[thirdparty/systemd.git] / src / basic / user-util.c

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <alloca.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <utmp.h>

#include "alloc-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "formats-util.h"
#include "macro.h"
#include "missing.h"
#include "parse-util.h"
#include "path-util.h"
#include "string-util.h"
#include "strv.h"
#include "user-util.h"
#include "utf8.h"

bool uid_is_valid(uid_t uid) {

        /* Some libc APIs use UID_INVALID as special placeholder */
        if (uid == (uid_t) UINT32_C(0xFFFFFFFF))
                return false;

        /* A long time ago UIDs where 16bit, hence explicitly avoid the 16bit -1 too */
        if (uid == (uid_t) UINT32_C(0xFFFF))
                return false;

        return true;
}

int parse_uid(const char *s, uid_t *ret) {
        uint32_t uid = 0;
        int r;

        assert(s);

        assert_cc(sizeof(uid_t) == sizeof(uint32_t));
        r = safe_atou32(s, &uid);
        if (r < 0)
                return r;

        if (!uid_is_valid(uid))
                return -ENXIO; /* we return ENXIO instead of EINVAL
                                * here, to make it easy to distuingish
                                * invalid numeric uids from invalid
                                * strings. */

        if (ret)
                *ret = uid;

        return 0;
}

char* getlogname_malloc(void) {
        uid_t uid;
        struct stat st;

        if (isatty(STDIN_FILENO) && fstat(STDIN_FILENO, &st) >= 0)
                uid = st.st_uid;
        else
                uid = getuid();

        return uid_to_name(uid);
}

char *getusername_malloc(void) {
        const char *e;

        e = getenv("USER");
        if (e)
                return strdup(e);

        return uid_to_name(getuid());
}

int get_user_creds(
                const char **username,
                uid_t *uid, gid_t *gid,
                const char **home,
                const char **shell) {

        struct passwd *p;
        uid_t u;

        assert(username);
        assert(*username);

        /* We enforce some special rules for uid=0: in order to avoid
         * NSS lookups for root we hardcode its data. */

        if (streq(*username, "root") || streq(*username, "0")) {
                *username = "root";

                if (uid)
                        *uid = 0;

                if (gid)
                        *gid = 0;

                if (home)
                        *home = "/root";

                if (shell)
                        *shell = "/bin/sh";

                return 0;
        }

        if (parse_uid(*username, &u) >= 0) {
                errno = 0;
                p = getpwuid(u);

                /* If there are multiple users with the same id, make
                 * sure to leave $USER to the configured value instead
                 * of the first occurrence in the database. However if
                 * the uid was configured by a numeric uid, then let's
                 * pick the real username from /etc/passwd. */
                if (p)
                        *username = p->pw_name;
        } else {
                errno = 0;
                p = getpwnam(*username);
        }

        if (!p)
                return errno > 0 ? -errno : -ESRCH;

        if (uid) {
                if (!uid_is_valid(p->pw_uid))
                        return -EBADMSG;

                *uid = p->pw_uid;
        }

        if (gid) {
                if (!gid_is_valid(p->pw_gid))
                        return -EBADMSG;

                *gid = p->pw_gid;
        }

        if (home)
                *home = p->pw_dir;

        if (shell)
                *shell = p->pw_shell;

        return 0;
}

int get_user_creds_clean(
                const char **username,
                uid_t *uid, gid_t *gid,
                const char **home,
                const char **shell) {

        int r;

        /* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */

        r = get_user_creds(username, uid, gid, home, shell);
        if (r < 0)
                return r;

        if (shell &&
            (isempty(*shell) || PATH_IN_SET(*shell,
                                            "/bin/nologin",
                                            "/sbin/nologin",
                                            "/usr/bin/nologin",
                                            "/usr/sbin/nologin")))
                *shell = NULL;

        if (home &&
            (isempty(*home) || path_equal(*home, "/")))
                *home = NULL;

        return 0;
}

int get_group_creds(const char **groupname, gid_t *gid) {
        struct group *g;
        gid_t id;

        assert(groupname);

