Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
ee645080 | 2 | |
ca78ad1d | 3 | #include <fcntl.h> |
07630cea | 4 | #include <grp.h> |
ee645080 LP |
5 | #include <sys/types.h> |
6 | #include <unistd.h> | |
ee645080 | 7 | |
b5efdb8a | 8 | #include "alloc-util.h" |
c5b82d86 | 9 | #include "def.h" |
dccca82b | 10 | #include "errno.h" |
3ffd4af2 | 11 | #include "fd-util.h" |
c5b82d86 | 12 | #include "fileio.h" |
ee645080 | 13 | #include "mkdir.h" |
3ffd4af2 | 14 | #include "nspawn-setuid.h" |
ee645080 | 15 | #include "process-util.h" |
595225af | 16 | #include "rlimit-util.h" |
07630cea LP |
17 | #include "signal-util.h" |
18 | #include "string-util.h" | |
5018c0c9 | 19 | #include "strv.h" |
b1d4f8e1 | 20 | #include "user-util.h" |
07630cea | 21 | #include "util.h" |
ee645080 LP |
22 | |
/*
 * Fork a child that runs "getent <database> <key>" and hand the caller the
 * read end of a pipe attached to that child.
 *
 * database and key are passed to getent as separate argv elements, so no
 * shell is involved. The child is executed with an empty environment and
 * only absolute getent paths are tried, so the caller's environment and
 * $PATH have no influence on which binary runs or how it behaves.
 *
 * On success the read end of the pipe is returned and *rpid is set to the
 * child's PID; the caller then owns both and has to close the fd and reap
 * the child. On failure a negative value is returned.
 */
static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
        static const char *const getent_paths[] = {
                "/usr/bin/getent",
                "/bin/getent",
        };
        char *empty_env = NULL;
        int fds[2], r;
        pid_t child;
        size_t i;

        assert(database);
        assert(key);
        assert(rpid);

        /* O_CLOEXEC: neither end may leak into unrelated exec()ed programs. */
        if (pipe2(fds, O_CLOEXEC) < 0)
                return log_error_errno(errno, "Failed to allocate pipe: %m");

        r = safe_fork("(getent)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &child);
        if (r < 0) {
                safe_close_pair(fds);
                return r;
        }

        if (r > 0) {
                /* Parent: drop the write end so that EOF is seen once the child exits. */
                fds[1] = safe_close(fds[1]);

                *rpid = child;

                return fds[0];
        }

        /* Child from here on. */
        safe_close(fds[0]);

        /* presumably installs the pipe's write end as stdout; see rearrange_stdio() */
        if (rearrange_stdio(-1, fds[1], -1) < 0)
                _exit(EXIT_FAILURE);

        /* Best effort: failures of the next two calls are deliberately ignored. */
        (void) close_all_fds(NULL, 0);

        (void) rlimit_nofile_safe();

        /* execle() only returns on failure, in which case the next path is tried. */
        for (i = 0; i < sizeof(getent_paths) / sizeof(getent_paths[0]); i++)
                execle(getent_paths[i], "getent", database, key, NULL, &empty_env);

        _exit(EXIT_FAILURE);
}
62 | ||
61b44433 LP |
/*
 * Switch the calling process to the given UID/GID and supplementary groups.
 *
 * A uid or gid that uid_is_valid()/gid_is_valid() rejects is replaced by 0.
 * Callers that mean "unprivileged" must therefore never pass an invalid ID,
 * since it silently turns into root.
 *
 * The order of the credential changes matters and must be kept:
 * supplementary groups first, then the GID, and the UID last. Once the UID
 * is dropped the process may no longer be allowed to change its groups.
 *
 * Returns 0 on success, or a negative errno-style value if setgroups(),
 * setresgid() or setresuid() fails. On failure the process may be left with
 * partially changed credentials.
 */
int change_uid_gid_raw(
                uid_t uid,
                gid_t gid,
                const gid_t *supplementary_gids,
                size_t n_supplementary_gids) {

        static const int stdio_fds[] = { STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO };
        size_t i;

        uid = uid_is_valid(uid) ? uid : 0;
        gid = gid_is_valid(gid) ? gid : 0;

        /* Hand stdin/stdout/stderr to the target user while we still can.
         * This is best effort, errors are ignored on purpose. */
        for (i = 0; i < sizeof(stdio_fds) / sizeof(stdio_fds[0]); i++)
                (void) fchown(stdio_fds[i], uid, gid);

        if (setgroups(n_supplementary_gids, supplementary_gids) < 0)
                return log_error_errno(errno, "Failed to set auxiliary groups: %m");

        /* Real, effective and saved IDs are all set, so the old ones cannot be regained. */
        if (setresgid(gid, gid, gid) < 0)
                return log_error_errno(errno, "setresgid() failed: %m");

        if (setresuid(uid, uid, uid) < 0)
                return log_error_errno(errno, "setresuid() failed: %m");

        return 0;
}
89 | ||
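/*
 * Resolve a user name via getent, create its home directory and switch the
 * calling process to that user.
 *
 * user   Name to resolve. NULL, "root" and "0" mean root: the credentials
 *        are reset via reset_uid_gid() and no lookup is done.
 * _home  Must not be NULL. Set to NULL for root, otherwise to a newly
 *        allocated copy of the home directory field; ownership passes to
 *        the caller.
 *
 * Returns 0 on success and a negative errno-style value on failure.
 *
 * Everything read from getent is external input: the fields are only split
 * on ':' / whitespace and the numeric ones are validated by parse_uid() /
 * parse_gid(). The home directory string is used as-is.
 */
int change_uid_gid(const char *user, char **_home) {
        char *x, *u, *g, *h;
        const char *word, *state;
        _cleanup_free_ gid_t *gids = NULL;
        _cleanup_free_ char *home = NULL, *line = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        _cleanup_close_ int fd = -1;
        unsigned n_gids = 0;
        size_t sz = 0, l;
        uid_t uid;
        gid_t gid;
        pid_t pid;
        int r;

        assert(_home);

        if (!user || STR_IN_SET(user, "root", "0")) {
                /* Reset everything fully to 0, just in case */

                r = reset_uid_gid();
                if (r < 0)
                        return log_error_errno(r, "Failed to become root: %m");

                *_home = NULL;
                return 0;
        }

        /* First, get user credentials */
        fd = spawn_getent("passwd", user, &pid);
        if (fd < 0)
                return fd;

        f = fdopen(fd, "r");
        if (!f)
                return log_oom();
        fd = -1; /* now owned by f, must not be closed twice */

        /* The line length is capped at LONG_LINE_MAX. */
        r = read_line(f, LONG_LINE_MAX, &line);
        if (r == 0)
                return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
                                       "Failed to resolve user %s.", user);
        if (r < 0)
                return log_error_errno(r, "Failed to read from getent: %m");

        /* NOTE(review): the two early returns above skip this wait, so the child is not
         * reaped on those paths. The exit status is ignored too, so a line printed by a
         * getent that exited non-zero is still used. */
        (void) wait_for_terminate_and_check("getent passwd", pid, WAIT_LOG);

        /* Split "name:password:UID:GID:GECOS:home:shell" in place. */
        x = strchr(line, ':');
        if (!x)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "/etc/passwd entry has invalid user field.");

        u = strchr(x+1, ':');
        if (!u)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "/etc/passwd entry has invalid password field.");

        u++;
        g = strchr(u, ':');
        if (!g)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "/etc/passwd entry has invalid UID field.");

        *g = 0;
        g++;
        x = strchr(g, ':');
        if (!x)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "/etc/passwd entry has invalid GID field.");

        *x = 0;
        h = strchr(x+1, ':');
        if (!h)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "/etc/passwd entry has invalid GECOS field.");

        h++;
        x = strchr(h, ':');
        if (!x)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "/etc/passwd entry has invalid home directory field.");

        *x = 0;

        r = parse_uid(u, &uid);
        if (r < 0)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to parse UID of user.");

        r = parse_gid(g, &gid);
        if (r < 0)
                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                       "Failed to parse GID of user.");

        home = strdup(h);
        if (!home)
                return log_oom();

        f = safe_fclose(f);
        line = mfree(line);

        /* Second, get group memberships */
        fd = spawn_getent("initgroups", user, &pid);
        if (fd < 0)
                return fd;

        f = fdopen(fd, "r");
        if (!f)
                return log_oom();
        fd = -1;

        r = read_line(f, LONG_LINE_MAX, &line);
        if (r == 0)
                return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
                                       "Failed to resolve user %s.", user);
        if (r < 0)
                return log_error_errno(r, "Failed to read from getent: %m");

        (void) wait_for_terminate_and_check("getent initgroups", pid, WAIT_LOG);

        /* Skip over the username and subsequent separator whitespace */
        x = line;
        x += strcspn(x, WHITESPACE);
        x += strspn(x, WHITESPACE);

        FOREACH_WORD(word, l, x, state) {
                /* A word can be almost as long as the whole line, which is only capped at
                 * LONG_LINE_MAX. Copy it to the heap rather than into a variable-length
                 * stack array whose size is dictated by external input. */
                _cleanup_free_ char *c = NULL;

                c = strndup(word, l);
                if (!c)
                        return log_oom();

                if (!GREEDY_REALLOC(gids, sz, n_gids+1))
                        return log_oom();

                r = parse_gid(c, &gids[n_gids]);
                if (r < 0)
                        return log_error_errno(r, "Failed to parse group data from getent: %m");

                n_gids++;
        }

        /* The directories are created before privileges are dropped, i.e. still with the
         * caller's credentials.
         * NOTE(review): home comes straight from the getent output and is not checked here
         * for being absolute or normalized. Confirm that mkdir_parents()/mkdir_safe() cope
         * with hostile paths. */
        r = mkdir_parents(home, 0775);
        if (r < 0)
                return log_error_errno(r, "Failed to make home root directory: %m");

        /* An already existing path, or a non-directory in the way, is tolerated. */
        r = mkdir_safe(home, 0755, uid, gid, 0);
        if (r < 0 && !IN_SET(r, -EEXIST, -ENOTDIR))
                return log_error_errno(r, "Failed to make home directory: %m");

        r = change_uid_gid_raw(uid, gid, gids, n_gids);
        if (r < 0)
                return r;

        if (_home)
                *_home = TAKE_PTR(home);

        return 0;
}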