1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
35 #include "alloc-util.h"
38 #include "format-util.h"
41 #include "parse-util.h"
42 #include "path-util.h"
43 #include "string-util.h"
45 #include "user-util.h"
48 bool uid_is_valid(uid_t uid) {
50 /* Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436. */
52 /* Some libc APIs use UID_INVALID as special placeholder */
53 if (uid == (uid_t) UINT32_C(0xFFFFFFFF))
56 /* A long time ago UIDs where 16bit, hence explicitly avoid the 16bit -1 too */
57 if (uid == (uid_t) UINT32_C(0xFFFF))
63 int parse_uid(const char *s, uid_t *ret) {
69 assert_cc(sizeof(uid_t) == sizeof(uint32_t));
70 r = safe_atou32(s, &uid);
74 if (!uid_is_valid(uid))
75 return -ENXIO; /* we return ENXIO instead of EINVAL
76 * here, to make it easy to distuingish
77 * invalid numeric uids from invalid
86 char* getlogname_malloc(void) {
90 if (isatty(STDIN_FILENO) && fstat(STDIN_FILENO, &st) >= 0)
95 return uid_to_name(uid);
98 #if 0 /// UNNEEDED by elogind
99 char *getusername_malloc(void) {
106 return uid_to_name(getuid());
111 const char **username,
112 uid_t *uid, gid_t *gid,
114 const char **shell) {
122 /* We enforce some special rules for uid=0 and uid=65534: in order to avoid NSS lookups for root we hardcode
123 * their user record data. */
125 if (STR_IN_SET(*username, "root", "0")) {
142 if (synthesize_nobody() &&
143 STR_IN_SET(*username, NOBODY_USER_NAME, "65534")) {
144 *username = NOBODY_USER_NAME;
155 *shell = "/sbin/nologin";
160 if (parse_uid(*username, &u) >= 0) {
164 /* If there are multiple users with the same id, make
165 * sure to leave $USER to the configured value instead
166 * of the first occurrence in the database. However if
167 * the uid was configured by a numeric uid, then let's
168 * pick the real username from /etc/passwd. */
170 *username = p->pw_name;
173 p = getpwnam(*username);
177 return errno > 0 ? -errno : -ESRCH;
180 if (!uid_is_valid(p->pw_uid))
187 if (!gid_is_valid(p->pw_gid))
197 *shell = p->pw_shell;
202 static inline bool is_nologin_shell(const char *shell) {
204 return PATH_IN_SET(shell,
205 /* 'nologin' is the friendliest way to disable logins for a user account. It prints a nice
206 * message and exits. Different distributions place the binary at different places though,
207 * hence let's list them all. */
212 /* 'true' and 'false' work too for the same purpose, but are less friendly as they don't do
213 * any message printing. Different distributions place the binary at various places but at
214 * least not in the 'sbin' directory. */
221 #if 0 /// UNNEEDED by elogind
222 int get_user_creds_clean(
223 const char **username,
224 uid_t *uid, gid_t *gid,
226 const char **shell) {
230 /* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */
232 r = get_user_creds(username, uid, gid, home, shell);
237 (isempty(*shell) || is_nologin_shell(*shell)))
241 (isempty(*home) || path_equal(*home, "/")))
247 int get_group_creds(const char **groupname, gid_t *gid) {
253 /* We enforce some special rules for gid=0: in order to avoid
254 * NSS lookups for root we hardcode its data. */
256 if (STR_IN_SET(*groupname, "root", "0")) {
265 if (synthesize_nobody() &&
266 STR_IN_SET(*groupname, NOBODY_GROUP_NAME, "65534")) {
267 *groupname = NOBODY_GROUP_NAME;
275 if (parse_gid(*groupname, &id) >= 0) {
280 *groupname = g->gr_name;
283 g = getgrnam(*groupname);
287 return errno > 0 ? -errno : -ESRCH;
290 if (!gid_is_valid(g->gr_gid))
300 char* uid_to_name(uid_t uid) {
304 /* Shortcut things to avoid NSS lookups */
