]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
29206d46 LP |
2 | /*** |
3 | This file is part of systemd. | |
4 | ||
5 | Copyright 2016 Lennart Poettering | |
29206d46 LP |
6 | ***/ |
7 | ||
8 | #include <grp.h> | |
9 | #include <pwd.h> | |
10 | #include <sys/file.h> | |
11 | ||
98e4fcec | 12 | #include "clean-ipc.h" |
29206d46 LP |
13 | #include "dynamic-user.h" |
14 | #include "fd-util.h" | |
e6a7ec4b | 15 | #include "fileio.h" |
29206d46 | 16 | #include "fs-util.h" |
e6a7ec4b | 17 | #include "io-util.h" |
29206d46 LP |
18 | #include "parse-util.h" |
19 | #include "random-util.h" | |
57b7a260 | 20 | #include "socket-util.h" |
29206d46 LP |
21 | #include "stdio-util.h" |
22 | #include "string-util.h" | |
23 | #include "user-util.h" | |
29206d46 | 24 | |
29206d46 | 25 | /* Takes a value generated randomly or by hashing and turns it into a UID in the right range */ |
61755fda | 26 | #define UID_CLAMP_INTO_RANGE(rnd) (((uid_t) (rnd) % (DYNAMIC_UID_MAX - DYNAMIC_UID_MIN + 1)) + DYNAMIC_UID_MIN) |
29206d46 LP |
27 | |
28 | static DynamicUser* dynamic_user_free(DynamicUser *d) { | |
29 | if (!d) | |
30 | return NULL; | |
31 | ||
32 | if (d->manager) | |
33 | (void) hashmap_remove(d->manager->dynamic_users, d->name); | |
34 | ||
35 | safe_close_pair(d->storage_socket); | |
6b430fdb | 36 | return mfree(d); |
29206d46 LP |
37 | } |
38 | ||
39 | static int dynamic_user_add(Manager *m, const char *name, int storage_socket[2], DynamicUser **ret) { | |
40 | DynamicUser *d = NULL; | |
41 | int r; | |
42 | ||
43 | assert(m); | |
44 | assert(name); | |
45 | assert(storage_socket); | |
46 | ||
47 | r = hashmap_ensure_allocated(&m->dynamic_users, &string_hash_ops); | |
48 | if (r < 0) | |
49 | return r; | |
50 | ||
51 | d = malloc0(offsetof(DynamicUser, name) + strlen(name) + 1); | |
52 | if (!d) | |
53 | return -ENOMEM; | |
54 | ||
55 | strcpy(d->name, name); | |
56 | ||
57 | d->storage_socket[0] = storage_socket[0]; | |
58 | d->storage_socket[1] = storage_socket[1]; | |
59 | ||
60 | r = hashmap_put(m->dynamic_users, d->name, d); | |
61 | if (r < 0) { | |
62 | free(d); | |
63 | return r; | |
64 | } | |
65 | ||
66 | d->manager = m; | |
67 | ||
68 | if (ret) | |
69 | *ret = d; | |
70 | ||
71 | return 0; | |
72 | } | |
73 | ||
9da440b1 | 74 | static int dynamic_user_acquire(Manager *m, const char *name, DynamicUser** ret) { |
29206d46 LP |
75 | _cleanup_close_pair_ int storage_socket[2] = { -1, -1 }; |
76 | DynamicUser *d; | |
77 | int r; | |
78 | ||
79 | assert(m); | |
80 | assert(name); | |
81 | ||
82 | /* Return the DynamicUser structure for a specific user name. Note that this won't actually allocate a UID for | |
83 | * it, but just prepare the data structure for it. The UID is allocated only on demand, when it's really | |
84 | * needed, and in the child process we fork off, since allocation involves NSS checks which are not OK to do | |
85 | * from PID 1. To allow the children and PID 1 share information about allocated UIDs we use an anonymous | |
86 | * AF_UNIX/SOCK_DGRAM socket (called the "storage socket") that contains at most one datagram with the | |
87 | * allocated UID number, plus an fd referencing the lock file for the UID | |
88 | * (i.e. /run/systemd/dynamic-uid/$UID). Why involve the socket pair? So that PID 1 and all its children can | |
89 | * share the same storage for the UID and lock fd, simply by inheriting the storage socket fds. The socket pair | |
90 | * may exist in three different states: | |
91 | * | |
92 | * a) no datagram stored. This is the initial state. In this case the dynamic user was never realized. | |
93 | * | |
94 | * b) a datagram containing a UID stored, but no lock fd attached to it. In this case there was already a | |
95 | * statically assigned UID by the same name, which we are reusing. | |
96 | * | |
97 | * c) a datagram containing a UID stored, and a lock fd is attached to it. In this case we allocated a dynamic | |
98 | * UID and locked it in the file system, using the lock fd. | |
99 | * | |
100 | * As PID 1 and various children might access the socket pair simultaneously, and pop the datagram or push it | |
