+ if (root) {
+ *root_device = root;
+ root = NULL;
+
+ *root_device_rw = root_rw;
+ *secondary = false;
+ } else if (secondary_root) {
+ *root_device = secondary_root;
+ secondary_root = NULL;
+
+ *root_device_rw = secondary_root_rw;
+ *secondary = true;
+ }
+
+ if (home) {
+ *home_device = home;
+ home = NULL;
+
+ *home_device_rw = home_rw;
+ }
+
+ if (srv) {
+ *srv_device = srv;
+ srv = NULL;
+
+ *srv_device_rw = srv_rw;
+ }
+
+ return 0;
+#else
+ log_error("--image= is not supported, compiled without blkid support.");
+ return -ENOTSUP;
+#endif
+}
+
+static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
+#ifdef HAVE_BLKID
+ _cleanup_blkid_free_probe_ blkid_probe b = NULL;
+ const char *fstype, *p;
+ int r;
+
+ assert(what);
+ assert(where);
+
+ if (arg_read_only)
+ rw = false;
+
+ if (directory)
+ p = strappenda(where, directory);
+ else
+ p = where;
+
+ errno = 0;
+ b = blkid_new_probe_from_filename(what);
+ if (!b) {
+ if (errno == 0)
+ return log_oom();
+ log_error("Failed to allocate prober for %s: %m", what);
+ return -errno;
+ }
+
+ blkid_probe_enable_superblocks(b, 1);
+ blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
+
+ errno = 0;
+ r = blkid_do_safeprobe(b);
+ if (r == -1 || r == 1) {
+ log_error("Cannot determine file system type of %s", what);
+ return -EINVAL;
+ } else if (r != 0) {
+ if (errno == 0)
+ errno = EIO;
+ log_error("Failed to probe %s: %m", what);
+ return -errno;
+ }
+
+ errno = 0;
+ if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
+ if (errno == 0)
+ errno = EINVAL;
+ log_error("Failed to determine file system type of %s", what);
+ return -errno;
+ }
+
+ if (streq(fstype, "crypto_LUKS")) {
+ log_error("nspawn currently does not support LUKS disk images.");
+ return -ENOTSUP;
+ }
+
+ if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0) {
+ log_error("Failed to mount %s: %m", what);
+ return -errno;
+ }
+
+ return 0;
+#else
+ log_error("--image= is not supported, compiled without blkid support.");
+ return -ENOTSUP;
+#endif
+}
+
+static int mount_devices(
+ const char *where,
+ const char *root_device, bool root_device_rw,
+ const char *home_device, bool home_device_rw,
+ const char *srv_device, bool srv_device_rw) {
+ int r;
+
+ assert(where);
+
+ if (root_device) {
+ r = mount_device(root_device, arg_directory, NULL, root_device_rw);
+ if (r < 0) {
+ log_error("Failed to mount root directory: %s", strerror(-r));
+ return r;
+ }
+ }
+
+ if (home_device) {
+ r = mount_device(home_device, arg_directory, "/home", home_device_rw);
+ if (r < 0) {
+ log_error("Failed to mount home directory: %s", strerror(-r));
+ return r;
+ }
+ }
+
+ if (srv_device) {
+ r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
+ if (r < 0) {
+ log_error("Failed to mount server data directory: %s", strerror(-r));
+ return r;
+ }
+ }
+
+ return 0;
+}
+
+static void loop_remove(int nr, int *image_fd) {
+ _cleanup_close_ int control = -1;
+
+ if (nr < 0)
+ return;
+
+ if (image_fd && *image_fd >= 0) {
+ ioctl(*image_fd, LOOP_CLR_FD);
+ *image_fd = safe_close(*image_fd);
+ }
+
+ control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
+ if (control < 0)
+ return;
+
+ ioctl(control, LOOP_CTL_REMOVE, nr);
+}
+
+static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
+ int pipe_fds[2];
+ pid_t pid;
+
+ assert(database);
+ assert(key);
+ assert(rpid);
+
+ if (pipe2(pipe_fds, O_CLOEXEC) < 0) {
+ log_error("Failed to allocate pipe: %m");
+ return -errno;
+ }
+
+ pid = fork();
+ if (pid < 0) {
+ log_error("Failed to fork getent child: %m");
+ return -errno;
+ } else if (pid == 0) {
+ int nullfd;
+ char *empty_env = NULL;
+
