diff options
Diffstat (limited to 'src/core/dynamic-user.c')
| -rw-r--r-- | src/core/dynamic-user.c | 794 |
1 files changed, 0 insertions, 794 deletions
diff --git a/src/core/dynamic-user.c b/src/core/dynamic-user.c deleted file mode 100644 index e1846e1adb..0000000000 --- a/src/core/dynamic-user.c +++ /dev/null @@ -1,794 +0,0 @@ -/*** - This file is part of systemd. - - Copyright 2016 Lennart Poettering - - systemd is free software; you can redistribute it and/or modify it - under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation; either version 2.1 of the License, or - (at your option) any later version. - - systemd is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with systemd; If not, see <http://www.gnu.org/licenses/>. -***/ - -#include <grp.h> -#include <pwd.h> -#include <sys/file.h> - -#include "dynamic-user.h" -#include "fd-util.h" -#include "fs-util.h" -#include "parse-util.h" -#include "random-util.h" -#include "stdio-util.h" -#include "string-util.h" -#include "user-util.h" -#include "fileio.h" - -/* Takes a value generated randomly or by hashing and turns it into a UID in the right range */ -#define UID_CLAMP_INTO_RANGE(rnd) (((uid_t) (rnd) % (DYNAMIC_UID_MAX - DYNAMIC_UID_MIN + 1)) + DYNAMIC_UID_MIN) - -static DynamicUser* dynamic_user_free(DynamicUser *d) { - if (!d) - return NULL; - - if (d->manager) - (void) hashmap_remove(d->manager->dynamic_users, d->name); - - safe_close_pair(d->storage_socket); - return mfree(d); -} - -static int dynamic_user_add(Manager *m, const char *name, int storage_socket[2], DynamicUser **ret) { - DynamicUser *d = NULL; - int r; - - assert(m); - assert(name); - assert(storage_socket); - - r = hashmap_ensure_allocated(&m->dynamic_users, &string_hash_ops); - if (r < 0) - return r; - - d = malloc0(offsetof(DynamicUser, name) + strlen(name) + 1); - if (!d) - return -ENOMEM; - - strcpy(d->name, name); - - d->storage_socket[0] = storage_socket[0]; - d->storage_socket[1] = storage_socket[1]; - - r = hashmap_put(m->dynamic_users, d->name, d); - if (r < 0) { - free(d); - return r; - } - - d->manager = m; - - if (ret) - *ret = d; - - return 0; -} - -int dynamic_user_acquire(Manager *m, const char *name, DynamicUser** ret) { - _cleanup_close_pair_ int storage_socket[2] = { -1, -1 }; - DynamicUser *d; - int r; - - assert(m); - assert(name); - - /* Return the DynamicUser structure for a specific user name. Note that this won't actually allocate a UID for - * it, but just prepare the data structure for it. The UID is allocated only on demand, when it's really - * needed, and in the child process we fork off, since allocation involves NSS checks which are not OK to do - * from PID 1. To allow the children and PID 1 share information about allocated UIDs we use an anonymous - * AF_UNIX/SOCK_DGRAM socket (called the "storage socket") that contains at most one datagram with the - * allocated UID number, plus an fd referencing the lock file for the UID - * (i.e. /run/systemd/dynamic-uid/$UID). Why involve the socket pair? So that PID 1 and all its children can - * share the same storage for the UID and lock fd, simply by inheriting the storage socket fds. The socket pair - * may exist in three different states: - * - * a) no datagram stored. This is the initial state. In this case the dynamic user was never realized. - * - * b) a datagram containing a UID stored, but no lock fd attached to it. In this case there was already a - * statically assigned UID by the same name, which we are reusing. - * - * c) a datagram containing a UID stored, and a lock fd is attached to it. In this case we allocated a dynamic - * UID and locked it in the file system, using the lock fd. - * - * As PID 1 and