]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-setuid.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
7 #include "alloc-util.h"
13 #include "nspawn-setuid.h"
14 #include "process-util.h"
15 #include "rlimit-util.h"
16 #include "signal-util.h"
17 #include "string-util.h"
19 #include "user-util.h"
22 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
30 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
31 return log_error_errno(errno
, "Failed to allocate pipe: %m");
33 r
= safe_fork("(getent)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_LOG
, &pid
);
35 safe_close_pair(pipe_fds
);
39 char *empty_env
= NULL
;
41 safe_close(pipe_fds
[0]);
43 if (rearrange_stdio(-1, pipe_fds
[1], -1) < 0)
46 (void) close_all_fds(NULL
, 0);
48 (void) rlimit_nofile_safe();
50 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
51 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
55 pipe_fds
[1] = safe_close(pipe_fds
[1]);
62 int change_uid_gid_raw(
65 const gid_t
*supplementary_gids
,
66 size_t n_supplementary_gids
,
69 if (!uid_is_valid(uid
))
71 if (!gid_is_valid(gid
))
75 (void) fchown(STDIN_FILENO
, uid
, gid
);
76 (void) fchown(STDOUT_FILENO
, uid
, gid
);
77 (void) fchown(STDERR_FILENO
, uid
, gid
);
80 if (setgroups(n_supplementary_gids
, supplementary_gids
) < 0)
81 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
83 if (setresgid(gid
, gid
, gid
) < 0)
84 return log_error_errno(errno
, "setresgid() failed: %m");
86 if (setresuid(uid
, uid
, uid
) < 0)
87 return log_error_errno(errno
, "setresuid() failed: %m");
92 int change_uid_gid(const char *user
, bool chown_stdio
, char **ret_home
) {
94 _cleanup_free_ gid_t
*gids
= NULL
;
95 _cleanup_free_
char *home
= NULL
, *line
= NULL
;
96 _cleanup_fclose_
FILE *f
= NULL
;
97 _cleanup_close_
int fd
= -1;
107 if (!user
|| STR_IN_SET(user
, "root", "0")) {
108 /* Reset everything fully to 0, just in case */
112 return log_error_errno(r
, "Failed to become root: %m");
118 /* First, get user credentials */
119 fd
= spawn_getent("passwd", user
, &pid
);
123 f
= take_fdopen(&fd
, "r");
127 r
= read_line(f
, LONG_LINE_MAX
, &line
);
129 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
130 "Failed to resolve user %s.", user
);
132 return log_error_errno(r
, "Failed to read from getent: %m");
134 (void) wait_for_terminate_and_check("getent passwd", pid
, WAIT_LOG
);
136 x
= strchr(line
, ':');
138 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
139 "/etc/passwd entry has invalid user field.");
141 u
= strchr(x
+1, ':');
143 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
144 "/etc/passwd entry has invalid password field.");
149 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
150 "/etc/passwd entry has invalid UID field.");
156 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
157 "/etc/passwd entry has invalid GID field.");
160 h
= strchr(x
+1, ':');
162 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
163 "/etc/passwd entry has invalid GECOS field.");
168 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
169 "/etc/passwd entry has invalid home directory field.");
173 r
= parse_uid(u
, &uid
);
175 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
176 "Failed to parse UID of user.");
178 r
= parse_gid(g
, &gid
);
180 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
181 "Failed to parse GID of user.");
190 /* Second, get group memberships */
191 fd
= spawn_getent("initgroups", user
, &pid
);
195 f
= take_fdopen(&fd
, "r");
199 r
= read_line(f
, LONG_LINE_MAX
, &line
);
201 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
202 "Failed to resolve user %s.", user
);
204 return log_error_errno(r
, "Failed to read from getent: %m");
206 (void) wait_for_terminate_and_check("getent initgroups", pid
, WAIT_LOG
);
208 /* Skip over the username and subsequent separator whitespace */
210 x
+= strcspn(x
, WHITESPACE
);
211 x
+= strspn(x
, WHITESPACE
);
213 for (const char *p
= x
;;) {
214 _cleanup_free_
char *word
= NULL
;
216 r
= extract_first_word(&p
, &word
, NULL
, 0);
218 return log_error_errno(r
, "Failed to parse group data from getent: %m");
222 if (!GREEDY_REALLOC(gids
, sz
, n_gids
+1))
225 r
= parse_gid(word
, &gids
[n_gids
++]);
227 return log_error_errno(r
, "Failed to parse group data from getent: %m");
230 r
= mkdir_parents(home
, 0775);
232 return log_error_errno(r
, "Failed to make home root directory: %m");
234 r
= mkdir_safe(home
, 0755, uid
, gid
, 0);
235 if (r
< 0 && !IN_SET(r
, -EEXIST
, -ENOTDIR
))
236 return log_error_errno(r
, "Failed to make home directory: %m");
238 r
= change_uid_gid_raw(uid
, gid
, gids
, n_gids
, chown_stdio
);
243 *ret_home
= TAKE_PTR(home
);