]>
Commit | Line | Data |
---|---|---|
29206d46 LP |
1 | /*** |
2 | This file is part of systemd. | |
3 | ||
4 | Copyright 2016 Lennart Poettering | |
5 | ||
6 | systemd is free software; you can redistribute it and/or modify it | |
7 | under the terms of the GNU Lesser General Public License as published by | |
8 | the Free Software Foundation; either version 2.1 of the License, or | |
9 | (at your option) any later version. | |
10 | ||
11 | systemd is distributed in the hope that it will be useful, but | |
12 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | Lesser General Public License for more details. | |
15 | ||
16 | You should have received a copy of the GNU Lesser General Public License | |
17 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
18 | ***/ | |
19 | ||
20 | #include <grp.h> | |
21 | #include <pwd.h> | |
22 | #include <sys/file.h> | |
23 | ||
24 | #include "dynamic-user.h" | |
25 | #include "fd-util.h" | |
26 | #include "fs-util.h" | |
27 | #include "parse-util.h" | |
28 | #include "random-util.h" | |
29 | #include "stdio-util.h" | |
30 | #include "string-util.h" | |
31 | #include "user-util.h" | |
32 | #include "fileio.h" | |
33 | ||
29206d46 | 34 | /* Takes a value generated randomly or by hashing and turns it into a UID in the right range */ |
61755fda | 35 | #define UID_CLAMP_INTO_RANGE(rnd) (((uid_t) (rnd) % (DYNAMIC_UID_MAX - DYNAMIC_UID_MIN + 1)) + DYNAMIC_UID_MIN) |
29206d46 LP |
36 | |
37 | static DynamicUser* dynamic_user_free(DynamicUser *d) { | |
38 | if (!d) | |
39 | return NULL; | |
40 | ||
41 | if (d->manager) | |
42 | (void) hashmap_remove(d->manager->dynamic_users, d->name); | |
43 | ||
44 | safe_close_pair(d->storage_socket); | |
6b430fdb | 45 | return mfree(d); |
29206d46 LP |
46 | } |
47 | ||
48 | static int dynamic_user_add(Manager *m, const char *name, int storage_socket[2], DynamicUser **ret) { | |
49 | DynamicUser *d = NULL; | |
50 | int r; | |
51 | ||
52 | assert(m); | |
53 | assert(name); | |
54 | assert(storage_socket); | |
55 | ||
56 | r = hashmap_ensure_allocated(&m->dynamic_users, &string_hash_ops); | |
57 | if (r < 0) | |
58 | return r; | |
59 | ||
60 | d = malloc0(offsetof(DynamicUser, name) + strlen(name) + 1); | |
61 | if (!d) | |
62 | return -ENOMEM; | |
63 | ||
64 | strcpy(d->name, name); | |
65 | ||
66 | d->storage_socket[0] = storage_socket[0]; | |
67 | d->storage_socket[1] = storage_socket[1]; | |
68 | ||
69 | r = hashmap_put(m->dynamic_users, d->name, d); | |
70 | if (r < 0) { | |
71 | free(d); | |
72 | return r; | |
73 | } | |
74 | ||
75 | d->manager = m; | |
76 | ||
77 | if (ret) | |
78 | *ret = d; | |
79 | ||
80 | return 0; | |
81 | } | |
82 | ||
83 | int dynamic_user_acquire(Manager *m, const char *name, DynamicUser** ret) { | |
84 | _cleanup_close_pair_ int storage_socket[2] = { -1, -1 }; | |
85 | DynamicUser *d; | |
86 | int r; | |
87 | ||
88 | assert(m); | |
89 | assert(name); | |
90 | ||
91 | /* Return the DynamicUser structure for a specific user name. Note that this won't actually allocate a UID for | |
92 | * it, but just prepare the data structure for it. The UID is allocated only on demand, when it's really | |
93 | * needed, and in the child process we fork off, since allocation involves NSS checks which are not OK to do | |
94 | * from PID 1. To allow the children and PID 1 share information about allocated UIDs we use an anonymous | |
95 | * AF_UNIX/SOCK_DGRAM socket (called the "storage socket") that contains at most one datagram with the | |
96 | * allocated UID number, plus an fd referencing the lock file for the UID | |
