[thirdparty/systemd.git] / src / basic / user-util.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering
***/

#include <alloca.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <utmp.h>

#include "alloc-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "format-util.h"
#include "macro.h"
#include "missing.h"
#include "parse-util.h"
#include "path-util.h"
#include "string-util.h"
#include "strv.h"
#include "user-util.h"
#include "utf8.h"

bool uid_is_valid(uid_t uid) {

        /* Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436. */

        /* Some libc APIs use UID_INVALID as special placeholder */
        if (uid == (uid_t) UINT32_C(0xFFFFFFFF))
                return false;

        /* A long time ago UIDs where 16bit, hence explicitly avoid the 16bit -1 too */
        if (uid == (uid_t) UINT32_C(0xFFFF))
                return false;

        return true;
}

int parse_uid(const char *s, uid_t *ret) {
        uint32_t uid = 0;
        int r;

        assert(s);

        assert_cc(sizeof(uid_t) == sizeof(uint32_t));
        r = safe_atou32(s, &uid);
        if (r < 0)
                return r;

        if (!uid_is_valid(uid))
                return -ENXIO; /* we return ENXIO instead of EINVAL
                                * here, to make it easy to distuingish
                                * invalid numeric uids from invalid
                                * strings. */

        if (ret)
                *ret = uid;

        return 0;
}

char* getlogname_malloc(void) {
        uid_t uid;
        struct stat st;

        if (isatty(STDIN_FILENO) && fstat(STDIN_FILENO, &st) >= 0)
                uid = st.st_uid;
        else
                uid = getuid();

        return uid_to_name(uid);
}

char *getusername_malloc(void) {
        const char *e;

        e = getenv("USER");
        if (e)
                return strdup(e);

        return uid_to_name(getuid());
}

int get_user_creds(
                const char **username,
                uid_t *uid, gid_t *gid,
                const char **home,
                const char **shell) {

        struct passwd *p;
        uid_t u;

        assert(username);
        assert(*username);

        /* We enforce some special rules for uid=0 and uid=65534: in order to avoid NSS lookups for root we hardcode
         * their user record data. */

        if (STR_IN_SET(*username, "root", "0")) {
                *username = "root";

                if (uid)
                        *uid = 0;
                if (gid)
                        *gid = 0;

                if (home)
                        *home = "/root";

                if (shell)
                        *shell = "/bin/sh";

                return 0;
        }

        if (synthesize_nobody() &&
            STR_IN_SET(*username, NOBODY_USER_NAME, "65534")) {
                *username = NOBODY_USER_NAME;

                if (uid)
                        *uid = UID_NOBODY;
                if (gid)
                        *gid = GID_NOBODY;

                if (home)
                        *home = "/";

                if (shell)
                        *shell = "/sbin/nologin";

                return 0;
        }

        if (parse_uid(*username, &u) >= 0) {
                errno = 0;
                p = getpwuid(u);

                /* If there are multiple users with the same id, make
                 * sure to leave $USER to the configured value instead
                 * of the first occurrence in the database. However if
                 * the uid was configured by a numeric uid, then let's
                 * pick the real username from /etc/passwd. */
                if (p)
                        *username = p->pw_name;
        } else {
                errno = 0;
                p = getpwnam(*username);
        }

        if (!p)
                return errno > 0 ? -errno : -ESRCH;

        if (uid) {
                if (!uid_is_valid(p->pw_uid))
                        return -EBADMSG;

                *uid = p->pw_uid;
        }

        if (gid) {
                if (!gid_is_valid(p->pw_gid))
                        return -EBADMSG;

                *gid = p->pw_gid;
        }

        if (home)
                *home = p->pw_dir;

        if (shell)
                *shell = p->pw_shell;

        return 0;
}

static inline bool is_nologin_shell(const char *shell) {

        return PATH_IN_SET(shell,
                           /* 'nologin' is the friendliest way to disable logins for a user account. It prints a nice
                            * message and exits. Different distributions place the binary at different places though,
                            * hence let's list them all. */
                           "/bin/nologin",
                           "/sbin/nologin",
                           "/usr/bin/nologin",
                           "/usr/sbin/nologin",
                           /* 'true' and 'false' work too for the same purpose, but are less friendly as they don't do
                            * any message printing. Different distributions place the binary at various places but at
                            * least not in the 'sbin' directory. */
                           "/bin/false",
                           "/usr/bin/false",
                           "/bin/true",
                           "/usr/bin/true");
}

int get_user_creds_clean(
                const char **username,
                uid_t *uid, gid_t *gid,
                const char **home,
                const char **shell) {

        int r;

        /* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */

        r = get_user_creds(username, uid, gid, home, shell);
        if (r < 0)
                return r;

        if (shell &&
            (isempty(*shell) || is_nologin_shell(*shell)))
                *shell = NULL;

        if (home && empty_or_root(*home))
                *home = NULL;

        return 0;
}

int get_group_creds(const char **groupname, gid_t *gid) {
        struct group *g;
        gid_t id;

        assert(groupname);

        /* We enforce some special rules for gid=0: in order to avoid
         * NSS lookups for root we hardcode its data. */

        if (STR_IN_SET(*groupname, "root", "0")) {
                *groupname = "root";

                if (gid)
                        *gid = 0;

                return 0;
        }

        if (synthesize_nobody() &&
            STR_IN_SET(*groupname, NOBODY_GROUP_NAME, "65534")) {
                *groupname = NOBODY_GROUP_NAME;

                if (gid)
                        *gid = GID_NOBODY;

                return 0;
        }

        if (parse_gid(*groupname, &id) >= 0) {
                errno = 0;
                g = getgrgid(id);

                if (g)
                        *groupname = g->gr_name;
        } else {
                errno = 0;
                g = getgrnam(*groupname);
        }

        if (!g)
                return errno > 0 ? -errno : -ESRCH;

        if (gid) {
                if (!gid_is_valid(g->gr_gid))
                        return -EBADMSG;