various children might access the socket pair simultaneously, and pop the datagram or push it - * back in any time, we also maintain a lock on the socket pair. Note one peculiarity regarding locking here: - * the UID lock on disk is protected via a BSD file lock (i.e. an fd-bound lock), so that the lock is kept in - * place as long as there's a reference to the fd open. The lock on the storage socket pair however is a POSIX - * file lock (i.e. a process-bound lock), as all users share the same fd of this (after all it is anonymous, - * nobody else could get any access to it except via our own fd) and we want to synchronize access between all - * processes that have access to it. */ - - d = hashmap_get(m->dynamic_users, name); - if (d) { - /* We already have a structure for the dynamic user, let's increase the ref count and reuse it */ - d->n_ref++; - *ret = d; - return 0; - } - - if (!valid_user_group_name_or_id(name)) - return -EINVAL; - - if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, storage_socket) < 0) - return -errno; - - r = dynamic_user_add(m, name, storage_socket, &d); - if (r < 0) - return r; - - storage_socket[0] = storage_socket[1] = -1; - - if (ret) { - d->n_ref++; - *ret = d; - } - - return 1; -} - -static int make_uid_symlinks(uid_t uid, const char *name, bool b) { - - char path1[strlen("/run/systemd/dynamic-uid/direct:") + DECIMAL_STR_MAX(uid_t) + 1]; - const char *path2; - int r = 0, k; - - /* Add direct additional symlinks for direct lookups of dynamic UIDs and their names by userspace code. The - * only reason we have this is because dbus-daemon cannot use D-Bus for resolving users and groups (since it - * would be its own client then). We hence keep these world-readable symlinks in place, so that the - * unprivileged dbus user can read the mappings when it needs them via these symlinks instead of having to go - * via the bus. Ideally, we'd use the lock files we keep for this anyway, but we can't since we use BSD locks - * on them and as those may be taken by any user with read access we can't make them world-readable. */ - - xsprintf(path1, "/run/systemd/dynamic-uid/direct:" UID_FMT, uid); - if (unlink(path1) < 0 && errno != ENOENT) - r = -errno; - - if (b && symlink(name, path1) < 0) { - k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path1); - if (r == 0) - r = k; - } - - path2 = strjoina("/run/systemd/dynamic-uid/direct:", name); - if (unlink(path2) < 0 && errno != ENOENT) { - k = -errno; - if (r == 0) - r = k; - } - - if (b && symlink(path1 + strlen("/run/systemd/dynamic-uid/direct:"), path2) < 0) { - k = log_warning_errno(errno, "Failed to symlink \"%s\": %m", path2); - if (r == 0) - r = k; - } - - return r; -} - -static int pick_uid(const char *name, uid_t *ret_uid) { - - static const uint8_t hash_key[] = { - 0x37, 0x53, 0x7e, 0x31, 0xcf, 0xce, 0x48, 0xf5, - 0x8a, 0xbb, 0x39, 0x57, 0x8d, 0xd9, 0xec, 0x59 - }; - - unsigned n_tries = 100; - uid_t candidate; - int r; - - /* A static user by this name does not exist yet. Let's find a free ID then, and use that. We start with a UID - * generated as hash from the user name. */ - candidate = UID_CLAMP_INTO_RANGE(siphash24(name, strlen(name), hash_key)); - - (void) mkdir("/run/systemd/dynamic-uid", 0755); - - for (;;) { - char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; - _cleanup_close_ int lock_fd = -1; - ssize_t l; - - if (--n_tries <= 0) /* Give up retrying eventually */ - return -EBUSY; - - if (!uid_is_dynamic(candidate)) - goto next; - - xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, candidate); - - for (;;) { - struct stat st; - - lock_fd = open(lock_path, O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, 