]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/sysusers/sysusers.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Drop the text argument from assert_not_reached()
[thirdparty/systemd.git] / src / sysusers / sysusers.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <getopt.h>
4 #include <utmp.h>
5
6 #include "alloc-util.h"
7 #include "conf-files.h"
8 #include "copy.h"
9 #include "creds-util.h"
10 #include "def.h"
11 #include "dissect-image.h"
12 #include "fd-util.h"
13 #include "fileio.h"
14 #include "format-util.h"
15 #include "fs-util.h"
16 #include "hashmap.h"
17 #include "libcrypt-util.h"
18 #include "main-func.h"
19 #include "memory-util.h"
20 #include "mount-util.h"
21 #include "nscd-flush.h"
22 #include "pager.h"
23 #include "parse-argument.h"
24 #include "path-util.h"
25 #include "pretty-print.h"
26 #include "selinux-util.h"
27 #include "set.h"
28 #include "smack-util.h"
29 #include "specifier.h"
30 #include "string-util.h"
31 #include "strv.h"
32 #include "tmpfile-util-label.h"
33 #include "uid-range.h"
34 #include "user-record.h"
35 #include "user-util.h"
36 #include "utf8.h"
37 #include "util.h"
38
39 typedef enum ItemType {
40 ADD_USER = 'u',
41 ADD_GROUP = 'g',
42 ADD_MEMBER = 'm',
43 ADD_RANGE = 'r',
44 } ItemType;
45
46 typedef struct Item {
47 ItemType type;
48
49 char *name;
50 char *group_name;
51 char *uid_path;
52 char *gid_path;
53 char *description;
54 char *home;
55 char *shell;
56
57 gid_t gid;
58 uid_t uid;
59
60 bool gid_set:1;
61
62 /* When set the group with the specified gid must exist
63 * and the check if a uid clashes with the gid is skipped.
64 */
65 bool id_set_strict:1;
66
67 bool uid_set:1;
68
69 bool todo_user:1;
70 bool todo_group:1;
71 } Item;
72
73 static char *arg_root = NULL;
74 static char *arg_image = NULL;
75 static bool arg_cat_config = false;
76 static const char *arg_replace = NULL;
77 static bool arg_inline = false;
78 static PagerFlags arg_pager_flags = 0;
79
80 static OrderedHashmap *users = NULL, *groups = NULL;
81 static OrderedHashmap *todo_uids = NULL, *todo_gids = NULL;
82 static OrderedHashmap *members = NULL;
83
84 static Hashmap *database_by_uid = NULL, *database_by_username = NULL;
85 static Hashmap *database_by_gid = NULL, *database_by_groupname = NULL;
86 static Set *database_users = NULL, *database_groups = NULL;
87
88 static uid_t search_uid = UID_INVALID;
89 static UidRange *uid_range = NULL;
90 static unsigned n_uid_range = 0;
91
92 static UGIDAllocationRange login_defs = {};
93 static bool login_defs_need_warning = false;
94
95 STATIC_DESTRUCTOR_REGISTER(groups, ordered_hashmap_freep);
96 STATIC_DESTRUCTOR_REGISTER(users, ordered_hashmap_freep);
97 STATIC_DESTRUCTOR_REGISTER(members, ordered_hashmap_freep);
98 STATIC_DESTRUCTOR_REGISTER(todo_uids, ordered_hashmap_freep);
99 STATIC_DESTRUCTOR_REGISTER(todo_gids, ordered_hashmap_freep);
100 STATIC_DESTRUCTOR_REGISTER(database_by_uid, hashmap_freep);
101 STATIC_DESTRUCTOR_REGISTER(database_by_username, hashmap_freep);
102 STATIC_DESTRUCTOR_REGISTER(database_users, set_free_freep);
103 STATIC_DESTRUCTOR_REGISTER(database_by_gid, hashmap_freep);
104 STATIC_DESTRUCTOR_REGISTER(database_by_groupname, hashmap_freep);
105 STATIC_DESTRUCTOR_REGISTER(database_groups, set_free_freep);
106 STATIC_DESTRUCTOR_REGISTER(uid_range, freep);
107 STATIC_DESTRUCTOR_REGISTER(arg_root, freep);
108 STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
109
110 static int errno_is_not_exists(int code) {
111 /* See getpwnam(3) and getgrnam(3): those codes and others can be returned if the user or group are
112 * not found. */
113 return IN_SET(code, 0, ENOENT, ESRCH, EBADF, EPERM);
114 }
115
116 static void maybe_emit_login_defs_warning(void) {
117 if (!login_defs_need_warning)
118 return;
119
120 if (login_defs.system_alloc_uid_min != SYSTEM_ALLOC_UID_MIN ||
121 login_defs.system_uid_max != SYSTEM_UID_MAX)
122 log_warning("login.defs specifies UID allocation range "UID_FMT"–"UID_FMT
123 " that is different than the built-in defaults ("UID_FMT"–"UID_FMT")",
124 login_defs.system_alloc_uid_min, login_defs.system_uid_max,
125 SYSTEM_ALLOC_UID_MIN, SYSTEM_UID_MAX);
126 if (login_defs.system_alloc_gid_min != SYSTEM_ALLOC_GID_MIN ||
127 login_defs.system_gid_max != SYSTEM_GID_MAX)
128 log_warning("login.defs specifies GID allocation range "GID_FMT"–"GID_FMT
129 " that is different than the built-in defaults ("GID_FMT"–"GID_FMT")",
130 login_defs.system_alloc_gid_min, login_defs.system_gid_max,
131 SYSTEM_ALLOC_GID_MIN, SYSTEM_GID_MAX);
132
133 login_defs_need_warning = false;
134 }
135
136 static int load_user_database(void) {
137 _cleanup_fclose_ FILE *f = NULL;
138 const char *passwd_path;
139 struct passwd *pw;
140 int r;
141
142 passwd_path = prefix_roota(arg_root, "/etc/passwd");
143 f = fopen(passwd_path, "re");
144 if (!f)
145 return errno == ENOENT ? 0 : -errno;
146
147 r = hashmap_ensure_allocated(&database_by_username, &string_hash_ops);
148 if (r < 0)
149 return r;
150
151 r = hashmap_ensure_allocated(&database_by_uid, NULL);
152 if (r < 0)
153 return r;
154
155 r = set_ensure_allocated(&database_users, NULL);
156 if (r < 0)
157 return r;
158
159 while ((r = fgetpwent_sane(f, &pw)) > 0) {
160 char *n;
161 int k, q;
162
163 n = strdup(pw->pw_name);
164 if (!n)
165 return -ENOMEM;
166
167 k = set_put(database_users, n);
168 if (k < 0) {
169 free(n);
170 return k;
171 }
172
173 k = hashmap_put(database_by_username, n, UID_TO_PTR(pw->pw_uid));
174 if (k < 0 && k != -EEXIST)
175 return k;
176
177 q = hashmap_put(database_by_uid, UID_TO_PTR(pw->pw_uid), n);
178 if (q < 0 && q != -EEXIST)
179 return q;
180 }
181 return r;
182 }
183
184 static int load_group_database(void) {
185 _cleanup_fclose_ FILE *f = NULL;
186 const char *group_path;
187 struct group *gr;
188 int r;
189
190 group_path = prefix_roota(arg_root, "/etc/group");
191 f = fopen(group_path, "re");
192 if (!f)
193 return errno == ENOENT ? 0 : -errno;
194
195 r = hashmap_ensure_allocated(&database_by_groupname, &string_hash_ops);
196 if (r < 0)
197 return r;
198
199 r = hashmap_ensure_allocated(&database_by_gid, NULL);
200 if (r < 0)
201 return r;
202
203 r = set_ensure_allocated(&database_groups, NULL);
204 if (r < 0)
205 return r;
206
207 while ((r = fgetgrent_sane(f, &gr)) > 0) {
208 char *n;
209 int k, q;
210
211 n = strdup(gr->gr_name);
212 if (!n)
213 return -ENOMEM;
214
215 k = set_put(database_groups, n);
216 if (k < 0) {
217 free(n);
218 return k;
219 }
220
221 k = hashmap_put(database_by_groupname, n, GID_TO_PTR(gr->gr_gid));
222 if (k < 0 && k != -EEXIST)
223 return k;
224
225 q = hashmap_put(database_by_gid, GID_TO_PTR(gr->gr_gid), n);
226 if (q < 0 && q != -EEXIST)
227 return q;
228 }
229 return r;
230 }
231
232 static int make_backup(const char *target, const char *x) {
233 _cleanup_(unlink_and_freep) char *dst_tmp = NULL;
234 _cleanup_fclose_ FILE *dst = NULL;
235 _cleanup_close_ int src = -1;
236 const char *backup;
237 struct stat st;
238 int r;
239