                *gid = g->gr_gid;
        }

        return 0;
}

char* uid_to_name(uid_t uid) {
        char *ret;
        int r;

        /* Shortcut things to avoid NSS lookups */
        if (uid == 0)
                return strdup("root");
        if (synthesize_nobody() &&
            uid == UID_NOBODY)
                return strdup(NOBODY_USER_NAME);

        if (uid_is_valid(uid)) {
                long bufsize;

                bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
                if (bufsize <= 0)
                        bufsize = 4096;

                for (;;) {
                        struct passwd pwbuf, *pw = NULL;
                        _cleanup_free_ char *buf = NULL;

                        buf = malloc(bufsize);
                        if (!buf)
                                return NULL;

                        r = getpwuid_r(uid, &pwbuf, buf, (size_t) bufsize, &pw);
                        if (r == 0 && pw)
                                return strdup(pw->pw_name);
                        if (r != ERANGE)
                                break;

                        bufsize *= 2;
                }
        }

        if (asprintf(&ret, UID_FMT, uid) < 0)
                return NULL;

        return ret;
}

char* gid_to_name(gid_t gid) {
        char *ret;
        int r;

        if (gid == 0)
                return strdup("root");
        if (synthesize_nobody() &&
            gid == GID_NOBODY)
                return strdup(NOBODY_GROUP_NAME);

        if (gid_is_valid(gid)) {
                long bufsize;

                bufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
                if (bufsize <= 0)
                        bufsize = 4096;

                for (;;) {
                        struct group grbuf, *gr = NULL;
                        _cleanup_free_ char *buf = NULL;

                        buf = malloc(bufsize);
                        if (!buf)
                                return NULL;

                        r = getgrgid_r(gid, &grbuf, buf, (size_t) bufsize, &gr);
                        if (r == 0 && gr)
                                return strdup(gr->gr_name);
                        if (r != ERANGE)
                                break;

                        bufsize *= 2;
                }
        }

        if (asprintf(&ret, GID_FMT, gid) < 0)
                return NULL;

        return ret;
}

int in_gid(gid_t gid) {
        long ngroups_max;
        gid_t *gids;
        int r, i;

        if (getgid() == gid)
                return 1;

        if (getegid() == gid)
                return 1;

        if (!gid_is_valid(gid))
                return -EINVAL;

        ngroups_max = sysconf(_SC_NGROUPS_MAX);
        assert(ngroups_max > 0);

        gids = newa(gid_t, ngroups_max);

        r = getgroups(ngroups_max, gids);
        if (r < 0)
                return -errno;

        for (i = 0; i < r; i++)
                if (gids[i] == gid)
                        return 1;

        return 0;
}

int in_group(const char *name) {
        int r;
        gid_t gid;

        r = get_group_creds(&name, &gid);
        if (r < 0)
                return r;

        return in_gid(gid);
}

int get_home_dir(char **_h) {
        struct passwd *p;
        const char *e;
        char *h;
        uid_t u;

        assert(_h);

        /* Take the user specified one */
        e = secure_getenv("HOME");
        if (e && path_is_absolute(e)) {
                h = strdup(e);
                if (!h)
                        return -ENOMEM;

                *_h = h;
                return 0;
        }

        /* Hardcode home directory for root and nobody to avoid NSS */
        u = getuid();
        if (u == 0) {
                h = strdup("/root");
                if (!h)
                        return -ENOMEM;

                *_h = h;
                return 0;
        }
        if (synthesize_nobody() &&
            u == UID_NOBODY) {
                h = strdup("/");
                if (!h)
                        return -ENOMEM;

                *_h = h;
                return 0;
        }

        /* Check the database... */
        errno = 0;
        p = getpwuid(u);
        if (!p)
                return errno > 0 ? -errno : -ESRCH;

        if (!path_is_absolute(p->pw_dir))
                return -EINVAL;

        h = strdup(p->pw_dir);
        if (!h)
                return -ENOMEM;

        *_h = h;
        return 0;
}

int get_shell(char **_s) {
        struct passwd *p;
        const char *e;
        char *s;
        uid_t u;

        assert(_s);

        /* Take the user specified one */
        e = getenv("SHELL");
        if (e) {
                s = strdup(e);
                if (!s)
                        return -ENOMEM;

                *_s = s;
                return 0;
        }

        /* Hardcode shell for root and nobody to avoid NSS */
        u = getuid();
        if (u == 0) {
                s = strdup("/bin/sh");
                if (!s)
                        return -ENOMEM;

                *_s = s;
                return 0;
        }
        if (synthesize_nobody() &&
            u == UID_NOBODY) {
                s = strdup("/sbin/nologin");
                if (!s)
                        return -ENOMEM;

                *_s = s;
                return 0;
        }

        /* Check the database... */
        errno = 0;
        p = getpwuid(u);
        if (!p)
                return errno > 0 ? -errno : -ESRCH;

        if (!path_is_absolute(p->pw_shell))
                return -EINVAL;

        s = strdup(p->pw_shell);
        if (!s)
                return -ENOMEM;

        *_s = s;
        return 0;
}

int reset_uid_gid(void) {
        int r;

        r = maybe_setgroups(0, NULL);
        if (r < 0)
                return r;

        if (setresgid(0, 0, 0) < 0)
                return -errno;

        if (setresuid(0, 0, 0) < 0)
                return -errno;

        return 0;
}

int take_etc_passwd_lock(const char *root) {

        struct flock flock = {
                .l_type = F_WRLCK,
                .l_whence = SEEK_SET,
                .l_start = 0,
                .l_len = 0,
        };

        const char *path;
        int fd, r;

