]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
29206d46 | 2 | |
29206d46 | 3 | #include <sys/file.h> |
ca78ad1d ZJS |
4 | #include <sys/stat.h> |
5 | #include <sys/types.h> | |
29206d46 | 6 | |
98e4fcec | 7 | #include "clean-ipc.h" |
29206d46 LP |
8 | #include "dynamic-user.h" |
9 | #include "fd-util.h" | |
e6a7ec4b | 10 | #include "fileio.h" |
ca78ad1d | 11 | #include "format-util.h" |
29206d46 | 12 | #include "fs-util.h" |
bd1ae178 | 13 | #include "iovec-util.h" |
b4cbfa5f | 14 | #include "lock-util.h" |
460ec549 | 15 | #include "nscd-flush.h" |
29206d46 LP |
16 | #include "parse-util.h" |
17 | #include "random-util.h" | |
d68c645b | 18 | #include "serialize.h" |
57b7a260 | 19 | #include "socket-util.h" |
29206d46 LP |
20 | #include "stdio-util.h" |
21 | #include "string-util.h" | |
5cfa33e0 | 22 | #include "strv.h" |
8e1ac16b | 23 | #include "uid-classification.h" |
29206d46 | 24 | #include "user-util.h" |
29206d46 | 25 | |
29206d46 | 26 | /* Takes a value generated randomly or by hashing and turns it into a UID in the right range */ |
61755fda | 27 | #define UID_CLAMP_INTO_RANGE(rnd) (((uid_t) (rnd) % (DYNAMIC_UID_MAX - DYNAMIC_UID_MIN + 1)) + DYNAMIC_UID_MIN) |
29206d46 | 28 | |
154eb43f | 29 | DEFINE_TRIVIAL_REF_FUNC(DynamicUser, dynamic_user); |
8301aa0b | 30 | |
bb5232b6 | 31 | DynamicUser* dynamic_user_free(DynamicUser *d) { |
29206d46 LP |
32 | if (!d) |
33 | return NULL; | |
34 | ||
35 | if (d->manager) | |
36 | (void) hashmap_remove(d->manager->dynamic_users, d->name); | |
37 | ||
38 | safe_close_pair(d->storage_socket); | |
6b430fdb | 39 | return mfree(d); |
29206d46 LP |
40 | } |
41 | ||
3042bbeb | 42 | static int dynamic_user_add(Manager *m, const char *name, int storage_socket[static 2], DynamicUser **ret) { |
33430217 | 43 | DynamicUser *d; |
29206d46 LP |
44 | int r; |
45 | ||
154eb43f | 46 | assert(m || ret); |
29206d46 LP |
47 | assert(name); |
48 | assert(storage_socket); | |
49 | ||
154eb43f LB |
50 | if (m) { /* Might be called in sd-executor with no manager object */ |
51 | r = hashmap_ensure_allocated(&m->dynamic_users, &string_hash_ops); | |
52 | if (r < 0) | |
53 | return r; | |
54 | } | |
29206d46 LP |
55 | |
56 | d = malloc0(offsetof(DynamicUser, name) + strlen(name) + 1); | |
57 | if (!d) | |
58 | return -ENOMEM; | |
59 | ||
60 | strcpy(d->name, name); | |
61 | ||
62 | d->storage_socket[0] = storage_socket[0]; | |
63 | d->storage_socket[1] = storage_socket[1]; | |
64 | ||
154eb43f LB |
65 | if (m) { /* Might be called in sd-executor with no manager object */ |
66 | r = hashmap_put(m->dynamic_users, d->name, d); | |
67 | if (r < 0) { | |
68 | free(d); | |
69 | return r; | |
70 | } | |
29206d46 LP |
71 | } |
72 | ||
73 | d->manager = m; | |
74 | ||
75 | if (ret) | |
76 | *ret = d; | |
77 | ||
78 | return 0; | |
79 | } | |
80 | ||
9da440b1 | 81 | static int dynamic_user_acquire(Manager *m, const char *name, DynamicUser** ret) { |
71136404 | 82 | _cleanup_close_pair_ int storage_socket[2] = EBADF_PAIR; |
29206d46 LP |
83 | DynamicUser *d; |
84 | int r; | |
85 | ||
86 | assert(m); | |
87 | assert(name); | |
88 | ||
89 | /* Return the DynamicUser structure for a specific user name. Note that this won't actually allocate a UID for | |
90 | * it, but just prepare the data structure for it. The UID is allocated only on demand, when it's really | |
91 | * needed, and in the child process we fork off, since allocation involves NSS checks which are not OK to do | |
92 | * from PID 1. To allow the children and PID 1 share information about allocated UIDs we use an anonymous | |
93 | * AF_UNIX/SOCK_DGRAM socket (called the "storage socket") that contains at most one datagram with the | |
94 | * allocated UID number, plus an fd referencing the lock file for the UID | |
95 | * (i.e. /run/systemd/dynamic-uid/$UID). Why involve the socket pair? So that PID 1 and all its children can | |
96 | * share the same storage for the UID and lock fd, simply by inheriting the storage socket fds. The socket pair | |
97 | * may exist in three different states: | |
98 | * | |
99 | * a) no datagram stored. This is the initial state. In this case the dynamic user was never realized. | |
100 | * | |
101 | * b) a datagram containing a UID stored, but no lock fd attached to it. In this case there was already a | |
102 | * statically assigned UID by the same name, which we are reusing. | |
103 | * | |
