1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
35 #include "alloc-util.h"
38 #include "format-util.h"
41 #include "parse-util.h"
42 #include "path-util.h"
43 #include "string-util.h"
45 #include "user-util.h"
/* Returns false for the two historical "-1" sentinels (32-bit and 16-bit), true otherwise (the
 * accepting return is elided in this listing).
 *
 * Security note: (uid_t) -1 is also the "leave unchanged" value for setresuid()/setreuid()/chown()
 * style APIs. A parsed UID of 0xFFFFFFFF that slipped through here would therefore turn a later
 * identity change into a silent no-op instead of an error, which is why it is rejected up front. */
48 bool uid_is_valid(uid_t uid) {
50 /* Also see POSIX IEEE Std 1003.1-2008, 2016 Edition, 3.436. */
52 /* Some libc APIs use UID_INVALID as special placeholder */
53 if (uid == (uid_t) UINT32_C(0xFFFFFFFF))
56 /* A long time ago UIDs were 16-bit, hence explicitly avoid the 16-bit -1 too */
57 if (uid == (uid_t) UINT32_C(0xFFFF))
/* Parses a decimal UID string.
 *
 * @s:   the string to parse
 * @ret: receives the UID on success; may be NULL when only the verdict is wanted (see
 *       valid_user_group_name_or_id(), which calls parse_uid(u, NULL)).
 *
 * Returns 0 on success, the negative error from safe_atou32() when @s is not a well-formed
 * number (propagation elided in this listing), and -ENXIO when the number is well-formed but
 * one of the sentinel IDs rejected by uid_is_valid(). Callers can thus tell "not a number" from
 * "a number we must never use". */
63 int parse_uid(const char *s, uid_t *ret) {
/* Compile-time guard: the 32-bit parse below must neither truncate nor widen a uid_t. */
69 assert_cc(sizeof(uid_t) == sizeof(uint32_t));
70 r = safe_atou32(s, &uid);
/* A syntactically fine number can still be a UID that must never reach setresuid() & co. */
74 if (!uid_is_valid(uid))
75 return -ENXIO; /* we return ENXIO instead of EINVAL
76 * here, to make it easy to distinguish
77 * invalid numeric uids from invalid
/* Best-effort name of the "login" user.
 *
 * If stdin is a terminal, the owner of that tty is used (the st.st_uid assignment is elided
 * here); otherwise a fallback UID is used — presumably getuid(), also elided. The result comes
 * from uid_to_name(), i.e. a malloc()ed string that degrades to the decimal UID when no passwd
 * entry exists, or NULL on allocation failure.
 *
 * NOTE(review): the tty owner is not an authenticated identity; do not use this for
 * authorization decisions, only for display/logging. */
86 char* getlogname_malloc(void) {
/* isatty() first, so a non-tty stdin (pipe, regular file) never has its owner mistaken for the user. */
90 if (isatty(STDIN_FILENO) && fstat(STDIN_FILENO, &st) >= 0)
95 return uid_to_name(uid);
98 #if 0 /// UNNEEDED by elogind
/* Name of the *real* UID of the calling process (getuid(), not geteuid()), as a malloc()ed
 * string; falls back to the decimal UID via uid_to_name() when no passwd entry exists, NULL on
 * allocation failure. Compiled out for elogind (see the #if 0 above). */
99 char *getusername_malloc(void) {
106 return uid_to_name(getuid());
/* get_user_creds(): resolves *username — a user name or a decimal UID string — to uid/gid/home/shell.
 * The start of the signature is elided in this listing; the call shape is visible in
 * get_user_creds_clean(): get_user_creds(username, uid, gid, home, shell).