        /* We enforce some special rules for gid=0: in order to avoid
         * NSS lookups for root we hardcode its data. */

        if (streq(*groupname, "root") || streq(*groupname, "0")) {
                *groupname = "root";

                if (gid)
                        *gid = 0;

                return 0;
        }

        if (parse_gid(*groupname, &id) >= 0) {
                errno = 0;
                g = getgrgid(id);

                if (g)
                        *groupname = g->gr_name;
        } else {
                errno = 0;
                g = getgrnam(*groupname);
        }

        if (!g)
                return errno > 0 ? -errno : -ESRCH;

        if (gid) {
                if (!gid_is_valid(g->gr_gid))
                        return -EBADMSG;

                *gid = g->gr_gid;
        }

        return 0;
}

char* uid_to_name(uid_t uid) {
        char *ret;
        int r;

        /* Shortcut things to avoid NSS lookups */
        if (uid == 0)
                return strdup("root");

        if (uid_is_valid(uid)) {
                long bufsize;

                bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
                if (bufsize <= 0)
                        bufsize = 4096;

                for (;;) {
                        struct passwd pwbuf, *pw = NULL;
                        _cleanup_free_ char *buf = NULL;

                        buf = malloc(bufsize);
                        if (!buf)
                                return NULL;

                        r = getpwuid_r(uid, &pwbuf, buf, (size_t) bufsize, &pw);
                        if (r == 0 && pw)
                                return strdup(pw->pw_name);
                        if (r != ERANGE)
                                break;

                        bufsize *= 2;
                }
        }

        if (asprintf(&ret, UID_FMT, uid) < 0)
                return NULL;

        return ret;
}

char* gid_to_name(gid_t gid) {
        char *ret;
        int r;

        if (gid == 0)
                return strdup("root");

        if (gid_is_valid(gid)) {
                long bufsize;

                bufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
                if (bufsize <= 0)
                        bufsize = 4096;

                for (;;) {
                        struct group grbuf, *gr = NULL;
                        _cleanup_free_ char *buf = NULL;

                        buf = malloc(bufsize);
                        if (!buf)
                                return NULL;

                        r = getgrgid_r(gid, &grbuf, buf, (size_t) bufsize, &gr);
                        if (r == 0 && gr)
                                return strdup(gr->gr_name);
                        if (r != ERANGE)
                                break;

                        bufsize *= 2;
                }
        }

        if (asprintf(&ret, GID_FMT, gid) < 0)
                return NULL;

        return ret;
}

int in_gid(gid_t gid) {
        gid_t *gids;
        int ngroups_max, r, i;

        if (getgid() == gid)
                return 1;

        if (getegid() == gid)
                return 1;

        if (!gid_is_valid(gid))
                return -EINVAL;

        ngroups_max = sysconf(_SC_NGROUPS_MAX);
        assert(ngroups_max > 0);

        gids = alloca(sizeof(gid_t) * ngroups_max);

        r = getgroups(ngroups_max, gids);
        if (r < 0)
                return -errno;

        for (i = 0; i < r; i++)
                if (gids[i] == gid)
                        return 1;

        return 0;
}

int in_group(const char *name) {
        int r;
        gid_t gid;

        r = get_group_creds(&name, &gid);
        if (r < 0)
                return r;

        return in_gid(gid);
}

int get_home_dir(char **_h) {
        struct passwd *p;
        const char *e;
        char *h;
        uid_t u;

        assert(_h);

        /* Take the user specified one */
        e = secure_getenv("HOME");
        if (e && path_is_absolute(e)) {
                h = strdup(e);
                if (!h)
                        return -ENOMEM;

                *_h = h;
                return 0;
        }

        /* Hardcode home directory for root to avoid NSS */
        u = getuid();
        if (u == 0) {
                h = strdup("/root");
                if (!h)
                        return -ENOMEM;