104 | * c) a datagram containing a UID stored, and a lock fd is attached to it. In this case we allocated a dynamic | |
105 | * UID and locked it in the file system, using the lock fd. | |
106 | * | |
107 | * As PID 1 and various children might access the socket pair simultaneously, and pop the datagram or push it | |
108 | * back in any time, we also maintain a lock on the socket pair. Note one peculiarity regarding locking here: | |
109 | * the UID lock on disk is protected via a BSD file lock (i.e. an fd-bound lock), so that the lock is kept in | |
110 | * place as long as there's a reference to the fd open. The lock on the storage socket pair however is a POSIX | |
111 | * file lock (i.e. a process-bound lock), as all users share the same fd of this (after all it is anonymous, | |
112 | * nobody else could get any access to it except via our own fd) and we want to synchronize access between all | |
113 | * processes that have access to it. */ | |
114 | ||
115 | d = hashmap_get(m->dynamic_users, name); | |
116 | if (d) { | |
288ca7af YW |
117 | if (ret) { |
118 | /* We already have a structure for the dynamic user, let's increase the ref count and reuse it */ | |
119 | d->n_ref++; | |
120 | *ret = d; | |
121 | } | |
29206d46 LP |
122 | return 0; |
123 | } | |
124 | ||
7a8867ab | 125 | if (!valid_user_group_name(name, VALID_USER_ALLOW_NUMERIC)) |
29206d46 LP |
126 | return -EINVAL; |
127 | ||
128 | if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, storage_socket) < 0) | |
129 | return -errno; | |
130 | ||
131 | r = dynamic_user_add(m, name, storage_socket, &d); | |
132 | if (r < 0) | |
133 | return r; | |
134 | ||
5bb1d7fb | 135 | storage_socket[0] = storage_socket[1] = -EBADF; |
29206d46 LP |
136 | |
137 | if (ret) { | |
138 | d->n_ref++; | |
139 | *ret = d; | |
140 | } | |
141 | ||
142 | return 1; | |
143 | } | |
144 | ||
fd63e712 | 145 | static int make_uid_symlinks(uid_t uid, const char *name, bool b) { |
fbd0b64f | 146 | char path1[STRLEN("/run/systemd/dynamic-uid/direct:") + DECIMAL_STR_MAX(uid_t) + 1]; |
fd63e712 | 147 | const char *path2; |
986a34a6 | 148 | int r = 0, k; |
fd63e712 LP |
149 | |
150 | /* Add direct additional symlinks for direct lookups of dynamic UIDs and their names by userspace code. The | |
151 | * only reason we have this is because dbus-daemon cannot use D-Bus for resolving users and groups (since it | |
152 | * would be its own client then). We hence keep these world-readable symlinks in place, so that the | |
153 | * unprivileged dbus user can read the mappings when it needs them via these symlinks instead of having to go | |
154 | * via the bus. Ideally, we'd use the lock files we keep for this anyway, but we can't since we use BSD locks | |
155 | * on them and as those may be taken by any user with read access we can't make them world-readable. */ | |
156 | ||
157 | xsprintf(path1, "/run/systemd/dynamic-uid/direct:" UID_FMT, uid); | |
986a34a6 ZJS |
158 | if (unlink(path1) < 0 && errno != ENOENT) |
159 | r = -errno; | |
160 | ||
161 | if (b && symlink(name, path1) < 0) { | |
162 | k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path1); | |
163 | if (r == 0) | |
164 | r = k; | |
fd63e712 LP |
165 | } |
166 | ||
167 | path2 = strjoina("/run/systemd/dynamic-uid/direct:", name); | |
986a34a6 ZJS |
168 | if (unlink(path2) < 0 && errno != ENOENT) { |
169 | k = -errno; | |
170 | if (r == 0) | |
171 | r = k; | |
fd63e712 | 172 | } |
986a34a6 | 173 | |
fbd0b64f | 174 | if (b && symlink(path1 + STRLEN("/run/systemd/dynamic-uid/direct:"), path2) < 0) { |
986a34a6 ZJS |
175 | k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path2); |
176 | if (r == 0) | |
177 | r = k; | |
fd63e712 LP |
178 | } |
179 | ||
180 | return r; | |
181 | } | |
182 | ||
da50b85a LP |
183 | static int pick_uid(char **suggested_paths, const char *name, uid_t *ret_uid) { |
184 | ||
185 | /* Find a suitable free UID. We use the following strategy to find a suitable UID: | |
186 | * | |
187 | * 1. Initially, we try to read the UID of a number of specified paths. If any of these UIDs works, we use | |
188 | * them. We use in order to increase the chance of UID reuse, if StateDirectory=, CacheDirectory= or | |
d7ef1257 | 189 | * LogsDirectory= are used, as reusing the UID these directories are owned by saves us from having to |
da50b85a LP |
190 | * recursively chown() them to new users. |
191 | * | |