 *
 * Output pointers are filled in place; *username may be rewritten to the canonical name. Returns
 * 0 on success, -ESRCH when the user does not exist, another negative errno on lookup failure,
 * and (on elided lines) an error when the database record carries an invalid uid/gid. */
111 const char **username,
112 uid_t *uid, gid_t *gid,
114 const char **shell) {
122 /* We enforce some special rules for uid=0 and uid=65534: in order to avoid NSS lookups for root we hardcode
123 * their user record data. */
/* Security/robustness: answering root (and the synthesized nobody) locally means no NSS module —
 * possibly network-backed, slow or misconfigured — is consulted for, or able to redefine, the
 * most privileged account. */
125 if (STR_IN_SET(*username, "root", "0")) {
142 if (synthesize_nobody() &&
143 STR_IN_SET(*username, NOBODY_USER_NAME, "65534")) {
/* Canonicalize: a caller that passed "65534" gets the symbolic name back. */
144 *username = NOBODY_USER_NAME;
/* The synthesized nobody is always given a non-login shell. */
155 *shell = "/sbin/nologin";
/* Numeric spec: resolve by UID (the getpwuid() call is elided) rather than treating the digits as a name. */
160 if (parse_uid(*username, &u) >= 0) {
164 /* If there are multiple users with the same id, make
165 * sure to leave $USER to the configured value instead
166 * of the first occurrence in the database. However if
167 * the uid was configured by a numeric uid, then let's
168 * pick the real username from /etc/passwd. */
170 *username = p->pw_name;
173 p = getpwnam(*username);
/* getpwnam() returns NULL without touching errno for "no such user"; report that as -ESRCH and
 * keep genuine failures (EIO, ENOMEM, NSS errors) as -errno. This relies on errno having been
 * cleared before the call (presumably on an elided line). */
177 return errno > 0 ? -errno : -ESRCH;
/* Never trust an NSS record blindly: a record carrying a sentinel ID would make a later
 * setresuid()/setresgid() a silent "no change". */
180 if (!uid_is_valid(p->pw_uid))
187 if (!gid_is_valid(p->pw_gid))
/* NOTE(review): *username and *shell (and presumably *home) now alias getpwnam()'s static
 * buffer, which the next getpw*()/NSS call overwrites; callers that keep them must copy first. */
197 *shell = p->pw_shell;
202 #if 0 /// UNNEEDED by elogind
/* Same contract and return values as get_user_creds(), except that *shell and *home are reset to
 * NULL when they carry no usable information, so callers can test "has a shell/home" with a
 * plain NULL check instead of re-implementing the nologin/"/" heuristics. Compiled out for
 * elogind (see the #if 0 above). */
203 int get_user_creds_clean(
204 const char **username,
205 uid_t *uid, gid_t *gid,
207 const char **shell) {
211 /* Like get_user_creds(), but resets home/shell to NULL if they don't contain anything relevant. */
213 r = get_user_creds(username, uid, gid, home, shell);
/* An empty shell, or any of the well-known nologin binaries (the set is partly elided here),
 * counts as "no shell" — nobody should end up exec()ing /sbin/nologin as a login shell. */
218 (isempty(*shell) || PATH_IN_SET(*shell,
222 "/usr/sbin/nologin")))
/* "/" is the conventional placeholder home of system accounts; treat it as no home at all. */
226 (isempty(*home) || path_equal(*home, "/")))
/* Resolves *groupname — a group name or a decimal GID string — to a GID, mirroring
 * get_user_creds() for groups.
 *
 * @groupname: in/out; may be rewritten to the canonical name (e.g. "65534" -> NOBODY_GROUP_NAME,
 *             or a numeric spec -> the name found in the group database).
 * @gid:       receives the GID.
 *
 * Returns 0 on success, -ESRCH when the group does not exist, another negative errno on
 * lookup failure, and (elided) an error when the database record carries an invalid GID. */
232 int get_group_creds(const char **groupname, gid_t *gid) {
238 /* We enforce some special rules for gid=0: in order to avoid
239 * NSS lookups for root we hardcode its data. */
/* As for users: the root group is never delegated to NSS, so no module can redefine GID 0. */
241 if (STR_IN_SET(*groupname, "root", "0")) {
250 if (synthesize_nobody() &&
251 STR_IN_SET(*groupname, NOBODY_GROUP_NAME, "65534")) {
252 *groupname = NOBODY_GROUP_NAME;
/* Numeric spec: look up by GID (getgrgid() call elided) and report the real name. */
260 if (parse_gid(*groupname, &id) >= 0) {
265 *groupname = g->gr_name;
268 g = getgrnam(*groupname);
/* NULL with errno untouched means "no such group" -> -ESRCH; real errors stay -errno.
 * Presumes errno was cleared before the call (elided). */
272 return errno > 0 ? -errno : -ESRCH;
/* Refuse database records carrying the sentinel GID. NOTE(review): *groupname aliases
 * getgrnam()'s static buffer after this point; copy before the next NSS call. */
275 if (!gid_is_valid(g->gr_gid))
/* Returns a malloc()ed user name for @uid, or NULL when allocation fails.