                *_h = h;
                return 0;
        }

        /* Check the database... */
        errno = 0;
        p = getpwuid(u);
        if (!p)
                return errno > 0 ? -errno : -ESRCH;

        if (!path_is_absolute(p->pw_dir))
                return -EINVAL;

        h = strdup(p->pw_dir);
        if (!h)
                return -ENOMEM;

        *_h = h;
        return 0;
}

int get_shell(char **_s) {
        struct passwd *p;
        const char *e;
        char *s;
        uid_t u;

        assert(_s);

        /* Take the user specified one */
        e = getenv("SHELL");
        if (e) {
                s = strdup(e);
                if (!s)
                        return -ENOMEM;

                *_s = s;
                return 0;
        }

        /* Hardcode home directory for root to avoid NSS */
        u = getuid();
        if (u == 0) {
                s = strdup("/bin/sh");
                if (!s)
                        return -ENOMEM;

                *_s = s;
                return 0;
        }

        /* Check the database... */
        errno = 0;
        p = getpwuid(u);
        if (!p)
                return errno > 0 ? -errno : -ESRCH;

        if (!path_is_absolute(p->pw_shell))
                return -EINVAL;

        s = strdup(p->pw_shell);
        if (!s)
                return -ENOMEM;

        *_s = s;
        return 0;
}

int reset_uid_gid(void) {

        if (maybe_setgroups(0, NULL) < 0)
                return -errno;

        if (setresgid(0, 0, 0) < 0)
                return -errno;

        if (setresuid(0, 0, 0) < 0)
                return -errno;

        return 0;
}

int take_etc_passwd_lock(const char *root) {

        struct flock flock = {
                .l_type = F_WRLCK,
                .l_whence = SEEK_SET,
                .l_start = 0,
                .l_len = 0,
        };

        const char *path;
        int fd, r;

        /* This is roughly the same as lckpwdf(), but not as awful. We
         * don't want to use alarm() and signals, hence we implement
         * our own trivial version of this.
         *
         * Note that shadow-utils also takes per-database locks in
         * addition to lckpwdf(). However, we don't given that they
         * are redundant as they invoke lckpwdf() first and keep
         * it during everything they do. The per-database locks are
         * awfully racy, and thus we just won't do them. */

        if (root)
                path = prefix_roota(root, "/etc/.pwd.lock");
        else
                path = "/etc/.pwd.lock";

        fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
        if (fd < 0)
                return -errno;

        r = fcntl(fd, F_SETLKW, &flock);
        if (r < 0) {
                safe_close(fd);
                return -errno;
        }

        return fd;
}

bool valid_user_group_name(const char *u) {
        const char *i;
        long sz;

        /* Checks if the specified name is a valid user/group name. */

        if (isempty(u))
                return false;

        if (!(u[0] >= 'a' && u[0] <= 'z') &&
            !(u[0] >= 'A' && u[0] <= 'Z') &&
            u[0] != '_')
                return false;

        for (i = u+1; *i; i++) {
                if (!(*i >= 'a' && *i <= 'z') &&
                    !(*i >= 'A' && *i <= 'Z') &&
                    !(*i >= '0' && *i <= '9') &&
                    *i != '_' &&
                    *i != '-')
                        return false;
        }

        sz = sysconf(_SC_LOGIN_NAME_MAX);
        assert_se(sz > 0);

        if ((size_t) (i-u) > (size_t) sz)
                return false;

        if ((size_t) (i-u) > UT_NAMESIZE - 1)
                return false;

        return true;
}

bool valid_user_group_name_or_id(const char *u) {

        /* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right
         * range, and not the invalid user ids. */

        if (isempty(u))
                return false;

        if (valid_user_group_name(u))
                return true;

        return parse_uid(u, NULL) >= 0;
}

bool valid_gecos(const char *d) {

        if (!d)
                return false;

        if (!utf8_is_valid(d))
                return false;

        if (string_has_cc(d, NULL))
                return false;

        /* Colons are used as field separators, and hence not OK */
        if (strchr(d, ':'))
                return false;

        return true;
}

bool valid_home(const char *p) {

        if (isempty(p))
                return false;

        if (!utf8_is_valid(p))
                return false;

        if (string_has_cc(p, NULL))
                return false;

        if (!path_is_absolute(p))
                return false;

        if (!path_is_safe(p))
                return false;

