]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/dynamic-user.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: pass the correct error to the caller
[thirdparty/systemd.git] / src / core / dynamic-user.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2016 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <grp.h>
21 #include <pwd.h>
22 #include <sys/file.h>
23
24 #include "dynamic-user.h"
25 #include "fd-util.h"
26 #include "fileio.h"
27 #include "fs-util.h"
28 #include "io-util.h"
29 #include "parse-util.h"
30 #include "random-util.h"
31 #include "stdio-util.h"
32 #include "string-util.h"
33 #include "user-util.h"
34
35 /* Takes a value generated randomly or by hashing and turns it into a UID in the right range */
36 #define UID_CLAMP_INTO_RANGE(rnd) (((uid_t) (rnd) % (DYNAMIC_UID_MAX - DYNAMIC_UID_MIN + 1)) + DYNAMIC_UID_MIN)
37
38 static DynamicUser* dynamic_user_free(DynamicUser *d) {
39 if (!d)
40 return NULL;
41
42 if (d->manager)
43 (void) hashmap_remove(d->manager->dynamic_users, d->name);
44
45 safe_close_pair(d->storage_socket);
46 return mfree(d);
47 }
48
49 static int dynamic_user_add(Manager *m, const char *name, int storage_socket[2], DynamicUser **ret) {
50 DynamicUser *d = NULL;
51 int r;
52
53 assert(m);
54 assert(name);
55 assert(storage_socket);
56
57 r = hashmap_ensure_allocated(&m->dynamic_users, &string_hash_ops);
58 if (r < 0)
59 return r;
60
61 d = malloc0(offsetof(DynamicUser, name) + strlen(name) + 1);
62 if (!d)
63 return -ENOMEM;
64
65 strcpy(d->name, name);
66
67 d->storage_socket[0] = storage_socket[0];
68 d->storage_socket[1] = storage_socket[1];
69
70 r = hashmap_put(m->dynamic_users, d->name, d);
71 if (r < 0) {
72 free(d);
73 return r;
74 }
75
76 d->manager = m;
77
78 if (ret)
79 *ret = d;
80
81 return 0;
82 }
83
84 int dynamic_user_acquire(Manager *m, const char *name, DynamicUser** ret) {
85 _cleanup_close_pair_ int storage_socket[2] = { -1, -1 };
86 DynamicUser *d;
87 int r;
88
89 assert(m);
90 assert(name);
91
92 /* Return the DynamicUser structure for a specific user name. Note that this won't actually allocate a UID for
93 * it, but just prepare the data structure for it. The UID is allocated only on demand, when it's really
94 * needed, and in the child process we fork off, since allocation involves NSS checks which are not OK to do
95 * from PID 1. To allow the children and PID 1 share information about allocated UIDs we use an anonymous
96 * AF_UNIX/SOCK_DGRAM socket (called the "storage socket") that contains at most one datagram with the
97 * allocated UID number, plus an fd referencing the lock file for the UID
98 * (i.e. /run/systemd/dynamic-uid/$UID). Why involve the socket pair? So that PID 1 and all its children can
99 * share the same storage for the UID and lock fd, simply by inheriting the storage socket fds. The socket pair
100 * may exist in three different states:
101 *
102 * a) no datagram stored. This is the initial state. In this case the dynamic user was never realized.
103 *
104 * b) a datagram containing a UID stored, but no lock fd attached to it. In this case there was already a
105 * statically assigned UID by the same name, which we are reusing.
106 *
107 * c) a datagram containing a UID stored, and a lock fd is attached to it. In this case we allocated a dynamic
108 * UID and locked it in the file system, using the lock fd.