        /* This is roughly the same as lckpwdf(), but not as awful. We
         * don't want to use alarm() and signals, hence we implement
         * our own trivial version of this.
         *
         * Note that shadow-utils also takes per-database locks in
         * addition to lckpwdf(). However, we don't given that they
         * are redundant as they invoke lckpwdf() first and keep
         * it during everything they do. The per-database locks are
         * awfully racy, and thus we just won't do them. */

        if (root)
                path = prefix_roota(root, ETC_PASSWD_LOCK_PATH);
        else
                path = ETC_PASSWD_LOCK_PATH;

        fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
        if (fd < 0)
                return log_debug_errno(errno, "Cannot open %s: %m", path);

        r = fcntl(fd, F_SETLKW, &flock);
        if (r < 0) {
                safe_close(fd);
                return log_debug_errno(errno, "Locking %s failed: %m", path);
        }

        return fd;
}

bool valid_user_group_name(const char *u) {
        const char *i;
        long sz;

        /* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition,
         * 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules:
         *
         * - We don't allow any dots (this would break chown syntax which permits dots as user/group name separator)
         * - We require that names fit into the appropriate utmp field
         * - We don't allow empty user names
         *
         * Note that other systems are even more restrictive, and don't permit underscores or uppercase characters.
         */

        if (isempty(u))
                return false;

        if (!(u[0] >= 'a' && u[0] <= 'z') &&
            !(u[0] >= 'A' && u[0] <= 'Z') &&
            u[0] != '_')
                return false;

        for (i = u+1; *i; i++) {
                if (!(*i >= 'a' && *i <= 'z') &&
                    !(*i >= 'A' && *i <= 'Z') &&
                    !(*i >= '0' && *i <= '9') &&
                    !IN_SET(*i, '_', '-'))
                        return false;
        }

        sz = sysconf(_SC_LOGIN_NAME_MAX);
        assert_se(sz > 0);

        if ((size_t) (i-u) > (size_t) sz)
                return false;

        if ((size_t) (i-u) > UT_NAMESIZE - 1)
                return false;

        return true;
}

bool valid_user_group_name_or_id(const char *u) {

        /* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right
         * range, and not the invalid user ids. */

        if (isempty(u))
                return false;

        if (valid_user_group_name(u))
                return true;

        return parse_uid(u, NULL) >= 0;
}

bool valid_gecos(const char *d) {

        if (!d)
                return false;

        if (!utf8_is_valid(d))
                return false;

        if (string_has_cc(d, NULL))
                return false;

        /* Colons are used as field separators, and hence not OK */
        if (strchr(d, ':'))
                return false;

        return true;
}

bool valid_home(const char *p) {
        /* Note that this function is also called by valid_shell(), any
         * changes must account for that. */

        if (isempty(p))
                return false;

        if (!utf8_is_valid(p))
                return false;

        if (string_has_cc(p, NULL))
                return false;

        if (!path_is_absolute(p))
                return false;

        if (!path_is_normalized(p))
                return false;

        /* Colons are used as field separators, and hence not OK */
        if (strchr(p, ':'))
                return false;

        return true;
}

int maybe_setgroups(size_t size, const gid_t *list) {
        int r;

        /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
        if (size == 0) { /* Dropping all aux groups? */
                _cleanup_free_ char *setgroups_content = NULL;
                bool can_setgroups;

                r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
                if (r == -ENOENT)
                        /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
                        can_setgroups = true;
                else if (r < 0)
                        return r;
                else
                        can_setgroups = streq(setgroups_content, "allow");

                if (!can_setgroups) {
                        log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
                        return 0;
                }
        }

        if (setgroups(size, list) < 0)
                return -errno;

        return 0;
}

bool synthesize_nobody(void) {

#ifdef NOLEGACY
        return true;
#else
        /* Returns true when we shall synthesize the "nobody" user (which we do by default). This can be turned off by
         * touching /etc/systemd/dont-synthesize-nobody in order to provide upgrade compatibility with legacy systems
         * that used the "nobody" user name and group name for other UIDs/GIDs than 65534.
         *
         * Note that we do not employ any kind of synchronization on the following caching variable. If the variable is
         * accessed in multi-threaded programs in the worst case it might happen that we initialize twice, but that
         * shouldn't matter as each initialization should come to the same result. */
        static int cache = -1;

        if (cache < 0)
                cache = access("/etc/systemd/dont-synthesize-nobody", F_OK) < 0;

        return cache;
#endif
}

int putpwent_sane(const struct passwd *pw, FILE *stream) {
        assert(pw);
        assert(stream);

        errno = 0;
        if (putpwent(pw, stream) != 0)
                return errno > 0 ? -errno : -EIO;

        return 0;
}

int putspent_sane(const struct spwd *sp, FILE *stream) {
        assert(sp);
        assert(stream);

        errno = 0;
        if (putspent(sp, stream) != 0)
                return errno > 0 ? -errno : -EIO;

        return 0;
}

int putgrent_sane(const struct group *gr, FILE *stream) {
        assert(gr);
        assert(stream);

        errno = 0;
        if (putgrent(gr, stream) != 0)
                return errno > 0 ? -errno : -EIO;

        return 0;
}

#if ENABLE_GSHADOW
int putsgent_sane(const struct sgrp *sg, FILE *stream) {
        assert(sg);
        assert(stream);

        errno = 0;
        if (putsgent(sg, stream) != 0)
                return errno > 0 ? -errno : -EIO;

        return 0;
}
#endif

int fgetpwent_sane(FILE *stream, struct passwd **pw) {
        struct passwd *p;

        assert(pw);
        assert(stream);

        errno = 0;
        p = fgetpwent(stream);
        if (p == NULL && errno != ENOENT)
                return errno > 0 ? -errno : -EIO;

