[thirdparty/systemd.git] / src / basic / user-util.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include <grp.h>
#if ENABLE_GSHADOW
#  include <gshadow.h>
#endif
#include <pwd.h>
#include <shadow.h>

#include "forward.h"

/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
#define HOME_UID_MIN ((uid_t) 60001)
#define HOME_UID_MAX ((uid_t) 60513)

/* Users mapped from host into a container */
#define MAP_UID_MIN ((uid_t) 60514)
#define MAP_UID_MAX ((uid_t) 60577)

bool uid_is_valid(uid_t uid) _const_;

static inline bool gid_is_valid(gid_t gid) {
        return uid_is_valid((uid_t) gid);
}

int parse_uid(const char *s, uid_t* ret_uid);
int parse_uid_range(const char *s, uid_t *ret_lower, uid_t *ret_upper);

static inline int parse_gid(const char *s, gid_t *ret_gid) {
        return parse_uid(s, (uid_t*) ret_gid);
}

char* getlogname_malloc(void);
char* getusername_malloc(void);

const char* default_root_shell_at(int rfd);
const char* default_root_shell(const char *root);

bool is_nologin_shell(const char *shell) _pure_;
bool shell_is_placeholder(const char *shell) _pure_;

typedef enum UserCredsFlags {
        USER_CREDS_PREFER_NSS           = 1 << 0,  /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
        USER_CREDS_ALLOW_MISSING        = 1 << 1,  /* if a numeric UID string is resolved, be OK if there's no record for it */
        USER_CREDS_CLEAN                = 1 << 2,  /* try to clean up shell and home fields with invalid data */
        USER_CREDS_SUPPRESS_PLACEHOLDER = 1 << 3,  /* suppress home and/or shell fields if value is placeholder (root/empty/nologin) */
} UserCredsFlags;

int get_user_creds(const char **username, uid_t *ret_uid, gid_t *ret_gid, const char **ret_home, const char **ret_shell, UserCredsFlags flags);
int get_group_creds(const char **groupname, gid_t *ret_gid, UserCredsFlags flags);

char* uid_to_name(uid_t uid);
char* gid_to_name(gid_t gid);

int in_gid(gid_t gid);
int in_group(const char *name);

int merge_gid_lists(const gid_t *list1, size_t size1, const gid_t *list2, size_t size2, gid_t **result);
int getgroups_alloc(gid_t **ret);

int get_home_dir(char **ret);
int get_shell(char **ret);

int fully_set_uid_gid(uid_t uid, gid_t gid, const gid_t supplementary_gids[], size_t n_supplementary_gids);
static inline int reset_uid_gid(void) {
        return fully_set_uid_gid(0, 0, NULL, 0);
}

int take_etc_passwd_lock(const char *root);

#define UID_INVALID ((uid_t) -1)
#define GID_INVALID ((gid_t) -1)

#define UID_NOBODY ((uid_t) 65534U)
#define GID_NOBODY ((gid_t) 65534U)

/* If REMOUNT_IDMAPPING_HOST_ROOT is set for remount_idmap() we'll include a mapping here that maps the host
 * root user accessing the idmapped mount to the this user ID on the backing fs. This is the last valid UID in
 * the *signed* 32-bit range. You might wonder why precisely use this specific UID for this purpose? Well, we
 * definitely cannot use the first 0…65536 UIDs for that, since in most cases that's precisely the file range
 * we intend to map to some high UID range, and since UID mappings have to be bijective we thus cannot use
 * them at all. Furthermore the UID range beyond INT32_MAX (i.e. the range above the signed 32-bit range) is
 * icky, since many APIs cannot use it (example: setfsuid() returns the old UID as signed integer). Following
 * our usual logic of assigning a 16-bit UID range to each container, so that the upper 16-bit of a 32-bit UID
 * value indicate kind of a "container ID" and the lower 16-bit map directly to the intended user you can read
 * this specific UID as the "nobody" user of the container with ID 0x7FFF, which is kinda nice. */
#define UID_MAPPED_ROOT ((uid_t) (INT32_MAX-1))
#define GID_MAPPED_ROOT ((gid_t) (INT32_MAX-1))

