diff options
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-07-25 16:40:26 -0400 | 
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-07-25 16:40:26 -0400 | 
| commit | dadd6ecfa5eaf842763dca545b4c04f33831789e (patch) | |
| tree | ce34705fdfe6a36b661384f934b697295ada0672 /src | |
| parent | e28973ee182434b59ff562c9b22823250c9fdb4c (diff) | |
| parent | d82047bef5b8a35fb2d1d4685f241383df1a1d76 (diff) | |
Merge pull request #3728 from poettering/dynamic-users
Diffstat (limited to 'src')
33 files changed, 1805 insertions, 111 deletions
| diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c index 385c3e4df3..6093e47172 100644 --- a/src/basic/socket-util.c +++ b/src/basic/socket-util.c @@ -1046,3 +1046,17 @@ int flush_accept(int fd) {                  close(cfd);          }  } + +struct cmsghdr* cmsg_find(struct msghdr *mh, int level, int type, socklen_t length) { +        struct cmsghdr *cmsg; + +        assert(mh); + +        CMSG_FOREACH(cmsg, mh) +                if (cmsg->cmsg_level == level && +                    cmsg->cmsg_type == type && +                    (length == (socklen_t) -1 || length == cmsg->cmsg_len)) +                        return cmsg; + +        return NULL; +} diff --git a/src/basic/socket-util.h b/src/basic/socket-util.h index e9230e4a9f..2536b085f9 100644 --- a/src/basic/socket-util.h +++ b/src/basic/socket-util.h @@ -142,6 +142,8 @@ int flush_accept(int fd);  #define CMSG_FOREACH(cmsg, mh)                                          \          for ((cmsg) = CMSG_FIRSTHDR(mh); (cmsg); (cmsg) = CMSG_NXTHDR((mh), (cmsg))) +struct cmsghdr* cmsg_find(struct msghdr *mh, int level, int type, socklen_t length); +  /* Covers only file system and abstract AF_UNIX socket addresses, but not unnamed socket addresses. */  #define SOCKADDR_UN_LEN(sa)                                             \          ({                                                              \ diff --git a/src/basic/user-util.c b/src/basic/user-util.c index e9d668ddfc..122d9a0c7c 100644 --- a/src/basic/user-util.c +++ b/src/basic/user-util.c @@ -29,6 +29,7 @@  #include <string.h>  #include <sys/stat.h>  #include <unistd.h> +#include <utmp.h>  #include "missing.h"  #include "alloc-util.h" @@ -39,6 +40,7 @@  #include "path-util.h"  #include "string-util.h"  #include "user-util.h" +#include "utf8.h"  bool uid_is_valid(uid_t uid) { @@ -479,3 +481,94 @@ int take_etc_passwd_lock(const char *root) {          return fd;  } + +bool valid_user_group_name(const char *u) { +        const char *i; +        long sz; + +        /* Checks if the specified name is a valid user/group name. */ + +        if (isempty(u)) +                return false; + +        if (!(u[0] >= 'a' && u[0] <= 'z') && +            !(u[0] >= 'A' && u[0] <= 'Z') && +            u[0] != '_') +                return false; + +        for (i = u+1; *i; i++) { +                if (!(*i >= 'a' && *i <= 'z') && +                    !(*i >= 'A' && *i <= 'Z') && +                    !(*i >= '0' && *i <= '9') && +                    *i != '_' && +                    *i != '-') +                        return false; +        } + +        sz = sysconf(_SC_LOGIN_NAME_MAX); +        assert_se(sz > 0); + +        if ((size_t) (i-u) > (size_t) sz) +                return false; + +        if ((size_t) (i-u) > UT_NAMESIZE - 1) +                return false; + +        return true; +} + +bool valid_user_group_name_or_id(const char *u) { + +        /* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right +         * range, and not the invalid user ids. */ + +        if (isempty(u)) +                return false; + +        if (valid_user_group_name(u)) +                return true; + +        return parse_uid(u, NULL) >= 0; +} + +bool valid_gecos(const char *d) { + +        if (!d) +                return false; + +        if (!utf8_is_valid(d)) +                return false; + +        if (string_has_cc(d, NULL)) +                return false; + +        /* Colons are used as field separators, and hence not OK */ +        if (strchr(d, ':')) +                return false; + +        return true; +} + +bool valid_home(const char *p) { + +        if (isempty(p)) +                return false; + +        if (!utf8_is_valid(p)) +                return false; + +        if (string_has_cc(p, NULL)) +                return false; + +        if (!path_is_absolute(p)) +                return false; + +        if (!path_is_safe(p)) +                return false; + +        /* Colons are used as field separators, and hence not OK */ +        if (strchr(p, ':')) +                return false; + +        return true; +} diff --git a/src/basic/user-util.h b/src/basic/user-util.h index 8026eca3f4..36f71fb004 100644 --- a/src/basic/user-util.h +++ b/src/basic/user-util.h @@ -68,3 +68,8 @@ int take_etc_passwd_lock(const char *root);  static inline bool userns_supported(void) {          return access("/proc/self/uid_map", F_OK) >= 0;  } + +bool valid_user_group_name(const char *u); +bool valid_user_group_name_or_id(const char *u); +bool valid_gecos(const char *d); +bool valid_home(const char *p); diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index 307c3d8e7a..9c50cd93e5 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -44,6 +44,7 @@  #endif  #include "strv.h"  #include "syslog-util.h" +#include "user-util.h"  #include "utf8.h"  BUS_DEFINE_PROPERTY_GET_ENUM(bus_property_get_exec_output, exec_output, ExecOutput); @@ -693,6 +694,7 @@ const sd_bus_vtable bus_exec_vtable[] = {          SD_BUS_PROPERTY("AmbientCapabilities", "t", property_get_ambient_capabilities, 0, SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("DynamicUser", "b", bus_property_get_bool, offsetof(ExecContext, dynamic_user), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("SupplementaryGroups", "as", NULL, offsetof(ExecContext, supplementary_groups), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("PAMName", "s", NULL, offsetof(ExecContext, pam_name), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("ReadWriteDirectories", "as", NULL, offsetof(ExecContext, read_write_paths), SD_BUS_VTABLE_PROPERTY_CONST|SD_BUS_VTABLE_HIDDEN), @@ -840,6 +842,9 @@ int bus_exec_context_set_transient_property(                  if (r < 0)                          return r; +                if (!isempty(uu) && !valid_user_group_name_or_id(uu)) +                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid user name: %s", uu); +                  if (mode != UNIT_CHECK) {                          if (isempty(uu)) @@ -859,6 +864,9 @@ int bus_exec_context_set_transient_property(                  if (r < 0)                          return r; +                if (!isempty(gg) && !valid_user_group_name_or_id(gg)) +                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid group name: %s", gg); +                  if (mode != UNIT_CHECK) {                          if (isempty(gg)) @@ -1061,7 +1069,8 @@ int bus_exec_context_set_transient_property(          } else if (STR_IN_SET(name,                                "IgnoreSIGPIPE", "TTYVHangup", "TTYReset",                                "PrivateTmp", "PrivateDevices", "PrivateNetwork", -                              "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", "RestrictRealtime")) { +                              "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", +                              "RestrictRealtime", "DynamicUser")) {                  int b;                  r = sd_bus_message_read(message, "b", &b); @@ -1089,6 +1098,8 @@ int bus_exec_context_set_transient_property(                                  c->memory_deny_write_execute = b;                          else if (streq(name, "RestrictRealtime"))                                  c->restrict_realtime = b; +                        else if (streq(name, "DynamicUser")) +                                c->dynamic_user = b;                          unit_write_drop_in_private_format(u, mode, name, "%s=%s", name, yes_no(b));                  } diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index d05968bd65..ef05a75a8b 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -43,6 +43,7 @@  #include "string-util.h"  #include "strv.h"  #include "syslog-util.h" +#include "user-util.h"  #include "virt.h"  #include "watchdog.h" @@ -1511,8 +1512,8 @@ static int method_unset_and_set_environment(sd_bus_message *message, void *userd  }  static int method_set_exit_code(sd_bus_message *message, void *userdata, sd_bus_error *error) { -        uint8_t code;          Manager *m = userdata; +        uint8_t code;          int r;          assert(message); @@ -1534,6 +1535,61 @@ static int method_set_exit_code(sd_bus_message *message, void *userdata, sd_bus_          return sd_bus_reply_method_return(message, NULL);  } +static int method_lookup_dynamic_user_by_name(sd_bus_message *message, void *userdata, sd_bus_error *error) { +        Manager *m = userdata; +        const char *name; +        uid_t uid; +        int r; + +        assert(message); +        assert(m); + +        r = sd_bus_message_read_basic(message, 's', &name); +        if (r < 0) +                return r; + +        if (!MANAGER_IS_SYSTEM(m)) +                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Dynamic users are only supported in the system instance."); +        if (!valid_user_group_name(name)) +                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "User name invalid: %s", name); + +        r = dynamic_user_lookup_name(m, name, &uid); +        if (r == -ESRCH) +                return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_DYNAMIC_USER, "Dynamic user %s does not exist.", name); +        if (r < 0) +                return r; + +        return sd_bus_reply_method_return(message, "u", (uint32_t) uid); +} + +static int method_lookup_dynamic_user_by_uid(sd_bus_message *message, void *userdata, sd_bus_error *error) { +        _cleanup_free_ char *name = NULL; +        Manager *m = userdata; +        uid_t uid; +        int r; + +        assert(message); +        assert(m); + +        assert_cc(sizeof(uid) == sizeof(uint32_t)); +        r = sd_bus_message_read_basic(message, 'u', &uid); +        if (r < 0) +                return r; + +        if (!MANAGER_IS_SYSTEM(m)) +                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Dynamic users are only supported in the system instance."); +        if (!uid_is_valid(uid)) +                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "User ID invalid: " UID_FMT, uid); + +        r = dynamic_user_lookup_uid(m, uid, &name); +        if (r == -ESRCH) +                return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_DYNAMIC_USER, "Dynamic user ID " UID_FMT " does not exist.", uid); +        if (r < 0) +                return r; + +        return sd_bus_reply_method_return(message, "s", name); +} +  static int list_unit_files_by_patterns(sd_bus_message *message, void *userdata, sd_bus_error *error, char **states, char **patterns) {          _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;          Manager *m = userdata; @@ -2199,6 +2255,8 @@ const sd_bus_vtable bus_manager_vtable[] = {          SD_BUS_METHOD("PresetAllUnitFiles", "sbb", "a(sss)", method_preset_all_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),          SD_BUS_METHOD("AddDependencyUnitFiles", "asssbb", "a(sss)", method_add_dependency_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),          SD_BUS_METHOD("SetExitCode", "y", NULL, method_set_exit_code, SD_BUS_VTABLE_UNPRIVILEGED), +        SD_BUS_METHOD("LookupDynamicUserByName", "s", "u", method_lookup_dynamic_user_by_name, SD_BUS_VTABLE_UNPRIVILEGED), +        