        *pw = p;
        return p != NULL;
}

int fgetspent_sane(FILE *stream, struct spwd **sp) {
        struct spwd *s;

        assert(sp);
        assert(stream);

        errno = 0;
        s = fgetspent(stream);
        if (s == NULL && errno != ENOENT)
                return errno > 0 ? -errno : -EIO;

        *sp = s;
        return s != NULL;
}

int fgetgrent_sane(FILE *stream, struct group **gr) {
        struct group *g;

        assert(gr);
        assert(stream);

        errno = 0;
        g = fgetgrent(stream);
        if (g == NULL && errno != ENOENT)
                return errno > 0 ? -errno : -EIO;

        *gr = g;
        return g != NULL;
}

#if ENABLE_GSHADOW
int fgetsgent_sane(FILE *stream, struct sgrp **sg) {
        struct sgrp *s;

        assert(sg);
        assert(stream);

        errno = 0;
        s = fgetsgent(stream);
        if (s == NULL && errno != ENOENT)
                return errno > 0 ? -errno : -EIO;

        *sg = s;
        return s != NULL;
}
#endif
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
b1d4f8e1 LP	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2010 Lennart Poettering
b1d4f8e1 LP	6	***/
b1d4f8e1 LP	7
11c3a366 TA	8	#include <alloca.h>
	9	#include <errno.h>
	10	#include <fcntl.h>
b1d4f8e1	11	#include <grp.h>
cf0fbc49	12	#include <pwd.h>
11c3a366 TA	13	#include <stddef.h>
	14	#include <stdint.h>
	15	#include <stdio.h>
	16	#include <stdlib.h>
	17	#include <string.h>
	18	#include <sys/stat.h>
	19	#include <unistd.h>
e4631b48	20	#include <utmp.h>
b1d4f8e1	21
b5efdb8a	22	#include "alloc-util.h"
e929bee0	23	#include "fd-util.h"
36d85478	24	#include "fileio.h"
f97b34a6	25	#include "format-util.h"
b1d4f8e1	26	#include "macro.h"
be39ccf3	27	#include "missing.h"
6bedfcbb	28	#include "parse-util.h"
b1d4f8e1	29	#include "path-util.h"
6bedfcbb	30	#include "string-util.h"
be39ccf3	31	#include "strv.h"
6bedfcbb	32	#include "user-util.h"
e4631b48	33	#include "utf8.h"
b1d4f8e1 LP	34
	35	bool uid_is_valid(uid_t uid) {
	36
1429dfe5 LP	37	/* Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436. */
1429dfe5 LP	38
b1d4f8e1	39	/* Some libc APIs use UID_INVALID as special placeholder */
b1d52773	40	if (uid == (uid_t) UINT32_C(0xFFFFFFFF))
b1d4f8e1 LP	41	return false;
	42
	43	/* A long time ago UIDs where 16bit, hence explicitly avoid the 16bit -1 too */
b1d52773	44	if (uid == (uid_t) UINT32_C(0xFFFF))
b1d4f8e1 LP	45	return false;
	46
	47	return true;
	48	}
	49
b1d52773 LP	50	int parse_uid(const char s, uid_t ret) {
b1d52773 LP	51	uint32_t uid = 0;
b1d4f8e1 LP	52	int r;
	53
	54	assert(s);
	55
b1d52773 LP	56	assert_cc(sizeof(uid_t) == sizeof(uint32_t));
b1d52773 LP	57	r = safe_atou32(s, &uid);
b1d4f8e1 LP	58	if (r < 0)
	59	return r;
	60
b1d4f8e1 LP	61	if (!uid_is_valid(uid))
	62	return -ENXIO; /* we return ENXIO instead of EINVAL
	63	* here, to make it easy to distuingish
ba60af86	64	* invalid numeric uids from invalid
b1d4f8e1 LP	65	* strings. */
b1d4f8e1 LP	66
b1d52773 LP	67	if (ret)
b1d52773 LP	68	*ret = uid;
b1d4f8e1 LP	69
	70	return 0;
	71	}
	72
b1d4f8e1 LP	73	char* getlogname_malloc(void) {
	74	uid_t uid;
	75	struct stat st;
	76
	77	if (isatty(STDIN_FILENO) && fstat(STDIN_FILENO, &st) >= 0)
	78	uid = st.st_uid;
	79	else
	80	uid = getuid();
	81
d0260817	82	return uid_to_name(uid);
b1d4f8e1 LP	83	}
	84
	85	char *getusername_malloc(void) {
	86	const char *e;
	87
	88	e = getenv("USER");
	89	if (e)
	90	return strdup(e);
	91
d0260817	92	return uid_to_name(getuid());
b1d4f8e1 LP	93	}
	94
	95	int get_user_creds(
	96	const char **username,
	97	uid_t uid, gid_t gid,
	98	const char **home,
	99	const char **shell) {
	100
	101	struct passwd *p;
	102	uid_t u;
	103
	104	assert(username);
	105	assert(*username);
	106
7e61fd02 LP	107	/* We enforce some special rules for uid=0 and uid=65534: in order to avoid NSS lookups for root we hardcode
7e61fd02 LP	108	* their user record data. */
b1d4f8e1	109
7e61fd02	110	if (STR_IN_SET(*username, "root", "0")) {
b1d4f8e1 LP	111	*username = "root";
	112
	113	if (uid)
	114	*uid = 0;
b1d4f8e1 LP	115	if (gid)
	116	*gid = 0;
	117
	118	if (home)
	119	*home = "/root";
	120
	121	if (shell)
	122	*shell = "/bin/sh";
	123
	124	return 0;
	125	}
	126
24eccc34 LP	127	if (synthesize_nobody() &&