240 assert(target);
241 assert(x);
242
243 src = open(x, O_RDONLY|O_CLOEXEC|O_NOCTTY);
244 if (src < 0) {
245 if (errno == ENOENT) /* No backup necessary... */
246 return 0;
247
248 return -errno;
249 }
250
251 if (fstat(src, &st) < 0)
252 return -errno;
253
254 r = fopen_temporary_label(
255 target, /* The path for which to the lookup the label */
256 x, /* Where we want the file actually to end up */
257 &dst,
258 &dst_tmp /* The temporary file we write to */);
259 if (r < 0)
260 return r;
261
262 r = copy_bytes(src, fileno(dst), UINT64_MAX, COPY_REFLINK);
263 if (r < 0)
264 return r;
265
266 backup = strjoina(x, "-");
267
268 /* Copy over the access mask. Don't fail on chmod() or chown(). If it stays owned by us and/or
269 * unreadable by others, then it isn't too bad... */
270 r = fchmod_and_chown(fileno(dst), st.st_mode & 07777, st.st_uid, st.st_gid);
271 if (r < 0)
272 log_warning_errno(r, "Failed to change access mode or ownership of %s: %m", backup);
273
274 if (futimens(fileno(dst), (const struct timespec[2]) { st.st_atim, st.st_mtim }) < 0)
275 log_warning_errno(errno, "Failed to fix access and modification time of %s: %m", backup);
276
277 r = fsync_full(fileno(dst));
278 if (r < 0)
279 return r;
280
281 if (rename(dst_tmp, backup) < 0)
282 return errno;
283
284 dst_tmp = mfree(dst_tmp); /* disable the unlink_and_freep() hook now that the file has been renamed */
285 return 0;
286 }
287
288 static int putgrent_with_members(const struct group *gr, FILE *group) {
289 char **a;
290
291 assert(gr);
292 assert(group);
293
294 a = ordered_hashmap_get(members, gr->gr_name);
295 if (a) {
296 _cleanup_strv_free_ char **l = NULL;
297 bool added = false;
298 char **i;
299
300 l = strv_copy(gr->gr_mem);
301 if (!l)
302 return -ENOMEM;
303
304 STRV_FOREACH(i, a) {
305 if (strv_find(l, *i))
306 continue;
307
308 if (strv_extend(&l, *i) < 0)
309 return -ENOMEM;
310
311 added = true;
312 }
313
314 if (added) {
315 struct group t;
316 int r;
317
318 strv_uniq(l);
319 strv_sort(l);
320
321 t = *gr;
322 t.gr_mem = l;
323
324 r = putgrent_sane(&t, group);
325 return r < 0 ? r : 1;
326 }
327 }
328
329 return putgrent_sane(gr, group);
330 }
331
332 #if ENABLE_GSHADOW
333 static int putsgent_with_members(const struct sgrp *sg, FILE *gshadow) {
334 char **a;
335
336 assert(sg);
337 assert(gshadow);
338
339 a = ordered_hashmap_get(members, sg->sg_namp);
340 if (a) {
341 _cleanup_strv_free_ char **l = NULL;
342 bool added = false;
343 char **i;
344
345 l = strv_copy(sg->sg_mem);
346 if (!l)
347 return -ENOMEM;
348
349 STRV_FOREACH(i, a) {
350 if (strv_find(l, *i))
351 continue;
352
353 if (strv_extend(&l, *i) < 0)
354 return -ENOMEM;
355
356 added = true;
357 }
358
359 if (added) {
360 struct sgrp t;
361 int r;
362
363 strv_uniq(l);
364 strv_sort(l);
365
366 t = *sg;
367 t.sg_mem = l;
368
369 r = putsgent_sane(&t, gshadow);
370 return r < 0 ? r : 1;
371 }
372 }
373
374 return putsgent_sane(sg, gshadow);
375 }
376 #endif
377
378 static const char* default_shell(uid_t uid) {
379 return uid == 0 ? "/bin/sh" : NOLOGIN;
380 }
381
382 static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char **tmpfile_path) {
383 _cleanup_fclose_ FILE *original = NULL, *passwd = NULL;
384 _cleanup_(unlink_and_freep) char *passwd_tmp = NULL;
385 struct passwd *pw = NULL;
386 Item *i;
387 int r;
388
389 if (ordered_hashmap_size(todo_uids) == 0)
390 return 0;
391
392 r = fopen_temporary_label("/etc/passwd", passwd_path, &passwd, &passwd_tmp);
393 if (r < 0)
394 return log_debug_errno(r, "Failed to open temporary copy of %s: %m", passwd_path);
395
396 original = fopen(passwd_path, "re");
397 if (original) {
398
399 /* Allow fallback path for when /proc is not mounted. On any normal system /proc will be
400 * mounted, but e.g. when 'dnf --installroot' is used, it might not be. There is no security
401 * relevance here, since the environment is ultimately trusted, and not requiring /proc makes
402 * it easier to depend on sysusers in packaging scripts and suchlike. */
403 r = copy_rights_with_fallback(fileno(original), fileno(passwd), passwd_tmp);
404 if (r < 0)
405 return log_debug_errno(r, "Failed to copy permissions from %s to %s: %m",
406 passwd_path, passwd_tmp);
407
408 while ((r = fgetpwent_sane(original, &pw)) > 0) {
409 i = ordered_hashmap_get(users, pw->pw_name);
410 if (i && i->todo_user)
411 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
412 "%s: User \"%s\" already exists.",
413 passwd_path, pw->pw_name);
414
415 if (ordered_hashmap_contains(todo_uids, UID_TO_PTR(pw->pw_uid)))
416 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
417 "%s: Detected collision for UID " UID_FMT ".",
418 passwd_path, pw->pw_uid);
419
420 /* Make sure we keep the NIS entries (if any) at the end. */
421 if (IN_SET(pw->pw_name[0], '+', '-'))
422 break;
423
424 r = putpwent_sane(pw, passwd);
425 if (r < 0)
426 return log_debug_errno(r, "Failed to add existing user \"%s\" to temporary passwd file: %m",
427 pw->pw_name);
428 }
429 if (r < 0)
430 return log_debug_errno(r, "Failed to read %s: %m", passwd_path);
431
432 } else {
433 if (errno != ENOENT)
434 return log_debug_errno(errno, "Failed to open %s: %m", passwd_path);
435 if (fchmod(fileno(passwd), 0644) < 0)
436 return log_debug_errno(errno, "Failed to fchmod %s: %m", passwd_tmp);
437 }
438
439 ORDERED_HASHMAP_FOREACH(i, todo_uids) {
440 _cleanup_free_ char *creds_shell = NULL, *cn = NULL;
441
442 struct passwd n = {
443 .pw_name = i->name,
444 .pw_uid = i->uid,
445 .pw_gid = i->gid,
446 .pw_gecos = i->description,
447
448 /* "x" means the password is stored in the shadow file */
449 .pw_passwd = (char*) PASSWORD_SEE_SHADOW,
450
451 /* We default to the root directory as home */
452 .pw_dir = i->home ?: (char*) "/",
453
454 /* Initialize the shell to nologin, with one exception:
455 * for root we patch in something special */
456 .pw_shell = i->shell ?: (char*) default_shell(i->uid),
457 };
458
459 /* Try to pick up the shell for this account via the credentials logic */
460 cn = strjoin("passwd.shell.", i->name);
461 if (!cn)
462 return -ENOMEM;
463
464 r = read_credential(cn, (void**) &creds_shell, NULL);
465 if (r < 0)
466 log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
467 else
468 n.pw_shell = creds_shell;
469
470 r = putpwent_sane(&n, passwd);
471 if (r < 0)
472 return log_debug_errno(r, "Failed to add new user \"%s\" to temporary passwd file: %m",
473 pw->pw_name);
474 }
475
476 /* Append the remaining NIS entries if any */
477 while (pw) {
478 r = putpwent_sane(pw, passwd);
479 if (r < 0)
480 return log_debug_errno(r, "Failed to add existing user \"%s\" to temporary passwd file: %m",
481 pw->pw_name);
482
483 r = fgetpwent_sane(original, &pw);
484 if (r < 0)
485 return log_debug_errno(r, "Failed to read %s: %m", passwd_path);
486 if (r == 0)
487 break;
488 }
489
490 r = fflush_and_check(passwd);
491 if (r < 0)
492 return log_debug_errno(r, "Failed to flush %s: %m", passwd_tmp);
493