192 | * 2. If that didn't yield a currently unused UID, we hash the user name, and try to use that. This should be | |
193 | * pretty good, as the use ris by default derived from the unit name, and hence the same service and same | |
194 | * user should usually get the same UID as long as our hashing doesn't clash. | |
195 | * | |
196 | * 3. Finally, if that didn't work, we randomly pick UIDs, until we find one that is empty. | |
197 | * | |
198 | * Since the dynamic UID space is relatively small we'll stop trying after 100 iterations, giving up. */ | |
199 | ||
200 | enum { | |
201 | PHASE_SUGGESTED, /* the first phase, reusing directory ownership UIDs */ | |
202 | PHASE_HASHED, /* the second phase, deriving a UID from the username by hashing */ | |
203 | PHASE_RANDOM, /* the last phase, randomly picking UIDs */ | |
204 | } phase = PHASE_SUGGESTED; | |
29206d46 LP |
205 | |
206 | static const uint8_t hash_key[] = { | |
207 | 0x37, 0x53, 0x7e, 0x31, 0xcf, 0xce, 0x48, 0xf5, | |
208 | 0x8a, 0xbb, 0x39, 0x57, 0x8d, 0xd9, 0xec, 0x59 | |
209 | }; | |
210 | ||
da50b85a | 211 | unsigned n_tries = 100, current_suggested = 0; |
29206d46 LP |
212 | int r; |
213 | ||
29206d46 LP |
214 | (void) mkdir("/run/systemd/dynamic-uid", 0755); |
215 | ||
216 | for (;;) { | |
fbd0b64f | 217 | char lock_path[STRLEN("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; |
254d1313 | 218 | _cleanup_close_ int lock_fd = -EBADF; |
da50b85a | 219 | uid_t candidate; |
29206d46 LP |
220 | ssize_t l; |
221 | ||
222 | if (--n_tries <= 0) /* Give up retrying eventually */ | |
223 | return -EBUSY; | |
224 | ||
da50b85a LP |
225 | switch (phase) { |
226 | ||
227 | case PHASE_SUGGESTED: { | |
228 | struct stat st; | |
229 | ||
230 | if (!suggested_paths || !suggested_paths[current_suggested]) { | |
231 | /* We reached the end of the suggested paths list, let's try by hashing the name */ | |
232 | phase = PHASE_HASHED; | |
233 | continue; | |
234 | } | |
235 | ||
236 | if (stat(suggested_paths[current_suggested++], &st) < 0) | |
237 | continue; /* We can't read the UID of this path, but that doesn't matter, just try the next */ | |
238 | ||
239 | candidate = st.st_uid; | |
240 | break; | |
241 | } | |
242 | ||
243 | case PHASE_HASHED: | |
244 | /* A static user by this name does not exist yet. Let's find a free ID then, and use that. We | |
245 | * start with a UID generated as hash from the user name. */ | |
246 | candidate = UID_CLAMP_INTO_RANGE(siphash24(name, strlen(name), hash_key)); | |
247 | ||
248 | /* If this one fails, we should proceed with random tries */ | |
249 | phase = PHASE_RANDOM; | |
250 | break; | |
251 | ||
252 | case PHASE_RANDOM: | |
253 | ||
254 | /* Pick another random UID, and see if that works for us. */ | |
255 | random_bytes(&candidate, sizeof(candidate)); | |
256 | candidate = UID_CLAMP_INTO_RANGE(candidate); | |
257 | break; | |
258 | ||
259 | default: | |
04499a70 | 260 | assert_not_reached(); |
da50b85a LP |
261 | } |
262 | ||
263 | /* Make sure whatever we picked here actually is in the right range */ | |
61755fda | 264 | if (!uid_is_dynamic(candidate)) |
da50b85a | 265 | continue; |
29206d46 LP |
266 | |
267 | xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, candidate); | |
268 | ||
269 | for (;;) { | |
270 | struct stat st; | |
271 | ||
272 | lock_fd = open(lock_path, O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, 0600); | |
273 | if (lock_fd < 0) | |
274 | return -errno; | |
275 | ||
276 | r = flock(lock_fd, LOCK_EX|LOCK_NB); /* Try to get a BSD file lock on the UID lock file */ | |
277 | if (r < 0) { | |
3742095b | 278 | if (IN_SET(errno, EBUSY, EAGAIN)) |
29206d46 LP |
279 | goto next; /* already in use */ |
280 | ||
281 | return -errno; | |
282 | } | |
283 | ||
284 | if (fstat(lock_fd, &st) < 0) | |
285 | return -errno; | |
286 | if (st.st_nlink > 0) | |
287 | break; | |
288 | ||
629ff674 | 289 | /* Oh, bummer, we got the lock, but the file was unlinked between the time we opened it and |
29206d46 LP |
290 | * got the lock. Close it, and try again. */ |
291 | lock_fd = safe_close(lock_fd); | |
292 | } | |
293 | ||
294 | /* Some superficial check whether this UID/GID might already be taken by some static user */ | |
75673cd8 LP |
295 | if (getpwuid_malloc(candidate, /* ret= */ NULL) >= 0 || |
296 | getgrgid_malloc((gid_t) candidate, /* ret= */ NULL) >= 0 || | |
98e4fcec | 297 | search_ipc(candidate, (gid_t) candidate) != 0) { |
