]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
b1d4f8e1 | 2 | |
11c3a366 TA |
3 | #include <alloca.h> |
4 | #include <errno.h> | |
5 | #include <fcntl.h> | |
b1d4f8e1 | 6 | #include <grp.h> |
cf0fbc49 | 7 | #include <pwd.h> |
11c3a366 TA |
8 | #include <stddef.h> |
9 | #include <stdint.h> | |
10 | #include <stdio.h> | |
11 | #include <stdlib.h> | |
12 | #include <string.h> | |
13 | #include <sys/stat.h> | |
14 | #include <unistd.h> | |
e4631b48 | 15 | #include <utmp.h> |
b1d4f8e1 | 16 | |
b5efdb8a | 17 | #include "alloc-util.h" |
66855de7 | 18 | #include "errno-util.h" |
e929bee0 | 19 | #include "fd-util.h" |
36d85478 | 20 | #include "fileio.h" |
f97b34a6 | 21 | #include "format-util.h" |
b1d4f8e1 | 22 | #include "macro.h" |
be39ccf3 | 23 | #include "missing.h" |
6bedfcbb | 24 | #include "parse-util.h" |
b1d4f8e1 | 25 | #include "path-util.h" |
f2c5edbe | 26 | #include "random-util.h" |
6bedfcbb | 27 | #include "string-util.h" |
be39ccf3 | 28 | #include "strv.h" |
6bedfcbb | 29 | #include "user-util.h" |
e4631b48 | 30 | #include "utf8.h" |
b1d4f8e1 LP |
31 | |
32 | bool uid_is_valid(uid_t uid) { | |
33 | ||
1429dfe5 LP |
34 | /* Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436. */ |
35 | ||
b1d4f8e1 | 36 | /* Some libc APIs use UID_INVALID as special placeholder */ |
b1d52773 | 37 | if (uid == (uid_t) UINT32_C(0xFFFFFFFF)) |
b1d4f8e1 LP |
38 | return false; |
39 | ||
40 | /* A long time ago UIDs where 16bit, hence explicitly avoid the 16bit -1 too */ | |
b1d52773 | 41 | if (uid == (uid_t) UINT32_C(0xFFFF)) |
b1d4f8e1 LP |
42 | return false; |
43 | ||
44 | return true; | |
45 | } | |
46 | ||
b1d52773 LP |
47 | int parse_uid(const char *s, uid_t *ret) { |
48 | uint32_t uid = 0; | |
b1d4f8e1 LP |
49 | int r; |
50 | ||
51 | assert(s); | |
52 | ||
b1d52773 LP |
53 | assert_cc(sizeof(uid_t) == sizeof(uint32_t)); |
54 | r = safe_atou32(s, &uid); | |
b1d4f8e1 LP |
55 | if (r < 0) |
56 | return r; | |
57 | ||
b1d4f8e1 LP |
58 | if (!uid_is_valid(uid)) |
59 | return -ENXIO; /* we return ENXIO instead of EINVAL | |
5238e957 | 60 | * here, to make it easy to distinguish |
ba60af86 | 61 | * invalid numeric uids from invalid |
b1d4f8e1 LP |
62 | * strings. */ |
63 | ||
b1d52773 LP |
64 | if (ret) |
65 | *ret = uid; | |
b1d4f8e1 LP |
66 | |
67 | return 0; | |
68 | } | |
69 | ||
b1d4f8e1 LP |
70 | char* getlogname_malloc(void) { |
71 | uid_t uid; | |
72 | struct stat st; | |
73 | ||
74 | if (isatty(STDIN_FILENO) && fstat(STDIN_FILENO, &st) >= 0) | |
75 | uid = st.st_uid; | |
76 | else | |
77 | uid = getuid(); | |
78 | ||
d0260817 | 79 | return uid_to_name(uid); |
b1d4f8e1 LP |
80 | } |
81 | ||
82 | char *getusername_malloc(void) { | |
83 | const char *e; | |
84 | ||
b2a3953f | 85 | e = secure_getenv("USER"); |
b1d4f8e1 LP |
86 | if (e) |
87 | return strdup(e); | |
88 | ||
d0260817 | 89 | return uid_to_name(getuid()); |
b1d4f8e1 LP |
90 | } |
91 | ||
a1e92eee | 92 | static bool is_nologin_shell(const char *shell) { |
fafff8f1 LP |
93 | |
94 | return PATH_IN_SET(shell, | |
95 | /* 'nologin' is the friendliest way to disable logins for a user account. It prints a nice | |
96 | * message and exits. Different distributions place the binary at different places though, | |
97 | * hence let's list them all. */ | |
98 | "/bin/nologin", | |
99 | "/sbin/nologin", | |
100 | "/usr/bin/nologin", | |
101 | "/usr/sbin/nologin", | |
102 | /* 'true' and 'false' work too for the same purpose, but are less friendly as they don't do | |
103 | * any message printing. Different distributions place the binary at various places but at | |
104 | * least not in the 'sbin' directory. */ | |
105 | "/bin/false", | |