101 | * back in any time, we also maintain a lock on the socket pair. Note one peculiarity regarding locking here: | |
102 | * the UID lock on disk is protected via a BSD file lock (i.e. an fd-bound lock), so that the lock is kept in | |
103 | * place as long as there's a reference to the fd open. The lock on the storage socket pair however is a POSIX | |
104 | * file lock (i.e. a process-bound lock), as all users share the same fd of this (after all it is anonymous, | |
105 | * nobody else could get any access to it except via our own fd) and we want to synchronize access between all | |
106 | * processes that have access to it. */ | |
107 | ||
108 | d = hashmap_get(m->dynamic_users, name); | |
109 | if (d) { | |
110 | /* We already have a structure for the dynamic user, let's increase the ref count and reuse it */ | |
111 | d->n_ref++; | |
112 | *ret = d; | |
113 | return 0; | |
114 | } | |
115 | ||
116 | if (!valid_user_group_name_or_id(name)) | |
117 | return -EINVAL; | |
118 | ||
119 | if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, storage_socket) < 0) | |
120 | return -errno; | |
121 | ||
122 | r = dynamic_user_add(m, name, storage_socket, &d); | |
123 | if (r < 0) | |
124 | return r; | |
125 | ||
126 | storage_socket[0] = storage_socket[1] = -1; | |
127 | ||
128 | if (ret) { | |
129 | d->n_ref++; | |
130 | *ret = d; | |
131 | } | |
132 | ||
133 | return 1; | |
134 | } | |
135 | ||
fd63e712 LP |
136 | static int make_uid_symlinks(uid_t uid, const char *name, bool b) { |
137 | ||
fbd0b64f | 138 | char path1[STRLEN("/run/systemd/dynamic-uid/direct:") + DECIMAL_STR_MAX(uid_t) + 1]; |
fd63e712 | 139 | const char *path2; |
986a34a6 | 140 | int r = 0, k; |
fd63e712 LP |
141 | |
142 | /* Add direct additional symlinks for direct lookups of dynamic UIDs and their names by userspace code. The | |
143 | * only reason we have this is because dbus-daemon cannot use D-Bus for resolving users and groups (since it | |
144 | * would be its own client then). We hence keep these world-readable symlinks in place, so that the | |
145 | * unprivileged dbus user can read the mappings when it needs them via these symlinks instead of having to go | |
146 | * via the bus. Ideally, we'd use the lock files we keep for this anyway, but we can't since we use BSD locks | |
147 | * on them and as those may be taken by any user with read access we can't make them world-readable. */ | |
148 | ||
149 | xsprintf(path1, "/run/systemd/dynamic-uid/direct:" UID_FMT, uid); | |
986a34a6 ZJS |
150 | if (unlink(path1) < 0 && errno != ENOENT) |
151 | r = -errno; | |
152 | ||
153 | if (b && symlink(name, path1) < 0) { | |
154 | k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path1); | |
155 | if (r == 0) | |
156 | r = k; | |
fd63e712 LP |
157 | } |
158 | ||
159 | path2 = strjoina("/run/systemd/dynamic-uid/direct:", name); | |
986a34a6 ZJS |
160 | if (unlink(path2) < 0 && errno != ENOENT) { |
161 | k = -errno; | |
162 | if (r == 0) | |
163 | r = k; | |
fd63e712 | 164 | } |
986a34a6 | 165 | |
fbd0b64f | 166 | if (b && symlink(path1 + STRLEN("/run/systemd/dynamic-uid/direct:"), path2) < 0) { |
986a34a6 ZJS |
167 | k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path2); |
168 | if (r == 0) | |
169 | r = k; | |
fd63e712 LP |
170 | } |
171 | ||
172 | return r; | |
173 | } | |
174 | ||
da50b85a LP |
175 | static int pick_uid(char **suggested_paths, const char *name, uid_t *ret_uid) { |
176 | ||
177 | /* Find a suitable free UID. We use the following strategy to find a suitable UID: | |
178 | * | |
179 | * 1. Initially, we try to read the UID of a number of specified paths. If any of these UIDs works, we use | |
180 | * them. We use in order to increase the chance of UID reuse, if StateDirectory=, CacheDirectory= or | |
181 | * LogDirectory= are used, as reusing the UID these directories are owned by saves us from having to | |
182 | * recursively chown() them to new users. | |
183 | * | |
184 | * 2. If that didn't yield a currently unused UID, we hash the user name, and try to use that. This should be | |