SD_BUS_METHOD("LookupDynamicUserByUID", "u", "s", method_lookup_dynamic_user_by_uid, SD_BUS_VTABLE_UNPRIVILEGED),          SD_BUS_SIGNAL("UnitNew", "so", 0),          SD_BUS_SIGNAL("UnitRemoved", "so", 0), diff --git a/src/core/dynamic-user.c b/src/core/dynamic-user.c new file mode 100644 index 0000000000..8035bee231 --- /dev/null +++ b/src/core/dynamic-user.c @@ -0,0 +1,763 @@ +/*** +  This file is part of systemd. + +  Copyright 2016 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <grp.h> +#include <pwd.h> +#include <sys/file.h> + +#include "dynamic-user.h" +#include "fd-util.h" +#include "fs-util.h" +#include "parse-util.h" +#include "random-util.h" +#include "stdio-util.h" +#include "string-util.h" +#include "user-util.h" +#include "fileio.h" + +/* Let's pick a UIDs within the 16bit range, so that we are compatible with containers using 16bit user namespacing. At + * least on Fedora normal users are allocated until UID 60000, hence do not allocate from below this. Also stay away + * from the upper end of the range as that is often used for overflow/nobody users. */ +#define UID_PICK_MIN ((uid_t) UINT32_C(0x0000EF00)) +#define UID_PICK_MAX ((uid_t) UINT32_C(0x0000FFEF)) + +/* Takes a value generated randomly or by hashing and turns it into a UID in the right range */ +#define UID_CLAMP_INTO_RANGE(rnd) (((uid_t) (rnd) % (UID_PICK_MAX - UID_PICK_MIN + 1)) + UID_PICK_MIN) + +static DynamicUser* dynamic_user_free(DynamicUser *d) { +        if (!d) +                return NULL; + +        if (d->manager) +                (void) hashmap_remove(d->manager->dynamic_users, d->name); + +        safe_close_pair(d->storage_socket); +        free(d); + +        return NULL; +} + +static int dynamic_user_add(Manager *m, const char *name, int storage_socket[2], DynamicUser **ret) { +        DynamicUser *d = NULL; +        int r; + +        assert(m); +        assert(name); +        assert(storage_socket); + +        r = hashmap_ensure_allocated(&m->dynamic_users, &string_hash_ops); +        if (r < 0) +                return r; + +        d = malloc0(offsetof(DynamicUser, name) + strlen(name) + 1); +        if (!d) +                return -ENOMEM; + +        strcpy(d->name, name); + +        d->storage_socket[0] = storage_socket[0]; +        d->storage_socket[1] = storage_socket[1]; + +        r = hashmap_put(m->dynamic_users, d->name, d); +        if (r < 0) { +                free(d); +                return r; +        } + +        d->manager = m; + +        if (ret) +                *ret = d; + +        return 0; +} + +int dynamic_user_acquire(Manager *m, const char *name, DynamicUser** ret) { +        _cleanup_close_pair_ int storage_socket[2] = { -1, -1 }; +        DynamicUser *d; +        int r; + +        assert(m); +        assert(name); + +        /* Return the DynamicUser structure for a specific user name. Note that this won't actually allocate a UID for +         * it, but just prepare the data structure for it. The UID is allocated only on demand, when it's really +         * needed, and in the child process we fork off, since allocation involves NSS checks which are not OK to do +         * from PID 1. To allow the children and PID 1 share information about allocated UIDs we use an anonymous +         * AF_UNIX/SOCK_DGRAM socket (called the "storage socket") that contains at most one datagram with the +         * allocated UID number, plus an fd referencing the lock file for the UID +         * (i.e. /run/systemd/dynamic-uid/$UID). Why involve the socket pair? So that PID 1 and all its children can +         * share the same storage for the UID and lock fd, simply by inheriting the storage socket fds. The socket pair +         * may exist in three different states: +         * +         * a) no datagram stored. This is the initial state. In this case the dynamic user was never realized. +         * +         * b) a datagram containing a UID stored, but no lock fd attached to it. In this case there was already a +         *    statically assigned UID by the same name, which we are reusing. +         * +         * c) a datagram containing a UID stored, and a lock fd is attached to it. In this case we allocated a dynamic +         *    UID and locked it in the file system, using the lock fd. +         * +         * As PID 1 and various children might access the socket pair simultaneously, and pop the datagram or push it +         * back in any time, we also maintain a lock on the socket pair. Note one peculiarity regarding locking here: +         * the UID lock on disk is protected via a BSD file lock (i.e. an fd-bound lock), so that the lock is kept in +         * place as long as there's a reference to the fd open. The lock on the storage socket pair however is a POSIX +         * file lock (i.e. a process-bound lock), as all users share the same fd of this (after all it is anonymous, +         * nobody else could get any access to it except via our own fd) and we want to synchronize access between all +         * processes that have access to it. */ + +        d = hashmap_get(m->dynamic_users, name); +        if (d) { +                /* We already have a structure for the dynamic user, let's increase the ref count and reuse it */ +                d->n_ref++; +                *ret = d; +                return 0; +        } + +        if (!valid_user_group_name_or_id(name)) +                return -EINVAL; + +        if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, storage_socket) < 0) +                return -errno; + +        r = dynamic_user_add(m, name, storage_socket, &d); +        if (r < 0) +                return r; + +        storage_socket[0] = storage_socket[1] = -1; + +        if (ret) { +                d->n_ref++; +                *ret = d; +        } + +        return 1; +} + +static int pick_uid(const char *name, uid_t *ret_uid) { + +        static const uint8_t hash_key[] = { +                0x37, 0x53, 0x7e, 0x31, 0xcf, 0xce, 0x48, 0xf5, +                0x8a, 0xbb, 0x39, 0x57, 0x8d, 0xd9, 0xec, 0x59 +        }; + +        unsigned n_tries = 100; +        uid_t candidate; +        int r; + +        /* A static user by this name does not exist yet. Let's find a free ID then, and use that. We start with a UID +         * generated as hash from the user name. */ +        candidate = UID_CLAMP_INTO_RANGE(siphash24(name, strlen(name), hash_key)); + +        (void) mkdir("/run/systemd/dynamic-uid", 0755); + +        for (;;) { +                char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; +                _cleanup_close_ int lock_fd = -1; +                ssize_t l; + +                if (--n_tries <= 0) /* Give up retrying eventually */ +                        return -EBUSY; + +                if (candidate < UID_PICK_MIN || candidate > UID_PICK_MAX) +                        goto next; + +                xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, candidate); + +                for (;;) { +                        struct stat st; + +                        lock_fd = open(lock_path, O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, 0600); +                        if (lock_fd < 0) +                                return -errno; + +                        r = flock(lock_fd, LOCK_EX|LOCK_NB); /* Try to get a BSD file lock on the UID lock file */ +                        if (r < 0) { +                                if (errno == EBUSY || errno == EAGAIN) +                                        goto next; /* already in use */ + +                                return -errno; +                        } + +                        if (fstat(lock_fd, &st) < 0) +                                return -errno; +                        if (st.st_nlink > 0) +                                break; + +                        /* Oh, bummer, we got got the lock, but the file was unlinked between the time we opened it and +                         * got the lock. Close it, and try again. */ +                        lock_fd = safe_close(lock_fd); +                } + +                /* Some superficial check whether this UID/GID might already be taken by some static user */ +                if (getpwuid(candidate) || getgrgid((gid_t) candidate)) { +                        (void) unlink(lock_path); +                        goto next; +                } + +                /* Let's store the user name in the lock file, so that we can use it for looking up the username for a UID */ +                l = pwritev(lock_fd, +                            (struct iovec[2]) { +                                    { .iov_base = (char*) name, .iov_len = strlen(name) }, +                                    { .iov_base = (char[1]) { '\n' }, .iov_len = 1 } +                            }, 2, 0); +                if (l < 0) { +                        (void) unlink(lock_path); +                        return -errno; +                } + +                (void) ftruncate(lock_fd, l); + +                *ret_uid = candidate; +                r = lock_fd; +                lock_fd = -1; + +                return r; + +        next: +                /* Pick another random UID, and see if that works for us. */ +                random_bytes(&candidate, sizeof(candidate)); +                candidate = UID_CLAMP_INTO_RANGE(candidate); +        } +} + +static int dynamic_user_pop(DynamicUser *d, uid_t *ret_uid, int *ret_lock_fd) { +        uid_t uid = UID_INVALID; +        struct iovec iov = { +                .iov_base = &uid, +                .iov_len = sizeof(uid), +        }; +        union { +                struct cmsghdr cmsghdr; +                uint8_t buf[CMSG_SPACE(sizeof(int))]; +        } control = {}; +        struct msghdr mh = { +                .msg_control = &control, +                .msg_controllen = sizeof(control), +                .msg_iov = &iov, +                .msg_iovlen = 1, +        }; +        struct cmsghdr *cmsg; + +        ssize_t k; +        int lock_fd = -1; + +        assert(d); +        assert(ret_uid); +        assert(ret_lock_fd); + +        /* Read the UID and lock fd that is stored in the storage AF_UNIX socket. This should be called with the lock +         * on the socket taken. */ + +        k = recvmsg(d->storage_socket[0], &mh, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC); +        if (k < 0) +                return -errno; + +        cmsg = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int))); +        if (cmsg) +                lock_fd = *(int*) CMSG_DATA(cmsg); +        else +                cmsg_close_all(&mh); /* just in case... */ + +        *ret_uid = uid; +        *ret_lock_fd = lock_fd; + +        return 0; +} + +static int dynamic_user_push(DynamicUser *d, uid_t uid, int lock_fd) { +        struct iovec iov = { +                .iov_base = &uid, +                .iov_len = sizeof(uid), +        }; +        union { +                struct cmsghdr cmsghdr; +                uint8_t buf[CMSG_SPACE(sizeof(int))]; +        } control = {}; +        struct msghdr mh = { +                .msg_control = &control, +                .msg_controllen = sizeof(control), +                .msg_iov = &iov, +                .msg_iovlen = 1, +        }; +        ssize_t k; + +        assert(d); + +        /* Store the UID and lock_fd in the storage socket. This should be called with the socket pair lock taken. */ + +        if (lock_fd >= 0) { +                struct cmsghdr *cmsg; + +                cmsg = CMSG_FIRSTHDR(&mh); +                cmsg->cmsg_level = SOL_SOCKET; +                cmsg->cmsg_type = SCM_RIGHTS; +                cmsg->cmsg_len = CMSG_LEN(sizeof(int)); +                memcpy(CMSG_DATA(cmsg), &lock_fd, sizeof(int)); + +                mh.msg_controllen = CMSG_SPACE(sizeof(int)); +        } else { +                mh.msg_control = NULL; +                mh.msg_controllen = 0; +        } + +        k = sendmsg(d->storage_socket[1], &mh, MSG_DONTWAIT|MSG_NOSIGNAL); +        if (k < 0) +                return -errno; + +        return 0; +} + +static void unlink_uid_lock(int lock_fd, uid_t uid) { +        char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; + +        if (lock_fd < 0) +                return; + +        xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); +        (void) unlink_noerrno(lock_path); +} + +int dynamic_user_realize(DynamicUser *d, uid_t *ret) { + +        _cleanup_close_ int etc_passwd_lock_fd = -1, uid_lock_fd = -1; +        uid_t uid = UID_INVALID; +        int r; + +        assert(d); + +        /* Acquire a UID for the user name. This will allocate a UID for the user name if the user doesn't exist +         * yet. If it already exists its existing UID/GID will be reused. */ + +        if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) +                return -errno; + +        r = dynamic_user_pop(d, &uid, &uid_lock_fd); +        if (r < 0) { +                int new_uid_lock_fd; +                uid_t new_uid; + +                if (r != -EAGAIN) +                        goto finish; + +                /* OK, nothing stored yet, let's try to find something useful. While we are working on this release the +                 * lock however, so that nobody else blocks on our NSS lookups. */ +                (void) lockf(d->storage_socket[0], F_ULOCK, 0); + +                /* Let's see if a proper, static user or group by this name exists. Try to take the lock on +                 * /etc/passwd, if that fails with EROFS then /etc is read-only. In that case it's fine if we don't +                 * take the lock, given that users can't be added there anyway in this case. */ +                etc_passwd_lock_fd = take_etc_passwd_lock(NULL); +                if (etc_passwd_lock_fd < 0 && etc_passwd_lock_fd != -EROFS) +                        return etc_passwd_lock_fd; + +                /* First, let's parse this as numeric UID */ +                r = parse_uid(d->name, &uid); +                if (r < 0) { +                        struct passwd *p; +                        struct group *g; + +                        /* OK, this is not a numeric UID. Let's see if there's a user by this name */ +                        p = getpwnam(d->name); +                        if (p) +                                uid = p->pw_uid; + +                        /* Let's see if there's a group by this name */ +                        g = getgrnam(d->name); +                        if (g) { +                                /* If the UID/GID of the user/group of the same don't match, refuse operation */ +                                if (uid != UID_INVALID && uid != (uid_t) g->gr_gid) +                                        return -EILSEQ; + +                                uid = (uid_t) g->gr_gid; +                        } +                } + +                if (uid == UID_INVALID) { +                        /* No static UID assigned yet, excellent. Let's pick a new dynamic one, and lock it. */ + +                        uid_lock_fd = pick_uid(d->name, &uid); +                        if (uid_lock_fd < 0) +                                return uid_lock_fd; +                } + +                /* So, we found a working UID/lock combination. Let's see if we actually still need it. */ +                if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) { +                        unlink_uid_lock(uid_lock_fd, uid); +                        return -errno; +                } + +                r = dynamic_user_pop(d, &new_uid, &new_uid_lock_fd); +                if (r < 0) { +                        if (r != -EAGAIN) { +                                /* OK, something bad happened, let's get rid of the bits we acquired. */ +                                unlink_uid_lock(uid_lock_fd, uid); +                                goto finish; +                        } + +                        /* Great! Nothing is stored here, still. Store our newly acquired data. */ +                } else { +                        /* Hmm, so as it appears there's now something stored in the storage socket. Throw away what we +                         * acquired, and use what's stored now. */ + +                        unlink_uid_lock(uid_lock_fd, uid); +                        safe_close(uid_lock_fd); + +                        uid = new_uid; +                        uid_lock_fd = new_uid_lock_fd; +                } +        } + +        /* If the UID/GID was already allocated dynamically, push the data we popped out back in. If it was already +         * allocated statically, push the UID back too, but do not push the lock fd in. If we allocated the UID +         * dynamically right here, push that in along with the lock fd for it. */ +        r = dynamic_user_push(d, uid, uid_lock_fd); +        if (r < 0) +                goto finish; + +        *ret = uid; +        r = 0; + +finish: +        (void) lockf(d->storage_socket[0], F_ULOCK, 0); +        return r; +} + +int dynamic_user_current(DynamicUser *d, uid_t *ret) { +        _cleanup_close_ int lock_fd = -1; +        uid_t uid; +        int r; + +        assert(d); +        assert(ret); + +        /* Get the currently assigned UID for the user, if there's any. This simply pops the data from the storage socket, and pushes it back in right-away. */ + +        if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) +                return -errno; + +        r = dynamic_user_pop(d, &uid, &lock_fd); +        if (r < 0) +                goto finish; + +        r = dynamic_user_push(d, uid, lock_fd); +        if (r < 0) +                goto finish; + +        *ret = uid; +        r = 0; + +finish: +        (void) lockf(d->storage_socket[0], F_ULOCK, 0); +        return r; +} + +DynamicUser* dynamic_user_ref(DynamicUser *d) { +        if (!d) +                return NULL; + +        assert(d->n_ref > 0); +        d->n_ref++; + +        return d; +} + +DynamicUser* dynamic_user_unref(DynamicUser *d) { +        if (!d) +                return NULL; + +        /* Note that this doesn't actually release any resources itself. If a dynamic user should be fully destroyed +         * and its UID released, use dynamic_user_destroy() instead. NB: the dynamic user table may contain entries +         * with no references, which is commonly the case right before a daemon reload. */ + +        assert(d->n_ref > 0); +        d->n_ref--; + +        return NULL; +} + +static int dynamic_user_close(DynamicUser *d) { +        _cleanup_close_ int lock_fd = -1; +        uid_t uid; +        int r; + +        /* Release the user ID, by releasing the lock on it, and emptying the storage socket. After this the user is +         * unrealized again, much like it was after it the DynamicUser object was first allocated. */ + +        if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) +                return -errno; + +        r = dynamic_user_pop(d, &uid, &lock_fd); +        if (r == -EAGAIN) { +                /* User wasn't realized yet, nothing to do. */ +                r = 0; +                goto finish; +        } +        if (r < 0) +                goto finish; + +        /* This dynamic user was realized and dynamically allocated. In this case, let's remove the lock file. */ +        unlink_uid_lock(lock_fd, uid); +        r = 1; + +finish: +        (void) lockf(d->storage_socket[0], F_ULOCK, 0); +        return r; +} + +DynamicUser* dynamic_user_destroy(DynamicUser *d) { +        if (!d) +                return NULL; + +        /* Drop a reference to a DynamicUser object, and destroy the user completely if this was the last +         * reference. This is called whenever a service is shut down and wants its dynamic UID gone. Note that +         * dynamic_user_unref() is what is called whenever a service is simply freed, for example during a reload +         * cycle, where the dynamic users should not be destroyed, but our datastructures should. */ + +        dynamic_user_unref(d); + +        if (d->n_ref > 0) +                return NULL; + +        (void) dynamic_user_close(d); +        return dynamic_user_free(d); +} + +int dynamic_user_serialize(Manager *m, FILE *f, FDSet *fds) { +        DynamicUser *d; +        Iterator i; + +        assert(m); +        assert(f); +        assert(fds); + +        /* Dump the dynamic user database into the manager serialization, to deal with daemon reloads. */ + +        HASHMAP_FOREACH(d, m->dynamic_users, i) { +                int copy0, copy1; + +                copy0 = fdset_put_dup(fds, d->storage_socket[0]); +                if (copy0 < 0) +                        return copy0; + +                copy1 = fdset_put_dup(fds, d->storage_socket[1]); +                if (copy1 < 0) +                        return copy1; + +                fprintf(f, "dynamic-user=%s %i %i\n", d->name, copy0, copy1); +        } + +        return 0; +} + +void dynamic_user_deserialize_one(Manager *m, const char *value, FDSet *fds) { +        _cleanup_free_ char *name = NULL, *s0 = NULL, *s1 = NULL; +        int r, fd0, fd1; + +        assert(m); +        assert(value); +        assert(fds); + +        /* Parse the serialization again, after a daemon reload */ + +        r = extract_many_words(&value, NULL, 0, &name, &s0, &s1, NULL); +        if (r != 3 || !isempty(value)) { +                log_debug("Unable to parse dynamic user line."); +                return; +        } + +        if (safe_atoi(s0, &fd0) < 0 || !fdset_contains(fds, fd0)) { +                log_debug("Unable to process dynamic user fd specification."); +                return; +        } + +        if (safe_atoi(s1, &fd1) < 0 || !fdset_contains(fds, fd1)) { +                log_debug("Unable to process dynamic user fd specification."); +                return; +        } + +        r = dynamic_user_add(m, name, (int[]) { fd0, fd1 }, NULL); +        if (r < 0) { +                log_debug_errno(r, "Failed to add dynamic user: %m"); +                return; +        } + +        (void) fdset_remove(fds, fd0); +        (void) fdset_remove(fds, fd1); +} + +void dynamic_user_vacuum(Manager *m, bool close_user) { +        DynamicUser *d; +        Iterator i; + +        assert(m); + +        /* Empty the dynamic user database, optionally cleaning up orphaned dynamic users, i.e. destroy and free users +         * to which no reference exist. This is called after a daemon reload finished, in order to destroy users which +         * might not be referenced anymore. */ + +        HASHMAP_FOREACH(d, m->dynamic_users, i) { +                if (d->n_ref > 0) +                        continue; + +                if (close_user) { +                        log_debug("Removing orphaned dynamic user %s", d->name); +                        (void) dynamic_user_close(d); +                } + +                dynamic_user_free(d); +        } +} + +int dynamic_user_lookup_uid(Manager *m, uid_t uid, char **ret) { +        char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; +        _cleanup_free_ char *user = NULL; +        uid_t check_uid; +        int r; + +        assert(m); +        assert(ret); + +        /* A friendly way to translate a dynamic user's UID into a his name. */ + +        if (uid < UID_PICK_MIN) +                return -ESRCH; +        if (uid > UID_PICK_MAX) +                return -ESRCH; + +        xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); +        r = read_one_line_file(lock_path, &user); +        if (r == -ENOENT) +                return -ESRCH; +        if (r < 0) +                return r; + +        /* The lock file might be stale, hence let's verify the data before we return it */ +        r = dynamic_user_lookup_name(m, user, &check_uid); +        if (r < 0) +                return r; +        if (check_uid != uid) /* lock file doesn't match our own idea */ +                return -ESRCH; + +        *ret = user; +        user = NULL; + +        return 0; +} + +int dynamic_user_lookup_name(Manager *m, const char *name, uid_t *ret) { +        DynamicUser *d; +        int r; + +        assert(m); +        assert(name); +        assert(ret); + +        /* A friendly call for translating a dynamic user's name into its UID */ + +        d = hashmap_get(m->dynamic_users, name); +        if (!d) +                return -ESRCH; + +        r = dynamic_user_current(d, ret); +        if (r == -EAGAIN) /* not realized yet? */ +                return -ESRCH; + +        return r; +} + +int dynamic_creds_acquire(DynamicCreds *creds, Manager *m, const char *user, const char *group) { +        bool acquired = false; +        int r; + +        assert(creds); +        assert(m); + +        /* A DynamicUser object encapsulates an allocation of both a UID and a GID for a specific name. However, some +         * services use different user and groups. For cases like that there's DynamicCreds containing a pair of user +         * and group. This call allocates a pair. */ + +        if (!creds->user && user) { +                r = dynamic_user_acquire(m, user, &creds->user); +                if (r < 0) +                        return r; + +                acquired = true; +        } + +        if (!creds->group) { + +                if (creds->user && (!group || streq_ptr(user, group))) +                        creds->group = dynamic_user_ref(creds->user); +                else { +                        r = dynamic_user_acquire(m, group, &creds->group); +                        if (r < 0) { +                                if (acquired) +                                        creds->user = dynamic_user_unref(creds->user); +                                return r; +                        } +                } +        } + +        return 0; +} + +int dynamic_creds_realize(DynamicCreds *creds, uid_t *uid, gid_t *gid) { +        uid_t u = UID_INVALID; +        gid_t g = GID_INVALID; +        int r; + +        assert(creds); +        assert(uid); +        assert(gid); + +        /* Realize both the referenced user and group */ + +        if (creds->user) { +                r = dynamic_user_realize(creds->user, &u); +                if (r < 0) +                        return r; +        } + +        if (creds->group && creds->group != creds->user) { +                r = dynamic_user_realize(creds->group, &g); +                if (r < 0) +                        return r; +        } else +                g = u; + +        *uid = u; +        *gid = g; + +        return 0; +} + +void dynamic_creds_unref(DynamicCreds *creds) { +        assert(creds); + +        creds->user = dynamic_user_unref(creds->user); +        creds->group = dynamic_user_unref(creds->group); +} + +void dynamic_creds_destroy(DynamicCreds *creds) { +        assert(creds); + +        creds->user = dynamic_user_destroy(creds->user); +        creds->group = dynamic_user_destroy(creds->group); +} diff --git a/src/core/dynamic-user.h b/src/core/dynamic-user.h new file mode 100644 index 0000000000..0b8bce1a72 --- /dev/null +++ b/src/core/dynamic-user.h @@ -0,0 +1,66 @@ +#pragma once + +/*** +  This file is part of systemd. + +  Copyright 2016 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +typedef struct DynamicUser DynamicUser; + +typedef struct DynamicCreds { +        /* A combination of a dynamic user and group */ +        DynamicUser *user; +        DynamicUser *group; +} DynamicCreds; + +#include "manager.h" + +/* Note that this object always allocates a pair of user and group under the same name, even if one of them isn't + * used. This means, if you want to allocate a group and user pair, and they might have two different names, then you + * need to allocated two of these objects. DynamicCreds below makes that easy. */ +struct DynamicUser { +        int n_ref; +        Manager *manager; + +        /* An AF_UNIX socket pair that contains a datagram containing both the numeric ID assigned, as well as a lock +         * file fd locking the user ID we picked. */ +        int storage_socket[2]; + +        char name[]; +}; + +int dynamic_user_acquire(Manager *m, const char *name, DynamicUser **ret); + +int dynamic_user_realize(DynamicUser *d, uid_t *ret); +int dynamic_user_current(DynamicUser *d, uid_t *ret); + +DynamicUser* dynamic_user_ref(DynamicUser *d); +DynamicUser* dynamic_user_unref(DynamicUser *d); +DynamicUser* dynamic_user_destroy(DynamicUser *d); + +int dynamic_user_serialize(Manager *m, FILE *f, FDSet *fds); +void dynamic_user_deserialize_one(Manager *m, const char *value, FDSet *fds); +void dynamic_user_vacuum(Manager *m, bool close_user); + +int dynamic_user_lookup_uid(Manager *m, uid_t uid, char **ret); +int dynamic_user_lookup_name(Manager *m, const char *name, uid_t *ret); + +int dynamic_creds_acquire(DynamicCreds *creds, Manager *m, const char *user, const char *group); +int dynamic_creds_realize(DynamicCreds *creds, uid_t *uid, gid_t *gid); + +void dynamic_creds_unref(DynamicCreds *creds); +void dynamic_creds_destroy(DynamicCreds *creds); diff --git a/src/core/execute.c b/src/core/execute.c index 7c178b97c3..26e9cd5339 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1526,14 +1526,28 @@ static bool exec_needs_mount_namespace(          return false;  } +static void append_socket_pair(int *array, unsigned *n, int pair[2]) { +        assert(array); +        assert(n); + +        if (!pair) +                return; + +        if (pair[0] >= 0) +                array[(*n)++] = pair[0]; +        if (pair[1] >= 0) +                array[(*n)++] = pair[1]; +} +  static int close_remaining_fds(                  const ExecParameters *params,                  ExecRuntime *runtime, +                DynamicCreds *dcreds,                  int socket_fd,                  int *fds, unsigned n_fds) {          unsigned n_dont_close = 0; -        int dont_close[n_fds + 7]; +        int dont_close[n_fds + 11];          assert(params); @@ -1551,11 +1565,14 @@ static int close_remaining_fds(                  n_dont_close += n_fds;          } -        if (runtime) { -                if (runtime->netns_storage_socket[0] >= 0) -                        dont_close[n_dont_close++] = runtime->netns_storage_socket[0]; -                if (runtime->netns_storage_socket[1] >= 0) -                        dont_close[n_dont_close++] = runtime->netns_storage_socket[1]; +        if (runtime) +                append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket); + +        if (dcreds) { +                if (dcreds->user) +                        append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket); +                if (dcreds->group) +                        append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);          }          return close_all_fds(dont_close, n_dont_close); @@ -1567,6 +1584,7 @@ static int exec_child(                  const ExecContext *context,                  const ExecParameters *params,                  ExecRuntime *runtime, +                DynamicCreds *dcreds,                  char **argv,                  int socket_fd,                  int *fds, unsigned n_fds, @@ -1617,7 +1635,7 @@ static int exec_child(          log_forget_fds(); -        r = close_remaining_fds(params, runtime, socket_fd, fds, n_fds); +        r = close_remaining_fds(params, runtime, dcreds, socket_fd, fds, n_fds);          if (r < 0) {                  *exit_status = EXIT_FDS;                  return r; @@ -1650,25 +1668,48 @@ static int exec_child(                  }          } -        if (context->user) { -                username = context->user; -                r = get_user_creds(&username, &uid, &gid, &home, &shell); +        if (context->dynamic_user && dcreds) { + +                /* Make sure we bypass our own NSS module for any NSS checks */ +                if (putenv((char*) "SYSTEMD_NSS_DYNAMIC_BYPASS=1") != 0) { +                        *exit_status = EXIT_USER; +                        return -errno; +                } + +                r = dynamic_creds_realize(dcreds, &uid, &gid);                  if (r < 0) {                          *exit_status = EXIT_USER;                          return r;                  } -        } -        if (context->group) { -                const char *g = context->group; +                if (uid == UID_INVALID || gid == GID_INVALID) { +                        *exit_status = EXIT_USER; +                        return -ESRCH; +                } -                r = get_group_creds(&g, &gid); -                if (r < 0) { -                        *exit_status = EXIT_GROUP; -                        return r; +                if (dcreds->user) +                        username = dcreds->user->name; + +        } else { +                if (context->user) { +                        username = context->user; +                        r = get_user_creds(&username, &uid, &gid, &home, &shell); +                        if (r < 0) { +                                *exit_status = EXIT_USER; +                                return r; +                        }                  } -        } +                if (context->group) { +                        const char *g = context->group; + +                        r = get_group_creds(&g, &gid); +                        if (r < 0) { +                                *exit_status = EXIT_GROUP; +                                return r; +                        } +                } +        }          /* If a socket is connected to STDIN/STDOUT/STDERR, we           * must sure to drop O_NONBLOCK */ @@ -2192,6 +2233,7 @@ int exec_spawn(Unit *unit,                 const ExecContext *context,                 const ExecParameters *params,                 ExecRuntime *runtime, +               DynamicCreds *dcreds,                 pid_t *ret) {          _cleanup_strv_free_ char **files_env = NULL; @@ -2250,6 +2292,7 @@ int exec_spawn(Unit *unit,                                 context,                                 params,                                 runtime, +                               dcreds,                                 argv,                                 socket_fd,                                 fds, n_fds, @@ -2723,6 +2766,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {          if (c->group)                  fprintf(f, "%sGroup: %s\n", prefix, c->group); +        fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user)); +          if (strv_length(c->supplementary_groups) > 0) {                  fprintf(f, "%sSupplementaryGroups:", prefix);                  strv_fprintf(f, c->supplementary_groups); diff --git a/src/core/execute.h b/src/core/execute.h index 189c4d0999..48cc18fbb3 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -92,6 +92,8 @@ struct ExecRuntime {          char *tmp_dir;          char *var_tmp_dir; +        /* An AF_UNIX socket pair, that contains a datagram containing a file descriptor referring to the network +         * namespace. */          int netns_storage_socket[2];  }; @@ -174,6 +176,8 @@ struct ExecContext {          bool no_new_privileges; +        bool dynamic_user; +          /* This is not exposed to the user but available           * internally. We need it to make sure that whenever we spawn           * /usr/bin/mount