]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/sysusers/sysusers.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #28384 from ldv-alt/ERRNO_IS
[thirdparty/systemd.git] / src / sysusers / sysusers.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
1b992147 2
3f6fd1ba 3#include <getopt.h>
932ad62b 4#include <utmp.h>
1b992147 5
b5efdb8a 6#include "alloc-util.h"
d6b4d1c7 7#include "build.h"
f461a28d 8#include "chase.h"
1b992147 9#include "conf-files.h"
28db6fbf 10#include "constants.h"
1b992147 11#include "copy.h"
99e9f896 12#include "creds-util.h"
0c3ee127 13#include "dissect-image.h"
3fa8a114 14#include "env-util.h"
a0f29c76 15#include "fd-util.h"
ee228be1 16#include "fileio.h"
f97b34a6 17#include "format-util.h"
dcd5c891 18#include "fs-util.h"
3f6fd1ba 19#include "hashmap.h"
99e9f896 20#include "libcrypt-util.h"
71da1673 21#include "main-func.h"
99e9f896 22#include "memory-util.h"
0c3ee127 23#include "mount-util.h"
d481b830 24#include "nscd-flush.h"
dcd5c891 25#include "pager.h"
614b022c 26#include "parse-argument.h"
3f6fd1ba 27#include "path-util.h"
294bf0c3 28#include "pretty-print.h"
3f6fd1ba 29#include "selinux-util.h"
0c3ee127 30#include "set.h"
07630cea 31#include "smack-util.h"
3f6fd1ba 32#include "specifier.h"
5f465fda 33#include "stat-util.h"
07630cea 34#include "string-util.h"
3f6fd1ba 35#include "strv.h"
bf819d3a 36#include "sync-util.h"
e4de7287 37#include "tmpfile-util-label.h"
b085d224 38#include "uid-alloc-range.h"
3f6fd1ba 39#include "uid-range.h"
a0f29c76 40#include "user-util.h"
3f6fd1ba 41#include "utf8.h"
1b992147
LP		 42
43typedef enum ItemType {
9a5af4b7
ZJS		 44 ADD_USER = 'u',
45 ADD_GROUP = 'g',
a12b0cc3 46 ADD_MEMBER = 'm',
9a5af4b7 47 ADD_RANGE = 'r',
1b992147 48} ItemType;
dcd5c891 49
9a5af4b7
ZJS		 50static inline const char* item_type_to_string(ItemType t) {
51 switch (t) {
52 case ADD_USER:
53 return "user";
54 case ADD_GROUP:
55 return "group";
56 case ADD_MEMBER:
57 return "member";
58 case ADD_RANGE:
59 return "range";
60 default:
61 assert_not_reached();
62 }
63}
64
1b992147
LP		 65typedef struct Item {
66 ItemType type;
67
68 char *name;
649916d3 69 char *group_name;
1b992147
LP		 70 char *uid_path;
71 char *gid_path;
72 char *description;
7629889c 73 char *home;
7b1aaf66 74 char *shell;
1b992147
LP		 75
76 gid_t gid;
77 uid_t uid;
78
9a87bdd7
ZJS		 79 char *filename;
80 unsigned line;
81
616c5354 82 bool gid_set;
fb959f14 83
3f316701
ZJS		 84 /* When set the group with the specified GID must exist
85 * and the check if a UID clashes with the GID is skipped.
fb959f14 86 */
616c5354 87 bool id_set_strict;
fb959f14 88
616c5354 89 bool uid_set;
1b992147 90
616c5354
ZJS		 91 bool todo_user;
92 bool todo_group;
1b992147
LP		 93} Item;
94
95static char *arg_root = NULL;
0c3ee127 96static char *arg_image = NULL;
ec0327d6 97static bool arg_cat_config = false;
d16a1c1b 98static const char *arg_replace = NULL;
64fe1095 99static bool arg_dry_run = false;
1b600bd5 100static bool arg_inline = false;
0221d68a 101static PagerFlags arg_pager_flags = 0;
84be0c71 102static ImagePolicy *arg_image_policy = NULL;
1b992147 103
5bc9c980
MV		 104static OrderedHashmap *users = NULL, *groups = NULL;
105static OrderedHashmap *todo_uids = NULL, *todo_gids = NULL;
106static OrderedHashmap *members = NULL;
1b992147 107
71da1673
YW		 108static Hashmap *database_by_uid = NULL, *database_by_username = NULL;
109static Hashmap *database_by_gid = NULL, *database_by_groupname = NULL;
110static Set *database_users = NULL, *database_groups = NULL;
1b992147 111
fed1e721 112static uid_t search_uid = UID_INVALID;
8530dc44 113static UidRange *uid_range = NULL;
1b992147 114
4b6f9b20
ZJS		 115static UGIDAllocationRange login_defs = {};
116static bool login_defs_need_warning = false;
117
71da1673
YW		 118STATIC_DESTRUCTOR_REGISTER(groups, ordered_hashmap_freep);
119STATIC_DESTRUCTOR_REGISTER(users, ordered_hashmap_freep);
120STATIC_DESTRUCTOR_REGISTER(members, ordered_hashmap_freep);
121STATIC_DESTRUCTOR_REGISTER(todo_uids, ordered_hashmap_freep);
122STATIC_DESTRUCTOR_REGISTER(todo_gids, ordered_hashmap_freep);
123STATIC_DESTRUCTOR_REGISTER(database_by_uid, hashmap_freep);
124STATIC_DESTRUCTOR_REGISTER(database_by_username, hashmap_freep);
125STATIC_DESTRUCTOR_REGISTER(database_users, set_free_freep);
126STATIC_DESTRUCTOR_REGISTER(database_by_gid, hashmap_freep);
127STATIC_DESTRUCTOR_REGISTER(database_by_groupname, hashmap_freep);
128STATIC_DESTRUCTOR_REGISTER(database_groups, set_free_freep);
8dcc66ce 129STATIC_DESTRUCTOR_REGISTER(uid_range, uid_range_freep);
71da1673 130STATIC_DESTRUCTOR_REGISTER(arg_root, freep);
0c3ee127 131STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
84be0c71 132STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
71da1673 133
08c7c321
ZJS		 134static int errno_is_not_exists(int code) {
135 /* See getpwnam(3) and getgrnam(3): those codes and others can be returned if the user or group are
136 * not found. */
137 return IN_SET(code, 0, ENOENT, ESRCH, EBADF, EPERM);
138}
139
7519b880
ZJS		 140/* Note: the lifetime of the compound literal is the immediately surrounding block,
141 * see C11 §6.5.2.5, and
142 * https://stackoverflow.com/questions/34880638/compound-literal-lifetime-and-if-blocks */
143#define FORMAT_UID(is_set, uid) \
144 ((is_set) ? snprintf_ok((char[DECIMAL_STR_MAX(uid_t)]){}, DECIMAL_STR_MAX(uid_t), UID_FMT, uid) : "(unset)")
145#define FORMAT_GID(is_set, gid) \
146 ((is_set) ? snprintf_ok((char[DECIMAL_STR_MAX(gid_t)]){}, DECIMAL_STR_MAX(gid_t), GID_FMT, gid) : "(unset)")
147
4b6f9b20
ZJS		 148static void maybe_emit_login_defs_warning(void) {
149 if (!login_defs_need_warning)
150 return;
151
152 if (login_defs.system_alloc_uid_min != SYSTEM_ALLOC_UID_MIN ||
153 login_defs.system_uid_max != SYSTEM_UID_MAX)
154 log_warning("login.defs specifies UID allocation range "UID_FMT"–"UID_FMT
155 " that is different than the built-in defaults ("UID_FMT"–"UID_FMT")",
156 login_defs.system_alloc_uid_min, login_defs.system_uid_max,
2676befc 157 (uid_t) SYSTEM_ALLOC_UID_MIN, (uid_t) SYSTEM_UID_MAX);
4b6f9b20
ZJS		 158 if (login_defs.system_alloc_gid_min != SYSTEM_ALLOC_GID_MIN ||
159 login_defs.system_gid_max != SYSTEM_GID_MAX)
160 log_warning("login.defs specifies GID allocation range "GID_FMT"–"GID_FMT
161 " that is different than the built-in defaults ("GID_FMT"–"GID_FMT")",
162 login_defs.system_alloc_gid_min, login_defs.system_gid_max,
2676befc 163 (gid_t) SYSTEM_ALLOC_GID_MIN, (gid_t) SYSTEM_GID_MAX);
4b6f9b20
ZJS		 164
165 login_defs_need_warning = false;
166}
167
1b992147
LP		 168static int load_user_database(void) {
169 _cleanup_fclose_ FILE *f = NULL;
170 const char *passwd_path;
171 struct passwd *pw;
172 int r;
173
1d13f648 174 passwd_path = prefix_roota(arg_root, "/etc/passwd");
1b992147
LP		 175 f = fopen(passwd_path, "re");
176 if (!f)
177 return errno == ENOENT ? 0 : -errno;
178
71da1673 179 r = hashmap_ensure_allocated(&database_by_username, &string_hash_ops);
1b992147
LP		 180 if (r < 0)
181 return r;
182
71da1673 183 r = hashmap_ensure_allocated(&database_by_uid, NULL);
1b992147
LP		 184 if (r < 0)
185 return r;
186
71da1673 187 r = set_ensure_allocated(&database_users, NULL);
1b992147
LP		 188 if (r < 0)
189 return r;
190
100d5f6e 191 while ((r = fgetpwent_sane(f, &pw)) > 0) {
43e948ee 192 char *n;
340ac019 193 int k, q;
1b992147
LP		 194
195 n = strdup(pw->pw_name);
196 if (!n)
197 return -ENOMEM;
198
71da1673
YW		 199 k = set_put(database_users, n);
200 if (k < 0) {
1b992147
LP		 201 free(n);
202 return k;
203 }
204
71da1673
YW		 205 k = hashmap_put(database_by_username, n, UID_TO_PTR(pw->pw_uid));
206 if (k < 0 && k != -EEXIST)
207 return k;
1b992147 208
71da1673
YW		 209 q = hashmap_put(database_by_uid, UID_TO_PTR(pw->pw_uid), n);
210 if (q < 0 && q != -EEXIST)
211 return q;
1b992147 212 }
100d5f6e 213 return r;
1b992147
LP		 214}
215
216static int load_group_database(void) {
217 _cleanup_fclose_ FILE *f = NULL;
218 const char *group_path;
219 struct group *gr;
220 int r;
221
1d13f648 222 group_path = prefix_roota(arg_root, "/etc/group");
1b992147
LP		 223 f = fopen(group_path, "re");
224 if (!f)
225 return errno == ENOENT ? 0 : -errno;
226
71da1673 227 r = hashmap_ensure_allocated(&database_by_groupname, &string_hash_ops);
1b992147
LP		 228 if (r < 0)
229 return r;
230
71da1673 231 r = hashmap_ensure_allocated(&database_by_gid, NULL);
1b992147
LP		 232 if (r < 0)
233 return r;
234
71da1673 235 r = set_ensure_allocated(&database_groups, NULL);
1b992147
LP		 236 if (r < 0)
237 return r;
238
f030d36c 239 while ((r = fgetgrent_sane(f, &gr)) > 0) {
1b992147
LP		 240 char *n;
241 int k, q;
242
243 n = strdup(gr->gr_name);
244 if (!n)
245 return -ENOMEM;
246
71da1673
YW		 247 k = set_put(database_groups, n);
248 if (k < 0) {
1b992147
LP		 249 free(n);
250 return k;
251 }
252
71da1673
YW		 253 k = hashmap_put(database_by_groupname, n, GID_TO_PTR(gr->gr_gid));
254 if (k < 0 && k != -EEXIST)
255 return k;
1b992147 256
71da1673
YW		 257 q = hashmap_put(database_by_gid, GID_TO_PTR(gr->gr_gid), n);
258 if (q < 0 && q != -EEXIST)
259 return q;
1b992147 260 }
f030d36c 261 return r;
1b992147
LP		 262}
263
9f1c1940 264static int make_backup(const char *target, const char *x) {
62c03398 265 _cleanup_(unlink_and_freep) char *dst_tmp = NULL;
9f1c1940 266 _cleanup_fclose_ FILE *dst = NULL;
5bb1d7fb 267 _cleanup_close_ int src = -EBADF;
62c03398 268 const char *backup;
1b992147
LP		 269 struct stat st;
270 int r;
271
62c03398
LP		 272 assert(target);
273 assert(x);
274
1b992147
LP		 275 src = open(x, O_RDONLY|O_CLOEXEC|O_NOCTTY);
276 if (src < 0) {
277 if (errno == ENOENT) /* No backup necessary... */
278 return 0;
279
280 return -errno;
281 }
282
283 if (fstat(src, &st) < 0)
284 return -errno;
285
62c03398 286 r = fopen_temporary_label(
47fb161e 287 target, /* The path for which to the look up the label */
62c03398 288 x, /* Where we want the file actually to end up */
47fb161e
ZJS		 289 &dst, /* The temporary file we write to */