185 | * pretty good, as the use ris by default derived from the unit name, and hence the same service and same | |
186 | * user should usually get the same UID as long as our hashing doesn't clash. | |
187 | * | |
188 | * 3. Finally, if that didn't work, we randomly pick UIDs, until we find one that is empty. | |
189 | * | |
190 | * Since the dynamic UID space is relatively small we'll stop trying after 100 iterations, giving up. */ | |
191 | ||
192 | enum { | |
193 | PHASE_SUGGESTED, /* the first phase, reusing directory ownership UIDs */ | |
194 | PHASE_HASHED, /* the second phase, deriving a UID from the username by hashing */ | |
195 | PHASE_RANDOM, /* the last phase, randomly picking UIDs */ | |
196 | } phase = PHASE_SUGGESTED; | |
29206d46 LP |
197 | |
198 | static const uint8_t hash_key[] = { | |
199 | 0x37, 0x53, 0x7e, 0x31, 0xcf, 0xce, 0x48, 0xf5, | |
200 | 0x8a, 0xbb, 0x39, 0x57, 0x8d, 0xd9, 0xec, 0x59 | |
201 | }; | |
202 | ||
da50b85a | 203 | unsigned n_tries = 100, current_suggested = 0; |
29206d46 LP |
204 | int r; |
205 | ||
29206d46 LP |
206 | (void) mkdir("/run/systemd/dynamic-uid", 0755); |
207 | ||
208 | for (;;) { | |
fbd0b64f | 209 | char lock_path[STRLEN("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; |
29206d46 | 210 | _cleanup_close_ int lock_fd = -1; |
da50b85a | 211 | uid_t candidate; |
29206d46 LP |
212 | ssize_t l; |
213 | ||
214 | if (--n_tries <= 0) /* Give up retrying eventually */ | |
215 | return -EBUSY; | |
216 | ||
da50b85a LP |
217 | switch (phase) { |
218 | ||
219 | case PHASE_SUGGESTED: { | |
220 | struct stat st; | |
221 | ||
222 | if (!suggested_paths || !suggested_paths[current_suggested]) { | |
223 | /* We reached the end of the suggested paths list, let's try by hashing the name */ | |
224 | phase = PHASE_HASHED; | |
225 | continue; | |
226 | } | |
227 | ||
228 | if (stat(suggested_paths[current_suggested++], &st) < 0) | |
229 | continue; /* We can't read the UID of this path, but that doesn't matter, just try the next */ | |
230 | ||
231 | candidate = st.st_uid; | |
232 | break; | |
233 | } | |
234 | ||
235 | case PHASE_HASHED: | |
236 | /* A static user by this name does not exist yet. Let's find a free ID then, and use that. We | |
237 | * start with a UID generated as hash from the user name. */ | |
238 | candidate = UID_CLAMP_INTO_RANGE(siphash24(name, strlen(name), hash_key)); | |
239 | ||
240 | /* If this one fails, we should proceed with random tries */ | |
241 | phase = PHASE_RANDOM; | |
242 | break; | |
243 | ||
244 | case PHASE_RANDOM: | |
245 | ||
246 | /* Pick another random UID, and see if that works for us. */ | |
247 | random_bytes(&candidate, sizeof(candidate)); | |
248 | candidate = UID_CLAMP_INTO_RANGE(candidate); | |
249 | break; | |
250 | ||
251 | default: | |
252 | assert_not_reached("unknown phase"); | |
253 | } | |
254 | ||
255 | /* Make sure whatever we picked here actually is in the right range */ | |
61755fda | 256 | if (!uid_is_dynamic(candidate)) |
da50b85a | 257 | continue; |
29206d46 LP |
258 | |
259 | xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, candidate); | |
260 | ||
261 | for (;;) { | |
262 | struct stat st; | |
263 | ||
264 | lock_fd = open(lock_path, O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, 0600); | |
265 | if (lock_fd < 0) | |
266 | return -errno; | |
267 | ||
268 | r = flock(lock_fd, LOCK_EX|LOCK_NB); /* Try to get a BSD file lock on the UID lock file */ | |
269 | if (r < 0) { | |
3742095b | 270 | if (IN_SET(errno, EBUSY, EAGAIN)) |
29206d46 LP |
271 | goto next; /* already in use */ |
272 | ||
273 | return -errno; | |
274 | } | |
275 | ||
276 | if (fstat(lock_fd, &st) < 0) | |
277 | return -errno; | |
278 | if (st.st_nlink > 0) | |
279 | break; | |
280 | ||
629ff674 | 281 | /* Oh, bummer, we got the lock, but the file was unlinked between the time we opened it and |
29206d46 LP |
282 | * got the lock. Close it, and try again. */ |
283 | lock_fd = safe_close(lock_fd); | |
284 | } | |
285 | ||
286 | /* Some superficial check whether this UID/GID might already be taken by some static user */ | |
98e4fcec LP |
287 | if (getpwuid(candidate) || |
