/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include "chase-symlinks.h"
#include "fd-util.h"
#include "fileio.h"
#include "format-util.h"
-#include "fs-util.h"
#include "nspawn-bind-user.h"
#include "nspawn.h"
#include "path-util.h"
#include "user-util.h"
#include "userdb.h"
-#define MAP_UID_START 60514
-#define MAP_UID_END 60577
-
static int check_etc_passwd_collisions(
const char *directory,
const char *name,
assert(directory);
assert(name || uid_is_valid(uid));
- r = chase_symlinks_and_fopen_unlocked("/etc/passwd", directory, CHASE_PREFIX_ROOT, "re", &f, NULL);
+ r = chase_symlinks_and_fopen_unlocked("/etc/passwd", directory, CHASE_PREFIX_ROOT, "re", NULL, &f);
if (r == -ENOENT)
return 0; /* no user database? then no user, hence no collision */
if (r < 0)
assert(directory);
assert(name || gid_is_valid(gid));
- r = chase_symlinks_and_fopen_unlocked("/etc/group", directory, CHASE_PREFIX_ROOT, "re", &f, NULL);
+ r = chase_symlinks_and_fopen_unlocked("/etc/group", directory, CHASE_PREFIX_ROOT, "re", NULL, &f);
if (r == -ENOENT)
return 0; /* no group database? then no group, hence no collision */
if (r < 0)
JSON_BUILD_PAIR("gid", JSON_BUILD_UNSIGNED(allocate_uid)),
JSON_BUILD_PAIR_CONDITION(u->disposition >= 0, "disposition", JSON_BUILD_STRING(user_disposition_to_string(u->disposition))),
JSON_BUILD_PAIR("homeDirectory", JSON_BUILD_STRING(h)),
- JSON_BUILD_PAIR("service", JSON_BUILD_STRING("io.systemd.NSpawn")),
+ JSON_BUILD_PAIR("service", JSON_BUILD_CONST_STRING("io.systemd.NSpawn")),
JSON_BUILD_PAIR_CONDITION(!strv_isempty(u->hashed_password), "privileged", JSON_BUILD_OBJECT(
JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_VARIANT(hp))))));
if (r < 0)
JSON_BUILD_PAIR("groupName", JSON_BUILD_STRING(g->group_name)),
JSON_BUILD_PAIR("gid", JSON_BUILD_UNSIGNED(allocate_uid)),
JSON_BUILD_PAIR_CONDITION(g->disposition >= 0, "disposition", JSON_BUILD_STRING(user_disposition_to_string(g->disposition))),
- JSON_BUILD_PAIR("service", JSON_BUILD_STRING("io.systemd.NSpawn"))));
+ JSON_BUILD_PAIR("service", JSON_BUILD_CONST_STRING("io.systemd.NSpawn"))));
if (r < 0)
return log_error_errno(r, "Failed to build container group record: %m");
assert(current_uid);
for (;; (*current_uid) ++) {
- if (*current_uid > MAP_UID_END || *current_uid > max_uid)
+ if (*current_uid > MAP_UID_MAX || *current_uid > max_uid)
return log_error_errno(
SYNTHETIC_ERRNO(EBUSY),
"No suitable available UID in range " UID_FMT "…" UID_FMT " in container detected, can't map user.",
- MAP_UID_START, MAP_UID_END);
+ MAP_UID_MIN, MAP_UID_MAX);
r = check_etc_passwd_collisions(directory, NULL, *current_uid);
if (r < 0)
/* We want to use the UID also as GID, hence check for it in /etc/group too */
r = check_etc_group_collisions(directory, NULL, (gid_t) *current_uid);
- if (r < 0)
+ if (r <= 0)
return r;
- if (r == 0) /* free! yay! */
- return 0;
}
}
BindUserContext **ret) {
_cleanup_(bind_user_context_freep) BindUserContext *c = NULL;
- uid_t current_uid = MAP_UID_START;
- char **n;
+ uid_t current_uid = MAP_UID_MIN;
int r;
assert(custom_mounts);
USER_RECORD_STRIP_PRIVILEGED|
USER_RECORD_ALLOW_PER_MACHINE|
USER_RECORD_ALLOW_BINDING|
- USER_RECORD_ALLOW_SIGNATURE;
+ USER_RECORD_ALLOW_SIGNATURE|
+ USER_RECORD_PERMISSIVE;
static const UserRecordLoadFlags shadow_flags = /* Extracts privileged info */
USER_RECORD_STRIP_REGULAR|
USER_RECORD_ALLOW_PRIVILEGED|
USER_RECORD_STRIP_PER_MACHINE|
USER_RECORD_STRIP_BINDING|
USER_RECORD_STRIP_SIGNATURE|
- USER_RECORD_EMPTY_OK;
+ USER_RECORD_EMPTY_OK|
+ USER_RECORD_PERMISSIVE;
int r;
assert(root);