]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-setuid.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2015 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
23 #include <sys/types.h>
28 #include "nspawn-setuid.h"
29 #include "process-util.h"
30 #include "signal-util.h"
31 #include "string-util.h"
32 #include "user-util.h"
35 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
43 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
44 return log_error_errno(errno
, "Failed to allocate pipe: %m");
48 return log_error_errno(errno
, "Failed to fork getent child: %m");
51 char *empty_env
= NULL
;
53 if (dup3(pipe_fds
[1], STDOUT_FILENO
, 0) < 0)
57 safe_close(pipe_fds
[0]);
59 safe_close(pipe_fds
[1]);
61 nullfd
= open("/dev/null", O_RDWR
);
65 if (dup3(nullfd
, STDIN_FILENO
, 0) < 0)
68 if (dup3(nullfd
, STDERR_FILENO
, 0) < 0)
74 (void) reset_all_signal_handlers();
75 (void) reset_signal_mask();
76 close_all_fds(NULL
, 0);
78 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
79 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
83 pipe_fds
[1] = safe_close(pipe_fds
[1]);
90 int change_uid_gid(const char *user
, char **_home
) {
91 char line
[LINE_MAX
], *x
, *u
, *g
, *h
;
92 const char *word
, *state
;
93 _cleanup_free_ uid_t
*uids
= NULL
;
94 _cleanup_free_
char *home
= NULL
;
95 _cleanup_fclose_
FILE *f
= NULL
;
96 _cleanup_close_
int fd
= -1;
106 if (!user
|| streq(user
, "root") || streq(user
, "0")) {
107 /* Reset everything fully to 0, just in case */
111 return log_error_errno(r
, "Failed to become root: %m");
117 /* First, get user credentials */
118 fd
= spawn_getent("passwd", user
, &pid
);
127 if (!fgets(line
, sizeof(line
), f
)) {
130 log_error("Failed to resolve user %s.", user
);
134 log_error_errno(errno
, "Failed to read from getent: %m");
140 wait_for_terminate_and_warn("getent passwd", pid
, true);
142 x
= strchr(line
, ':');
144 log_error("/etc/passwd entry has invalid user field.");
148 u
= strchr(x
+1, ':');
150 log_error("/etc/passwd entry has invalid password field.");
157 log_error("/etc/passwd entry has invalid UID field.");
165 log_error("/etc/passwd entry has invalid GID field.");
170 h
= strchr(x
+1, ':');
172 log_error("/etc/passwd entry has invalid GECOS field.");
179 log_error("/etc/passwd entry has invalid home directory field.");
185 r
= parse_uid(u
, &uid
);
187 log_error("Failed to parse UID of user.");
191 r
= parse_gid(g
, &gid
);
193 log_error("Failed to parse GID of user.");
201 /* Second, get group memberships */
202 fd
= spawn_getent("initgroups", user
, &pid
);
212 if (!fgets(line
, sizeof(line
), f
)) {
214 log_error("Failed to resolve user %s.", user
);
218 log_error_errno(errno
, "Failed to read from getent: %m");
224 wait_for_terminate_and_warn("getent initgroups", pid
, true);
226 /* Skip over the username and subsequent separator whitespace */
228 x
+= strcspn(x
, WHITESPACE
);
229 x
+= strspn(x
, WHITESPACE
);
231 FOREACH_WORD(word
, l
, x
, state
) {
237 if (!GREEDY_REALLOC(uids
, sz
, n_uids
+1))
240 r
= parse_uid(c
, &uids
[n_uids
++]);
242 log_error("Failed to parse group data from getent.");
247 r
= mkdir_parents(home
, 0775);
249 return log_error_errno(r
, "Failed to make home root directory: %m");
251 r
= mkdir_safe(home
, 0755, uid
, gid
);
252 if (r
< 0 && r
!= -EEXIST
)
253 return log_error_errno(r
, "Failed to make home directory: %m");
255 (void) fchown(STDIN_FILENO
, uid
, gid
);
256 (void) fchown(STDOUT_FILENO
, uid
, gid
);
257 (void) fchown(STDERR_FILENO
, uid
, gid
);
259 if (setgroups(n_uids
, uids
) < 0)
260 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
262 if (setresgid(gid
, gid
, gid
) < 0)
263 return log_error_errno(errno
, "setregid() failed: %m");
265 if (setresuid(uid
, uid
, uid
) < 0)
266 return log_error_errno(errno
, "setreuid() failed: %m");