summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-03-11 02:41:13 +0100
committerLennart Poettering <lennart@poettering.net>2014-03-11 02:41:13 +0100
commit0cb9fbcd44517ec90b2a678876194607beab5dec (patch)
treebf2b481258bacb117061e2796ee4e29bf5b4ff04
parentd96c1ecf7bf9dae6b0cb728e41d09999ecce0b4a (diff)
nspawn: when resoliving UIDs/GIDs for "-u", do so in forked off /usr/bin/getent instead of in-process
When the container runs a different native architecture than the host we shouldn't attempt to load the container's NSS modules with the host's libc. Instead, resolve UID/GID by invoking /usr/bin/getent in the container. The tool should be fairly universally available and allows us to do resolving of the UID/GID with the container's libc in a parsable format. https://bugs.freedesktop.org/show_bug.cgi?id=75733
-rw-r--r--src/nspawn/nspawn.c332
-rw-r--r--src/shared/mkdir.c4
2 files changed, 276 insertions, 60 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 0903c57225..097d7f779f 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2219,6 +2219,272 @@ static void loop_remove(int nr, int *image_fd) {
ioctl(control, LOOP_CTL_REMOVE, nr);
}
+static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
+ int pipe_fds[2];
+ pid_t pid;
+
+ assert(database);
+ assert(key);
+ assert(rpid);
+
+ if (pipe2(pipe_fds, O_CLOEXEC) < 0) {
+ log_error("Failed to allocate pipe: %m");
+ return -errno;
+ }
+
+ pid = fork();
+ if (pid < 0) {
+ log_error("Failed to fork getent child: %m");
+ return -errno;
+ } else if (pid == 0) {
+ int nullfd;
+ char *empty_env = NULL;
+
+ if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
+ _exit(EXIT_FAILURE);
+
+ if (pipe_fds[0] > 2)
+ close_nointr_nofail(pipe_fds[0]);
+ if (pipe_fds[1] > 2)
+ close_nointr_nofail(pipe_fds[1]);
+
+ nullfd = open("/dev/null", O_RDWR);
+ if (nullfd < 0)
+ _exit(EXIT_FAILURE);
+
+ if (dup3(nullfd, STDIN_FILENO, 0) < 0)
+ _exit(EXIT_FAILURE);
+
+ if (dup3(nullfd, STDERR_FILENO, 0) < 0)
+ _exit(EXIT_FAILURE);
+
+ if (nullfd > 2)
+ close_nointr_nofail(nullfd);
+
+ reset_all_signal_handlers();
+ close_all_fds(NULL, 0);
+
+ execle("/usr/bin/getent", "getenv", database, key, NULL, &empty_env);
+ execle("/usr/getent", "getenv", database, key, NULL, &empty_env);
+ _exit(EXIT_FAILURE);
+ }
+
+ close_nointr_nofail(pipe_fds[1]);
+ pipe_fds[1] = -1;
+
+ *rpid = pid;
+
+ return pipe_fds[0];
+}
+
+static int change_uid_gid(char **_home) {
+
+ _cleanup_strv_free_ char **passwd = NULL;
+ char line[LINE_MAX], *w, *x, *state, *u, *g, *h;
+ _cleanup_free_ uid_t *uids = NULL;
+ _cleanup_free_ char *home = NULL;
+ _cleanup_fclose_ FILE *f = NULL;
+ _cleanup_close_ int fd = -1;
+ unsigned n_uids = 0;
+ size_t sz, l;
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ int r;
+
+ assert(_home);
+
+ if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
+ /* Reset everything fully to 0, just in case */
+
+ if (setgroups(0, NULL) < 0) {
+ log_error("setgroups() failed: %m");
+ return -errno;
+ }
+
+ if (setresgid(0, 0, 0) < 0) {
+ log_error("setregid() failed: %m");