 *
 * Root and (when synthesized) nobody are answered without NSS. Other valid UIDs are looked up
 * with the reentrant getpwuid_r(). A UID that is invalid or unknown is rendered as its decimal
 * string instead, so on success the result is always a non-empty string — but not necessarily a
 * real account name. The buffer-growth handling around getpwuid_r() (ERANGE retry, sysconf()
 * returning -1, malloc() failure) is elided in this listing. */
285 char* uid_to_name(uid_t uid) {
289 /* Shortcut things to avoid NSS lookups */
291 return strdup("root");
292 if (synthesize_nobody() &&
294 return strdup(NOBODY_USER_NAME);
/* Sentinel UIDs are never sent to NSS; they fall straight through to the numeric form. */
296 if (uid_is_valid(uid)) {
299 bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
304 struct passwd pwbuf, *pw = NULL;
305 _cleanup_free_ char *buf = NULL;
307 buf = malloc(bufsize);
/* Reentrant variant: the record lives in our own buffer, not in libc static storage. */
311 r = getpwuid_r(uid, &pwbuf, buf, (size_t) bufsize, &pw);
313 return strdup(pw->pw_name);
/* Fallback: the decimal UID. NOTE(review): this string starts with a digit, so it fails
 * valid_user_group_name() but passes valid_user_group_name_or_id(); callers that persist or
 * display the result should not assume it names an existing account. */
321 if (asprintf(&ret, UID_FMT, uid) < 0)
/* Returns a malloc()ed group name for @gid, or NULL when allocation fails. Mirrors
 * uid_to_name(): root/nobody are answered locally, valid GIDs go through the reentrant
 * getgrgid_r(), and invalid or unknown GIDs are rendered as their decimal string (so the result
 * may look numeric and need not name an existing group). ERANGE retry, sysconf() failure and
 * malloc() failure handling are elided in this listing. */
327 char* gid_to_name(gid_t gid) {
332 return strdup("root");
333 if (synthesize_nobody() &&
335 return strdup(NOBODY_GROUP_NAME);
/* Sentinel GIDs bypass NSS entirely and take the numeric fallback below. */
337 if (gid_is_valid(gid)) {
340 bufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
345 struct group grbuf, *gr = NULL;
346 _cleanup_free_ char *buf = NULL;
348 buf = malloc(bufsize);
/* Reentrant lookup into our own buffer; safe to call from multi-threaded code. */
352 r = getgrgid_r(gid, &grbuf, buf, (size_t) bufsize, &gr);
354 return strdup(gr->gr_name);
/* Fallback: decimal GID as a string. */
362 if (asprintf(&ret, GID_FMT, gid) < 0)
368 #if 0 /// UNNEEDED by elogind
/* Reports whether the calling process has @gid as its effective or as a supplementary group.
 * Returns positive for a match, 0 for no match, negative errno on failure (the error return after
 * getgroups() and the match inside the loop are elided in this listing). Compiled out for
 * elogind (see the #if 0 above). */
369 int in_gid(gid_t gid) {
/* Fast path: the effective GID counts as membership even when it is absent from the
 * supplementary list. Note it is tested before the validity check below. */
377 if (getegid() == gid)
380 if (!gid_is_valid(gid))
383 ngroups_max = sysconf(_SC_NGROUPS_MAX);
384 assert(ngroups_max > 0);
/* NOTE(review): newa() is the project's stack allocator (presumably alloca()-based, not shown
 * here). On Linux NGROUPS_MAX is 65536, so this reserves on the order of 256 KiB of stack for a
 * 4-byte gid_t. Fine in a normal thread; a getgroups(0, NULL) size probe followed by a heap
 * allocation would avoid the risk in small-stack contexts. */
386 gids = newa(gid_t, ngroups_max);
388 r = getgroups(ngroups_max, gids);
/* r is the number of entries actually filled; a negative r makes the loop a no-op (error path elided). */
392 for (i = 0; i < r; i++)
/* Like in_gid(), but takes a group name or decimal GID string. The name is resolved with
 * get_group_creds() (so "root"/"0" and the synthesized nobody never hit NSS) and the result is
 * presumably handed to in_gid() on an elided line; lookup errors from get_group_creds() are
 * returned as negative errno. Compiled out for elogind (see the #if 0 above). */