109 *
110 * As PID 1 and various children might access the socket pair simultaneously, and pop the datagram or push it
111 * back in any time, we also maintain a lock on the socket pair. Note one peculiarity regarding locking here:
112 * the UID lock on disk is protected via a BSD file lock (i.e. an fd-bound lock), so that the lock is kept in
113 * place as long as there's a reference to the fd open. The lock on the storage socket pair however is a POSIX
114 * file lock (i.e. a process-bound lock), as all users share the same fd of this (after all it is anonymous,
115 * nobody else could get any access to it except via our own fd) and we want to synchronize access between all
116 * processes that have access to it. */
117
118 d = hashmap_get(m->dynamic_users, name);
119 if (d) {
120 /* We already have a structure for the dynamic user, let's increase the ref count and reuse it */
121 d->n_ref++;
122 *ret = d;
123 return 0;
124 }
125
126 if (!valid_user_group_name_or_id(name))
127 return -EINVAL;
128
129 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, storage_socket) < 0)
130 return -errno;
131
132 r = dynamic_user_add(m, name, storage_socket, &d);
133 if (r < 0)
134 return r;
135
136 storage_socket[0] = storage_socket[1] = -1;
137
138 if (ret) {
139 d->n_ref++;
140 *ret = d;
141 }
142
143 return 1;
144 }
145
146 static int make_uid_symlinks(uid_t uid, const char *name, bool b) {
147
148 char path1[strlen("/run/systemd/dynamic-uid/direct:") + DECIMAL_STR_MAX(uid_t) + 1];
149 const char *path2;
150 int r = 0, k;
151
152 /* Add direct additional symlinks for direct lookups of dynamic UIDs and their names by userspace code. The
153 * only reason we have this is because dbus-daemon cannot use D-Bus for resolving users and groups (since it
154 * would be its own client then). We hence keep these world-readable symlinks in place, so that the
155 * unprivileged dbus user can read the mappings when it needs them via these symlinks instead of having to go
156 * via the bus. Ideally, we'd use the lock files we keep for this anyway, but we can't since we use BSD locks
157 * on them and as those may be taken by any user with read access we can't make them world-readable. */
158
159 xsprintf(path1, "/run/systemd/dynamic-uid/direct:" UID_FMT, uid);
160 if (unlink(path1) < 0 && errno != ENOENT)
161 r = -errno;
162
163 if (b && symlink(name, path1) < 0) {
164 k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path1);
165 if (r == 0)
166 r = k;
167 }
168
169 path2 = strjoina("/run/systemd/dynamic-uid/direct:", name);
170 if (unlink(path2) < 0 && errno != ENOENT) {
171 k = -errno;
172 if (r == 0)
173 r = k;
174 }
175
176 if (b && symlink(path1 + strlen("/run/systemd/dynamic-uid/direct:"), path2) < 0) {
177 k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path2);
178 if (r == 0)
179 r = k;
180 }
181
182 return r;
183 }
184
185 static int pick_uid(char **suggested_paths, const char *name, uid_t *ret_uid) {
186
187 /* Find a suitable free UID. We use the following strategy to find a suitable UID:
188 *
189 * 1. Initially, we try to read the UID of a number of specified paths. If any of these UIDs works, we use
190 * them. We use in order to increase the chance of UID reuse, if StateDirectory=, CacheDirectory= or
191 * LogDirectory= are used, as reusing the UID these directories are owned by saves us from having to
192 * recursively chown() them to new users.
193 *
194 * 2. If that didn't yield a currently unused UID, we hash the user name, and try to use that. This should be
195 * pretty good, as the use ris by default derived from the unit name, and hence the same service and same
196 * user should usually get the same UID as long as our hashing doesn't clash.
197 *
198 * 3. Finally, if that didn't work, we randomly pick UIDs, until we find one that is empty.