494 *tmpfile = TAKE_PTR(passwd);
495 *tmpfile_path = TAKE_PTR(passwd_tmp);
496
497 return 0;
498 }
499
500 static int write_temporary_shadow(const char *shadow_path, FILE **tmpfile, char **tmpfile_path) {
501 _cleanup_fclose_ FILE *original = NULL, *shadow = NULL;
502 _cleanup_(unlink_and_freep) char *shadow_tmp = NULL;
503 struct spwd *sp = NULL;
504 long lstchg;
505 Item *i;
506 int r;
507
508 if (ordered_hashmap_size(todo_uids) == 0)
509 return 0;
510
511 r = fopen_temporary_label("/etc/shadow", shadow_path, &shadow, &shadow_tmp);
512 if (r < 0)
513 return log_debug_errno(r, "Failed to open temporary copy of %s: %m", shadow_path);
514
515 lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY);
516
517 original = fopen(shadow_path, "re");
518 if (original) {
519
520 r = copy_rights_with_fallback(fileno(original), fileno(shadow), shadow_tmp);
521 if (r < 0)
522 return log_debug_errno(r, "Failed to copy permissions from %s to %s: %m",
523 shadow_path, shadow_tmp);
524
525 while ((r = fgetspent_sane(original, &sp)) > 0) {
526 i = ordered_hashmap_get(users, sp->sp_namp);
527 if (i && i->todo_user) {
528 /* we will update the existing entry */
529 sp->sp_lstchg = lstchg;
530
531 /* only the /etc/shadow stage is left, so we can
532 * safely remove the item from the todo set */
533 i->todo_user = false;
534 ordered_hashmap_remove(todo_uids, UID_TO_PTR(i->uid));
535 }
536
537 /* Make sure we keep the NIS entries (if any) at the end. */
538 if (IN_SET(sp->sp_namp[0], '+', '-'))
539 break;
540
541 r = putspent_sane(sp, shadow);
542 if (r < 0)
543 return log_debug_errno(r, "Failed to add existing user \"%s\" to temporary shadow file: %m",
544 sp->sp_namp);
545
546 }
547 if (r < 0)
548 return log_debug_errno(r, "Failed to read %s: %m", shadow_path);
549
550 } else {
551 if (errno != ENOENT)
552 return log_debug_errno(errno, "Failed to open %s: %m", shadow_path);
553 if (fchmod(fileno(shadow), 0000) < 0)
554 return log_debug_errno(errno, "Failed to fchmod %s: %m", shadow_tmp);
555 }
556
557 ORDERED_HASHMAP_FOREACH(i, todo_uids) {
558 _cleanup_(erase_and_freep) char *creds_password = NULL;
559 _cleanup_free_ char *cn = NULL;
560
561 struct spwd n = {
562 .sp_namp = i->name,
563 .sp_pwdp = (char*) PASSWORD_LOCKED_AND_INVALID,
564 .sp_lstchg = lstchg,
565 .sp_min = -1,
566 .sp_max = -1,
567 .sp_warn = -1,
568 .sp_inact = -1,
569 .sp_expire = -1,
570 .sp_flag = ULONG_MAX, /* this appears to be what everybody does ... */
571 };
572
573 /* Try to pick up the password for this account via the credentials logic */
574 cn = strjoin("passwd.hashed-password.", i->name);
575 if (!cn)
576 return -ENOMEM;
577
578 r = read_credential(cn, (void**) &creds_password, NULL);
579 if (r == -ENOENT) {
580 _cleanup_(erase_and_freep) char *plaintext_password = NULL;
581
582 free(cn);
583 cn = strjoin("passwd.plaintext-password.", i->name);
584 if (!cn)
585 return -ENOMEM;
586
587 r = read_credential(cn, (void**) &plaintext_password, NULL);
588 if (r < 0)
589 log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
590 else {
591 r = hash_password(plaintext_password, &creds_password);
592 if (r < 0)
593 return log_debug_errno(r, "Failed to hash password: %m");
594 }
595 } else if (r < 0)
596 log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
597
598 if (creds_password)
599 n.sp_pwdp = creds_password;
600
601 r = putspent_sane(&n, shadow);
602 if (r < 0)
603 return log_debug_errno(r, "Failed to add new user \"%s\" to temporary shadow file: %m",
604 sp->sp_namp);
605 }
606
607 /* Append the remaining NIS entries if any */
608 while (sp) {
609 r = putspent_sane(sp, shadow);
610 if (r < 0)
611 return log_debug_errno(r, "Failed to add existing user \"%s\" to temporary shadow file: %m",
612 sp->sp_namp);
613
614 r = fgetspent_sane(original, &sp);
615 if (r < 0)
616 return log_debug_errno(r, "Failed to read %s: %m", shadow_path);
617 if (r == 0)
618 break;
619 }
620 if (!IN_SET(errno, 0, ENOENT))
621 return -errno;
622
623 r = fflush_sync_and_check(shadow);
624 if (r < 0)
625 return log_debug_errno(r, "Failed to flush %s: %m", shadow_tmp);
626
627 *tmpfile = TAKE_PTR(shadow);
628 *tmpfile_path = TAKE_PTR(shadow_tmp);
629
630 return 0;
631 }
632
633 static int write_temporary_group(const char *group_path, FILE **tmpfile, char **tmpfile_path) {
634 _cleanup_fclose_ FILE *original = NULL, *group = NULL;
635 _cleanup_(unlink_and_freep) char *group_tmp = NULL;
636 bool group_changed = false;
637 struct group *gr = NULL;
638 Item *i;
639 int r;
640
641 if (ordered_hashmap_size(todo_gids) == 0 && ordered_hashmap_size(members) == 0)
642 return 0;
643
644 r = fopen_temporary_label("/etc/group", group_path, &group, &group_tmp);
645 if (r < 0)
646 return log_debug_errno(r, "Failed to open temporary copy of %s: %m", group_path);
647
648 original = fopen(group_path, "re");
649 if (original) {
650
651 r = copy_rights_with_fallback(fileno(original), fileno(group), group_tmp);
652 if (r < 0)
653 return log_debug_errno(r, "Failed to copy permissions from %s to %s: %m",
654 group_path, group_tmp);
655
656 while ((r = fgetgrent_sane(original, &gr)) > 0) {
657 /* Safety checks against name and GID collisions. Normally,
658 * this should be unnecessary, but given that we look at the
659 * entries anyway here, let's make an extra verification
660 * step that we don't generate duplicate entries. */
661
662 i = ordered_hashmap_get(groups, gr->gr_name);
663 if (i && i->todo_group)
664 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
665 "%s: Group \"%s\" already exists.",
666 group_path, gr->gr_name);
667
668 if (ordered_hashmap_contains(todo_gids, GID_TO_PTR(gr->gr_gid)))
669 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
670 "%s: Detected collision for GID " GID_FMT ".",
671 group_path, gr->gr_gid);
672
673 /* Make sure we keep the NIS entries (if any) at the end. */
674 if (IN_SET(gr->gr_name[0], '+', '-'))
675 break;
676
677 r = putgrent_with_members(gr, group);
678 if (r < 0)
679 return log_debug_errno(r, "Failed to add existing group \"%s\" to temporary group file: %m",
680 gr->gr_name);
681 if (r > 0)
682 group_changed = true;
683 }
684 if (r < 0)
685 return log_debug_errno(r, "Failed to read %s: %m", group_path);
686
687 } else {
688 if (errno != ENOENT)
689 return log_debug_errno(errno, "Failed to open %s: %m", group_path);
690 if (fchmod(fileno(group), 0644) < 0)
691 return log_debug_errno(errno, "Failed to fchmod %s: %m", group_tmp);
692 }
693
694 ORDERED_HASHMAP_FOREACH(i, todo_gids) {
695 struct group n = {
696 .gr_name = i->name,
697 .gr_gid = i->gid,
698 .gr_passwd = (char*) PASSWORD_SEE_SHADOW,
699 };
700
701 r = putgrent_with_members(&n, group);
702 if (r < 0)
703 return log_debug_errno(r, "Failed to add new group \"%s\" to temporary group file: %m",
704 gr->gr_name);
705
706 group_changed = true;
707 }
708
709 /* Append the remaining NIS entries if any */
710 while (gr) {
711 r = putgrent_sane(gr, group);
712 if (r < 0)
713 return log_debug_errno(r, "Failed to add existing group \"%s\" to temporary group file: %m",