399 int in_group(const char *name) {
403 r = get_group_creds(&name, &gid);
/* Determines the home directory of the calling user: $HOME if usable, hardcoded values for root
 * and nobody, else the passwd database. Stores a malloc()ed absolute path in *_h (assignment
 * elided) and returns 0; -ESRCH if the user is unknown, another negative errno on lookup
 * failure, and (elided) an error when the database entry is not an absolute path. */
410 int get_home_dir(char **_h) {
418 /* Take the user specified one */
/* secure_getenv() returns NULL when the process is "secure" (AT_SECURE: setuid/setgid or file
 * capabilities), so a caller-controlled $HOME is never honored by a privileged process. Only
 * absolute paths are accepted; a relative $HOME falls through to the hardcoded/NSS paths. */
419 e = secure_getenv("HOME");
420 if (e && path_is_absolute(e)) {
429 /* Hardcode home directory for root and nobody to avoid NSS */
439 if (synthesize_nobody() &&
449 /* Check the database... */
/* The passwd lookup (presumably getpwuid(), elided) returns NULL with errno untouched for an
 * unknown UID -> -ESRCH; real errors keep -errno. */
453 return errno > 0 ? -errno : -ESRCH;
/* Refuse a relative pw_dir from the database: it would resolve against whatever cwd the caller has. */
455 if (!path_is_absolute(p->pw_dir))
458 h = strdup(p->pw_dir);
/* Determines the login shell of the calling user, mirroring get_home_dir(): an environment
 * override (presumably secure_getenv("SHELL"), elided here) if absolute, hardcoded /bin/sh for
 * root and /sbin/nologin for the synthesized nobody, else the passwd database. Stores a
 * malloc()ed absolute path in *_s (assignment elided) and returns 0; -ESRCH for an unknown user,
 * another negative errno on lookup failure, and (elided) an error for a non-absolute pw_shell. */
466 int get_shell(char **_s) {
474 /* Take the user specified one */
485 /* Hardcode shell for root and nobody to avoid NSS */
488 s = strdup("/bin/sh");
495 if (synthesize_nobody() &&
/* nobody never gets an interactive shell. */
497 s = strdup("/sbin/nologin");
505 /* Check the database... */
/* NULL with errno untouched from the passwd lookup means "no such user" -> -ESRCH. */
509 return errno > 0 ? -errno : -ESRCH;
/* A relative shell path from the database is rejected rather than resolved via $PATH/cwd. */
511 if (!path_is_absolute(p->pw_shell))
514 s = strdup(p->pw_shell);
/* Switches the calling process back to full root: all three UIDs and GIDs (real, effective,
 * saved) to 0 and the supplementary group list emptied. Uses the conventional groups -> gid ->
 * uid order. The setgroups() step is silently skipped inside a user namespace that denies it
 * (see maybe_setgroups()), in which case supplementary groups are retained. Returns 0 on
 * success, negative errno otherwise (error paths elided in this listing). */
523 int reset_uid_gid(void) {
526 r = maybe_setgroups(0, NULL);
/* setres*() rather than set*()/sete*(): the saved IDs are reset too, so no privilege can be
 * regained or retained through them. */
530 if (setresgid(0, 0, 0) < 0)
533 if (setresuid(0, 0, 0) < 0)
539 #if 0 /// UNNEEDED by elogind
/* Takes the system-wide account-database lock (the lckpwdf() replacement).
 *
 * @root: optional alternate root directory; NULL/empty means the running system.
 *
 * Opens (creating if needed) the lock file and takes a blocking fcntl() lock on it. On success
 * the descriptor is presumably returned (elided) and the lock is held for as long as it stays
 * open; on failure a negative errno is returned. Compiled out for elogind (see the #if 0 above). */
540 int take_etc_passwd_lock(const char *root) {
/* Lock type/range (presumably a whole-file write lock) are elided here; offsets are absolute. */
542 struct flock flock = {
544 .l_whence = SEEK_SET,
552 /* This is roughly the same as lckpwdf(), but not as awful. We
553 * don't want to use alarm() and signals, hence we implement
554 * our own trivial version of this.