97 | * (i.e. /run/systemd/dynamic-uid/$UID). Why involve the socket pair? So that PID 1 and all its children can | |
98 | * share the same storage for the UID and lock fd, simply by inheriting the storage socket fds. The socket pair | |
99 | * may exist in three different states: | |
100 | * | |
101 | * a) no datagram stored. This is the initial state. In this case the dynamic user was never realized. | |
102 | * | |
103 | * b) a datagram containing a UID stored, but no lock fd attached to it. In this case there was already a | |
104 | * statically assigned UID by the same name, which we are reusing. | |
105 | * | |
106 | * c) a datagram containing a UID stored, and a lock fd is attached to it. In this case we allocated a dynamic | |
107 | * UID and locked it in the file system, using the lock fd. | |
108 | * | |
109 | * As PID 1 and various children might access the socket pair simultaneously, and pop the datagram or push it | |
110 | * back in any time, we also maintain a lock on the socket pair. Note one peculiarity regarding locking here: | |
111 | * the UID lock on disk is protected via a BSD file lock (i.e. an fd-bound lock), so that the lock is kept in | |
112 | * place as long as there's a reference to the fd open. The lock on the storage socket pair however is a POSIX | |
113 | * file lock (i.e. a process-bound lock), as all users share the same fd of this (after all it is anonymous, | |
114 | * nobody else could get any access to it except via our own fd) and we want to synchronize access between all | |
115 | * processes that have access to it. */ | |
116 | ||
117 | d = hashmap_get(m->dynamic_users, name); | |
118 | if (d) { | |
119 | /* We already have a structure for the dynamic user, let's increase the ref count and reuse it */ | |
120 | d->n_ref++; | |
121 | *ret = d; | |
122 | return 0; | |
123 | } | |
124 | ||
125 | if (!valid_user_group_name_or_id(name)) | |
126 | return -EINVAL; | |
127 | ||
128 | if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, storage_socket) < 0) | |
129 | return -errno; | |
130 | ||
131 | r = dynamic_user_add(m, name, storage_socket, &d); | |
132 | if (r < 0) | |
133 | return r; | |
134 | ||
135 | storage_socket[0] = storage_socket[1] = -1; | |
136 | ||
137 | if (ret) { | |
138 | d->n_ref++; | |
139 | *ret = d; | |
140 | } | |
141 | ||
142 | return 1; | |
143 | } | |
144 | ||
fd63e712 LP |
145 | static int make_uid_symlinks(uid_t uid, const char *name, bool b) { |
146 | ||
147 | char path1[strlen("/run/systemd/dynamic-uid/direct:") + DECIMAL_STR_MAX(uid_t) + 1]; | |
148 | const char *path2; | |
986a34a6 | 149 | int r = 0, k; |
fd63e712 LP |
150 | |
151 | /* Add direct additional symlinks for direct lookups of dynamic UIDs and their names by userspace code. The | |
152 | * only reason we have this is because dbus-daemon cannot use D-Bus for resolving users and groups (since it | |
153 | * would be its own client then). We hence keep these world-readable symlinks in place, so that the | |
154 | * unprivileged dbus user can read the mappings when it needs them via these symlinks instead of having to go | |
155 | * via the bus. Ideally, we'd use the lock files we keep for this anyway, but we can't since we use BSD locks | |
156 | * on them and as those may be taken by any user with read access we can't make them world-readable. */ | |
157 | ||
158 | xsprintf(path1, "/run/systemd/dynamic-uid/direct:" UID_FMT, uid); | |
986a34a6 ZJS |
159 | if (unlink(path1) < 0 && errno != ENOENT) |
160 | r = -errno; | |
161 | ||
162 | if (b && symlink(name, path1) < 0) { | |