#define ETC_PASSWD_LOCK_FILENAME ".pwd.lock"
#define ETC_PASSWD_LOCK_PATH "/etc/" ETC_PASSWD_LOCK_FILENAME

/* The following macros add 1 when converting things, since UID 0 is a valid UID, while the pointer
 * NULL is special */
#define PTR_TO_UID(p) ((uid_t) (((uintptr_t) (p))-1))
#define UID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))

#define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
#define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))

typedef enum ValidUserFlags {
        VALID_USER_RELAX         = 1 << 0,
        VALID_USER_WARN          = 1 << 1,
        VALID_USER_ALLOW_NUMERIC = 1 << 2,
} ValidUserFlags;

bool valid_user_group_name(const char *u, ValidUserFlags flags);
bool valid_gecos(const char *d);
char* mangle_gecos(const char *d);
bool valid_home(const char *p);
bool valid_shell(const char *p);

int maybe_setgroups(size_t size, const gid_t *list);

bool synthesize_nobody(void);

int fgetpwent_sane(FILE *stream, struct passwd **pw);
int fgetspent_sane(FILE *stream, struct spwd **sp);
int fgetgrent_sane(FILE *stream, struct group **gr);
int putpwent_sane(const struct passwd *pw, FILE *stream);
int putspent_sane(const struct spwd *sp, FILE *stream);
int putgrent_sane(const struct group *gr, FILE *stream);
#if ENABLE_GSHADOW
int fgetsgent_sane(FILE *stream, struct sgrp **sg);
int putsgent_sane(const struct sgrp *sg, FILE *stream);
#endif

int is_this_me(const char *username);

const char* get_home_root(void);

static inline bool hashed_password_is_locked_or_invalid(const char *password) {
        return password && password[0] != '$';
}

/* A locked *and* invalid password for "struct spwd"'s .sp_pwdp and "struct passwd"'s .pw_passwd field */
#define PASSWORD_LOCKED_AND_INVALID "!*"

/* A password indicating "look in shadow file, please!" for "struct passwd"'s .pw_passwd */
#define PASSWORD_SEE_SHADOW "x"

/* A password indicating "hey, no password required for login" */
#define PASSWORD_NONE ""

/* Used by sysusers to indicate that the password should be filled in by firstboot.
 * Also see https://github.com/systemd/systemd/pull/24680#pullrequestreview-1439464325.
 */
#define PASSWORD_UNPROVISIONED "!unprovisioned"

int getpwuid_malloc(uid_t uid, struct passwd **ret);
int getpwnam_malloc(const char *name, struct passwd **ret);