        /* Colons are used as field separators, and hence not OK */
        if (strchr(p, ':'))
                return false;

        return true;
}

int maybe_setgroups(size_t size, const gid_t *list) {
        static int cached_can_setgroups = -1;
        /* check if setgroups is allowed before we try to drop all the auxiliary groups */
        if (size == 0) {
                if (cached_can_setgroups < 0) {
                        _cleanup_free_ char *setgroups_content = NULL;
                        int r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
                        if (r < 0 && errno != ENOENT)
                                return r;
                        if (r < 0) {
                                /* old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
                                cached_can_setgroups = true;
                        } else {
                                cached_can_setgroups = streq(setgroups_content, "allow");
                                if (!cached_can_setgroups)
                                        log_debug("skip setgroups, /proc/self/setgroups is set to 'deny'");
                        }
                }
                if (!cached_can_setgroups)
                        return 0;
        }
        return setgroups(size, list);
}
Commit	Line	Data
b1d4f8e1 LP	1	/***
	2	This file is part of systemd.
	3
	4	Copyright 2010 Lennart Poettering
	5
	6	systemd is free software; you can redistribute it and/or modify it
	7	under the terms of the GNU Lesser General Public License as published by
	8	the Free Software Foundation; either version 2.1 of the License, or
	9	(at your option) any later version.
	10
	11	systemd is distributed in the hope that it will be useful, but
	12	WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public License
	17	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	18	***/
	19
11c3a366 TA	20	#include <alloca.h>
	21	#include <errno.h>
	22	#include <fcntl.h>
b1d4f8e1	23	#include <grp.h>
cf0fbc49	24	#include <pwd.h>
11c3a366 TA	25	#include <stddef.h>
	26	#include <stdint.h>
	27	#include <stdio.h>
	28	#include <stdlib.h>
	29	#include <string.h>
	30	#include <sys/stat.h>
	31	#include <unistd.h>
e4631b48	32	#include <utmp.h>
b1d4f8e1	33
b5efdb8a	34	#include "alloc-util.h"
e929bee0	35	#include "fd-util.h"
36d85478	36	#include "fileio.h"
93cc7779	37	#include "formats-util.h"
b1d4f8e1	38	#include "macro.h"
be39ccf3	39	#include "missing.h"
6bedfcbb	40	#include "parse-util.h"
b1d4f8e1	41	#include "path-util.h"
6bedfcbb	42	#include "string-util.h"
be39ccf3	43	#include "strv.h"
6bedfcbb	44	#include "user-util.h"
e4631b48	45	#include "utf8.h"
b1d4f8e1 LP	46
	47	bool uid_is_valid(uid_t uid) {
	48
	49	/* Some libc APIs use UID_INVALID as special placeholder */
b1d52773	50	if (uid == (uid_t) UINT32_C(0xFFFFFFFF))
b1d4f8e1 LP	51	return false;
	52
	53	/* A long time ago UIDs where 16bit, hence explicitly avoid the 16bit -1 too */
b1d52773	54	if (uid == (uid_t) UINT32_C(0xFFFF))
b1d4f8e1 LP	55	return false;
	56
	57	return true;
	58	}
	59