290 &dst_tmp);
9f1c1940
ZJS		 291 if (r < 0)
292 return r;
1b992147 293
f5fbe71d 294 r = copy_bytes(src, fileno(dst), UINT64_MAX, COPY_REFLINK);
1b992147 295 if (r < 0)
62c03398 296 return r;
9f1c1940 297
63c372cb 298 backup = strjoina(x, "-");
9f1c1940 299
62c03398
LP		 300 /* Copy over the access mask. Don't fail on chmod() or chown(). If it stays owned by us and/or
301 * unreadable by others, then it isn't too bad... */
b78d7f24 302 r = fchmod_and_chown_with_fallback(fileno(dst), dst_tmp, st.st_mode & 07777, st.st_uid, st.st_gid);
c039af23
YW		 303 if (r < 0)
304 log_warning_errno(r, "Failed to change access mode or ownership of %s: %m", backup);
1b992147 305
62c03398 306 if (futimens(fileno(dst), (const struct timespec[2]) { st.st_atim, st.st_mtim }) < 0)
56f64d95 307 log_warning_errno(errno, "Failed to fix access and modification time of %s: %m", backup);
1b992147 308
62c03398 309 r = fsync_full(fileno(dst));
0675e94a 310 if (r < 0)
62c03398 311 return r;
0675e94a 312
62c03398
LP		 313 if (rename(dst_tmp, backup) < 0)
314 return errno;
1b992147 315
7802194a 316 dst_tmp = mfree(dst_tmp); /* disable the unlink_and_freep() hook now that the file has been renamed */
1b992147 317 return 0;
1b992147
LP		 318}
319
a12b0cc3
LP		 320static int putgrent_with_members(const struct group *gr, FILE *group) {
321 char **a;
322
323 assert(gr);
324 assert(group);
325
5bc9c980 326 a = ordered_hashmap_get(members, gr->gr_name);
a12b0cc3
LP		 327 if (a) {
328 _cleanup_strv_free_ char **l = NULL;
329 bool added = false;
a12b0cc3
LP		 330
331 l = strv_copy(gr->gr_mem);
332 if (!l)
333 return -ENOMEM;
334
335 STRV_FOREACH(i, a) {
d29cc4d6 336 if (strv_contains(l, *i))
a12b0cc3
LP		 337 continue;
338
339 if (strv_extend(&l, *i) < 0)
340 return -ENOMEM;
341
342 added = true;
343 }
344
345 if (added) {
346 struct group t;
100d5f6e 347 int r;
a12b0cc3
LP		 348
349 strv_uniq(l);
350 strv_sort(l);
351
352 t = *gr;
353 t.gr_mem = l;
354
100d5f6e
FB		 355 r = putgrent_sane(&t, group);
356 return r < 0 ? r : 1;
a12b0cc3
LP		 357 }
358 }
359
100d5f6e 360 return putgrent_sane(gr, group);
a12b0cc3
LP		 361}
362
349cc4a5 363#if ENABLE_GSHADOW
9ab315cc
LP		 364static int putsgent_with_members(const struct sgrp *sg, FILE *gshadow) {
365 char **a;
366
367 assert(sg);
368 assert(gshadow);
369
5bc9c980 370 a = ordered_hashmap_get(members, sg->sg_namp);
9ab315cc
LP		 371 if (a) {
372 _cleanup_strv_free_ char **l = NULL;
373 bool added = false;
9ab315cc
LP		 374
375 l = strv_copy(sg->sg_mem);
376 if (!l)
377 return -ENOMEM;
378
379 STRV_FOREACH(i, a) {
d29cc4d6 380 if (strv_contains(l, *i))
9ab315cc
LP		 381 continue;
382
383 if (strv_extend(&l, *i) < 0)
384 return -ENOMEM;
385
386 added = true;
387 }
388
389 if (added) {
390 struct sgrp t;
100d5f6e 391 int r;
9ab315cc
LP		 392
393 strv_uniq(l);
394 strv_sort(l);
395
396 t = *sg;
397 t.sg_mem = l;
398
100d5f6e
FB		 399 r = putsgent_sane(&t, gshadow);
400 return r < 0 ? r : 1;
9ab315cc
LP		 401 }
402 }
403
100d5f6e 404 return putsgent_sane(sg, gshadow);
9ab315cc 405}
b14e1b43 406#endif
9ab315cc 407
5f465fda
ZJS		 408static const char* pick_shell(const Item *i) {
409 if (i->type != ADD_USER)
410 return NULL;
411 if (i->shell)
412 return i->shell;
413 if (i->uid_set && i->uid == 0)
8a7adccb 414 return default_root_shell(arg_root);
5f465fda 415 return NOLOGIN;
7b1aaf66
ZJS		 416}
417
9740e677 418static int write_temporary_passwd(const char *passwd_path, FILE **ret_tmpfile, char **ret_tmpfile_path) {
b20b0b66 419 _cleanup_fclose_ FILE *original = NULL, *passwd = NULL;
1dd98a71 420 _cleanup_(unlink_and_freep) char *passwd_tmp = NULL;
563dc6f8 421 struct passwd *pw = NULL;
1b992147
LP		 422 Item *i;
423 int r;
424
98167876 425 if (ordered_hashmap_isempty(todo_uids))
b20b0b66 426 return 0;
1b992147 427
64fe1095 428 if (arg_dry_run) {
28e5e1e9 429 log_info("Would write /etc/passwd%s", special_glyph(SPECIAL_GLYPH_ELLIPSIS));
64fe1095
ZJS		 430 return 0;
431 }
432
b20b0b66
FB		 433 r = fopen_temporary_label("/etc/passwd", passwd_path, &passwd, &passwd_tmp);
434 if (r < 0)
335f6ab4 435 return log_debug_errno(r, "Failed to open temporary copy of %s: %m", passwd_path);
b20b0b66
FB		 436
437 original = fopen(passwd_path, "re");
438 if (original) {
b20b0b66 439
82855aa6
ZJS		 440 /* Allow fallback path for when /proc is not mounted. On any normal system /proc will be
441 * mounted, but e.g. when 'dnf --installroot' is used, it might not be. There is no security
442 * relevance here, since the environment is ultimately trusted, and not requiring /proc makes
443 * it easier to depend on sysusers in packaging scripts and suchlike. */
444 r = copy_rights_with_fallback(fileno(original), fileno(passwd), passwd_tmp);
1b992147 445 if (r < 0)
335f6ab4
ZJS		 446 return log_debug_errno(r, "Failed to copy permissions from %s to %s: %m",
447 passwd_path, passwd_tmp);
1b992147 448
100d5f6e 449 while ((r = fgetpwent_sane(original, &pw)) > 0) {
5bc9c980 450 i = ordered_hashmap_get(users, pw->pw_name);
330d1def
ZJS		 451 if (i && i->todo_user)
452 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
453 "%s: User \"%s\" already exists.",
454 passwd_path, pw->pw_name);
e3c72c21 455
330d1def
ZJS		 456 if (ordered_hashmap_contains(todo_uids, UID_TO_PTR(pw->pw_uid)))
457 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
458 "%s: Detected collision for UID " UID_FMT ".",
459 passwd_path, pw->pw_uid);
b20b0b66 460
563dc6f8
FB		 461 /* Make sure we keep the NIS entries (if any) at the end. */
462 if (IN_SET(pw->pw_name[0], '+', '-'))
463 break;
464
100d5f6e
FB		 465 r = putpwent_sane(pw, passwd);
466 if (r < 0)
335f6ab4
ZJS		 467 return log_debug_errno(r, "Failed to add existing user \"%s\" to temporary passwd file: %m",
468 pw->pw_name);
b20b0b66 469 }
100d5f6e 470 if (r < 0)
335f6ab4 471 return log_debug_errno(r, "Failed to read %s: %m", passwd_path);
1dd98a71
FB		 472
473 } else {
474 if (errno != ENOENT)
335f6ab4 475 return log_debug_errno(errno, "Failed to open %s: %m", passwd_path);
1dd98a71 476 if (fchmod(fileno(passwd), 0644) < 0)
335f6ab4 477 return log_debug_errno(errno, "Failed to fchmod %s: %m", passwd_tmp);
b20b0b66
FB		 478 }
479
90e74a66 480 ORDERED_HASHMAP_FOREACH(i, todo_uids) {
99e9f896
LP		 481 _cleanup_free_ char *creds_shell = NULL, *cn = NULL;
482
b20b0b66
FB		 483 struct passwd n = {
484 .pw_name = i->name,
485 .pw_uid = i->uid,
486 .pw_gid = i->gid,
d610e142 487 .pw_gecos = (char*) strempty(i->description),
1b992147 488
b20b0b66 489 /* "x" means the password is stored in the shadow file */
53c25ac9 490 .pw_passwd = (char*) PASSWORD_SEE_SHADOW,
a12b0cc3 491
b20b0b66 492 /* We default to the root directory as home */
636e72bc 493 .pw_dir = i->home ?: (char*) "/",
1b992147 494
b20b0b66
FB		 495 /* Initialize the shell to nologin, with one exception:
496 * for root we patch in something special */
5f465fda 497 .pw_shell = (char*) pick_shell(i),
b20b0b66 498 };
9ab315cc 499
99e9f896
LP		 500 /* Try to pick up the shell for this account via the credentials logic */
501 cn = strjoin("passwd.shell.", i->name);
502 if (!cn)
503 return -ENOMEM;
504
505 r = read_credential(cn, (void**) &creds_shell, NULL);
506 if (r < 0)
507 log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
508 else
509 n.pw_shell = creds_shell;
510
100d5f6e
FB		 511 r = putpwent_sane(&n, passwd);
512 if (r < 0)
335f6ab4 513 return log_debug_errno(r, "Failed to add new user \"%s\" to temporary passwd file: %m",
7e4c6149 514 i->name);
b20b0b66
FB		 515 }
516
563dc6f8
FB		 517 /* Append the remaining NIS entries if any */
518 while (pw) {
100d5f6e
FB		 519 r = putpwent_sane(pw, passwd);
520 if (r < 0)
335f6ab4
ZJS		 521 return log_debug_errno(r, "Failed to add existing user \"%s\" to temporary passwd file: %m",
522 pw->pw_name);
563dc6f8 523
100d5f6e
FB		 524 r = fgetpwent_sane(original, &pw);
525 if (r < 0)
335f6ab4 526 return log_debug_errno(r, "Failed to read %s: %m", passwd_path);
100d5f6e
FB		 527 if (r == 0)
528 break;
563dc6f8 529 }
563dc6f8 530
19193b48 531 r = fflush_sync_and_check(passwd);
b20b0b66 532 if (r < 0)
335f6ab4 533 return log_debug_errno(r, "Failed to flush %s: %m", passwd_tmp);
b20b0b66 534
9740e677
ZJS		 535 *ret_tmpfile = TAKE_PTR(passwd);
536 *ret_tmpfile_path = TAKE_PTR(passwd_tmp);
1cc6c93a 537
b20b0b66 538 return 0;
b20b0b66
FB		 539}
540
3fa8a114
JSMR		 541static usec_t epoch_or_now(void) {
542 uint64_t epoch;
543
544 if (getenv_uint64_secure("SOURCE_DATE_EPOCH", &epoch) >= 0) {
545 if (epoch > UINT64_MAX/USEC_PER_SEC) /* Overflow check */
546 return USEC_INFINITY;
547 return (usec_t) epoch * USEC_PER_SEC;
548 }
549
550 return now(CLOCK_REALTIME);
551}
552
9740e677 553static int write_temporary_shadow(const char *shadow_path, FILE **ret_tmpfile, char **ret_tmpfile_path) {
b20b0b66 554 _cleanup_fclose_ FILE *original = NULL, *shadow = NULL;
1dd98a71 555 _cleanup_(unlink_and_freep) char *shadow_tmp = NULL;
19ec7de2 556 struct spwd *sp = NULL;
b20b0b66
FB		 557 long lstchg;
558 Item *i;
559 int r;
560
98167876 561 if (ordered_hashmap_isempty(todo_uids))
b20b0b66
FB		 562 return 0;
563
64fe1095 564 if (arg_dry_run) {
28e5e1e9 565 log_info("Would write /etc/shadow%s", special_glyph(SPECIAL_GLYPH_ELLIPSIS));
64fe1095
ZJS		 566 return 0;
567 }
568
b20b0b66
FB		 569 r = fopen_temporary_label("/etc/shadow", shadow_path, &shadow, &shadow_tmp);
570 if (r < 0)
335f6ab4 571 return log_debug_errno(r, "Failed to open temporary copy of %s: %m", shadow_path);
9ab315cc 572
3fa8a114 573 lstchg = (long) (epoch_or_now() / USEC_PER_DAY);
b20b0b66
FB		 574
575 original = fopen(shadow_path, "re");
576 if (original) {
b20b0b66 577
82855aa6 578 r = copy_rights_with_fallback(fileno(original), fileno(shadow), shadow_tmp);
9ab315cc 579 if (r < 0)
335f6ab4
ZJS		 580 return log_debug_errno(r, "Failed to copy permissions from %s to %s: %m",
581 shadow_path, shadow_tmp);
9ab315cc 582
100d5f6e 583 while ((r = fgetspent_sane(original, &sp)) > 0) {
5bc9c980 584 i = ordered_hashmap_get(users, sp->sp_namp);