714 gr->gr_name);
715
716 r = fgetgrent_sane(original, &gr);
717 if (r < 0)
718 return log_debug_errno(r, "Failed to read %s: %m", group_path);
719 if (r == 0)
720 break;
721 }
722
723 r = fflush_sync_and_check(group);
724 if (r < 0)
725 return log_debug_errno(r, "Failed to flush %s: %m", group_tmp);
726
727 if (group_changed) {
728 *tmpfile = TAKE_PTR(group);
729 *tmpfile_path = TAKE_PTR(group_tmp);
730 }
731 return 0;
732 }
733
734 static int write_temporary_gshadow(const char * gshadow_path, FILE **tmpfile, char **tmpfile_path) {
735 #if ENABLE_GSHADOW
736 _cleanup_fclose_ FILE *original = NULL, *gshadow = NULL;
737 _cleanup_(unlink_and_freep) char *gshadow_tmp = NULL;
738 bool group_changed = false;
739 Item *i;
740 int r;
741
742 if (ordered_hashmap_size(todo_gids) == 0 && ordered_hashmap_size(members) == 0)
743 return 0;
744
745 r = fopen_temporary_label("/etc/gshadow", gshadow_path, &gshadow, &gshadow_tmp);
746 if (r < 0)
747 return log_debug_errno(r, "Failed to open temporary copy of %s: %m", gshadow_path);
748
749 original = fopen(gshadow_path, "re");
750 if (original) {
751 struct sgrp *sg;
752
753 r = copy_rights_with_fallback(fileno(original), fileno(gshadow), gshadow_tmp);
754 if (r < 0)
755 return log_debug_errno(r, "Failed to copy permissions from %s to %s: %m",
756 gshadow_path, gshadow_tmp);
757
758 while ((r = fgetsgent_sane(original, &sg)) > 0) {
759
760 i = ordered_hashmap_get(groups, sg->sg_namp);
761 if (i && i->todo_group)
762 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
763 "%s: Group \"%s\" already exists.",
764 gshadow_path, sg->sg_namp);
765
766 r = putsgent_with_members(sg, gshadow);
767 if (r < 0)
768 return log_debug_errno(r, "Failed to add existing group \"%s\" to temporary gshadow file: %m",
769 sg->sg_namp);
770 if (r > 0)
771 group_changed = true;
772 }
773 if (r < 0)
774 return r;
775
776 } else {
777 if (errno != ENOENT)
778 return log_debug_errno(errno, "Failed to open %s: %m", gshadow_path);
779 if (fchmod(fileno(gshadow), 0000) < 0)
780 return log_debug_errno(errno, "Failed to fchmod %s: %m", gshadow_tmp);
781 }
782
783 ORDERED_HASHMAP_FOREACH(i, todo_gids) {
784 struct sgrp n = {
785 .sg_namp = i->name,
786 .sg_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
787 };
788
789 r = putsgent_with_members(&n, gshadow);
790 if (r < 0)
791 return log_debug_errno(r, "Failed to add new group \"%s\" to temporary gshadow file: %m",
792 n.sg_namp);
793
794 group_changed = true;
795 }
796
797 r = fflush_sync_and_check(gshadow);
798 if (r < 0)
799 return log_debug_errno(r, "Failed to flush %s: %m", gshadow_tmp);
800
801 if (group_changed) {
802 *tmpfile = TAKE_PTR(gshadow);
803 *tmpfile_path = TAKE_PTR(gshadow_tmp);
804 }
805 #endif
806 return 0;
807 }
808
809 static int write_files(void) {
810 _cleanup_fclose_ FILE *passwd = NULL, *group = NULL, *shadow = NULL, *gshadow = NULL;
811 _cleanup_(unlink_and_freep) char *passwd_tmp = NULL, *group_tmp = NULL, *shadow_tmp = NULL, *gshadow_tmp = NULL;
812 const char *passwd_path, *shadow_path, *group_path, *gshadow_path;
813 int r;
814
815 passwd_path = prefix_roota(arg_root, "/etc/passwd");
816 shadow_path = prefix_roota(arg_root, "/etc/shadow");
817 group_path = prefix_roota(arg_root, "/etc/group");
818 gshadow_path = prefix_roota(arg_root, "/etc/gshadow");
819
820 r = write_temporary_group(group_path, &group, &group_tmp);
821 if (r < 0)
822 return r;
823
824 r = write_temporary_gshadow(gshadow_path, &gshadow, &gshadow_tmp);
825 if (r < 0)
826 return r;
827
828 r = write_temporary_passwd(passwd_path, &passwd, &passwd_tmp);
829 if (r < 0)
830 return r;
831
832 r = write_temporary_shadow(shadow_path, &shadow, &shadow_tmp);
833 if (r < 0)
834 return r;
835
836 /* Make a backup of the old files */
837 if (group) {
838 r = make_backup("/etc/group", group_path);
839 if (r < 0)
840 return log_debug_errno(r, "Failed to make backup %s: %m", group_path);
841 }
842 if (gshadow) {
843 r = make_backup("/etc/gshadow", gshadow_path);
844 if (r < 0)
845 return log_debug_errno(r, "Failed to make backup %s: %m", gshadow_path);
846 }
847
848 if (passwd) {
849 r = make_backup("/etc/passwd", passwd_path);
850 if (r < 0)
851 return log_debug_errno(r, "Failed to make backup %s: %m", passwd_path);
852 }
853 if (shadow) {
854 r = make_backup("/etc/shadow", shadow_path);
855 if (r < 0)
856 return log_debug_errno(r, "Failed to make backup %s: %m", shadow_path);
857 }
858
859 /* And make the new files count */
860 if (group) {
861 r = rename_and_apply_smack_floor_label(group_tmp, group_path);
862 if (r < 0)
863 return log_debug_errno(r, "Failed to rename %s to %s: %m",
864 group_tmp, group_path);
865 group_tmp = mfree(group_tmp);
866
867 if (!arg_root && !arg_image)
868 (void) nscd_flush_cache(STRV_MAKE("group"));
869 }
870 if (gshadow) {
871 r = rename_and_apply_smack_floor_label(gshadow_tmp, gshadow_path);
872 if (r < 0)
873 return log_debug_errno(r, "Failed to rename %s to %s: %m",
874 gshadow_tmp, gshadow_path);
875
876 gshadow_tmp = mfree(gshadow_tmp);
877 }
878
879 if (passwd) {
880 r = rename_and_apply_smack_floor_label(passwd_tmp, passwd_path);
881 if (r < 0)
882 return log_debug_errno(r, "Failed to rename %s to %s: %m",
883 passwd_tmp, passwd_path);
884
885 passwd_tmp = mfree(passwd_tmp);
886
887 if (!arg_root && !arg_image)
888 (void) nscd_flush_cache(STRV_MAKE("passwd"));
889 }
890 if (shadow) {
891 r = rename_and_apply_smack_floor_label(shadow_tmp, shadow_path);
892 if (r < 0)
893 return log_debug_errno(r, "Failed to rename %s to %s: %m",
894 shadow_tmp, shadow_path);
895
896 shadow_tmp = mfree(shadow_tmp);
897 }
898
899 return 0;
900 }
901
902 static int uid_is_ok(uid_t uid, const char *name, bool check_with_gid) {
903
904 /* Let's see if we already have assigned the UID a second time */
905 if (ordered_hashmap_get(todo_uids, UID_TO_PTR(uid)))
906 return 0;
907
908 /* Try to avoid using uids that are already used by a group
909 * that doesn't have the same name as our new user. */
910 if (check_with_gid) {
911 Item *i;
912
913 i = ordered_hashmap_get(todo_gids, GID_TO_PTR(uid));
914 if (i && !streq(i->name, name))
915 return 0;
916 }
917
918 /* Let's check the files directly */
919 if (hashmap_contains(database_by_uid, UID_TO_PTR(uid)))
920 return 0;
921
922 if (check_with_gid) {
923 const char *n;
924
925 n = hashmap_get(database_by_gid, GID_TO_PTR(uid));
926 if (n && !streq(n, name))
927 return 0;
928 }
929
930 /* Let's also check via NSS, to avoid UID clashes over LDAP and such, just in case */
931 if (!arg_root) {
932 struct passwd *p;
933 struct group *g;
934
935 errno = 0;
936 p = getpwuid(uid);
937 if (p)
938 return 0;
939 if (!IN_SET(errno, 0, ENOENT))
940 return -errno;
941
942 if (check_with_gid) {
943 errno = 0;
944 g = getgrgid((gid_t) uid);
945 if (g) {
946 if (!streq(g->gr_name, name))
947 return 0;
948 } else if (!IN_SET(errno, 0, ENOENT))
949 return -errno;
950 }
951 }
952
953 return 1;
954 }
955