199 *
200 * Since the dynamic UID space is relatively small we'll stop trying after 100 iterations, giving up. */
201
202 enum {
203 PHASE_SUGGESTED, /* the first phase, reusing directory ownership UIDs */
204 PHASE_HASHED, /* the second phase, deriving a UID from the username by hashing */
205 PHASE_RANDOM, /* the last phase, randomly picking UIDs */
206 } phase = PHASE_SUGGESTED;
207
208 static const uint8_t hash_key[] = {
209 0x37, 0x53, 0x7e, 0x31, 0xcf, 0xce, 0x48, 0xf5,
210 0x8a, 0xbb, 0x39, 0x57, 0x8d, 0xd9, 0xec, 0x59
211 };
212
213 unsigned n_tries = 100, current_suggested = 0;
214 int r;
215
216 (void) mkdir("/run/systemd/dynamic-uid", 0755);
217
218 for (;;) {
219 char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1];
220 _cleanup_close_ int lock_fd = -1;
221 uid_t candidate;
222 ssize_t l;
223
224 if (--n_tries <= 0) /* Give up retrying eventually */
225 return -EBUSY;
226
227 switch (phase) {
228
229 case PHASE_SUGGESTED: {
230 struct stat st;
231
232 if (!suggested_paths || !suggested_paths[current_suggested]) {
233 /* We reached the end of the suggested paths list, let's try by hashing the name */
234 phase = PHASE_HASHED;
235 continue;
236 }
237
238 if (stat(suggested_paths[current_suggested++], &st) < 0)
239 continue; /* We can't read the UID of this path, but that doesn't matter, just try the next */
240
241 candidate = st.st_uid;
242 break;
243 }
244
245 case PHASE_HASHED:
246 /* A static user by this name does not exist yet. Let's find a free ID then, and use that. We
247 * start with a UID generated as hash from the user name. */
248 candidate = UID_CLAMP_INTO_RANGE(siphash24(name, strlen(name), hash_key));
249
250 /* If this one fails, we should proceed with random tries */
251 phase = PHASE_RANDOM;
252 break;
253
254 case PHASE_RANDOM:
255
256 /* Pick another random UID, and see if that works for us. */
257 random_bytes(&candidate, sizeof(candidate));
258 candidate = UID_CLAMP_INTO_RANGE(candidate);
259 break;
260
261 default:
262 assert_not_reached("unknown phase");
263 }
264
265 /* Make sure whatever we picked here actually is in the right range */
266 if (!uid_is_dynamic(candidate))
267 continue;
268
269 xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, candidate);
270
271 for (;;) {
272 struct stat st;
273
274 lock_fd = open(lock_path, O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, 0600);
275 if (lock_fd < 0)
276 return -errno;
277
278 r = flock(lock_fd, LOCK_EX|LOCK_NB); /* Try to get a BSD file lock on the UID lock file */
279 if (r < 0) {
280 if (IN_SET(errno, EBUSY, EAGAIN))
281 goto next; /* already in use */
282
283 return -errno;
284 }
285
286 if (fstat(lock_fd, &st) < 0)
287 return -errno;
288 if (st.st_nlink > 0)
289 break;
290
291 /* Oh, bummer, we got the lock, but the file was unlinked between the time we opened it and
292 * got the lock. Close it, and try again. */
293 lock_fd = safe_close(lock_fd);
294 }
295
296 /* Some superficial check whether this UID/GID might already be taken by some static user */
297 if (getpwuid(candidate) || getgrgid((gid_t) candidate)) {
298 (void) unlink(lock_path);
299 continue;
300 }
301
302 /* Let's store the user name in the lock file, so that we can use it for looking up the username for a UID */
303 l = pwritev(lock_fd,
304 (struct iovec[2]) {
305 IOVEC_INIT_STRING(name),
306 IOVEC_INIT((char[1]) { '\n' }, 1),
307 }, 2, 0);
308 if (l < 0) {
309 r = -errno;
310 (void) unlink(lock_path);
311 return r;
312 }
313
314 (void) ftruncate(lock_fd, l);
315 (void) make_uid_symlinks(candidate, name, true); /* also add direct lookup symlinks */
316
317 *ret_uid = candidate;
318 r = lock_fd;
319 lock_fd = -1;