29206d46 | 298 | (void) unlink(lock_path); |
da50b85a | 299 | continue; |
29206d46 LP |
300 | } |
301 | ||
302 | /* Let's store the user name in the lock file, so that we can use it for looking up the username for a UID */ | |
303 | l = pwritev(lock_fd, | |
304 | (struct iovec[2]) { | |
ce16d177 YW |
305 | IOVEC_MAKE_STRING(name), |
306 | IOVEC_MAKE((char[1]) { '\n' }, 1), | |
29206d46 LP |
307 | }, 2, 0); |
308 | if (l < 0) { | |
e53c42ca | 309 | r = -errno; |
29206d46 | 310 | (void) unlink(lock_path); |
e53c42ca | 311 | return r; |
29206d46 LP |
312 | } |
313 | ||
314 | (void) ftruncate(lock_fd, l); | |
fd63e712 | 315 | (void) make_uid_symlinks(candidate, name, true); /* also add direct lookup symlinks */ |
29206d46 LP |
316 | |
317 | *ret_uid = candidate; | |
c10d6bdb | 318 | return TAKE_FD(lock_fd); |
29206d46 LP |
319 | |
320 | next: | |
da50b85a | 321 | ; |
29206d46 LP |
322 | } |
323 | } | |
324 | ||
325 | static int dynamic_user_pop(DynamicUser *d, uid_t *ret_uid, int *ret_lock_fd) { | |
326 | uid_t uid = UID_INVALID; | |
ce16d177 | 327 | struct iovec iov = IOVEC_MAKE(&uid, sizeof(uid)); |
d34673ec | 328 | int lock_fd; |
29206d46 | 329 | ssize_t k; |
29206d46 LP |
330 | |
331 | assert(d); | |
332 | assert(ret_uid); | |
333 | assert(ret_lock_fd); | |
334 | ||
8b98cfb7 ZJS |
335 | /* Read the UID and lock fd that is stored in the storage AF_UNIX socket. This should be called with |
336 | * the lock on the socket taken. */ | |
29206d46 | 337 | |
d34673ec | 338 | k = receive_one_fd_iov(d->storage_socket[0], &iov, 1, MSG_DONTWAIT, &lock_fd); |
29206d46 | 339 | if (k < 0) |
d34673ec | 340 | return (int) k; |
29206d46 LP |
341 | |
342 | *ret_uid = uid; | |
343 | *ret_lock_fd = lock_fd; | |
344 | ||
345 | return 0; | |
346 | } | |
347 | ||
348 | static int dynamic_user_push(DynamicUser *d, uid_t uid, int lock_fd) { | |
ce16d177 | 349 | struct iovec iov = IOVEC_MAKE(&uid, sizeof(uid)); |
29206d46 LP |
350 | |
351 | assert(d); | |
352 | ||
353 | /* Store the UID and lock_fd in the storage socket. This should be called with the socket pair lock taken. */ | |
d34673ec | 354 | return send_one_fd_iov(d->storage_socket[1], lock_fd, &iov, 1, MSG_DONTWAIT); |
29206d46 LP |
355 | } |
356 | ||
fd63e712 | 357 | static void unlink_uid_lock(int lock_fd, uid_t uid, const char *name) { |
fbd0b64f | 358 | char lock_path[STRLEN("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; |
29206d46 LP |
359 | |
360 | if (lock_fd < 0) | |
361 | return; | |
362 | ||
363 | xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); | |
fd63e712 LP |
364 | (void) unlink(lock_path); |
365 | ||
366 | (void) make_uid_symlinks(uid, name, false); /* remove direct lookup symlinks */ | |
29206d46 LP |
367 | } |
368 | ||
c2983a7f ZJS |
369 | static int dynamic_user_realize( |
370 | DynamicUser *d, | |
371 | char **suggested_dirs, | |
372 | uid_t *ret_uid, gid_t *ret_gid, | |
373 | bool is_user) { | |
29206d46 | 374 | |
254d1313 ZJS |
375 | _cleanup_close_ int uid_lock_fd = -EBADF; |
376 | _cleanup_close_ int etc_passwd_lock_fd = -EBADF; | |
c2983a7f ZJS |
377 | uid_t num = UID_INVALID; /* a uid if is_user, and a gid otherwise */ |
378 | gid_t gid = GID_INVALID; /* a gid if is_user, ignored otherwise */ | |
460ec549 | 379 | bool flush_cache = false; |
29206d46 LP |
380 | int r; |
381 | ||
382 | assert(d); | |
c2983a7f ZJS |
383 | assert(is_user == !!ret_uid); |
384 | assert(ret_gid); | |
29206d46 LP |
385 | |
386 | /* Acquire a UID for the user name. This will allocate a UID for the user name if the user doesn't exist | |
387 | * yet. If it already exists its existing UID/GID will be reused. */ | |
388 | ||
1fe15cb7 | 389 | r = posix_lock(d->storage_socket[0], LOCK_EX); |
362d90b7 ZJS |
390 | if (r < 0) |
391 | return r; | |
29206d46 | 392 | |
1fe15cb7 | 393 | CLEANUP_POSIX_UNLOCK(d->storage_socket[0]); |
b4cbfa5f | 394 | |
c2983a7f | 395 | r = dynamic_user_pop(d, &num, &uid_lock_fd); |
29206d46 LP |
396 | if (r < 0) { |
397 | int new_uid_lock_fd; | |
398 | uid_t new_uid; | |
399 | ||
400 | if (r != -EAGAIN) | |
362d90b7 | 401 | return r; |
29206d46 LP |
402 | |
403 | /* OK, nothing stored yet, let's try to find something useful. While we are working on this release the | |
404 | * lock however, so that nobody else blocks on our NSS lookups. */ | |
1fe15cb7 | 405 | r = posix_lock(d->storage_socket[0], LOCK_UN); |
