From: Lennart Poettering Date: Mon, 17 Mar 2025 21:37:14 +0000 (+0100) Subject: tree-wide: refuse user/group records lacking UID or GID X-Git-Tag: v258-rc1~1060^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F36776%2Fhead;p=thirdparty%2Fsystemd.git tree-wide: refuse user/group records lacking UID or GID userdb allows user/group records without UID/GID (it only really requires a name), in order to permit "unfixated" records. But that means we cannot just rely on the field to be valid. And we mostly got that right, but not everywhere. Fix that. --- diff --git a/src/login/logind-core.c b/src/login/logind-core.c index 98d3718c86e..f3102c31994 100644 --- a/src/login/logind-core.c +++ b/src/login/logind-core.c @@ -195,6 +195,9 @@ int manager_add_user_by_name( if (r < 0) return r; + if (!uid_is_valid(ur->uid)) /* Refuse users without UID */ + return -ESRCH; + return manager_add_user(m, ur, ret_user); } diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c index a50d1228c2a..c4f35e3a558 100644 --- a/src/login/pam_systemd.c +++ b/src/login/pam_systemd.c @@ -241,6 +241,11 @@ static int acquire_user_record( return PAM_USER_UNKNOWN; } + if (!uid_is_valid(ur->uid)) { + pam_syslog_errno(handle, LOG_ERR, r, "User record of user '%s' has no UID, refusing: %m", username); + return PAM_USER_UNKNOWN; + } + r = sd_json_variant_format(ur->json, 0, &formatted); if (r < 0) return pam_syslog_errno(handle, LOG_ERR, r, "Failed to format user JSON: %m"); diff --git a/src/nspawn/nspawn-bind-user.c b/src/nspawn/nspawn-bind-user.c index 725208a1d49..373a05af3e9 100644 --- a/src/nspawn/nspawn-bind-user.c +++ b/src/nspawn/nspawn-bind-user.c 
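Review bot: In src/login/logind-core.c the added `return -ESRCH;` in manager_add_user_by_name() refuses a record without a UID silently, and presumably with the same code a caller gets for a user that does not exist, so nothing records why the lookup was rejected. The other two call sites touched by this commit log the refusal. Doing the same here keeps the return value and makes the case visible in the journal: `return log_debug_errno(SYNTHETIC_ERRNO(ESRCH), "User record has no UID, refusing.");`. The function's start and the lookup that sets `r` are outside the hunk, so whether callers log this themselves cannot be seen here.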
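Review bot: In src/login/pam_systemd.c the added `pam_syslog_errno(handle, LOG_ERR, r, "... has no UID, refusing: %m", username)` passes `r`, but this branch is reached because the UID is missing, not because a call failed. `r` therefore most likely still holds the non-error result of the preceding lookup, and `%m` would expand to something like "Success", which is misleading in an authentication log. Drop the errno and the `%m`: `pam_syslog(handle, LOG_ERR, "User record of user '%s' has no UID, refusing.", username);`. The assignment to `r` is above the hunk in acquire_user_record(), so this is inferred from the error branch that returns just before the new check.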
@@ -244,9 +244,13 @@ int bind_user_prepare( * UID is safer. */ if (user_record_is_root(u)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Mapping 'root' user not supported, sorry."); + if (user_record_is_nobody(u)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Mapping 'nobody' user not supported, sorry."); + if (!uid_is_valid(u->uid)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot bind user with no UID, refusing."); + if (u->uid >= uid_shift && u->uid < uid_shift + uid_range) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "UID of user '%s' to map is already in container UID range, refusing.", u->user_name);
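Review bot: The new message `"Cannot bind user with no UID, refusing."` does not name the refused user, while the range check directly below it prints `u->user_name`. If more than one user is being bound, the operator cannot tell which record lacks a UID. Suggest `return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot bind user '%s' with no UID, refusing.", u->user_name);`. Placing the validity check before the `uid_shift` comparison is right, since that comparison would otherwise run on an invalid UID. bind_user_prepare() starts and continues outside the hunk.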