106 | "/usr/bin/false", | |
107 | "/bin/true", | |
108 | "/usr/bin/true"); | |
109 | } | |
110 | ||
111 | static int synthesize_user_creds( | |
b1d4f8e1 LP |
112 | const char **username, |
113 | uid_t *uid, gid_t *gid, | |
114 | const char **home, | |
fafff8f1 LP |
115 | const char **shell, |
116 | UserCredsFlags flags) { | |
b1d4f8e1 | 117 | |
7e61fd02 LP |
118 | /* We enforce some special rules for uid=0 and uid=65534: in order to avoid NSS lookups for root we hardcode |
119 | * their user record data. */ | |
b1d4f8e1 | 120 | |
7e61fd02 | 121 | if (STR_IN_SET(*username, "root", "0")) { |
b1d4f8e1 LP |
122 | *username = "root"; |
123 | ||
124 | if (uid) | |
125 | *uid = 0; | |
b1d4f8e1 LP |
126 | if (gid) |
127 | *gid = 0; | |
128 | ||
129 | if (home) | |
130 | *home = "/root"; | |
131 | ||
132 | if (shell) | |
133 | *shell = "/bin/sh"; | |
134 | ||
135 | return 0; | |
136 | } | |
137 | ||
24eccc34 LP |
138 | if (synthesize_nobody() && |
139 | STR_IN_SET(*username, NOBODY_USER_NAME, "65534")) { | |
7e61fd02 LP |
140 | *username = NOBODY_USER_NAME; |
141 | ||
142 | if (uid) | |
143 | *uid = UID_NOBODY; | |
144 | if (gid) | |
145 | *gid = GID_NOBODY; | |
146 | ||
147 | if (home) | |
fafff8f1 | 148 | *home = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/"; |
7e61fd02 LP |
149 | |
150 | if (shell) | |
6db90462 | 151 | *shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : NOLOGIN; |
7e61fd02 LP |
152 | |
153 | return 0; | |
154 | } | |
155 | ||
fafff8f1 LP |
156 | return -ENOMEDIUM; |
157 | } | |
158 | ||
159 | int get_user_creds( | |
160 | const char **username, | |
161 | uid_t *uid, gid_t *gid, | |
162 | const char **home, | |
163 | const char **shell, | |
164 | UserCredsFlags flags) { | |
165 | ||
166 | uid_t u = UID_INVALID; | |
167 | struct passwd *p; | |
168 | int r; | |
169 | ||
170 | assert(username); | |
171 | assert(*username); | |
172 | ||
43ad3ad7 | 173 | if (!FLAGS_SET(flags, USER_CREDS_PREFER_NSS) || |
fafff8f1 LP |
174 | (!home && !shell)) { |
175 | ||
176 | /* So here's the deal: normally, we'll try to synthesize all records we can synthesize, and override | |
43ad3ad7 | 177 | * the user database with that. However, if the user specifies USER_CREDS_PREFER_NSS then the |
fafff8f1 LP |
178 | * user database will override the synthetic records instead — except if the user is only interested in |
179 | * the UID and/or GID (but not the home directory, or the shell), in which case we'll always override | |
43ad3ad7 | 180 | * the user database (i.e. the USER_CREDS_PREFER_NSS flag has no effect in this case). Why? |
fafff8f1 LP |
181 | * Simply because there are valid usecase where the user might change the home directory or the shell |
182 | * of the relevant users, but changing the UID/GID mappings for them is something we explicitly don't | |
183 | * support. */ | |
184 | ||
185 | r = synthesize_user_creds(username, uid, gid, home, shell, flags); | |
186 | if (r >= 0) | |
187 | return 0; | |
188 | if (r != -ENOMEDIUM) /* not a username we can synthesize */ | |
189 | return r; | |
190 | } | |
191 | ||
b1d4f8e1 LP |
192 | if (parse_uid(*username, &u) >= 0) { |
193 | errno = 0; | |
194 | p = getpwuid(u); | |
195 | ||
fafff8f1 LP |
196 | /* If there are multiple users with the same id, make sure to leave $USER to the configured value |
197 | * instead of the first occurrence in the database. However if the uid was configured by a numeric uid, | |
198 | * then let's pick the real username from /etc/passwd. */ | |
b1d4f8e1 LP |
199 | if (p) |
200 | *username = p->pw_name; | |
fafff8f1 LP |
201 | else if (FLAGS_SET(flags, USER_CREDS_ALLOW_MISSING) && !gid && !home && !shell) { |