163 | k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path1); | |
164 | if (r == 0) | |
165 | r = k; | |
fd63e712 LP |
166 | } |
167 | ||
168 | path2 = strjoina("/run/systemd/dynamic-uid/direct:", name); | |
986a34a6 ZJS |
169 | if (unlink(path2) < 0 && errno != ENOENT) { |
170 | k = -errno; | |
171 | if (r == 0) | |
172 | r = k; | |
fd63e712 | 173 | } |
986a34a6 ZJS |
174 | |
175 | if (b && symlink(path1 + strlen("/run/systemd/dynamic-uid/direct:"), path2) < 0) { | |
176 | k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path2); | |
177 | if (r == 0) | |
178 | r = k; | |
fd63e712 LP |
179 | } |
180 | ||
181 | return r; | |
182 | } | |
183 | ||
29206d46 LP |
184 | static int pick_uid(const char *name, uid_t *ret_uid) { |
185 | ||
186 | static const uint8_t hash_key[] = { | |
187 | 0x37, 0x53, 0x7e, 0x31, 0xcf, 0xce, 0x48, 0xf5, | |
188 | 0x8a, 0xbb, 0x39, 0x57, 0x8d, 0xd9, 0xec, 0x59 | |
189 | }; | |
190 | ||
191 | unsigned n_tries = 100; | |
192 | uid_t candidate; | |
193 | int r; | |
194 | ||
195 | /* A static user by this name does not exist yet. Let's find a free ID then, and use that. We start with a UID | |
196 | * generated as hash from the user name. */ | |
197 | candidate = UID_CLAMP_INTO_RANGE(siphash24(name, strlen(name), hash_key)); | |
198 | ||
199 | (void) mkdir("/run/systemd/dynamic-uid", 0755); | |
200 | ||
201 | for (;;) { | |
202 | char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; | |
203 | _cleanup_close_ int lock_fd = -1; | |
204 | ssize_t l; | |
205 | ||
206 | if (--n_tries <= 0) /* Give up retrying eventually */ | |
207 | return -EBUSY; | |
208 | ||
61755fda | 209 | if (!uid_is_dynamic(candidate)) |
29206d46 LP |
210 | goto next; |
211 | ||
212 | xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, candidate); | |
213 | ||
214 | for (;;) { | |
215 | struct stat st; | |
216 | ||
217 | lock_fd = open(lock_path, O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, 0600); | |
218 | if (lock_fd < 0) | |
219 | return -errno; | |
220 | ||
221 | r = flock(lock_fd, LOCK_EX|LOCK_NB); /* Try to get a BSD file lock on the UID lock file */ | |
222 | if (r < 0) { | |
223 | if (errno == EBUSY || errno == EAGAIN) | |
224 | goto next; /* already in use */ | |
225 | ||
226 | return -errno; | |
227 | } | |
228 | ||
229 | if (fstat(lock_fd, &st) < 0) | |
230 | return -errno; | |
231 | if (st.st_nlink > 0) | |
232 | break; | |
233 | ||
629ff674 | 234 | /* Oh, bummer, we got the lock, but the file was unlinked between the time we opened it and |
29206d46 LP |
235 | * got the lock. Close it, and try again. */ |
236 | lock_fd = safe_close(lock_fd); | |
237 | } | |
238 | ||
239 | /* Some superficial check whether this UID/GID might already be taken by some static user */ | |
240 | if (getpwuid(candidate) || getgrgid((gid_t) candidate)) { | |
241 | (void) unlink(lock_path); | |
242 | goto next; | |
243 | } | |
244 | ||
245 | /* Let's store the user name in the lock file, so that we can use it for looking up the username for a UID */ | |
246 | l = pwritev(lock_fd, | |
247 | (struct iovec[2]) { | |
248 | { .iov_base = (char*) name, .iov_len = strlen(name) }, | |
249 | { .iov_base = (char[1]) { '\n' }, .iov_len = 1 } | |
250 | }, 2, 0); | |
251 | if (l < 0) { | |
252 | (void) unlink(lock_path); | |
253 | return -errno; | |
254 | } | |
255 | ||
256 | (void) ftruncate(lock_fd, l); | |
fd63e712 | 257 | (void) make_uid_symlinks(candidate, name, true); /* also add direct lookup symlinks */ |
29206d46 LP |
258 | |
259 | *ret_uid = candidate; | |
260 | r = lock_fd; | |
261 | lock_fd = -1; | |
262 | ||