320
321 return r;
322
323 next:
324 ;
325 }
326 }
327
328 static int dynamic_user_pop(DynamicUser *d, uid_t *ret_uid, int *ret_lock_fd) {
329 uid_t uid = UID_INVALID;
330 struct iovec iov = IOVEC_INIT(&uid, sizeof(uid));
331 union {
332 struct cmsghdr cmsghdr;
333 uint8_t buf[CMSG_SPACE(sizeof(int))];
334 } control = {};
335 struct msghdr mh = {
336 .msg_control = &control,
337 .msg_controllen = sizeof(control),
338 .msg_iov = &iov,
339 .msg_iovlen = 1,
340 };
341 struct cmsghdr *cmsg;
342
343 ssize_t k;
344 int lock_fd = -1;
345
346 assert(d);
347 assert(ret_uid);
348 assert(ret_lock_fd);
349
350 /* Read the UID and lock fd that is stored in the storage AF_UNIX socket. This should be called with the lock
351 * on the socket taken. */
352
353 k = recvmsg(d->storage_socket[0], &mh, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC);
354 if (k < 0)
355 return -errno;
356
357 cmsg = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int)));
358 if (cmsg)
359 lock_fd = *(int*) CMSG_DATA(cmsg);
360 else
361 cmsg_close_all(&mh); /* just in case... */
362
363 *ret_uid = uid;
364 *ret_lock_fd = lock_fd;
365
366 return 0;
367 }
368
369 static int dynamic_user_push(DynamicUser *d, uid_t uid, int lock_fd) {
370 struct iovec iov = IOVEC_INIT(&uid, sizeof(uid));
371 union {
372 struct cmsghdr cmsghdr;
373 uint8_t buf[CMSG_SPACE(sizeof(int))];
374 } control = {};
375 struct msghdr mh = {
376 .msg_control = &control,
377 .msg_controllen = sizeof(control),
378 .msg_iov = &iov,
379 .msg_iovlen = 1,
380 };
381 ssize_t k;
382
383 assert(d);
384
385 /* Store the UID and lock_fd in the storage socket. This should be called with the socket pair lock taken. */
386
387 if (lock_fd >= 0) {
388 struct cmsghdr *cmsg;
389
390 cmsg = CMSG_FIRSTHDR(&mh);
391 cmsg->cmsg_level = SOL_SOCKET;
392 cmsg->cmsg_type = SCM_RIGHTS;
393 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
394 memcpy(CMSG_DATA(cmsg), &lock_fd, sizeof(int));
395
396 mh.msg_controllen = CMSG_SPACE(sizeof(int));
397 } else {
398 mh.msg_control = NULL;
399 mh.msg_controllen = 0;
400 }
401
402 k = sendmsg(d->storage_socket[1], &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
403 if (k < 0)
404 return -errno;
405
406 return 0;
407 }
408
409 static void unlink_uid_lock(int lock_fd, uid_t uid, const char *name) {
410 char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1];
411
412 if (lock_fd < 0)
413 return;
414
415 xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid);
416 (void) unlink(lock_path);
417
418 (void) make_uid_symlinks(uid, name, false); /* remove direct lookup symlinks */
419 }
420
421 int dynamic_user_realize(DynamicUser *d, char **suggested_dirs, uid_t *ret) {
422
423 _cleanup_close_ int etc_passwd_lock_fd = -1, uid_lock_fd = -1;
424 uid_t uid = UID_INVALID;
425 int r;
426
427 assert(d);
428
429 /* Acquire a UID for the user name. This will allocate a UID for the user name if the user doesn't exist
430 * yet. If it already exists its existing UID/GID will be reused. */
431
432 if (lockf(d->storage_socket[0], F_LOCK, 0) < 0)
433 return -errno;
434
435 r = dynamic_user_pop(d, &uid, &uid_lock_fd);
436 if (r < 0) {
437 int new_uid_lock_fd;
438 uid_t new_uid;
439
440 if (r != -EAGAIN)
441 goto finish;
442
443 /* OK, nothing stored yet, let's try to find something useful. While we are working on this release the
444 * lock however, so that nobody else blocks on our NSS lookups. */
445 (void) lockf(d->storage_socket[0], F_ULOCK, 0);
446
447 /* Let's see if a proper, static user or group by this name exists. Try to take the lock on
448 * /etc/passwd, if that fails with EROFS then /etc is read-only. In that case it's fine if we don't