it is run in the same process group as us so @@ -235,12 +239,14 @@ struct ExecParameters {  };  #include "unit.h" +#include "dynamic-user.h"  int exec_spawn(Unit *unit,                 ExecCommand *command,                 const ExecContext *context,                 const ExecParameters *exec_params,                 ExecRuntime *runtime, +               DynamicCreds *dynamic_creds,                 pid_t *ret);  void exec_command_done(ExecCommand *c); diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index 6a5c16a000..c9cdbe8ba7 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -19,9 +19,9 @@ m4_dnl Define the context options only once  m4_define(`EXEC_CONTEXT_CONFIG_ITEMS',  `$1.WorkingDirectory,            config_parse_working_directory,     0,                             offsetof($1, exec_context)  $1.RootDirectory,                config_parse_unit_path_printf,      0,                             offsetof($1, exec_context.root_directory) -$1.User,                         config_parse_unit_string_printf,    0,                             offsetof($1, exec_context.user) -$1.Group,                        config_parse_unit_string_printf,    0,                             offsetof($1, exec_context.group) -$1.SupplementaryGroups,          config_parse_strv,                  0,                             offsetof($1, exec_context.supplementary_groups) +$1.User,                         config_parse_user_group,            0,                             offsetof($1, exec_context.user) +$1.Group,                        config_parse_user_group,            0,                             offsetof($1, exec_context.group) +$1.SupplementaryGroups,          config_parse_user_group_strv,       0,                             offsetof($1, exec_context.supplementary_groups)  $1.Nice,                         config_parse_exec_nice,             0,                             offsetof($1, exec_context)  $1.OOMScoreAdjust,               config_parse_exec_oom_score_adjust, 0,                             offsetof($1, exec_context)  $1.IOSchedulingClass,            config_parse_exec_io_class,         0,                             offsetof($1, exec_context) @@ -34,6 +34,7 @@ $1.UMask,                        config_parse_mode,                  0,  $1.Environment,                  config_parse_environ,               0,                             offsetof($1, exec_context.environment)  $1.EnvironmentFile,              config_parse_unit_env_file,         0,                             offsetof($1, exec_context.environment_files)  $1.PassEnvironment,              config_parse_pass_environ,          0,                             offsetof($1, exec_context.pass_environment) +$1.DynamicUser,                  config_parse_bool,                  0,                             offsetof($1, exec_context.dynamic_user)  $1.StandardInput,                config_parse_input,                 0,                             offsetof($1, exec_context.std_input)  $1.StandardOutput,               config_parse_output,                0,                             offsetof($1, exec_context.std_output)  $1.StandardError,                config_parse_output,                0,                             offsetof($1, exec_context.std_error) @@ -285,8 +286,8 @@ Socket.ExecStartPost,            config_parse_exec,                  SOCKET_EXEC  Socket.ExecStopPre,              config_parse_exec,                  SOCKET_EXEC_STOP_PRE,          offsetof(Socket, exec_command)  Socket.ExecStopPost,             config_parse_exec,                  SOCKET_EXEC_STOP_POST,         offsetof(Socket, exec_command)  Socket.TimeoutSec,               config_parse_sec,                   0,                             offsetof(Socket, timeout_usec) -Socket.SocketUser,               config_parse_unit_string_printf,    0,                             offsetof(Socket, user) -Socket.SocketGroup,              config_parse_unit_string_printf,    0,                             offsetof(Socket, group) +Socket.SocketUser,               config_parse_user_group,            0,                             offsetof(Socket, user) +Socket.SocketGroup,              config_parse_user_group,            0,                             offsetof(Socket, group)  Socket.SocketMode,               config_parse_mode,                  0,                             offsetof(Socket, socket_mode)  Socket.DirectoryMode,            config_parse_mode,                  0,                             offsetof(Socket, directory_mode)  Socket.Accept,                   config_parse_bool,                  0,                             offsetof(Socket, accept) diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index a36953f766..e8cb3a4249 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -64,6 +64,7 @@  #include "unit-name.h"  #include "unit-printf.h"  #include "unit.h" +#include "user-util.h"  #include "utf8.h"  #include "web-util.h" @@ -1763,6 +1764,123 @@ int config_parse_sec_fix_0(          return 0;  } +int config_parse_user_group( +                const char *unit, +                const char *filename, +                unsigned line, +                const char *section, +                unsigned section_line, +                const char *lvalue, +                int ltype, +                const char *rvalue, +                void *data, +                void *userdata) { + +        char **user = data, *n; +        Unit *u = userdata; +        int r; + +        assert(filename); +        assert(lvalue); +        assert(rvalue); +        assert(u); + +        if (isempty(rvalue)) +                n = NULL; +        else { +                _cleanup_free_ char *k = NULL; + +                r = unit_full_printf(u, rvalue, &k); +                if (r < 0) { +                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in %s, ignoring: %m", rvalue); +                        return 0; +                } + +                if (!valid_user_group_name_or_id(k)) { +                        log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid user/group name or numeric ID, ignoring: %s", k); +                        return 0; +                } + +                n = k; +                k = NULL; +        } + +        free(*user); +        *user = n; + +        return 0; +} + +int config_parse_user_group_strv( +                const char *unit, +                const char *filename, +                unsigned line, +                const char *section, +                unsigned section_line, +                const char *lvalue, +                int ltype, +                const char *rvalue, +                void *data, +                void *userdata) { + +        char ***users = data; +        Unit *u = userdata; +        const char *p; +        int r; + +        assert(filename); +        assert(lvalue); +        assert(rvalue); +        assert(u); + +        if (isempty(rvalue)) { +                char **empty; + +                empty = new0(char*, 1); +                if (!empty) +                        return log_oom(); + +                strv_free(*users); +                *users = empty; + +                return 0; +        } + +        p = rvalue; +        for (;;) { +                _cleanup_free_ char *word = NULL, *k = NULL; + +                r = extract_first_word(&p, &word, WHITESPACE, 0); +                if (r == 0) +                        break; +                if (r == -ENOMEM) +                        return log_oom(); +                if (r < 0) { +                        log_syntax(unit, LOG_ERR, filename, line, r, "Invalid syntax, ignoring: %s", rvalue); +                        break; +                } + +                r = unit_full_printf(u, word, &k); +                if (r < 0) { +                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers in %s, ignoring: %m", word); +                        continue; +                } + +                if (!valid_user_group_name_or_id(k)) { +                        log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid user/group name or numeric ID, ignoring: %s", k); +                        continue; +                } + +                r = strv_push(users, k); +                if (r < 0) +                        return log_oom(); + +                k = NULL; +        } + +        return 0; +} +  int config_parse_busname_service(                  const char *unit,                  const char *filename, diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h index b36a2e3a02..213bce55a7 100644 --- a/src/core/load-fragment.h +++ b/src/core/load-fragment.h @@ -111,6 +111,8 @@ int config_parse_exec_utmp_mode(const char *unit, const char *filename, unsigned  int config_parse_working_directory(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  int config_parse_fdname(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  int config_parse_sec_fix_0(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); +int config_parse_user_group(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); +int config_parse_user_group_strv(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  /* gperf prototypes */  const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length); diff --git a/src/core/manager.c b/src/core/manager.c index 4d84a0b37e..e41b65da50 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -1004,6 +1004,9 @@ Manager* manager_free(Manager *m) {          bus_done(m); +        dynamic_user_vacuum(m, false); +        hashmap_free(m->dynamic_users); +          hashmap_free(m->units);          hashmap_free(m->jobs);          hashmap_free(m->watch_pids1); @@ -1227,6 +1230,9 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) {          /* Third, fire things up! */          manager_coldplug(m); +        /* Release any dynamic users no longer referenced */ +        dynamic_user_vacuum(m, true); +          if (serialization) {                  assert(m->n_reloading > 0);                  m->n_reloading--; @@ -2403,6 +2409,10 @@ int manager_serialize(Manager *m, FILE *f, FDSet *fds, bool switching_root) {          bus_track_serialize(m->subscribed, f); +        r = dynamic_user_serialize(m, f, fds); +        if (r < 0) +                return r; +          fputc('\n', f);          HASHMAP_FOREACH_KEY(u, t, m->units, i) { @@ -2579,7 +2589,9 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {                                  m->kdbus_fd = fdset_remove(fds, fd);                          } -                } else { +                } else if (startswith(l, "dynamic-user=")) +                        dynamic_user_deserialize_one(m, l + 13, fds); +                else {                          int k;                          k = bus_track_deserialize_item(&m->deserialized_subscribed, l); @@ -2660,6 +2672,7 @@ int manager_reload(Manager *m) {          manager_clear_jobs_and_units(m);          lookup_paths_flush_generator(&m->lookup_paths);          lookup_paths_free(&m->lookup_paths); +        dynamic_user_vacuum(m, false);          q = lookup_paths_init(&m->lookup_paths, m->unit_file_scope, 0, NULL);          if (q < 0 && r >= 0) @@ -2696,6 +2709,9 @@ int manager_reload(Manager *m) {          /* Third, fire things up! */          manager_coldplug(m); +        /* Release any dynamic users no longer referenced */ +        dynamic_user_vacuum(m, true); +          /* Sync current state of bus names with our set of listening units */          if (m->api_bus)                  manager_sync_bus_names(m, m->api_bus); diff --git a/src/core/manager.h b/src/core/manager.h index 6ed15c1a41..c681d5dc46 100644 --- a/src/core/manager.h +++ b/src/core/manager.h @@ -298,6 +298,9 @@ struct Manager {          /* Used for processing polkit