b20b0b66
FB		 585 if (i && i->todo_user) {
586 /* we will update the existing entry */
587 sp->sp_lstchg = lstchg;
e3c72c21 588
b20b0b66
FB		 589 /* only the /etc/shadow stage is left, so we can
590 * safely remove the item from the todo set */
591 i->todo_user = false;
5bc9c980 592 ordered_hashmap_remove(todo_uids, UID_TO_PTR(i->uid));
9ab315cc 593 }
b20b0b66 594
19ec7de2
FB		 595 /* Make sure we keep the NIS entries (if any) at the end. */
596 if (IN_SET(sp->sp_namp[0], '+', '-'))
597 break;
598
100d5f6e
FB		 599 r = putspent_sane(sp, shadow);
600 if (r < 0)
335f6ab4
ZJS		 601 return log_debug_errno(r, "Failed to add existing user \"%s\" to temporary shadow file: %m",
602 sp->sp_namp);
603
b20b0b66 604 }
100d5f6e 605 if (r < 0)
335f6ab4 606 return log_debug_errno(r, "Failed to read %s: %m", shadow_path);
1dd98a71
FB		 607
608 } else {
609 if (errno != ENOENT)
335f6ab4 610 return log_debug_errno(errno, "Failed to open %s: %m", shadow_path);
1dd98a71 611 if (fchmod(fileno(shadow), 0000) < 0)
335f6ab4 612 return log_debug_errno(errno, "Failed to fchmod %s: %m", shadow_tmp);
b20b0b66 613 }
9ab315cc 614
90e74a66 615 ORDERED_HASHMAP_FOREACH(i, todo_uids) {
99e9f896 616 _cleanup_(erase_and_freep) char *creds_password = NULL;
ff86850b 617 bool is_hashed;
99e9f896 618
b20b0b66
FB		 619 struct spwd n = {
620 .sp_namp = i->name,
b20b0b66
FB		 621 .sp_lstchg = lstchg,
622 .sp_min = -1,
623 .sp_max = -1,
624 .sp_warn = -1,
625 .sp_inact = -1,
12c82937 626 .sp_expire = -1,
f5fbe71d 627 .sp_flag = ULONG_MAX, /* this appears to be what everybody does ... */
b20b0b66 628 };
9ab315cc 629
ff86850b
LN		 630 r = get_credential_user_password(i->name, &creds_password, &is_hashed);
631 if (r < 0)
632 log_debug_errno(r, "Couldn't read password credential for user '%s', ignoring: %m", i->name);
99e9f896 633
ff86850b
LN		 634 if (creds_password && !is_hashed) {
635 _cleanup_(erase_and_freep) char* plaintext_password = TAKE_PTR(creds_password);
636 r = hash_password(plaintext_password, &creds_password);
99e9f896 637 if (r < 0)
ff86850b
LN		 638 return log_debug_errno(r, "Failed to hash password: %m");
639 }
99e9f896
LP		 640
641 if (creds_password)
642 n.sp_pwdp = creds_password;
a777a592
ZJS		 643 else if (streq(i->name, "root"))
644 /* Let firstboot set the password later */
645 n.sp_pwdp = (char*) PASSWORD_UNPROVISIONED;
646 else
647 n.sp_pwdp = (char*) PASSWORD_LOCKED_AND_INVALID;
99e9f896 648
100d5f6e
FB		 649 r = putspent_sane(&n, shadow);
650 if (r < 0)
335f6ab4 651 return log_debug_errno(r, "Failed to add new user \"%s\" to temporary shadow file: %m",
7e4c6149 652 i->name);
1b992147 653 }
19ec7de2
FB		 654
655 /* Append the remaining NIS entries if any */
656 while (sp) {
100d5f6e
FB		 657 r = putspent_sane(sp, shadow);
658 if (r < 0)
335f6ab4
ZJS		 659 return log_debug_errno(r, "Failed to add existing user \"%s\" to temporary shadow file: %m",
660 sp->sp_namp);
19ec7de2 661
100d5f6e
FB		 662 r = fgetspent_sane(original, &sp);
663 if (r < 0)
335f6ab4 664 return log_debug_errno(r, "Failed to read %s: %m", shadow_path);
100d5f6e
FB		 665 if (r == 0)
666 break;
19ec7de2
FB		 667 }
668 if (!IN_SET(errno, 0, ENOENT))
669 return -errno;
1b992147 670
0675e94a 671 r = fflush_sync_and_check(shadow);
b20b0b66 672 if (r < 0)
335f6ab4 673 return log_debug_errno(r, "Failed to flush %s: %m", shadow_tmp);
b20b0b66 674
9740e677
ZJS		 675 *ret_tmpfile = TAKE_PTR(shadow);
676 *ret_tmpfile_path = TAKE_PTR(shadow_tmp);
1cc6c93a 677
b20b0b66 678 return 0;
b20b0b66 679}
1b992147 680
9740e677 681static int write_temporary_group(const char *group_path, FILE **ret_tmpfile, char **ret_tmpfile_path) {
b20b0b66 682 _cleanup_fclose_ FILE *original = NULL, *group = NULL;
1dd98a71 683 _cleanup_(unlink_and_freep) char *group_tmp = NULL;
b20b0b66 684 bool group_changed = false;
563dc6f8 685 struct group *gr = NULL;
b20b0b66
FB		 686 Item *i;
687 int r;
1b992147 688
98167876 689 if (ordered_hashmap_isempty(todo_gids) && ordered_hashmap_isempty(members))
b20b0b66 690 return 0;
e3c72c21 691
64fe1095 692 if (arg_dry_run) {
28e5e1e9 693 log_info("Would write /etc/group%s", special_glyph(SPECIAL_GLYPH_ELLIPSIS));
64fe1095
ZJS		 694 return 0;
695 }
696
b20b0b66
FB		 697 r = fopen_temporary_label("/etc/group", group_path, &group, &group_tmp);
698 if (r < 0)
4c795066 699 return log_error_errno(r, "Failed to open temporary copy of %s: %m", group_path);
b20b0b66
FB		 700
701 original = fopen(group_path, "re");
702 if (original) {
b20b0b66 703
82855aa6 704 r = copy_rights_with_fallback(fileno(original), fileno(group), group_tmp);
b20b0b66 705 if (r < 0)
4c795066 706 return log_error_errno(r, "Failed to copy permissions from %s to %s: %m",
335f6ab4 707 group_path, group_tmp);
b20b0b66 708
100d5f6e 709 while ((r = fgetgrent_sane(original, &gr)) > 0) {
b20b0b66
FB		 710 /* Safety checks against name and GID collisions. Normally,
711 * this should be unnecessary, but given that we look at the
712 * entries anyway here, let's make an extra verification
713 * step that we don't generate duplicate entries. */
714
5bc9c980 715 i = ordered_hashmap_get(groups, gr->gr_name);
330d1def
ZJS		 716 if (i && i->todo_group)
717 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
718 "%s: Group \"%s\" already exists.",
719 group_path, gr->gr_name);
b20b0b66 720
330d1def
ZJS		 721 if (ordered_hashmap_contains(todo_gids, GID_TO_PTR(gr->gr_gid)))
722 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
723 "%s: Detected collision for GID " GID_FMT ".",
724 group_path, gr->gr_gid);
1b992147 725
563dc6f8
FB		 726 /* Make sure we keep the NIS entries (if any) at the end. */
727 if (IN_SET(gr->gr_name[0], '+', '-'))
728 break;
729
b20b0b66
FB		 730 r = putgrent_with_members(gr, group);
731 if (r < 0)
4c795066 732 return log_error_errno(r, "Failed to add existing group \"%s\" to temporary group file: %m",
335f6ab4 733 gr->gr_name);
b20b0b66
FB		 734 if (r > 0)
735 group_changed = true;
b20b0b66 736 }
100d5f6e 737 if (r < 0)
4c795066 738 return log_error_errno(r, "Failed to read %s: %m", group_path);
1dd98a71
FB		 739
740 } else {
741 if (errno != ENOENT)
4c795066 742 return log_error_errno(errno, "Failed to open %s: %m", group_path);
1dd98a71 743 if (fchmod(fileno(group), 0644) < 0)
4c795066 744 return log_error_errno(errno, "Failed to fchmod %s: %m", group_tmp);
b20b0b66 745 }
7629889c 746
90e74a66 747 ORDERED_HASHMAP_FOREACH(i, todo_gids) {
b20b0b66
FB		 748 struct group n = {
749 .gr_name = i->name,
750 .gr_gid = i->gid,
53c25ac9 751 .gr_passwd = (char*) PASSWORD_SEE_SHADOW,
b20b0b66 752 };
1b992147 753
b20b0b66
FB		 754 r = putgrent_with_members(&n, group);
755 if (r < 0)
4c795066 756 return log_error_errno(r, "Failed to add new group \"%s\" to temporary group file: %m",
335f6ab4 757 gr->gr_name);
7629889c 758
b20b0b66
FB		 759 group_changed = true;
760 }
1b992147 761
563dc6f8
FB		 762 /* Append the remaining NIS entries if any */
763 while (gr) {
100d5f6e
FB		 764 r = putgrent_sane(gr, group);
765 if (r < 0)
4c795066 766 return log_error_errno(r, "Failed to add existing group \"%s\" to temporary group file: %m",
335f6ab4 767 gr->gr_name);
563dc6f8 768
100d5f6e
FB		 769 r = fgetgrent_sane(original, &gr);
770 if (r < 0)
4c795066 771 return log_error_errno(r, "Failed to read %s: %m", group_path);
100d5f6e
FB		 772 if (r == 0)
773 break;
563dc6f8 774 }
563dc6f8 775
0675e94a 776 r = fflush_sync_and_check(group);
b20b0b66 777 if (r < 0)
4c795066 778 return log_error_errno(r, "Failed to flush %s: %m", group_tmp);
1b992147 779
b20b0b66 780 if (group_changed) {
9740e677
ZJS		 781 *ret_tmpfile = TAKE_PTR(group);
782 *ret_tmpfile_path = TAKE_PTR(group_tmp);
b20b0b66
FB		 783 }
784 return 0;
b20b0b66
FB		 785}
786
9740e677 787static int write_temporary_gshadow(const char * gshadow_path, FILE **ret_tmpfile, char **ret_tmpfile_path) {
349cc4a5 788#if ENABLE_GSHADOW
b20b0b66 789 _cleanup_fclose_ FILE *original = NULL, *gshadow = NULL;
1dd98a71 790 _cleanup_(unlink_and_freep) char *gshadow_tmp = NULL;
b20b0b66 791 bool group_changed = false;
b20b0b66
FB		 792 Item *i;
793 int r;
794
98167876 795 if (ordered_hashmap_isempty(todo_gids) && ordered_hashmap_isempty(members))
b20b0b66
FB		 796 return 0;
797
64fe1095 798 if (arg_dry_run) {
28e5e1e9 799 log_info("Would write /etc/gshadow%s", special_glyph(SPECIAL_GLYPH_ELLIPSIS));
64fe1095
ZJS		 800 return 0;
801 }
802
b20b0b66
FB		 803 r = fopen_temporary_label("/etc/gshadow", gshadow_path, &gshadow, &gshadow_tmp);
804 if (r < 0)
4c795066 805 return log_error_errno(r, "Failed to open temporary copy of %s: %m", gshadow_path);
9ab315cc 806
b20b0b66
FB		 807 original = fopen(gshadow_path, "re");
808 if (original) {
809 struct sgrp *sg;
810
82855aa6 811 r = copy_rights_with_fallback(fileno(original), fileno(gshadow), gshadow_tmp);
1b992147 812 if (r < 0)
4c795066 813 return log_error_errno(r, "Failed to copy permissions from %s to %s: %m",
335f6ab4 814 gshadow_path, gshadow_tmp);
9ab315cc 815
100d5f6e 816 while ((r = fgetsgent_sane(original, &sg)) > 0) {
c5abf225 817
5bc9c980 818 i = ordered_hashmap_get(groups, sg->sg_namp);
330d1def
ZJS		 819 if (i && i->todo_group)
820 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
821 "%s: Group \"%s\" already exists.",
822 gshadow_path, sg->sg_namp);
9ab315cc 823
b20b0b66 824 r = putsgent_with_members(sg, gshadow);
fff19499 825 if (r < 0)
4c795066 826 return log_error_errno(r, "Failed to add existing group \"%s\" to temporary gshadow file: %m",
335f6ab4 827 sg->sg_namp);
b20b0b66
FB		 828 if (r > 0)
829 group_changed = true;
b20b0b66 830 }
100d5f6e
FB		 831 if (r < 0)
832 return r;
1dd98a71
FB		 833
834 } else {
835 if (errno != ENOENT)
4c795066 836 return log_error_errno(errno, "Failed to open %s: %m", gshadow_path);
1dd98a71 837 if (fchmod(fileno(gshadow), 0000) < 0)
4c795066 838 return log_error_errno(errno, "Failed to fchmod %s: %m", gshadow_tmp);
b20b0b66 839 }
9ab315cc 840
90e74a66 841 ORDERED_HASHMAP_FOREACH(i, todo_gids) {
b20b0b66