+ return -errno;
+ }
+
+ if (setresuid(0, 0, 0) < 0) {
+ log_error("setreuid() failed: %m");
+ return -errno;
+ }
+
+ *_home = NULL;
+ return 0;
+ }
+
+ /* First, get user credentials */
+ fd = spawn_getent("passwd", arg_user, &pid);
+ if (fd < 0)
+ return fd;
+
+ f = fdopen(fd, "r");
+ if (!f)
+ return log_oom();
+ fd = -1;
+
+ if (!fgets(line, sizeof(line), f)) {
+
+ if (!ferror(f)) {
+ log_error("Failed to resolve user %s.", arg_user);
+ return -ESRCH;
+ }
+
+ log_error("Failed to read from getent: %m");
+ return -errno;
+ }
+
+ truncate_nl(line);
+
+ wait_for_terminate_and_warn("getent passwd", pid);
+
+ x = strchr(line, ':');
+ if (!x) {
+ log_error("/etc/passwd entry has invalid user field.");
+ return -EIO;
+ }
+
+ u = strchr(x+1, ':');
+ if (!u) {
+ log_error("/etc/passwd entry has invalid password field.");
+ return -EIO;
+ }
+
+ u++;
+ g = strchr(u, ':');
+ if (!g) {
+ log_error("/etc/passwd entry has invalid UID field.");
+ return -EIO;
+ }
+
+ *g = 0;
+ g++;
+ x = strchr(g, ':');
+ if (!x) {
+ log_error("/etc/passwd entry has invalid GID field.");
+ return -EIO;
+ }
+
+ *x = 0;
+ h = strchr(x+1, ':');
+ if (!h) {
+ log_error("/etc/passwd entry has invalid GECOS field.");
+ return -EIO;
+ }
+
+ h++;
+ x = strchr(h, ':');
+ if (!x) {
+ log_error("/etc/passwd entry has invalid home directory field.");
+ return -EIO;
+ }
+
+ *x = 0;
+
+ r = parse_uid(u, &uid);
+ if (r < 0) {
+ log_error("Failed to parse UID of user.");
+ return -EIO;
+ }
+
+ r = parse_gid(g, &gid);
+ if (r < 0) {
+ log_error("Failed to parse GID of user.");
+ return -EIO;
+ }
+
+ home = strdup(h);
+ if (!home)
+ return log_oom();
+
+ /* Second, get group memberships */
+ fd = spawn_getent("initgroups", arg_user, &pid);
+ if (fd < 0)
+ return fd;
+
+ fclose(f);
+ f = fdopen(fd, "r");
+ if (!f)
+ return log_oom();
+ fd = -1;
+
+ if (!fgets(line, sizeof(line), f)) {
+ if (!ferror(f)) {
+ log_error("Failed to resolve user %s.", arg_user);
+ return -ESRCH;
+ }
+
+ log_error("Failed to read from getent: %m");
+ return -errno;
+ }
+
+ truncate_nl(line);
+
+ wait_for_terminate_and_warn("getent initgroups", pid);
+
+ /* Skip over the username and subsequent separator whitespace */
+ x = line;
+ x += strcspn(x, WHITESPACE);
+ x += strspn(x, WHITESPACE);
+
+ FOREACH_WORD(w, l, x, state) {
+ char c[l+1];
+
+ memcpy(c, w, l);
+ c[l] = 0;
+
+ if (!GREEDY_REALLOC(uids, sz, n_uids+1))
+ return log_oom();
+
+ r = parse_uid(c, &uids[n_uids++]);
+ if (r < 0) {
+ log_error("Failed to parse group data from getent.");
+ return -EIO;
+ }
+ }
+
+ r = mkdir_parents(home, 0775);
+ if (r < 0) {
+ log_error("Failed to make home root directory: %s", strerror(-r));
+ return r;
+ }
+
+ r = mkdir_safe(home, 0755, uid, gid);
+ if (r < 0) {
+ log_error("Failed to make home directory: %s", strerror(-r));
+ return r;
+ }
+
+ fchown(STDIN_FILENO, uid, gid);
+ fchown(STDOUT_FILENO, uid, gid);
+ fchown(STDERR_FILENO, uid, gid);
+
+ if (setgroups(n_uids, uids) < 0) {
+ log_error("Failed to set auxiliary groups: %m");
+ return -errno;
+ }
+
+ if (setresgid(gid, gid, gid) < 0) {