b1d52773 LP	60	int parse_uid(const char s, uid_t ret) {
b1d52773 LP	61	uint32_t uid = 0;
b1d4f8e1 LP	62	int r;
	63
	64	assert(s);
	65
b1d52773 LP	66	assert_cc(sizeof(uid_t) == sizeof(uint32_t));
b1d52773 LP	67	r = safe_atou32(s, &uid);
b1d4f8e1 LP	68	if (r < 0)
	69	return r;
	70
b1d4f8e1 LP	71	if (!uid_is_valid(uid))
	72	return -ENXIO; /* we return ENXIO instead of EINVAL
	73	* here, to make it easy to distuingish
ba60af86	74	* invalid numeric uids from invalid
b1d4f8e1 LP	75	* strings. */
b1d4f8e1 LP	76
b1d52773 LP	77	if (ret)
b1d52773 LP	78	*ret = uid;
b1d4f8e1 LP	79
	80	return 0;
	81	}
	82
b1d4f8e1 LP	83	char* getlogname_malloc(void) {
	84	uid_t uid;
	85	struct stat st;
	86
	87	if (isatty(STDIN_FILENO) && fstat(STDIN_FILENO, &st) >= 0)
	88	uid = st.st_uid;
	89	else
	90	uid = getuid();
	91
d0260817	92	return uid_to_name(uid);
b1d4f8e1 LP	93	}
	94
	95	char *getusername_malloc(void) {
	96	const char *e;
	97
	98	e = getenv("USER");
	99	if (e)
	100	return strdup(e);
	101
d0260817	102	return uid_to_name(getuid());
b1d4f8e1 LP	103	}
	104
	105	int get_user_creds(
	106	const char **username,
	107	uid_t uid, gid_t gid,
	108	const char **home,
	109	const char **shell) {
	110
	111	struct passwd *p;
	112	uid_t u;
	113
	114	assert(username);
	115	assert(*username);
	116
	117	/* We enforce some special rules for uid=0: in order to avoid
	118	* NSS lookups for root we hardcode its data. */
	119
	120	if (streq(username, "root") \|\| streq(username, "0")) {
	121	*username = "root";
	122
	123	if (uid)
	124	*uid = 0;
	125
	126	if (gid)
	127	*gid = 0;
	128
	129	if (home)
	130	*home = "/root";
	131
	132	if (shell)
	133	*shell = "/bin/sh";
	134
	135	return 0;
	136	}
	137
	138	if (parse_uid(*username, &u) >= 0) {
	139	errno = 0;
	140	p = getpwuid(u);
	141
	142	/* If there are multiple users with the same id, make
	143	* sure to leave $USER to the configured value instead
	144	* of the first occurrence in the database. However if
	145	* the uid was configured by a numeric uid, then let's
	146	* pick the real username from /etc/passwd. */
	147	if (p)
	148	*username = p->pw_name;
	149	} else {
	150	errno = 0;
	151	p = getpwnam(*username);
	152	}
	153
	154	if (!p)
	155	return errno > 0 ? -errno : -ESRCH;
	156
67c7c892 LP	157	if (uid) {
	158	if (!uid_is_valid(p->pw_uid))
	159	return -EBADMSG;
	160
b1d4f8e1	161	*uid = p->pw_uid;
67c7c892 LP	162	}
	163
	164	if (gid) {
	165	if (!gid_is_valid(p->pw_gid))
	166	return -EBADMSG;
b1d4f8e1	167
b1d4f8e1	168	*gid = p->pw_gid;
67c7c892	169	}
b1d4f8e1 LP	170
	171	if (home)
	172	*home = p->pw_dir;
	173
	174	if (shell)
	175	*shell = p->pw_shell;
	176
	177	return 0;
	178	}
	179
be39ccf3 LP	180	int get_user_creds_clean(
	181	const char **username,
	182	uid_t uid, gid_t gid,
	183	const char **home,
	184	const char **shell) {
	185
	186	int r;
	187
	188	/* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */
	189
	190	r = get_user_creds(username, uid, gid, home, shell);
	191	if (r < 0)
	192	return r;
	193
	194	if (shell &&
	195	(isempty(shell) \|\| PATH_IN_SET(shell,
	196	"/bin/nologin",
	197	"/sbin/nologin",
