[thirdparty/systemd.git] / src / shared / userdb-dropin.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "format-util.h"
#include "path-util.h"
#include "stdio-util.h"
#include "user-util.h"
#include "userdb-dropin.h"

static int load_user(
                FILE *f,
                const char *path,
                const char *name,
                uid_t uid,
                UserDBFlags flags,
                UserRecord **ret) {

        _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
        _cleanup_(user_record_unrefp) UserRecord *u = NULL;
        bool have_privileged;
        int r;

        assert(f);

        r = json_parse_file(f, path, 0, &v, NULL, NULL);
        if (r < 0)
                return r;

        if (FLAGS_SET(flags, USERDB_SUPPRESS_SHADOW) || !path || !(name || uid_is_valid(uid)))
                have_privileged = false;
        else {
                _cleanup_(json_variant_unrefp) JsonVariant *privileged_v = NULL;
                _cleanup_free_ char *d = NULL, *j = NULL;

                /* Let's load the "privileged" section from a companion file. But only if USERDB_AVOID_SHADOW
                 * is not set. After all, the privileged section kinda takes the role of the data from the
                 * shadow file, hence it makes sense to use the same flag here.
                 *
                 * The general assumption is that whoever provides these records makes the .user file
                 * world-readable, but the .privilege file readable to root and the assigned UID only. But we
                 * won't verify that here, as it would be too late. */

                r = path_extract_directory(path, &d);
                if (r < 0)
                        return r;

                if (name) {
                        j = strjoin(d, "/", name, ".user-privileged");
                        if (!j)
                                return -ENOMEM;
                } else {
                        assert(uid_is_valid(uid));
                        if (asprintf(&j, "%s/" UID_FMT ".user-privileged", d, uid) < 0)
                                return -ENOMEM;
                }

                r = json_parse_file(NULL, j, JSON_PARSE_SENSITIVE, &privileged_v, NULL, NULL);
                if (ERRNO_IS_NEG_PRIVILEGE(r))
                        have_privileged = false;
                else if (r == -ENOENT)
                        have_privileged = true; /* if the privileged file doesn't exist, we are complete */
                else if (r < 0)
                        return r;
                else {
                        r = json_variant_merge(&v, privileged_v);
                        if (r < 0)
                                return r;

                        have_privileged = true;
                }
        }

        u = user_record_new();
        if (!u)
                return -ENOMEM;

        r = user_record_load(
                        u, v,
                        USER_RECORD_REQUIRE_REGULAR|
                        USER_RECORD_ALLOW_PER_MACHINE|
                        USER_RECORD_ALLOW_BINDING|
                        USER_RECORD_ALLOW_SIGNATURE|
                        (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)|
                        USER_RECORD_PERMISSIVE);
        if (r < 0)
                return r;

        if (name && !streq_ptr(name, u->user_name))
                return -EINVAL;

        if (uid_is_valid(uid) && uid != u->uid)
                return -EINVAL;

        u->incomplete = !have_privileged;

        if (ret)
                *ret = TAKE_PTR(u);

        return 0;
}

int dropin_user_record_by_name(const char *name, const char *path, UserDBFlags flags, UserRecord **ret) {
        _cleanup_free_ char *found_path = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        int r;

        assert(name);

        if (path) {
                f = fopen(path, "re");
                if (!f)
                        return errno == ENOENT ? -ESRCH : -errno; /* We generally want ESRCH to indicate no such user */
        } else {
                const char *j;

                j = strjoina(name, ".user");
                if (!filename_is_valid(j)) /* Doesn't qualify as valid filename? Then it's definitely not provided as a drop-in */
                        return -ESRCH;

                r = search_and_fopen_nulstr(j, "re", NULL, USERDB_DROPIN_DIR_NULSTR("userdb"), &f, &found_path);
                if (r == -ENOENT)
                        return -ESRCH;
                if (r < 0)
                        return r;

                path = found_path;
        }

        return load_user(f, path, name, UID_INVALID, flags, ret);
}

int dropin_user_record_by_uid(uid_t uid, const char *path, UserDBFlags flags, UserRecord **ret) {
        _cleanup_free_ char *found_path = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        int r;