authorization responses */          Hashmap *polkit_registry; +        /* Dynamic users/groups, indexed by their name */ +        Hashmap *dynamic_users; +          /* When the user hits C-A-D more than 7 times per 2s, reboot immediately... */          RateLimit ctrl_alt_del_ratelimit; diff --git a/src/core/mount.c b/src/core/mount.c index fda4d65d6f..db5cafcb11 100644 --- a/src/core/mount.c +++ b/src/core/mount.c @@ -245,6 +245,8 @@ static void mount_done(Unit *u) {          exec_command_done_array(m->exec_command, _MOUNT_EXEC_COMMAND_MAX);          m->control_command = NULL; +        dynamic_creds_unref(&m->dynamic_creds); +          mount_unwatch_control_pid(m);          m->timer_event_source = sd_event_source_unref(m->timer_event_source); @@ -648,6 +650,9 @@ static int mount_coldplug(Unit *u) {                          return r;          } +        if (!IN_SET(new_state, MOUNT_DEAD, MOUNT_FAILED)) +                (void) unit_setup_dynamic_creds(u); +          mount_set_state(m, new_state);          return 0;  } @@ -716,6 +721,10 @@ static int mount_spawn(Mount *m, ExecCommand *c, pid_t *_pid) {          if (r < 0)                  return r; +        r = unit_setup_dynamic_creds(UNIT(m)); +        if (r < 0) +                return r; +          r = mount_arm_timer(m, usec_add(now(CLOCK_MONOTONIC), m->timeout_usec));          if (r < 0)                  return r; @@ -732,6 +741,7 @@ static int mount_spawn(Mount *m, ExecCommand *c, pid_t *_pid) {                         &m->exec_context,                         &exec_params,                         m->exec_runtime, +                       &m->dynamic_creds,                         &pid);          if (r < 0)                  return r; @@ -752,12 +762,14 @@ static void mount_enter_dead(Mount *m, MountResult f) {          if (f != MOUNT_SUCCESS)                  m->result = f; +        mount_set_state(m, m->result != MOUNT_SUCCESS ? MOUNT_FAILED : MOUNT_DEAD); +          exec_runtime_destroy(m->exec_runtime);          m->exec_runtime = exec_runtime_unref(m->exec_runtime);          exec_context_destroy_runtime_directory(&m->exec_context, manager_get_runtime_prefix(UNIT(m)->manager)); -        mount_set_state(m, m->result != MOUNT_SUCCESS ? MOUNT_FAILED : MOUNT_DEAD); +        dynamic_creds_destroy(&m->dynamic_creds);  }  static void mount_enter_mounted(Mount *m, MountResult f) { @@ -1817,6 +1829,7 @@ const UnitVTable mount_vtable = {          .cgroup_context_offset = offsetof(Mount, cgroup_context),          .kill_context_offset = offsetof(Mount, kill_context),          .exec_runtime_offset = offsetof(Mount, exec_runtime), +        .dynamic_creds_offset = offsetof(Mount, dynamic_creds),          .sections =                  "Unit\0" diff --git a/src/core/mount.h b/src/core/mount.h index da529c44f4..ac27b518cc 100644 --- a/src/core/mount.h +++ b/src/core/mount.h @@ -21,8 +21,8 @@  typedef struct Mount Mount; -#include "execute.h"  #include "kill.h" +#include "dynamic-user.h"  typedef enum MountExecCommand {          MOUNT_EXEC_MOUNT, @@ -85,6 +85,7 @@ struct Mount {          CGroupContext cgroup_context;          ExecRuntime *exec_runtime; +        DynamicCreds dynamic_creds;          MountState state, deserialized_state; diff --git a/src/core/service.c b/src/core/service.c index afb198507b..4d59d78ecb 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -322,6 +322,8 @@ static void service_done(Unit *u) {          s->control_command = NULL;          s->main_command = NULL; +        dynamic_creds_unref(&s->dynamic_creds); +          exit_status_set_free(&s->restart_prevent_status);          exit_status_set_free(&s->restart_force_status);          exit_status_set_free(&s->success_status); @@ -1030,6 +1032,9 @@ static int service_coldplug(Unit *u) {          if (IN_SET(s->deserialized_state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD))                  service_start_watchdog(s); +        if (!IN_SET(s->deserialized_state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART)) +                (void) unit_setup_dynamic_creds(u); +          service_set_state(s, s->deserialized_state);          return 0;  } @@ -1184,6 +1189,10 @@ static int service_spawn(          if (r < 0)                  return r; +        r = unit_setup_dynamic_creds(UNIT(s)); +        if (r < 0) +                return r; +          if (pass_fds ||              s->exec_context.std_input == EXEC_INPUT_SOCKET ||              s->exec_context.std_output == EXEC_OUTPUT_SOCKET || @@ -1285,6 +1294,7 @@ static int service_spawn(                         &s->exec_context,                         &exec_params,                         s->exec_runtime, +                       &s->dynamic_creds,                         &pid);          if (r < 0)                  return r; @@ -1418,9 +1428,12 @@ static void service_enter_dead(Service *s, ServiceResult f, bool allow_restart)          exec_runtime_destroy(s->exec_runtime);          s->exec_runtime = exec_runtime_unref(s->exec_runtime); -        /* Also, remove the runtime directory in */ +        /* Also, remove the runtime directory */          exec_context_destroy_runtime_directory(&s->exec_context, manager_get_runtime_prefix(UNIT(s)->manager)); +        /* Release the user, and destroy it if we are the only remaining owner */ +        dynamic_creds_destroy(&s->dynamic_creds); +          /* Try to delete the pid file. At this point it will be           * out-of-date, and some software might be confused by it, so           * let's remove it. */ @@ -3323,6 +3336,7 @@ const UnitVTable service_vtable = {          .cgroup_context_offset = offsetof(Service, cgroup_context),          .kill_context_offset = offsetof(Service, kill_context),          .exec_runtime_offset = offsetof(Service, exec_runtime), +        .dynamic_creds_offset = offsetof(Service, dynamic_creds),          .sections =                  "Unit\0" diff --git a/src/core/service.h b/src/core/service.h index cfef375b03..8e56e1acb9 100644 --- a/src/core/service.h +++ b/src/core/service.h @@ -148,6 +148,7 @@ struct Service {          /* Runtime data of the execution context */          ExecRuntime *exec_runtime; +        DynamicCreds dynamic_creds;          pid_t main_pid, control_pid;          int socket_fd; diff --git a/src/core/socket.c b/src/core/socket.c index e098055885..1ce41a1f07 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -150,6 +150,8 @@ static void socket_done(Unit *u) {          exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);          s->control_command = NULL; +        dynamic_creds_unref(&s->dynamic_creds); +          socket_unwatch_control_pid(s);          unit_ref_unset(&s->service); @@ -1602,6 +1604,9 @@ static int socket_coldplug(Unit *u) {                          return r;          } +        if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED)) +                (void) unit_setup_dynamic_creds(u); +          socket_set_state(s, s->deserialized_state);          return 0;  } @@ -1633,6 +1638,10 @@ static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {          if (r < 0)                  return r; +        r = unit_setup_dynamic_creds(UNIT(s)); +        if (r < 0) +                return r; +          r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));          if (r < 0)                  return r; @@ -1654,6 +1663,7 @@ static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {                         &s->exec_context,                         &exec_params,                         s->exec_runtime, +                       &s->dynamic_creds,                         &pid);          if (r < 0)                  return r; @@ -1757,12 +1767,14 @@ static void socket_enter_dead(Socket *s, SocketResult f) {          if (f != SOCKET_SUCCESS)                  s->result = f; +        socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD); +          exec_runtime_destroy(s->exec_runtime);          s->exec_runtime = exec_runtime_unref(s->exec_runtime);          exec_context_destroy_runtime_directory(&s->exec_context, manager_get_runtime_prefix(UNIT(s)->manager)); -        socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD); +        dynamic_creds_destroy(&s->dynamic_creds);  }  static void socket_enter_signal(Socket *s, SocketState state, SocketResult f); @@ -2930,6 +2942,7 @@ const UnitVTable socket_vtable = {          .cgroup_context_offset = offsetof(Socket, cgroup_context),          .kill_context_offset = offsetof(Socket, kill_context),          .exec_runtime_offset = offsetof(Socket, exec_runtime), +        .dynamic_creds_offset = offsetof(Socket, dynamic_creds),          .sections =                  "Unit\0" diff --git a/src/core/socket.h b/src/core/socket.h index 0f1ac69c6f..6c32d67bef 100644 --- a/src/core/socket.h +++ b/src/core/socket.h @@ -94,7 +94,9 @@ struct Socket {          ExecContext exec_context;          KillContext kill_context;          CGroupContext cgroup_context; +          ExecRuntime *exec_runtime; +        DynamicCreds dynamic_creds;          /* For Accept=no sockets refers to the one service we'll          activate. For Accept=yes sockets is either NULL, or filled diff --git a/src/core/swap.c b/src/core/swap.c index a532b15be8..66a318d01f 100644 --- a/src/core/swap.c +++ b/src/core/swap.c @@ -153,6 +153,8 @@ static void swap_done(Unit *u) {          exec_command_done_array(s->exec_command, _SWAP_EXEC_COMMAND_MAX);          s->control_command = NULL; +        dynamic_creds_unref(&s->dynamic_creds); +          swap_unwatch_control_pid(s);          s->timer_event_source = sd_event_source_unref(s->timer_event_source); @@ -553,6 +555,9 @@ static int swap_coldplug(Unit *u) {                          return r;          } +        if (!IN_SET(new_state, SWAP_DEAD, SWAP_FAILED)) +                (void) unit_setup_dynamic_creds(u); +          swap_set_state(s, new_state);          return 0;  } @@ -628,6 +633,10 @@ static int swap_spawn(Swap *s, ExecCommand *c, pid_t *_pid) {          if (r < 0)                  goto fail; +        r = unit_setup_dynamic_creds(UNIT(s)); +        if (r < 0) +                return r; +          r = swap_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));          if (r < 0)                  goto fail; @@ -644,6 +653,7 @@ static int swap_spawn(Swap *s, ExecCommand *c, pid_t *_pid) {                         &s->exec_context,                         &exec_params,                         s->exec_runtime, +                       &s->dynamic_creds,                         &pid);          if (r < 0)                  goto fail; @@ -668,12 +678,14 @@ static void swap_enter_dead(Swap *s, SwapResult f) {          if (f != SWAP_SUCCESS)                  s->result = f; +        swap_set_state(s, s->result != SWAP_SUCCESS ? SWAP_FAILED : SWAP_DEAD); +          exec_runtime_destroy(s->exec_runtime);          s->exec_runtime = exec_runtime_unref(s->exec_runtime);          exec_context_destroy_runtime_directory(&s->exec_context, manager_get_runtime_prefix(UNIT(s)->manager)); -        swap_set_state(s, s->result != SWAP_SUCCESS ? SWAP_FAILED : SWAP_DEAD); +        dynamic_creds_destroy(&s->dynamic_creds);  }  static void swap_enter_active(Swap *s, SwapResult f) { @@ -1466,6 +1478,7 @@ const UnitVTable swap_vtable = {          .cgroup_context_offset = offsetof(Swap, cgroup_context),          .kill_context_offset = offsetof(Swap, kill_context),          .exec_runtime_offset = offsetof(Swap, exec_runtime), +        .dynamic_creds_offset = offsetof(Swap, dynamic_creds),          .sections =                  "Unit\0" diff --git a/src/core/swap.h b/src/core/swap.h index fbf66debdc..b0ef50f1e8 100644 --- a/src/core/swap.h +++ b/src/core/swap.h @@ -82,6 +82,7 @@ struct Swap {          CGroupContext cgroup_context;          