FB		 842 struct sgrp n = {
843 .sg_namp = i->name,
53c25ac9 844 .sg_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
b20b0b66 845 };
9ab315cc 846
b20b0b66 847 r = putsgent_with_members(&n, gshadow);
9ab315cc 848 if (r < 0)
4c795066 849 return log_error_errno(r, "Failed to add new group \"%s\" to temporary gshadow file: %m",
335f6ab4 850 n.sg_namp);
b20b0b66
FB		 851
852 group_changed = true;
9ab315cc
LP		 853 }
854
0675e94a 855 r = fflush_sync_and_check(gshadow);
b20b0b66 856 if (r < 0)
4c795066 857 return log_error_errno(r, "Failed to flush %s: %m", gshadow_tmp);
b20b0b66 858
9ab315cc 859 if (group_changed) {
9740e677
ZJS		 860 *ret_tmpfile = TAKE_PTR(gshadow);
861 *ret_tmpfile_path = TAKE_PTR(gshadow_tmp);
b20b0b66 862 }
b14e1b43 863#endif
62d1c93a 864 return 0;
b20b0b66
FB		 865}
866
867static int write_files(void) {
b20b0b66 868 _cleanup_fclose_ FILE *passwd = NULL, *group = NULL, *shadow = NULL, *gshadow = NULL;
1dd98a71 869 _cleanup_(unlink_and_freep) char *passwd_tmp = NULL, *group_tmp = NULL, *shadow_tmp = NULL, *gshadow_tmp = NULL;
62d1c93a 870 const char *passwd_path, *shadow_path, *group_path, *gshadow_path;
b20b0b66
FB		 871 int r;
872
873 passwd_path = prefix_roota(arg_root, "/etc/passwd");
874 shadow_path = prefix_roota(arg_root, "/etc/shadow");
875 group_path = prefix_roota(arg_root, "/etc/group");
876 gshadow_path = prefix_roota(arg_root, "/etc/gshadow");
877
878 r = write_temporary_group(group_path, &group, &group_tmp);
879 if (r < 0)
1dd98a71 880 return r;
b20b0b66
FB		 881
882 r = write_temporary_gshadow(gshadow_path, &gshadow, &gshadow_tmp);
883 if (r < 0)
1dd98a71 884 return r;
b20b0b66
FB		 885
886 r = write_temporary_passwd(passwd_path, &passwd, &passwd_tmp);
887 if (r < 0)
1dd98a71 888 return r;
b20b0b66
FB		 889
890 r = write_temporary_shadow(shadow_path, &shadow, &shadow_tmp);
891 if (r < 0)
1dd98a71 892 return r;
b20b0b66
FB		 893
894 /* Make a backup of the old files */
895 if (group) {
896 r = make_backup("/etc/group", group_path);
897 if (r < 0)
9740e677 898 return log_error_errno(r, "Failed to backup %s: %m", group_path);
b20b0b66
FB		 899 }
900 if (gshadow) {
901 r = make_backup("/etc/gshadow", gshadow_path);
902 if (r < 0)
9740e677 903 return log_error_errno(r, "Failed to backup %s: %m", gshadow_path);
1b992147
LP		 904 }
905
906 if (passwd) {
9f1c1940 907 r = make_backup("/etc/passwd", passwd_path);
1b992147 908 if (r < 0)
9740e677 909 return log_error_errno(r, "Failed to backup %s: %m", passwd_path);
1b992147 910 }
9ab315cc
LP		 911 if (shadow) {
912 r = make_backup("/etc/shadow", shadow_path);
913 if (r < 0)
9740e677 914 return log_error_errno(r, "Failed to backup %s: %m", shadow_path);
9ab315cc 915 }
1b992147
LP		 916
917 /* And make the new files count */
b20b0b66 918 if (group) {
2da3dc69 919 r = rename_and_apply_smack_floor_label(group_tmp, group_path);
b20b0b66 920 if (r < 0)
4c795066 921 return log_error_errno(r, "Failed to rename %s to %s: %m",
335f6ab4 922 group_tmp, group_path);
b20b0b66 923 group_tmp = mfree(group_tmp);
d481b830
FB		 924
925 if (!arg_root && !arg_image)
926 (void) nscd_flush_cache(STRV_MAKE("group"));
b20b0b66
FB		 927 }
928 if (gshadow) {
2da3dc69 929 r = rename_and_apply_smack_floor_label(gshadow_tmp, gshadow_path);
b20b0b66 930 if (r < 0)
4c795066 931 return log_error_errno(r, "Failed to rename %s to %s: %m",
335f6ab4 932 gshadow_tmp, gshadow_path);
1b992147 933
b20b0b66 934 gshadow_tmp = mfree(gshadow_tmp);
1b992147
LP		 935 }
936
937 if (passwd) {
2da3dc69 938 r = rename_and_apply_smack_floor_label(passwd_tmp, passwd_path);
c02e7b1e 939 if (r < 0)
4c795066 940 return log_error_errno(r, "Failed to rename %s to %s: %m",
335f6ab4 941 passwd_tmp, passwd_path);
1b992147 942
97b11eed 943 passwd_tmp = mfree(passwd_tmp);
d481b830
FB		 944
945 if (!arg_root && !arg_image)
946 (void) nscd_flush_cache(STRV_MAKE("passwd"));
1b992147 947 }
9ab315cc 948 if (shadow) {
2da3dc69 949 r = rename_and_apply_smack_floor_label(shadow_tmp, shadow_path);
c02e7b1e 950 if (r < 0)
4c795066 951 return log_error_errno(r, "Failed to rename %s to %s: %m",
335f6ab4 952 shadow_tmp, shadow_path);
9ab315cc 953
97b11eed 954 shadow_tmp = mfree(shadow_tmp);
9ab315cc 955 }
1b992147 956
1dd98a71 957 return 0;
1b992147
LP		 958}
959
b9ee05c2 960static int uid_is_ok(uid_t uid, const char *name, bool check_with_gid) {
1b992147
LP		 961
962 /* Let's see if we already have assigned the UID a second time */
5bc9c980 963 if (ordered_hashmap_get(todo_uids, UID_TO_PTR(uid)))
1b992147
LP		 964 return 0;
965
966 /* Try to avoid using uids that are already used by a group
967 * that doesn't have the same name as our new user. */
b9ee05c2 968 if (check_with_gid) {
62d1c93a
ZJS		 969 Item *i;
970
b9ee05c2
MV		 971 i = ordered_hashmap_get(todo_gids, GID_TO_PTR(uid));
972 if (i && !streq(i->name, name))
973 return 0;
974 }
1b992147
LP		 975
976 /* Let's check the files directly */
71da1673 977 if (hashmap_contains(database_by_uid, UID_TO_PTR(uid)))
1b992147
LP		 978 return 0;
979
b9ee05c2 980 if (check_with_gid) {
62d1c93a
ZJS		 981 const char *n;
982
71da1673 983 n = hashmap_get(database_by_gid, GID_TO_PTR(uid));
b9ee05c2
MV		 984 if (n && !streq(n, name))
985 return 0;
986 }
1b992147
LP		 987
988 /* Let's also check via NSS, to avoid UID clashes over LDAP and such, just in case */
989 if (!arg_root) {
62d1c93a
ZJS		 990 struct passwd *p;
991 struct group *g;
992
1b992147
LP		 993 errno = 0;
994 p = getpwuid(uid);
995 if (p)
996 return 0;
b0284aba 997 if (!IN_SET(errno, 0, ENOENT))
1b992147
LP		 998 return -errno;
999
b9ee05c2
MV		 1000 if (check_with_gid) {
1001 errno = 0;
1002 g = getgrgid((gid_t) uid);
1003 if (g) {
1004 if (!streq(g->gr_name, name))
1005 return 0;
1006 } else if (!IN_SET(errno, 0, ENOENT))
1007 return -errno;
1008 }
1b992147
LP		 1009 }
1010
1011 return 1;
1012}
1013
1014static int root_stat(const char *p, struct stat *st) {
1015 const char *fix;
1016
1d13f648 1017 fix = prefix_roota(arg_root, p);
7c248223 1018 return RET_NERRNO(stat(fix, st));
1b992147
LP		 1019}
1020
905ec0c0 1021static int read_id_from_file(Item *i, uid_t *ret_uid, gid_t *ret_gid) {
1b992147
LP		 1022 struct stat st;
1023 bool found_uid = false, found_gid = false;
56d21cde
PDS		 1024 uid_t uid = 0;
1025 gid_t gid = 0;
1b992147
LP		 1026
1027 assert(i);
1028
3f316701 1029 /* First, try to get the GID directly */
905ec0c0 1030 if (ret_gid && i->gid_path && root_stat(i->gid_path, &st) >= 0) {
1b992147
LP		 1031 gid = st.st_gid;
1032 found_gid = true;
1033 }
1034
3f316701 1035 /* Then, try to get the UID directly */
905ec0c0 1036 if ((ret_uid || (ret_gid && !found_gid))
1b992147
LP		 1037 && i->uid_path
1038 && root_stat(i->uid_path, &st) >= 0) {
1039
1040 uid = st.st_uid;
1041 found_uid = true;
1042
3f316701 1043 /* If we need the gid, but had no success yet, also derive it from the UID path */
905ec0c0 1044 if (ret_gid && !found_gid) {
1b992147
LP		 1045 gid = st.st_gid;
1046 found_gid = true;
1047 }
1048 }
1049
3f316701 1050 /* If that didn't work yet, then let's reuse the GID as UID */
905ec0c0 1051 if (ret_uid && !found_uid && i->gid_path) {
1b992147
LP		 1052
1053 if (found_gid) {
1054 uid = (uid_t) gid;
1055 found_uid = true;
1056 } else if (root_stat(i->gid_path, &st) >= 0) {
1057 uid = (uid_t) st.st_gid;
1058 found_uid = true;
1059 }
1060 }
1061
905ec0c0 1062 if (ret_uid) {
1b992147
LP		 1063 if (!found_uid)
1064 return 0;
1065
905ec0c0 1066 *ret_uid = uid;
1b992147
LP		 1067 }
1068
905ec0c0 1069 if (ret_gid) {
1b992147
LP		 1070 if (!found_gid)
1071 return 0;
1072
905ec0c0 1073 *ret_gid = gid;
1b992147
LP		 1074 }
1075
1076 return 1;
1077}
1078
1079static int add_user(Item *i) {
1080 void *z;
1081 int r;
1082
1083 assert(i);
1084
1085 /* Check the database directly */
71da1673 1086 z = hashmap_get(database_by_username, i->name);
1b992147
LP		 1087 if (z) {
1088 log_debug("User %s already exists.", i->name);
c1b6b04f 1089 i->uid = PTR_TO_UID(z);
1b992147
LP		 1090 i->uid_set = true;
1091 return 0;
1092 }
1093
1094 if (!arg_root) {
1095 struct passwd *p;
1b992147
LP		 1096
1097 /* Also check NSS */
1098 errno = 0;
1099 p = getpwnam(i->name);
1100 if (p) {
1101 log_debug("User %s already exists.", i->name);
1102 i->uid = p->pw_uid;
1103 i->uid_set = true;
1104
2fc09a9c
DM		 1105 r = free_and_strdup(&i->description, p->pw_gecos);
1106 if (r < 0)
1107 return log_oom();
1108
1b992147
LP		 1109 return 0;
1110 }
08c7c321 1111 if (!errno_is_not_exists(errno))
4a62c710 1112 return log_error_errno(errno, "Failed to check if user %s already exists: %m", i->name);
1b992147
LP		 1113 }
1114
3f316701 1115 /* Try to use the suggested numeric UID */
1b992147 1116 if (i->uid_set) {
b9ee05c2 1117 r = uid_is_ok(i->uid, i->name, !i->id_set_strict);
f647962d 1118 if (r < 0)
3f316701 1119 return log_error_errno(r, "Failed to verify UID " UID_FMT ": %m", i->uid);
1b992147 1120 if (r == 0) {
5374bc7c 1121 log_info("Suggested user ID " UID_FMT " for %s already used.", i->uid, i->name);
1b992147
LP		 1122 i->uid_set = false;
1123 }
1124 }
1125
1126 /* If that didn't work, try to read it from the specified path */
1127 if (!i->uid_set) {
1128 uid_t c;
1129
1130 if (read_id_from_file(i, &c, NULL) > 0) {
1131
8dcc66ce 1132 if (c <= 0 || !uid_range_contains(uid_range, c))
1b992147
LP		 1133 log_debug("User ID " UID_FMT " of file not suitable for %s.", c, i->name);
1134 else {
b9ee05c2 1135 r = uid_is_ok(c, i->name, true);
f647962d 1136 if (r < 0)
3f316701 1137 return log_error_errno(r, "Failed to verify UID " UID_FMT ": %m", i->uid);
f647962d 1138 else if (r > 0) {
1b992147
LP		 1139 i->uid = c;
1140 i->uid_set = true;
1141 } else
1142 log_debug("User ID " UID_FMT " of file for %s is already used.", c, i->name);
1143 }
1144 }
1145 }
1146
b938cb90 1147 /* Otherwise, try to reuse the group ID */
1b992147 1148 if (!i->uid_set && i->gid_set) {
b9ee05c2 1149 r = uid_is_ok((uid_t) i->gid, i->name, true);
f647962d 1150 if (r < 0)
3f316701 1151 return log_error_errno(r, "Failed to verify UID " UID_FMT ": %m", i->uid);