        assert(uid_is_valid(uid));

        if (path) {
                f = fopen(path, "re");
                if (!f)
                        return errno == ENOENT ? -ESRCH : -errno;
        } else {
                char buf[DECIMAL_STR_MAX(uid_t) + STRLEN(".user") + 1];

                xsprintf(buf, UID_FMT ".user", uid);
                /* Note that we don't bother to validate this as a filename, as this is generated from a decimal
                 * integer, i.e. is definitely OK as a filename */

                r = search_and_fopen_nulstr(buf, "re", NULL, USERDB_DROPIN_DIR_NULSTR("userdb"), &f, &found_path);
                if (r == -ENOENT)
                        return -ESRCH;
                if (r < 0)
                        return r;

                path = found_path;
        }

        return load_user(f, path, NULL, uid, flags, ret);
}

static int load_group(
                FILE *f,
                const char *path,
                const char *name,
                gid_t gid,
                UserDBFlags flags,
                GroupRecord **ret) {

        _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
        _cleanup_(group_record_unrefp) GroupRecord *g = NULL;
        bool have_privileged;
        int r;

        assert(f);

        r = json_parse_file(f, path, 0, &v, NULL, NULL);
        if (r < 0)
                return r;

        if (FLAGS_SET(flags, USERDB_SUPPRESS_SHADOW) || !path || !(name || gid_is_valid(gid)))
                have_privileged = false;
        else {
                _cleanup_(json_variant_unrefp) JsonVariant *privileged_v = NULL;
                _cleanup_free_ char *d = NULL, *j = NULL;

                r = path_extract_directory(path, &d);
                if (r < 0)
                        return r;

                if (name) {
                        j = strjoin(d, "/", name, ".group-privileged");
                        if (!j)
                                return -ENOMEM;
                } else {
                        assert(gid_is_valid(gid));
                        if (asprintf(&j, "%s/" GID_FMT ".group-privileged", d, gid) < 0)
                                return -ENOMEM;
                }

                r = json_parse_file(NULL, j, JSON_PARSE_SENSITIVE, &privileged_v, NULL, NULL);
                if (ERRNO_IS_NEG_PRIVILEGE(r))
                        have_privileged = false;
                else if (r == -ENOENT)
                        have_privileged = true; /* if the privileged file doesn't exist, we are complete */
                else if (r < 0)
                        return r;
                else {
                        r = json_variant_merge(&v, privileged_v);
                        if (r < 0)
                                return r;

                        have_privileged = true;
                }
        }

        g = group_record_new();
        if (!g)
                return -ENOMEM;

        r = group_record_load(
                        g, v,
                        USER_RECORD_REQUIRE_REGULAR|
                        USER_RECORD_ALLOW_PER_MACHINE|
                        USER_RECORD_ALLOW_BINDING|
                        USER_RECORD_ALLOW_SIGNATURE|
                        (have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)|
                        USER_RECORD_PERMISSIVE);
        if (r < 0)
                return r;

        if (name && !streq_ptr(name, g->group_name))
                return -EINVAL;

        if (gid_is_valid(gid) && gid != g->gid)
                return -EINVAL;

        g->incomplete = !have_privileged;

        if (ret)
                *ret = TAKE_PTR(g);

        return 0;
}

int dropin_group_record_by_name(const char *name, const char *path, UserDBFlags flags, GroupRecord **ret) {
        _cleanup_free_ char *found_path = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        int r;

        assert(name);

        if (path) {
                f = fopen(path, "re");
                if (!f)
                        return errno == ENOENT ? -ESRCH : -errno;
        } else {
                const char *j;

                j = strjoina(name, ".group");
                if (!filename_is_valid(j)) /* Doesn't qualify as valid filename? Then it's definitely not provided as a drop-in */
                        return -ESRCH;

                r = search_and_fopen_nulstr(j, "re", NULL, USERDB_DROPIN_DIR_NULSTR("userdb"), &f, &found_path);
                if (r == -ENOENT)
                        return -ESRCH;
                if (r < 0)
                        return r;