24eccc34 LP	128	STR_IN_SET(*username, NOBODY_USER_NAME, "65534")) {
7e61fd02 LP	129	*username = NOBODY_USER_NAME;
	130
	131	if (uid)
	132	*uid = UID_NOBODY;
	133	if (gid)
	134	*gid = GID_NOBODY;
	135
	136	if (home)
	137	*home = "/";
	138
	139	if (shell)
	140	*shell = "/sbin/nologin";
	141
	142	return 0;
	143	}
	144
b1d4f8e1 LP	145	if (parse_uid(*username, &u) >= 0) {
	146	errno = 0;
	147	p = getpwuid(u);
	148
	149	/* If there are multiple users with the same id, make
	150	* sure to leave $USER to the configured value instead
	151	* of the first occurrence in the database. However if
	152	* the uid was configured by a numeric uid, then let's
	153	* pick the real username from /etc/passwd. */
	154	if (p)
	155	*username = p->pw_name;
	156	} else {
	157	errno = 0;
	158	p = getpwnam(*username);
	159	}
	160
	161	if (!p)
	162	return errno > 0 ? -errno : -ESRCH;
	163
67c7c892 LP	164	if (uid) {
	165	if (!uid_is_valid(p->pw_uid))
	166	return -EBADMSG;
	167
b1d4f8e1	168	*uid = p->pw_uid;
67c7c892 LP	169	}
	170
	171	if (gid) {
	172	if (!gid_is_valid(p->pw_gid))
	173	return -EBADMSG;
b1d4f8e1	174
b1d4f8e1	175	*gid = p->pw_gid;
67c7c892	176	}
b1d4f8e1 LP	177
	178	if (home)
	179	*home = p->pw_dir;
	180
	181	if (shell)
	182	*shell = p->pw_shell;
	183
	184	return 0;
	185	}
	186
7cb60911 LP	187	static inline bool is_nologin_shell(const char *shell) {
	188
	189	return PATH_IN_SET(shell,
	190	/* 'nologin' is the friendliest way to disable logins for a user account. It prints a nice
	191	* message and exits. Different distributions place the binary at different places though,
	192	* hence let's list them all. */
	193	"/bin/nologin",
	194	"/sbin/nologin",
	195	"/usr/bin/nologin",
	196	"/usr/sbin/nologin",
	197	/* 'true' and 'false' work too for the same purpose, but are less friendly as they don't do
	198	* any message printing. Different distributions place the binary at various places but at
	199	* least not in the 'sbin' directory. */
	200	"/bin/false",
	201	"/usr/bin/false",
	202	"/bin/true",
	203	"/usr/bin/true");
	204	}
	205
be39ccf3 LP	206	int get_user_creds_clean(
	207	const char **username,
	208	uid_t uid, gid_t gid,
	209	const char **home,
	210	const char **shell) {
	211
	212	int r;
	213
	214	/* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */
	215
	216	r = get_user_creds(username, uid, gid, home, shell);
	217	if (r < 0)
	218	return r;
	219
	220	if (shell &&
7cb60911	221	(isempty(shell) \|\| is_nologin_shell(shell)))
be39ccf3 LP	222	*shell = NULL;
be39ccf3 LP	223
57ea45e1	224	if (home && empty_or_root(*home))
be39ccf3 LP	225	*home = NULL;
	226
	227	return 0;
	228	}
	229
b1d4f8e1 LP	230	int get_group_creds(const char *groupname, gid_t gid) {
	231	struct group *g;
	232	gid_t id;
	233
	234	assert(groupname);
	235
	236	/* We enforce some special rules for gid=0: in order to avoid
	237	* NSS lookups for root we hardcode its data. */
	238
7e61fd02	239	if (STR_IN_SET(*groupname, "root", "0")) {
b1d4f8e1 LP	240	*groupname = "root";
	241
	242	if (gid)
	243	*gid = 0;
	244
	245	return 0;
	246	}
	247
24eccc34 LP	248	if (synthesize_nobody() &&
24eccc34 LP	249	STR_IN_SET(*groupname, NOBODY_GROUP_NAME, "65534")) {
7e61fd02 LP	250	*groupname = NOBODY_GROUP_NAME;
	251
	252	if (gid)
	253	*gid = GID_NOBODY;
	254
	255	return 0;
	256	}
	257
b1d4f8e1 LP	258	if (parse_gid(*groupname, &id) >= 0) {
	259	errno = 0;
	260	g = getgrgid(id);
	261
	262	if (g)
	263	*groupname = g->gr_name;
	264	} else {
	265	errno = 0;
	266	g = getgrnam(*groupname);
	267	}
	268
	269	if (!g)
	270	return errno > 0 ? -errno : -ESRCH;
	271
67c7c892 LP	272	if (gid) {
	273	if (!gid_is_valid(g->gr_gid))
	274	return -EBADMSG;
	275
b1d4f8e1	276	*gid = g->gr_gid;
67c7c892	277	}
b1d4f8e1 LP	278
	279	return 0;
	280	}
	281
	282	char* uid_to_name(uid_t uid) {
d0260817 LP	283	char *ret;
d0260817 LP	284	int r;
b1d4f8e1	285
d0260817	286	/* Shortcut things to avoid NSS lookups */
b1d4f8e1 LP	287	if (uid == 0)
b1d4f8e1 LP	288	return strdup("root");
24eccc34 LP	289	if (synthesize_nobody() &&
24eccc34 LP	290	uid == UID_NOBODY)
7e61fd02	291	return strdup(NOBODY_USER_NAME);
b1d4f8e1	292
d0260817 LP	293	if (uid_is_valid(uid)) {
	294	long bufsize;
	295
	296	bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
	297	if (bufsize <= 0)
	298	bufsize = 4096;