	198	"/usr/bin/nologin",
	199	"/usr/sbin/nologin")))
	200	*shell = NULL;
	201
	202	if (home &&
	203	(isempty(home) \|\| path_equal(home, "/")))
	204	*home = NULL;
	205
	206	return 0;
	207	}
	208
b1d4f8e1 LP	209	int get_group_creds(const char *groupname, gid_t gid) {
	210	struct group *g;
	211	gid_t id;
	212
	213	assert(groupname);
	214
	215	/* We enforce some special rules for gid=0: in order to avoid
	216	* NSS lookups for root we hardcode its data. */
	217
	218	if (streq(groupname, "root") \|\| streq(groupname, "0")) {
	219	*groupname = "root";
	220
	221	if (gid)
	222	*gid = 0;
	223
	224	return 0;
	225	}
	226
	227	if (parse_gid(*groupname, &id) >= 0) {
	228	errno = 0;
	229	g = getgrgid(id);
	230
	231	if (g)
	232	*groupname = g->gr_name;
	233	} else {
	234	errno = 0;
	235	g = getgrnam(*groupname);
	236	}
	237
	238	if (!g)
	239	return errno > 0 ? -errno : -ESRCH;
	240
67c7c892 LP	241	if (gid) {
	242	if (!gid_is_valid(g->gr_gid))
	243	return -EBADMSG;
	244
b1d4f8e1	245	*gid = g->gr_gid;
67c7c892	246	}
b1d4f8e1 LP	247
	248	return 0;
	249	}
	250
	251	char* uid_to_name(uid_t uid) {
d0260817 LP	252	char *ret;
d0260817 LP	253	int r;
b1d4f8e1	254
d0260817	255	/* Shortcut things to avoid NSS lookups */
b1d4f8e1 LP	256	if (uid == 0)
	257	return strdup("root");
	258
d0260817 LP	259	if (uid_is_valid(uid)) {
	260	long bufsize;
	261
	262	bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
	263	if (bufsize <= 0)
	264	bufsize = 4096;
	265
	266	for (;;) {
	267	struct passwd pwbuf, *pw = NULL;
	268	_cleanup_free_ char *buf = NULL;
	269
	270	buf = malloc(bufsize);
	271	if (!buf)
	272	return NULL;
	273
	274	r = getpwuid_r(uid, &pwbuf, buf, (size_t) bufsize, &pw);
	275	if (r == 0 && pw)
	276	return strdup(pw->pw_name);
	277	if (r != ERANGE)
	278	break;
	279
	280	bufsize *= 2;
	281	}
	282	}
b1d4f8e1	283
d0260817	284	if (asprintf(&ret, UID_FMT, uid) < 0)
b1d4f8e1 LP	285	return NULL;
b1d4f8e1 LP	286
d0260817	287	return ret;
b1d4f8e1 LP	288	}
	289
	290	char* gid_to_name(gid_t gid) {
d0260817 LP	291	char *ret;
d0260817 LP	292	int r;
b1d4f8e1 LP	293
	294	if (gid == 0)
	295	return strdup("root");
	296
d0260817 LP	297	if (gid_is_valid(gid)) {
	298	long bufsize;
	299
	300	bufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
	301	if (bufsize <= 0)
	302	bufsize = 4096;
	303
	304	for (;;) {
	305	struct group grbuf, *gr = NULL;
	306	_cleanup_free_ char *buf = NULL;
	307
	308	buf = malloc(bufsize);
	309	if (!buf)
	310	return NULL;
	311
	312	r = getgrgid_r(gid, &grbuf, buf, (size_t) bufsize, &gr);
	313	if (r == 0 && gr)
	314	return strdup(gr->gr_name);
	315	if (r != ERANGE)
	316	break;
	317
	318	bufsize *= 2;
	319	}
	320	}
b1d4f8e1	321
d0260817	322	if (asprintf(&ret, GID_FMT, gid) < 0)
b1d4f8e1 LP	323	return NULL;
b1d4f8e1 LP	324
d0260817	325	return ret;
b1d4f8e1 LP	326	}
	327
	328	int in_gid(gid_t gid) {
	329	gid_t *gids;
	330	int ngroups_max, r, i;
	331
	332	if (getgid() == gid)
	333	return 1;
	334
	335	if (getegid() == gid)
	336	return 1;
	337
67c7c892 LP	338	if (!gid_is_valid(gid))
	339	return -EINVAL;
	340
b1d4f8e1 LP	341	ngroups_max = sysconf(_SC_NGROUPS_MAX);