449 * take the lock, given that users can't be added there anyway in this case. */
450 etc_passwd_lock_fd = take_etc_passwd_lock(NULL);
451 if (etc_passwd_lock_fd < 0 && etc_passwd_lock_fd != -EROFS)
452 return etc_passwd_lock_fd;
453
454 /* First, let's parse this as numeric UID */
455 r = parse_uid(d->name, &uid);
456 if (r < 0) {
457 struct passwd *p;
458 struct group *g;
459
460 /* OK, this is not a numeric UID. Let's see if there's a user by this name */
461 p = getpwnam(d->name);
462 if (p)
463 uid = p->pw_uid;
464
465 /* Let's see if there's a group by this name */
466 g = getgrnam(d->name);
467 if (g) {
468 /* If the UID/GID of the user/group of the same don't match, refuse operation */
469 if (uid != UID_INVALID && uid != (uid_t) g->gr_gid)
470 return -EILSEQ;
471
472 uid = (uid_t) g->gr_gid;
473 }
474 }
475
476 if (uid == UID_INVALID) {
477 /* No static UID assigned yet, excellent. Let's pick a new dynamic one, and lock it. */
478
479 uid_lock_fd = pick_uid(suggested_dirs, d->name, &uid);
480 if (uid_lock_fd < 0)
481 return uid_lock_fd;
482 }
483
484 /* So, we found a working UID/lock combination. Let's see if we actually still need it. */
485 if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) {
486 unlink_uid_lock(uid_lock_fd, uid, d->name);
487 return -errno;
488 }
489
490 r = dynamic_user_pop(d, &new_uid, &new_uid_lock_fd);
491 if (r < 0) {
492 if (r != -EAGAIN) {
493 /* OK, something bad happened, let's get rid of the bits we acquired. */
494 unlink_uid_lock(uid_lock_fd, uid, d->name);
495 goto finish;
496 }
497
498 /* Great! Nothing is stored here, still. Store our newly acquired data. */
499 } else {
500 /* Hmm, so as it appears there's now something stored in the storage socket. Throw away what we
501 * acquired, and use what's stored now. */
502
503 unlink_uid_lock(uid_lock_fd, uid, d->name);
504 safe_close(uid_lock_fd);
505
506 uid = new_uid;
507 uid_lock_fd = new_uid_lock_fd;
508 }
509 }
510
511 /* If the UID/GID was already allocated dynamically, push the data we popped out back in. If it was already
512 * allocated statically, push the UID back too, but do not push the lock fd in. If we allocated the UID
513 * dynamically right here, push that in along with the lock fd for it. */
514 r = dynamic_user_push(d, uid, uid_lock_fd);
515 if (r < 0)
516 goto finish;
517
518 *ret = uid;
519 r = 0;
520
521 finish:
522 (void) lockf(d->storage_socket[0], F_ULOCK, 0);
523 return r;
524 }
525
526 int dynamic_user_current(DynamicUser *d, uid_t *ret) {
527 _cleanup_close_ int lock_fd = -1;
528 uid_t uid;
529 int r;
530
531 assert(d);
532 assert(ret);
533
534 /* Get the currently assigned UID for the user, if there's any. This simply pops the data from the storage socket, and pushes it back in right-away. */
535
536 if (lockf(d->storage_socket[0], F_LOCK, 0) < 0)
537 return -errno;
538
539 r = dynamic_user_pop(d, &uid, &lock_fd);
540 if (r < 0)
541 goto finish;
542
543 r = dynamic_user_push(d, uid, lock_fd);
544 if (r < 0)
545 goto finish;
546
547 *ret = uid;
548 r = 0;
549
550 finish:
551 (void) lockf(d->storage_socket[0], F_ULOCK, 0);
552 return r;
553 }
554
555 DynamicUser* dynamic_user_ref(DynamicUser *d) {
556 if (!d)
557 return NULL;
558
559 assert(d->n_ref > 0);
560 d->n_ref++;
561
562 return d;
563 }
564
565 DynamicUser* dynamic_user_unref(DynamicUser *d) {
566 if (!d)
567 return NULL;
568
569 /* Note that this doesn't actually release any resources itself. If a dynamic user should be fully destroyed
570 * and its UID released, use dynamic_user_destroy() instead. NB: the dynamic user table may contain entries
571 * with no references, which is commonly the case right before a daemon reload. */