b4cbfa5f DDM |
406 | if (r < 0) |
407 | return r; | |
29206d46 LP |
408 | |
409 | /* Let's see if a proper, static user or group by this name exists. Try to take the lock on | |
410 | * /etc/passwd, if that fails with EROFS then /etc is read-only. In that case it's fine if we don't | |
411 | * take the lock, given that users can't be added there anyway in this case. */ | |
412 | etc_passwd_lock_fd = take_etc_passwd_lock(NULL); | |
413 | if (etc_passwd_lock_fd < 0 && etc_passwd_lock_fd != -EROFS) | |
414 | return etc_passwd_lock_fd; | |
415 | ||
416 | /* First, let's parse this as numeric UID */ | |
c2983a7f | 417 | r = parse_uid(d->name, &num); |
29206d46 | 418 | if (r < 0) { |
75673cd8 LP |
419 | _cleanup_free_ struct passwd *p = NULL; |
420 | _cleanup_free_ struct group *g = NULL; | |
29206d46 | 421 | |
9ec655cb YW |
422 | if (is_user) { |
423 | /* OK, this is not a numeric UID. Let's see if there's a user by this name */ | |
75673cd8 | 424 | if (getpwnam_malloc(d->name, &p) >= 0) { |
c2983a7f ZJS |
425 | num = p->pw_uid; |
426 | gid = p->pw_gid; | |
427 | } else { | |
9ec655cb | 428 | /* if the user does not exist but the group with the same name exists, refuse operation */ |
75673cd8 | 429 | if (getgrnam_malloc(d->name, /* ret= */ NULL) >= 0) |
9ec655cb YW |
430 | return -EILSEQ; |
431 | } | |
432 | } else { | |
433 | /* Let's see if there's a group by this name */ | |
75673cd8 | 434 | if (getgrnam_malloc(d->name, &g) >= 0) |
c2983a7f | 435 | num = (uid_t) g->gr_gid; |
9ec655cb YW |
436 | else { |
437 | /* if the group does not exist but the user with the same name exists, refuse operation */ | |
75673cd8 | 438 | if (getpwnam_malloc(d->name, /* ret= */ NULL) >= 0) |
9ec655cb YW |
439 | return -EILSEQ; |
440 | } | |
29206d46 LP |
441 | } |
442 | } | |
443 | ||
c2983a7f | 444 | if (num == UID_INVALID) { |
29206d46 LP |
445 | /* No static UID assigned yet, excellent. Let's pick a new dynamic one, and lock it. */ |
446 | ||
c2983a7f | 447 | uid_lock_fd = pick_uid(suggested_dirs, d->name, &num); |
29206d46 LP |
448 | if (uid_lock_fd < 0) |
449 | return uid_lock_fd; | |
450 | } | |
451 | ||
452 | /* So, we found a working UID/lock combination. Let's see if we actually still need it. */ | |
1fe15cb7 | 453 | r = posix_lock(d->storage_socket[0], LOCK_EX); |
362d90b7 | 454 | if (r < 0) { |
c2983a7f | 455 | unlink_uid_lock(uid_lock_fd, num, d->name); |
362d90b7 | 456 | return r; |
29206d46 LP |
457 | } |
458 | ||
459 | r = dynamic_user_pop(d, &new_uid, &new_uid_lock_fd); | |
460 | if (r < 0) { | |
461 | if (r != -EAGAIN) { | |
462 | /* OK, something bad happened, let's get rid of the bits we acquired. */ | |
c2983a7f | 463 | unlink_uid_lock(uid_lock_fd, num, d->name); |
362d90b7 | 464 | return r; |
29206d46 LP |
465 | } |
466 | ||
467 | /* Great! Nothing is stored here, still. Store our newly acquired data. */ | |
460ec549 | 468 | flush_cache = true; |
29206d46 LP |
469 | } else { |
470 | /* Hmm, so as it appears there's now something stored in the storage socket. Throw away what we | |
471 | * acquired, and use what's stored now. */ | |
472 | ||
c2983a7f | 473 | unlink_uid_lock(uid_lock_fd, num, d->name); |
29206d46 LP |
474 | safe_close(uid_lock_fd); |
475 | ||
c2983a7f | 476 | num = new_uid; |
29206d46 LP |
477 | uid_lock_fd = new_uid_lock_fd; |
478 | } | |
25a1df7c | 479 | } else if (is_user && !uid_is_dynamic(num)) { |
75673cd8 | 480 | _cleanup_free_ struct passwd *p = NULL; |
25a1df7c YW |
481 | |
482 | /* Statically allocated user may have different uid and gid. So, let's obtain the gid. */ | |
75673cd8 LP |
483 | r = getpwuid_malloc(num, &p); |
484 | if (r < 0) | |
485 | return r; | |
25a1df7c YW |
486 | |
487 | gid = p->pw_gid; | |
29206d46 LP |
488 | } |
489 | ||
490 | /* If the UID/GID was already allocated dynamically, push the data we popped out back in. If it was already | |
491 | * allocated statically, push the UID back too, but do not push the lock fd in. If we allocated the UID | |
492 | * dynamically right here, push that in along with the lock fd for it. */ | |
c2983a7f | 493 | r = dynamic_user_push(d, num, uid_lock_fd); |
29206d46 | 494 | if (r < 0) |
362d90b7 | 495 | return r; |
29206d46 | 496 | |
460ec549 LP |
497 | if (flush_cache) { |
498 | /* If we allocated a new dynamic UID, refresh nscd, so that it forgets about potentially cached | |
499 | * negative entries. But let's do so after we release the /etc/passwd lock, so that there's no | |