263 | return r; | |
264 | ||
265 | next: | |
266 | /* Pick another random UID, and see if that works for us. */ | |
267 | random_bytes(&candidate, sizeof(candidate)); | |
268 | candidate = UID_CLAMP_INTO_RANGE(candidate); | |
269 | } | |
270 | } | |
271 | ||
272 | static int dynamic_user_pop(DynamicUser *d, uid_t *ret_uid, int *ret_lock_fd) { | |
273 | uid_t uid = UID_INVALID; | |
274 | struct iovec iov = { | |
275 | .iov_base = &uid, | |
276 | .iov_len = sizeof(uid), | |
277 | }; | |
278 | union { | |
279 | struct cmsghdr cmsghdr; | |
280 | uint8_t buf[CMSG_SPACE(sizeof(int))]; | |
281 | } control = {}; | |
282 | struct msghdr mh = { | |
283 | .msg_control = &control, | |
284 | .msg_controllen = sizeof(control), | |
285 | .msg_iov = &iov, | |
286 | .msg_iovlen = 1, | |
287 | }; | |
288 | struct cmsghdr *cmsg; | |
289 | ||
290 | ssize_t k; | |
291 | int lock_fd = -1; | |
292 | ||
293 | assert(d); | |
294 | assert(ret_uid); | |
295 | assert(ret_lock_fd); | |
296 | ||
297 | /* Read the UID and lock fd that is stored in the storage AF_UNIX socket. This should be called with the lock | |
298 | * on the socket taken. */ | |
299 | ||
300 | k = recvmsg(d->storage_socket[0], &mh, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC); | |
301 | if (k < 0) | |
302 | return -errno; | |
303 | ||
304 | cmsg = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int))); | |
305 | if (cmsg) | |
306 | lock_fd = *(int*) CMSG_DATA(cmsg); | |
307 | else | |
308 | cmsg_close_all(&mh); /* just in case... */ | |
309 | ||
310 | *ret_uid = uid; | |
311 | *ret_lock_fd = lock_fd; | |
312 | ||
313 | return 0; | |
314 | } | |
315 | ||
316 | static int dynamic_user_push(DynamicUser *d, uid_t uid, int lock_fd) { | |
317 | struct iovec iov = { | |
318 | .iov_base = &uid, | |
319 | .iov_len = sizeof(uid), | |
320 | }; | |
321 | union { | |
322 | struct cmsghdr cmsghdr; | |
323 | uint8_t buf[CMSG_SPACE(sizeof(int))]; | |
324 | } control = {}; | |
325 | struct msghdr mh = { | |
326 | .msg_control = &control, | |
327 | .msg_controllen = sizeof(control), | |
328 | .msg_iov = &iov, | |
329 | .msg_iovlen = 1, | |
330 | }; | |
331 | ssize_t k; | |
332 | ||
333 | assert(d); | |
334 | ||
335 | /* Store the UID and lock_fd in the storage socket. This should be called with the socket pair lock taken. */ | |
336 | ||
337 | if (lock_fd >= 0) { | |
338 | struct cmsghdr *cmsg; | |
339 | ||
340 | cmsg = CMSG_FIRSTHDR(&mh); | |
341 | cmsg->cmsg_level = SOL_SOCKET; | |
342 | cmsg->cmsg_type = SCM_RIGHTS; | |
343 | cmsg->cmsg_len = CMSG_LEN(sizeof(int)); | |
344 | memcpy(CMSG_DATA(cmsg), &lock_fd, sizeof(int)); | |
345 | ||
346 | mh.msg_controllen = CMSG_SPACE(sizeof(int)); | |
347 | } else { | |
348 | mh.msg_control = NULL; | |
349 | mh.msg_controllen = 0; | |
350 | } | |
351 | ||
352 | k = sendmsg(d->storage_socket[1], &mh, MSG_DONTWAIT|MSG_NOSIGNAL); | |
353 | if (k < 0) | |
354 | return -errno; | |
355 | ||
356 | return 0; | |
357 | } | |
358 | ||
fd63e712 | 359 | static void unlink_uid_lock(int lock_fd, uid_t uid, const char *name) { |
29206d46 LP |
360 | char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; |
361 | ||
362 | if (lock_fd < 0) | |
363 | return; | |
364 | ||
365 | xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); | |
fd63e712 LP |
366 | (void) unlink(lock_path); |
367 | ||
368 | (void) make_uid_symlinks(uid, name, false); /* remove direct lookup symlinks */ | |
29206d46 LP |
369 | } |
370 | ||
371 | int dynamic_user_realize(DynamicUser *d, uid_t *ret) { | |
372 | ||
373 | _cleanup_close_ int etc_passwd_lock_fd = -1, uid_lock_fd = -1; | |
