nss-mymachines: map userns users of containers to real user names
authorLennart Poettering <lennart@poettering.net>
Thu, 9 Jul 2015 17:46:20 +0000 (14:46 -0300)
committerSven Eden <yamakuzure@gmx.net>
Tue, 14 Mar 2017 09:06:04 +0000 (10:06 +0100)
Given a container "foo" that, using user namespaces, maps the host user id
$UID to the container user id $TUID, this NSS module extension will now
resolve the host $UID to the name "vu-foo-$TUID".

Similarly, userns groups are mapped to "vg-foo-$TGID", where $TGID is the
container's translated GID for the host $GID.

This simple change should make userns users more discoverable. Also,
given that many tools like "adduser" check NSS before allocating a UID,
it should lower the chance of UID range conflicts between tools.

src/libelogind/sd-bus/bus-common-errors.h
src/login/pam_elogind.sym
src/shared/macro.h
src/shared/nss-util.h

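--- a/src/libelogind/sd-bus/bus-common-errors.h
+++ b/src/libelogind/sd-bus/bus-common-errors.h
@@ -46,6 +46,8 @@
 #define BUS_ERROR_NO_MACHINE_FOR_PID "org.freedesktop.machine1.NoMachineForPID"
 #define BUS_ERROR_MACHINE_EXISTS "org.freedesktop.machine1.MachineExists"
 #define BUS_ERROR_NO_PRIVATE_NETWORKING "org.freedesktop.machine1.NoPrivateNetworking"
+#define BUS_ERROR_NO_SUCH_USER_MAPPING "org.freedesktop.machine1.NoSuchUserMapping"
+#define BUS_ERROR_NO_SUCH_GROUP_MAPPING "org.freedesktop.machine1.NoSuchGroupMapping"
 
 #define BUS_ERROR_NO_SUCH_SESSION "org.freedesktop.login1.NoSuchSession"
 #define BUS_ERROR_NO_SESSION_FOR_PID "org.freedesktop.login1.NoSessionForPID"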
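--- a/src/login/pam_elogind.sym
+++ b/src/login/pam_elogind.sym
@@ -11,5 +11,9 @@
 global:
         pam_sm_close_session;
         pam_sm_open_session;
+        _nss_mymachines_getpwnam_r;
+        _nss_mymachines_getpwuid_r;
+        _nss_mymachines_getgrnam_r;
+        _nss_mymachines_getgrgid_r;
 local: *;
 };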
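Review bot: The four `_nss_mymachines_*` entries are added to pam_elogind.sym, which per the diffstat is the PAM module's linker version script, yet nothing in this commit defines those functions inside the PAM module; in the upstream change these exports belong to the NSS module's own symbol file. GNU ld silently ignores version-script entries for symbols the object does not define, so the build will not fail, but the script now documents an export that does not exist and anyone auditing pam_elogind.so's surface will be misled. They should move to an nss-mymachines symbol file, or be dropped if elogind does not build nss-mymachines at all. I cannot see the build system from here, so this is inferred from the file name and the diffstat.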
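--- a/src/shared/macro.h
+++ b/src/shared/macro.h
@@ -26,6 +26,7 @@
 #include <sys/types.h>
 #include <sys/uio.h>
 #include <inttypes.h>
+#include <stdbool.h>
 
 #define _printf_(a,b) __attribute__ ((format (printf, a, b)))
 #define _alloc_(...) __attribute__ ((alloc_size(__VA_ARGS__)))
@@ -461,6 +462,18 @@ do {                                                                    \
 #define GID_INVALID ((gid_t) -1)
 #define MODE_INVALID ((mode_t) -1)
 
+static inline bool UID_IS_INVALID(uid_t uid) {
+        /* We consider both the old 16bit -1 user and the newer 32bit
+         * -1 user invalid, since they are or used to be incompatible
+         * with syscalls such as setresuid() or chown(). */
+
+        return uid == (uid_t) ((uint32_t) -1) || uid == (uid_t) ((uint16_t) -1);
+}
+
+static inline bool GID_IS_INVALID(gid_t gid) {
+        return gid == (gid_t) ((uint32_t) -1) || gid == (gid_t) ((uint16_t) -1);
+}
+
 #define DEFINE_TRIVIAL_CLEANUP_FUNC(type, func)                 \
         static inline void func##p(type *p) {                   \
                 if (*p)                                         \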
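Review bot: The existing `UID_INVALID`/`GID_INVALID` macros a few lines above still compare only against the 32-bit sentinel, so a caller writing `uid == UID_INVALID` will accept 65535 where the new `UID_IS_INVALID()` rejects it; the header should state that the helpers, not the macros, are the check to apply to ids that arrive from outside (a container's user-namespace mapping is exactly such an input), since two different notions of "invalid" in one header is how a reserved id slips through one path but not another. `GID_IS_INVALID()` also lacks the rationale comment its uid twin carries; a one-liner such as `/* Same as UID_IS_INVALID(): both the 16bit and 32bit -1 sentinels are reserved. */` would stop readers from assuming the gid case is narrower. Whether the NSS lookups actually call these helpers is decided in files outside this page.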
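--- a/src/shared/nss-util.h
+++ b/src/shared/nss-util.h
@@ -24,6 +24,9 @@
 #include <nss.h>
 #include <netdb.h>
 #include <resolv.h>
+#include <pwd.h>
+#include <grp.h>
+
 
 #define NSS_GETHOSTBYNAME_PROTOTYPES(module)            \
 enum nss_status _nss_##module##_gethostbyname4_r(       \
@@ -109,7 +112,8 @@ enum nss_status _nss_##module##_gethostbyname_r(        \
                         NULL,                           \
                         NULL);                          \
        return ret;                                      \
-}
+}                                                       \
+struct __useless_struct_to_allow_trailing_semicolon__
 
 #define NSS_GETHOSTBYADDR_FALLBACKS(module)             \
 enum nss_status _nss_##module##_gethostbyaddr_r(        \
@@ -125,4 +129,29 @@ enum nss_status _nss_##module##_gethostbyaddr_r(        \
                         buffer, buflen,                 \
                         errnop, h_errnop,               \
                         NULL);                          \
-}
+}                                                       \
+struct __useless_struct_to_allow_trailing_semicolon__
+
+#define NSS_GETPW_PROTOTYPES(module)                    \
+enum nss_status _nss_##module##_getpwnam_r(             \
+                const char *name,                       \
+                struct passwd *pwd,                     \
+                char *buffer, size_t buflen,            \
+                int *errnop) _public_;                  \
+enum nss_status _nss_mymachines_getpwuid_r(             \
+                uid_t uid,                              \
+                struct passwd *pwd,                     \
+                char *buffer, size_t buflen,            \
+                int *errnop) _public_
+
+#define NSS_GETGR_PROTOTYPES(module)                    \
+enum nss_status _nss_##module##_getgrnam_r(             \
+                const char *name,                       \
+                struct group *gr,                       \
+                char *buffer, size_t buflen,            \
+                int *errnop) _public_;                  \
+enum nss_status _nss_##module##_getgrgid_r(             \
+                gid_t gid,                              \
+                struct group *gr,                       \
+                char *buffer, size_t buflen,            \
+                int *errnop) _public_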
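Review bot: `NSS_GETPW_PROTOTYPES` hard-codes the module name in its second prototype: `enum nss_status _nss_mymachines_getpwuid_r(` should read `enum nss_status _nss_##module##_getpwuid_r(` to match the getpwnam_r line and both entries of `NSS_GETGR_PROTOTYPES`. As written, any module other than mymachines that expands this macro declares a foreign symbol and gets no prototype, and presumably no `_public_` visibility, for its own `_nss_<module>_getpwuid_r`, so that lookup would silently be missing from the shared object's export set; the mymachines build is unaffected, which is why it would not show up here. Minor: `__useless_struct_to_allow_trailing_semicolon__` sits in the reserved double-underscore identifier namespace, though it follows existing project practice.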