]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-setuid.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
7 #include "alloc-util.h"
13 #include "nspawn-setuid.h"
14 #include "process-util.h"
15 #include "rlimit-util.h"
16 #include "signal-util.h"
17 #include "string-util.h"
19 #include "user-util.h"
21 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
29 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
30 return log_error_errno(errno
, "Failed to allocate pipe: %m");
32 r
= safe_fork("(getent)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_LOG
, &pid
);
34 safe_close_pair(pipe_fds
);
38 char *empty_env
= NULL
;
40 pipe_fds
[0] = safe_close(pipe_fds
[0]);
42 if (rearrange_stdio(-EBADF
, TAKE_FD(pipe_fds
[1]), -EBADF
) < 0)
45 (void) close_all_fds(NULL
, 0);
47 (void) rlimit_nofile_safe();
49 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
50 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
54 pipe_fds
[1] = safe_close(pipe_fds
[1]);
61 int change_uid_gid_raw(
64 const gid_t
*supplementary_gids
,
65 size_t n_supplementary_gids
,
68 if (!uid_is_valid(uid
))
70 if (!gid_is_valid(gid
))
74 (void) fchown(STDIN_FILENO
, uid
, gid
);
75 (void) fchown(STDOUT_FILENO
, uid
, gid
);
76 (void) fchown(STDERR_FILENO
, uid
, gid
);
79 if (setgroups(n_supplementary_gids
, supplementary_gids
) < 0)
80 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
82 if (setresgid(gid
, gid
, gid
) < 0)
83 return log_error_errno(errno
, "setresgid() failed: %m");
85 if (setresuid(uid
, uid
, uid
) < 0)
86 return log_error_errno(errno
, "setresuid() failed: %m");
91 int change_uid_gid(const char *user
, bool chown_stdio
, char **ret_home
) {
93 _cleanup_free_ gid_t
*gids
= NULL
;
94 _cleanup_free_
char *home
= NULL
, *line
= NULL
;
95 _cleanup_fclose_
FILE *f
= NULL
;
96 _cleanup_close_
int fd
= -EBADF
;
105 if (!user
|| STR_IN_SET(user
, "root", "0")) {
106 /* Reset everything fully to 0, just in case */
110 return log_error_errno(r
, "Failed to become root: %m");
116 /* First, get user credentials */
117 fd
= spawn_getent("passwd", user
, &pid
);
121 f
= take_fdopen(&fd
, "r");
125 r
= read_line(f
, LONG_LINE_MAX
, &line
);
127 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
128 "Failed to resolve user %s.", user
);
130 return log_error_errno(r
, "Failed to read from getent: %m");
132 (void) wait_for_terminate_and_check("getent passwd", pid
, WAIT_LOG
);
134 x
= strchr(line
, ':');
136 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
137 "/etc/passwd entry has invalid user field.");
139 u
= strchr(x
+1, ':');
141 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
142 "/etc/passwd entry has invalid password field.");
147 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
148 "/etc/passwd entry has invalid UID field.");
154 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
155 "/etc/passwd entry has invalid GID field.");
158 h
= strchr(x
+1, ':');
160 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
161 "/etc/passwd entry has invalid GECOS field.");
166 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
167 "/etc/passwd entry has invalid home directory field.");
171 r
= parse_uid(u
, &uid
);
173 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
174 "Failed to parse UID of user.");
176 r
= parse_gid(g
, &gid
);
178 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
179 "Failed to parse GID of user.");
188 /* Second, get group memberships */
189 fd
= spawn_getent("initgroups", user
, &pid
);
193 f
= take_fdopen(&fd
, "r");
197 r
= read_line(f
, LONG_LINE_MAX
, &line
);
199 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
200 "Failed to resolve user %s.", user
);
202 return log_error_errno(r
, "Failed to read from getent: %m");
204 (void) wait_for_terminate_and_check("getent initgroups", pid
, WAIT_LOG
);
206 /* Skip over the username and subsequent separator whitespace */
208 x
+= strcspn(x
, WHITESPACE
);
209 x
+= strspn(x
, WHITESPACE
);
211 for (const char *p
= x
;;) {
212 _cleanup_free_
char *word
= NULL
;
214 r
= extract_first_word(&p
, &word
, NULL
, 0);
216 return log_error_errno(r
, "Failed to parse group data from getent: %m");
220 if (!GREEDY_REALLOC(gids
, n_gids
+1))
223 r
= parse_gid(word
, &gids
[n_gids
++]);
225 return log_error_errno(r
, "Failed to parse group data from getent: %m");
228 r
= mkdir_parents(home
, 0775);
230 return log_error_errno(r
, "Failed to make home root directory: %m");
232 r
= mkdir_safe(home
, 0755, uid
, gid
, 0);
233 if (r
< 0 && !IN_SET(r
, -EEXIST
, -ENOTDIR
))
234 return log_error_errno(r
, "Failed to make home directory: %m");
236 r
= change_uid_gid_raw(uid
, gid
, gids
, n_gids
, chown_stdio
);
241 *ret_home
= TAKE_PTR(home
);