	299
	300	for (;;) {
	301	struct passwd pwbuf, *pw = NULL;
	302	_cleanup_free_ char *buf = NULL;
	303
	304	buf = malloc(bufsize);
	305	if (!buf)
	306	return NULL;
	307
	308	r = getpwuid_r(uid, &pwbuf, buf, (size_t) bufsize, &pw);
	309	if (r == 0 && pw)
	310	return strdup(pw->pw_name);
	311	if (r != ERANGE)
	312	break;
	313
	314	bufsize *= 2;
	315	}
	316	}
b1d4f8e1	317
d0260817	318	if (asprintf(&ret, UID_FMT, uid) < 0)
b1d4f8e1 LP	319	return NULL;
b1d4f8e1 LP	320
d0260817	321	return ret;
b1d4f8e1 LP	322	}
	323
	324	char* gid_to_name(gid_t gid) {
d0260817 LP	325	char *ret;
d0260817 LP	326	int r;
b1d4f8e1 LP	327
	328	if (gid == 0)
	329	return strdup("root");
24eccc34 LP	330	if (synthesize_nobody() &&
24eccc34 LP	331	gid == GID_NOBODY)
7e61fd02	332	return strdup(NOBODY_GROUP_NAME);
b1d4f8e1	333
d0260817 LP	334	if (gid_is_valid(gid)) {
	335	long bufsize;
	336
	337	bufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
	338	if (bufsize <= 0)
	339	bufsize = 4096;
	340
	341	for (;;) {
	342	struct group grbuf, *gr = NULL;
	343	_cleanup_free_ char *buf = NULL;
	344
	345	buf = malloc(bufsize);
	346	if (!buf)
	347	return NULL;
	348
	349	r = getgrgid_r(gid, &grbuf, buf, (size_t) bufsize, &gr);
	350	if (r == 0 && gr)
	351	return strdup(gr->gr_name);
	352	if (r != ERANGE)
	353	break;
	354
	355	bufsize *= 2;
	356	}
	357	}
b1d4f8e1	358
d0260817	359	if (asprintf(&ret, GID_FMT, gid) < 0)
b1d4f8e1 LP	360	return NULL;
b1d4f8e1 LP	361
d0260817	362	return ret;
b1d4f8e1 LP	363	}
	364
	365	int in_gid(gid_t gid) {
2dc89454	366	long ngroups_max;
b1d4f8e1	367	gid_t *gids;
2dc89454	368	int r, i;
b1d4f8e1 LP	369
	370	if (getgid() == gid)
	371	return 1;
	372
	373	if (getegid() == gid)
	374	return 1;
	375
67c7c892 LP	376	if (!gid_is_valid(gid))
	377	return -EINVAL;
	378
b1d4f8e1 LP	379	ngroups_max = sysconf(_SC_NGROUPS_MAX);
	380	assert(ngroups_max > 0);
	381
2dc89454	382	gids = newa(gid_t, ngroups_max);
b1d4f8e1 LP	383
	384	r = getgroups(ngroups_max, gids);
	385	if (r < 0)
	386	return -errno;
	387
	388	for (i = 0; i < r; i++)
	389	if (gids[i] == gid)
	390	return 1;
	391
	392	return 0;
	393	}
	394
	395	int in_group(const char *name) {
	396	int r;
	397	gid_t gid;
	398
	399	r = get_group_creds(&name, &gid);
	400	if (r < 0)
	401	return r;
	402
	403	return in_gid(gid);
	404	}
	405
	406	int get_home_dir(char **_h) {
	407	struct passwd *p;
	408	const char *e;
	409	char *h;
	410	uid_t u;
	411
	412	assert(_h);
	413
	414	/* Take the user specified one */
	415	e = secure_getenv("HOME");
	416	if (e && path_is_absolute(e)) {
	417	h = strdup(e);
	418	if (!h)
	419	return -ENOMEM;
	420
	421	*_h = h;
	422	return 0;
	423	}
	424
7e61fd02	425	/* Hardcode home directory for root and nobody to avoid NSS */
b1d4f8e1 LP	426	u = getuid();
	427	if (u == 0) {
	428	h = strdup("/root");
	429	if (!h)
	430	return -ENOMEM;
	431
	432	*_h = h;
	433	return 0;
	434	}
24eccc34 LP	435	if (synthesize_nobody() &&
24eccc34 LP	436	u == UID_NOBODY) {
7e61fd02 LP	437	h = strdup("/");
	438	if (!h)
	439	return -ENOMEM;
	440
	441	*_h = h;
	442	return 0;
	443	}
b1d4f8e1 LP	444
	445	/* Check the database... */
	446	errno = 0;
	447	p = getpwuid(u);
	448	if (!p)
	449	return errno > 0 ? -errno : -ESRCH;
	450
	451	if (!path_is_absolute(p->pw_dir))
	452	return -EINVAL;
	453
	454	h = strdup(p->pw_dir);
	455	if (!h)
	456	return -ENOMEM;
	457
	458	*_h = h;
	459	return 0;
	460	}
	461
	462	int get_shell(char **_s) {
	463	struct passwd *p;
	464	const char *e;
	465	char *s;
	466	uid_t u;
	467
	468	assert(_s);
	469
	470	/* Take the user specified one */
	471	e = getenv("SHELL");
	472	if (e) {
	473	s = strdup(e);
	474	if (!s)
	475	return -ENOMEM;
	476
	477	*_s = s;
	478	return 0;
	479	}
	480
7e61fd02	481	/* Hardcode shell for root and nobody to avoid NSS */
b1d4f8e1 LP	482	u = getuid();
	483	if (u == 0) {
	484	s = strdup("/bin/sh");
	485	if (!s)
	486	return -ENOMEM;
	487
	488	*_s = s;
	489	return 0;
	490	}
24eccc34 LP	491	if (synthesize_nobody() &&
24eccc34 LP	492	u == UID_NOBODY) {
7e61fd02 LP	493	s = strdup("/sbin/nologin");
	494	if (!s)
	495	return -ENOMEM;
	496
	497	*_s = s;
	498	return 0;
	499	}
b1d4f8e1 LP	500
	501	/* Check the database... */
	502	errno = 0;
	503	p = getpwuid(u);
	504	if (!p)
	505	return errno > 0 ? -errno : -ESRCH;