202 | ||
203 | /* If the specified user is a numeric UID and it isn't in the user database, and the caller | |
204 | * passed USER_CREDS_ALLOW_MISSING and was only interested in the UID, then juts return that | |
205 | * and don't complain. */ | |
206 | ||
207 | if (uid) | |
208 | *uid = u; | |
209 | ||
210 | return 0; | |
211 | } | |
b1d4f8e1 LP |
212 | } else { |
213 | errno = 0; | |
214 | p = getpwnam(*username); | |
215 | } | |
fafff8f1 | 216 | if (!p) { |
66855de7 | 217 | r = errno_or_else(ESRCH); |
b1d4f8e1 | 218 | |
fafff8f1 | 219 | /* If the user requested that we only synthesize as fallback, do so now */ |
43ad3ad7 | 220 | if (FLAGS_SET(flags, USER_CREDS_PREFER_NSS)) { |
fafff8f1 LP |
221 | if (synthesize_user_creds(username, uid, gid, home, shell, flags) >= 0) |
222 | return 0; | |
223 | } | |
224 | ||
225 | return r; | |
226 | } | |
b1d4f8e1 | 227 | |
67c7c892 LP |
228 | if (uid) { |
229 | if (!uid_is_valid(p->pw_uid)) | |
230 | return -EBADMSG; | |
231 | ||
b1d4f8e1 | 232 | *uid = p->pw_uid; |
67c7c892 LP |
233 | } |
234 | ||
235 | if (gid) { | |
236 | if (!gid_is_valid(p->pw_gid)) | |
237 | return -EBADMSG; | |
b1d4f8e1 | 238 | |
b1d4f8e1 | 239 | *gid = p->pw_gid; |
67c7c892 | 240 | } |
b1d4f8e1 | 241 | |
fafff8f1 | 242 | if (home) { |
71ae7b57 LP |
243 | if (FLAGS_SET(flags, USER_CREDS_CLEAN) && |
244 | (empty_or_root(p->pw_dir) || | |
245 | !path_is_valid(p->pw_dir) || | |
246 | !path_is_absolute(p->pw_dir))) | |
247 | *home = NULL; /* Note: we don't insist on normalized paths, since there are setups that have /./ in the path */ | |
fafff8f1 LP |
248 | else |
249 | *home = p->pw_dir; | |
250 | } | |
be39ccf3 | 251 | |
fafff8f1 | 252 | if (shell) { |
71ae7b57 LP |
253 | if (FLAGS_SET(flags, USER_CREDS_CLEAN) && |
254 | (isempty(p->pw_shell) || | |
255 | !path_is_valid(p->pw_dir) || | |
256 | !path_is_absolute(p->pw_shell) || | |
257 | is_nologin_shell(p->pw_shell))) | |
fafff8f1 LP |
258 | *shell = NULL; |
259 | else | |
260 | *shell = p->pw_shell; | |
261 | } | |
be39ccf3 LP |
262 | |
263 | return 0; | |
264 | } | |
265 | ||
fafff8f1 | 266 | int get_group_creds(const char **groupname, gid_t *gid, UserCredsFlags flags) { |
b1d4f8e1 LP |
267 | struct group *g; |
268 | gid_t id; | |
269 | ||
270 | assert(groupname); | |
271 | ||
fafff8f1 | 272 | /* We enforce some special rules for gid=0: in order to avoid NSS lookups for root we hardcode its data. */ |
b1d4f8e1 | 273 | |
7e61fd02 | 274 | if (STR_IN_SET(*groupname, "root", "0")) { |
b1d4f8e1 LP |
275 | *groupname = "root"; |
276 | ||
277 | if (gid) | |
278 | *gid = 0; | |
279 | ||
280 | return 0; | |
281 | } | |
282 | ||
24eccc34 LP |
283 | if (synthesize_nobody() && |
284 | STR_IN_SET(*groupname, NOBODY_GROUP_NAME, "65534")) { | |
7e61fd02 LP |
285 | *groupname = NOBODY_GROUP_NAME; |
286 | ||
287 | if (gid) | |
288 | *gid = GID_NOBODY; | |
289 | ||
290 | return 0; | |
291 | } | |
292 | ||
b1d4f8e1 LP |
293 | if (parse_gid(*groupname, &id) >= 0) { |
294 | errno = 0; | |
295 | g = getgrgid(id); | |
296 | ||
297 | if (g) | |
298 | *groupname = g->gr_name; | |
fafff8f1 LP |
299 | else if (FLAGS_SET(flags, USER_CREDS_ALLOW_MISSING)) { |
300 | if (gid) | |
301 | *gid = id; | |
302 | ||
303 | return 0; | |
304 | } | |
b1d4f8e1 LP |
305 | } else { |
306 | errno = 0; | |
307 | g = getgrnam(*groupname); | |
308 | } | |
309 | ||
310 | if (!g) | |
66855de7 | 311 | return errno_or_else(ESRCH); |
b1d4f8e1 | 312 | |
67c7c892 LP |
313 | if (gid) { |
314 | if (!gid_is_valid(g->gr_gid)) | |
315 | return -EBADMSG; | |
316 | ||
b1d4f8e1 | 317 | *gid = g->gr_gid; |
67c7c892 | 318 | } |
b1d4f8e1 LP |
319 | |
320 | return 0; | |