374 | uid_t uid = UID_INVALID; | |
375 | int r; | |
376 | ||
377 | assert(d); | |
378 | ||
379 | /* Acquire a UID for the user name. This will allocate a UID for the user name if the user doesn't exist | |
380 | * yet. If it already exists its existing UID/GID will be reused. */ | |
381 | ||
382 | if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) | |
383 | return -errno; | |
384 | ||
385 | r = dynamic_user_pop(d, &uid, &uid_lock_fd); | |
386 | if (r < 0) { | |
387 | int new_uid_lock_fd; | |
388 | uid_t new_uid; | |
389 | ||
390 | if (r != -EAGAIN) | |
391 | goto finish; | |
392 | ||
393 | /* OK, nothing stored yet, let's try to find something useful. While we are working on this release the | |
394 | * lock however, so that nobody else blocks on our NSS lookups. */ | |
395 | (void) lockf(d->storage_socket[0], F_ULOCK, 0); | |
396 | ||
397 | /* Let's see if a proper, static user or group by this name exists. Try to take the lock on | |
398 | * /etc/passwd, if that fails with EROFS then /etc is read-only. In that case it's fine if we don't | |
399 | * take the lock, given that users can't be added there anyway in this case. */ | |
400 | etc_passwd_lock_fd = take_etc_passwd_lock(NULL); | |
401 | if (etc_passwd_lock_fd < 0 && etc_passwd_lock_fd != -EROFS) | |
402 | return etc_passwd_lock_fd; | |
403 | ||
404 | /* First, let's parse this as numeric UID */ | |
405 | r = parse_uid(d->name, &uid); | |
406 | if (r < 0) { | |
407 | struct passwd *p; | |
408 | struct group *g; | |
409 | ||
410 | /* OK, this is not a numeric UID. Let's see if there's a user by this name */ | |
411 | p = getpwnam(d->name); | |
412 | if (p) | |
413 | uid = p->pw_uid; | |
414 | ||
415 | /* Let's see if there's a group by this name */ | |
416 | g = getgrnam(d->name); | |
417 | if (g) { | |
418 | /* If the UID/GID of the user/group of the same don't match, refuse operation */ | |
419 | if (uid != UID_INVALID && uid != (uid_t) g->gr_gid) | |
420 | return -EILSEQ; | |
421 | ||
422 | uid = (uid_t) g->gr_gid; | |
423 | } | |
424 | } | |
425 | ||
426 | if (uid == UID_INVALID) { | |
427 | /* No static UID assigned yet, excellent. Let's pick a new dynamic one, and lock it. */ | |
428 | ||
429 | uid_lock_fd = pick_uid(d->name, &uid); | |
430 | if (uid_lock_fd < 0) | |
431 | return uid_lock_fd; | |
432 | } | |
433 | ||
434 | /* So, we found a working UID/lock combination. Let's see if we actually still need it. */ | |
435 | if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) { | |
fd63e712 | 436 | unlink_uid_lock(uid_lock_fd, uid, d->name); |
29206d46 LP |
437 | return -errno; |
438 | } | |
439 | ||
440 | r = dynamic_user_pop(d, &new_uid, &new_uid_lock_fd); | |
441 | if (r < 0) { | |
442 | if (r != -EAGAIN) { | |
443 | /* OK, something bad happened, let's get rid of the bits we acquired. */ | |
fd63e712 | 444 | unlink_uid_lock(uid_lock_fd, uid, d->name); |
29206d46 LP |
445 | goto finish; |
446 | } | |
447 | ||
448 | /* Great! Nothing is stored here, still. Store our newly acquired data. */ | |
449 | } else { | |
450 | /* Hmm, so as it appears there's now something stored in the storage socket. Throw away what we | |
451 | * acquired, and use what's stored now. */ | |
452 | ||
fd63e712 | 453 | unlink_uid_lock(uid_lock_fd, uid, d->name); |
29206d46 LP |
454 | safe_close(uid_lock_fd); |
455 | ||
456 | uid = new_uid; | |
457 | uid_lock_fd = new_uid_lock_fd; | |
458 | } | |
459 | } | |
460 | ||
461 | /* If the UID/GID was already allocated dynamically, push the data we popped out back in. If it was already | |