1b992147
LP		 1152 if (r > 0) {
1153 i->uid = (uid_t) i->gid;
1154 i->uid_set = true;
1155 }
1156 }
1157
1158 /* And if that didn't work either, let's try to find a free one */
1159 if (!i->uid_set) {
4b6f9b20
ZJS		 1160 maybe_emit_login_defs_warning();
1161
8530dc44 1162 for (;;) {
8dcc66ce 1163 r = uid_range_next_lower(uid_range, &search_uid);
330d1def
ZJS		 1164 if (r < 0)
1165 return log_error_errno(r, "No free user ID available for %s.", i->name);
1b992147 1166
b9ee05c2 1167 r = uid_is_ok(search_uid, i->name, true);
f647962d 1168 if (r < 0)
3f316701 1169 return log_error_errno(r, "Failed to verify UID " UID_FMT ": %m", i->uid);
f647962d 1170 else if (r > 0)
1b992147
LP		 1171 break;
1172 }
1173
1b992147
LP		 1174 i->uid_set = true;
1175 i->uid = search_uid;
1b992147
LP		 1176 }
1177
1dfb9321
SS		 1178 r = ordered_hashmap_ensure_put(&todo_uids, NULL, UID_TO_PTR(i->uid), i);
1179 if (r == -EEXIST)
3f316701 1180 return log_error_errno(r, "Requested user %s with UID " UID_FMT " and gid" GID_FMT " to be created is duplicated "
1dfb9321
SS		 1181 "or conflicts with another user.", i->name, i->uid, i->gid);
1182 if (r == -ENOMEM)
1b992147 1183 return log_oom();
1b992147 1184 if (r < 0)
3f316701 1185 return log_error_errno(r, "Failed to store user %s with UID " UID_FMT " and GID " GID_FMT " to be created: %m",
1dfb9321 1186 i->name, i->uid, i->gid);
1b992147 1187
c1b6b04f 1188 i->todo_user = true;
9a5af4b7 1189 log_info("Creating user '%s' (%s) with UID " UID_FMT " and GID " GID_FMT ".",
62d1c93a 1190 i->name, strna(i->description), i->uid, i->gid);
1b992147
LP		 1191
1192 return 0;
1193}
1194
4ae3e8c9 1195static int gid_is_ok(gid_t gid, const char *groupname, bool check_with_uid) {
1b992147
LP		 1196 struct group *g;
1197 struct passwd *p;
4ae3e8c9
LB		 1198 Item *user;
1199 char *username;
1200
1201 assert(groupname);
1b992147 1202
5bc9c980 1203 if (ordered_hashmap_get(todo_gids, GID_TO_PTR(gid)))
1b992147
LP		 1204 return 0;
1205
1206 /* Avoid reusing gids that are already used by a different user */
4ae3e8c9
LB		 1207 if (check_with_uid) {
1208 user = ordered_hashmap_get(todo_uids, UID_TO_PTR(gid));
1209 if (user && !streq(user->name, groupname))
1210 return 0;
1211 }
1b992147 1212
71da1673 1213 if (hashmap_contains(database_by_gid, GID_TO_PTR(gid)))
1b992147
LP		 1214 return 0;
1215
4ae3e8c9
LB		 1216 if (check_with_uid) {
1217 username = hashmap_get(database_by_uid, UID_TO_PTR(gid));
1218 if (username && !streq(username, groupname))
1219 return 0;
1220 }
1b992147
LP		 1221
1222 if (!arg_root) {
1223 errno = 0;
1224 g = getgrgid(gid);
1225 if (g)
1226 return 0;
b0284aba 1227 if (!IN_SET(errno, 0, ENOENT))
1b992147
LP		 1228 return -errno;
1229
6b6e45eb
LB		 1230 if (check_with_uid) {
1231 errno = 0;
1232 p = getpwuid((uid_t) gid);
1233 if (p)
1234 return 0;
1235 if (!IN_SET(errno, 0, ENOENT))
1236 return -errno;
1237 }
1b992147
LP		 1238 }
1239
1240 return 1;
1241}
1242
649916d3 1243static int get_gid_by_name(const char *name, gid_t *gid) {
1b992147 1244 void *z;
1b992147 1245
649916d3 1246 assert(gid);
1b992147
LP		 1247
1248 /* Check the database directly */
649916d3 1249 z = hashmap_get(database_by_groupname, name);
1b992147 1250 if (z) {
649916d3 1251 *gid = PTR_TO_GID(z);
1b992147
LP		 1252 return 0;
1253 }
1254
1255 /* Also check NSS */
1256 if (!arg_root) {
1257 struct group *g;
1258
1259 errno = 0;
649916d3 1260 g = getgrnam(name);
1b992147 1261 if (g) {
649916d3 1262 *gid = g->gr_gid;
1b992147
LP		 1263 return 0;
1264 }
08c7c321 1265 if (!errno_is_not_exists(errno))
649916d3
DM		 1266 return log_error_errno(errno, "Failed to check if group %s already exists: %m", name);
1267 }
1268
1269 return -ENOENT;
1270}
1271
1272static int add_group(Item *i) {
1273 int r;
1274
1275 assert(i);
1276
1277 r = get_gid_by_name(i->name, &i->gid);
1278 if (r != -ENOENT) {
1279 if (r < 0)
1280 return r;
1281 log_debug("Group %s already exists.", i->name);
1282 i->gid_set = true;
1283 return 0;
1b992147
LP		 1284 }
1285
3f316701 1286 /* Try to use the suggested numeric GID */
1b992147 1287 if (i->gid_set) {
4ae3e8c9 1288 r = gid_is_ok(i->gid, i->name, false);
f647962d 1289 if (r < 0)
3f316701 1290 return log_error_errno(r, "Failed to verify GID " GID_FMT ": %m", i->gid);
b9ee05c2 1291 if (i->id_set_strict) {
3f316701
ZJS		 1292 /* If we require the GID to already exist we can return here:
1293 * r > 0: means the GID does not exist -> fail
1294 * r == 0: means the GID exists -> nothing more to do.
28e7fad7 1295 */
baaa35ad
ZJS		 1296 if (r > 0)
1297 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
c0f86d66 1298 "Failed to create %s: please create GID " GID_FMT,
baaa35ad 1299 i->name, i->gid);
28e7fad7
MV		 1300 if (r == 0)
1301 return 0;
1302 }
1b992147 1303 if (r == 0) {
5374bc7c 1304 log_info("Suggested group ID " GID_FMT " for %s already used.", i->gid, i->name);
1b992147
LP		 1305 i->gid_set = false;
1306 }
1307 }
1308
1309 /* Try to reuse the numeric uid, if there's one */
1310 if (!i->gid_set && i->uid_set) {
4ae3e8c9 1311 r = gid_is_ok((gid_t) i->uid, i->name, true);
f647962d 1312 if (r < 0)
3f316701 1313 return log_error_errno(r, "Failed to verify GID " GID_FMT ": %m", i->gid);
1b992147
LP		 1314 if (r > 0) {
1315 i->gid = (gid_t) i->uid;
1316 i->gid_set = true;
1317 }
1318 }
1319
1320 /* If that didn't work, try to read it from the specified path */
1321 if (!i->gid_set) {
1322 gid_t c;
1323
1324 if (read_id_from_file(i, NULL, &c) > 0) {
1325
8dcc66ce 1326 if (c <= 0 || !uid_range_contains(uid_range, c))
1b992147
LP		 1327 log_debug("Group ID " GID_FMT " of file not suitable for %s.", c, i->name);
1328 else {
4ae3e8c9 1329 r = gid_is_ok(c, i->name, true);
f647962d 1330 if (r < 0)
3f316701 1331 return log_error_errno(r, "Failed to verify GID " GID_FMT ": %m", i->gid);
f647962d 1332 else if (r > 0) {
1b992147
LP		 1333 i->gid = c;
1334 i->gid_set = true;
1335 } else
1336 log_debug("Group ID " GID_FMT " of file for %s already used.", c, i->name);
1337 }
1338 }
1339 }
1340
1341 /* And if that didn't work either, let's try to find a free one */
1342 if (!i->gid_set) {
4b6f9b20
ZJS		 1343 maybe_emit_login_defs_warning();
1344
8530dc44
LP		 1345 for (;;) {
1346 /* We look for new GIDs in the UID pool! */
8dcc66ce 1347 r = uid_range_next_lower(uid_range, &search_uid);
330d1def
ZJS		 1348 if (r < 0)
1349 return log_error_errno(r, "No free group ID available for %s.", i->name);
8530dc44 1350
4ae3e8c9 1351 r = gid_is_ok(search_uid, i->name, true);
f647962d 1352 if (r < 0)
3f316701 1353 return log_error_errno(r, "Failed to verify GID " GID_FMT ": %m", i->gid);
f647962d 1354 else if (r > 0)
1b992147
LP		 1355 break;
1356 }
1357
1b992147 1358 i->gid_set = true;
8530dc44 1359 i->gid = search_uid;
1b992147
LP		 1360 }
1361
1dfb9321
SS		 1362 r = ordered_hashmap_ensure_put(&todo_gids, NULL, GID_TO_PTR(i->gid), i);
1363 if (r == -EEXIST)
3f316701 1364 return log_error_errno(r, "Requested group %s with GID "GID_FMT " to be created is duplicated or conflicts with another user.", i->name, i->gid);
1dfb9321 1365 if (r == -ENOMEM)
1b992147 1366 return log_oom();
1b992147 1367 if (r < 0)
3f316701 1368 return log_error_errno(r, "Failed to store group %s with GID " GID_FMT " to be created: %m", i->name, i->gid);
1b992147 1369
c1b6b04f 1370 i->todo_group = true;
9a5af4b7 1371 log_info("Creating group '%s' with GID " GID_FMT ".", i->name, i->gid);
1b992147
LP		 1372
1373 return 0;
1374}
1375
1376static int process_item(Item *i) {
1377 int r;
1378
1379 assert(i);
1380
1381 switch (i->type) {
1382
b5327d0a 1383 case ADD_USER: {
5ed47c4d
LB		 1384 Item *j = NULL;
1385
1386 if (!i->gid_set)
1387 j = ordered_hashmap_get(groups, i->group_name ?: i->name);
b5327d0a 1388
b5327d0a 1389 if (j && j->todo_group) {
649916d3 1390 /* When a group with the target name is already in queue,
b5327d0a
YW		 1391 * use the information about the group and do not create
1392 * duplicated group entry. */
1393 i->gid_set = j->gid_set;
1394 i->gid = j->gid;
1395 i->id_set_strict = true;
649916d3
DM		 1396 } else if (i->group_name) {
1397 /* When a group name was given instead of a GID and it's
1398 * not in queue, then it must already exist. */
1399 r = get_gid_by_name(i->group_name, &i->gid);
1400 if (r < 0)
1401 return log_error_errno(r, "Group %s not found.", i->group_name);
1402 i->gid_set = true;
1403 i->id_set_strict = true;
b5327d0a
YW		 1404 } else {
1405 r = add_group(i);
1406 if (r < 0)
1407 return r;
1408 }
1b992147
LP		 1409
1410 return add_user(i);
b5327d0a 1411 }
1b992147 1412
e2c2060f 1413 case ADD_GROUP:
1b992147 1414 return add_group(i);
1b992147 1415
a12b0cc3 1416 default:
04499a70 1417 assert_not_reached();
a12b0cc3 1418 }
1b992147
LP		 1419}
1420
71da1673 1421static Item* item_free(Item *i) {
1b992147 1422 if (!i)
71da1673 1423 return NULL;
1b992147
LP		 1424
1425 free(i->name);
649916d3 1426 free(i->group_name);
1b992147
LP		 1427 free(i->uid_path);
1428 free(i->gid_path);
1429 free(i->description);
d9b8ea54 1430 free(i->home);
7b1aaf66 1431 free(i->shell);
9a87bdd7 1432 free(i->filename);
71da1673 1433 return mfree(i);
1b992147
LP		 1434}
1435
1436DEFINE_TRIVIAL_CLEANUP_FUNC(Item*, item_free);
71da1673 1437DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(item_hash_ops, char, string_hash_func, string_compare_func, Item, item_free);
1b992147 1438
9a87bdd7
ZJS		 1439static Item* item_new(ItemType type, const char *name, const char *filename, unsigned line) {
1440 assert(name);
1441 assert(!!filename == (line > 0));
1442
1443 _cleanup_(item_freep) Item *new = new(Item, 1);
1444 if (!new)
1445 return NULL;
1446
1447 *new = (Item) {
1448 .type = type,
1449 .line = line,
1450 };
1451
1452 if (free_and_strdup(&new->name, name) < 0 ||
1453 free_and_strdup(&new->filename, filename) < 0)
1454 return NULL;
1455
1456 return TAKE_PTR(new);
1457}
1458
a12b0cc3
LP		 1459static int add_implicit(void) {
1460 char *g, **l;
a12b0cc3
LP		 1461 int r;
1462
