]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-setuid.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2015 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sys/types.h>
25 #include "alloc-util.h"
31 #include "nspawn-setuid.h"
32 #include "process-util.h"
33 #include "signal-util.h"
34 #include "string-util.h"
36 #include "user-util.h"
39 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
47 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
48 return log_error_errno(errno
, "Failed to allocate pipe: %m");
50 r
= safe_fork("(getent)", FORK_RESET_SIGNALS
|FORK_DEATHSIG
|FORK_LOG
, &pid
);
55 char *empty_env
= NULL
;
57 if (dup3(pipe_fds
[1], STDOUT_FILENO
, 0) < 0)
61 safe_close(pipe_fds
[0]);
63 safe_close(pipe_fds
[1]);
65 nullfd
= open("/dev/null", O_RDWR
);
69 if (dup3(nullfd
, STDIN_FILENO
, 0) < 0)
72 if (dup3(nullfd
, STDERR_FILENO
, 0) < 0)
78 close_all_fds(NULL
, 0);
80 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
81 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
85 pipe_fds
[1] = safe_close(pipe_fds
[1]);
92 int change_uid_gid(const char *user
, char **_home
) {
94 const char *word
, *state
;
95 _cleanup_free_ uid_t
*uids
= NULL
;
96 _cleanup_free_
char *home
= NULL
, *line
= NULL
;
97 _cleanup_fclose_
FILE *f
= NULL
;
98 _cleanup_close_
int fd
= -1;
108 if (!user
|| STR_IN_SET(user
, "root", "0")) {
109 /* Reset everything fully to 0, just in case */
113 return log_error_errno(r
, "Failed to become root: %m");
119 /* First, get user credentials */
120 fd
= spawn_getent("passwd", user
, &pid
);
124 f
= fdopen(fd
, "re");
129 r
= read_line(f
, LONG_LINE_MAX
, &line
);
131 log_error("Failed to resolve user %s.", user
);
135 return log_error_errno(r
, "Failed to read from getent: %m");
137 (void) wait_for_terminate_and_check("getent passwd", pid
, WAIT_LOG
);
139 x
= strchr(line
, ':');
141 log_error("/etc/passwd entry has invalid user field.");
145 u
= strchr(x
+1, ':');
147 log_error("/etc/passwd entry has invalid password field.");
154 log_error("/etc/passwd entry has invalid UID field.");
162 log_error("/etc/passwd entry has invalid GID field.");
167 h
= strchr(x
+1, ':');
169 log_error("/etc/passwd entry has invalid GECOS field.");
176 log_error("/etc/passwd entry has invalid home directory field.");
182 r
= parse_uid(u
, &uid
);
184 log_error("Failed to parse UID of user.");
188 r
= parse_gid(g
, &gid
);
190 log_error("Failed to parse GID of user.");
201 /* Second, get group memberships */
202 fd
= spawn_getent("initgroups", user
, &pid
);
206 f
= fdopen(fd
, "re");
211 r
= read_line(f
, LONG_LINE_MAX
, &line
);
213 log_error("Failed to resolve user %s.", user
);
217 return log_error_errno(r
, "Failed to read from getent: %m");
219 (void) wait_for_terminate_and_check("getent initgroups", pid
, WAIT_LOG
);
221 /* Skip over the username and subsequent separator whitespace */
223 x
+= strcspn(x
, WHITESPACE
);
224 x
+= strspn(x
, WHITESPACE
);
226 FOREACH_WORD(word
, l
, x
, state
) {
232 if (!GREEDY_REALLOC(uids
, sz
, n_uids
+1))
235 r
= parse_uid(c
, &uids
[n_uids
++]);
237 return log_error_errno(r
, "Failed to parse group data from getent: %m");
240 r
= mkdir_parents(home
, 0775);
242 return log_error_errno(r
, "Failed to make home root directory: %m");
244 r
= mkdir_safe(home
, 0755, uid
, gid
, false);
245 if (r
< 0 && r
!= -EEXIST
)
246 return log_error_errno(r
, "Failed to make home directory: %m");
248 (void) fchown(STDIN_FILENO
, uid
, gid
);
249 (void) fchown(STDOUT_FILENO
, uid
, gid
);
250 (void) fchown(STDERR_FILENO
, uid
, gid
);
252 if (setgroups(n_uids
, uids
) < 0)
253 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
255 if (setresgid(gid
, gid
, gid
) < 0)
256 return log_error_errno(errno
, "setresgid() failed: %m");
258 if (setresuid(uid
, uid
, uid
) < 0)
259 return log_error_errno(errno
, "setresuid() failed: %m");