]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-setuid.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update version and finalize NEWS for 256~rc4
[thirdparty/systemd.git] / src / nspawn / nspawn-setuid.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <fcntl.h>
4 #include <sys/types.h>
5 #include <unistd.h>
6
7 #include "alloc-util.h"
8 #include "constants.h"
9 #include "errno.h"
10 #include "fd-util.h"
11 #include "fileio.h"
12 #include "mkdir.h"
13 #include "nspawn-setuid.h"
14 #include "process-util.h"
15 #include "signal-util.h"
16 #include "string-util.h"
17 #include "strv.h"
18 #include "user-util.h"
19
20 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
21 int pipe_fds[2], r;
22 pid_t pid;
23
24 assert(database);
25 assert(key);
26 assert(rpid);
27
28 if (pipe2(pipe_fds, O_CLOEXEC) < 0)
29 return log_error_errno(errno, "Failed to allocate pipe: %m");
30
31 r = safe_fork_full("(getent)",
32 (int[]) { -EBADF, pipe_fds[1], -EBADF }, NULL, 0,
33 FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG_SIGTERM|FORK_REARRANGE_STDIO|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE,
34 &pid);
35 if (r < 0) {
36 safe_close_pair(pipe_fds);
37 return r;
38 }
39 if (r == 0) {
40 execle("/usr/bin/getent", "getent", database, key, NULL, &(char*[1]){});
41 execle("/bin/getent", "getent", database, key, NULL, &(char*[1]){});
42 _exit(EXIT_FAILURE);
43 }
44
45 pipe_fds[1] = safe_close(pipe_fds[1]);
46
47 *rpid = pid;
48
49 return pipe_fds[0];
50 }
51
52 int change_uid_gid_raw(
53 uid_t uid,
54 gid_t gid,
55 const gid_t *supplementary_gids,
56 size_t n_supplementary_gids,
57 bool chown_stdio) {
58
59 int r;
60
61 if (!uid_is_valid(uid))
62 uid = 0;
63 if (!gid_is_valid(gid))
64 gid = 0;
65
66 if (chown_stdio) {
67 (void) fchown(STDIN_FILENO, uid, gid);
68 (void) fchown(STDOUT_FILENO, uid, gid);
69 (void) fchown(STDERR_FILENO, uid, gid);
70 }
71
72 r = fully_set_uid_gid(uid, gid, supplementary_gids, n_supplementary_gids);
73 if (r < 0)
74 return log_error_errno(r, "Changing privileges failed: %m");
75
76 return 0;
77 }
78
79 int change_uid_gid(const char *user, bool chown_stdio, char **ret_home) {
80 char *x, *u, *g, *h;
81 _cleanup_free_ gid_t *gids = NULL;
82 _cleanup_free_ char *home = NULL, *line = NULL;
83 _cleanup_fclose_ FILE *f = NULL;
84 _cleanup_close_ int fd = -EBADF;
85 unsigned n_gids = 0;
86 uid_t uid;
87 gid_t gid;
88 pid_t pid;
89 int r;
90
91 assert(ret_home);
92
93 if (!user || STR_IN_SET(user, "root", "0")) {
94 /* Reset everything fully to 0, just in case */
95
96 r = reset_uid_gid();
97 if (r < 0)
98 return log_error_errno(r, "Failed to become root: %m");
99
100 *ret_home = NULL;
101 return 0;
102 }
103
104 /* First, get user credentials */
105 fd = spawn_getent("passwd", user, &pid);
106 if (fd < 0)
107 return fd;
108
109 f = take_fdopen(&fd, "r");
110 if (!f)
111 return log_oom();
112
113 r = read_line(f, LONG_LINE_MAX, &line);
114 if (r == 0)
115 return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
116 "Failed to resolve user %s.", user);
117 if (r < 0)