1463 /* Implicitly create additional users and groups, if they were listed in "m" lines */
90e74a66 1464 ORDERED_HASHMAP_FOREACH_KEY(l, g, members) {
d4f0412d
YW		 1465 STRV_FOREACH(m, l)
1466 if (!ordered_hashmap_get(users, *m)) {
9a87bdd7
ZJS		 1467 _cleanup_(item_freep) Item *j =
1468 item_new(ADD_USER, *m, /* filename= */ NULL, /* line= */ 0);
a12b0cc3
LP		 1469 if (!j)
1470 return log_oom();
1471
f334deba
SS		 1472 r = ordered_hashmap_ensure_put(&users, &item_hash_ops, j->name, j);
1473 if (r == -ENOMEM)
a12b0cc3 1474 return log_oom();
f334deba
SS		 1475 if (r < 0)
1476 return log_error_errno(r, "Failed to add implicit user '%s': %m", j->name);
a12b0cc3
LP		 1477
1478 log_debug("Adding implicit user '%s' due to m line", j->name);
f334deba 1479 TAKE_PTR(j);
a12b0cc3 1480 }
d4f0412d
YW		 1481
1482 if (!(ordered_hashmap_get(users, g) ||
1483 ordered_hashmap_get(groups, g))) {
9a87bdd7
ZJS		 1484 _cleanup_(item_freep) Item *j =
1485 item_new(ADD_GROUP, g, /* filename= */ NULL, /* line= */ 0);
d4f0412d
YW		 1486 if (!j)
1487 return log_oom();
1488
f334deba
SS		 1489 r = ordered_hashmap_ensure_put(&groups, &item_hash_ops, j->name, j);
1490 if (r == -ENOMEM)
d4f0412d 1491 return log_oom();
f334deba
SS		 1492 if (r < 0)
1493 return log_error_errno(r, "Failed to add implicit group '%s': %m", j->name);
d4f0412d
YW		 1494
1495 log_debug("Adding implicit group '%s' due to m line", j->name);
f334deba 1496 TAKE_PTR(j);
a12b0cc3
LP		 1497 }
1498 }
1499
1500 return 0;
1501}
1502
5f465fda
ZJS		 1503static int item_equivalent(Item *a, Item *b) {
1504 int r;
1505
1b992147
LP		 1506 assert(a);
1507 assert(b);
1508
7519b880
ZJS		 1509 if (a->type != b->type) {
1510 log_syntax(NULL, LOG_DEBUG, a->filename, a->line, 0,
1511 "Item not equivalent because types differ");
1b992147 1512 return false;
7519b880 1513 }
1b992147 1514
7519b880
ZJS		 1515 if (!streq_ptr(a->name, b->name)) {
1516 log_syntax(NULL, LOG_DEBUG, a->filename, a->line, 0,
1517 "Item not equivalent because names differ ('%s' vs. '%s')",
1518 a->name, b->name);
1b992147 1519 return false;
7519b880 1520 }
1b992147 1521
5f465fda 1522 /* Paths were simplified previously, so we can use streq. */
7519b880
ZJS		 1523 if (!streq_ptr(a->uid_path, b->uid_path)) {
1524 log_syntax(NULL, LOG_DEBUG, a->filename, a->line, 0,
1525 "Item not equivalent because UID paths differ (%s vs. %s)",
1526 a->uid_path ?: "(unset)", b->uid_path ?: "(unset)");
1b992147 1527 return false;
7519b880 1528 }
1b992147 1529
7519b880
ZJS		 1530 if (!streq_ptr(a->gid_path, b->gid_path)) {
1531 log_syntax(NULL, LOG_DEBUG, a->filename, a->line, 0,
1532 "Item not equivalent because GID paths differ (%s vs. %s)",
1533 a->gid_path ?: "(unset)", b->gid_path ?: "(unset)");
1b992147 1534 return false;
7519b880 1535 }
1b992147 1536
7519b880
ZJS		 1537 if (!streq_ptr(a->description, b->description)) {
1538 log_syntax(NULL, LOG_DEBUG, a->filename, a->line, 0,
1539 "Item not equivalent because descriptions differ ('%s' vs. '%s')",
1540 strempty(a->description), strempty(b->description));
1b992147 1541 return false;
7519b880 1542 }
1b992147 1543
7519b880
ZJS		 1544 if ((a->uid_set != b->uid_set) ||
1545 (a->uid_set && a->uid != b->uid)) {
1546 log_syntax(NULL, LOG_DEBUG, a->filename, a->line, 0,
1547 "Item not equivalent because UIDs differ (%s vs. %s)",
1548 FORMAT_UID(a->uid_set, a->uid), FORMAT_UID(b->uid_set, b->uid));
1b992147 1549 return false;
7519b880 1550 }
1b992147 1551
7519b880
ZJS		 1552 if ((a->gid_set != b->gid_set) ||
1553 (a->gid_set && a->gid != b->gid)) {
1554 log_syntax(NULL, LOG_DEBUG, a->filename, a->line, 0,
1555 "Item not equivalent because GIDs differ (%s vs. %s)",
1556 FORMAT_GID(a->gid_set, a->gid), FORMAT_GID(b->gid_set, b->gid));
1b992147 1557 return false;
7519b880 1558 }
1b992147 1559
7519b880
ZJS		 1560 if (!streq_ptr(a->home, b->home)) {
1561 log_syntax(NULL, LOG_DEBUG, a->filename, a->line, 0,
1562 "Item not equivalent because home directories differ ('%s' vs. '%s')",
1563 strempty(a->description), strempty(b->description));
7629889c 1564 return false;
7519b880 1565 }
7629889c 1566
5f465fda
ZJS		 1567 /* Check if the two paths refer to the same file.
1568 * If the paths are equal (after normalization), it's obviously the same file.
1569 * If both paths specify a nologin shell, treat them as the same (e.g. /bin/true and /bin/false).
1570 * Otherwise, try to resolve the paths, and see if we get the same result, (e.g. /sbin/nologin and
1571 * /usr/sbin/nologin).
1572 * If we can't resolve something, treat different paths as different. */
1573
1574 const char *a_shell = pick_shell(a),
1575 *b_shell = pick_shell(b);
1576 if (!path_equal_ptr(a_shell, b_shell) &&
1577 !(is_nologin_shell(a_shell) && is_nologin_shell(b_shell))) {
1578 _cleanup_free_ char *pa = NULL, *pb = NULL;
1579
f461a28d 1580 r = chase(a_shell, arg_root, CHASE_PREFIX_ROOT | CHASE_NONEXISTENT, &pa, NULL);
5f465fda
ZJS		 1581 if (r < 0) {
1582 log_full_errno(ERRNO_IS_RESOURCE(r) ? LOG_ERR : LOG_DEBUG,
1583 r, "Failed to look up path '%s%s%s': %m",
1584 strempty(arg_root), arg_root ? "/" : "", a_shell);
1585 return ERRNO_IS_RESOURCE(r) ? r : false;
1586 }
1587
f461a28d 1588 r = chase(b_shell, arg_root, CHASE_PREFIX_ROOT | CHASE_NONEXISTENT, &pb, NULL);
5f465fda
ZJS		 1589 if (r < 0) {
1590 log_full_errno(ERRNO_IS_RESOURCE(r) ? LOG_ERR : LOG_DEBUG,
1591 r, "Failed to look up path '%s%s%s': %m",
1592 strempty(arg_root), arg_root ? "/" : "", b_shell);
1593 return ERRNO_IS_RESOURCE(r) ? r : false;
1594 }
1595
7519b880
ZJS		 1596 if (!path_equal(pa, pb)) {
1597 log_syntax(NULL, LOG_DEBUG, a->filename, a->line, 0,
1598 "Item not equivalent because shells differ ('%s' vs. '%s')",
1599 pa, pb);
5f465fda 1600 return false;
7519b880 1601 }
5f465fda 1602 }
7b1aaf66 1603
1b992147
LP		 1604 return true;
1605}
1606
1b992147 1607static int parse_line(const char *fname, unsigned line, const char *buffer) {
7b1aaf66
ZJS		 1608 _cleanup_free_ char *action = NULL,
1609 *name = NULL, *resolved_name = NULL,
1610 *id = NULL, *resolved_id = NULL,
b8bed700
YW		 1611 *description = NULL, *resolved_description = NULL,
1612 *home = NULL, *resolved_home = NULL,
71fb1588 1613 *shell = NULL, *resolved_shell = NULL;
1b992147
LP		 1614 _cleanup_(item_freep) Item *i = NULL;
1615 Item *existing;
5bc9c980 1616 OrderedHashmap *h;
7629889c
LP		 1617 int r;
1618 const char *p;
1b992147
LP		 1619
1620 assert(fname);
1621 assert(line >= 1);
1622 assert(buffer);
1623
7629889c
LP		 1624 /* Parse columns */
1625 p = buffer;
4ec85141 1626 r = extract_many_words(&p, NULL, EXTRACT_UNQUOTE,
7b1aaf66 1627 &action, &name, &id, &description, &home, &shell, NULL);
330d1def 1628 if (r < 0)
87c696f2 1629 return log_syntax(NULL, LOG_ERR, fname, line, r, "Syntax error.");
330d1def 1630 if (r < 2)
87c696f2
ZJS		 1631 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1632 "Missing action and name columns.");
330d1def 1633 if (!isempty(p))
87c696f2
ZJS		 1634 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1635 "Trailing garbage.");
1b992147 1636
7629889c 1637 /* Verify action */
330d1def 1638 if (strlen(action) != 1)
87c696f2
ZJS		 1639 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1640 "Unknown modifier '%s'.", action);
1b992147 1641
330d1def 1642 if (!IN_SET(action[0], ADD_USER, ADD_GROUP, ADD_MEMBER, ADD_RANGE))
87c696f2
ZJS		 1643 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EBADMSG),
1644 "Unknown command type '%c'.", action[0]);
1b992147 1645
7629889c 1646 /* Verify name */
e7b88b7b 1647 if (empty_or_dash(name))
97b11eed 1648 name = mfree(name);
1b992147 1649
8530dc44 1650 if (name) {
de61a04b 1651 r = specifier_printf(name, NAME_MAX, system_and_tmp_specifier_table, arg_root, NULL, &resolved_name);
330d1def 1652 if (r < 0)
87c696f2 1653 return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to replace specifiers in '%s': %m", name);
8530dc44 1654
7a8867ab 1655 if (!valid_user_group_name(resolved_name, 0))
87c696f2
ZJS		 1656 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1657 "'%s' is not a valid user or group name.", resolved_name);
1b992147
LP		 1658 }
1659
8530dc44 1660 /* Verify id */
e7b88b7b 1661 if (empty_or_dash(id))
97b11eed 1662 id = mfree(id);
7629889c 1663
8530dc44 1664 if (id) {
de61a04b 1665 r = specifier_printf(id, PATH_MAX-1, system_and_tmp_specifier_table, arg_root, NULL, &resolved_id);
330d1def 1666 if (r < 0)
87c696f2
ZJS		 1667 return log_syntax(NULL, LOG_ERR, fname, line, r,
1668 "Failed to replace specifiers in '%s': %m", name);
8530dc44
LP		 1669 }
1670
1671 /* Verify description */
e7b88b7b 1672 if (empty_or_dash(description))
97b11eed 1673 description = mfree(description);
1b992147 1674
8530dc44 1675 if (description) {
de61a04b 1676 r = specifier_printf(description, LONG_LINE_MAX, system_and_tmp_specifier_table, arg_root, NULL, &resolved_description);
330d1def 1677 if (r < 0)
87c696f2
ZJS		 1678 return log_syntax(NULL, LOG_ERR, fname, line, r,
1679 "Failed to replace specifiers in '%s': %m", description);
b8bed700 1680
330d1def 1681 if (!valid_gecos(resolved_description))
87c696f2
ZJS		 1682 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1683 "'%s' is not a valid GECOS field.", resolved_description);
8530dc44
LP		 1684 }
1685
1686 /* Verify home */
e7b88b7b 1687 if (empty_or_dash(home))
97b11eed 1688 home = mfree(home);
1b992147 1689
8530dc44 1690 if (home) {
de61a04b 1691 r = specifier_printf(home, PATH_MAX-1, system_and_tmp_specifier_table, arg_root, NULL, &resolved_home);
330d1def 1692 if (r < 0)
87c696f2
ZJS		 1693 return log_syntax(NULL, LOG_ERR, fname, line, r,
1694 "Failed to replace specifiers in '%s': %m", home);
b8bed700 1695
eef74f91
ZJS		 1696 path_simplify(resolved_home);
1697
330d1def 1698 if (!valid_home(resolved_home))
87c696f2
ZJS		 1699 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1700 "'%s' is not a valid home directory field.", resolved_home);
8530dc44
LP		 1701 }
1702
7b1aaf66 1703 /* Verify shell */
e7b88b7b 1704 if (empty_or_dash(shell))