                path = found_path;
        }

        return load_group(f, path, name, GID_INVALID, flags, ret);
}

int dropin_group_record_by_gid(gid_t gid, const char *path, UserDBFlags flags, GroupRecord **ret) {
        _cleanup_free_ char *found_path = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        int r;

        assert(gid_is_valid(gid));

        if (path) {
                f = fopen(path, "re");
                if (!f)
                        return errno == ENOENT ? -ESRCH : -errno;
        } else {
                char buf[DECIMAL_STR_MAX(gid_t) + STRLEN(".group") + 1];

                xsprintf(buf, GID_FMT ".group", gid);

                r = search_and_fopen_nulstr(buf, "re", NULL, USERDB_DROPIN_DIR_NULSTR("userdb"), &f, &found_path);
                if (r == -ENOENT)
                        return -ESRCH;
                if (r < 0)
                        return r;

                path = found_path;
        }

        return load_group(f, path, NULL, gid, flags, ret);
}
Commit	Line	Data
85f088ab LP	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
	2
	3	#include "errno-util.h"
	4	#include "fd-util.h"
	5	#include "fileio.h"
	6	#include "format-util.h"
	7	#include "path-util.h"
	8	#include "stdio-util.h"
	9	#include "user-util.h"
	10	#include "userdb-dropin.h"
	11
	12	static int load_user(
	13	FILE *f,
	14	const char *path,
	15	const char *name,
	16	uid_t uid,
	17	UserDBFlags flags,
	18	UserRecord **ret) {
	19
	20	_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
	21	_cleanup_(user_record_unrefp) UserRecord *u = NULL;
	22	bool have_privileged;
	23	int r;
	24
	25	assert(f);
	26
	27	r = json_parse_file(f, path, 0, &v, NULL, NULL);
	28	if (r < 0)
	29	return r;
	30
	31	if (FLAGS_SET(flags, USERDB_SUPPRESS_SHADOW) \|\| !path \|\| !(name \|\| uid_is_valid(uid)))
	32	have_privileged = false;
	33	else {
	34	_cleanup_(json_variant_unrefp) JsonVariant *privileged_v = NULL;
	35	_cleanup_free_ char d = NULL, j = NULL;
	36
	37	/* Let's load the "privileged" section from a companion file. But only if USERDB_AVOID_SHADOW
	38	* is not set. After all, the privileged section kinda takes the role of the data from the
	39	* shadow file, hence it makes sense to use the same flag here.
	40	*
	41	* The general assumption is that whoever provides these records makes the .user file
	42	* world-readable, but the .privilege file readable to root and the assigned UID only. But we
	43	* won't verify that here, as it would be too late. */
	44
	45	r = path_extract_directory(path, &d);
	46	if (r < 0)
	47	return r;
	48
	49	if (name) {
	50	j = strjoin(d, "/", name, ".user-privileged");
	51	if (!j)
	52	return -ENOMEM;
	53	} else {
	54	assert(uid_is_valid(uid));
	55	if (asprintf(&j, "%s/" UID_FMT ".user-privileged", d, uid) < 0)
	56	return -ENOMEM;
	57	}
	58
	59	r = json_parse_file(NULL, j, JSON_PARSE_SENSITIVE, &privileged_v, NULL, NULL);
bb44fd07 ZJS	60	if (ERRNO_IS_NEG_PRIVILEGE(r))
	61	have_privileged = false;
	62	else if (r == -ENOENT)
	63	have_privileged = true; /* if the privileged file doesn't exist, we are complete */
	64	else if (r < 0)
	65	return r;
	66	else {