0600); - if (lock_fd < 0) - return -errno; - - r = flock(lock_fd, LOCK_EX|LOCK_NB); /* Try to get a BSD file lock on the UID lock file */ - if (r < 0) { - if (errno == EBUSY || errno == EAGAIN) - goto next; /* already in use */ - - return -errno; - } - - if (fstat(lock_fd, &st) < 0) - return -errno; - if (st.st_nlink > 0) - break; - - /* Oh, bummer, we got the lock, but the file was unlinked between the time we opened it and - * got the lock. Close it, and try again. */ - lock_fd = safe_close(lock_fd); - } - - /* Some superficial check whether this UID/GID might already be taken by some static user */ - if (getpwuid(candidate) || getgrgid((gid_t) candidate)) { - (void) unlink(lock_path); - goto next; - } - - /* Let's store the user name in the lock file, so that we can use it for looking up the username for a UID */ - l = pwritev(lock_fd, - (struct iovec[2]) { - { .iov_base = (char*) name, .iov_len = strlen(name) }, - { .iov_base = (char[1]) { '\n' }, .iov_len = 1 } - }, 2, 0); - if (l < 0) { - (void) unlink(lock_path); - return -errno; - } - - (void) ftruncate(lock_fd, l); - (void) make_uid_symlinks(candidate, name, true); /* also add direct lookup symlinks */ - - *ret_uid = candidate; - r = lock_fd; - lock_fd = -1; - - return r; - - next: - /* Pick another random UID, and see if that works for us. */ - random_bytes(&candidate, sizeof(candidate)); - candidate = UID_CLAMP_INTO_RANGE(candidate); - } -} - -static int dynamic_user_pop(DynamicUser *d, uid_t *ret_uid, int *ret_lock_fd) { - uid_t uid = UID_INVALID; - struct iovec iov = { - .iov_base = &uid, - .iov_len = sizeof(uid), - }; - union { - struct cmsghdr cmsghdr; - uint8_t buf[CMSG_SPACE(sizeof(int))]; - } control = {}; - struct msghdr mh = { - .msg_control = &control, - .msg_controllen = sizeof(control), - .msg_iov = &iov, - .msg_iovlen = 1, - }; - struct cmsghdr *cmsg; - - ssize_t k; - int lock_fd = -1; - - assert(d); - assert(ret_uid); - assert(ret_lock_fd); - - /* Read the UID and lock fd that is stored in the storage AF_UNIX socket. This should be called with the lock - * on the socket taken. */ - - k = recvmsg(d->storage_socket[0], &mh, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC); - if (k < 0) - return -errno; - - cmsg = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int))); - if (cmsg) - lock_fd = *(int*) CMSG_DATA(cmsg); - else - cmsg_close_all(&mh); /* just in case... */ - - *ret_uid = uid; - *ret_lock_fd = lock_fd; - - return 0; -} - -static int dynamic_user_push(DynamicUser *d, uid_t uid, int lock_fd) { - struct iovec iov = { - .iov_base = &uid, - .iov_len = sizeof(uid), - }; - union { - struct cmsghdr cmsghdr; - uint8_t buf[CMSG_SPACE(sizeof(int))]; - } control = {}; - struct msghdr mh = { - .msg_control = &control, - .msg_controllen = sizeof(control), - .msg_iov = &iov, - .msg_iovlen = 1, - }; - ssize_t k; - - assert(d); - - /* Store the UID and lock_fd in the storage socket. This should be called with the socket pair lock taken. */ - - if (lock_fd >= 0) { - struct cmsghdr *cmsg; - - cmsg = CMSG_FIRSTHDR(&mh); - cmsg->cmsg_level = SOL_SOCKET; - cmsg->cmsg_type = SCM_RIGHTS; - cmsg->cmsg_len = CMSG_LEN(sizeof(int)); - memcpy(CMSG_DATA(cmsg), &lock_fd, sizeof(int)); - - mh.msg_controllen = CMSG_SPACE(sizeof(int)); - } else { - mh.msg_control = NULL; - mh.msg_controllen = 0; - } - - k = sendmsg(d->storage_socket[1], &mh, MSG_DONTWAIT|MSG_NOSIGNAL); - if (k < 0) - return -errno; - - return 0; -} - -static void unlink_uid_lock(int lock_fd, uid_t uid, const char *name) { - char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; - - if (lock_fd < 0) - return; - - xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); - (void) unlink(lock_path); - - (void) make_uid_symlinks(uid, name, false); /* remove