956 static int root_stat(const char *p, struct stat *st) {
957 const char *fix;
958
959 fix = prefix_roota(arg_root, p);
960 if (stat(fix, st) < 0)
961 return -errno;
962
963 return 0;
964 }
965
966 static int read_id_from_file(Item *i, uid_t *_uid, gid_t *_gid) {
967 struct stat st;
968 bool found_uid = false, found_gid = false;
969 uid_t uid = 0;
970 gid_t gid = 0;
971
972 assert(i);
973
974 /* First, try to get the gid directly */
975 if (_gid && i->gid_path && root_stat(i->gid_path, &st) >= 0) {
976 gid = st.st_gid;
977 found_gid = true;
978 }
979
980 /* Then, try to get the uid directly */
981 if ((_uid || (_gid && !found_gid))
982 && i->uid_path
983 && root_stat(i->uid_path, &st) >= 0) {
984
985 uid = st.st_uid;
986 found_uid = true;
987
988 /* If we need the gid, but had no success yet, also derive it from the uid path */
989 if (_gid && !found_gid) {
990 gid = st.st_gid;
991 found_gid = true;
992 }
993 }
994
995 /* If that didn't work yet, then let's reuse the gid as uid */
996 if (_uid && !found_uid && i->gid_path) {
997
998 if (found_gid) {
999 uid = (uid_t) gid;
1000 found_uid = true;
1001 } else if (root_stat(i->gid_path, &st) >= 0) {
1002 uid = (uid_t) st.st_gid;
1003 found_uid = true;
1004 }
1005 }
1006
1007 if (_uid) {
1008 if (!found_uid)
1009 return 0;
1010
1011 *_uid = uid;
1012 }
1013
1014 if (_gid) {
1015 if (!found_gid)
1016 return 0;
1017
1018 *_gid = gid;
1019 }
1020
1021 return 1;
1022 }
1023
1024 static int add_user(Item *i) {
1025 void *z;
1026 int r;
1027
1028 assert(i);
1029
1030 /* Check the database directly */
1031 z = hashmap_get(database_by_username, i->name);
1032 if (z) {
1033 log_debug("User %s already exists.", i->name);
1034 i->uid = PTR_TO_UID(z);
1035 i->uid_set = true;
1036 return 0;
1037 }
1038
1039 if (!arg_root) {
1040 struct passwd *p;
1041
1042 /* Also check NSS */
1043 errno = 0;
1044 p = getpwnam(i->name);
1045 if (p) {
1046 log_debug("User %s already exists.", i->name);
1047 i->uid = p->pw_uid;
1048 i->uid_set = true;
1049
1050 r = free_and_strdup(&i->description, p->pw_gecos);
1051 if (r < 0)
1052 return log_oom();
1053
1054 return 0;
1055 }
1056 if (!errno_is_not_exists(errno))
1057 return log_error_errno(errno, "Failed to check if user %s already exists: %m", i->name);
1058 }
1059
1060 /* Try to use the suggested numeric uid */
1061 if (i->uid_set) {
1062 r = uid_is_ok(i->uid, i->name, !i->id_set_strict);
1063 if (r < 0)
1064 return log_error_errno(r, "Failed to verify uid " UID_FMT ": %m", i->uid);
1065 if (r == 0) {
1066 log_debug("Suggested user ID " UID_FMT " for %s already used.", i->uid, i->name);
1067 i->uid_set = false;
1068 }
1069 }
1070
1071 /* If that didn't work, try to read it from the specified path */
1072 if (!i->uid_set) {
1073 uid_t c;
1074
1075 if (read_id_from_file(i, &c, NULL) > 0) {
1076
1077 if (c <= 0 || !uid_range_contains(uid_range, n_uid_range, c))
1078 log_debug("User ID " UID_FMT " of file not suitable for %s.", c, i->name);
1079 else {
1080 r = uid_is_ok(c, i->name, true);
1081 if (r < 0)
1082 return log_error_errno(r, "Failed to verify uid " UID_FMT ": %m", i->uid);
1083 else if (r > 0) {
1084 i->uid = c;
1085 i->uid_set = true;
1086 } else
1087 log_debug("User ID " UID_FMT " of file for %s is already used.", c, i->name);
1088 }
1089 }
1090 }
1091
1092 /* Otherwise, try to reuse the group ID */
1093 if (!i->uid_set && i->gid_set) {
1094 r = uid_is_ok((uid_t) i->gid, i->name, true);
1095 if (r < 0)
1096 return log_error_errno(r, "Failed to verify uid " UID_FMT ": %m", i->uid);
1097 if (r > 0) {
1098 i->uid = (uid_t) i->gid;
1099 i->uid_set = true;
1100 }
1101 }
1102
1103 /* And if that didn't work either, let's try to find a free one */
1104 if (!i->uid_set) {
1105 maybe_emit_login_defs_warning();
1106
1107 for (;;) {
1108 r = uid_range_next_lower(uid_range, n_uid_range, &search_uid);
1109 if (r < 0)
1110 return log_error_errno(r, "No free user ID available for %s.", i->name);
1111
1112 r = uid_is_ok(search_uid, i->name, true);
1113 if (r < 0)
1114 return log_error_errno(r, "Failed to verify uid " UID_FMT ": %m", i->uid);
1115 else if (r > 0)
1116 break;
1117 }
1118
1119 i->uid_set = true;
1120 i->uid = search_uid;
1121 }
1122
1123 r = ordered_hashmap_ensure_put(&todo_uids, NULL, UID_TO_PTR(i->uid), i);
1124 if (r == -EEXIST)
1125 return log_error_errno(r, "Requested user %s with uid " UID_FMT " and gid" GID_FMT " to be created is duplicated "
1126 "or conflicts with another user.", i->name, i->uid, i->gid);
1127 if (r == -ENOMEM)
1128 return log_oom();
1129 if (r < 0)
1130 return log_error_errno(r, "Failed to store user %s with uid " UID_FMT " and gid " GID_FMT " to be created: %m",
1131 i->name, i->uid, i->gid);
1132
1133 i->todo_user = true;
1134 log_info("Creating user %s (%s) with uid " UID_FMT " and gid " GID_FMT ".",
1135 i->name, strna(i->description), i->uid, i->gid);
1136
1137 return 0;
1138 }
1139
1140 static int gid_is_ok(gid_t gid) {
1141 struct group *g;
1142 struct passwd *p;
1143
1144 if (ordered_hashmap_get(todo_gids, GID_TO_PTR(gid)))
1145 return 0;
1146
1147 /* Avoid reusing gids that are already used by a different user */
1148 if (ordered_hashmap_get(todo_uids, UID_TO_PTR(gid)))
1149 return 0;
1150
1151 if (hashmap_contains(database_by_gid, GID_TO_PTR(gid)))
1152 return 0;
1153
1154 if (hashmap_contains(database_by_uid, UID_TO_PTR(gid)))
1155 return 0;
1156
1157 if (!arg_root) {
1158 errno = 0;
1159 g = getgrgid(gid);
1160 if (g)
1161 return 0;
1162 if (!IN_SET(errno, 0, ENOENT))
1163 return -errno;
1164
1165 errno = 0;
1166 p = getpwuid((uid_t) gid);
1167 if (p)
1168 return 0;
1169 if (!IN_SET(errno, 0, ENOENT))
1170 return -errno;
1171 }
1172
1173 return 1;
1174 }
1175
1176 static int get_gid_by_name(const char *name, gid_t *gid) {
1177 void *z;
1178
1179 assert(gid);
1180
1181 /* Check the database directly */
1182 z = hashmap_get(database_by_groupname, name);
1183 if (z) {
1184 *gid = PTR_TO_GID(z);
1185 return 0;
1186 }
1187
1188 /* Also check NSS */
1189 if (!arg_root) {
1190 struct group *g;
1191
1192 errno = 0;
1193 g = getgrnam(name);
1194 if (g) {
1195 *gid = g->gr_gid;
1196 return 0;
1197 }
1198 if (!errno_is_not_exists(errno))
1199 return log_error_errno(errno, "Failed to check if group %s already exists: %m", name);
1200 }
1201
1202 return -ENOENT;
1203 }
1204
1205 static int add_group(Item *i) {
1206 int r;
1207
1208 assert(i);
1209
1210 r = get_gid_by_name(i->name, &i->gid);
1211 if (r != -ENOENT) {
1212 if (r < 0)
1213 return r;
1214 log_debug("Group %s already exists.", i->name);
1215 i->gid_set = true;
1216 return 0;
1217 }
1218
1219 /* Try to use the suggested numeric gid */
1220 if (i->gid_set) {
1221 r = gid_is_ok(i->gid);
1222 if (r < 0)
1223 return log_error_errno(r, "Failed to verify gid " GID_FMT ": %m", i->gid);
1224 if (i->id_set_strict) {
1225 /* If we require the gid to already exist we can return here:
1226 * r > 0: means the gid does not exist -> fail
1227 * r == 0: means the gid exists -> nothing more to do.