500 | * potential for nscd wanting to lock that for completing the invalidation. */ | |
501 | etc_passwd_lock_fd = safe_close(etc_passwd_lock_fd); | |
502 | (void) nscd_flush_cache(STRV_MAKE("passwd", "group")); | |
503 | } | |
504 | ||
c2983a7f ZJS |
505 | if (is_user) { |
506 | *ret_uid = num; | |
507 | *ret_gid = gid != GID_INVALID ? gid : num; | |
508 | } else | |
509 | *ret_gid = num; | |
510 | ||
362d90b7 | 511 | return 0; |
29206d46 LP |
512 | } |
513 | ||
f9bfa696 | 514 | int dynamic_user_current(DynamicUser *d, uid_t *ret) { |
254d1313 | 515 | _cleanup_close_ int lock_fd = -EBADF; |
29206d46 LP |
516 | uid_t uid; |
517 | int r; | |
518 | ||
519 | assert(d); | |
29206d46 | 520 | |
8b98cfb7 ZJS |
521 | /* Get the currently assigned UID for the user, if there's any. This simply pops the data from the |
522 | * storage socket, and pushes it back in right-away. */ | |
29206d46 | 523 | |
1fe15cb7 | 524 | r = posix_lock(d->storage_socket[0], LOCK_EX); |
362d90b7 ZJS |
525 | if (r < 0) |
526 | return r; | |
29206d46 | 527 | |
1fe15cb7 | 528 | CLEANUP_POSIX_UNLOCK(d->storage_socket[0]); |
b4cbfa5f | 529 | |
29206d46 LP |
530 | r = dynamic_user_pop(d, &uid, &lock_fd); |
531 | if (r < 0) | |
362d90b7 | 532 | return r; |
29206d46 LP |
533 | |
534 | r = dynamic_user_push(d, uid, lock_fd); | |
535 | if (r < 0) | |
362d90b7 | 536 | return r; |
29206d46 | 537 | |
4bad7eed LP |
538 | if (ret) |
539 | *ret = uid; | |
540 | ||
362d90b7 | 541 | return 0; |
29206d46 LP |
542 | } |
543 | ||
9da440b1 | 544 | static DynamicUser* dynamic_user_unref(DynamicUser *d) { |
29206d46 LP |
545 | if (!d) |
546 | return NULL; | |
547 | ||
8b98cfb7 ZJS |
548 | /* Note that this doesn't actually release any resources itself. If a dynamic user should be fully |
549 | * destroyed and its UID released, use dynamic_user_destroy() instead. NB: the dynamic user table may | |
550 | * contain entries with no references, which is commonly the case right before a daemon reload. */ | |
29206d46 LP |
551 | |
552 | assert(d->n_ref > 0); | |
553 | d->n_ref--; | |
554 | ||
555 | return NULL; | |
556 | } | |
557 | ||
558 | static int dynamic_user_close(DynamicUser *d) { | |
254d1313 | 559 | _cleanup_close_ int lock_fd = -EBADF; |
29206d46 LP |
560 | uid_t uid; |
561 | int r; | |
562 | ||
8b98cfb7 ZJS |
563 | /* Release the user ID, by releasing the lock on it, and emptying the storage socket. After this the |
564 | * user is unrealized again, much like it was after it the DynamicUser object was first allocated. */ | |
29206d46 | 565 | |
1fe15cb7 | 566 | r = posix_lock(d->storage_socket[0], LOCK_EX); |
362d90b7 ZJS |
567 | if (r < 0) |
568 | return r; | |
29206d46 | 569 | |
1fe15cb7 | 570 | CLEANUP_POSIX_UNLOCK(d->storage_socket[0]); |
b4cbfa5f | 571 | |
29206d46 | 572 | r = dynamic_user_pop(d, &uid, &lock_fd); |
362d90b7 | 573 | if (r == -EAGAIN) |
29206d46 | 574 | /* User wasn't realized yet, nothing to do. */ |
362d90b7 | 575 | return 0; |
29206d46 | 576 | if (r < 0) |
362d90b7 | 577 | return r; |
29206d46 LP |
578 | |
579 | /* This dynamic user was realized and dynamically allocated. In this case, let's remove the lock file. */ | |
fd63e712 | 580 | unlink_uid_lock(lock_fd, uid, d->name); |
460ec549 LP |
581 | |
582 | (void) nscd_flush_cache(STRV_MAKE("passwd", "group")); | |
362d90b7 | 583 | return 1; |
29206d46 LP |
584 | } |
585 | ||
9da440b1 | 586 | static DynamicUser* dynamic_user_destroy(DynamicUser *d) { |
29206d46 LP |
587 | if (!d) |
588 | return NULL; | |
589 | ||
590 | /* Drop a reference to a DynamicUser object, and destroy the user completely if this was the last | |
591 | * reference. This is called whenever a service is shut down and wants its dynamic UID gone. Note that | |
592 | * dynamic_user_unref() is what is called whenever a service is simply freed, for example during a reload | |
593 | * cycle, where the dynamic users should not be destroyed, but our datastructures should. */ | |
594 | ||
595 | dynamic_user_unref(d); | |
596 | ||
597 | if (d->n_ref > 0) | |
598 | return NULL; | |
599 | ||
600 | (void) dynamic_user_close(d); | |
601 | return dynamic_user_free(d); | |
602 | } | |
603 | ||
154eb43f LB |
604 | int dynamic_user_serialize_one(DynamicUser *d, const char *key, FILE *f, FDSet *fds) { |
605 | int copy0, copy1; | |
29206d46 | 606 | |
154eb43f | 607 | assert(key); |
29206d46 LP |
