1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
35 #include "alloc-util.h"
38 #include "format-util.h"
41 #include "parse-util.h"
42 #include "path-util.h"
43 #include "string-util.h"
45 #include "user-util.h"
48 bool uid_is_valid(uid_t uid) {
50 /* Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436. */
52 /* Some libc APIs use UID_INVALID as special placeholder */
53 if (uid == (uid_t) UINT32_C(0xFFFFFFFF))
56 /* A long time ago UIDs were 16bit, hence explicitly avoid the 16bit -1 too */
57 if (uid == (uid_t) UINT32_C(0xFFFF))
63 int parse_uid(const char *s, uid_t *ret) {
69 assert_cc(sizeof(uid_t) == sizeof(uint32_t));
70 r = safe_atou32(s, &uid);
74 if (!uid_is_valid(uid))
75 return -ENXIO; /* we return ENXIO instead of EINVAL
76 * here, to make it easy to distinguish
77 * invalid numeric uids from invalid
86 char* getlogname_malloc(void) {
90 if (isatty(STDIN_FILENO) && fstat(STDIN_FILENO, &st) >= 0)
95 return uid_to_name(uid);
98 #if 0 /// UNNEEDED by elogind
99 char *getusername_malloc(void) {
106 return uid_to_name(getuid());
111 const char **username,
112 uid_t *uid, gid_t *gid,
114 const char **shell) {
122 /* We enforce some special rules for uid=0 and uid=65534: in order to avoid NSS lookups for root we hardcode
123 * their user record data. */
125 if (STR_IN_SET(*username, "root", "0")) {
142 if (STR_IN_SET(*username, NOBODY_USER_NAME, "65534")) {
143 *username = NOBODY_USER_NAME;
154 *shell = "/sbin/nologin";
159 if (parse_uid(*username, &u) >= 0) {
163 /* If there are multiple users with the same id, make
164 * sure to leave $USER to the configured value instead
165 * of the first occurrence in the database. However if
166 * the uid was configured by a numeric uid, then let's
167 * pick the real username from /etc/passwd. */
169 *username = p->pw_name;
172 p = getpwnam(*username);
176 return errno > 0 ? -errno : -ESRCH;
179 if (!uid_is_valid(p->pw_uid))
186 if (!gid_is_valid(p->pw_gid))
196 *shell = p->pw_shell;
201 #if 0 /// UNNEEDED by elogind
202 int get_user_creds_clean(
203 const char **username,
204 uid_t *uid, gid_t *gid,
206 const char **shell) {
210 /* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */
212 r = get_user_creds(username, uid, gid, home, shell);
217 (isempty(*shell) || PATH_IN_SET(*shell,
221 "/usr/sbin/nologin")))
225 (isempty(*home) || path_equal(*home, "/")))
231 int get_group_creds(const char **groupname, gid_t *gid) {
237 /* We enforce some special rules for gid=0: in order to avoid
238 * NSS lookups for root we hardcode its data. */
240 if (STR_IN_SET(*groupname, "root", "0")) {
249 if (STR_IN_SET(*groupname, NOBODY_GROUP_NAME, "65534")) {
250 *groupname = NOBODY_GROUP_NAME;
258 if (parse_gid(*groupname, &id) >= 0) {
263 *groupname = g->gr_name;
266 g = getgrnam(*groupname);
270 return errno > 0 ? -errno : -ESRCH;
273 if (!gid_is_valid(g->gr_gid))
283 char* uid_to_name(uid_t uid) {
287 /* Shortcut things to avoid NSS lookups */
289 return strdup("root");
290 if (uid == UID_NOBODY)
291 return strdup(NOBODY_USER_NAME);
293 if (uid_is_valid(uid)) {
296 bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
301 struct passwd pwbuf, *pw = NULL;
302 _cleanup_free_ char *buf = NULL;
304 buf = malloc(bufsize);
308 r = getpwuid_r(uid, &pwbuf, buf, (size_t) bufsize, &pw);
310 return strdup(pw->pw_name);
318 if (asprintf(&ret, UID_FMT, uid) < 0)
324 char* gid_to_name(gid_t gid) {
329 return strdup("root");
330 if (gid == GID_NOBODY)
331 return strdup(NOBODY_GROUP_NAME);
333 if (gid_is_valid(gid)) {
336 bufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
341 struct group grbuf, *gr = NULL;
342 _cleanup_free_ char *buf = NULL;
344 buf = malloc(bufsize);
348 r = getgrgid_r(gid, &grbuf, buf, (size_t) bufsize, &gr);
350 return strdup(gr->gr_name);
358 if (asprintf(&ret, GID_FMT, gid) < 0)
364 #if 0 /// UNNEEDED by elogind
365 int in_gid(gid_t gid) {
373 if (getegid() == gid)
376 if (!gid_is_valid(gid))