direct lookup symlinks */ -} - -int dynamic_user_realize(DynamicUser *d, uid_t *ret) { - - _cleanup_close_ int etc_passwd_lock_fd = -1, uid_lock_fd = -1; - uid_t uid = UID_INVALID; - int r; - - assert(d); - - /* Acquire a UID for the user name. This will allocate a UID for the user name if the user doesn't exist - * yet. If it already exists its existing UID/GID will be reused. */ - - if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) - return -errno; - - r = dynamic_user_pop(d, &uid, &uid_lock_fd); - if (r < 0) { - int new_uid_lock_fd; - uid_t new_uid; - - if (r != -EAGAIN) - goto finish; - - /* OK, nothing stored yet, let's try to find something useful. While we are working on this release the - * lock however, so that nobody else blocks on our NSS lookups. */ - (void) lockf(d->storage_socket[0], F_ULOCK, 0); - - /* Let's see if a proper, static user or group by this name exists. Try to take the lock on - * /etc/passwd, if that fails with EROFS then /etc is read-only. In that case it's fine if we don't - * take the lock, given that users can't be added there anyway in this case. */ - etc_passwd_lock_fd = take_etc_passwd_lock(NULL); - if (etc_passwd_lock_fd < 0 && etc_passwd_lock_fd != -EROFS) - return etc_passwd_lock_fd; - - /* First, let's parse this as numeric UID */ - r = parse_uid(d->name, &uid); - if (r < 0) { - struct passwd *p; - struct group *g; - - /* OK, this is not a numeric UID. Let's see if there's a user by this name */ - p = getpwnam(d->name); - if (p) - uid = p->pw_uid; - - /* Let's see if there's a group by this name */ - g = getgrnam(d->name); - if (g) { - /* If the UID/GID of the user/group of the same don't match, refuse operation */ - if (uid != UID_INVALID && uid != (uid_t) g->gr_gid) - return -EILSEQ; - - uid = (uid_t) g->gr_gid; - } - } - - if (uid == UID_INVALID) { - /* No static UID assigned yet, excellent. Let's pick a new dynamic one, and lock it. */ - - uid_lock_fd = pick_uid(d->name, &uid); - if (uid_lock_fd < 0) - return uid_lock_fd; - } - - /* So, we found a working UID/lock combination. Let's see if we actually still need it. */ - if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) { - unlink_uid_lock(uid_lock_fd, uid, d->name); - return -errno; - } - - r = dynamic_user_pop(d, &new_uid, &new_uid_lock_fd); - if (r < 0) { - if (r != -EAGAIN) { - /* OK, something bad happened, let's get rid of the bits we acquired. */ - unlink_uid_lock(uid_lock_fd, uid, d->name); - goto finish; - } - - /* Great! Nothing is stored here, still. Store our newly acquired data. */ - } else { - /* Hmm, so as it appears there's now something stored in the storage socket. Throw away what we - * acquired, and use what's stored now. */ - - unlink_uid_lock(uid_lock_fd, uid, d->name); - safe_close(uid_lock_fd); - - uid = new_uid; - uid_lock_fd = new_uid_lock_fd; - } - } - - /* If the UID/GID was already allocated dynamically, push the data we popped out back in. If it was already - * allocated statically, push the UID back too, but do not push the lock fd in. If we allocated the UID - * dynamically right here, push that in along with the lock fd for it. */ - r = dynamic_user_push(d, uid, uid_lock_fd); - if (r < 0) - goto finish; - - *ret = uid; - r = 0; - -finish: - (void) lockf(d->storage_socket[0], F_ULOCK, 0); - return r; -} - -int dynamic_user_current(DynamicUser *d, uid_t *ret) { - _cleanup_close_ int lock_fd = -1; - uid_t uid; - int r; - - assert(d); - assert(ret); - - /* Get the currently assigned UID for the user, if there's any. This simply pops the data from the storage socket, and pushes it back in right-away. */ - - if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) - return -errno; - - r = dynamic_user_pop(d, &uid, &lock_fd); - if (r < 0) - goto finish; - - r = dynamic_user_push(d, uid, lock_fd); - if (r < 0) - goto finish; - - *ret = uid; - r = 0; - -finish: - (void) lockf(d->storage_socket[0], F_ULOCK, 0); - return r; -} - -DynamicUser* dynamic_user_ref(DynamicUser *d) { - if (!d) - return NULL; - - assert(d->n_ref > 0); - d->n_ref++; - - return d; -} - -DynamicUser* dynamic_user_unref(DynamicUser *d) { - if (!d) - return NULL; - - /* Note that this doesn't actually release any resources itself. If a dynamic user should be fully destroyed - * and its UID released, use dynamic_user_destroy() instead. NB: the dynamic user table may contain entries - * with no references, which is commonly the case right before a daemon reload. */ - - assert(d->n_ref > 0); - d->n_ref--; - - return NULL; -} - -static int dynamic_user_close(DynamicUser *d) { - _cleanup_close_ int lock_fd = -1; - uid_t uid; - int r; - - /* Release the user ID, by releasing the lock on it, and emptying the storage socket. After this the user is - * unrealized again, much like it was after it the DynamicUser object was first allocated. */ - - if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) - return -errno; - - r = dynamic_user_pop(d, &uid, &lock_fd); - if (r == -EAGAIN) { - /* User wasn't realized yet, nothing to do. */ - r = 0; - goto finish; - } - if (r < 0) - goto finish; - - /* This dynamic user was realized and dynamically allocated. In this case, let's remove the lock file. */ - unlink_uid_lock(lock_fd, uid, d->name); - r = 1; - -finish: - (void) lockf(d->storage_socket[0], F_ULOCK, 0); - return r; -} - -DynamicUser* dynamic_user_destroy(DynamicUser *d) { - if (!d) - return NULL; - - /* Drop a reference to a DynamicUser object, and destroy the user completely if this was the last - * reference. This is called whenever a service is shut down and wants its dynamic UID gone. Note that - * dynamic_user_unref() is what is called whenever a service is simply freed, for example during a reload - * cycle, where the dynamic users should not be destroyed, but our datastructures should. */ - - dynamic_user_unref(d); - - if (d->n_ref > 0) - return NULL; - - (void) dynamic_user_close(d); - return dynamic_user_free(d); -} - -int dynamic_user_serialize(Manager *m, FILE *f, FDSet *fds) { - DynamicUser *d; - Iterator i; - - assert(m); - assert(f); - assert(fds); - - /* Dump the dynamic user database into the manager serialization, to deal with daemon reloads. */ - - HASHMAP_FOREACH(d, m->dynamic_users, i) { - int copy0, copy1; - - copy0 = fdset_put_dup(fds, d->storage_socket[0]); - if (copy0 < 0) - return copy0; - - copy1 = fdset_put_dup(fds, d->storage_socket[1]); - if (copy1 < 0) - return copy1; - - fprintf(f, "dynamic-user=%s %i %i\n", d->name, copy0, copy1); - } - - return 0; -} - -void dynamic_user_deserialize_one(Manager *m, const char *value, FDSet *fds) { - _cleanup_free_ char *name = NULL, *s0 = NULL, *s1 = NULL; - int r, fd0, fd1; - - assert(m); - assert(value); - assert(fds); - - /* Parse the serialization again, after a daemon reload */ - - r = extract_many_words(&value, NULL, 0, &name, &s0, &s1, NULL); - if (r != 3 || !isempty(value)) { - log_debug("Unable to parse dynamic user line."); - return; - } - - if (safe_atoi(s0, &fd0) < 0 || !fdset_contains(fds, fd0)) { - log_debug("Unable to process dynamic user fd specification."); - return; - } - - if (safe_atoi(s1, &fd1) < 0 || !fdset_contains(fds, fd1)) { - log_debug("Unable to process dynamic user fd specification."); - return; - } - - r = dynamic_user_add(m, name, (int[]) { fd0, fd1 }, NULL); - if (r < 0) { - log_debug_errno(r, "Failed to