1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
35 #include "alloc-util.h"
38 #include "format-util.h"
41 #include "parse-util.h"
42 #include "path-util.h"
43 #include "string-util.h"
45 #include "user-util.h"
bool uid_is_valid(uid_t uid) {

        /* Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436.
         *
         * Two values never denote a real user and are rejected here: the
         * 32bit -1 (UID_INVALID, which some libc APIs use as a special
         * placeholder) and the 16bit -1, a leftover from the days when
         * UIDs were only 16bit wide. Everything else is accepted. */
        const uid_t invalid32 = (uid_t) UINT32_C(0xFFFFFFFF);
        const uid_t invalid16 = (uid_t) UINT32_C(0xFFFF);

        return uid != invalid32 && uid != invalid16;
}
63 int parse_uid(const char *s
, uid_t
*ret
) {
69 assert_cc(sizeof(uid_t
) == sizeof(uint32_t));
70 r
= safe_atou32(s
, &uid
);
74 if (!uid_is_valid(uid
))
75 return -ENXIO
; /* we return ENXIO instead of EINVAL
76 * here, to make it easy to distuingish
77 * invalid numeric uids from invalid
86 char* getlogname_malloc(void) {
90 if (isatty(STDIN_FILENO
) && fstat(STDIN_FILENO
, &st
) >= 0)
95 return uid_to_name(uid
);
98 char *getusername_malloc(void) {
105 return uid_to_name(getuid());
109 const char **username
,
110 uid_t
*uid
, gid_t
*gid
,
112 const char **shell
) {
120 /* We enforce some special rules for uid=0 and uid=65534: in order to avoid NSS lookups for root we hardcode
121 * their user record data. */
123 if (STR_IN_SET(*username
, "root", "0")) {
140 if (synthesize_nobody() &&
141 STR_IN_SET(*username
, NOBODY_USER_NAME
, "65534")) {
142 *username
= NOBODY_USER_NAME
;
153 *shell
= "/sbin/nologin";
158 if (parse_uid(*username
, &u
) >= 0) {
162 /* If there are multiple users with the same id, make
163 * sure to leave $USER to the configured value instead
164 * of the first occurrence in the database. However if
165 * the uid was configured by a numeric uid, then let's
166 * pick the real username from /etc/passwd. */
168 *username
= p
->pw_name
;
171 p
= getpwnam(*username
);
175 return errno
> 0 ? -errno
: -ESRCH
;
178 if (!uid_is_valid(p
->pw_uid
))
185 if (!gid_is_valid(p
->pw_gid
))
195 *shell
= p
->pw_shell
;
200 int get_user_creds_clean(
201 const char **username
,
202 uid_t
*uid
, gid_t
*gid
,
204 const char **shell
) {
208 /* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */
210 r
= get_user_creds(username
, uid
, gid
, home
, shell
);
215 (isempty(*shell
) || PATH_IN_SET(*shell
,
219 "/usr/sbin/nologin")))
223 (isempty(*home
) || path_equal(*home
, "/")))
229 int get_group_creds(const char **groupname
, gid_t
*gid
) {
235 /* We enforce some special rules for gid=0: in order to avoid
236 * NSS lookups for root we hardcode its data. */
238 if (STR_IN_SET(*groupname
, "root", "0")) {
247 if (synthesize_nobody() &&
248 STR_IN_SET(*groupname
, NOBODY_GROUP_NAME
, "65534")) {
249 *groupname
= NOBODY_GROUP_NAME
;
257 if (parse_gid(*groupname
, &id
) >= 0) {
262 *groupname
= g
->gr_name
;
265 g
= getgrnam(*groupname
);
269 return errno
> 0 ? -errno
: -ESRCH
;
272 if (!gid_is_valid(g
->gr_gid
))
281 char* uid_to_name(uid_t uid
) {
285 /* Shortcut things to avoid NSS lookups */
287 return strdup("root");
288 if (synthesize_nobody() &&
290 return strdup(NOBODY_USER_NAME
);
292 if (uid_is_valid(uid
)) {
295 bufsize
= sysconf(_SC_GETPW_R_SIZE_MAX
);
300 struct passwd pwbuf
, *pw
= NULL
;
301 _cleanup_free_
char *buf
= NULL
;
303 buf
= malloc(bufsize
);
307 r
= getpwuid_r(uid
, &pwbuf
, buf
, (size_t) bufsize
, &pw
);
309 return strdup(pw
->pw_name
);
317 if (asprintf(&ret
, UID_FMT
, uid
) < 0)
323 char* gid_to_name(gid_t gid
) {
328 return strdup("root");
329 if (synthesize_nobody() &&
331 return strdup(NOBODY_GROUP_NAME
);
333 if (gid_is_valid(gid
)) {
336 bufsize
= sysconf(_SC_GETGR_R_SIZE_MAX
);
341 struct group grbuf
, *gr
= NULL
;
342 _cleanup_free_
char *buf
= NULL
;
344 buf
= malloc(bufsize
);
348 r
= getgrgid_r(gid
, &grbuf
, buf
, (size_t) bufsize
, &gr
);
350 return strdup(gr
->gr_name
);
358 if (asprintf(&ret
, GID_FMT
, gid
) < 0)
364 int in_gid(gid_t gid
) {
372 if (getegid() == gid
)
375 if (!gid_is_valid(gid
))
378 ngroups_max
= sysconf(_SC_NGROUPS_MAX
);
379 assert(ngroups_max
> 0);
381 gids
= newa(gid_t
, ngroups_max
);
383 r
= getgroups(ngroups_max
, gids
);
387 for (i
= 0; i
< r
; i
++)
394 int in_group(const char *name
) {
398 r
= get_group_creds(&name
, &gid
);
405 int get_home_dir(char **_h
) {
413 /* Take the user specified one */
414 e