379 ngroups_max = sysconf(_SC_NGROUPS_MAX);
380 assert(ngroups_max > 0);
382 gids = newa(gid_t, ngroups_max);
384 r = getgroups(ngroups_max, gids);
388 for (i = 0; i < r; i++)
395 int in_group(const char *name) {
399 r = get_group_creds(&name, &gid);
406 int get_home_dir(char **_h) {
414 /* Take the user specified one */
415 e = secure_getenv("HOME");
416 if (e && path_is_absolute(e)) {
425 /* Hardcode home directory for root and nobody to avoid NSS */
435 if (u == UID_NOBODY) {
444 /* Check the database... */
448 return errno > 0 ? -errno : -ESRCH;
450 if (!path_is_absolute(p->pw_dir))
453 h = strdup(p->pw_dir);
461 int get_shell(char **_s) {
469 /* Take the user specified one */
480 /* Hardcode shell for root and nobody to avoid NSS */
483 s = strdup("/bin/sh");
490 if (u == UID_NOBODY) {
491 s = strdup("/sbin/nologin");
499 /* Check the database... */
503 return errno > 0 ? -errno : -ESRCH;
505 if (!path_is_absolute(p->pw_shell))
508 s = strdup(p->pw_shell);
517 int reset_uid_gid(void) {
520 r = maybe_setgroups(0, NULL);
524 if (setresgid(0, 0, 0) < 0)
527 if (setresuid(0, 0, 0) < 0)
533 #if 0 /// UNNEEDED by elogind
534 int take_etc_passwd_lock(const char *root) {
536 struct flock flock = {
538 .l_whence = SEEK_SET,
546 /* This is roughly the same as lckpwdf(), but not as awful. We
547 * don't want to use alarm() and signals, hence we implement
548 * our own trivial version of this.
550 * Note that shadow-utils also takes per-database locks in
551 * addition to lckpwdf(). However, we don't given that they
552 * are redundant as they invoke lckpwdf() first and keep
553 * it during everything they do. The per-database locks are
554 * awfully racy, and thus we just won't do them. */
557 path = prefix_roota(root, "/etc/.pwd.lock");
559 path = "/etc/.pwd.lock";
561 fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
565 r = fcntl(fd, F_SETLKW, &flock);
575 bool valid_user_group_name(const char *u) {
579 /* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition,
580 * 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules:
582 * - We don't allow any dots (this would break chown syntax which permits dots as user/group name separator)
583 * - We require that names fit into the appropriate utmp field
584 * - We don't allow empty user names
586 * Note that other systems are even more restrictive, and don't permit underscores or uppercase characters.
592 if (!(u[0] >= 'a' && u[0] <= 'z') &&
593 !(u[0] >= 'A' && u[0] <= 'Z') &&
597 for (i = u+1; *i; i++) {
598 if (!(*i >= 'a' && *i <= 'z') &&
599 !(*i >= 'A' && *i <= 'Z') &&
600 !(*i >= '0' && *i <= '9') &&
601 !IN_SET(*i, '_', '-'))
605 sz = sysconf(_SC_LOGIN_NAME_MAX);
608 if ((size_t) (i-u) > (size_t) sz)
611 if ((size_t) (i-u) > UT_NAMESIZE - 1)
617 bool valid_user_group_name_or_id(const char *u) {
619 /* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right
620 * range, and not the invalid user ids. */
625 if (valid_user_group_name(u))
628 return parse_uid(u, NULL) >= 0;
631 bool valid_gecos(const char *d) {
636 if (!utf8_is_valid(d))
639 if (string_has_cc(d, NULL))
642 /* Colons are used as field separators, and hence not OK */
649 bool valid_home(const char *p) {
654 if (!utf8_is_valid(p))
657 if (string_has_cc(p, NULL))
660 if (!path_is_absolute(p))
663 if (!path_is_normalized(p))
666 /* Colons are used as field separators, and hence not OK */
673 int maybe_setgroups(size_t size, const gid_t *list) {
676 /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
677 if (size == 0) { /* Dropping all aux groups? */
678 _cleanup_free_ char *setgroups_content = NULL;
681 r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
683 /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
684 can_setgroups = true;
688 can_setgroups = streq(setgroups_content, "allow");
690 if (!can_setgroups) {
691 log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
696 if (setgroups(size, list) < 0)