306 return strdup("root");
307 if (synthesize_nobody() &&
309 return strdup(NOBODY_USER_NAME);
311 if (uid_is_valid(uid)) {
314 bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
319 struct passwd pwbuf, *pw = NULL;
320 _cleanup_free_ char *buf = NULL;
322 buf = malloc(bufsize);
326 r = getpwuid_r(uid, &pwbuf, buf, (size_t) bufsize, &pw);
328 return strdup(pw->pw_name);
336 if (asprintf(&ret, UID_FMT, uid) < 0)
342 char* gid_to_name(gid_t gid) {
347 return strdup("root");
348 if (synthesize_nobody() &&
350 return strdup(NOBODY_GROUP_NAME);
352 if (gid_is_valid(gid)) {
355 bufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
360 struct group grbuf, *gr = NULL;
361 _cleanup_free_ char *buf = NULL;
363 buf = malloc(bufsize);
367 r = getgrgid_r(gid, &grbuf, buf, (size_t) bufsize, &gr);
369 return strdup(gr->gr_name);
377 if (asprintf(&ret, GID_FMT, gid) < 0)
383 #if 0 /// UNNEEDED by elogind
384 int in_gid(gid_t gid) {
392 if (getegid() == gid)
395 if (!gid_is_valid(gid))
398 ngroups_max = sysconf(_SC_NGROUPS_MAX);
399 assert(ngroups_max > 0);
401 gids = newa(gid_t, ngroups_max);
403 r = getgroups(ngroups_max, gids);
407 for (i = 0; i < r; i++)
414 int in_group(const char *name) {
418 r = get_group_creds(&name, &gid);
425 int get_home_dir(char **_h) {
433 /* Take the user specified one */
434 e = secure_getenv("HOME");
435 if (e && path_is_absolute(e)) {
444 /* Hardcode home directory for root and nobody to avoid NSS */
454 if (synthesize_nobody() &&
464 /* Check the database... */
468 return errno > 0 ? -errno : -ESRCH;
470 if (!path_is_absolute(p->pw_dir))
473 h = strdup(p->pw_dir);
481 int get_shell(char **_s) {
489 /* Take the user specified one */
500 /* Hardcode shell for root and nobody to avoid NSS */
503 s = strdup("/bin/sh");
510 if (synthesize_nobody() &&
512 s = strdup("/sbin/nologin");
520 /* Check the database... */
524 return errno > 0 ? -errno : -ESRCH;
526 if (!path_is_absolute(p->pw_shell))
529 s = strdup(p->pw_shell);
538 int reset_uid_gid(void) {
541 r = maybe_setgroups(0, NULL);
545 if (setresgid(0, 0, 0) < 0)
548 if (setresuid(0, 0, 0) < 0)
554 #if 0 /// UNNEEDED by elogind
555 int take_etc_passwd_lock(const char *root) {
557 struct flock flock = {
559 .l_whence = SEEK_SET,
567 /* This is roughly the same as lckpwdf(), but not as awful. We
568 * don't want to use alarm() and signals, hence we implement
569 * our own trivial version of this.
571 * Note that shadow-utils also takes per-database locks in
572 * addition to lckpwdf(). However, we don't given that they
573 * are redundant as they invoke lckpwdf() first and keep
574 * it during everything they do. The per-database locks are
575 * awfully racy, and thus we just won't do them. */
578 path = prefix_roota(root, ETC_PASSWD_LOCK_PATH);
580 path = ETC_PASSWD_LOCK_PATH;
582 fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
584 return log_debug_errno(errno, "Cannot open %s: %m", path);
586 r = fcntl(fd, F_SETLKW, &flock);
589 return log_debug_errno(errno, "Locking %s failed: %m", path);
596 bool valid_user_group_name(const char *u) {
600 /* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition,
601 * 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules:
603 * - We don't allow any dots (this would break chown syntax which permits dots as user/group name separator)
604 * - We require that names fit into the appropriate utmp field
605 * - We don't allow empty user names
607 * Note that other systems are even more restrictive, and don't permit underscores or uppercase characters.