288 | getgrgid((gid_t) candidate) || | |
289 | search_ipc(candidate, (gid_t) candidate) != 0) { | |
29206d46 | 290 | (void) unlink(lock_path); |
da50b85a | 291 | continue; |
29206d46 LP |
292 | } |
293 | ||
294 | /* Let's store the user name in the lock file, so that we can use it for looking up the username for a UID */ | |
295 | l = pwritev(lock_fd, | |
296 | (struct iovec[2]) { | |
e6a7ec4b LP |
297 | IOVEC_INIT_STRING(name), |
298 | IOVEC_INIT((char[1]) { '\n' }, 1), | |
29206d46 LP |
299 | }, 2, 0); |
300 | if (l < 0) { | |
e53c42ca | 301 | r = -errno; |
29206d46 | 302 | (void) unlink(lock_path); |
e53c42ca | 303 | return r; |
29206d46 LP |
304 | } |
305 | ||
306 | (void) ftruncate(lock_fd, l); | |
fd63e712 | 307 | (void) make_uid_symlinks(candidate, name, true); /* also add direct lookup symlinks */ |
29206d46 LP |
308 | |
309 | *ret_uid = candidate; | |
c10d6bdb | 310 | return TAKE_FD(lock_fd); |
29206d46 LP |
311 | |
312 | next: | |
da50b85a | 313 | ; |
29206d46 LP |
314 | } |
315 | } | |
316 | ||
317 | static int dynamic_user_pop(DynamicUser *d, uid_t *ret_uid, int *ret_lock_fd) { | |
318 | uid_t uid = UID_INVALID; | |
e6a7ec4b | 319 | struct iovec iov = IOVEC_INIT(&uid, sizeof(uid)); |
29206d46 LP |
320 | union { |
321 | struct cmsghdr cmsghdr; | |
322 | uint8_t buf[CMSG_SPACE(sizeof(int))]; | |
323 | } control = {}; | |
324 | struct msghdr mh = { | |
325 | .msg_control = &control, | |
326 | .msg_controllen = sizeof(control), | |
327 | .msg_iov = &iov, | |
328 | .msg_iovlen = 1, | |
329 | }; | |
330 | struct cmsghdr *cmsg; | |
331 | ||
332 | ssize_t k; | |
333 | int lock_fd = -1; | |
334 | ||
335 | assert(d); | |
336 | assert(ret_uid); | |
337 | assert(ret_lock_fd); | |
338 | ||
339 | /* Read the UID and lock fd that is stored in the storage AF_UNIX socket. This should be called with the lock | |
340 | * on the socket taken. */ | |
341 | ||
342 | k = recvmsg(d->storage_socket[0], &mh, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC); | |
343 | if (k < 0) | |
344 | return -errno; | |
345 | ||
346 | cmsg = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int))); | |
347 | if (cmsg) | |
348 | lock_fd = *(int*) CMSG_DATA(cmsg); | |
349 | else | |
350 | cmsg_close_all(&mh); /* just in case... */ | |
351 | ||
352 | *ret_uid = uid; | |
353 | *ret_lock_fd = lock_fd; | |
354 | ||
355 | return 0; | |
356 | } | |
357 | ||
358 | static int dynamic_user_push(DynamicUser *d, uid_t uid, int lock_fd) { | |
e6a7ec4b | 359 | struct iovec iov = IOVEC_INIT(&uid, sizeof(uid)); |
29206d46 LP |
360 | union { |
361 | struct cmsghdr cmsghdr; | |
362 | uint8_t buf[CMSG_SPACE(sizeof(int))]; | |
363 | } control = {}; | |
364 | struct msghdr mh = { | |
365 | .msg_control = &control, | |
366 | .msg_controllen = sizeof(control), | |
367 | .msg_iov = &iov, | |
368 | .msg_iovlen = 1, | |
369 | }; | |
370 | ssize_t k; | |
371 | ||
372 | assert(d); | |
373 | ||
374 | /* Store the UID and lock_fd in the storage socket. This should be called with the socket pair lock taken. */ | |
375 | ||
376 | if (lock_fd >= 0) { | |
377 | struct cmsghdr *cmsg; | |
378 | ||
379 | cmsg = CMSG_FIRSTHDR(&mh); | |
380 | cmsg->cmsg_level = SOL_SOCKET; | |
381 | cmsg->cmsg_type = SCM_RIGHTS; | |
382 | cmsg->cmsg_len = CMSG_LEN(sizeof(int)); | |
383 | memcpy(CMSG_DATA(cmsg), &lock_fd, sizeof(int)); | |
384 | ||
385 | mh.msg_controllen = CMSG_SPACE(sizeof(int)); | |
386 | } else { | |
387 | mh.msg_control = NULL; | |
388 | mh.msg_controllen = 0; | |
389 | } | |
390 | ||
391 | k = sendmsg(d->storage_socket[1], &mh, MSG_DONTWAIT|MSG_NOSIGNAL); | |
392 | if (k < 0) | |
393 | return -errno; | |
394 | ||
395 | return 0; | |
396 | } | |
397 | ||
fd63e712 | 398 | static void unlink_uid_lock(int lock_fd, uid_t uid, const char *name) { |
fbd0b64f | 399 | char lock_path[STRLEN("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; |
29206d46 LP |
400 | |
401 | if (lock_fd < 0) | |
402 | return; | |
403 | ||
404 | xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); | |
fd63e712 LP |
405 | (void) unlink(lock_path); |
406 | ||
407 | (void) make_uid_symlinks(uid, name, false); /* remove direct lookup symlinks */ | |