321 | } | |
322 | ||
323 | char* uid_to_name(uid_t uid) { | |
d0260817 LP |
324 | char *ret; |
325 | int r; | |
b1d4f8e1 | 326 | |
d0260817 | 327 | /* Shortcut things to avoid NSS lookups */ |
b1d4f8e1 LP |
328 | if (uid == 0) |
329 | return strdup("root"); | |
24eccc34 LP |
330 | if (synthesize_nobody() && |
331 | uid == UID_NOBODY) | |
7e61fd02 | 332 | return strdup(NOBODY_USER_NAME); |
b1d4f8e1 | 333 | |
d0260817 LP |
334 | if (uid_is_valid(uid)) { |
335 | long bufsize; | |
336 | ||
337 | bufsize = sysconf(_SC_GETPW_R_SIZE_MAX); | |
338 | if (bufsize <= 0) | |
339 | bufsize = 4096; | |
340 | ||
341 | for (;;) { | |
342 | struct passwd pwbuf, *pw = NULL; | |
343 | _cleanup_free_ char *buf = NULL; | |
344 | ||
345 | buf = malloc(bufsize); | |
346 | if (!buf) | |
347 | return NULL; | |
348 | ||
349 | r = getpwuid_r(uid, &pwbuf, buf, (size_t) bufsize, &pw); | |
350 | if (r == 0 && pw) | |
351 | return strdup(pw->pw_name); | |
352 | if (r != ERANGE) | |
353 | break; | |
354 | ||
47436d30 LP |
355 | if (bufsize > LONG_MAX/2) /* overflow check */ |
356 | return NULL; | |
357 | ||
d0260817 LP |
358 | bufsize *= 2; |
359 | } | |
360 | } | |
b1d4f8e1 | 361 | |
d0260817 | 362 | if (asprintf(&ret, UID_FMT, uid) < 0) |
b1d4f8e1 LP |
363 | return NULL; |
364 | ||
d0260817 | 365 | return ret; |
b1d4f8e1 LP |
366 | } |
367 | ||
368 | char* gid_to_name(gid_t gid) { | |
d0260817 LP |
369 | char *ret; |
370 | int r; | |
b1d4f8e1 LP |
371 | |
372 | if (gid == 0) | |
373 | return strdup("root"); | |
24eccc34 LP |
374 | if (synthesize_nobody() && |
375 | gid == GID_NOBODY) | |
7e61fd02 | 376 | return strdup(NOBODY_GROUP_NAME); |
b1d4f8e1 | 377 | |
d0260817 LP |
378 | if (gid_is_valid(gid)) { |
379 | long bufsize; | |
380 | ||
381 | bufsize = sysconf(_SC_GETGR_R_SIZE_MAX); | |
382 | if (bufsize <= 0) | |
383 | bufsize = 4096; | |
384 | ||
385 | for (;;) { | |
386 | struct group grbuf, *gr = NULL; | |
387 | _cleanup_free_ char *buf = NULL; | |
388 | ||
389 | buf = malloc(bufsize); | |
390 | if (!buf) | |
391 | return NULL; | |
392 | ||
393 | r = getgrgid_r(gid, &grbuf, buf, (size_t) bufsize, &gr); | |
394 | if (r == 0 && gr) | |
395 | return strdup(gr->gr_name); | |
396 | if (r != ERANGE) | |
397 | break; | |
398 | ||
47436d30 LP |
399 | if (bufsize > LONG_MAX/2) /* overflow check */ |
400 | return NULL; | |
401 | ||
d0260817 LP |
402 | bufsize *= 2; |
403 | } | |
404 | } | |
b1d4f8e1 | 405 | |
d0260817 | 406 | if (asprintf(&ret, GID_FMT, gid) < 0) |
b1d4f8e1 LP |
407 | return NULL; |
408 | ||
d0260817 | 409 | return ret; |
b1d4f8e1 LP |
410 | } |
411 | ||
412 | int in_gid(gid_t gid) { | |
2dc89454 | 413 | long ngroups_max; |
b1d4f8e1 | 414 | gid_t *gids; |
2dc89454 | 415 | int r, i; |
b1d4f8e1 LP |
416 | |
417 | if (getgid() == gid) | |
418 | return 1; | |
419 | ||
420 | if (getegid() == gid) | |
421 | return 1; | |
422 | ||
67c7c892 LP |
423 | if (!gid_is_valid(gid)) |
424 | return -EINVAL; | |
425 | ||
b1d4f8e1 LP |
426 | ngroups_max = sysconf(_SC_NGROUPS_MAX); |
427 | assert(ngroups_max > 0); | |
428 | ||
2dc89454 | 429 | gids = newa(gid_t, ngroups_max); |
b1d4f8e1 LP |
430 | |
431 | r = getgroups(ngroups_max, gids); | |
432 | if (r < 0) | |
433 | return -errno; | |
434 | ||
435 | for (i = 0; i < r; i++) | |
436 | if (gids[i] == gid) | |
437 | return 1; | |
438 | ||
439 | return 0; | |
440 | } | |
441 | ||
442 | int in_group(const char *name) { | |
443 | int r; | |
444 | gid_t gid; | |
445 | ||
fafff8f1 | 446 | r = get_group_creds(&name, &gid, 0); |
b1d4f8e1 LP |
447 | if (r < 0) |
448 | return r; | |
449 | ||
450 | return in_gid(gid); | |
451 | } | |
452 | ||
453 | int get_home_dir(char **_h) { | |