1228 */
1229 if (r > 0)
1230 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1231 "Failed to create %s: please create GID %d",
1232 i->name, i->gid);
1233 if (r == 0)
1234 return 0;
1235 }
1236 if (r == 0) {
1237 log_debug("Suggested group ID " GID_FMT " for %s already used.", i->gid, i->name);
1238 i->gid_set = false;
1239 }
1240 }
1241
1242 /* Try to reuse the numeric uid, if there's one */
1243 if (!i->gid_set && i->uid_set) {
1244 r = gid_is_ok((gid_t) i->uid);
1245 if (r < 0)
1246 return log_error_errno(r, "Failed to verify gid " GID_FMT ": %m", i->gid);
1247 if (r > 0) {
1248 i->gid = (gid_t) i->uid;
1249 i->gid_set = true;
1250 }
1251 }
1252
1253 /* If that didn't work, try to read it from the specified path */
1254 if (!i->gid_set) {
1255 gid_t c;
1256
1257 if (read_id_from_file(i, NULL, &c) > 0) {
1258
1259 if (c <= 0 || !uid_range_contains(uid_range, n_uid_range, c))
1260 log_debug("Group ID " GID_FMT " of file not suitable for %s.", c, i->name);
1261 else {
1262 r = gid_is_ok(c);
1263 if (r < 0)
1264 return log_error_errno(r, "Failed to verify gid " GID_FMT ": %m", i->gid);
1265 else if (r > 0) {
1266 i->gid = c;
1267 i->gid_set = true;
1268 } else
1269 log_debug("Group ID " GID_FMT " of file for %s already used.", c, i->name);
1270 }
1271 }
1272 }
1273
1274 /* And if that didn't work either, let's try to find a free one */
1275 if (!i->gid_set) {
1276 maybe_emit_login_defs_warning();
1277
1278 for (;;) {
1279 /* We look for new GIDs in the UID pool! */
1280 r = uid_range_next_lower(uid_range, n_uid_range, &search_uid);
1281 if (r < 0)
1282 return log_error_errno(r, "No free group ID available for %s.", i->name);
1283
1284 r = gid_is_ok(search_uid);
1285 if (r < 0)
1286 return log_error_errno(r, "Failed to verify gid " GID_FMT ": %m", i->gid);
1287 else if (r > 0)
1288 break;
1289 }
1290
1291 i->gid_set = true;
1292 i->gid = search_uid;
1293 }
1294
1295 r = ordered_hashmap_ensure_put(&todo_gids, NULL, GID_TO_PTR(i->gid), i);
1296 if (r == -EEXIST)
1297 return log_error_errno(r, "Requested group %s with gid "GID_FMT " to be created is duplicated or conflicts with another user.", i->name, i->gid);
1298 if (r == -ENOMEM)
1299 return log_oom();
1300 if (r < 0)
1301 return log_error_errno(r, "Failed to store group %s with gid " GID_FMT " to be created: %m", i->name, i->gid);
1302
1303 i->todo_group = true;
1304 log_info("Creating group %s with gid " GID_FMT ".", i->name, i->gid);
1305
1306 return 0;
1307 }
1308
1309 static int process_item(Item *i) {
1310 int r;
1311
1312 assert(i);
1313
1314 switch (i->type) {
1315
1316 case ADD_USER: {
1317 Item *j;
1318
1319 j = ordered_hashmap_get(groups, i->group_name ?: i->name);
1320 if (j && j->todo_group) {
1321 /* When a group with the target name is already in queue,
1322 * use the information about the group and do not create
1323 * duplicated group entry. */
1324 i->gid_set = j->gid_set;
1325 i->gid = j->gid;
1326 i->id_set_strict = true;
1327 } else if (i->group_name) {
1328 /* When a group name was given instead of a GID and it's
1329 * not in queue, then it must already exist. */
1330 r = get_gid_by_name(i->group_name, &i->gid);
1331 if (r < 0)
1332 return log_error_errno(r, "Group %s not found.", i->group_name);
1333 i->gid_set = true;
1334 i->id_set_strict = true;
1335 } else {
1336 r = add_group(i);
1337 if (r < 0)
1338 return r;
1339 }
1340
1341 return add_user(i);
1342 }
1343
1344 case ADD_GROUP:
1345 return add_group(i);
1346
1347 default:
1348 assert_not_reached();
1349 }
1350 }
1351
1352 static Item* item_free(Item *i) {
1353 if (!i)
1354 return NULL;
1355
1356 free(i->name);
1357 free(i->group_name);
1358 free(i->uid_path);
1359 free(i->gid_path);
1360 free(i->description);
1361 free(i->home);
1362 free(i->shell);
1363 return mfree(i);
1364 }
1365
1366 DEFINE_TRIVIAL_CLEANUP_FUNC(Item*, item_free);
1367 DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(item_hash_ops, char, string_hash_func, string_compare_func, Item, item_free);
1368
1369 static int add_implicit(void) {
1370 char *g, **l;
1371 int r;
1372
1373 /* Implicitly create additional users and groups, if they were listed in "m" lines */
1374 ORDERED_HASHMAP_FOREACH_KEY(l, g, members) {
1375 char **m;
1376
1377 STRV_FOREACH(m, l)
1378 if (!ordered_hashmap_get(users, *m)) {
1379 _cleanup_(item_freep) Item *j = NULL;
1380
1381 j = new0(Item, 1);
1382 if (!j)
1383 return log_oom();
1384
1385 j->type = ADD_USER;
1386 j->name = strdup(*m);
1387 if (!j->name)
1388 return log_oom();
1389
1390 r = ordered_hashmap_ensure_put(&users, &item_hash_ops, j->name, j);
1391 if (r == -ENOMEM)
1392 return log_oom();
1393 if (r < 0)
1394 return log_error_errno(r, "Failed to add implicit user '%s': %m", j->name);
1395
1396 log_debug("Adding implicit user '%s' due to m line", j->name);
1397 TAKE_PTR(j);
1398 }
1399
1400 if (!(ordered_hashmap_get(users, g) ||
1401 ordered_hashmap_get(groups, g))) {
1402 _cleanup_(item_freep) Item *j = NULL;
1403
1404 j = new0(Item, 1);
1405 if (!j)
1406 return log_oom();
1407
1408 j->type = ADD_GROUP;
1409 j->name = strdup(g);
1410 if (!j->name)
1411 return log_oom();
1412
1413 r = ordered_hashmap_ensure_put(&groups, &item_hash_ops, j->name, j);
1414 if (r == -ENOMEM)
1415 return log_oom();
1416 if (r < 0)
1417 return log_error_errno(r, "Failed to add implicit group '%s': %m", j->name);
1418
1419 log_debug("Adding implicit group '%s' due to m line", j->name);
1420 TAKE_PTR(j);
1421 }
1422 }
1423
1424 return 0;
1425 }
1426
1427 static bool item_equal(Item *a, Item *b) {
1428 assert(a);
1429 assert(b);
1430
1431 if (a->type != b->type)
1432 return false;
1433
1434 if (!streq_ptr(a->name, b->name))
1435 return false;
1436
1437 if (!streq_ptr(a->uid_path, b->uid_path))
1438 return false;
1439
1440 if (!streq_ptr(a->gid_path, b->gid_path))
1441 return false;
1442
1443 if (!streq_ptr(a->description, b->description))
1444 return false;
1445
1446 if (a->uid_set != b->uid_set)
1447 return false;
1448
1449 if (a->uid_set && a->uid != b->uid)
1450 return false;
1451
1452 if (a->gid_set != b->gid_set)
1453 return false;
1454
1455 if (a->gid_set && a->gid != b->gid)
1456 return false;
1457
1458 if (!streq_ptr(a->home, b->home))
1459 return false;
1460
1461 if (!streq_ptr(a->shell, b->shell))
1462 return false;
1463
1464 return true;
1465 }
1466
1467 static int parse_line(const char *fname, unsigned line, const char *buffer) {
1468
1469 _cleanup_free_ char *action = NULL,
1470 *name = NULL, *resolved_name = NULL,
1471 *id = NULL, *resolved_id = NULL,
1472 *description = NULL, *resolved_description = NULL,
1473 *home = NULL, *resolved_home = NULL,
1474 *shell = NULL, *resolved_shell = NULL;
1475 _cleanup_(item_freep) Item *i = NULL;
1476 Item *existing;
1477 OrderedHashmap *h;
1478 int r;
1479 const char *p;
1480
1481 assert(fname);
1482 assert(line >= 1);
1483 assert(buffer);
1484
1485 /* Parse columns */
1486 p = buffer;
1487 r = extract_many_words(&p, NULL, EXTRACT_UNQUOTE,
1488 &action, &name, &id, &description, &home, &shell, NULL);
1489 if (r < 0)
1490 return log_error_errno(r, "[%s:%u] Syntax error.", fname, line);
1491 if (r < 2)
1492 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1493 "[%s:%u] Missing action and name columns.", fname, line);
1494 if (!isempty(p))
1495 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1496 "[%s:%u] Trailing garbage.", fname, line);
1497
1498 /* Verify action */
1499 if (strlen(action) != 1)
1500 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1501 "[%s:%u] Unknown modifier '%s'", fname, line, action);
1502
1503 if (!IN_SET(action[0], ADD_USER, ADD_GROUP, ADD_MEMBER, ADD_RANGE))
1504 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
1505 "[%s:%u] Unknown command type '%c'.", fname, line, action[0]);
1506
1507 /* Verify name */
1508 if (empty_or_dash(name))
1509 name = mfree(name);
1510
1511 if (name) {
1512 r = specifier_printf(name, NAME_MAX, system_and_tmp_specifier_table, arg_root, NULL, &resolved_name);
1513 if (r < 0)
1514 return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m", fname, line, name);
1515
1516 if (!valid_user_group_name(resolved_name, 0))
1517 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1518 "[%s:%u] '%s' is not a valid user or group name.",
1519 fname, line, resolved_name);
1520 }
1521
1522 /* Verify id */
1523 if (empty_or_dash(id))
1524 id = mfree(id);
1525
1526 if (id) {
1527 r = specifier_printf(id, PATH_MAX-1, system_and_tmp_specifier_table, arg_root, NULL, &resolved_id);