29206d46 LP |
408 | } |
409 | ||
362d90b7 ZJS |
410 | static int lockfp(int fd, int *fd_lock) { |
411 | if (lockf(fd, F_LOCK, 0) < 0) | |
412 | return -errno; | |
413 | *fd_lock = fd; | |
414 | return 0; | |
415 | } | |
416 | ||
417 | static void unlockfp(int *fd_lock) { | |
418 | if (*fd_lock < 0) | |
419 | return; | |
420 | lockf(*fd_lock, F_ULOCK, 0); | |
421 | *fd_lock = -1; | |
422 | } | |
423 | ||
c2983a7f ZJS |
424 | static int dynamic_user_realize( |
425 | DynamicUser *d, | |
426 | char **suggested_dirs, | |
427 | uid_t *ret_uid, gid_t *ret_gid, | |
428 | bool is_user) { | |
29206d46 | 429 | |
362d90b7 ZJS |
430 | _cleanup_(unlockfp) int storage_socket0_lock = -1; |
431 | _cleanup_close_ int uid_lock_fd = -1; | |
432 | _cleanup_close_ int etc_passwd_lock_fd = -1; | |
c2983a7f ZJS |
433 | uid_t num = UID_INVALID; /* a uid if is_user, and a gid otherwise */ |
434 | gid_t gid = GID_INVALID; /* a gid if is_user, ignored otherwise */ | |
29206d46 LP |
435 | int r; |
436 | ||
437 | assert(d); | |
c2983a7f ZJS |
438 | assert(is_user == !!ret_uid); |
439 | assert(ret_gid); | |
29206d46 LP |
440 | |
441 | /* Acquire a UID for the user name. This will allocate a UID for the user name if the user doesn't exist | |
442 | * yet. If it already exists its existing UID/GID will be reused. */ | |
443 | ||
362d90b7 ZJS |
444 | r = lockfp(d->storage_socket[0], &storage_socket0_lock); |
445 | if (r < 0) | |
446 | return r; | |
29206d46 | 447 | |
c2983a7f | 448 | r = dynamic_user_pop(d, &num, &uid_lock_fd); |
29206d46 LP |
449 | if (r < 0) { |
450 | int new_uid_lock_fd; | |
451 | uid_t new_uid; | |
452 | ||
453 | if (r != -EAGAIN) | |
362d90b7 | 454 | return r; |
29206d46 LP |
455 | |
456 | /* OK, nothing stored yet, let's try to find something useful. While we are working on this release the | |
457 | * lock however, so that nobody else blocks on our NSS lookups. */ | |
362d90b7 | 458 | unlockfp(&storage_socket0_lock); |
29206d46 LP |
459 | |
460 | /* Let's see if a proper, static user or group by this name exists. Try to take the lock on | |
461 | * /etc/passwd, if that fails with EROFS then /etc is read-only. In that case it's fine if we don't | |
462 | * take the lock, given that users can't be added there anyway in this case. */ | |
463 | etc_passwd_lock_fd = take_etc_passwd_lock(NULL); | |
464 | if (etc_passwd_lock_fd < 0 && etc_passwd_lock_fd != -EROFS) | |
465 | return etc_passwd_lock_fd; | |
466 | ||
467 | /* First, let's parse this as numeric UID */ | |
c2983a7f | 468 | r = parse_uid(d->name, &num); |
29206d46 LP |
469 | if (r < 0) { |
470 | struct passwd *p; | |
471 | struct group *g; | |
472 | ||
9ec655cb YW |
473 | if (is_user) { |
474 | /* OK, this is not a numeric UID. Let's see if there's a user by this name */ | |
475 | p = getpwnam(d->name); | |
c2983a7f ZJS |
476 | if (p) { |
477 | num = p->pw_uid; | |
478 | gid = p->pw_gid; | |
479 | } else { | |
9ec655cb YW |
480 | /* if the user does not exist but the group with the same name exists, refuse operation */ |
481 | g = getgrnam(d->name); | |
482 | if (g) | |
483 | return -EILSEQ; | |
484 | } | |
485 | } else { | |
486 | /* Let's see if there's a group by this name */ | |
487 | g = getgrnam(d->name); | |
488 | if (g) | |
c2983a7f | 489 | num = (uid_t) g->gr_gid; |
9ec655cb YW |
490 | else { |
491 | /* if the group does not exist but the user with the same name exists, refuse operation */ | |
492 | p = getpwnam(d->name); | |
493 | if (p) | |
494 | return -EILSEQ; | |
495 | } | |
29206d46 LP |
496 | } |
497 | } | |
498 | ||
c2983a7f | 499 | if (num == UID_INVALID) { |
29206d46 LP |
500 | /* No static UID assigned yet, excellent. Let's pick a new dynamic one, and lock it. */ |
501 | ||
c2983a7f | 502 | uid_lock_fd = pick_uid(suggested_dirs, d->name, &num); |
29206d46 LP |
503 | if (uid_lock_fd < 0) |
504 | return uid_lock_fd; | |
505 | } | |
506 | ||
507 | /* So, we found a working UID/lock combination. Let's see if we actually still need it. */ | |
362d90b7 ZJS |
508 | r = lockfp(d->storage_socket[0], &storage_socket0_lock); |
509 | if (r < 0) { | |