= secure_getenv("HOME");
415 if (e
&& path_is_absolute(e
)) {
424 /* Hardcode home directory for root and nobody to avoid NSS */
434 if (synthesize_nobody() &&
444 /* Check the database... */
448 return errno
> 0 ? -errno
: -ESRCH
;
450 if (!path_is_absolute(p
->pw_dir
))
453 h
= strdup(p
->pw_dir
);
461 int get_shell(char **_s
) {
469 /* Take the user specified one */
480 /* Hardcode shell for root and nobody to avoid NSS */
483 s
= strdup("/bin/sh");
490 if (synthesize_nobody() &&
492 s
= strdup("/sbin/nologin");
500 /* Check the database... */
504 return errno
> 0 ? -errno
: -ESRCH
;
506 if (!path_is_absolute(p
->pw_shell
))
509 s
= strdup(p
->pw_shell
);
517 int reset_uid_gid(void) {
520 r
= maybe_setgroups(0, NULL
);
524 if (setresgid(0, 0, 0) < 0)
527 if (setresuid(0, 0, 0) < 0)
533 int take_etc_passwd_lock(const char *root
) {
535 struct flock flock
= {
537 .l_whence
= SEEK_SET
,
545 /* This is roughly the same as lckpwdf(), but not as awful. We
546 * don't want to use alarm() and signals, hence we implement
547 * our own trivial version of this.
549 * Note that shadow-utils also takes per-database locks in
550 * addition to lckpwdf(). However, we don't given that they
551 * are redundant as they invoke lckpwdf() first and keep
552 * it during everything they do. The per-database locks are
553 * awfully racy, and thus we just won't do them. */
556 path
= prefix_roota(root
, ETC_PASSWD_LOCK_PATH
);
558 path
= ETC_PASSWD_LOCK_PATH
;
560 fd
= open(path
, O_WRONLY
|O_CREAT
|O_CLOEXEC
|O_NOCTTY
|O_NOFOLLOW
, 0600);
562 return log_debug_errno(errno
, "Cannot open %s: %m", path
);
564 r
= fcntl(fd
, F_SETLKW
, &flock
);
567 return log_debug_errno(errno
, "Locking %s failed: %m", path
);
573 bool valid_user_group_name(const char *u
) {
577 /* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition,
578 * 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules:
580 * - We don't allow any dots (this would break chown syntax which permits dots as user/group name separator)
581 * - We require that names fit into the appropriate utmp field
582 * - We don't allow empty user names
584 * Note that other systems are even more restrictive, and don't permit underscores or uppercase characters.
590 if (!(u
[0] >= 'a' && u
[0] <= 'z') &&
591 !(u
[0] >= 'A' && u
[0] <= 'Z') &&
595 for (i
= u
+1; *i
; i
++) {
596 if (!(*i
>= 'a' && *i
<= 'z') &&
597 !(*i
>= 'A' && *i
<= 'Z') &&
598 !(*i
>= '0' && *i
<= '9') &&
599 !IN_SET(*i
, '_', '-'))
603 sz
= sysconf(_SC_LOGIN_NAME_MAX
);
606 if ((size_t) (i
-u
) > (size_t) sz
)
609 if ((size_t) (i
-u
) > UT_NAMESIZE
- 1)
615 bool valid_user_group_name_or_id(const char *u
) {
617 /* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right
618 * range, and not the invalid user ids. */
623 if (valid_user_group_name(u
))
626 return parse_uid(u
, NULL
) >= 0;
629 bool valid_gecos(const char *d
) {
634 if (!utf8_is_valid(d
))
637 if (string_has_cc(d
, NULL
))
640 /* Colons are used as field separators, and hence not OK */
647 bool valid_home(const char *p
) {
652 if (!utf8_is_valid(p
))
655 if (string_has_cc(p
, NULL
))
658 if (!path_is_absolute(p
))
661 if (!path_is_normalized(p
))
664 /* Colons are used as field separators, and hence not OK */
671 int maybe_setgroups(size_t size
, const gid_t
*list
) {
674 /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
675 if (size
== 0) { /* Dropping all aux groups? */
676 _cleanup_free_
char *setgroups_content
= NULL
;
679 r
= read_one_line_file("/proc/self/setgroups", &setgroups_content
);
681 /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
682 can_setgroups
= true;
686 can_setgroups
= streq(setgroups_content
, "allow");
688 if (!can_setgroups
) {
689 log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
694 if (setgroups(size
, list
) < 0)
700 bool synthesize_nobody(void) {
705 /* Returns true when we shall synthesize the "nobody" user (which we do by default). This can be turned off by
706 * touching /etc/systemd/dont-synthesize-nobody in order to provide upgrade compatibility with legacy systems
707 * that used the "nobody" user name and group name for other UIDs/GIDs than 65534.
709 * Note that we do not employ any kind of synchronization on the following caching variable. If the variable is
710 * accessed in multi-threaded programs in the worst case it might happen that we initialize twice, but that
711 * shouldn't matter as each initialization should come to the same result. */
712 static int cache
= -1;
715 cache
= access("/etc/systemd/dont-synthesize-nobody", F_OK
) < 0;