1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
35 #include "alloc-util.h"
38 #include "format-util.h"
41 #include "parse-util.h"
42 #include "path-util.h"
43 #include "string-util.h"
45 #include "user-util.h"
48 bool uid_is_valid(uid_t uid
) {
50 /* Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436. */
52 /* Some libc APIs use UID_INVALID as special placeholder */
53 if (uid
== (uid_t
) UINT32_C(0xFFFFFFFF))
56 /* A long time ago UIDs were 16-bit, hence explicitly avoid the 16-bit -1 too */
57 if (uid
== (uid_t
) UINT32_C(0xFFFF))
63 int parse_uid(const char *s
, uid_t
*ret
) {
69 assert_cc(sizeof(uid_t
) == sizeof(uint32_t));
70 r
= safe_atou32(s
, &uid
);
74 if (!uid_is_valid(uid
))
75 return -ENXIO
; /* we return ENXIO instead of EINVAL
76 * here, to make it easy to distinguish
77 * invalid numeric uids from invalid
86 char* getlogname_malloc(void) {
90 if (isatty(STDIN_FILENO
) && fstat(STDIN_FILENO
, &st
) >= 0)
95 return uid_to_name(uid
);
98 char *getusername_malloc(void) {
105 return uid_to_name(getuid());
109 const char **username
,
110 uid_t
*uid
, gid_t
*gid
,
112 const char **shell
) {
120 /* We enforce some special rules for uid=0: in order to avoid
121 * NSS lookups for root we hardcode its data. */
123 if (streq(*username
, "root") || streq(*username
, "0")) {
141 if (parse_uid(*username
, &u
) >= 0) {
145 /* If there are multiple users with the same id, make
146 * sure to leave $USER to the configured value instead
147 * of the first occurrence in the database. However if
148 * the uid was configured by a numeric uid, then let's
149 * pick the real username from /etc/passwd. */
151 *username
= p
->pw_name
;
154 p
= getpwnam(*username
);
158 return errno
> 0 ? -errno
: -ESRCH
;
161 if (!uid_is_valid(p
->pw_uid
))
168 if (!gid_is_valid(p
->pw_gid
))
178 *shell
= p
->pw_shell
;
183 int get_user_creds_clean(
184 const char **username
,
185 uid_t
*uid
, gid_t
*gid
,
187 const char **shell
) {
191 /* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */
193 r
= get_user_creds(username
, uid
, gid
, home
, shell
);
198 (isempty(*shell
) || PATH_IN_SET(*shell
,
202 "/usr/sbin/nologin")))
206 (isempty(*home
) || path_equal(*home
, "/")))
212 int get_group_creds(const char **groupname
, gid_t
*gid
) {
218 /* We enforce some special rules for gid=0: in order to avoid
219 * NSS lookups for root we hardcode its data. */
221 if (streq(*groupname
, "root") || streq(*groupname
, "0")) {
230 if (parse_gid(*groupname
, &id
) >= 0) {
235 *groupname
= g
->gr_name
;
238 g
= getgrnam(*groupname
);
242 return errno
> 0 ? -errno
: -ESRCH
;
245 if (!gid_is_valid(g
->gr_gid
))
254 char* uid_to_name(uid_t uid
) {
258 /* Shortcut things to avoid NSS lookups */
260 return strdup("root");
262 if (uid_is_valid(uid
)) {
265 bufsize
= sysconf(_SC_GETPW_R_SIZE_MAX
);
270 struct passwd pwbuf
, *pw
= NULL
;
271 _cleanup_free_
char *buf
= NULL
;
273 buf
= malloc(bufsize
);
277 r
= getpwuid_r(uid
, &pwbuf
, buf
, (size_t) bufsize
, &pw
);
279 return strdup(pw
->pw_name
);
287 if (asprintf(&ret
, UID_FMT
, uid
) < 0)
293 char* gid_to_name(gid_t gid
) {
298 return strdup("root");
300 if (gid_is_valid(gid
)) {
303 bufsize
= sysconf(_SC_GETGR_R_SIZE_MAX
);
308 struct group grbuf
, *gr
= NULL
;
309 _cleanup_free_
char *buf
= NULL
;
311 buf
= malloc(bufsize
);
315 r
= getgrgid_r(gid
, &grbuf
, buf
, (size_t) bufsize
, &gr
);
317 return strdup(gr
->gr_name
);
325 if (asprintf(&ret
, GID_FMT
, gid
) < 0)
331 int in_gid(gid_t gid
) {
333 int ngroups_max
, r
, i
;
338 if (getegid() == gid
)
341 if (!gid_is_valid(gid
))
344 ngroups_max
= sysconf(_SC_NGROUPS_MAX
);
345 assert(ngroups_max
> 0);
347 gids
= alloca(sizeof(gid_t
) * ngroups_max
);
349 r
= getgroups(ngroups_max