c2983a7f | 510 | unlink_uid_lock(uid_lock_fd, num, d->name); |
362d90b7 | 511 | return r; |
29206d46 LP |
512 | } |
513 | ||
514 | r = dynamic_user_pop(d, &new_uid, &new_uid_lock_fd); | |
515 | if (r < 0) { | |
516 | if (r != -EAGAIN) { | |
517 | /* OK, something bad happened, let's get rid of the bits we acquired. */ | |
c2983a7f | 518 | unlink_uid_lock(uid_lock_fd, num, d->name); |
362d90b7 | 519 | return r; |
29206d46 LP |
520 | } |
521 | ||
522 | /* Great! Nothing is stored here, still. Store our newly acquired data. */ | |
523 | } else { | |
524 | /* Hmm, so as it appears there's now something stored in the storage socket. Throw away what we | |
525 | * acquired, and use what's stored now. */ | |
526 | ||
c2983a7f | 527 | unlink_uid_lock(uid_lock_fd, num, d->name); |
29206d46 LP |
528 | safe_close(uid_lock_fd); |
529 | ||
c2983a7f | 530 | num = new_uid; |
29206d46 LP |
531 | uid_lock_fd = new_uid_lock_fd; |
532 | } | |
533 | } | |
534 | ||
535 | /* If the UID/GID was already allocated dynamically, push the data we popped out back in. If it was already | |
536 | * allocated statically, push the UID back too, but do not push the lock fd in. If we allocated the UID | |
537 | * dynamically right here, push that in along with the lock fd for it. */ | |
c2983a7f | 538 | r = dynamic_user_push(d, num, uid_lock_fd); |
29206d46 | 539 | if (r < 0) |
362d90b7 | 540 | return r; |
29206d46 | 541 | |
c2983a7f ZJS |
542 | if (is_user) { |
543 | *ret_uid = num; | |
544 | *ret_gid = gid != GID_INVALID ? gid : num; | |
545 | } else | |
546 | *ret_gid = num; | |
547 | ||
362d90b7 | 548 | return 0; |
29206d46 LP |
549 | } |
550 | ||
f9bfa696 | 551 | int dynamic_user_current(DynamicUser *d, uid_t *ret) { |
362d90b7 | 552 | _cleanup_(unlockfp) int storage_socket0_lock = -1; |
29206d46 LP |
553 | _cleanup_close_ int lock_fd = -1; |
554 | uid_t uid; | |
555 | int r; | |
556 | ||
557 | assert(d); | |
558 | assert(ret); | |
559 | ||
560 | /* Get the currently assigned UID for the user, if there's any. This simply pops the data from the storage socket, and pushes it back in right-away. */ | |
561 | ||
362d90b7 ZJS |
562 | r = lockfp(d->storage_socket[0], &storage_socket0_lock); |
563 | if (r < 0) | |
564 | return r; | |
29206d46 LP |
565 | |
566 | r = dynamic_user_pop(d, &uid, &lock_fd); | |
567 | if (r < 0) | |
362d90b7 | 568 | return r; |
29206d46 LP |
569 | |
570 | r = dynamic_user_push(d, uid, lock_fd); | |
571 | if (r < 0) | |
362d90b7 | 572 | return r; |
29206d46 LP |
573 | |
574 | *ret = uid; | |
362d90b7 | 575 | return 0; |
29206d46 LP |
576 | } |
577 | ||
9da440b1 | 578 | static DynamicUser* dynamic_user_ref(DynamicUser *d) { |
29206d46 LP |
579 | if (!d) |
580 | return NULL; | |
581 | ||
582 | assert(d->n_ref > 0); | |
583 | d->n_ref++; | |
584 | ||
585 | return d; | |
586 | } | |
587 | ||
9da440b1 | 588 | static DynamicUser* dynamic_user_unref(DynamicUser *d) { |
29206d46 LP |
589 | if (!d) |
590 | return NULL; | |
591 | ||
592 | /* Note that this doesn't actually release any resources itself. If a dynamic user should be fully destroyed | |
593 | * and its UID released, use dynamic_user_destroy() instead. NB: the dynamic user table may contain entries | |
594 | * with no references, which is commonly the case right before a daemon reload. */ | |
595 | ||
596 | assert(d->n_ref > 0); | |
597 | d->n_ref--; | |
598 | ||
599 | return NULL; | |
600 | } | |
601 | ||
602 | static int dynamic_user_close(DynamicUser *d) { | |
362d90b7 | 603 | _cleanup_(unlockfp) int storage_socket0_lock = -1; |
29206d46 LP |
604 | _cleanup_close_ int lock_fd = -1; |
605 | uid_t uid; | |
606 | int r; | |
607 | ||
608 | /* Release the user ID, by releasing the lock on it, and emptying the storage socket. After this the user is | |
609 | * unrealized again, much like it was after it the DynamicUser object was first allocated. */ | |
610 | ||
362d90b7 ZJS |
611 | r = lockfp(d->storage_socket[0], &storage_socket0_lock); |
612 | if (r < 0) | |
613 | return r; | |
29206d46 LP |
614 | |
615 | r = dynamic_user_pop(d, &uid, &lock_fd); | |
362d90b7 | 616 | if (r == -EAGAIN) |