85f088ab LP	67	r = json_variant_merge(&v, privileged_v);
	68	if (r < 0)
	69	return r;
	70
	71	have_privileged = true;
	72	}
	73	}
	74
	75	u = user_record_new();
	76	if (!u)
	77	return -ENOMEM;
	78
	79	r = user_record_load(
	80	u, v,
	81	USER_RECORD_REQUIRE_REGULAR\|
	82	USER_RECORD_ALLOW_PER_MACHINE\|
	83	USER_RECORD_ALLOW_BINDING\|
	84	USER_RECORD_ALLOW_SIGNATURE\|
bfc0cc1a LP	85	(have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)\|
bfc0cc1a LP	86	USER_RECORD_PERMISSIVE);
85f088ab LP	87	if (r < 0)
	88	return r;
	89
	90	if (name && !streq_ptr(name, u->user_name))
	91	return -EINVAL;
	92
	93	if (uid_is_valid(uid) && uid != u->uid)
	94	return -EINVAL;
	95
	96	u->incomplete = !have_privileged;
	97
	98	if (ret)
	99	*ret = TAKE_PTR(u);
	100
	101	return 0;
	102	}
	103
	104	int dropin_user_record_by_name(const char name, const char path, UserDBFlags flags, UserRecord **ret) {
	105	_cleanup_free_ char *found_path = NULL;
	106	_cleanup_fclose_ FILE *f = NULL;
	107	int r;
	108
	109	assert(name);
	110
	111	if (path) {
	112	f = fopen(path, "re");
	113	if (!f)
	114	return errno == ENOENT ? -ESRCH : -errno; /* We generally want ESRCH to indicate no such user */
	115	} else {
	116	const char *j;
	117
	118	j = strjoina(name, ".user");
	119	if (!filename_is_valid(j)) /* Doesn't qualify as valid filename? Then it's definitely not provided as a drop-in */
	120	return -ESRCH;
	121
	122	r = search_and_fopen_nulstr(j, "re", NULL, USERDB_DROPIN_DIR_NULSTR("userdb"), &f, &found_path);
	123	if (r == -ENOENT)
	124	return -ESRCH;
	125	if (r < 0)
	126	return r;
	127
	128	path = found_path;
	129	}
	130
	131	return load_user(f, path, name, UID_INVALID, flags, ret);
	132	}
	133
	134	int dropin_user_record_by_uid(uid_t uid, const char path, UserDBFlags flags, UserRecord *ret) {
	135	_cleanup_free_ char *found_path = NULL;
	136	_cleanup_fclose_ FILE *f = NULL;
	137	int r;
	138
	139	assert(uid_is_valid(uid));
	140
	141	if (path) {
	142	f = fopen(path, "re");
	143	if (!f)
	144	return errno == ENOENT ? -ESRCH : -errno;
	145	} else {
	146	char buf[DECIMAL_STR_MAX(uid_t) + STRLEN(".user") + 1];
	147
	148	xsprintf(buf, UID_FMT ".user", uid);
	149	/* Note that we don't bother to validate this as a filename, as this is generated from a decimal
	150	* integer, i.e. is definitely OK as a filename */
151
152	r = search_and_fopen_nulstr(buf, "re", NULL, USERDB_DROPIN_DIR_NULSTR("userdb"), &f, &found_path);
153	if (r == -ENOENT)
154	return -ESRCH;
155	if (r < 0)
156	return r;
157
158	path = found_path;
159	}
160
161	return load_user(f, path, NULL, uid, flags, ret);
162	}
163
164	static int load_group(
165	FILE *f,
166	const char *path,
167	const char *name,
168	gid_t gid,
169	UserDBFlags flags,
170	GroupRecord **ret) {
171
172	_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
173	_cleanup_(group_record_unrefp) GroupRecord *g = NULL;
174	bool have_privileged;
175	int r;
176
177	assert(f);
178
179	r = json_parse_file(f, path, 0, &v, NULL, NULL);
180	if (r < 0)
181	return r;
182
183	if (FLAGS_SET(flags, USERDB_SUPPRESS_SHADOW) \|\| !path \|\| !(name \|\| gid_is_valid(gid)))
184	have_privileged = false;
185	else {