556 * Note that shadow-utils also takes per-database locks in
557 * addition to lckpwdf(). However, we don't, given that they
558 * are redundant as they invoke lckpwdf() first and keep
559 * it during everything they do. The per-database locks are
560 * awfully racy, and thus we just won't do them. */
/* prefix_roota() joins @root and the lock path (project helper, presumably stack-allocated). */
563 path = prefix_roota(root, ETC_PASSWD_LOCK_PATH);
565 path = ETC_PASSWD_LOCK_PATH;
/* O_NOFOLLOW refuses a symlink as the final component, so only the lock file itself can be
 * created or opened here; 0600 keeps it private; O_CLOEXEC keeps the descriptor — and with it
 * the lock — from leaking into child processes. NOTE(review): O_NOFOLLOW does not protect
 * symlinked directory components, which matters when @root is not fully trusted. */
567 fd = open(path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
569 return log_debug_errno(errno, "Cannot open %s: %m", path);
/* F_SETLKW blocks without timeout — deliberate, to avoid lckpwdf()'s alarm()/signal games.
 * POSIX record locks are per-process and are released as soon as *any* descriptor this process
 * holds on the file is closed, so callers must keep the returned fd open for the whole critical
 * section and must not open the lock file elsewhere in the process meanwhile. */
571 r = fcntl(fd, F_SETLKW, &flock);
574 return log_debug_errno(errno, "Locking %s failed: %m", path);
/* Returns true if @u is acceptable as a user or group name under this project's rules (stricter
 * than POSIX, see below). Empty-name rejection is on an elided line. */
581 bool valid_user_group_name(const char *u) {
585 /* Checks if the specified name is a valid user/group name. Also see POSIX IEEE Std 1003.1-2008, 2016 Edition,
586 * 3.437. We are a bit stricter here however. Specifically we deviate from POSIX rules:
588 * - We don't allow any dots (this would break chown syntax which permits dots as user/group name separator)
589 * - We require that names fit into the appropriate utmp field
590 * - We don't allow empty user names
592 * Note that other systems are even more restrictive, and don't permit underscores or uppercase characters.
 *
 * Security relevance: this is an allow-list, so a validated name contains no ':' (passwd field
 * separator), no '\n' (record separator), no '/', no whitespace and no non-ASCII bytes, and can
 * be written into /etc/passwd, /etc/group or a filesystem path without further escaping.
 */
/* First character: a letter (one more elided clause may admit another character) — never a
 * digit. This keeps names disjoint from numeric IDs, which valid_user_group_name_or_id() relies on. */
598 if (!(u[0] >= 'a' && u[0] <= 'z') &&
599 !(u[0] >= 'A' && u[0] <= 'Z') &&
/* Remaining characters: ASCII alphanumerics, '_' and '-' only. */
603 for (i = u+1; *i; i++) {
604 if (!(*i >= 'a' && *i <= 'z') &&
605 !(*i >= 'A' && *i <= 'Z') &&
606 !(*i >= '0' && *i <= '9') &&
607 !IN_SET(*i, '_', '-'))
/* After the loop i points at the NUL, so i-u is the length. Bound it by the runtime login-name
 * limit... NOTE(review): the handling of sysconf() returning -1 is elided here; without it the
 * cast below would make the bound SIZE_MAX. */
611 sz = sysconf(_SC_LOGIN_NAME_MAX);
614 if ((size_t) (i-u) > (size_t) sz)
/* ...and by the utmp field, so the name survives a round trip through utmp/wtmp records. */
617 if ((size_t) (i-u) > UT_NAMESIZE - 1)
/* Returns true if @u is either a valid user/group name or a decimal ID that is not one of the
 * sentinel values (parse_uid() reports those as -ENXIO). NULL/empty handling is elided here. */
623 bool valid_user_group_name_or_id(const char *u) {
625 /* Similar as above, but is also fine with numeric UID/GID specifications, as long as they are in the right
626 * range, and not the invalid user ids. */
631 if (valid_user_group_name(u))
/* Not a name: accept only a well-formed, non-sentinel number. Since valid names cannot start
 * with a digit (first-character rule in valid_user_group_name()), the two cases never overlap
 * and a caller can later tell name from number by the first character. */
634 return parse_uid(u, NULL) >= 0;
/* Validates a GECOS ("full name"/comment) field before it is stored in a passwd record.