572
573 assert(d->n_ref > 0);
574 d->n_ref--;
575
576 return NULL;
577 }
578
579 static int dynamic_user_close(DynamicUser *d) {
580 _cleanup_close_ int lock_fd = -1;
581 uid_t uid;
582 int r;
583
584 /* Release the user ID, by releasing the lock on it, and emptying the storage socket. After this the user is
585 * unrealized again, much like it was after it the DynamicUser object was first allocated. */
586
587 if (lockf(d->storage_socket[0], F_LOCK, 0) < 0)
588 return -errno;
589
590 r = dynamic_user_pop(d, &uid, &lock_fd);
591 if (r == -EAGAIN) {
592 /* User wasn't realized yet, nothing to do. */
593 r = 0;
594 goto finish;
595 }
596 if (r < 0)
597 goto finish;
598
599 /* This dynamic user was realized and dynamically allocated. In this case, let's remove the lock file. */
600 unlink_uid_lock(lock_fd, uid, d->name);
601 r = 1;
602
603 finish:
604 (void) lockf(d->storage_socket[0], F_ULOCK, 0);
605 return r;
606 }
607
608 DynamicUser* dynamic_user_destroy(DynamicUser *d) {
609 if (!d)
610 return NULL;
611
612 /* Drop a reference to a DynamicUser object, and destroy the user completely if this was the last
613 * reference. This is called whenever a service is shut down and wants its dynamic UID gone. Note that
614 * dynamic_user_unref() is what is called whenever a service is simply freed, for example during a reload
615 * cycle, where the dynamic users should not be destroyed, but our datastructures should. */
616
617 dynamic_user_unref(d);
618
619 if (d->n_ref > 0)
620 return NULL;
621
622 (void) dynamic_user_close(d);
623 return dynamic_user_free(d);
624 }
625
626 int dynamic_user_serialize(Manager *m, FILE *f, FDSet *fds) {
627 DynamicUser *d;
628 Iterator i;
629
630 assert(m);
631 assert(f);
632 assert(fds);
633
634 /* Dump the dynamic user database into the manager serialization, to deal with daemon reloads. */
635
636 HASHMAP_FOREACH(d, m->dynamic_users, i) {
637 int copy0, copy1;
638
639 copy0 = fdset_put_dup(fds, d->storage_socket[0]);
640 if (copy0 < 0)
641 return copy0;
642
643 copy1 = fdset_put_dup(fds, d->storage_socket[1]);
644 if (copy1 < 0)
645 return copy1;
646
647 fprintf(f, "dynamic-user=%s %i %i\n", d->name, copy0, copy1);
648 }
649
650 return 0;
651 }
652
653 void dynamic_user_deserialize_one(Manager *m, const char *value, FDSet *fds) {
654 _cleanup_free_ char *name = NULL, *s0 = NULL, *s1 = NULL;
655 int r, fd0, fd1;
656
657 assert(m);
658 assert(value);
659 assert(fds);
660
661 /* Parse the serialization again, after a daemon reload */
662
663 r = extract_many_words(&value, NULL, 0, &name, &s0, &s1, NULL);
664 if (r != 3 || !isempty(value)) {
665 log_debug("Unable to parse dynamic user line.");
666 return;
667 }
668
669 if (safe_atoi(s0, &fd0) < 0 || !fdset_contains(fds, fd0)) {
670 log_debug("Unable to process dynamic user fd specification.");
671 return;
672 }
673
674 if (safe_atoi(s1, &fd1) < 0 || !fdset_contains(fds, fd1)) {
675 log_debug("Unable to process dynamic user fd specification.");
676 return;
677 }
678
679 r = dynamic_user_add(m, name, (int[]) { fd0, fd1 }, NULL);
680 if (r < 0) {
681 log_debug_errno(r, "Failed to add dynamic user: %m");
682 return;
683 }
684
685 (void) fdset_remove(fds, fd0);
686 (void) fdset_remove(fds, fd1);
687 }
688
689 void dynamic_user_vacuum(Manager *m, bool close_user) {
690 DynamicUser *d;
691 Iterator i;
692
693 assert(m);
694
695 /* Empty the dynamic user database, optionally cleaning up orphaned dynamic users, i.e. destroy and free users
696 * to which no reference exist. This is called after a daemon reload finished, in order to destroy users which
697 * might not be referenced anymore. */