int getgrnam_malloc(const char *name, struct group **ret);
int getgrgid_malloc(gid_t gid, struct group **ret);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
b1d4f8e1 LP	2	#pragma once
b1d4f8e1 LP	3
100d5f6e	4	#include <grp.h>
66a5b5ce	5	#if ENABLE_GSHADOW
98dcb8f4	6	# include <gshadow.h>
66a5b5ce	7	#endif
100d5f6e FB	8	#include <pwd.h>
100d5f6e FB	9	#include <shadow.h>
b1d4f8e1	10
0c15577a	11	#include "forward.h"
579ce77e	12
76ef5d04	13	/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
63b98386 JJ	14	#define HOME_UID_MIN ((uid_t) 60001)
63b98386 JJ	15	#define HOME_UID_MAX ((uid_t) 60513)
76ef5d04 LP	16
76ef5d04 LP	17	/* Users mapped from host into a container */
63b98386 JJ	18	#define MAP_UID_MIN ((uid_t) 60514)
63b98386 JJ	19	#define MAP_UID_MAX ((uid_t) 60577)
76ef5d04	20
180341e7	21	bool uid_is_valid(uid_t uid) _const_;
b1d4f8e1 LP	22
	23	static inline bool gid_is_valid(gid_t gid) {
	24	return uid_is_valid((uid_t) gid);
	25	}
	26
	27	int parse_uid(const char s, uid_t ret_uid);
03de302a	28	int parse_uid_range(const char s, uid_t ret_lower, uid_t *ret_upper);
b1d4f8e1 LP	29
	30	static inline int parse_gid(const char s, gid_t ret_gid) {
	31	return parse_uid(s, (uid_t*) ret_gid);
	32	}
	33
b1d4f8e1 LP	34	char* getlogname_malloc(void);
	35	char* getusername_malloc(void);
	36
579ce77e MY	37	const char* default_root_shell_at(int rfd);
	38	const char* default_root_shell(const char *root);
	39
180341e7	40	bool is_nologin_shell(const char *shell) _pure_;
0c15577a	41	bool shell_is_placeholder(const char *shell) _pure_;
579ce77e	42
fafff8f1	43	typedef enum UserCredsFlags {
eea9d3eb MY	44	USER_CREDS_PREFER_NSS = 1 << 0, /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
	45	USER_CREDS_ALLOW_MISSING = 1 << 1, /* if a numeric UID string is resolved, be OK if there's no record for it */
	46	USER_CREDS_CLEAN = 1 << 2, /* try to clean up shell and home fields with invalid data */
	47	USER_CREDS_SUPPRESS_PLACEHOLDER = 1 << 3, /* suppress home and/or shell fields if value is placeholder (root/empty/nologin) */
fafff8f1 LP	48	} UserCredsFlags;
fafff8f1 LP	49
83e9b584 LP	50	int get_user_creds(const char *username, uid_t ret_uid, gid_t ret_gid, const char ret_home, const char *ret_shell, UserCredsFlags flags);
83e9b584 LP	51	int get_group_creds(const char *groupname, gid_t ret_gid, UserCredsFlags flags);
b1d4f8e1 LP	52
	53	char* uid_to_name(uid_t uid);
	54	char* gid_to_name(gid_t gid);
	55
	56	int in_gid(gid_t gid);
	57	int in_group(const char *name);
	58
0c5d6679	59	int merge_gid_lists(const gid_t list1, size_t size1, const gid_t list2, size_t size2, gid_t **result);
f0e8db76	60	int getgroups_alloc(gid_t **ret);
0c5d6679	61
b1d4f8e1	62	int get_home_dir(char **ret);
8795d9ba	63	int get_shell(char **ret);
b1d4f8e1	64
6498a0c2 LP	65	int fully_set_uid_gid(uid_t uid, gid_t gid, const gid_t supplementary_gids[], size_t n_supplementary_gids);
	66	static inline int reset_uid_gid(void) {
	67	return fully_set_uid_gid(0, 0, NULL, 0);
	68	}
e929bee0 LP	69
e929bee0 LP	70	int take_etc_passwd_lock(const char *root);
ee104e11 LP	71
	72	#define UID_INVALID ((uid_t) -1)
	73	#define GID_INVALID ((gid_t) -1)
	74
3a664727 LP	75	#define UID_NOBODY ((uid_t) 65534U)
	76	#define GID_NOBODY ((gid_t) 65534U)
	77
1aa18710 QD	78	/* If REMOUNT_IDMAPPING_HOST_ROOT is set for remount_idmap() we'll include a mapping here that maps the host
1aa18710 QD	79	* root user accessing the idmapped mount to the this user ID on the backing fs. This is the last valid UID in
da890466	80	* the signed 32-bit range. You might wonder why precisely use this specific UID for this purpose? Well, we
50ae2966 LP	81	* definitely cannot use the first 0…65536 UIDs for that, since in most cases that's precisely the file range