462 | * allocated statically, push the UID back too, but do not push the lock fd in. If we allocated the UID | |
463 | * dynamically right here, push that in along with the lock fd for it. */ | |
464 | r = dynamic_user_push(d, uid, uid_lock_fd); | |
465 | if (r < 0) | |
466 | goto finish; | |
467 | ||
468 | *ret = uid; | |
469 | r = 0; | |
470 | ||
471 | finish: | |
472 | (void) lockf(d->storage_socket[0], F_ULOCK, 0); | |
473 | return r; | |
474 | } | |
475 | ||
476 | int dynamic_user_current(DynamicUser *d, uid_t *ret) { | |
477 | _cleanup_close_ int lock_fd = -1; | |
478 | uid_t uid; | |
479 | int r; | |
480 | ||
481 | assert(d); | |
482 | assert(ret); | |
483 | ||
484 | /* Get the currently assigned UID for the user, if there's any. This simply pops the data from the storage socket, and pushes it back in right-away. */ | |
485 | ||
486 | if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) | |
487 | return -errno; | |
488 | ||
489 | r = dynamic_user_pop(d, &uid, &lock_fd); | |
490 | if (r < 0) | |
491 | goto finish; | |
492 | ||
493 | r = dynamic_user_push(d, uid, lock_fd); | |
494 | if (r < 0) | |
495 | goto finish; | |
496 | ||
497 | *ret = uid; | |
498 | r = 0; | |
499 | ||
500 | finish: | |
501 | (void) lockf(d->storage_socket[0], F_ULOCK, 0); | |
502 | return r; | |
503 | } | |
504 | ||
505 | DynamicUser* dynamic_user_ref(DynamicUser *d) { | |
506 | if (!d) | |
507 | return NULL; | |
508 | ||
509 | assert(d->n_ref > 0); | |
510 | d->n_ref++; | |
511 | ||
512 | return d; | |
513 | } | |
514 | ||
515 | DynamicUser* dynamic_user_unref(DynamicUser *d) { | |
516 | if (!d) | |
517 | return NULL; | |
518 | ||
519 | /* Note that this doesn't actually release any resources itself. If a dynamic user should be fully destroyed | |
520 | * and its UID released, use dynamic_user_destroy() instead. NB: the dynamic user table may contain entries | |
521 | * with no references, which is commonly the case right before a daemon reload. */ | |
522 | ||
523 | assert(d->n_ref > 0); | |
524 | d->n_ref--; | |
525 | ||
526 | return NULL; | |
527 | } | |
528 | ||
529 | static int dynamic_user_close(DynamicUser *d) { | |
530 | _cleanup_close_ int lock_fd = -1; | |
531 | uid_t uid; | |
532 | int r; | |
533 | ||
534 | /* Release the user ID, by releasing the lock on it, and emptying the storage socket. After this the user is | |
535 | * unrealized again, much like it was after it the DynamicUser object was first allocated. */ | |
536 | ||
537 | if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) | |
538 | return -errno; | |
539 | ||
540 | r = dynamic_user_pop(d, &uid, &lock_fd); | |
541 | if (r == -EAGAIN) { | |
542 | /* User wasn't realized yet, nothing to do. */ | |
543 | r = 0; | |
544 | goto finish; | |
545 | } | |
546 | if (r < 0) | |
547 | goto finish; | |
548 | ||
549 | /* This dynamic user was realized and dynamically allocated. In this case, let's remove the lock file. */ | |
fd63e712 | 550 | unlink_uid_lock(lock_fd, uid, d->name); |
29206d46 LP |
551 | r = 1; |
552 | ||
553 | finish: | |
554 | (void) lockf(d->storage_socket[0], F_ULOCK, 0); | |
555 | return r; | |
556 | } | |
557 | ||
558 | DynamicUser* dynamic_user_destroy(DynamicUser *d) { | |
559 | if (!d) | |
560 | return NULL; | |
561 | ||
562 | /* Drop a reference to a DynamicUser object, and destroy the user completely if this was the last | |
563 | * reference. This is called whenever a service is shut down and wants its dynamic UID gone. Note that | |
564 | * dynamic_user_unref() is what is called whenever a service is simply freed, for example during a reload | |