454 | struct passwd *p; | |
455 | const char *e; | |
456 | char *h; | |
457 | uid_t u; | |
458 | ||
459 | assert(_h); | |
460 | ||
461 | /* Take the user specified one */ | |
462 | e = secure_getenv("HOME"); | |
d575f88b | 463 | if (e && path_is_valid(e) && path_is_absolute(e)) { |
b1d4f8e1 LP |
464 | h = strdup(e); |
465 | if (!h) | |
466 | return -ENOMEM; | |
467 | ||
db246781 | 468 | *_h = path_simplify(h, true); |
b1d4f8e1 LP |
469 | return 0; |
470 | } | |
471 | ||
7e61fd02 | 472 | /* Hardcode home directory for root and nobody to avoid NSS */ |
b1d4f8e1 LP |
473 | u = getuid(); |
474 | if (u == 0) { | |
475 | h = strdup("/root"); | |
476 | if (!h) | |
477 | return -ENOMEM; | |
478 | ||
479 | *_h = h; | |
480 | return 0; | |
481 | } | |
24eccc34 LP |
482 | if (synthesize_nobody() && |
483 | u == UID_NOBODY) { | |
7e61fd02 LP |
484 | h = strdup("/"); |
485 | if (!h) | |
486 | return -ENOMEM; | |
487 | ||
488 | *_h = h; | |
489 | return 0; | |
490 | } | |
b1d4f8e1 LP |
491 | |
492 | /* Check the database... */ | |
493 | errno = 0; | |
494 | p = getpwuid(u); | |
495 | if (!p) | |
66855de7 | 496 | return errno_or_else(ESRCH); |
b1d4f8e1 | 497 | |
d575f88b LP |
498 | if (!path_is_valid(p->pw_dir) || |
499 | !path_is_absolute(p->pw_dir)) | |
b1d4f8e1 LP |
500 | return -EINVAL; |
501 | ||
502 | h = strdup(p->pw_dir); | |
503 | if (!h) | |
504 | return -ENOMEM; | |
505 | ||
db246781 | 506 | *_h = path_simplify(h, true); |
b1d4f8e1 LP |
507 | return 0; |
508 | } | |
509 | ||
510 | int get_shell(char **_s) { | |
511 | struct passwd *p; | |
512 | const char *e; | |
513 | char *s; | |
514 | uid_t u; | |
515 | ||
516 | assert(_s); | |
517 | ||
518 | /* Take the user specified one */ | |
b2a3953f | 519 | e = secure_getenv("SHELL"); |
d575f88b | 520 | if (e && path_is_valid(e) && path_is_absolute(e)) { |
b1d4f8e1 LP |
521 | s = strdup(e); |
522 | if (!s) | |
523 | return -ENOMEM; | |
524 | ||
db246781 | 525 | *_s = path_simplify(s, true); |
b1d4f8e1 LP |
526 | return 0; |
527 | } | |
528 | ||
7e61fd02 | 529 | /* Hardcode shell for root and nobody to avoid NSS */ |
b1d4f8e1 LP |
530 | u = getuid(); |
531 | if (u == 0) { | |
532 | s = strdup("/bin/sh"); | |
533 | if (!s) | |
534 | return -ENOMEM; | |
535 | ||
536 | *_s = s; | |
537 | return 0; | |
538 | } | |
24eccc34 LP |
539 | if (synthesize_nobody() && |
540 | u == UID_NOBODY) { | |
6db90462 | 541 | s = strdup(NOLOGIN); |
7e61fd02 LP |
542 | if (!s) |
543 | return -ENOMEM; | |
544 | ||
545 | *_s = s; | |
546 | return 0; | |
547 | } | |
b1d4f8e1 LP |
548 | |
549 | /* Check the database... */ | |
550 | errno = 0; | |
551 | p = getpwuid(u); | |
552 | if (!p) | |
66855de7 | 553 | return errno_or_else(ESRCH); |
b1d4f8e1 | 554 | |
d575f88b LP |
555 | if (!path_is_valid(p->pw_shell) || |
556 | !path_is_absolute(p->pw_shell)) | |
b1d4f8e1 LP |
557 | return -EINVAL; |
558 | ||
559 | s = strdup(p->pw_shell); | |
560 | if (!s) | |
561 | return -ENOMEM; | |
562 | ||
db246781 | 563 | *_s = path_simplify(s, true); |
b1d4f8e1 LP |
564 | return 0; |
565 | } | |
566 | ||
567 | int reset_uid_gid(void) { | |
97f0e76f | 568 | int r; |
b1d4f8e1 | 569 | |
97f0e76f LP |
570 | r = maybe_setgroups(0, NULL); |
571 | if (r < 0) | |
572 | return r; | |
b1d4f8e1 LP |
573 | |
574 | if (setresgid(0, 0, 0) < 0) | |
575 | return -errno; | |
576 | ||
577 | if (setresuid(0, 0, 0) < 0) | |
578 | return -errno; | |
579 | ||
580 | return 0; | |
581 | } | |
e929bee0 LP |
582 | |
583 | int take_etc_passwd_lock(const char *root) { | |
584 | ||
585 | struct flock flock = { | |
586 | .l_type = F_WRLCK, | |
587 | .l_whence = SEEK_SET, | |
588 | .l_start = 0, | |
589 | .l_len = 0, | |