ExecRuntime *exec_runtime; +        DynamicCreds dynamic_creds;          SwapState state, deserialized_state; diff --git a/src/core/unit.c b/src/core/unit.c index 4934a0e56f..ff7c562fba 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -3224,6 +3224,33 @@ void unit_ref_unset(UnitRef *ref) {          ref->unit = NULL;  } +static int user_from_unit_name(Unit *u, char **ret) { + +        static const uint8_t hash_key[] = { +                0x58, 0x1a, 0xaf, 0xe6, 0x28, 0x58, 0x4e, 0x96, +                0xb4, 0x4e, 0xf5, 0x3b, 0x8c, 0x92, 0x07, 0xec +        }; + +        _cleanup_free_ char *n = NULL; +        int r; + +        r = unit_name_to_prefix(u->id, &n); +        if (r < 0) +                return r; + +        if (valid_user_group_name(n)) { +                *ret = n; +                n = NULL; +                return 0; +        } + +        /* If we can't use the unit name as a user name, then let's hash it and use that */ +        if (asprintf(ret, "_du%016" PRIx64, siphash24(n, strlen(n), hash_key)) < 0) +                return -ENOMEM; + +        return 0; +} +  int unit_patch_contexts(Unit *u) {          CGroupContext *cc;          ExecContext *ec; @@ -3268,6 +3295,22 @@ int unit_patch_contexts(Unit *u) {                  if (ec->private_devices)                          ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_MKNOD); + +                if (ec->dynamic_user) { +                        if (!ec->user) { +                                r = user_from_unit_name(u, &ec->user); +                                if (r < 0) +                                        return r; +                        } + +                        if (!ec->group) { +                                ec->group = strdup(ec->user); +                                if (!ec->group) +                                        return -ENOMEM; +                        } + +                        ec->private_tmp = true; +                }          }          cc = unit_get_cgroup_context(u); @@ -3776,6 +3819,26 @@ int unit_setup_exec_runtime(Unit *u) {          return exec_runtime_make(rt, unit_get_exec_context(u), u->id);  } +int unit_setup_dynamic_creds(Unit *u) { +        ExecContext *ec; +        DynamicCreds *dcreds; +        size_t offset; + +        assert(u); + +        offset = UNIT_VTABLE(u)->dynamic_creds_offset; +        assert(offset > 0); +        dcreds = (DynamicCreds*) ((uint8_t*) u + offset); + +        ec = unit_get_exec_context(u); +        assert(ec); + +        if (!ec->dynamic_user) +                return 0; + +        return dynamic_creds_acquire(dcreds, u->manager, ec->user, ec->group); +} +  bool unit_type_supported(UnitType t) {          if (_unlikely_(t < 0))                  return false; diff --git a/src/core/unit.h b/src/core/unit.h index 1eabfa51e2..47eb8d50a6 100644 --- a/src/core/unit.h +++ b/src/core/unit.h @@ -291,6 +291,10 @@ struct UnitVTable {           * that */          size_t exec_runtime_offset; +        /* If greater than 0, the offset into the object where the pointer to DynamicCreds is found, if the unit type +         * has that. */ +        size_t dynamic_creds_offset; +          /* The name of the configuration file section with the private settings of this unit */          const char *private_section; @@ -589,6 +593,7 @@ CGroupContext *unit_get_cgroup_context(Unit *u) _pure_;  ExecRuntime *unit_get_exec_runtime(Unit *u) _pure_;  int unit_setup_exec_runtime(Unit *u); +int unit_setup_dynamic_creds(Unit *u);  int unit_write_drop_in(Unit *u, UnitSetPropertiesMode mode, const char *name, const char *data);  int unit_write_drop_in_format(Unit *u, UnitSetPropertiesMode mode, const char *name, const char *format, ...) _printf_(4,5); diff --git a/src/libsystemd/sd-bus/bus-common-errors.c b/src/libsystemd/sd-bus/bus-common-errors.c index 02e3bf904c..32be3cdc38 100644 --- a/src/libsystemd/sd-bus/bus-common-errors.c +++ b/src/libsystemd/sd-bus/bus-common-errors.c @@ -44,6 +44,7 @@ BUS_ERROR_MAP_ELF_REGISTER const sd_bus_error_map bus_common_errors[] = {          SD_BUS_ERROR_MAP(BUS_ERROR_NO_ISOLATION,                 EPERM),          SD_BUS_ERROR_MAP(BUS_ERROR_SHUTTING_DOWN,                ECANCELED),          SD_BUS_ERROR_MAP(BUS_ERROR_SCOPE_NOT_RUNNING,            EHOSTDOWN), +        SD_BUS_ERROR_MAP(BUS_ERROR_NO_SUCH_DYNAMIC_USER,         ESRCH),          SD_BUS_ERROR_MAP(BUS_ERROR_NO_SUCH_MACHINE,              ENXIO),          SD_BUS_ERROR_MAP(BUS_ERROR_NO_SUCH_IMAGE,                ENOENT), diff --git a/src/libsystemd/sd-bus/bus-common-errors.h b/src/libsystemd/sd-bus/bus-common-errors.h index c8f369cb78..befb6fbfe0 100644 --- a/src/libsystemd/sd-bus/bus-common-errors.h +++ b/src/libsystemd/sd-bus/bus-common-errors.h @@ -40,6 +40,7 @@  #define BUS_ERROR_NO_ISOLATION "org.freedesktop.systemd1.NoIsolation"  #define BUS_ERROR_SHUTTING_DOWN "org.freedesktop.systemd1.ShuttingDown"  #define BUS_ERROR_SCOPE_NOT_RUNNING "org.freedesktop.systemd1.ScopeNotRunning" +#define BUS_ERROR_NO_SUCH_DYNAMIC_USER "org.freedesktop.systemd1.NoSuchDynamicUser"  #define BUS_ERROR_NO_SUCH_MACHINE "org.freedesktop.machine1.NoSuchMachine"  #define BUS_ERROR_NO_SUCH_IMAGE "org.freedesktop.machine1.NoSuchImage" diff --git a/src/nss-systemd/Makefile b/src/nss-systemd/Makefile new file mode 120000 index 0000000000..d0b0e8e008 --- /dev/null +++ b/src/nss-systemd/Makefile @@ -0,0 +1 @@ +../Makefile
\ No newline at end of file diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c new file mode 100644 index 0000000000..e7a4393bb0 --- /dev/null +++ b/src/nss-systemd/nss-systemd.c @@ -0,0 +1,332 @@ +/*** +  This file is part of systemd. + +  Copyright 2016 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  Lesser General Public License for more details. + +  You should have received a copy of the GNU Lesser General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <nss.h> + +#include "sd-bus.h" + +#include "bus-common-errors.h" +#include "env-util.h" +#include "macro.h" +#include "nss-util.h" +#include "signal-util.h" +#include "user-util.h" +#include "util.h" + +NSS_GETPW_PROTOTYPES(systemd); +NSS_GETGR_PROTOTYPES(systemd); + +enum nss_status _nss_systemd_getpwnam_r( +                const char *name, +                struct passwd *pwd, +                char *buffer, size_t buflen, +                int *errnop) { + +        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL; +        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; +        uint32_t translated; +        size_t l; +        int r; + +        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK); + +        assert(name); +        assert(pwd); + +        /* Make sure that we don't go in circles when allocating a dynamic UID by checking our own database */ +        if (getenv_bool("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0) +                goto not_found; + +        r = sd_bus_open_system(&bus); +        if (r < 0) +                goto fail; + +        r = sd_bus_call_method(bus, +                               "org.freedesktop.systemd1", +                               "/org/freedesktop/systemd1", +                               "org.freedesktop.systemd1.Manager", +                               "LookupDynamicUserByName", +                               &error, +                               &reply, +                               "s", +                               name); +        if (r < 0) { +                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_DYNAMIC_USER)) +                        goto not_found; + +                goto fail; +        } + +        r = sd_bus_message_read(reply, "u", &translated); +        if (r < 0) +                goto fail; + +        l = strlen(name); +        if (buflen < l+1) { +                *errnop = ENOMEM; +                return NSS_STATUS_TRYAGAIN; +        } + +        memcpy(buffer, name, l+1); + +        pwd->pw_name = buffer; +        pwd->pw_uid = (uid_t) translated; +        pwd->pw_gid = (uid_t) translated; +        pwd->pw_gecos = (char*) "Dynamic User"; +        pwd->pw_passwd = (char*) "*"; /* locked */ +        pwd->pw_dir = (char*) "/"; +        pwd->pw_shell = (char*) "/sbin/nologin"; + +        *errnop = 0; +        return NSS_STATUS_SUCCESS; + +not_found: +        *errnop = 0; +        return NSS_STATUS_NOTFOUND; + +fail: +        *errnop = -r; +        return NSS_STATUS_UNAVAIL; +} + +enum nss_status _nss_systemd_getpwuid_r( +                uid_t uid, +                struct passwd *pwd, +                char *buffer, size_t buflen, +                int *errnop) { + +        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL; +        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; +        const char *translated; +        size_t l; +        int r; + +        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK); + +        if (!uid_is_valid(uid)) { +                r = -EINVAL; +                goto fail; +        } + +        if (uid <= SYSTEM_UID_MAX) +                goto not_found; + +        if (getenv_bool("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0) +                goto not_found; + +        r = sd_bus_open_system(&bus); +        if (r < 0) +                goto fail; + +        r = sd_bus_call_method(bus, +                               "org.freedesktop.systemd1", +                               "/org/freedesktop/systemd1", +                               "org.freedesktop.systemd1.Manager", +                               "LookupDynamicUserByUID", +                               &error, +                               &reply, +                               "u", +                               (uint32_t) uid); +        if (r < 0) { +                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_DYNAMIC_USER)) +                        goto not_found; + +                goto fail; +        } + +        r = sd_bus_message_read(reply, "s", &translated); +        if (r < 0) +                goto fail; + +        l = strlen(translated) + 1; +        if (buflen < l) { +                *errnop = ENOMEM; +                return NSS_STATUS_TRYAGAIN; +        } + +        memcpy(buffer, translated, l); + +        pwd->pw_name = buffer; +        pwd->pw_uid = uid; +        pwd->pw_gid = uid; +        pwd->pw_gecos = (char*) "Dynamic User"; +        pwd->pw_passwd = (char*) "*"; /* locked */ +        pwd->pw_dir = (char*) "/"; +        pwd->pw_shell = (char*) "/sbin/nologin"; + +        *errnop = 0; +        return NSS_STATUS_SUCCESS; + +not_found: +        *errnop = 0; +        return NSS_STATUS_NOTFOUND; + +fail: +        *errnop = -r; +        return NSS_STATUS_UNAVAIL; +} + +enum nss_status _nss_systemd_getgrnam_r( +                const char *name, +                struct group *gr, +                char *buffer, size_t buflen, +                int *errnop) { + +        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL; +        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; +        uint32_t translated; +        size_t l; +        int r; + +        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK); + +        assert(name); +        assert(gr); + +        if (getenv_bool("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0) +                goto not_found; + +        r = sd_bus_open_system(&bus); +        if (r < 0) +                goto fail; + +        r = sd_bus_call_method(bus, +                               "org.freedesktop.systemd1", +                               "/org/freedesktop/systemd1", +                               "org.freedesktop.systemd1.Manager", +                               "LookupDynamicUserByName", +                               &error, +                               &reply, +                               "s", +                               name); +        if (r < 0) { +                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_DYNAMIC_USER)) +                        goto not_found; + +                goto fail; +        } + +        r = sd_bus_message_read(reply, "u", &translated); +        if (r < 0) +                goto fail; + +        l = sizeof(char*) + strlen(name) + 1; +        if (buflen < l) { +                *errnop = ENOMEM; +                return NSS_STATUS_TRYAGAIN; +        } + +        memzero(buffer, sizeof(char*)); +        strcpy(buffer + sizeof(char*), name); + +        gr->gr_name = buffer + sizeof(char*); +        gr->gr_gid = (gid_t) translated; +        gr->gr_passwd = (char*) "*"; /* locked */ +        gr->gr_mem = (char**) buffer; + +        *errnop = 0; +        return NSS_STATUS_SUCCESS; + +not_found: +        *errnop = 0; +        return NSS_STATUS_NOTFOUND; + +fail: +        *errnop = -r; +        return NSS_STATUS_UNAVAIL; +} + +enum nss_status _nss_systemd_getgrgid_r( +                gid_t gid, +                struct group *gr, +                char *buffer, size_t buflen, +                int *errnop) { + +        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL; +        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; +        const char *translated; +        size_t l; +        int r; + +        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK); + +        if (!gid_is_valid(gid)) { +                r = -EINVAL; +                goto fail; +        } + +        if (gid <= SYSTEM_GID_MAX) +                goto not_found; + +        if (getenv_bool("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0) +                goto not_found; + +        r = sd_bus_open_system(&bus); +        if (r < 0) +                goto fail; + +        r = sd_bus_call_method(bus, +                               "org.freedesktop.systemd1", +                               "/org/freedesktop/systemd1", +                               "org.freedesktop.systemd1.Manager", +                               "LookupDynamicUserByUID", +                               &error, +                               &reply, +                               "u", +                               (uint32_t) gid); +        if (r < 0) { +                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_DYNAMIC_USER)) +                        goto not_found; + +                goto fail; +        } + +        r = sd_bus_message_read(reply, "s", &translated); +        if (r < 0) +                goto fail; + +        l = sizeof(char*) + strlen(translated) + 1; +        if (buflen < l) { +                *errnop = ENOMEM; +                return NSS_STATUS_TRYAGAIN; +        } + +        memzero(buffer, sizeof(char*)); +        strcpy(buffer + sizeof(char*), translated); + +        gr->gr_name = buffer + sizeof(char*); +        gr->gr_gid = gid; +        gr->gr_passwd = (char*) "*"; /* locked */ +        gr->gr_mem = (char**) buffer; + +        *errnop = 0; +        return NSS_STATUS_SUCCESS; + +not_found: +        *errnop = 0; +        return NSS_STATUS_NOTFOUND; + +fail: +        *errnop = -r; +        return NSS_STATUS_UNAVAIL; +} diff --git a/src/nss-systemd/nss-systemd.sym b/src/nss-systemd/nss-systemd.sym new file mode 100644 index 0000000000..955078788a --- /dev/null +++ b/src/nss-systemd/nss-systemd.sym @@ -0,0 +1,17 @@ +/*** +  This file is part of systemd. + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU Lesser General Public License as published by +  the Free Software Foundation; either version 2.1 of the License, or +  (at your option) any later version. +***/ + +{ +global: +        _nss_systemd_getpwnam_r; +        _nss_systemd_getpwuid_r; +        _nss_systemd_getgrnam_r; +        _nss_systemd_getgrgid_r; +local: *; +}; diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c index ea020b517b..14bf8ad627 100644 --- a/src/shared/bus-unit-util.c +++ b/src/shared/bus-unit-util.c @@ -199,11 +199,12 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen                  r = sd_bus_message_append(m, "sv", sn, "t", l.rlim_cur);          } else if (STR_IN_SET(field, -                       "CPUAccounting", "MemoryAccounting", "IOAccounting", "BlockIOAccounting", "TasksAccounting", -                       "SendSIGHUP", "SendSIGKILL", "WakeSystem", "DefaultDependencies", -                       "IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "RemainAfterExit", -                       "PrivateTmp", "PrivateDevices", "PrivateNetwork", "NoNewPrivileges", -                       "SyslogLevelPrefix", "Delegate", "RemainAfterElapse", "MemoryDenyWriteExecute")) { +                              "CPUAccounting", "MemoryAccounting", "IOAccounting", "BlockIOAccounting", "TasksAccounting", +                              "SendSIGHUP", "SendSIGKILL", "WakeSystem", "DefaultDependencies", +                              "IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "RemainAfterExit", +                              "PrivateTmp", "PrivateDevices", "PrivateNetwork", "NoNewPrivileges", +                              "SyslogLevelPrefix", "Delegate", "RemainAfterElapse", "MemoryDenyWriteExecute", +                              "RestrictRealtime", "DynamicUser")) {                  r = parse_boolean(eq);                  if (r < 0) diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c index 787d68a009..5d72493725 100644 --- a/src/sysusers/sysusers.c +++ b/src/sysusers/sysusers.c @@ -1299,81 +1299,6 @@ static bool item_equal(Item *a, Item *b) {          return true;  } -static bool valid_user_group_name(const char *u) { -        const char *i; -        long sz; - -        if (isempty(u)) -                return false; - -        if (!(u[0] >= 'a' && u[0] <= 'z') && -            !(u[0] >= 'A' && u[0] <= 'Z') && -            u[0] != '_') -                return false; - -        for (i = u+1; *i; i++) { -                if (!(*i >= 'a' && *i <= 'z') && -                    !(*i >= 'A' && *i <= 'Z') && -                    !(*i >= '0' && *i <= '9') && -                    *i != '_' && -                    *i != '-') -                        return false; -        } - -        sz = sysconf(_SC_LOGIN_NAME_MAX); -        assert_se(sz > 0); - -        if ((size_t) (i-u) > (size_t) sz) -                return false; - -        if ((size_t) (i-u) > UT_NAMESIZE - 1) -                return false; - -        return true; -} - -static bool valid_gecos(const char *d) { - -        if (!d) -                return false; - -        if (!utf8_is_valid(d)) -                return false; - -        if (string_has_cc(d, NULL)) -                return false; - -        /* Colons are used as field separators, and hence not OK */ -        if (strchr(d, ':')) -                return false; - -        return true; -} - -static bool valid_home(const char *p) { - -        if (isempty(p)) -                return false; - -        if (!utf8_is_valid(p)) -                return false; - -        if (string_has_cc(p, NULL)) -                return false; - -        if (!path_is_absolute(p)) -                return false; - -        if (!path_is_safe(p)) -                return false; - -        /* Colons are used as field separators, and hence not OK */ -        if (strchr(p, ':')) -                return false; - -        return true; -} -  static int parse_line(const char *fname, unsigned line, const char *buffer) {          static const Specifier specifier_table[] = { diff --git a/src/test/test-user-util.c b/src/test/test-user-util.c index 8d1ec19f17..2a344a9f93 100644 --- a/src/test/test-user-util.c +++ b/src/test/test-user-util.c @@ -61,6 +61,88 @@ static void test_uid_ptr(void) {          assert_se(PTR_TO_UID(UID_TO_PTR(1000)) == 1000);  } +static void test_valid_user_group_name(void) { +        assert_se(!valid_user_group_name(NULL)); +        assert_se(!valid_user_group_name("")); +        assert_se(!valid_user_group_name("1")); +        assert_se(!valid_user_group_name("65535")); +        assert_se(!valid_user_group_name("-1")); +        assert_se(!valid_user_group_name("-kkk")); +        assert_se(!valid_user_group_name("rööt")); +        assert_se(!valid_user_group_name(".")); +        assert_se(!valid_user_group_name("eff.eff")); +        assert_se(!valid_user_group_name("foo\nbar")); +        assert_se(!valid_user_group_name("0123456789012345678901234567890123456789")); +        assert_se(!valid_user_group_name_or_id("aaa:bbb")); + +        assert_se(valid_user_group_name("root")); +        assert_se(valid_user_group_name("lennart")); +        assert_se(valid_user_group_name("LENNART")); +        assert_se(valid_user_group_name("_kkk")); +        assert_se(valid_user_group_name("kkk-")); +        assert_se(valid_user_group_name("kk-k")); + +        assert_se(valid_user_group_name("some5")); +        assert_se(!valid_user_group_name("5some")); +        assert_se(valid_user_group_name("INNER5NUMBER")); +} + +static void test_valid_user_group_name_or_id(void) { +        assert_se(!valid_user_group_name_or_id(NULL)); +        assert_se(!valid_user_group_name_or_id("")); +        assert_se(valid_user_group_name_or_id("0")); +        assert_se(valid_user_group_name_or_id("1")); +        assert_se(valid_user_group_name_or_id("65534")); +        assert_se(!valid_user_group_name_or_id("65535")); +        assert_se(valid_user_group_name_or_id("65536")); +        assert_se(!valid_user_group_name_or_id("-1")); +        assert_se(!valid_user_group_name_or_id("-kkk")); +        assert_se(!valid_user_group_name_or_id("rööt")); +        assert_se(!valid_user_group_name_or_id(".")); +        assert_se(!valid_user_group_name_or_id("eff.eff")); +        assert_se(!valid_user_group_name_or_id("foo\nbar")); +        assert_se(!valid_user_group_name_or_id("0123456789012345678901234567890123456789")); +        assert_se(!valid_user_group_name_or_id("aaa:bbb")); + +        assert_se(valid_user_group_name_or_id("root")); +        assert_se(valid_user_group_name_or_id("lennart")); +        assert_se(valid_user_group_name_or_id("LENNART")); +        assert_se(valid_user_group_name_or_id("_kkk")); +        assert_se(valid_user_group_name_or_id("kkk-")); +        assert_se(valid_user_group_name_or_id("kk-k")); + +        assert_se(valid_user_group_name_or_id("some5")); +        assert_se(!valid_user_group_name_or_id("5some")); +        assert_se(valid_user_group_name_or_id("INNER5NUMBER")); +} + +static void test_valid_gecos(void) { + +        assert_se(!valid_gecos(NULL)); +        assert_se(valid_gecos("")); +        assert_se(valid_gecos("test")); +        assert_se(valid_gecos("Ümläüt")); +        assert_se(!valid_gecos("In\nvalid")); +        assert_se(!valid_gecos("In:valid")); +} + +static void test_valid_home(void) { + +        assert_se(!valid_home(NULL)); +        assert_se(!valid_home("")); +        assert_se(!valid_home(".")); +        assert_se(!valid_home("/home/..")); +        assert_se(!valid_home("/home/../")); +        assert_se(!valid_home("/home\n/foo")); +        assert_se(!valid_home("./piep")); +        assert_se(!valid_home("piep")); +        assert_se(!valid_home("/home/user:lennart")); + +        assert_se(valid_home("/")); +        assert_se(valid_home("/home")); +        assert_se(valid_home("/home/foo")); +} +  int main(int argc, char*argv[]) {          test_uid_to_name_one(0, "root"); @@ -75,5 +157,10 @@ int main(int argc, char*argv[]) {          test_parse_uid();          test_uid_ptr(); +        test_valid_user_group_name(); +        test_valid_user_group_name_or_id(); +        test_valid_gecos(); +        test_valid_home(); +          return 0;  } | 