1528 if (r < 0)
1529 return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m",
1530 fname, line, name);
1531 }
1532
1533 /* Verify description */
1534 if (empty_or_dash(description))
1535 description = mfree(description);
1536
1537 if (description) {
1538 r = specifier_printf(description, LONG_LINE_MAX, system_and_tmp_specifier_table, arg_root, NULL, &resolved_description);
1539 if (r < 0)
1540 return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m",
1541 fname, line, description);
1542
1543 if (!valid_gecos(resolved_description))
1544 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1545 "[%s:%u] '%s' is not a valid GECOS field.",
1546 fname, line, resolved_description);
1547 }
1548
1549 /* Verify home */
1550 if (empty_or_dash(home))
1551 home = mfree(home);
1552
1553 if (home) {
1554 r = specifier_printf(home, PATH_MAX-1, system_and_tmp_specifier_table, arg_root, NULL, &resolved_home);
1555 if (r < 0)
1556 return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m",
1557 fname, line, home);
1558
1559 if (!valid_home(resolved_home))
1560 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1561 "[%s:%u] '%s' is not a valid home directory field.",
1562 fname, line, resolved_home);
1563 }
1564
1565 /* Verify shell */
1566 if (empty_or_dash(shell))
1567 shell = mfree(shell);
1568
1569 if (shell) {
1570 r = specifier_printf(shell, PATH_MAX-1, system_and_tmp_specifier_table, arg_root, NULL, &resolved_shell);
1571 if (r < 0)
1572 return log_error_errno(r, "[%s:%u] Failed to replace specifiers in '%s': %m",
1573 fname, line, shell);
1574
1575 if (!valid_shell(resolved_shell))
1576 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1577 "[%s:%u] '%s' is not a valid login shell field.",
1578 fname, line, resolved_shell);
1579 }
1580
1581 switch (action[0]) {
1582
1583 case ADD_RANGE:
1584 if (resolved_name)
1585 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1586 "[%s:%u] Lines of type 'r' don't take a name field.",
1587 fname, line);
1588
1589 if (!resolved_id)
1590 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1591 "[%s:%u] Lines of type 'r' require an ID range in the third field.",
1592 fname, line);
1593
1594 if (description || home || shell)
1595 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1596 "[%s:%u] Lines of type '%c' don't take a %s field.",
1597 fname, line, action[0],
1598 description ? "GECOS" : home ? "home directory" : "login shell");
1599
1600 r = uid_range_add_str(&uid_range, &n_uid_range, resolved_id);
1601 if (r < 0)
1602 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1603 "[%s:%u] Invalid UID range %s.", fname, line, resolved_id);
1604
1605 return 0;
1606
1607 case ADD_MEMBER: {
1608 /* Try to extend an existing member or group item */
1609 if (!name)
1610 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1611 "[%s:%u] Lines of type 'm' require a user name in the second field.",
1612 fname, line);
1613
1614 if (!resolved_id)
1615 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1616 "[%s:%u] Lines of type 'm' require a group name in the third field.",
1617 fname, line);
1618
1619 if (!valid_user_group_name(resolved_id, 0))
1620 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1621 "[%s:%u] '%s' is not a valid user or group name.",
1622 fname, line, resolved_id);
1623
1624 if (description || home || shell)
1625 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1626 "[%s:%u] Lines of type '%c' don't take a %s field.",
1627 fname, line, action[0],
1628 description ? "GECOS" : home ? "home directory" : "login shell");
1629
1630 r = string_strv_ordered_hashmap_put(&members, resolved_id, resolved_name);
1631 if (r < 0)
1632 return log_error_errno(r, "Failed to store mapping for %s: %m", resolved_id);
1633
1634 return 0;
1635 }
1636
1637 case ADD_USER:
1638 if (!name)
1639 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1640 "[%s:%u] Lines of type 'u' require a user name in the second field.",
1641 fname, line);
1642
1643 r = ordered_hashmap_ensure_allocated(&users, &item_hash_ops);
1644 if (r < 0)
1645 return log_oom();
1646
1647 i = new0(Item, 1);
1648 if (!i)
1649 return log_oom();
1650
1651 if (resolved_id) {
1652 if (path_is_absolute(resolved_id)) {
1653 i->uid_path = TAKE_PTR(resolved_id);
1654 path_simplify(i->uid_path);
1655 } else {
1656 _cleanup_free_ char *uid = NULL, *gid = NULL;
1657 if (split_pair(resolved_id, ":", &uid, &gid) == 0) {
1658 r = parse_gid(gid, &i->gid);
1659 if (r < 0) {
1660 if (valid_user_group_name(gid, 0))
1661 i->group_name = TAKE_PTR(gid);
1662 else
1663 return log_error_errno(r, "Failed to parse GID: '%s': %m", id);
1664 } else {
1665 i->gid_set = true;
1666 i->id_set_strict = true;
1667 }
1668 free_and_replace(resolved_id, uid);
1669 }
1670 if (!streq(resolved_id, "-")) {
1671 r = parse_uid(resolved_id, &i->uid);
1672 if (r < 0)
1673 return log_error_errno(r, "Failed to parse UID: '%s': %m", id);
1674 i->uid_set = true;
1675 }
1676 }
1677 }
1678
1679 i->description = TAKE_PTR(resolved_description);
1680 i->home = TAKE_PTR(resolved_home);
1681 i->shell = TAKE_PTR(resolved_shell);
1682
1683 h = users;
1684 break;
1685
1686 case ADD_GROUP:
1687 if (!name)
1688 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1689 "[%s:%u] Lines of type 'g' require a user name in the second field.",
1690 fname, line);
1691
1692 if (description || home || shell)
1693 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1694 "[%s:%u] Lines of type '%c' don't take a %s field.",
1695 fname, line, action[0],
1696 description ? "GECOS" : home ? "home directory" : "login shell");
1697
1698 r = ordered_hashmap_ensure_allocated(&groups, &item_hash_ops);
1699 if (r < 0)
1700 return log_oom();
1701
1702 i = new0(Item, 1);
1703 if (!i)
1704 return log_oom();
1705
1706 if (resolved_id) {
1707 if (path_is_absolute(resolved_id)) {
1708 i->gid_path = TAKE_PTR(resolved_id);
1709 path_simplify(i->gid_path);
1710 } else {
1711 r = parse_gid(resolved_id, &i->gid);
1712 if (r < 0)
1713 return log_error_errno(r, "Failed to parse GID: '%s': %m", id);
1714
1715 i->gid_set = true;
1716 }
1717 }
1718
1719 h = groups;
1720 break;
1721
1722 default:
1723 return -EBADMSG;
1724 }
1725
1726 i->type = action[0];
1727 i->name = TAKE_PTR(resolved_name);
1728
1729 existing = ordered_hashmap_get(h, i->name);
1730 if (existing) {
1731 /* Two identical items are fine */
1732 if (!item_equal(existing, i))
1733 log_warning("Two or more conflicting lines for %s configured, ignoring.", i->name);
1734
1735 return 0;
1736 }
1737
1738 r = ordered_hashmap_put(h, i->name, i);
1739 if (r < 0)
1740 return log_oom();
1741
1742 i = NULL;
1743 return 0;
1744 }
1745
1746 static int read_config_file(const char *fn, bool ignore_enoent) {
1747 _cleanup_fclose_ FILE *rf = NULL;
1748 _cleanup_free_ char *pp = NULL;
1749 FILE *f = NULL;
1750 unsigned v = 0;
1751 int r = 0;
1752
1753 assert(fn);
1754
1755 if (streq(fn, "-"))
1756 f = stdin;
1757 else {
1758 r = search_and_fopen(fn, "re", arg_root, (const char**) CONF_PATHS_STRV("sysusers.d"), &rf, &pp);
1759 if (r < 0) {
1760 if (ignore_enoent && r == -ENOENT)
1761 return 0;
1762
1763 return log_error_errno(r, "Failed to open '%s', ignoring: %m", fn);
1764 }
1765
1766 f = rf;
1767 fn = pp;
1768 }
1769
1770 for (;;) {
1771 _cleanup_free_ char *line = NULL;
1772 char *l;
1773 int k;
1774
1775 k = read_line(f, LONG_LINE_MAX, &line);
1776 if (k < 0)
1777 return log_error_errno(k, "Failed to read '%s': %m", fn);
1778 if (k == 0)
1779 break;
1780
1781 v++;
1782
1783 l = strstrip(line);
1784 if (IN_SET(*l, 0, '#'))
1785 continue;
1786
1787 k = parse_line(fn, v, l);
1788 if (k < 0 && r == 0)
1789 r = k;
1790 }
1791
1792 if (ferror(f)) {
1793 log_error_errno(errno, "Failed to read from file %s: %m", fn);
1794 if (r == 0)
1795 r = -EIO;
1796 }
1797
1798 return r;
1799 }
1800
1801 static int cat_config(void) {
1802 _cleanup_strv_free_ char **files = NULL;
1803 int r;
1804
1805 r = conf_files_list_with_replacement(arg_root, CONF_PATHS_STRV("sysusers.d"), arg_replace, &files, NULL);
1806 if (r < 0)
1807 return r;
1808
1809 (void) pager_open(arg_pager_flags);
1810
1811 return cat_files(NULL, files, 0);
1812 }
1813
1814 static int help(void) {
1815 _cleanup_free_ char *link = NULL;
1816 int r;
1817
1818 r = terminal_urlify_man("systemd-sysusers.service", "8", &link);
1819 if (r < 0)
1820 return log_oom();
1821