590 | }; | |
591 | ||
592 | const char *path; | |
593 | int fd, r; | |
594 | ||
595 | /* This is roughly the same as lckpwdf(), but not as awful. We | |
596 | * don't want to use alarm() and signals, hence we implement | |
597 | * our own trivial version of this. | |
598 | * | |
599 | * Note that shadow-utils also takes per-database locks in | |
600 | * addition to lckpwdf(). However, we don't given that they | |
61233823 | 601 | * are redundant as they invoke lckpwdf() first and keep |
e929bee0 LP |
602 | * it during everything they do. The per-database locks are |
603 | * awfully racy, and thus we just won't do them. */ | |
604 | ||
605 | if (root) | |
d1e4b8fd | 606 | path = prefix_roota(root, ETC_PASSWD_LOCK_PATH); |
e929bee0 | 607 | else |
d1e4b8fd | 608 | path = ETC_PASSWD_LOCK_PATH; |
e929bee0 LP |
609 | |
610 | fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600); | |
611 | if (fd < 0) | |
d1e4b8fd | 612 | return log_debug_errno(errno, "Cannot open %s: %m", path); |
e929bee0 LP |
613 | |
614 | r = fcntl(fd, F_SETLKW, &flock); | |
615 | if (r < 0) { | |
616 | safe_close(fd); | |
d1e4b8fd | 617 | return log_debug_errno(errno, "Locking %s failed: %m", path); |
e929bee0 LP |
618 | } |
619 | ||
620 | return fd; | |
621 | } | |
e4631b48 | 622 | |
1a29610f | 623 | bool valid_user_group_name_full(const char *u, bool strict) { |
e4631b48 LP |
624 | const char *i; |
625 | long sz; | |
626 | ||
1429dfe5 LP |
627 | /* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, |
628 | * 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules: | |
629 | * | |
1429dfe5 LP |
630 | * - We require that names fit into the appropriate utmp field |
631 | * - We don't allow empty user names | |
1a29610f ZJS |
632 | * - No dots or digits in the first character |
633 | * | |
634 | * If strict==true, additionally: | |
635 | * - We don't allow any dots (this conflicts with chown syntax which permits dots as user/group name separator) | |
1429dfe5 LP |
636 | * |
637 | * Note that other systems are even more restrictive, and don't permit underscores or uppercase characters. | |
638 | */ | |
e4631b48 LP |
639 | |
640 | if (isempty(u)) | |
641 | return false; | |
642 | ||
643 | if (!(u[0] >= 'a' && u[0] <= 'z') && | |
644 | !(u[0] >= 'A' && u[0] <= 'Z') && | |
645 | u[0] != '_') | |
646 | return false; | |
647 | ||
88e2ed0b ZJS |
648 | bool warned = false; |
649 | ||
650 | for (i = u+1; *i; i++) { | |
651 | if (((*i >= 'a' && *i <= 'z') || | |
652 | (*i >= 'A' && *i <= 'Z') || | |
653 | (*i >= '0' && *i <= '9') || | |
654 | IN_SET(*i, '_', '-'))) | |
655 | continue; | |
656 | ||
657 | if (*i == '.' && !strict) { | |
658 | if (!warned) { | |
659 | log_warning("Bad user or group name \"%s\", accepting for compatibility.", u); | |
660 | warned = true; | |
661 | } | |
662 | ||
663 | continue; | |
664 | } | |
665 | ||
666 | return false; | |
667 | } | |
e4631b48 LP |
668 | |
669 | sz = sysconf(_SC_LOGIN_NAME_MAX); | |
670 | assert_se(sz > 0); | |
671 | ||
672 | if ((size_t) (i-u) > (size_t) sz) | |
673 | return false; | |
674 | ||
675 | if ((size_t) (i-u) > UT_NAMESIZE - 1) | |
676 | return false; | |
677 | ||
678 | return true; | |
679 | } | |
680 | ||
1a29610f | 681 | bool valid_user_group_name_or_id_full(const char *u, bool strict) { |
e4631b48 | 682 | |
1a29610f ZJS |
683 | /* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the |
684 | * right range, and not the invalid user ids. */ | |
e4631b48 LP |
685 | |
686 | if (isempty(u)) | |
687 | return false; | |
688 | ||
1a29610f | 689 | if (valid_user_group_name_full(u, strict)) |
e4631b48 LP |
690 | return true; |
691 | ||