+ log_error("setregid() failed: %m");
+ return -errno;
+ }
+
+ if (setresuid(uid, uid, uid) < 0) {
+ log_error("setreuid() failed: %m");
+ return -errno;
+ }
+
+ if (_home) {
+ *_home = home;
+ home = NULL;
+ }
+
+ return 0;
+}
+
int main(int argc, char *argv[]) {
_cleanup_free_ char *kdbus_domain = NULL, *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
@@ -2427,9 +2693,7 @@ int main(int argc, char *argv[]) {
if (pid == 0) {
/* child */
- const char *home = NULL;
- uid_t uid = (uid_t) -1;
- gid_t gid = (gid_t) -1;
+ _cleanup_free_ char *home = NULL;
unsigned n_env = 2;
const char *envp[] = {
"PATH=" DEFAULT_PATH_SPLIT_USR,
@@ -2598,61 +2862,9 @@ int main(int argc, char *argv[]) {
goto child_fail;
}
- if (arg_user) {
-
- /* Note that this resolves user names
- * inside the container, and hence
- * accesses the NSS modules from the
- * container and not the host. This is
- * a bit weird... */
-
- if (get_user_creds((const char**)&arg_user, &uid, &gid, &home, NULL) < 0) {
- log_error("get_user_creds() failed: %m");
- goto child_fail;
- }
-
- if (mkdir_parents_label(home, 0775) < 0) {
- log_error("mkdir_parents_label() failed: %m");
- goto child_fail;
- }
-
- if (mkdir_safe_label(home, 0775, uid, gid) < 0) {
- log_error("mkdir_safe_label() failed: %m");
- goto child_fail;
- }
-
- if (initgroups((const char*)arg_user, gid) < 0) {
- log_error("initgroups() failed: %m");
- goto child_fail;
- }
-
- if (setresgid(gid, gid, gid) < 0) {
- log_error("setregid() failed: %m");
- goto child_fail;
- }
-
- if (setresuid(uid, uid, uid) < 0) {
- log_error("setreuid() failed: %m");
- goto child_fail;
- }
- } else {
- /* Reset everything fully to 0, just in case */
-
- if (setgroups(0, NULL) < 0) {
- log_error("setgroups() failed: %m");
- goto child_fail;
- }
-
- if (setresgid(0, 0, 0) < 0) {
- log_error("setregid() failed: %m");
- goto child_fail;
- }
-
- if (setresuid(0, 0, 0) < 0) {
- log_error("setreuid() failed: %m");
- goto child_fail;
- }
- }
+ r = change_uid_gid(&home);
+ if (r < 0)
+ goto child_fail;
if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
(asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
@@ -2698,8 +2910,10 @@ int main(int argc, char *argv[]) {
#ifdef HAVE_SELINUX
if (arg_selinux_context)
- if (setexeccon((security_context_t) arg_selinux_context) < 0)
+ if (setexeccon((security_context_t) arg_selinux_context) < 0) {
log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
+ goto child_fail;
+ }
#endif
if (!strv_isempty(arg_setenv)) {
diff --git a/src/shared/mkdir.c b/src/shared/mkdir.c
index 4a2cd5e662..b35551eb02 100644
--- a/src/shared/mkdir.c
+++ b/src/shared/mkdir.c
@@ -41,7 +41,9 @@ int mkdir_safe_internal(const char *path, mode_t mode, uid_t uid, gid_t gid, mkd
if (lstat(path, &st) < 0)
return -errno;
- if ((st.st_mode & 0777) != mode ||
+ if ((st.st_mode & 0007) > (mode & 0007) ||
+ (st.st_mode & 0070) > (mode & 0070) ||
+ (st.st_mode & 0700) > (mode & 0700) ||
(uid != (uid_t) -1 && st.st_uid != uid) ||
(gid != (gid_t) -1 && st.st_gid != gid) ||
!S_ISDIR(st.st_mode)) {