes to the caller. */
char *getusername_malloc(void) {
        uid_t real_uid = getuid();

        return uid_to_name(real_uid);
}
109 const char **username
,
110 uid_t
*uid
, gid_t
*gid
,
112 const char **shell
) {
120 /* We enforce some special rules for uid=0 and uid=65534: in order to avoid NSS lookups for root we hardcode
121 * their user record data. */
123 if (STR_IN_SET(*username
, "root", "0")) {
140 if (STR_IN_SET(*username
, NOBODY_USER_NAME
, "65534")) {
141 *username
= NOBODY_USER_NAME
;
152 *shell
= "/sbin/nologin";
157 if (parse_uid(*username
, &u
) >= 0) {
161 /* If there are multiple users with the same id, make
162 * sure to leave $USER to the configured value instead
163 * of the first occurrence in the database. However if
164 * the uid was configured by a numeric uid, then let's
165 * pick the real username from /etc/passwd. */
167 *username
= p
->pw_name
;
170 p
= getpwnam(*username
);
174 return errno
> 0 ? -errno
: -ESRCH
;
177 if (!uid_is_valid(p
->pw_uid
))
184 if (!gid_is_valid(p
->pw_gid
))
194 *shell
= p
->pw_shell
;
199 int get_user_creds_clean(
200 const char **username
,
201 uid_t
*uid
, gid_t
*gid
,
203 const char **shell
) {
207 /* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */
209 r
= get_user_creds(username
, uid
, gid
, home
, shell
);
214 (isempty(*shell
) || PATH_IN_SET(*shell
,
218 "/usr/sbin/nologin")))
222 (isempty(*home
) || path_equal(*home
, "/")))
228 int get_group_creds(const char **groupname
, gid_t
*gid
) {
234 /* We enforce some special rules for gid=0: in order to avoid
235 * NSS lookups for root we hardcode its data. */
237 if (STR_IN_SET(*groupname
, "root", "0")) {
246 if (STR_IN_SET(*groupname
, NOBODY_GROUP_NAME
, "65534")) {
247 *groupname
= NOBODY_GROUP_NAME
;
255 if (parse_gid(*groupname
, &id
) >= 0) {
260 *groupname
= g
->gr_name
;
263 g
= getgrnam(*groupname
);
267 return errno
> 0 ? -errno
: -ESRCH
;
270 if (!gid_is_valid(g
->gr_gid
))
279 char* uid_to_name(uid_t uid
) {
283 /* Shortcut things to avoid NSS lookups */
285 return strdup("root");
286 if (uid
== UID_NOBODY
)
287 return strdup(NOBODY_USER_NAME
);
289 if (uid_is_valid(uid
)) {
292 bufsize
= sysconf(_SC_GETPW_R_SIZE_MAX
);
297 struct passwd pwbuf
, *pw
= NULL
;
298 _cleanup_free_
char *buf
= NULL
;
300 buf
= malloc(bufsize
);
304 r
= getpwuid_r(uid
, &pwbuf
, buf
, (size_t) bufsize
, &pw
);
306 return strdup(pw
->pw_name
);
314 if (asprintf(&ret
, UID_FMT
, uid
) < 0)
320 char* gid_to_name(gid_t gid
) {
325 return strdup("root");
326 if (gid
== GID_NOBODY
)
327 return strdup(NOBODY_GROUP_NAME
);
329 if (gid_is_valid(gid
)) {
332 bufsize
= sysconf(_SC_GETGR_R_SIZE_MAX
);
337 struct group grbuf
, *gr
= NULL
;
338 _cleanup_free_
char *buf
= NULL
;
340 buf
= malloc(bufsize
);
344 r
= getgrgid_r(gid
, &grbuf
, buf
, (size_t) bufsize
, &gr
);
346 return strdup(gr
->gr_name
);
354 if (asprintf(&ret
, GID_FMT
, gid
) < 0)
360 int in_gid(gid_t gid
) {
368 if (getegid() == gid
)
371 if (!gid_is_valid(gid
))
374 ngroups_max
= sysconf(_SC_NGROUPS_MAX
);
375 assert(ngroups_max
> 0);
377 gids
= newa(gid_t
, ngroups_max
);
379 r
= getgroups(ngroups_max
, gids
);
383 for (i
= 0; i
< r
; i
++)
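/**
 * Check whether the calling process is a member of the group @name.
 *
 * @name is resolved through get_group_creds(), which accepts both a group
 * name and a numeric gid string. Membership of the resolved gid is then
 * tested with in_gid().
 *
 * @return the result of in_gid() for the resolved gid, or the negative
 *         errno-style error returned by get_group_creds() when the lookup
 *         fails (e.g. -ESRCH for an unknown group).
 */
int in_group(const char *name) {
        gid_t gid;
        int r;

        /* get_group_creds() may rewrite @name to the canonical group name;
         * only the local copy of the pointer is affected. */
        r = get_group_creds(&name, &gid);
        if (r < 0)
                return r;

        return in_gid(gid);
}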
401 int get_home_dir(char **_h
) {
409 /* Take the user specified one */
410 e
= secure_getenv("HOME");
411 if (e
&& path_is_absolute(e
)) {
420 /* Hardcode home directory for root and nobody to avoid NSS */
430 if (u
== UID_NOBODY
) {
439 /* Check the database... */
443 return errno
> 0 ? -errno
: -ESRCH
;
445 if (!path_is_absolute(p
->pw_dir
))
448 h
= strdup(p
->pw_dir
);
456 int get_shell(char **_s
) {
464 /* Take the user specified one */
475 /* Hardcode shell for root and nobody to avoid NSS */
478 s
= strdup("/bin/sh");
485 if (u
== UID_NOBODY
) {
486 s
= strdup("/sbin/nologin");
494 /* Check the database... */
498 return errno
> 0 ? -errno
: -ESRCH
;
500 if (!path_is_absolute(p
->pw_shell
))
503 s
= strdup(p
->pw_shell
);
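/**
 * Reset the calling process to uid 0 / gid 0 with an empty supplementary
 * group list.
 *
 * Order matters: the supplementary groups are cleared first (through
 * maybe_setgroups(), which skips the call when /proc/self/setgroups is set
 * to "deny" instead of failing), then the real/effective/saved gid, then the
 * real/effective/saved uid.
 *
 * @return 0 on success, a negative errno-style error otherwise: the error
 *         from maybe_setgroups(), or -errno when setresgid()/setresuid()
 *         fail (typically -EPERM when the caller lacks the privilege).
 */
int reset_uid_gid(void) {
        int r;

        r = maybe_setgroups(0, NULL);
        if (r < 0)
                return r;

        if (setresgid(0, 0, 0) < 0)
                return -errno;

        if (setresuid(0, 0, 0) < 0)
                return -errno;

        return 0;
}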
527 int take_etc_passwd_lock(const char *root
) {
529 struct flock flock
= {
531 .l_whence
= SEEK_SET
,
539 /* This is roughly the same as lckpwdf(), but not as awful. We
540 * don't want to use alarm() and signals, hence we implement
541 * our own trivial version of this.
543 * Note that shadow-utils also takes per-database locks in
544 * addition to lckpwdf(). However, we don't given that they
545 * are redundant as they invoke lckpwdf() first and keep
546 * it during everything they do. The per-database locks are
547 * awfully racy, and thus we just won't do them. */
550 path
= prefix_roota(root
, "/etc/.pwd.lock");
552 path
= "/etc/.pwd.lock";
554 fd
= open(path
, O_WRONLY
|O_CREAT
|O_CLOEXEC
|O_NOCTTY
|O_NOFOLLOW
, 0600);
558 r
= fcntl(fd
, F_SETLKW
, &flock
);
567 bool valid_user_group_name(const char *u
) {
571 /* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition,
572 * 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules:
574 * - We don't allow any dots (this would break chown syntax which permits dots as user/group name separator)
575 * - We require that names fit into the appropriate utmp field
576 * - We don't allow empty user names
578 * Note that other systems are even more restrictive, and don't permit underscores or uppercase characters.
584 if (!(u
[0] >= 'a' && u
[0] <= 'z') &&
585 !(u
[0] >= 'A' && u
[0] <= 'Z') &&
589 for (i
= u
+1; *i
; i
++) {
590 if (!(*i
>= 'a' && *i
<= 'z') &&
591 !(*i
>= 'A' && *i
<= 'Z') &&
592 !(*i
>= '0' && *i
<= '9') &&
593 !IN_SET(*i
, '_', '-'))
597 sz
= sysconf(_SC_LOGIN_NAME_MAX
);
600 if ((size_t) (i
-u
) > (size_t) sz
)
603 if ((size_t) (i
-u
) > UT_NAMESIZE
- 1)
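/**
 * Check whether @u is a valid user/group name, or a numeric UID/GID
 * specification.
 *
 * Similar to valid_user_group_name(), but additionally accepts numeric
 * UID/GID strings as long as they are in range and do not denote one of
 * the invalid ids.
 *
 * @return true if @u is a valid name or a parseable, usable numeric id.
 */
bool valid_user_group_name_or_id(const char *u) {

        if (valid_user_group_name(u))
                return true;

        /* parse_uid() fails with -ENXIO for the two reserved ids (the 32-bit and
         * 16-bit -1), so a numeric spec only passes when it denotes a usable id. */
        return parse_uid(u, NULL) >= 0;
}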
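/**
 * Check whether @d is acceptable as a GECOS field.
 *
 * Rejects strings that are not valid UTF-8, that contain control
 * characters, or that contain ':'. The colon is the passwd(5) field
 * separator, so allowing it would let a GECOS value spill into the
 * following fields of the record.
 *
 * @param d the candidate GECOS string; must not be NULL.
 * @return true if @d may be stored as a GECOS field.
 */
bool valid_gecos(const char *d) {

        assert(d);

        if (!utf8_is_valid(d))
                return false;

        if (string_has_cc(d, NULL))
                return false;

        /* Colons are used as field separators, and hence not OK */
        if (strchr(d, ':'))
                return false;

        return true;
}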
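/**
 * Check whether @p is acceptable as a home directory path in a user record.
 *
 * The path must be valid UTF-8, free of control characters, absolute,
 * normalized (as path_is_normalized() defines it), and must not contain
 * ':', the passwd(5) field separator.
 *
 * @param p the candidate home directory path.
 * @return true if @p may be stored as a home directory.
 */
bool valid_home(const char *p) {

        if (!utf8_is_valid(p))
                return false;

        if (string_has_cc(p, NULL))
                return false;

        if (!path_is_absolute(p))
                return false;

        if (!path_is_normalized(p))
                return false;

        /* Colons are used as field separators, and hence not OK */
        if (strchr(p, ':'))
                return false;

        return true;
}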
665 int maybe_setgroups(size_t size
, const gid_t
*list
) {
668 /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
669 if (size
== 0) { /* Dropping all aux groups? */
670 _cleanup_free_
char *setgroups_content
= NULL
;
673 r
= read_one_line_file("/proc/self/setgroups", &setgroups_content
);
675 /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
676 can_setgroups
= true;
680 can_setgroups
= streq(setgroups_content
, "allow");
682 if (!can_setgroups
) {
683 log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
688 if (setgroups(size
, list
) < 0)