1822 printf("%s [OPTIONS...] [CONFIGURATION FILE...]\n\n"
1823 "Creates system user accounts.\n\n"
1824 " -h --help Show this help\n"
1825 " --version Show package version\n"
1826 " --cat-config Show configuration files\n"
1827 " --root=PATH Operate on an alternate filesystem root\n"
1828 " --image=PATH Operate on disk image as filesystem root\n"
1829 " --replace=PATH Treat arguments as replacement for PATH\n"
1830 " --inline Treat arguments as configuration lines\n"
1831 " --no-pager Do not pipe output into a pager\n"
1832 "\nSee the %s for details.\n",
1833 program_invocation_short_name,
1834 link);
1835
1836 return 0;
1837 }
1838
1839 static int parse_argv(int argc, char *argv[]) {
1840
1841 enum {
1842 ARG_VERSION = 0x100,
1843 ARG_CAT_CONFIG,
1844 ARG_ROOT,
1845 ARG_IMAGE,
1846 ARG_REPLACE,
1847 ARG_INLINE,
1848 ARG_NO_PAGER,
1849 };
1850
1851 static const struct option options[] = {
1852 { "help", no_argument, NULL, 'h' },
1853 { "version", no_argument, NULL, ARG_VERSION },
1854 { "cat-config", no_argument, NULL, ARG_CAT_CONFIG },
1855 { "root", required_argument, NULL, ARG_ROOT },
1856 { "image", required_argument, NULL, ARG_IMAGE },
1857 { "replace", required_argument, NULL, ARG_REPLACE },
1858 { "inline", no_argument, NULL, ARG_INLINE },
1859 { "no-pager", no_argument, NULL, ARG_NO_PAGER },
1860 {}
1861 };
1862
1863 int c, r;
1864
1865 assert(argc >= 0);
1866 assert(argv);
1867
1868 while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
1869
1870 switch (c) {
1871
1872 case 'h':
1873 return help();
1874
1875 case ARG_VERSION:
1876 return version();
1877
1878 case ARG_CAT_CONFIG:
1879 arg_cat_config = true;
1880 break;
1881
1882 case ARG_ROOT:
1883 r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_root);
1884 if (r < 0)
1885 return r;
1886 break;
1887
1888 case ARG_IMAGE:
1889 #ifdef STANDALONE
1890 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
1891 "This systemd-sysusers version is compiled without support for --image=.");
1892 #else
1893 r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_image);
1894 if (r < 0)
1895 return r;
1896 break;
1897 #endif
1898
1899 case ARG_REPLACE:
1900 if (!path_is_absolute(optarg) ||
1901 !endswith(optarg, ".conf"))
1902 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1903 "The argument to --replace= must an absolute path to a config file");
1904
1905 arg_replace = optarg;
1906 break;
1907
1908 case ARG_INLINE:
1909 arg_inline = true;
1910 break;
1911
1912 case ARG_NO_PAGER:
1913 arg_pager_flags |= PAGER_DISABLE;
1914 break;
1915
1916 case '?':
1917 return -EINVAL;
1918
1919 default:
1920 assert_not_reached();
1921 }
1922
1923 if (arg_replace && arg_cat_config)
1924 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1925 "Option --replace= is not supported with --cat-config");
1926
1927 if (arg_replace && optind >= argc)
1928 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1929 "When --replace= is given, some configuration items must be specified");
1930
1931 if (arg_image && arg_root)
1932 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Please specify either --root= or --image=, the combination of both is not supported.");
1933
1934 return 1;
1935 }
1936
1937 static int parse_arguments(char **args) {
1938 char **arg;
1939 unsigned pos = 1;
1940 int r;
1941
1942 STRV_FOREACH(arg, args) {
1943 if (arg_inline)
1944 /* Use (argument):n, where n==1 for the first positional arg */
1945 r = parse_line("(argument)", pos, *arg);
1946 else
1947 r = read_config_file(*arg, false);
1948 if (r < 0)
1949 return r;
1950
1951 pos++;
1952 }
1953
1954 return 0;
1955 }
1956
1957 static int read_config_files(char **args) {
1958 _cleanup_strv_free_ char **files = NULL;
1959 _cleanup_free_ char *p = NULL;
1960 char **f;
1961 int r;
1962
1963 r = conf_files_list_with_replacement(arg_root, CONF_PATHS_STRV("sysusers.d"), arg_replace, &files, &p);
1964 if (r < 0)
1965 return r;
1966
1967 STRV_FOREACH(f, files)
1968 if (p && path_equal(*f, p)) {
1969 log_debug("Parsing arguments at position \"%s\"…", *f);
1970
1971 r = parse_arguments(args);
1972 if (r < 0)
1973 return r;
1974 } else {
1975 log_debug("Reading config file \"%s\"…", *f);
1976
1977 /* Just warn, ignore result otherwise */
1978 (void) read_config_file(*f, true);
1979 }
1980
1981 return 0;
1982 }
1983
1984 static int run(int argc, char *argv[]) {
1985 #ifndef STANDALONE
1986 _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
1987 _cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
1988 _cleanup_(umount_and_rmdir_and_freep) char *unlink_dir = NULL;
1989 #endif
1990 _cleanup_close_ int lock = -1;
1991 Item *i;
1992 int r;
1993
1994 r = parse_argv(argc, argv);
1995 if (r <= 0)
1996 return r;
1997
1998 log_setup();
1999
2000 if (arg_cat_config)
2001 return cat_config();
2002
2003 umask(0022);
2004
2005 r = mac_selinux_init();
2006 if (r < 0)
2007 return r;
2008
2009 #ifndef STANDALONE
2010 if (arg_image) {
2011 assert(!arg_root);
2012
2013 r = mount_image_privately_interactively(
2014 arg_image,
2015 DISSECT_IMAGE_GENERIC_ROOT |
2016 DISSECT_IMAGE_REQUIRE_ROOT |
2017 DISSECT_IMAGE_VALIDATE_OS |
2018 DISSECT_IMAGE_RELAX_VAR_CHECK |
2019 DISSECT_IMAGE_FSCK |
2020 DISSECT_IMAGE_GROWFS,
2021 &unlink_dir,
2022 &loop_device,
2023 &decrypted_image);
2024 if (r < 0)
2025 return r;
2026
2027 arg_root = strdup(unlink_dir);
2028 if (!arg_root)
2029 return log_oom();
2030 }
2031 #else
2032 assert(!arg_image);
2033 #endif
2034
2035 /* If command line arguments are specified along with --replace, read all
2036 * configuration files and insert the positional arguments at the specified
2037 * place. Otherwise, if command line arguments are specified, execute just
2038 * them, and finally, without --replace= or any positional arguments, just
2039 * read configuration and execute it.
2040 */
2041 if (arg_replace || optind >= argc)
2042 r = read_config_files(argv + optind);
2043 else
2044 r = parse_arguments(argv + optind);
2045 if (r < 0)
2046 return r;
2047
2048 /* Let's tell nss-systemd not to synthesize the "root" and "nobody" entries for it, so that our detection
2049 * whether the names or UID/GID area already used otherwise doesn't get confused. After all, even though
2050 * nss-systemd synthesizes these users/groups, they should still appear in /etc/passwd and /etc/group, as the
2051 * synthesizing logic is merely supposed to be fallback for cases where we run with a completely unpopulated
2052 * /etc. */
2053 if (setenv("SYSTEMD_NSS_BYPASS_SYNTHETIC", "1", 1) < 0)
2054 return log_error_errno(errno, "Failed to set SYSTEMD_NSS_BYPASS_SYNTHETIC environment variable: %m");
2055
2056 if (!uid_range) {
2057 /* Default to default range of SYSTEMD_UID_MIN..SYSTEM_UID_MAX. */
2058 r = read_login_defs(&login_defs, NULL, arg_root);
2059 if (r < 0)
2060 return log_error_errno(r, "Failed to read %s%s: %m",
2061 strempty(arg_root), "/etc/login.defs");
2062
2063 login_defs_need_warning = true;
2064
2065 /* We pick a range that very conservative: we look at compiled-in maximum and the value in
2066 * /etc/login.defs. That way the uids/gids which we allocate will be interpreted correctly,
2067 * even if /etc/login.defs is removed later. (The bottom bound doesn't matter much, since
2068 * it's only used during allocation, so we use the configured value directly). */
2069 uid_t begin = login_defs.system_alloc_uid_min,
2070 end = MIN3((uid_t) SYSTEM_UID_MAX, login_defs.system_uid_max, login_defs.system_gid_max);
2071 if (begin < end) {
2072 r = uid_range_add(&uid_range, &n_uid_range, begin, end - begin + 1);
2073 if (r < 0)
2074 return log_oom();
2075 }
2076 }
2077
2078 r = add_implicit();
2079 if (r < 0)
2080 return r;
2081
2082 lock = take_etc_passwd_lock(arg_root);
2083 if (lock < 0)
2084 return log_error_errno(lock, "Failed to take /etc/passwd lock: %m");
2085
2086 r = load_user_database();
2087 if (r < 0)
2088 return log_error_errno(r, "Failed to load user database: %m");
2089
2090 r = load_group_database();
2091 if (r < 0)
2092 return log_error_errno(r, "Failed to read group database: %m");
2093
2094 ORDERED_HASHMAP_FOREACH(i, groups)
2095 (void) process_item(i);
2096
2097 ORDERED_HASHMAP_FOREACH(i, users)
2098 (void) process_item(i);
2099
2100 r = write_files();
2101 if (r < 0)
2102 return log_error_errno(r, "Failed to write files: %m");
2103
2104 return 0;
2105 }
2106
2107 DEFINE_MAIN_FUNCTION(run);
Unnamed repository; edit this file 'description' to name the repository.