50ae2966 LP	82	* we intend to map to some high UID range, and since UID mappings have to be bijective we thus cannot use
da890466	83	* them at all. Furthermore the UID range beyond INT32_MAX (i.e. the range above the signed 32-bit range) is
50ae2966	84	* icky, since many APIs cannot use it (example: setfsuid() returns the old UID as signed integer). Following
da890466 ZJS	85	* our usual logic of assigning a 16-bit UID range to each container, so that the upper 16-bit of a 32-bit UID
da890466 ZJS	86	* value indicate kind of a "container ID" and the lower 16-bit map directly to the intended user you can read
50ae2966 LP	87	* this specific UID as the "nobody" user of the container with ID 0x7FFF, which is kinda nice. */
	88	#define UID_MAPPED_ROOT ((uid_t) (INT32_MAX-1))
	89	#define GID_MAPPED_ROOT ((gid_t) (INT32_MAX-1))
	90
fe585662 DDM	91	#define ETC_PASSWD_LOCK_FILENAME ".pwd.lock"
fe585662 DDM	92	#define ETC_PASSWD_LOCK_PATH "/etc/" ETC_PASSWD_LOCK_FILENAME
d1e4b8fd	93
61755fda ZJS	94	/* The following macros add 1 when converting things, since UID 0 is a valid UID, while the pointer
61755fda ZJS	95	* NULL is special */
ee104e11 LP	96	#define PTR_TO_UID(p) ((uid_t) (((uintptr_t) (p))-1))
	97	#define UID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
	98
	99	#define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
	100	#define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
ccabee0d	101
7a8867ab LP	102	typedef enum ValidUserFlags {
	103	VALID_USER_RELAX = 1 << 0,
	104	VALID_USER_WARN = 1 << 1,
	105	VALID_USER_ALLOW_NUMERIC = 1 << 2,
	106	} ValidUserFlags;
	107
	108	bool valid_user_group_name(const char *u, ValidUserFlags flags);
e4631b48	109	bool valid_gecos(const char *d);
78435d62	110	char* mangle_gecos(const char *d);
e4631b48	111	bool valid_home(const char *p);
4167e9e2	112	bool valid_shell(const char *p);
7b1aaf66	113
36d85478	114	int maybe_setgroups(size_t size, const gid_t *list);
24eccc34 LP	115
24eccc34 LP	116	bool synthesize_nobody(void);
100d5f6e FB	117
	118	int fgetpwent_sane(FILE stream, struct passwd *pw);
	119	int fgetspent_sane(FILE stream, struct spwd *sp);
	120	int fgetgrent_sane(FILE stream, struct group *gr);
	121	int putpwent_sane(const struct passwd pw, FILE stream);
	122	int putspent_sane(const struct spwd sp, FILE stream);
	123	int putgrent_sane(const struct group gr, FILE stream);
4f07ffa8	124	#if ENABLE_GSHADOW
100d5f6e FB	125	int fgetsgent_sane(FILE stream, struct sgrp *sg);
	126	int putsgent_sane(const struct sgrp sg, FILE stream);
	127	#endif
f2c5edbe	128
7bdbafc2	129	int is_this_me(const char *username);
53c25ac9	130
78435d62	131	const char* get_home_root(void);
2700fecd	132
cd933f14 P	133	static inline bool hashed_password_is_locked_or_invalid(const char *password) {
	134	return password && password[0] != '$';
	135	}
	136
53c25ac9 LP	137	/* A locked and invalid password for "struct spwd"'s .sp_pwdp and "struct passwd"'s .pw_passwd field */
	138	#define PASSWORD_LOCKED_AND_INVALID "!*"
	139
	140	/* A password indicating "look in shadow file, please!" for "struct passwd"'s .pw_passwd */
	141	#define PASSWORD_SEE_SHADOW "x"
	142
	143	/* A password indicating "hey, no password required for login" */
	144	#define PASSWORD_NONE ""
a777a592 ZJS	145
	146	/* Used by sysusers to indicate that the password should be filled in by firstboot.
	147	* Also see https://github.com/systemd/systemd/pull/24680#pullrequestreview-1439464325.
	148	*/
	149	#define PASSWORD_UNPROVISIONED "!unprovisioned"
75673cd8 LP	150
	151	int getpwuid_malloc(uid_t uid, struct passwd **ret);
	152	int getpwnam_malloc(const char name, struct passwd *ret);
	153
	154	int getgrnam_malloc(const char name, struct group *ret);
	155	int getgrgid_malloc(gid_t gid, struct group **ret);