613 if (!(u[0] >= 'a' && u[0] <= 'z') &&
614 !(u[0] >= 'A' && u[0] <= 'Z') &&
618 for (i = u+1; *i; i++) {
619 if (!(*i >= 'a' && *i <= 'z') &&
620 !(*i >= 'A' && *i <= 'Z') &&
621 !(*i >= '0' && *i <= '9') &&
622 !IN_SET(*i, '_', '-'))
626 sz = sysconf(_SC_LOGIN_NAME_MAX);
629 if ((size_t) (i-u) > (size_t) sz)
632 if ((size_t) (i-u) > UT_NAMESIZE - 1)
638 bool valid_user_group_name_or_id(const char *u) {
640 /* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right
641 * range, and not the invalid user ids. */
646 if (valid_user_group_name(u))
649 return parse_uid(u, NULL) >= 0;
652 bool valid_gecos(const char *d) {
657 if (!utf8_is_valid(d))
660 if (string_has_cc(d, NULL))
663 /* Colons are used as field separators, and hence not OK */
670 bool valid_home(const char *p) {
671 /* Note that this function is also called by valid_shell(), any
672 * changes must account for that. */
677 if (!utf8_is_valid(p))
680 if (string_has_cc(p, NULL))
683 if (!path_is_absolute(p))
686 if (!path_is_normalized(p))
689 /* Colons are used as field separators, and hence not OK */
696 int maybe_setgroups(size_t size, const gid_t *list) {
699 /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
700 if (size == 0) { /* Dropping all aux groups? */
701 _cleanup_free_ char *setgroups_content = NULL;
704 r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
706 /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
707 can_setgroups = true;
711 can_setgroups = streq(setgroups_content, "allow");
713 if (!can_setgroups) {
714 log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
719 if (setgroups(size, list) < 0)
725 bool synthesize_nobody(void) {
730 /* Returns true when we shall synthesize the "nobody" user (which we do by default). This can be turned off by
731 * touching /etc/systemd/dont-synthesize-nobody in order to provide upgrade compatibility with legacy systems
732 * that used the "nobody" user name and group name for other UIDs/GIDs than 65534.
734 * Note that we do not employ any kind of synchronization on the following caching variable. If the variable is
735 * accessed in multi-threaded programs in the worst case it might happen that we initialize twice, but that
736 * shouldn't matter as each initialization should come to the same result. */
737 static int cache = -1;
740 cache = access("/etc/elogind/dont-synthesize-nobody", F_OK) < 0;
746 int putpwent_sane(const struct passwd *pw, FILE *stream) {
751 if (putpwent(pw, stream) != 0)
752 return errno > 0 ? -errno : -EIO;
757 int putspent_sane(const struct spwd *sp, FILE *stream) {
762 if (putspent(sp, stream) != 0)
763 return errno > 0 ? -errno : -EIO;
768 int putgrent_sane(const struct group *gr, FILE *stream) {
773 if (putgrent(gr, stream) != 0)
774 return errno > 0 ? -errno : -EIO;
780 int putsgent_sane(const struct sgrp *sg, FILE *stream) {
785 if (putsgent(sg, stream) != 0)
786 return errno > 0 ? -errno : -EIO;
792 int fgetpwent_sane(FILE *stream, struct passwd **pw) {
799 p = fgetpwent(stream);
803 return errno > 0 ? -errno : -EIO;
810 int fgetspent_sane(FILE *stream, struct spwd **sp) {
817 s = fgetspent(stream);
821 return errno > 0 ? -errno : -EIO;
828 int fgetgrent_sane(FILE *stream, struct group **gr) {
835 g = fgetgrent(stream);
839 return errno > 0 ? -errno : -EIO;
847 int fgetsgent_sane(FILE *stream, struct sgrp **sg) {
854 s = fgetsgent(stream);
858 return errno > 0 ? -errno : -EIO;