, gids
);
353 for (i
= 0; i
< r
; i
++)
360 int in_group(const char *name
) {
364 r
= get_group_creds(&name
, &gid
);
371 int get_home_dir(char **_h
) {
379 /* Take the user specified one */
380 e
= secure_getenv("HOME");
381 if (e
&& path_is_absolute(e
)) {
390 /* Hardcode home directory for root to avoid NSS */
401 /* Check the database... */
405 return errno
> 0 ? -errno
: -ESRCH
;
407 if (!path_is_absolute(p
->pw_dir
))
410 h
= strdup(p
->pw_dir
);
418 int get_shell(char **_s
) {
426 /* Take the user specified one */
437 /* Hardcode the shell for root to avoid NSS */
440 s
= strdup("/bin/sh");
448 /* Check the database... */
452 return errno
> 0 ? -errno
: -ESRCH
;
454 if (!path_is_absolute(p
->pw_shell
))
457 s
= strdup(p
->pw_shell
);
465 int reset_uid_gid(void) {
468 r
= maybe_setgroups(0, NULL
);
472 if (setresgid(0, 0, 0) < 0)
475 if (setresuid(0, 0, 0) < 0)
481 int take_etc_passwd_lock(const char *root
) {
483 struct flock flock
= {
485 .l_whence
= SEEK_SET
,
493 /* This is roughly the same as lckpwdf(), but not as awful. We
494 * don't want to use alarm() and signals, hence we implement
495 * our own trivial version of this.
497 * Note that shadow-utils also takes per-database locks in
498 * addition to lckpwdf(). However, we don't given that they
499 * are redundant as they invoke lckpwdf() first and keep
500 * it during everything they do. The per-database locks are
501 * awfully racy, and thus we just won't do them. */
504 path
= prefix_roota(root
, "/etc/.pwd.lock");
506 path
= "/etc/.pwd.lock";
508 fd
= open(path
, O_WRONLY
|O_CREAT
|O_CLOEXEC
|O_NOCTTY
|O_NOFOLLOW
, 0600);
512 r
= fcntl(fd
, F_SETLKW
, &flock
);
521 bool valid_user_group_name(const char *u
) {
525 /* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition,
526 * 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules:
528 * - We don't allow any dots (this would break chown syntax which permits dots as user/group name separator)
529 * - We require that names fit into the appropriate utmp field
530 * - We don't allow empty user names
532 * Note that other systems are even more restrictive, and don't permit underscores or uppercase characters.
538 if (!(u
[0] >= 'a' && u
[0] <= 'z') &&
539 !(u
[0] >= 'A' && u
[0] <= 'Z') &&
543 for (i
= u
+1; *i
; i
++) {
544 if (!(*i
>= 'a' && *i
<= 'z') &&
545 !(*i
>= 'A' && *i
<= 'Z') &&
546 !(*i
>= '0' && *i
<= '9') &&
547 !IN_SET(*i
, '_', '-'))
551 sz
= sysconf(_SC_LOGIN_NAME_MAX
);
554 if ((size_t) (i
-u
) > (size_t) sz
)
557 if ((size_t) (i
-u
) > UT_NAMESIZE
- 1)
563 bool valid_user_group_name_or_id(const char *u
) {
565 /* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right
566 * range, and not the invalid user ids. */
571 if (valid_user_group_name(u
))
574 return parse_uid(u
, NULL
) >= 0;
577 bool valid_gecos(const char *d
) {
582 if (!utf8_is_valid(d
))
585 if (string_has_cc(d
, NULL
))
588 /* Colons are used as field separators, and hence not OK */
595 bool valid_home(const char *p
) {
600 if (!utf8_is_valid(p
))
603 if (string_has_cc(p
, NULL
))
606 if (!path_is_absolute(p
))
609 if (!path_is_normalized(p
))
612 /* Colons are used as field separators, and hence not OK */
619 int maybe_setgroups(size_t size
, const gid_t
*list
) {
622 /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
623 if (size
== 0) { /* Dropping all aux groups? */
624 _cleanup_free_
char *setgroups_content
= NULL
;
627 r
= read_one_line_file("/proc/self/setgroups", &setgroups_content
);
629 /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
630 can_setgroups
= true;
634 can_setgroups
= streq(setgroups_content
, "allow");
636 if (!can_setgroups
) {
637 log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
642 if (setgroups(size
, list
) < 0)