7b1aaf66
ZJS		 1705 shell = mfree(shell);
1706
1707 if (shell) {
de61a04b 1708 r = specifier_printf(shell, PATH_MAX-1, system_and_tmp_specifier_table, arg_root, NULL, &resolved_shell);
330d1def 1709 if (r < 0)
87c696f2
ZJS		 1710 return log_syntax(NULL, LOG_ERR, fname, line, r,
1711 "Failed to replace specifiers in '%s': %m", shell);
7b1aaf66 1712
eef74f91
ZJS		 1713 path_simplify(resolved_shell);
1714
330d1def 1715 if (!valid_shell(resolved_shell))
87c696f2
ZJS		 1716 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1717 "'%s' is not a valid login shell field.", resolved_shell);
7b1aaf66
ZJS		 1718 }
1719
a12b0cc3 1720 switch (action[0]) {
1b992147 1721
8530dc44 1722 case ADD_RANGE:
330d1def 1723 if (resolved_name)
87c696f2
ZJS		 1724 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1725 "Lines of type 'r' don't take a name field.");
330d1def
ZJS		 1726
1727 if (!resolved_id)
87c696f2
ZJS		 1728 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1729 "Lines of type 'r' require an ID range in the third field.");
330d1def
ZJS		 1730
1731 if (description || home || shell)
87c696f2
ZJS		 1732 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1733 "Lines of type '%c' don't take a %s field.",
1734 action[0],
1735 description ? "GECOS" : home ? "home directory" : "login shell");
7629889c 1736
8dcc66ce 1737 r = uid_range_add_str(&uid_range, resolved_id);
330d1def 1738 if (r < 0)
87c696f2
ZJS		 1739 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1740 "Invalid UID range %s.", resolved_id);
1b992147 1741
8530dc44
LP		 1742 return 0;
1743
1744 case ADD_MEMBER: {
8530dc44 1745 /* Try to extend an existing member or group item */
330d1def 1746 if (!name)
87c696f2
ZJS		 1747 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1748 "Lines of type 'm' require a user name in the second field.");
330d1def
ZJS		 1749
1750 if (!resolved_id)
87c696f2
ZJS		 1751 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1752 "Lines of type 'm' require a group name in the third field.");
330d1def 1753
7a8867ab 1754 if (!valid_user_group_name(resolved_id, 0))
87c696f2
ZJS		 1755 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1756 "'%s' is not a valid user or group name.", resolved_id);
330d1def
ZJS		 1757
1758 if (description || home || shell)
87c696f2
ZJS		 1759 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1760 "Lines of type '%c' don't take a %s field.",
1761 action[0],
1762 description ? "GECOS" : home ? "home directory" : "login shell");
8530dc44 1763
cde79109 1764 r = string_strv_ordered_hashmap_put(&members, resolved_id, resolved_name);
7629889c 1765 if (r < 0)
cde79109 1766 return log_error_errno(r, "Failed to store mapping for %s: %m", resolved_id);
a12b0cc3
LP		 1767
1768 return 0;
1b992147
LP		 1769 }
1770
a12b0cc3 1771 case ADD_USER:
330d1def 1772 if (!name)
87c696f2
ZJS		 1773 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1774 "Lines of type 'u' require a user name in the second field.");
8530dc44 1775
71da1673 1776 r = ordered_hashmap_ensure_allocated(&users, &item_hash_ops);
a12b0cc3
LP		 1777 if (r < 0)
1778 return log_oom();
1779
9a87bdd7 1780 i = item_new(ADD_USER, resolved_name, fname, line);
a12b0cc3
LP		 1781 if (!i)
1782 return log_oom();
1783
8530dc44 1784 if (resolved_id) {
9a87bdd7
ZJS		 1785 if (path_is_absolute(resolved_id))
1786 i->uid_path = path_simplify(TAKE_PTR(resolved_id));
1787 else {
4cb41413
MV		 1788 _cleanup_free_ char *uid = NULL, *gid = NULL;
1789 if (split_pair(resolved_id, ":", &uid, &gid) == 0) {
1790 r = parse_gid(gid, &i->gid);
649916d3 1791 if (r < 0) {
7a8867ab 1792 if (valid_user_group_name(gid, 0))
649916d3
DM		 1793 i->group_name = TAKE_PTR(gid);
1794 else
87c696f2
ZJS		 1795 return log_syntax(NULL, LOG_ERR, fname, line, r,
1796 "Failed to parse GID: '%s': %m", id);
649916d3
DM		 1797 } else {
1798 i->gid_set = true;
1799 i->id_set_strict = true;
1800 }
4cb41413 1801 free_and_replace(resolved_id, uid);
a12b0cc3 1802 }
1825c909
MV		 1803 if (!streq(resolved_id, "-")) {
1804 r = parse_uid(resolved_id, &i->uid);
1805 if (r < 0)
87c696f2
ZJS		 1806 return log_syntax(NULL, LOG_ERR, fname, line, r,
1807 "Failed to parse UID: '%s': %m", id);
1825c909
MV		 1808 i->uid_set = true;
1809 }
a12b0cc3
LP		 1810 }
1811 }
1812
b8bed700
YW		 1813 i->description = TAKE_PTR(resolved_description);
1814 i->home = TAKE_PTR(resolved_home);
1cc6c93a 1815 i->shell = TAKE_PTR(resolved_shell);
7b1aaf66 1816
1b992147 1817 h = users;
a12b0cc3
LP		 1818 break;
1819
1820 case ADD_GROUP:
330d1def 1821 if (!name)
87c696f2
ZJS		 1822 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1823 "Lines of type 'g' require a user name in the second field.");
a12b0cc3 1824
330d1def 1825 if (description || home || shell)
87c696f2
ZJS		 1826 return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EINVAL),
1827 "Lines of type '%c' don't take a %s field.",
1828 action[0],
1829 description ? "GECOS" : home ? "home directory" : "login shell");
7629889c 1830
71da1673 1831 r = ordered_hashmap_ensure_allocated(&groups, &item_hash_ops);
7629889c
LP		 1832 if (r < 0)
1833 return log_oom();
1834
9a87bdd7 1835 i = item_new(ADD_GROUP, resolved_name, fname, line);
a12b0cc3
LP		 1836 if (!i)
1837 return log_oom();
1838
8530dc44 1839 if (resolved_id) {
9a87bdd7
ZJS		 1840 if (path_is_absolute(resolved_id))
1841 i->gid_path = path_simplify(TAKE_PTR(resolved_id));
1842 else {
8530dc44 1843 r = parse_gid(resolved_id, &i->gid);
4cb41413 1844 if (r < 0)
87c696f2
ZJS		 1845 return log_syntax(NULL, LOG_ERR, fname, line, r,
1846 "Failed to parse GID: '%s': %m", id);
a12b0cc3
LP		 1847
1848 i->gid_set = true;
1849 }
1850 }
1851
1b992147 1852 h = groups;
a12b0cc3 1853 break;
8530dc44 1854
bce415ed 1855 default:
9a87bdd7 1856 assert_not_reached();
1b992147 1857 }
a12b0cc3 1858
5bc9c980 1859 existing = ordered_hashmap_get(h, i->name);
1b992147 1860 if (existing) {
5f465fda 1861 /* Two functionally-equivalent items are fine */
7519b880 1862 r = item_equivalent(i, existing);
5f465fda
ZJS		 1863 if (r < 0)
1864 return r;
9a87bdd7
ZJS		 1865 if (r == 0) {
1866 if (existing->filename)
1867 log_syntax(NULL, LOG_WARNING, fname, line, 0,
1868 "Conflict with earlier configuration for %s '%s' in %s:%u, ignoring line.",
1869 item_type_to_string(i->type),
1870 i->name,
1871 existing->filename, existing->line);
1872 else
1873 log_syntax(NULL, LOG_WARNING, fname, line, 0,
1874 "Conflict with earlier configuration for %s '%s', ignoring line.",
1875 item_type_to_string(i->type),
1876 i->name);
1877 }
1b992147
LP		 1878
1879 return 0;
1880 }
1881
5bc9c980 1882 r = ordered_hashmap_put(h, i->name, i);
a12b0cc3
LP		 1883 if (r < 0)
1884 return log_oom();
1b992147
LP		 1885
1886 i = NULL;
1887 return 0;
1888}
1889
1890static int read_config_file(const char *fn, bool ignore_enoent) {
dfc87cbf 1891 _cleanup_fclose_ FILE *rf = NULL;
2708160c 1892 _cleanup_free_ char *pp = NULL;
dfc87cbf 1893 FILE *f = NULL;
1b992147 1894 unsigned v = 0;
c4640902 1895 int r = 0;
1b992147
LP		 1896
1897 assert(fn);
1898
dfc87cbf
LP		 1899 if (streq(fn, "-"))
1900 f = stdin;
1901 else {
2708160c 1902 r = search_and_fopen(fn, "re", arg_root, (const char**) CONF_PATHS_STRV("sysusers.d"), &rf, &pp);
dfc87cbf
LP		 1903 if (r < 0) {
1904 if (ignore_enoent && r == -ENOENT)
1905 return 0;
1b992147 1906
8d3d7072 1907 return log_error_errno(r, "Failed to open '%s', ignoring: %m", fn);
dfc87cbf
LP		 1908 }
1909
1910 f = rf;
2708160c 1911 fn = pp;
1b992147
LP		 1912 }
1913
050ca299
LP		 1914 for (;;) {
1915 _cleanup_free_ char *line = NULL;
1b992147
LP		 1916 char *l;
1917 int k;
1918
050ca299
LP		 1919 k = read_line(f, LONG_LINE_MAX, &line);
1920 if (k < 0)
1921 return log_error_errno(k, "Failed to read '%s': %m", fn);
1922 if (k == 0)
1923 break;
1924
1b992147
LP		 1925 v++;
1926
1927 l = strstrip(line);
4c701096 1928 if (IN_SET(*l, 0, '#'))
1b992147
LP		 1929 continue;
1930
1931 k = parse_line(fn, v, l);
1932 if (k < 0 && r == 0)
1933 r = k;
1934 }
1935
1936 if (ferror(f)) {
56f64d95 1937 log_error_errno(errno, "Failed to read from file %s: %m", fn);
1b992147
LP		 1938 if (r == 0)
1939 r = -EIO;
1940 }
1941
1942 return r;
1943}
1944
ec0327d6
ZJS		 1945static int cat_config(void) {
1946 _cleanup_strv_free_ char **files = NULL;
ec0327d6
ZJS		 1947 int r;
1948
a826d4f7 1949 r = conf_files_list_with_replacement(arg_root, CONF_PATHS_STRV("sysusers.d"), arg_replace, &files, NULL);
ec0327d6
ZJS		 1950 if (r < 0)
1951 return r;
1952
384c2c32 1953 pager_open(arg_pager_flags);
dcd5c891 1954
ec0327d6
ZJS		 1955 return cat_files(NULL, files, 0);
1956}
1957
37ec0fdd
LP		 1958static int help(void) {
1959 _cleanup_free_ char *link = NULL;
1960 int r;
1961
1962 r = terminal_urlify_man("systemd-sysusers.service", "8", &link);
1963 if (r < 0)
1964 return log_oom();
1965
1b992147
LP		 1966 printf("%s [OPTIONS...] [CONFIGURATION FILE...]\n\n"
1967 "Creates system user accounts.\n\n"
1968 " -h --help Show this help\n"
1969 " --version Show package version\n"
ec0327d6 1970 " --cat-config Show configuration files\n"
601185b4 1971 " --root=PATH Operate on an alternate filesystem root\n"
0c3ee127 1972 " --image=PATH Operate on disk image as filesystem root\n"
84be0c71 1973 " --image-policy=POLICY Specify disk image dissection policy\n"
d16a1c1b 1974 " --replace=PATH Treat arguments as replacement for PATH\n"
64fe1095 1975 " --dry-run Just print what would be done\n"
1b600bd5 1976 " --inline Treat arguments as configuration lines\n"
dcd5c891 1977 " --no-pager Do not pipe output into a pager\n"
bc556335
DDM		 1978 "\nSee the %s for details.\n",
1979 program_invocation_short_name,
1980 link);
37ec0fdd
LP		 1981
1982 return 0;
1b992147
LP		 1983}
1984
1985static int parse_argv(int argc, char *argv[]) {
1986
1987 enum {
1988 ARG_VERSION = 0x100,
ec0327d6 1989 ARG_CAT_CONFIG,
1b992147 1990 ARG_ROOT,
0c3ee127 1991 ARG_IMAGE,
06e78680 1992 ARG_IMAGE_POLICY,
d16a1c1b 1993 ARG_REPLACE,
64fe1095 1994 ARG_DRY_RUN,
1b600bd5 1995 ARG_INLINE,