698
699 HASHMAP_FOREACH(d, m->dynamic_users, i) {
700 if (d->n_ref > 0)
701 continue;
702
703 if (close_user) {
704 log_debug("Removing orphaned dynamic user %s", d->name);
705 (void) dynamic_user_close(d);
706 }
707
708 dynamic_user_free(d);
709 }
710 }
711
712 int dynamic_user_lookup_uid(Manager *m, uid_t uid, char **ret) {
713 char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1];
714 _cleanup_free_ char *user = NULL;
715 uid_t check_uid;
716 int r;
717
718 assert(m);
719 assert(ret);
720
721 /* A friendly way to translate a dynamic user's UID into a name. */
722 if (!uid_is_dynamic(uid))
723 return -ESRCH;
724
725 xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid);
726 r = read_one_line_file(lock_path, &user);
727 if (r == -ENOENT)
728 return -ESRCH;
729 if (r < 0)
730 return r;
731
732 /* The lock file might be stale, hence let's verify the data before we return it */
733 r = dynamic_user_lookup_name(m, user, &check_uid);
734 if (r < 0)
735 return r;
736 if (check_uid != uid) /* lock file doesn't match our own idea */
737 return -ESRCH;
738
739 *ret = user;
740 user = NULL;
741
742 return 0;
743 }
744
745 int dynamic_user_lookup_name(Manager *m, const char *name, uid_t *ret) {
746 DynamicUser *d;
747 int r;
748
749 assert(m);
750 assert(name);
751 assert(ret);
752
753 /* A friendly call for translating a dynamic user's name into its UID */
754
755 d = hashmap_get(m->dynamic_users, name);
756 if (!d)
757 return -ESRCH;
758
759 r = dynamic_user_current(d, ret);
760 if (r == -EAGAIN) /* not realized yet? */
761 return -ESRCH;
762
763 return r;
764 }
765
766 int dynamic_creds_acquire(DynamicCreds *creds, Manager *m, const char *user, const char *group) {
767 bool acquired = false;
768 int r;
769
770 assert(creds);
771 assert(m);
772
773 /* A DynamicUser object encapsulates an allocation of both a UID and a GID for a specific name. However, some
774 * services use different user and groups. For cases like that there's DynamicCreds containing a pair of user
775 * and group. This call allocates a pair. */
776
777 if (!creds->user && user) {
778 r = dynamic_user_acquire(m, user, &creds->user);
779 if (r < 0)
780 return r;
781
782 acquired = true;
783 }
784
785 if (!creds->group) {
786
787 if (creds->user && (!group || streq_ptr(user, group)))
788 creds->group = dynamic_user_ref(creds->user);
789 else {
790 r = dynamic_user_acquire(m, group, &creds->group);
791 if (r < 0) {
792 if (acquired)
793 creds->user = dynamic_user_unref(creds->user);
794 return r;
795 }
796 }
797 }
798
799 return 0;
800 }
801
802 int dynamic_creds_realize(DynamicCreds *creds, char **suggested_paths, uid_t *uid, gid_t *gid) {
803 uid_t u = UID_INVALID;
804 gid_t g = GID_INVALID;
805 int r;
806
807 assert(creds);
808 assert(uid);
809 assert(gid);
810
811 /* Realize both the referenced user and group */
812
813 if (creds->user) {
814 r = dynamic_user_realize(creds->user, suggested_paths, &u);
815 if (r < 0)
816 return r;
817 }
818
819 if (creds->group && creds->group != creds->user) {
820 r = dynamic_user_realize(creds->group, suggested_paths, &g);
821 if (r < 0)
822 return r;
823 } else
824 g = u;
825
826 *uid = u;
827 *gid = g;
828
829 return 0;
830 }
831
832 void dynamic_creds_unref(DynamicCreds *creds) {
833 assert(creds);
834
835 creds->user = dynamic_user_unref(creds->user);
836 creds->group = dynamic_user_unref(creds->group);
837 }
838
839 void dynamic_creds_destroy(DynamicCreds *creds) {
840 assert(creds);
841
842 creds->user = dynamic_user_destroy(creds->user);
843 creds->group = dynamic_user_destroy(creds->group);
844 }
Unnamed repository; edit this file 'description' to name the repository.