29206d46 | 617 | /* User wasn't realized yet, nothing to do. */ |
362d90b7 | 618 | return 0; |
29206d46 | 619 | if (r < 0) |
362d90b7 | 620 | return r; |
29206d46 LP |
621 | |
622 | /* This dynamic user was realized and dynamically allocated. In this case, let's remove the lock file. */ | |
fd63e712 | 623 | unlink_uid_lock(lock_fd, uid, d->name); |
362d90b7 | 624 | return 1; |
29206d46 LP |
625 | } |
626 | ||
9da440b1 | 627 | static DynamicUser* dynamic_user_destroy(DynamicUser *d) { |
29206d46 LP |
628 | if (!d) |
629 | return NULL; | |
630 | ||
631 | /* Drop a reference to a DynamicUser object, and destroy the user completely if this was the last | |
632 | * reference. This is called whenever a service is shut down and wants its dynamic UID gone. Note that | |
633 | * dynamic_user_unref() is what is called whenever a service is simply freed, for example during a reload | |
634 | * cycle, where the dynamic users should not be destroyed, but our datastructures should. */ | |
635 | ||
636 | dynamic_user_unref(d); | |
637 | ||
638 | if (d->n_ref > 0) | |
639 | return NULL; | |
640 | ||
641 | (void) dynamic_user_close(d); | |
642 | return dynamic_user_free(d); | |
643 | } | |
644 | ||
645 | int dynamic_user_serialize(Manager *m, FILE *f, FDSet *fds) { | |
646 | DynamicUser *d; | |
647 | Iterator i; | |
648 | ||
649 | assert(m); | |
650 | assert(f); | |
651 | assert(fds); | |
652 | ||
653 | /* Dump the dynamic user database into the manager serialization, to deal with daemon reloads. */ | |
654 | ||
655 | HASHMAP_FOREACH(d, m->dynamic_users, i) { | |
656 | int copy0, copy1; | |
657 | ||
658 | copy0 = fdset_put_dup(fds, d->storage_socket[0]); | |
659 | if (copy0 < 0) | |
660 | return copy0; | |
661 | ||
662 | copy1 = fdset_put_dup(fds, d->storage_socket[1]); | |
663 | if (copy1 < 0) | |
664 | return copy1; | |
665 | ||
666 | fprintf(f, "dynamic-user=%s %i %i\n", d->name, copy0, copy1); | |
667 | } | |
668 | ||
669 | return 0; | |
670 | } | |
671 | ||
672 | void dynamic_user_deserialize_one(Manager *m, const char *value, FDSet *fds) { | |
673 | _cleanup_free_ char *name = NULL, *s0 = NULL, *s1 = NULL; | |
674 | int r, fd0, fd1; | |
675 | ||
676 | assert(m); | |
677 | assert(value); | |
678 | assert(fds); | |
679 | ||
680 | /* Parse the serialization again, after a daemon reload */ | |
681 | ||
682 | r = extract_many_words(&value, NULL, 0, &name, &s0, &s1, NULL); | |
683 | if (r != 3 || !isempty(value)) { | |
684 | log_debug("Unable to parse dynamic user line."); | |
685 | return; | |
686 | } | |
687 | ||
688 | if (safe_atoi(s0, &fd0) < 0 || !fdset_contains(fds, fd0)) { | |
689 | log_debug("Unable to process dynamic user fd specification."); | |
690 | return; | |
691 | } | |
692 | ||
693 | if (safe_atoi(s1, &fd1) < 0 || !fdset_contains(fds, fd1)) { | |
694 | log_debug("Unable to process dynamic user fd specification."); | |
695 | return; | |
696 | } | |
697 | ||
698 | r = dynamic_user_add(m, name, (int[]) { fd0, fd1 }, NULL); | |
699 | if (r < 0) { | |
700 | log_debug_errno(r, "Failed to add dynamic user: %m"); | |
701 | return; | |
702 | } | |
703 | ||
704 | (void) fdset_remove(fds, fd0); | |
705 | (void) fdset_remove(fds, fd1); | |
706 | } | |
707 | ||
708 | void dynamic_user_vacuum(Manager *m, bool close_user) { | |
709 | DynamicUser *d; | |
710 | Iterator i; | |
711 | ||
712 | assert(m); | |
713 | ||
714 | /* Empty the dynamic user database, optionally cleaning up orphaned dynamic users, i.e. destroy and free users | |
715 | * to which no reference exist. This is called after a daemon reload finished, in order to destroy users which | |
716 | * might not be referenced anymore. */ | |
717 | ||
718 | HASHMAP_FOREACH(d, m->dynamic_users, i) { | |
719 | if (d->n_ref > 0) | |
720 | continue; | |
721 | ||
722 | if (close_user) { | |
723 | log_debug("Removing orphaned dynamic user %s", d->name); | |
724 | (void) dynamic_user_close(d); | |
725 | } | |
726 | ||
727 | dynamic_user_free(d); | |
728 | } | |
729 | } | |
730 | ||
731 | int dynamic_user_lookup_uid(Manager *m, uid_t uid, char **ret) { | |
fbd0b64f | 732 | char lock_path[STRLEN("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; |
