#include "sd-messages.h"
#include "alloc-util.h"
+#include "chase-symlinks.h"
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
}
bool is_nologin_shell(const char *shell) {
-
return PATH_IN_SET(shell,
/* 'nologin' is the friendliest way to disable logins for a user account. It prints a nice
* message and exits. Different distributions place the binary at different places though,
"/usr/bin/true");
}
+const char* default_root_shell(const char *root) {
+ /* We want to use the preferred shell, i.e. DEFAULT_USER_SHELL, which usually
+ * will be /bin/bash. Fall back to /bin/sh if DEFAULT_USER_SHELL is not found,
+ * or any access errors. */
+
+ int r = chase_symlinks(DEFAULT_USER_SHELL, root, CHASE_PREFIX_ROOT, NULL, NULL);
+ if (r < 0 && r != -ENOENT)
+ log_debug_errno(r, "Failed to look up shell '%s%s%s': %m",
+ strempty(root), root ? "/" : "", DEFAULT_USER_SHELL);
+ if (r > 0)
+ return DEFAULT_USER_SHELL;
+
+ return "/bin/sh";
+}
+
static int synthesize_user_creds(
const char **username,
uid_t *uid, gid_t *gid,
*home = "/root";
if (shell)
- *shell = "/bin/sh";
+ *shell = default_root_shell(NULL);
return 0;
}
/* Hardcode shell for root and nobody to avoid NSS */
u = getuid();
if (u == 0) {
- s = strdup("/bin/sh");
+ s = strdup(default_root_shell(NULL));
if (!s)
return -ENOMEM;
.pw_gid = 0,
.pw_gecos = (char*) "Super User",
.pw_dir = (char*) "/root",
- .pw_shell = (char*) "/bin/sh",
+ .pw_shell = NULL,
};
static const struct spwd root_spwd = {
static enum nss_status copy_synthesized_passwd(
struct passwd *dest,
const struct passwd *src,
+ const char *fallback_shell,
char *buffer, size_t buflen,
int *errnop) {
- size_t required;
-
assert(dest);
assert(src);
assert(src->pw_name);
assert(src->pw_passwd);
assert(src->pw_gecos);
assert(src->pw_dir);
- assert(src->pw_shell);
- required = strlen(src->pw_name) + 1;
- required += strlen(src->pw_passwd) + 1;
- required += strlen(src->pw_gecos) + 1;
- required += strlen(src->pw_dir) + 1;
- required += strlen(src->pw_shell) + 1;
+ const char *shell = ASSERT_PTR(src->pw_shell ?: fallback_shell);
+
+ size_t required =
+ strlen(src->pw_name) + 1 +
+ strlen(src->pw_passwd) + 1 +
+ strlen(src->pw_gecos) + 1 +
+ strlen(src->pw_dir) + 1 +
+ strlen(shell) + 1;
if (buflen < required) {
*errnop = ERANGE;
dest->pw_gecos = stpcpy(dest->pw_passwd, src->pw_passwd) + 1;
dest->pw_dir = stpcpy(dest->pw_gecos, src->pw_gecos) + 1;
dest->pw_shell = stpcpy(dest->pw_dir, src->pw_dir) + 1;
- strcpy(dest->pw_shell, src->pw_shell);
+ strcpy(dest->pw_shell, shell);
return NSS_STATUS_SUCCESS;
}
char *buffer, size_t buflen,
int *errnop) {
- size_t required;
-
assert(dest);
assert(src);
assert(src->sp_namp);
assert(src->sp_pwdp);
- required = strlen(src->sp_namp) + 1;
- required += strlen(src->sp_pwdp) + 1;
+ size_t required =
+ strlen(src->sp_namp) + 1 +
+ strlen(src->sp_pwdp) + 1;
if (buflen < required) {
*errnop = ERANGE;
char *buffer, size_t buflen,
int *errnop) {
- size_t required;
-
assert(dest);
assert(src);
assert(src->gr_name);
assert(src->gr_mem);
assert(!*src->gr_mem); /* Our synthesized records' gr_mem is always just NULL... */
- required = strlen(src->gr_name) + 1;
- required += strlen(src->gr_passwd) + 1;
- required += sizeof(char*); /* ...but that NULL still needs to be stored into the buffer! */
+ size_t required =
+ strlen(src->gr_name) + 1 +
+ strlen(src->gr_passwd) + 1 +
+ sizeof(char*); /* ...but that NULL still needs to be stored into the buffer! */
if (buflen < ALIGN(required)) {
*errnop = ERANGE;
char *buffer, size_t buflen,
int *errnop) {
- size_t required;
-
assert(dest);
assert(src);
assert(src->sg_namp);
assert(src->sg_passwd);
- required = strlen(src->sg_namp) + 1;
- required += strlen(src->sg_passwd) + 1;
+ size_t required =
+ strlen(src->sg_namp) + 1 +
+ strlen(src->sg_passwd) + 1;
if (buflen < required) {
*errnop = ERANGE;
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
if (streq(name, root_passwd.pw_name))
- return copy_synthesized_passwd(pwd, &root_passwd, buffer, buflen, errnop);
+ return copy_synthesized_passwd(pwd, &root_passwd,
+ default_root_shell(NULL),
+ buffer, buflen, errnop);
if (streq(name, nobody_passwd.pw_name)) {
if (!synthesize_nobody())
return NSS_STATUS_NOTFOUND;
- return copy_synthesized_passwd(pwd, &nobody_passwd, buffer, buflen, errnop);
+ return copy_synthesized_passwd(pwd, &nobody_passwd,
+ NULL,
+ buffer, buflen, errnop);
}
} else if (STR_IN_SET(name, root_passwd.pw_name, nobody_passwd.pw_name))
if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) {
if (uid == root_passwd.pw_uid)
- return copy_synthesized_passwd(pwd, &root_passwd, buffer, buflen, errnop);
+ return copy_synthesized_passwd(pwd, &root_passwd,
+ default_root_shell(NULL),
+ buffer, buflen, errnop);
if (uid == nobody_passwd.pw_uid) {
if (!synthesize_nobody())
return NSS_STATUS_NOTFOUND;
- return copy_synthesized_passwd(pwd, &nobody_passwd, buffer, buflen, errnop);
+ return copy_synthesized_passwd(pwd, &nobody_passwd,
+ NULL,
+ buffer, buflen, errnop);
}
} else if (uid == root_passwd.pw_uid || uid == nobody_passwd.pw_uid)
}
TEST(get_user_creds) {
- test_get_user_creds_one("root", "root", 0, 0, "/root", "/bin/sh");
- test_get_user_creds_one("0", "root", 0, 0, "/root", "/bin/sh");
+ test_get_user_creds_one("root", "root", 0, 0, "/root", DEFAULT_USER_SHELL);
+ test_get_user_creds_one("0", "root", 0, 0, "/root", DEFAULT_USER_SHELL);
test_get_user_creds_one(NOBODY_USER_NAME, NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
test_get_user_creds_one("65534", NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
}
projects / thirdparty / systemd.git / commitdiff