	342	assert(ngroups_max > 0);
	343
	344	gids = alloca(sizeof(gid_t) * ngroups_max);
	345
	346	r = getgroups(ngroups_max, gids);
	347	if (r < 0)
	348	return -errno;
	349
	350	for (i = 0; i < r; i++)
	351	if (gids[i] == gid)
	352	return 1;
	353
	354	return 0;
	355	}
	356
	357	int in_group(const char *name) {
	358	int r;
	359	gid_t gid;
	360
	361	r = get_group_creds(&name, &gid);
	362	if (r < 0)
	363	return r;
	364
	365	return in_gid(gid);
	366	}
	367
	368	int get_home_dir(char **_h) {
	369	struct passwd *p;
	370	const char *e;
	371	char *h;
	372	uid_t u;
	373
	374	assert(_h);
	375
	376	/* Take the user specified one */
	377	e = secure_getenv("HOME");
	378	if (e && path_is_absolute(e)) {
	379	h = strdup(e);
	380	if (!h)
	381	return -ENOMEM;
	382
	383	*_h = h;
	384	return 0;
	385	}
	386
	387	/* Hardcode home directory for root to avoid NSS */
	388	u = getuid();
	389	if (u == 0) {
	390	h = strdup("/root");
	391	if (!h)
	392	return -ENOMEM;
	393
	394	*_h = h;
	395	return 0;
	396	}
	397
	398	/* Check the database... */
	399	errno = 0;
	400	p = getpwuid(u);
	401	if (!p)
	402	return errno > 0 ? -errno : -ESRCH;
	403
	404	if (!path_is_absolute(p->pw_dir))
405	return -EINVAL;
406
407	h = strdup(p->pw_dir);
408	if (!h)
409	return -ENOMEM;
410
411	*_h = h;
412	return 0;
413	}
414
415	int get_shell(char **_s) {
416	struct passwd *p;
417	const char *e;
418	char *s;
419	uid_t u;
420
421	assert(_s);
422
423	/* Take the user specified one */
424	e = getenv("SHELL");
425	if (e) {
426	s = strdup(e);
427	if (!s)
428	return -ENOMEM;
429
430	*_s = s;
431	return 0;
432	}
433
434	/* Hardcode home directory for root to avoid NSS */
435	u = getuid();
436	if (u == 0) {
437	s = strdup("/bin/sh");
438	if (!s)
439	return -ENOMEM;
440
441	*_s = s;
442	return 0;
443	}
444
445	/* Check the database... */
446	errno = 0;
447	p = getpwuid(u);
448	if (!p)
449	return errno > 0 ? -errno : -ESRCH;
450
451	if (!path_is_absolute(p->pw_shell))
452	return -EINVAL;
453
454	s = strdup(p->pw_shell);
455	if (!s)
456	return -ENOMEM;
457
458	*_s = s;
459	return 0;
460	}
461
462	int reset_uid_gid(void) {
463
36d85478	464	if (maybe_setgroups(0, NULL) < 0)
b1d4f8e1 LP	465	return -errno;
	466
	467	if (setresgid(0, 0, 0) < 0)
	468	return -errno;
	469
	470	if (setresuid(0, 0, 0) < 0)
	471	return -errno;
	472
	473	return 0;
	474	}
e929bee0 LP	475
	476	int take_etc_passwd_lock(const char *root) {
	477
	478	struct flock flock = {
	479	.l_type = F_WRLCK,
	480	.l_whence = SEEK_SET,
	481	.l_start = 0,
	482	.l_len = 0,
	483	};
	484
	485	const char *path;
	486	int fd, r;
	487
	488	/* This is roughly the same as lckpwdf(), but not as awful. We
	489	* don't want to use alarm() and signals, hence we implement
	490	* our own trivial version of this.
	491	*
	492	* Note that shadow-utils also takes per-database locks in
	493	* addition to lckpwdf(). However, we don't given that they
61233823	494	* are redundant as they invoke lckpwdf() first and keep
e929bee0 LP	495	* it during everything they do. The per-database locks are
	496	* awfully racy, and thus we just won't do them. */