	506
	507	if (!path_is_absolute(p->pw_shell))
	508	return -EINVAL;
	509
	510	s = strdup(p->pw_shell);
	511	if (!s)
	512	return -ENOMEM;
	513
	514	*_s = s;
	515	return 0;
	516	}
	517
	518	int reset_uid_gid(void) {
97f0e76f	519	int r;
b1d4f8e1	520
97f0e76f LP	521	r = maybe_setgroups(0, NULL);
	522	if (r < 0)
	523	return r;
b1d4f8e1 LP	524
	525	if (setresgid(0, 0, 0) < 0)
	526	return -errno;
	527
	528	if (setresuid(0, 0, 0) < 0)
	529	return -errno;
	530
	531	return 0;
	532	}
e929bee0 LP	533
	534	int take_etc_passwd_lock(const char *root) {
	535
	536	struct flock flock = {
	537	.l_type = F_WRLCK,
	538	.l_whence = SEEK_SET,
	539	.l_start = 0,
	540	.l_len = 0,
	541	};
	542
	543	const char *path;
	544	int fd, r;
	545
	546	/* This is roughly the same as lckpwdf(), but not as awful. We
	547	* don't want to use alarm() and signals, hence we implement
	548	* our own trivial version of this.
	549	*
	550	* Note that shadow-utils also takes per-database locks in
	551	* addition to lckpwdf(). However, we don't given that they
61233823	552	* are redundant as they invoke lckpwdf() first and keep
e929bee0 LP	553	* it during everything they do. The per-database locks are
	554	* awfully racy, and thus we just won't do them. */
	555
	556	if (root)
d1e4b8fd	557	path = prefix_roota(root, ETC_PASSWD_LOCK_PATH);
e929bee0	558	else
d1e4b8fd	559	path = ETC_PASSWD_LOCK_PATH;
e929bee0 LP	560
	561	fd = open(path, O_WRONLY\|O_CREAT\|O_CLOEXEC\|O_NOCTTY\|O_NOFOLLOW, 0600);
	562	if (fd < 0)
d1e4b8fd	563	return log_debug_errno(errno, "Cannot open %s: %m", path);
e929bee0 LP	564
	565	r = fcntl(fd, F_SETLKW, &flock);
	566	if (r < 0) {
	567	safe_close(fd);
d1e4b8fd	568	return log_debug_errno(errno, "Locking %s failed: %m", path);
e929bee0 LP	569	}
	570
	571	return fd;
	572	}
e4631b48 LP	573
	574	bool valid_user_group_name(const char *u) {
	575	const char *i;
	576	long sz;
	577
1429dfe5 LP	578	/* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition,
	579	* 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules:
	580	*
	581	* - We don't allow any dots (this would break chown syntax which permits dots as user/group name separator)
	582	* - We require that names fit into the appropriate utmp field
	583	* - We don't allow empty user names
	584	*
	585	* Note that other systems are even more restrictive, and don't permit underscores or uppercase characters.
	586	*/
e4631b48 LP	587
	588	if (isempty(u))
	589	return false;
	590
	591	if (!(u[0] >= 'a' && u[0] <= 'z') &&
	592	!(u[0] >= 'A' && u[0] <= 'Z') &&
	593	u[0] != '_')
	594	return false;
	595
	596	for (i = u+1; *i; i++) {
	597	if (!(i >= 'a' && i <= 'z') &&
	598	!(i >= 'A' && i <= 'Z') &&
	599	!(i >= '0' && i <= '9') &&
4c701096	600	!IN_SET(*i, '_', '-'))
e4631b48 LP	601	return false;
	602	}
	603
	604	sz = sysconf(_SC_LOGIN_NAME_MAX);
	605	assert_se(sz > 0);
	606
	607	if ((size_t) (i-u) > (size_t) sz)
	608	return false;
	609
	610	if ((size_t) (i-u) > UT_NAMESIZE - 1)
	611	return false;
	612
	613	return true;
	614	}
	615
	616	bool valid_user_group_name_or_id(const char *u) {
	617
	618	/* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right
	619	* range, and not the invalid user ids. */
	620
	621	if (isempty(u))
	622	return false;
	623
	624	if (valid_user_group_name(u))
	625	return true;
	626
	627	return parse_uid(u, NULL) >= 0;
	628	}
	629
	630	bool valid_gecos(const char *d) {
	631
	632	if (!d)
	633	return false;
	634
	635	if (!utf8_is_valid(d))
	636	return false;
	637
	638	if (string_has_cc(d, NULL))
	639	return false;
	640
	641	/* Colons are used as field separators, and hence not OK */
	642	if (strchr(d, ':'))
	643	return false;
	644
	645	return true;
	646	}
	647
	648	bool valid_home(const char *p) {
7b1aaf66 ZJS	649	/* Note that this function is also called by valid_shell(), any
7b1aaf66 ZJS	650	* changes must account for that. */
e4631b48 LP	651
	652	if (isempty(p))
	653	return false;
	654
	655	if (!utf8_is_valid(p))
	656	return false;
	657
	658	if (string_has_cc(p, NULL))
	659	return false;
	660
	661	if (!path_is_absolute(p))
	662	return false;
	663
99be45a4	664	if (!path_is_normalized(p))
e4631b48 LP	665	return false;
	666
	667	/* Colons are used as field separators, and hence not OK */
	668	if (strchr(p, ':'))
	669	return false;