dcd5c891 1996 ARG_NO_PAGER,
1b992147
LP		 1997 };
1998
1999 static const struct option options[] = {
84be0c71
LP		 2000 { "help", no_argument, NULL, 'h' },
2001 { "version", no_argument, NULL, ARG_VERSION },
2002 { "cat-config", no_argument, NULL, ARG_CAT_CONFIG },
2003 { "root", required_argument, NULL, ARG_ROOT },
2004 { "image", required_argument, NULL, ARG_IMAGE },
06e78680 2005 { "image-policy", required_argument, NULL, ARG_IMAGE_POLICY },
84be0c71
LP		 2006 { "replace", required_argument, NULL, ARG_REPLACE },
2007 { "dry-run", no_argument, NULL, ARG_DRY_RUN },
2008 { "inline", no_argument, NULL, ARG_INLINE },
2009 { "no-pager", no_argument, NULL, ARG_NO_PAGER },
1b992147
LP		 2010 {}
2011 };
2012
0f474365 2013 int c, r;
1b992147
LP		 2014
2015 assert(argc >= 0);
2016 assert(argv);
2017
601185b4 2018 while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
1b992147
LP		 2019
2020 switch (c) {
2021
2022 case 'h':
37ec0fdd 2023 return help();
1b992147
LP		 2024
2025 case ARG_VERSION:
3f6fd1ba 2026 return version();
1b992147 2027
ec0327d6
ZJS		 2028 case ARG_CAT_CONFIG:
2029 arg_cat_config = true;
2030 break;
2031
1b992147 2032 case ARG_ROOT:
614b022c 2033 r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_root);
0f474365 2034 if (r < 0)
0f03c2a4 2035 return r;
1b992147
LP		 2036 break;
2037
0c3ee127 2038 case ARG_IMAGE:
3537577c
ZJS		 2039#ifdef STANDALONE
2040 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
2041 "This systemd-sysusers version is compiled without support for --image=.");
2042#else
614b022c 2043 r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_image);
0c3ee127
LP		 2044 if (r < 0)
2045 return r;
2046 break;
3537577c 2047#endif
0c3ee127 2048
06e78680
YW		 2049 case ARG_IMAGE_POLICY:
2050 r = parse_image_policy_argument(optarg, &arg_image_policy);
2051 if (r < 0)
2052 return r;
2053 break;
2054
d16a1c1b
ZJS		 2055 case ARG_REPLACE:
2056 if (!path_is_absolute(optarg) ||
baaa35ad
ZJS		 2057 !endswith(optarg, ".conf"))
2058 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
2059 "The argument to --replace= must an absolute path to a config file");
d16a1c1b
ZJS		 2060
2061 arg_replace = optarg;
2062 break;
2063
64fe1095
ZJS		 2064 case ARG_DRY_RUN:
2065 arg_dry_run = true;
2066 break;
2067
1b600bd5
ZJS		 2068 case ARG_INLINE:
2069 arg_inline = true;
2070 break;
2071
dcd5c891 2072 case ARG_NO_PAGER:
0221d68a 2073 arg_pager_flags |= PAGER_DISABLE;
dcd5c891
LP		 2074 break;
2075
1b992147
LP		 2076 case '?':
2077 return -EINVAL;
2078
2079 default:
04499a70 2080 assert_not_reached();
1b992147 2081 }
1b992147 2082
baaa35ad
ZJS		 2083 if (arg_replace && arg_cat_config)
2084 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
2085 "Option --replace= is not supported with --cat-config");
ec0327d6 2086
baaa35ad
ZJS		 2087 if (arg_replace && optind >= argc)
2088 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
2089 "When --replace= is given, some configuration items must be specified");
d16a1c1b 2090
0c3ee127
LP		 2091 if (arg_image && arg_root)
2092 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Please specify either --root= or --image=, the combination of both is not supported.");
2093
1b992147
LP		 2094 return 1;
2095}
2096
d16a1c1b 2097static int parse_arguments(char **args) {
d16a1c1b
ZJS		 2098 unsigned pos = 1;
2099 int r;
2100
2101 STRV_FOREACH(arg, args) {
2102 if (arg_inline)
2103 /* Use (argument):n, where n==1 for the first positional arg */
2104 r = parse_line("(argument)", pos, *arg);
2105 else
3acb6ede 2106 r = read_config_file(*arg, /* ignore_enoent= */ false);
d16a1c1b
ZJS		 2107 if (r < 0)
2108 return r;
2109
2110 pos++;
2111 }
2112
2113 return 0;
2114}
2115
ec0327d6 2116static int read_config_files(char **args) {
d16a1c1b
ZJS		 2117 _cleanup_strv_free_ char **files = NULL;
2118 _cleanup_free_ char *p = NULL;
d16a1c1b
ZJS		 2119 int r;
2120
a826d4f7 2121 r = conf_files_list_with_replacement(arg_root, CONF_PATHS_STRV("sysusers.d"), arg_replace, &files, &p);
d16a1c1b 2122 if (r < 0)
ec0327d6 2123 return r;
d16a1c1b
ZJS		 2124
2125 STRV_FOREACH(f, files)
2126 if (p && path_equal(*f, p)) {
28e5e1e9 2127 log_debug("Parsing arguments at position \"%s\"%s", *f, special_glyph(SPECIAL_GLYPH_ELLIPSIS));
d16a1c1b
ZJS		 2128
2129 r = parse_arguments(args);
2130 if (r < 0)
2131 return r;
2132 } else {
28e5e1e9 2133 log_debug("Reading config file \"%s\"%s", *f, special_glyph(SPECIAL_GLYPH_ELLIPSIS));
d16a1c1b
ZJS		 2134
2135 /* Just warn, ignore result otherwise */
3acb6ede 2136 (void) read_config_file(*f, /* ignore_enoent= */ true);
d16a1c1b
ZJS		 2137 }
2138
2139 return 0;
2140}
2141
3acb6ede
LP		 2142static int read_credential_lines(void) {
2143 _cleanup_free_ char *j = NULL;
2144 const char *d;
2145 int r;
2146
2147 r = get_credentials_dir(&d);
2148 if (r == -ENXIO)
2149 return 0;
2150 if (r < 0)
2151 return log_error_errno(r, "Failed to get credentials directory: %m");
2152
2153 j = path_join(d, "sysusers.extra");
2154 if (!j)
2155 return log_oom();
2156
2157 (void) read_config_file(j, /* ignore_enoent= */ true);
2158 return 0;
2159}
2160
71da1673 2161static int run(int argc, char *argv[]) {
3537577c 2162#ifndef STANDALONE
0c3ee127 2163 _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
a4b3e942 2164 _cleanup_(umount_and_freep) char *mounted_dir = NULL;
3537577c 2165#endif
5bb1d7fb 2166 _cleanup_close_ int lock = -EBADF;
1b992147 2167 Item *i;
dd2fd972 2168 int r;
1b992147
LP		 2169
2170 r = parse_argv(argc, argv);
2171 if (r <= 0)
71da1673 2172 return r;
1b992147 2173
d2acb93d 2174 log_setup();
1b992147 2175
71da1673
YW		 2176 if (arg_cat_config)
2177 return cat_config();
ec0327d6 2178
1b992147
LP		 2179 umask(0022);
2180
a452c807 2181 r = mac_init();
71da1673 2182 if (r < 0)
a9ba0e32 2183 return r;
1b992147 2184
3537577c 2185#ifndef STANDALONE
0c3ee127
LP		 2186 if (arg_image) {
2187 assert(!arg_root);
2188
2189 r = mount_image_privately_interactively(
2190 arg_image,
84be0c71 2191 arg_image_policy,
4b5de5dd
LP		 2192 DISSECT_IMAGE_GENERIC_ROOT |
2193 DISSECT_IMAGE_REQUIRE_ROOT |
2194 DISSECT_IMAGE_VALIDATE_OS |
2195 DISSECT_IMAGE_RELAX_VAR_CHECK |
c65f854a
LP		 2196 DISSECT_IMAGE_FSCK |
2197 DISSECT_IMAGE_GROWFS,
a4b3e942 2198 &mounted_dir,
a133d2c3 2199 /* ret_dir_fd= */ NULL,
e330f97a 2200 &loop_device);
0c3ee127
LP		 2201 if (r < 0)
2202 return r;
2203
a4b3e942 2204 arg_root = strdup(mounted_dir);
0c3ee127
LP		 2205 if (!arg_root)
2206 return log_oom();
2207 }
3537577c
ZJS		 2208#else
2209 assert(!arg_image);
2210#endif
0c3ee127 2211
3acb6ede
LP		 2212 /* If command line arguments are specified along with --replace, read all configuration files and
2213 * insert the positional arguments at the specified place. Otherwise, if command line arguments are
2214 * specified, execute just them, and finally, without --replace= or any positional arguments, just
2215 * read configuration and execute it. */
d16a1c1b 2216 if (arg_replace || optind >= argc)
ec0327d6 2217 r = read_config_files(argv + optind);
d16a1c1b
ZJS		 2218 else
2219 r = parse_arguments(argv + optind);
2220 if (r < 0)
71da1673 2221 return r;
1b992147 2222
3acb6ede
LP		 2223 r = read_credential_lines();
2224 if (r < 0)
2225 return r;
2226
2227 /* Let's tell nss-systemd not to synthesize the "root" and "nobody" entries for it, so that our
2228 * detection whether the names or UID/GID area already used otherwise doesn't get confused. After
2229 * all, even though nss-systemd synthesizes these users/groups, they should still appear in
2230 * /etc/passwd and /etc/group, as the synthesizing logic is merely supposed to be fallback for cases
2231 * where we run with a completely unpopulated /etc. */
71da1673
YW		 2232 if (setenv("SYSTEMD_NSS_BYPASS_SYNTHETIC", "1", 1) < 0)
2233 return log_error_errno(errno, "Failed to set SYSTEMD_NSS_BYPASS_SYNTHETIC environment variable: %m");
fe102d6a 2234
8530dc44 2235 if (!uid_range) {
aa25270c 2236 /* Default to default range of SYSTEMD_UID_MIN..SYSTEM_UID_MAX. */
4b6f9b20 2237 r = read_login_defs(&login_defs, NULL, arg_root);
71da1673 2238 if (r < 0)
aa25270c
ZJS		 2239 return log_error_errno(r, "Failed to read %s%s: %m",
2240 strempty(arg_root), "/etc/login.defs");
2241
4b6f9b20
ZJS		 2242 login_defs_need_warning = true;
2243
aa25270c 2244 /* We pick a range that very conservative: we look at compiled-in maximum and the value in
3f316701 2245 * /etc/login.defs. That way the UIDs/GIDs which we allocate will be interpreted correctly,
aa25270c
ZJS		 2246 * even if /etc/login.defs is removed later. (The bottom bound doesn't matter much, since
2247 * it's only used during allocation, so we use the configured value directly). */
4b6f9b20
ZJS		 2248 uid_t begin = login_defs.system_alloc_uid_min,
2249 end = MIN3((uid_t) SYSTEM_UID_MAX, login_defs.system_uid_max, login_defs.system_gid_max);
aa25270c 2250 if (begin < end) {
8dcc66ce 2251 r = uid_range_add(&uid_range, begin, end - begin + 1);
aa25270c
ZJS		 2252 if (r < 0)
2253 return log_oom();
2254 }
8530dc44
LP		 2255 }
2256
a12b0cc3
LP		 2257 r = add_implicit();
2258 if (r < 0)
71da1673 2259 return r;
a12b0cc3 2260
64fe1095
ZJS		 2261 if (!arg_dry_run) {
2262 lock = take_etc_passwd_lock(arg_root);
2263 if (lock < 0)
2264 return log_error_errno(lock, "Failed to take /etc/passwd lock: %m");
2265 }
1b992147
LP		 2266
2267 r = load_user_database();
71da1673
YW		 2268 if (r < 0)
2269 return log_error_errno(r, "Failed to load user database: %m");
1b992147
LP		 2270
2271 r = load_group_database();
71da1673
YW		 2272 if (r < 0)
2273 return log_error_errno(r, "Failed to read group database: %m");
1b992147 2274
90e74a66 2275 ORDERED_HASHMAP_FOREACH(i, groups)
c1a32819 2276 (void) process_item(i);
1b992147 2277
90e74a66 2278 ORDERED_HASHMAP_FOREACH(i, users)
c1a32819 2279 (void) process_item(i);
1b992147 2280
4c795066 2281 return write_files();
1b992147 2282}
71da1673
YW		 2283
2284DEFINE_MAIN_FUNCTION(run);
Unnamed repository; edit this file 'description' to name the repository.