692 | return parse_uid(u, NULL) >= 0; | |
693 | } | |
694 | ||
695 | bool valid_gecos(const char *d) { | |
696 | ||
697 | if (!d) | |
698 | return false; | |
699 | ||
700 | if (!utf8_is_valid(d)) | |
701 | return false; | |
702 | ||
703 | if (string_has_cc(d, NULL)) | |
704 | return false; | |
705 | ||
706 | /* Colons are used as field separators, and hence not OK */ | |
707 | if (strchr(d, ':')) | |
708 | return false; | |
709 | ||
710 | return true; | |
711 | } | |
712 | ||
713 | bool valid_home(const char *p) { | |
7b1aaf66 ZJS |
714 | /* Note that this function is also called by valid_shell(), any |
715 | * changes must account for that. */ | |
e4631b48 LP |
716 | |
717 | if (isempty(p)) | |
718 | return false; | |
719 | ||
720 | if (!utf8_is_valid(p)) | |
721 | return false; | |
722 | ||
723 | if (string_has_cc(p, NULL)) | |
724 | return false; | |
725 | ||
726 | if (!path_is_absolute(p)) | |
727 | return false; | |
728 | ||
99be45a4 | 729 | if (!path_is_normalized(p)) |
e4631b48 LP |
730 | return false; |
731 | ||
732 | /* Colons are used as field separators, and hence not OK */ | |
733 | if (strchr(p, ':')) | |
734 | return false; | |
735 | ||
736 | return true; | |
737 | } | |
36d85478 GS |
738 | |
739 | int maybe_setgroups(size_t size, const gid_t *list) { | |
97f0e76f LP |
740 | int r; |
741 | ||
742 | /* Check if setgroups is allowed before we try to drop all the auxiliary groups */ | |
743 | if (size == 0) { /* Dropping all aux groups? */ | |
744 | _cleanup_free_ char *setgroups_content = NULL; | |
745 | bool can_setgroups; | |
746 | ||
747 | r = read_one_line_file("/proc/self/setgroups", &setgroups_content); | |
748 | if (r == -ENOENT) | |
749 | /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */ | |
750 | can_setgroups = true; | |
751 | else if (r < 0) | |
752 | return r; | |
753 | else | |
754 | can_setgroups = streq(setgroups_content, "allow"); | |
755 | ||
756 | if (!can_setgroups) { | |
757 | log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'"); | |
36d85478 | 758 | return 0; |
97f0e76f | 759 | } |
36d85478 | 760 | } |
97f0e76f LP |
761 | |
762 | if (setgroups(size, list) < 0) | |
763 | return -errno; | |
764 | ||
765 | return 0; | |
36d85478 | 766 | } |
24eccc34 LP |
767 | |
768 | bool synthesize_nobody(void) { | |
24eccc34 LP |
769 | /* Returns true when we shall synthesize the "nobody" user (which we do by default). This can be turned off by |
770 | * touching /etc/systemd/dont-synthesize-nobody in order to provide upgrade compatibility with legacy systems | |
771 | * that used the "nobody" user name and group name for other UIDs/GIDs than 65534. | |
772 | * | |
773 | * Note that we do not employ any kind of synchronization on the following caching variable. If the variable is | |
774 | * accessed in multi-threaded programs in the worst case it might happen that we initialize twice, but that | |
775 | * shouldn't matter as each initialization should come to the same result. */ | |
776 | static int cache = -1; | |
777 | ||
778 | if (cache < 0) | |
779 | cache = access("/etc/systemd/dont-synthesize-nobody", F_OK) < 0; | |
780 | ||
781 | return cache; | |
24eccc34 | 782 | } |
100d5f6e FB |
783 | |
784 | int putpwent_sane(const struct passwd *pw, FILE *stream) { | |
785 | assert(pw); | |
786 | assert(stream); | |
787 | ||
788 | errno = 0; | |
789 | if (putpwent(pw, stream) != 0) | |
66855de7 | 790 | return errno_or_else(EIO); |
100d5f6e FB |
791 | |
792 | return 0; | |
793 | } | |
794 | ||
795 | int putspent_sane(const struct spwd *sp, FILE *stream) { | |
796 | assert(sp); | |
797 | assert(stream); | |
798 | ||
799 | errno = 0; | |
800 | if (putspent(sp, stream) != 0) | |