608 | assert(f); |
609 | assert(fds); | |
610 | ||
154eb43f LB |
611 | if (!d) |
612 | return 0; | |
29206d46 | 613 | |
154eb43f LB |
614 | if (d->storage_socket[0] < 0 || d->storage_socket[1] < 0) |
615 | return 0; | |
29206d46 | 616 | |
154eb43f LB |
617 | copy0 = fdset_put_dup(fds, d->storage_socket[0]); |
618 | if (copy0 < 0) | |
619 | return log_error_errno(copy0, "Failed to add dynamic user storage fd to serialization: %m"); | |
29206d46 | 620 | |
154eb43f LB |
621 | copy1 = fdset_put_dup(fds, d->storage_socket[1]); |
622 | if (copy1 < 0) | |
623 | return log_error_errno(copy1, "Failed to add dynamic user storage fd to serialization: %m"); | |
29206d46 | 624 | |
154eb43f LB |
625 | (void) serialize_item_format(f, key, "%s %i %i", d->name, copy0, copy1); |
626 | ||
627 | return 0; | |
628 | } | |
629 | ||
630 | int dynamic_user_serialize(Manager *m, FILE *f, FDSet *fds) { | |
631 | DynamicUser *d; | |
632 | ||
633 | assert(m); | |
634 | ||
635 | /* Dump the dynamic user database into the manager serialization, to deal with daemon reloads. */ | |
636 | ||
637 | HASHMAP_FOREACH(d, m->dynamic_users) | |
638 | (void) dynamic_user_serialize_one(d, "dynamic-user", f, fds); | |
29206d46 LP |
639 | |
640 | return 0; | |
641 | } | |
642 | ||
154eb43f | 643 | void dynamic_user_deserialize_one(Manager *m, const char *value, FDSet *fds, DynamicUser **ret) { |
29206d46 | 644 | _cleanup_free_ char *name = NULL, *s0 = NULL, *s1 = NULL; |
dff9808a LP |
645 | _cleanup_close_ int fd0 = -EBADF, fd1 = -EBADF; |
646 | int r; | |
29206d46 | 647 | |
29206d46 LP |
648 | assert(value); |
649 | assert(fds); | |
650 | ||
651 | /* Parse the serialization again, after a daemon reload */ | |
652 | ||
4f495126 | 653 | r = extract_many_words(&value, NULL, 0, &name, &s0, &s1); |
29206d46 LP |
654 | if (r != 3 || !isempty(value)) { |
655 | log_debug("Unable to parse dynamic user line."); | |
656 | return; | |
657 | } | |
658 | ||
dff9808a LP |
659 | fd0 = deserialize_fd(fds, s0); |
660 | if (fd0 < 0) | |
29206d46 | 661 | return; |
29206d46 | 662 | |
dff9808a LP |
663 | fd1 = deserialize_fd(fds, s1); |
664 | if (fd1 < 0) | |
29206d46 | 665 | return; |
29206d46 | 666 | |
154eb43f | 667 | r = dynamic_user_add(m, name, (int[]) { fd0, fd1 }, ret); |
29206d46 LP |
668 | if (r < 0) { |
669 | log_debug_errno(r, "Failed to add dynamic user: %m"); | |
670 | return; | |
671 | } | |
672 | ||
dff9808a LP |
673 | TAKE_FD(fd0); |
674 | TAKE_FD(fd1); | |
154eb43f LB |
675 | |
676 | if (ret) /* If the caller uses it directly, increment the refcount */ | |
677 | (*ret)->n_ref++; | |
29206d46 LP |
678 | } |
679 | ||
680 | void dynamic_user_vacuum(Manager *m, bool close_user) { | |
681 | DynamicUser *d; | |
29206d46 LP |
682 | |
683 | assert(m); | |
684 | ||
685 | /* Empty the dynamic user database, optionally cleaning up orphaned dynamic users, i.e. destroy and free users | |
686 | * to which no reference exist. This is called after a daemon reload finished, in order to destroy users which | |
687 | * might not be referenced anymore. */ | |
688 | ||
90e74a66 | 689 | HASHMAP_FOREACH(d, m->dynamic_users) { |
29206d46 LP |
690 | if (d->n_ref > 0) |
691 | continue; | |
692 | ||
693 | if (close_user) { | |
694 | log_debug("Removing orphaned dynamic user %s", d->name); | |
695 | (void) dynamic_user_close(d); | |
696 | } | |
697 | ||
698 | dynamic_user_free(d); | |
699 | } | |
700 | } | |
701 | ||
702 | int dynamic_user_lookup_uid(Manager *m, uid_t uid, char **ret) { | |
fbd0b64f | 703 | char lock_path[STRLEN("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; |
29206d46 LP |
704 | _cleanup_free_ char *user = NULL; |
705 | uid_t check_uid; | |
706 | int r; | |
707 | ||
708 | assert(m); | |
709 | assert(ret); | |
710 | ||
61755fda ZJS |
711 | /* A friendly way to translate a dynamic user's UID into a name. */ |
712 | if (!uid_is_dynamic(uid)) | |
29206d46 LP |
713 | return -ESRCH; |
714 | ||
715 | xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); | |
716 | r = read_one_line_file(lock_path, &user); | |
a2176045 | 717 | if (IN_SET(r, -ENOENT, 0)) |
29206d46 LP |
718 | return -ESRCH; |
719 | if (r < 0) | |
720 | return r; | |
721 | ||
722 | /* The lock file might be stale, hence let's verify the data before we return it */ | |
723 | r = dynamic_user_lookup_name(m, user, &check_uid); | |
724 | if (r < 0) | |
725 | return r; | |