565 | * cycle, where the dynamic users should not be destroyed, but our datastructures should. */ | |
566 | ||
567 | dynamic_user_unref(d); | |
568 | ||
569 | if (d->n_ref > 0) | |
570 | return NULL; | |
571 | ||
572 | (void) dynamic_user_close(d); | |
573 | return dynamic_user_free(d); | |
574 | } | |
575 | ||
576 | int dynamic_user_serialize(Manager *m, FILE *f, FDSet *fds) { | |
577 | DynamicUser *d; | |
578 | Iterator i; | |
579 | ||
580 | assert(m); | |
581 | assert(f); | |
582 | assert(fds); | |
583 | ||
584 | /* Dump the dynamic user database into the manager serialization, to deal with daemon reloads. */ | |
585 | ||
586 | HASHMAP_FOREACH(d, m->dynamic_users, i) { | |
587 | int copy0, copy1; | |
588 | ||
589 | copy0 = fdset_put_dup(fds, d->storage_socket[0]); | |
590 | if (copy0 < 0) | |
591 | return copy0; | |
592 | ||
593 | copy1 = fdset_put_dup(fds, d->storage_socket[1]); | |
594 | if (copy1 < 0) | |
595 | return copy1; | |
596 | ||
597 | fprintf(f, "dynamic-user=%s %i %i\n", d->name, copy0, copy1); | |
598 | } | |
599 | ||
600 | return 0; | |
601 | } | |
602 | ||
603 | void dynamic_user_deserialize_one(Manager *m, const char *value, FDSet *fds) { | |
604 | _cleanup_free_ char *name = NULL, *s0 = NULL, *s1 = NULL; | |
605 | int r, fd0, fd1; | |
606 | ||
607 | assert(m); | |
608 | assert(value); | |
609 | assert(fds); | |
610 | ||
611 | /* Parse the serialization again, after a daemon reload */ | |
612 | ||
613 | r = extract_many_words(&value, NULL, 0, &name, &s0, &s1, NULL); | |
614 | if (r != 3 || !isempty(value)) { | |
615 | log_debug("Unable to parse dynamic user line."); | |
616 | return; | |
617 | } | |
618 | ||
619 | if (safe_atoi(s0, &fd0) < 0 || !fdset_contains(fds, fd0)) { | |
620 | log_debug("Unable to process dynamic user fd specification."); | |
621 | return; | |
622 | } | |
623 | ||
624 | if (safe_atoi(s1, &fd1) < 0 || !fdset_contains(fds, fd1)) { | |
625 | log_debug("Unable to process dynamic user fd specification."); | |
626 | return; | |
627 | } | |
628 | ||
629 | r = dynamic_user_add(m, name, (int[]) { fd0, fd1 }, NULL); | |
630 | if (r < 0) { | |
631 | log_debug_errno(r, "Failed to add dynamic user: %m"); | |
632 | return; | |
633 | } | |
634 | ||
635 | (void) fdset_remove(fds, fd0); | |
636 | (void) fdset_remove(fds, fd1); | |
637 | } | |
638 | ||
639 | void dynamic_user_vacuum(Manager *m, bool close_user) { | |
640 | DynamicUser *d; | |
641 | Iterator i; | |
642 | ||
643 | assert(m); | |
644 | ||
645 | /* Empty the dynamic user database, optionally cleaning up orphaned dynamic users, i.e. destroy and free users | |
646 | * to which no reference exist. This is called after a daemon reload finished, in order to destroy users which | |
647 | * might not be referenced anymore. */ | |
648 | ||
649 | HASHMAP_FOREACH(d, m->dynamic_users, i) { | |
650 | if (d->n_ref > 0) | |
651 | continue; | |
652 | ||
653 | if (close_user) { | |
654 | log_debug("Removing orphaned dynamic user %s", d->name); | |
655 | (void) dynamic_user_close(d); | |
656 | } | |
657 | ||
658 | dynamic_user_free(d); | |
659 | } | |
660 | } | |
661 | ||
662 | int dynamic_user_lookup_uid(Manager *m, uid_t uid, char **ret) { | |
663 | char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; | |
664 | _cleanup_free_ char *user = NULL; | |
665 | uid_t check_uid; | |
666 | int r; | |
667 | ||
668 | assert(m); | |
669 | assert(ret); | |
670 | ||
61755fda ZJS |
671 | /* A friendly way to translate a dynamic user's UID into a name. */ |
672 | if (!uid_is_dynamic(uid)) | |
29206d46 LP |
673 | return -ESRCH; |
674 | ||