186	_cleanup_(json_variant_unrefp) JsonVariant *privileged_v = NULL;
187	_cleanup_free_ char d = NULL, j = NULL;
188
189	r = path_extract_directory(path, &d);
190	if (r < 0)
191	return r;
192
193	if (name) {
194	j = strjoin(d, "/", name, ".group-privileged");
195	if (!j)
196	return -ENOMEM;
197	} else {
198	assert(gid_is_valid(gid));
199	if (asprintf(&j, "%s/" GID_FMT ".group-privileged", d, gid) < 0)
200	return -ENOMEM;
201	}
202
203	r = json_parse_file(NULL, j, JSON_PARSE_SENSITIVE, &privileged_v, NULL, NULL);
bb44fd07 ZJS	204	if (ERRNO_IS_NEG_PRIVILEGE(r))
	205	have_privileged = false;
	206	else if (r == -ENOENT)
	207	have_privileged = true; /* if the privileged file doesn't exist, we are complete */
	208	else if (r < 0)
	209	return r;
	210	else {
85f088ab LP	211	r = json_variant_merge(&v, privileged_v);
	212	if (r < 0)
	213	return r;
	214
	215	have_privileged = true;
	216	}
	217	}
	218
	219	g = group_record_new();
	220	if (!g)
	221	return -ENOMEM;
	222
	223	r = group_record_load(
	224	g, v,
	225	USER_RECORD_REQUIRE_REGULAR\|
	226	USER_RECORD_ALLOW_PER_MACHINE\|
	227	USER_RECORD_ALLOW_BINDING\|
	228	USER_RECORD_ALLOW_SIGNATURE\|
bfc0cc1a LP	229	(have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)\|
bfc0cc1a LP	230	USER_RECORD_PERMISSIVE);
85f088ab LP	231	if (r < 0)
	232	return r;
	233
	234	if (name && !streq_ptr(name, g->group_name))
	235	return -EINVAL;
	236
	237	if (gid_is_valid(gid) && gid != g->gid)
	238	return -EINVAL;
	239
	240	g->incomplete = !have_privileged;
	241
	242	if (ret)
	243	*ret = TAKE_PTR(g);
	244
	245	return 0;
	246	}
	247
	248	int dropin_group_record_by_name(const char name, const char path, UserDBFlags flags, GroupRecord **ret) {
	249	_cleanup_free_ char *found_path = NULL;
	250	_cleanup_fclose_ FILE *f = NULL;
	251	int r;
	252
	253	assert(name);
	254
	255	if (path) {
	256	f = fopen(path, "re");
	257	if (!f)
	258	return errno == ENOENT ? -ESRCH : -errno;
	259	} else {
	260	const char *j;
	261
	262	j = strjoina(name, ".group");
	263	if (!filename_is_valid(j)) /* Doesn't qualify as valid filename? Then it's definitely not provided as a drop-in */
	264	return -ESRCH;
	265
	266	r = search_and_fopen_nulstr(j, "re", NULL, USERDB_DROPIN_DIR_NULSTR("userdb"), &f, &found_path);
	267	if (r == -ENOENT)
	268	return -ESRCH;
	269	if (r < 0)
	270	return r;
	271
	272	path = found_path;
	273	}
	274
	275	return load_group(f, path, name, GID_INVALID, flags, ret);
	276	}
	277
	278	int dropin_group_record_by_gid(gid_t gid, const char path, UserDBFlags flags, GroupRecord *ret) {
	279	_cleanup_free_ char *found_path = NULL;
	280	_cleanup_fclose_ FILE *f = NULL;
	281	int r;
	282
	283	assert(gid_is_valid(gid));
	284
	285	if (path) {
	286	f = fopen(path, "re");
	287	if (!f)
	288	return errno == ENOENT ? -ESRCH : -errno;
	289	} else {
	290	char buf[DECIMAL_STR_MAX(gid_t) + STRLEN(".group") + 1];
	291
	292	xsprintf(buf, GID_FMT ".group", gid);
	293
	294	r = search_and_fopen_nulstr(buf, "re", NULL, USERDB_DROPIN_DIR_NULSTR("userdb"), &f, &found_path);
295	if (r == -ENOENT)
296	return -ESRCH;
297	if (r < 0)
298	return r;
299
300	path = found_path;
301	}
302
303	return load_group(f, path, NULL, gid, flags, ret);
304	}