29206d46 LP |
733 | _cleanup_free_ char *user = NULL; |
734 | uid_t check_uid; | |
735 | int r; | |
736 | ||
737 | assert(m); | |
738 | assert(ret); | |
739 | ||
61755fda ZJS |
740 | /* A friendly way to translate a dynamic user's UID into a name. */ |
741 | if (!uid_is_dynamic(uid)) | |
29206d46 LP |
742 | return -ESRCH; |
743 | ||
744 | xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); | |
745 | r = read_one_line_file(lock_path, &user); | |
746 | if (r == -ENOENT) | |
747 | return -ESRCH; | |
748 | if (r < 0) | |
749 | return r; | |
750 | ||
751 | /* The lock file might be stale, hence let's verify the data before we return it */ | |
752 | r = dynamic_user_lookup_name(m, user, &check_uid); | |
753 | if (r < 0) | |
754 | return r; | |
755 | if (check_uid != uid) /* lock file doesn't match our own idea */ | |
756 | return -ESRCH; | |
757 | ||
ae2a15bc | 758 | *ret = TAKE_PTR(user); |
29206d46 LP |
759 | |
760 | return 0; | |
761 | } | |
762 | ||
763 | int dynamic_user_lookup_name(Manager *m, const char *name, uid_t *ret) { | |
764 | DynamicUser *d; | |
765 | int r; | |
766 | ||
767 | assert(m); | |
768 | assert(name); | |
769 | assert(ret); | |
770 | ||
771 | /* A friendly call for translating a dynamic user's name into its UID */ | |
772 | ||
773 | d = hashmap_get(m->dynamic_users, name); | |
774 | if (!d) | |
775 | return -ESRCH; | |
776 | ||
777 | r = dynamic_user_current(d, ret); | |
778 | if (r == -EAGAIN) /* not realized yet? */ | |
779 | return -ESRCH; | |
780 | ||
781 | return r; | |
782 | } | |
783 | ||
784 | int dynamic_creds_acquire(DynamicCreds *creds, Manager *m, const char *user, const char *group) { | |
785 | bool acquired = false; | |
786 | int r; | |
787 | ||
788 | assert(creds); | |
789 | assert(m); | |
790 | ||
791 | /* A DynamicUser object encapsulates an allocation of both a UID and a GID for a specific name. However, some | |
792 | * services use different user and groups. For cases like that there's DynamicCreds containing a pair of user | |
793 | * and group. This call allocates a pair. */ | |
794 | ||
795 | if (!creds->user && user) { | |
796 | r = dynamic_user_acquire(m, user, &creds->user); | |
797 | if (r < 0) | |
798 | return r; | |
799 | ||
800 | acquired = true; | |
801 | } | |
802 | ||
803 | if (!creds->group) { | |
804 | ||
805 | if (creds->user && (!group || streq_ptr(user, group))) | |
806 | creds->group = dynamic_user_ref(creds->user); | |
807 | else { | |
808 | r = dynamic_user_acquire(m, group, &creds->group); | |
809 | if (r < 0) { | |
810 | if (acquired) | |
811 | creds->user = dynamic_user_unref(creds->user); | |
812 | return r; | |
813 | } | |
814 | } | |
815 | } | |
816 | ||
817 | return 0; | |
818 | } | |
819 | ||
da50b85a | 820 | int dynamic_creds_realize(DynamicCreds *creds, char **suggested_paths, uid_t *uid, gid_t *gid) { |
29206d46 LP |
821 | uid_t u = UID_INVALID; |
822 | gid_t g = GID_INVALID; | |
823 | int r; | |
824 | ||
825 | assert(creds); | |
826 | assert(uid); | |
827 | assert(gid); | |
828 | ||
829 | /* Realize both the referenced user and group */ | |
830 | ||
831 | if (creds->user) { | |
c2983a7f | 832 | r = dynamic_user_realize(creds->user, suggested_paths, &u, &g, true); |
29206d46 LP |
833 | if (r < 0) |
834 | return r; | |
835 | } | |
836 | ||
837 | if (creds->group && creds->group != creds->user) { | |
c2983a7f | 838 | r = dynamic_user_realize(creds->group, suggested_paths, NULL, &g, false); |
29206d46 LP |
839 | if (r < 0) |
840 | return r; | |
c2983a7f | 841 | } |
29206d46 LP |
842 | |
843 | *uid = u; | |
844 | *gid = g; | |
29206d46 LP |
845 | return 0; |
846 | } | |
847 | ||
848 | void dynamic_creds_unref(DynamicCreds *creds) { | |
849 | assert(creds); | |
850 | ||
851 | creds->user = dynamic_user_unref(creds->user); | |
852 | creds->group = dynamic_user_unref(creds->group); | |
853 | } | |
854 | ||
855 | void dynamic_creds_destroy(DynamicCreds *creds) { | |
856 | assert(creds); | |
857 | ||
858 | creds->user = dynamic_user_destroy(creds->user); | |
859 | creds->group = dynamic_user_destroy(creds->group); | |
860 | } |