675 | xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); | |
676 | r = read_one_line_file(lock_path, &user); | |
677 | if (r == -ENOENT) | |
678 | return -ESRCH; | |
679 | if (r < 0) | |
680 | return r; | |
681 | ||
682 | /* The lock file might be stale, hence let's verify the data before we return it */ | |
683 | r = dynamic_user_lookup_name(m, user, &check_uid); | |
684 | if (r < 0) | |
685 | return r; | |
686 | if (check_uid != uid) /* lock file doesn't match our own idea */ | |
687 | return -ESRCH; | |
688 | ||
689 | *ret = user; | |
690 | user = NULL; | |
691 | ||
692 | return 0; | |
693 | } | |
694 | ||
695 | int dynamic_user_lookup_name(Manager *m, const char *name, uid_t *ret) { | |
696 | DynamicUser *d; | |
697 | int r; | |
698 | ||
699 | assert(m); | |
700 | assert(name); | |
701 | assert(ret); | |
702 | ||
703 | /* A friendly call for translating a dynamic user's name into its UID */ | |
704 | ||
705 | d = hashmap_get(m->dynamic_users, name); | |
706 | if (!d) | |
707 | return -ESRCH; | |
708 | ||
709 | r = dynamic_user_current(d, ret); | |
710 | if (r == -EAGAIN) /* not realized yet? */ | |
711 | return -ESRCH; | |
712 | ||
713 | return r; | |
714 | } | |
715 | ||
716 | int dynamic_creds_acquire(DynamicCreds *creds, Manager *m, const char *user, const char *group) { | |
717 | bool acquired = false; | |
718 | int r; | |
719 | ||
720 | assert(creds); | |
721 | assert(m); | |
722 | ||
723 | /* A DynamicUser object encapsulates an allocation of both a UID and a GID for a specific name. However, some | |
724 | * services use different user and groups. For cases like that there's DynamicCreds containing a pair of user | |
725 | * and group. This call allocates a pair. */ | |
726 | ||
727 | if (!creds->user && user) { | |
728 | r = dynamic_user_acquire(m, user, &creds->user); | |
729 | if (r < 0) | |
730 | return r; | |
731 | ||
732 | acquired = true; | |
733 | } | |
734 | ||
735 | if (!creds->group) { | |
736 | ||
737 | if (creds->user && (!group || streq_ptr(user, group))) | |
738 | creds->group = dynamic_user_ref(creds->user); | |
739 | else { | |
740 | r = dynamic_user_acquire(m, group, &creds->group); | |
741 | if (r < 0) { | |
742 | if (acquired) | |
743 | creds->user = dynamic_user_unref(creds->user); | |
744 | return r; | |
745 | } | |
746 | } | |
747 | } | |
748 | ||
749 | return 0; | |
750 | } | |
751 | ||
752 | int dynamic_creds_realize(DynamicCreds *creds, uid_t *uid, gid_t *gid) { | |
753 | uid_t u = UID_INVALID; | |
754 | gid_t g = GID_INVALID; | |
755 | int r; | |
756 | ||
757 | assert(creds); | |
758 | assert(uid); | |
759 | assert(gid); | |
760 | ||
761 | /* Realize both the referenced user and group */ | |
762 | ||
763 | if (creds->user) { | |
764 | r = dynamic_user_realize(creds->user, &u); | |
765 | if (r < 0) | |
766 | return r; | |
767 | } | |
768 | ||
769 | if (creds->group && creds->group != creds->user) { | |
770 | r = dynamic_user_realize(creds->group, &g); | |
771 | if (r < 0) | |
772 | return r; | |
773 | } else | |
774 | g = u; | |
775 | ||
776 | *uid = u; | |
777 | *gid = g; | |
778 | ||
779 | return 0; | |
780 | } | |
781 | ||
782 | void dynamic_creds_unref(DynamicCreds *creds) { | |
783 | assert(creds); | |
784 | ||
785 | creds->user = dynamic_user_unref(creds->user); | |
786 | creds->group = dynamic_user_unref(creds->group); | |
787 | } | |
788 | ||
789 | void dynamic_creds_destroy(DynamicCreds *creds) { | |
790 | assert(creds); | |
791 | ||
792 | creds->user = dynamic_user_destroy(creds->user); | |
793 | creds->group = dynamic_user_destroy(creds->group); | |
794 | } |