]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-setuid.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
7 #include "alloc-util.h"
13 #include "nspawn-setuid.h"
14 #include "process-util.h"
15 #include "rlimit-util.h"
16 #include "signal-util.h"
17 #include "string-util.h"
19 #include "user-util.h"
22 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
30 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
31 return log_error_errno(errno
, "Failed to allocate pipe: %m");
33 r
= safe_fork("(getent)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_LOG
, &pid
);
35 safe_close_pair(pipe_fds
);
39 char *empty_env
= NULL
;
41 safe_close(pipe_fds
[0]);
43 if (rearrange_stdio(-1, pipe_fds
[1], -1) < 0)
46 (void) close_all_fds(NULL
, 0);
48 (void) rlimit_nofile_safe();
50 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
51 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
55 pipe_fds
[1] = safe_close(pipe_fds
[1]);
62 int change_uid_gid_raw(
65 const gid_t
*supplementary_gids
,
66 size_t n_supplementary_gids
) {
68 if (!uid_is_valid(uid
))
70 if (!gid_is_valid(gid
))
73 (void) fchown(STDIN_FILENO
, uid
, gid
);
74 (void) fchown(STDOUT_FILENO
, uid
, gid
);
75 (void) fchown(STDERR_FILENO
, uid
, gid
);
77 if (setgroups(n_supplementary_gids
, supplementary_gids
) < 0)
78 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
80 if (setresgid(gid
, gid
, gid
) < 0)
81 return log_error_errno(errno
, "setresgid() failed: %m");
83 if (setresuid(uid
, uid
, uid
) < 0)
84 return log_error_errno(errno
, "setresuid() failed: %m");
89 int change_uid_gid(const char *user
, char **_home
) {
91 _cleanup_free_ gid_t
*gids
= NULL
;
92 _cleanup_free_
char *home
= NULL
, *line
= NULL
;
93 _cleanup_fclose_
FILE *f
= NULL
;
94 _cleanup_close_
int fd
= -1;
104 if (!user
|| STR_IN_SET(user
, "root", "0")) {
105 /* Reset everything fully to 0, just in case */
109 return log_error_errno(r
, "Failed to become root: %m");
115 /* First, get user credentials */
116 fd
= spawn_getent("passwd", user
, &pid
);
120 f
= take_fdopen(&fd
, "r");
124 r
= read_line(f
, LONG_LINE_MAX
, &line
);
126 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
127 "Failed to resolve user %s.", user
);
129 return log_error_errno(r
, "Failed to read from getent: %m");
131 (void) wait_for_terminate_and_check("getent passwd", pid
, WAIT_LOG
);
133 x
= strchr(line
, ':');
135 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
136 "/etc/passwd entry has invalid user field.");
138 u
= strchr(x
+1, ':');
140 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
141 "/etc/passwd entry has invalid password field.");
146 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
147 "/etc/passwd entry has invalid UID field.");
153 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
154 "/etc/passwd entry has invalid GID field.");
157 h
= strchr(x
+1, ':');
159 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
160 "/etc/passwd entry has invalid GECOS field.");
165 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
166 "/etc/passwd entry has invalid home directory field.");
170 r
= parse_uid(u
, &uid
);
172 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
173 "Failed to parse UID of user.");
175 r
= parse_gid(g
, &gid
);
177 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
178 "Failed to parse GID of user.");
187 /* Second, get group memberships */
188 fd
= spawn_getent("initgroups", user
, &pid
);
192 f
= take_fdopen(&fd
, "r");
196 r
= read_line(f
, LONG_LINE_MAX
, &line
);
198 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
199 "Failed to resolve user %s.", user
);
201 return log_error_errno(r
, "Failed to read from getent: %m");
203 (void) wait_for_terminate_and_check("getent initgroups", pid
, WAIT_LOG
);
205 /* Skip over the username and subsequent separator whitespace */
207 x
+= strcspn(x
, WHITESPACE
);
208 x
+= strspn(x
, WHITESPACE
);
210 for (const char *p
= x
;;) {
211 _cleanup_free_
char *word
= NULL
;
213 r
= extract_first_word(&p
, &word
, NULL
, 0);
215 return log_error_errno(r
, "Failed to parse group data from getent: %m");
219 if (!GREEDY_REALLOC(gids
, sz
, n_gids
+1))
222 r
= parse_gid(word
, &gids
[n_gids
++]);
224 return log_error_errno(r
, "Failed to parse group data from getent: %m");
227 r
= mkdir_parents(home
, 0775);
229 return log_error_errno(r
, "Failed to make home root directory: %m");
231 r
= mkdir_safe(home
, 0755, uid
, gid
, 0);
232 if (r
< 0 && !IN_SET(r
, -EEXIST
, -ENOTDIR
))
233 return log_error_errno(r
, "Failed to make home directory: %m");
235 r
= change_uid_gid_raw(uid
, gid
, gids
, n_gids
);
240 *_home
= TAKE_PTR(home
);