 *
 * Requires valid UTF-8, no control characters and (on an elided line) no ':'. The last two are
 * injection defences: a ':' would start a new passwd field, and a '\n' would end the record and
 * let attacker-controlled text be parsed as a further account line. Returns true if acceptable;
 * NULL/empty handling is elided in this listing. */
637 bool valid_gecos(const char *d) {
642 if (!utf8_is_valid(d))
/* string_has_cc(d, NULL): no control characters at all, newline included. */
645 if (string_has_cc(d, NULL))
648 /* Colons are used as field separators, and hence not OK */
/* Validates a home-directory path (and, via valid_shell(), a shell path) before it is stored in
 * a passwd record: valid UTF-8, no control characters, absolute, normalized, and (on an elided
 * line) no ':'. Returns true if acceptable; NULL/empty handling is elided in this listing. */
655 bool valid_home(const char *p) {
656 /* Note that this function is also called by valid_shell(), any
657 * changes must account for that. */
662 if (!utf8_is_valid(p))
/* No control characters: a '\n' would terminate the passwd record early. */
665 if (string_has_cc(p, NULL))
/* Relative paths would be resolved against an unrelated cwd at login time. */
668 if (!path_is_absolute(p))
/* path_is_normalized(): presumably rejects "." / ".." components and redundant slashes, so the
 * stored path cannot be made to escape its apparent directory. */
671 if (!path_is_normalized(p))
674 /* Colons are used as field separators, and hence not OK */
/* setgroups() wrapper that tolerates user namespaces where the call is forbidden.
 *
 * @size/@list: passed straight to setgroups(); size == 0 drops all supplementary groups.
 *
 * Returns 0 on success (including when the call was skipped), negative errno otherwise (the
 * return statements are elided in this listing). */
681 int maybe_setgroups(size_t size, const gid_t *list) {
684 /* Check if setgroups is allowed before we try to drop all the auxiliary groups */
/* In a user namespace, once gid_map has been written with setgroups set to "deny", every
 * setgroups() call fails with EPERM. The probe is only performed for the "drop everything"
 * case; a non-empty list always attempts the syscall. */
685 if (size == 0) { /* Dropping all aux groups? */
686 _cleanup_free_ char *setgroups_content = NULL;
689 r = read_one_line_file("/proc/self/setgroups", &setgroups_content);
691 /* Old kernels don't have /proc/self/setgroups, so assume we can use setgroups */
/* Any read failure (not only ENOENT) lands here; the worst case is that setgroups() below fails. */
692 can_setgroups = true;
/* Only the literal "allow" enables the call; anything else ("deny") disables it. */
696 can_setgroups = streq(setgroups_content, "allow");
698 if (!can_setgroups) {
/* NOTE(review): skipping is presumably reported as success (return elided), so the process keeps
 * its current supplementary groups. Callers using this as a privilege drop should be aware that
 * no drop happened on this path. */
699 log_debug("Skipping setgroups(), /proc/self/setgroups is set to 'deny'");
704 if (setgroups(size, list) < 0)
/* Returns whether the "nobody" user/group (UID/GID 65534) should be answered locally instead of
 * via NSS. Defaults to true; disabled by the presence of /etc/elogind/dont-synthesize-nobody.
 * The verdict is cached for the lifetime of the process. */
710 bool synthesize_nobody(void) {
715 /* Returns true when we shall synthesize the "nobody" user (which we do by default). This can be turned off by
716 * touching /etc/elogind/dont-synthesize-nobody in order to provide upgrade compatibility with legacy systems
717 * that used the "nobody" user name and group name for other UIDs/GIDs than 65534.
719 * Note that we do not employ any kind of synchronization on the following caching variable. If the variable is
720 * accessed in multi-threaded programs in the worst case it might happen that we initialize twice, but that
721 * shouldn't matter as each initialization should come to the same result. */
/* NOTE(review): an unsynchronized plain int is formally a data race under C11; practically
 * benign here since every writer stores the same value, but a relaxed atomic would make it
 * correct by the letter as well. */
722 static int cache = -1;
/* access() < 0 for *any* reason (ENOENT, but also EACCES/ENAMETOOLONG) means "synthesize".
 * The surrounding one-shot guard (presumably `if (cache < 0)`, elided) means a file created
 * later in the process's life is not noticed. */
725 cache = access("/etc/elogind/dont-synthesize-nobody", F_OK) < 0;