726 | if (check_uid != uid) /* lock file doesn't match our own idea */ | |
727 | return -ESRCH; | |
728 | ||
ae2a15bc | 729 | *ret = TAKE_PTR(user); |
29206d46 LP |
730 | |
731 | return 0; | |
732 | } | |
733 | ||
734 | int dynamic_user_lookup_name(Manager *m, const char *name, uid_t *ret) { | |
735 | DynamicUser *d; | |
736 | int r; | |
737 | ||
738 | assert(m); | |
739 | assert(name); | |
29206d46 LP |
740 | |
741 | /* A friendly call for translating a dynamic user's name into its UID */ | |
742 | ||
743 | d = hashmap_get(m->dynamic_users, name); | |
744 | if (!d) | |
745 | return -ESRCH; | |
746 | ||
747 | r = dynamic_user_current(d, ret); | |
748 | if (r == -EAGAIN) /* not realized yet? */ | |
749 | return -ESRCH; | |
750 | ||
751 | return r; | |
752 | } | |
753 | ||
15220772 DDM |
754 | int dynamic_creds_make(Manager *m, const char *user, const char *group, DynamicCreds **ret) { |
755 | _cleanup_(dynamic_creds_unrefp) DynamicCreds *creds = NULL; | |
29206d46 LP |
756 | int r; |
757 | ||
29206d46 | 758 | assert(m); |
15220772 DDM |
759 | assert(ret); |
760 | ||
761 | if (!user && !group) { | |
762 | *ret = NULL; | |
763 | return 0; | |
764 | } | |
765 | ||
766 | creds = new0(DynamicCreds, 1); | |
767 | if (!creds) | |
768 | return -ENOMEM; | |
29206d46 LP |
769 | |
770 | /* A DynamicUser object encapsulates an allocation of both a UID and a GID for a specific name. However, some | |
771 | * services use different user and groups. For cases like that there's DynamicCreds containing a pair of user | |
772 | * and group. This call allocates a pair. */ | |
773 | ||
15220772 | 774 | if (user) { |
29206d46 LP |
775 | r = dynamic_user_acquire(m, user, &creds->user); |
776 | if (r < 0) | |
777 | return r; | |
29206d46 LP |
778 | } |
779 | ||
f2859ba5 | 780 | if (group && !streq_ptr(user, group)) { |
15220772 | 781 | r = dynamic_user_acquire(m, group, &creds->group); |
f2859ba5 | 782 | if (r < 0) |
15220772 | 783 | return r; |
f2859ba5 MY |
784 | } else |
785 | creds->group = ASSERT_PTR(dynamic_user_ref(creds->user)); | |
29206d46 | 786 | |
15220772 DDM |
787 | *ret = TAKE_PTR(creds); |
788 | ||
29206d46 LP |
789 | return 0; |
790 | } | |
791 | ||
da50b85a | 792 | int dynamic_creds_realize(DynamicCreds *creds, char **suggested_paths, uid_t *uid, gid_t *gid) { |
29206d46 LP |
793 | uid_t u = UID_INVALID; |
794 | gid_t g = GID_INVALID; | |
795 | int r; | |
796 | ||
797 | assert(creds); | |
798 | assert(uid); | |
799 | assert(gid); | |
800 | ||
801 | /* Realize both the referenced user and group */ | |
802 | ||
803 | if (creds->user) { | |
c2983a7f | 804 | r = dynamic_user_realize(creds->user, suggested_paths, &u, &g, true); |
29206d46 LP |
805 | if (r < 0) |
806 | return r; | |
807 | } | |
808 | ||
809 | if (creds->group && creds->group != creds->user) { | |
c2983a7f | 810 | r = dynamic_user_realize(creds->group, suggested_paths, NULL, &g, false); |
29206d46 LP |
811 | if (r < 0) |
812 | return r; | |
c2983a7f | 813 | } |
29206d46 LP |
814 | |
815 | *uid = u; | |
816 | *gid = g; | |
29206d46 LP |
817 | return 0; |
818 | } | |
819 | ||
15220772 DDM |
820 | DynamicCreds* dynamic_creds_unref(DynamicCreds *creds) { |
821 | if (!creds) | |
822 | return NULL; | |
29206d46 LP |
823 | |
824 | creds->user = dynamic_user_unref(creds->user); | |
825 | creds->group = dynamic_user_unref(creds->group); | |
15220772 DDM |
826 | |
827 | return mfree(creds); | |
29206d46 LP |
828 | } |
829 | ||
15220772 DDM |
830 | DynamicCreds* dynamic_creds_destroy(DynamicCreds *creds) { |
831 | if (!creds) | |
832 | return NULL; | |
29206d46 LP |
833 | |
834 | creds->user = dynamic_user_destroy(creds->user); | |
835 | creds->group = dynamic_user_destroy(creds->group); | |
15220772 DDM |
836 | |
837 | return mfree(creds); | |
29206d46 | 838 | } |
bb5232b6 LB |
839 | |
840 | void dynamic_creds_done(DynamicCreds *creds) { | |
841 | if (!creds) | |
842 | return; | |
843 | ||
844 | if (creds->group != creds->user) | |
845 | dynamic_user_free(creds->group); | |
846 | creds->group = creds->user = dynamic_user_free(creds->user); | |
847 | } | |
7b6d3dcd LB |
848 | |
849 | void dynamic_creds_close(DynamicCreds *creds) { | |
850 | if (!creds) | |
851 | return; | |
852 | ||
853 | if (creds->user) | |
854 | safe_close_pair(creds->user->storage_socket); | |
855 | ||
856 | if (creds->group && creds->group != creds->user) | |
857 | safe_close_pair(creds->group->storage_socket); | |
858 | } |