	670
	671	return true;
	672	}
36d85478 GS	673
36d85478 GS	674	int maybe_setgroups(size_t size, const gid_t *list) {
97f0e76f LP	675	int r;
	676
	677	/* Check if setgroups is allowed before we try to drop all the auxiliary groups */
	678	if (size == 0) { /* Dropping all aux groups? */
	679	_cleanup_free_ char *setgroups_content = NULL;
	680	bool can_setgroups;
	681
	682	r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
	683	if (r == -ENOENT)
	684	/* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
	685	can_setgroups = true;
	686	else if (r < 0)
	687	return r;
	688	else
	689	can_setgroups = streq(setgroups_content, "allow");
	690
	691	if (!can_setgroups) {
	692	log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
36d85478	693	return 0;
97f0e76f	694	}
36d85478	695	}
97f0e76f LP	696
	697	if (setgroups(size, list) < 0)
	698	return -errno;
	699
	700	return 0;
36d85478	701	}
24eccc34 LP	702
	703	bool synthesize_nobody(void) {
	704
	705	#ifdef NOLEGACY
	706	return true;
	707	#else
	708	/* Returns true when we shall synthesize the "nobody" user (which we do by default). This can be turned off by
	709	* touching /etc/systemd/dont-synthesize-nobody in order to provide upgrade compatibility with legacy systems
	710	* that used the "nobody" user name and group name for other UIDs/GIDs than 65534.
	711	*
	712	* Note that we do not employ any kind of synchronization on the following caching variable. If the variable is
	713	* accessed in multi-threaded programs in the worst case it might happen that we initialize twice, but that
	714	* shouldn't matter as each initialization should come to the same result. */
	715	static int cache = -1;
	716
	717	if (cache < 0)
	718	cache = access("/etc/systemd/dont-synthesize-nobody", F_OK) < 0;
	719
	720	return cache;
	721	#endif
	722	}
100d5f6e FB	723
	724	int putpwent_sane(const struct passwd pw, FILE stream) {
	725	assert(pw);
	726	assert(stream);
	727
	728	errno = 0;
	729	if (putpwent(pw, stream) != 0)
	730	return errno > 0 ? -errno : -EIO;
	731
	732	return 0;
	733	}
	734
	735	int putspent_sane(const struct spwd sp, FILE stream) {
	736	assert(sp);
	737	assert(stream);
	738
	739	errno = 0;
	740	if (putspent(sp, stream) != 0)
	741	return errno > 0 ? -errno : -EIO;
	742
	743	return 0;
	744	}
	745
	746	int putgrent_sane(const struct group gr, FILE stream) {
	747	assert(gr);
	748	assert(stream);
	749
	750	errno = 0;
	751	if (putgrent(gr, stream) != 0)
	752	return errno > 0 ? -errno : -EIO;
	753
	754	return 0;
	755	}
	756
	757	#if ENABLE_GSHADOW
	758	int putsgent_sane(const struct sgrp sg, FILE stream) {
	759	assert(sg);
	760	assert(stream);
	761
	762	errno = 0;
	763	if (putsgent(sg, stream) != 0)
	764	return errno > 0 ? -errno : -EIO;
	765
	766	return 0;
	767	}
	768	#endif
	769
	770	int fgetpwent_sane(FILE stream, struct passwd *pw) {
	771	struct passwd *p;
	772
	773	assert(pw);
	774	assert(stream);
	775
	776	errno = 0;
	777	p = fgetpwent(stream);
80359410	778	if (p == NULL && errno != ENOENT)
100d5f6e	779	return errno > 0 ? -errno : -EIO;
100d5f6e FB	780
100d5f6e FB	781	*pw = p;
80359410	782	return p != NULL;
100d5f6e FB	783	}
	784
	785	int fgetspent_sane(FILE stream, struct spwd *sp) {
	786	struct spwd *s;
	787
	788	assert(sp);
	789	assert(stream);
	790
	791	errno = 0;
	792	s = fgetspent(stream);
80359410	793	if (s == NULL && errno != ENOENT)
100d5f6e	794	return errno > 0 ? -errno : -EIO;
100d5f6e FB	795
100d5f6e FB	796	*sp = s;
80359410	797	return s != NULL;
100d5f6e FB	798	}
	799
	800	int fgetgrent_sane(FILE stream, struct group *gr) {
	801	struct group *g;
	802
	803	assert(gr);
	804	assert(stream);
	805
	806	errno = 0;
	807	g = fgetgrent(stream);
80359410	808	if (g == NULL && errno != ENOENT)
100d5f6e	809	return errno > 0 ? -errno : -EIO;
100d5f6e FB	810
100d5f6e FB	811	*gr = g;
80359410	812	return g != NULL;
100d5f6e FB	813	}
	814
	815	#if ENABLE_GSHADOW
	816	int fgetsgent_sane(FILE stream, struct sgrp *sg) {
	817	struct sgrp *s;
	818
	819	assert(sg);
	820	assert(stream);
	821
	822	errno = 0;
	823	s = fgetsgent(stream);
80359410	824	if (s == NULL && errno != ENOENT)
100d5f6e	825	return errno > 0 ? -errno : -EIO;
100d5f6e FB	826
100d5f6e FB	827	*sg = s;
80359410	828	return s != NULL;
100d5f6e FB	829	}
100d5f6e FB	830	#endif