118 return log_error_errno(r, "Failed to read from getent: %m");
119
120 (void) wait_for_terminate_and_check("getent passwd", pid, WAIT_LOG);
121
122 x = strchr(line, ':');
123 if (!x)
124 return log_error_errno(SYNTHETIC_ERRNO(EIO),
125 "/etc/passwd entry has invalid user field.");
126
127 u = strchr(x+1, ':');
128 if (!u)
129 return log_error_errno(SYNTHETIC_ERRNO(EIO),
130 "/etc/passwd entry has invalid password field.");
131
132 u++;
133 g = strchr(u, ':');
134 if (!g)
135 return log_error_errno(SYNTHETIC_ERRNO(EIO),
136 "/etc/passwd entry has invalid UID field.");
137
138 *g = 0;
139 g++;
140 x = strchr(g, ':');
141 if (!x)
142 return log_error_errno(SYNTHETIC_ERRNO(EIO),
143 "/etc/passwd entry has invalid GID field.");
144
145 *x = 0;
146 h = strchr(x+1, ':');
147 if (!h)
148 return log_error_errno(SYNTHETIC_ERRNO(EIO),
149 "/etc/passwd entry has invalid GECOS field.");
150
151 h++;
152 x = strchr(h, ':');
153 if (!x)
154 return log_error_errno(SYNTHETIC_ERRNO(EIO),
155 "/etc/passwd entry has invalid home directory field.");
156
157 *x = 0;
158
159 r = parse_uid(u, &uid);
160 if (r < 0)
161 return log_error_errno(SYNTHETIC_ERRNO(EIO),
162 "Failed to parse UID of user.");
163
164 r = parse_gid(g, &gid);
165 if (r < 0)
166 return log_error_errno(SYNTHETIC_ERRNO(EIO),
167 "Failed to parse GID of user.");
168
169 home = strdup(h);
170 if (!home)
171 return log_oom();
172
173 f = safe_fclose(f);
174 line = mfree(line);
175
176 /* Second, get group memberships */
177 fd = spawn_getent("initgroups", user, &pid);
178 if (fd < 0)
179 return fd;
180
181 f = take_fdopen(&fd, "r");
182 if (!f)
183 return log_oom();
184
185 r = read_line(f, LONG_LINE_MAX, &line);
186 if (r == 0)
187 return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
188 "Failed to resolve user %s.", user);
189 if (r < 0)
190 return log_error_errno(r, "Failed to read from getent: %m");
191
192 (void) wait_for_terminate_and_check("getent initgroups", pid, WAIT_LOG);
193
194 /* Skip over the username and subsequent separator whitespace */
195 x = line;
196 x += strcspn(x, WHITESPACE);
197 x += strspn(x, WHITESPACE);
198
199 for (const char *p = x;;) {
200 _cleanup_free_ char *word = NULL;
201
202 r = extract_first_word(&p, &word, NULL, 0);
203 if (r < 0)
204 return log_error_errno(r, "Failed to parse group data from getent: %m");
205 if (r == 0)
206 break;
207
208 if (!GREEDY_REALLOC(gids, n_gids+1))
209 return log_oom();
210
211 r = parse_gid(word, &gids[n_gids++]);
212 if (r < 0)
213 return log_error_errno(r, "Failed to parse group data from getent: %m");
214 }
215
216 r = mkdir_parents(home, 0775);
217 if (r < 0)
218 return log_error_errno(r, "Failed to make home root directory: %m");
219
220 r = mkdir_safe(home, 0755, uid, gid, 0);
221 if (r < 0 && !IN_SET(r, -EEXIST, -ENOTDIR))
222 return log_error_errno(r, "Failed to make home directory: %m");
223
224 r = change_uid_gid_raw(uid, gid, gids, n_gids, chown_stdio);
225 if (r < 0)
226 return r;
227
228 if (ret_home)
229 *ret_home = TAKE_PTR(home);
230
231 return 0;
232 }
Unnamed repository; edit this file 'description' to name the repository.