66855de7 | 801 | return errno_or_else(EIO); |
100d5f6e FB |
802 | |
803 | return 0; | |
804 | } | |
805 | ||
806 | int putgrent_sane(const struct group *gr, FILE *stream) { | |
807 | assert(gr); | |
808 | assert(stream); | |
809 | ||
810 | errno = 0; | |
811 | if (putgrent(gr, stream) != 0) | |
66855de7 | 812 | return errno_or_else(EIO); |
100d5f6e FB |
813 | |
814 | return 0; | |
815 | } | |
816 | ||
817 | #if ENABLE_GSHADOW | |
818 | int putsgent_sane(const struct sgrp *sg, FILE *stream) { | |
819 | assert(sg); | |
820 | assert(stream); | |
821 | ||
822 | errno = 0; | |
823 | if (putsgent(sg, stream) != 0) | |
66855de7 | 824 | return errno_or_else(EIO); |
100d5f6e FB |
825 | |
826 | return 0; | |
827 | } | |
828 | #endif | |
829 | ||
830 | int fgetpwent_sane(FILE *stream, struct passwd **pw) { | |
831 | struct passwd *p; | |
832 | ||
833 | assert(pw); | |
834 | assert(stream); | |
835 | ||
836 | errno = 0; | |
837 | p = fgetpwent(stream); | |
ad80c6a6 | 838 | if (!p && errno != ENOENT) |
66855de7 | 839 | return errno_or_else(EIO); |
100d5f6e FB |
840 | |
841 | *pw = p; | |
ad80c6a6 | 842 | return !!p; |
100d5f6e FB |
843 | } |
844 | ||
845 | int fgetspent_sane(FILE *stream, struct spwd **sp) { | |
846 | struct spwd *s; | |
847 | ||
848 | assert(sp); | |
849 | assert(stream); | |
850 | ||
851 | errno = 0; | |
852 | s = fgetspent(stream); | |
ad80c6a6 | 853 | if (!s && errno != ENOENT) |
66855de7 | 854 | return errno_or_else(EIO); |
100d5f6e FB |
855 | |
856 | *sp = s; | |
ad80c6a6 | 857 | return !!s; |
100d5f6e FB |
858 | } |
859 | ||
860 | int fgetgrent_sane(FILE *stream, struct group **gr) { | |
861 | struct group *g; | |
862 | ||
863 | assert(gr); | |
864 | assert(stream); | |
865 | ||
866 | errno = 0; | |
867 | g = fgetgrent(stream); | |
ad80c6a6 | 868 | if (!g && errno != ENOENT) |
66855de7 | 869 | return errno_or_else(EIO); |
100d5f6e FB |
870 | |
871 | *gr = g; | |
ad80c6a6 | 872 | return !!g; |
100d5f6e FB |
873 | } |
874 | ||
875 | #if ENABLE_GSHADOW | |
876 | int fgetsgent_sane(FILE *stream, struct sgrp **sg) { | |
877 | struct sgrp *s; | |
878 | ||
879 | assert(sg); | |
880 | assert(stream); | |
881 | ||
882 | errno = 0; | |
883 | s = fgetsgent(stream); | |
ad80c6a6 | 884 | if (!s && errno != ENOENT) |
66855de7 | 885 | return errno_or_else(EIO); |
100d5f6e FB |
886 | |
887 | *sg = s; | |
ad80c6a6 | 888 | return !!s; |
100d5f6e FB |
889 | } |
890 | #endif | |
f2c5edbe LP |
891 | |
892 | int make_salt(char **ret) { | |
893 | static const char table[] = | |
894 | "abcdefghijklmnopqrstuvwxyz" | |
895 | "ABCDEFGHIJKLMNOPQRSTUVWXYZ" | |
896 | "0123456789" | |
897 | "./"; | |
898 | ||
899 | uint8_t raw[16]; | |
900 | char *salt, *j; | |
901 | size_t i; | |
902 | int r; | |
903 | ||
904 | /* This is a bit like crypt_gensalt_ra(), but doesn't require libcrypt, and doesn't do anything but | |
905 | * SHA512, i.e. is legacy-free and minimizes our deps. */ | |
906 | ||
907 | assert_cc(sizeof(table) == 64U + 1U); | |
908 | ||
909 | /* Insist on the best randomness by setting RANDOM_BLOCK, this is about keeping passwords secret after all. */ | |
910 | r = genuine_random_bytes(raw, sizeof(raw), RANDOM_BLOCK); | |
911 | if (r < 0) | |
912 | return r; | |
913 | ||
914 | salt = new(char, 3+sizeof(raw)+1+1); | |
915 | if (!salt) | |
916 | return -ENOMEM; | |
917 | ||
918 | /* We only bother with SHA512 hashed passwords, the rest is legacy, and we don't do legacy. */ | |
919 | j = stpcpy(salt, "$6$"); | |
920 | for (i = 0; i < sizeof(raw); i++) | |
921 | j[i] = table[raw[i] & 63]; | |
922 | j[i++] = '$'; | |
923 | j[i] = 0; | |
924 | ||
925 | *ret = salt; | |
926 | return 0; | |
927 | } |