add dynamic user: %m"); - return; - } - - (void) fdset_remove(fds, fd0); - (void) fdset_remove(fds, fd1); -} - -void dynamic_user_vacuum(Manager *m, bool close_user) { - DynamicUser *d; - Iterator i; - - assert(m); - - /* Empty the dynamic user database, optionally cleaning up orphaned dynamic users, i.e. destroy and free users - * to which no reference exist. This is called after a daemon reload finished, in order to destroy users which - * might not be referenced anymore. */ - - HASHMAP_FOREACH(d, m->dynamic_users, i) { - if (d->n_ref > 0) - continue; - - if (close_user) { - log_debug("Removing orphaned dynamic user %s", d->name); - (void) dynamic_user_close(d); - } - - dynamic_user_free(d); - } -} - -int dynamic_user_lookup_uid(Manager *m, uid_t uid, char **ret) { - char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; - _cleanup_free_ char *user = NULL; - uid_t check_uid; - int r; - - assert(m); - assert(ret); - - /* A friendly way to translate a dynamic user's UID into a name. */ - if (!uid_is_dynamic(uid)) - return -ESRCH; - - xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid); - r = read_one_line_file(lock_path, &user); - if (r == -ENOENT) - return -ESRCH; - if (r < 0) - return r; - - /* The lock file might be stale, hence let's verify the data before we return it */ - r = dynamic_user_lookup_name(m, user, &check_uid); - if (r < 0) - return r; - if (check_uid != uid) /* lock file doesn't match our own idea */ - return -ESRCH; - - *ret = user; - user = NULL; - - return 0; -} - -int dynamic_user_lookup_name(Manager *m, const char *name, uid_t *ret) { - DynamicUser *d; - int r; - - assert(m); - assert(name); - assert(ret); - - /* A friendly call for translating a dynamic user's name into its UID */ - - d = hashmap_get(m->dynamic_users, name); - if (!d) - return -ESRCH; - - r = dynamic_user_current(d, ret); - if (r == -EAGAIN) /* not realized yet? */ - return -ESRCH; - - return r; -} - -int dynamic_creds_acquire(DynamicCreds *creds, Manager *m, const char *user, const char *group) { - bool acquired = false; - int r; - - assert(creds); - assert(m); - - /* A DynamicUser object encapsulates an allocation of both a UID and a GID for a specific name. However, some - * services use different user and groups. For cases like that there's DynamicCreds containing a pair of user - * and group. This call allocates a pair. */ - - if (!creds->user && user) { - r = dynamic_user_acquire(m, user, &creds->user); - if (r < 0) - return r; - - acquired = true; - } - - if (!creds->group) { - - if (creds->user && (!group || streq_ptr(user, group))) - creds->group = dynamic_user_ref(creds->user); - else { - r = dynamic_user_acquire(m, group, &creds->group); - if (r < 0) { - if (acquired) - creds->user = dynamic_user_unref(creds->user); - return r; - } - } - } - - return 0; -} - -int dynamic_creds_realize(DynamicCreds *creds, uid_t *uid, gid_t *gid) { - uid_t u = UID_INVALID; - gid_t g = GID_INVALID; - int r; - - assert(creds); - assert(uid); - assert(gid); - - /* Realize both the referenced user and group */ - - if (creds->user) { - r = dynamic_user_realize(creds->user, &u); - if (r < 0) - return r; - } - - if (creds->group && creds->group != creds->user) { - r = dynamic_user_realize(creds->group, &g); - if (r < 0) - return r; - } else - g = u; - - *uid = u; - *gid = g; - - return 0; -} - -void dynamic_creds_unref(DynamicCreds *creds) { - assert(creds); - - creds->user = dynamic_user_unref(creds->user); - creds->group = dynamic_user_unref(creds->group); -} - -void dynamic_creds_destroy(DynamicCreds *creds) { - assert(creds); - - creds->user = dynamic_user_destroy(creds->user); - creds->group = dynamic_user_destroy(creds->group); -} |