	497
	498	if (root)
	499	path = prefix_roota(root, "/etc/.pwd.lock");
	500	else
	501	path = "/etc/.pwd.lock";
	502
	503	fd = open(path, O_WRONLY\|O_CREAT\|O_CLOEXEC\|O_NOCTTY\|O_NOFOLLOW, 0600);
	504	if (fd < 0)
	505	return -errno;
	506
	507	r = fcntl(fd, F_SETLKW, &flock);
	508	if (r < 0) {
	509	safe_close(fd);
	510	return -errno;
	511	}
	512
	513	return fd;
	514	}
e4631b48 LP	515
	516	bool valid_user_group_name(const char *u) {
	517	const char *i;
	518	long sz;
	519
	520	/* Checks if the specified name is a valid user/group name. */
	521
	522	if (isempty(u))
	523	return false;
	524
	525	if (!(u[0] >= 'a' && u[0] <= 'z') &&
	526	!(u[0] >= 'A' && u[0] <= 'Z') &&
	527	u[0] != '_')
	528	return false;
	529
	530	for (i = u+1; *i; i++) {
	531	if (!(i >= 'a' && i <= 'z') &&
	532	!(i >= 'A' && i <= 'Z') &&
	533	!(i >= '0' && i <= '9') &&
	534	*i != '_' &&
	535	*i != '-')
	536	return false;
	537	}
	538
	539	sz = sysconf(_SC_LOGIN_NAME_MAX);
	540	assert_se(sz > 0);
	541
	542	if ((size_t) (i-u) > (size_t) sz)
	543	return false;
	544
	545	if ((size_t) (i-u) > UT_NAMESIZE - 1)
	546	return false;
	547
	548	return true;
	549	}
	550
	551	bool valid_user_group_name_or_id(const char *u) {
	552
	553	/* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right
	554	* range, and not the invalid user ids. */
	555
	556	if (isempty(u))
	557	return false;
	558
	559	if (valid_user_group_name(u))
	560	return true;
	561
	562	return parse_uid(u, NULL) >= 0;
	563	}
	564
	565	bool valid_gecos(const char *d) {
	566
	567	if (!d)
	568	return false;
	569
	570	if (!utf8_is_valid(d))
	571	return false;
	572
	573	if (string_has_cc(d, NULL))
	574	return false;
	575
	576	/* Colons are used as field separators, and hence not OK */
	577	if (strchr(d, ':'))
	578	return false;
579
580	return true;
581	}
582
583	bool valid_home(const char *p) {
584
585	if (isempty(p))
586	return false;
587
588	if (!utf8_is_valid(p))
589	return false;
590
591	if (string_has_cc(p, NULL))
592	return false;
593
594	if (!path_is_absolute(p))
595	return false;
596
597	if (!path_is_safe(p))
598	return false;
599
600	/* Colons are used as field separators, and hence not OK */
601	if (strchr(p, ':'))
602	return false;
603
604	return true;
605	}
36d85478 GS	606
	607	int maybe_setgroups(size_t size, const gid_t *list) {
	608	static int cached_can_setgroups = -1;
	609	/* check if setgroups is allowed before we try to drop all the auxiliary groups */
	610	if (size == 0) {
	611	if (cached_can_setgroups < 0) {
	612	_cleanup_free_ char *setgroups_content = NULL;
	613	int r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
	614	if (r < 0 && errno != ENOENT)
	615	return r;
	616	if (r < 0) {
	617	/* old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
	618	cached_can_setgroups = true;
	619	} else {
	620	cached_can_setgroups = streq(setgroups_content, "allow");
	621	if (!cached_can_setgroups)
	622	log_debug("skip setgroups, /proc/self/setgroups is set to 'deny'");
	623	}
	624	}
	625	if (!cached_can_setgroups)
	626	return 0;
	627	}
	628	return setgroups(size, list);
	629	}