+ if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
+ _exit(EXIT_FAILURE);
+
+ if (pipe_fds[0] > 2)
+ safe_close(pipe_fds[0]);
+ if (pipe_fds[1] > 2)
+ safe_close(pipe_fds[1]);
+
+ nullfd = open("/dev/null", O_RDWR);
+ if (nullfd < 0)
+ _exit(EXIT_FAILURE);
+
+ if (dup3(nullfd, STDIN_FILENO, 0) < 0)
+ _exit(EXIT_FAILURE);
+
+ if (dup3(nullfd, STDERR_FILENO, 0) < 0)
+ _exit(EXIT_FAILURE);
+
+ if (nullfd > 2)
+ safe_close(nullfd);
+
+ reset_all_signal_handlers();
+ close_all_fds(NULL, 0);
+
+ execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
+ execle("/bin/getent", "getent", database, key, NULL, &empty_env);
+ _exit(EXIT_FAILURE);
+ }
+
+ pipe_fds[1] = safe_close(pipe_fds[1]);
+
+ *rpid = pid;
+
+ return pipe_fds[0];
+}
+
+static int change_uid_gid(char **_home) {
+ char line[LINE_MAX], *w, *x, *state, *u, *g, *h;
+ _cleanup_free_ uid_t *uids = NULL;
+ _cleanup_free_ char *home = NULL;
+ _cleanup_fclose_ FILE *f = NULL;
+ _cleanup_close_ int fd = -1;
+ unsigned n_uids = 0;
+ size_t sz, l;
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ int r;
+
+ assert(_home);
+
+ if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
+ /* Reset everything fully to 0, just in case */
+
+ if (setgroups(0, NULL) < 0) {
+ log_error("setgroups() failed: %m");
+ return -errno;
+ }
+
+ if (setresgid(0, 0, 0) < 0) {
+ log_error("setregid() failed: %m");
+ return -errno;
+ }
+
+ if (setresuid(0, 0, 0) < 0) {
+ log_error("setreuid() failed: %m");
+ return -errno;
+ }
+
+ *_home = NULL;
+ return 0;
+ }
+
+ /* First, get user credentials */
+ fd = spawn_getent("passwd", arg_user, &pid);
+ if (fd < 0)
+ return fd;
+
+ f = fdopen(fd, "r");
+ if (!f)
+ return log_oom();
+ fd = -1;
+
+ if (!fgets(line, sizeof(line), f)) {
+
+ if (!ferror(f)) {
+ log_error("Failed to resolve user %s.", arg_user);
+ return -ESRCH;
+ }
+
+ log_error("Failed to read from getent: %m");
+ return -errno;
+ }
+
+ truncate_nl(line);
+
+ wait_for_terminate_and_warn("getent passwd", pid);
+
+ x = strchr(line, ':');
+ if (!x) {
+ log_error("/etc/passwd entry has invalid user field.");
+ return -EIO;
+ }
+
+ u = strchr(x+1, ':');
+ if (!u) {
+ log_error("/etc/passwd entry has invalid password field.");
+ return -EIO;
+ }
+
+ u++;
+ g = strchr(u, ':');
+ if (!g) {
+ log_error("/etc/passwd entry has invalid UID field.");
+ return -EIO;
+ }
+
+ *g = 0;
+ g++;
+ x = strchr(g, ':');
+ if (!x) {
+ log_error("/etc/passwd entry has invalid GID field.");
+ return -EIO;
+ }
+
+ *x = 0;
+ h = strchr(x+1, ':');
+ if (!h) {
+ log_error("/etc/passwd entry has invalid GECOS field.");
+ return -EIO;
+ }
+
+ h++;
+ x = strchr(h, ':');
+ if (!x) {
+ log_error("/etc/passwd entry has invalid home directory field.");
+ return -EIO;
+ }
+
+ *x = 0;
+
+ r = parse_uid(u, &uid);
+ if (r < 0) {
+ log_error("Failed to parse UID of user.");
+ return -EIO;
+ }
+
+ r = parse_gid(g, &gid);
+ if (r < 0) {
+ log_error("Failed to parse GID of user.");
+ return -EIO;
+ }
+
+ home = strdup(h);
+ if (!home)
+ return log_oom();
+
+ /* Second, get group memberships */
+ fd = spawn_getent("initgroups", arg_user, &pid);
+ if (fd < 0)
+ return fd;
+
+ fclose(f);
+ f = fdopen(fd, "r");
+ if (!f)
+ return log_oom();
+ fd = -1;
+
+ if (!fgets(line, sizeof(line), f)) {
+ if (!ferror(f)) {
+ log_error("Failed to resolve user %s.", arg_user);
+ return -ESRCH;
+ }
+
+ log_error("Failed to read from getent: %m");
+ return -errno;
+ }
+
+ truncate_nl(line);
+
+ wait_for_terminate_and_warn("getent initgroups", pid);
+
+ /* Skip over the username and subsequent separator whitespace */
+ x = line;
+ x += strcspn(x, WHITESPACE);
+ x += strspn(x, WHITESPACE);
+
+ FOREACH_WORD(w, l, x, state) {
+ char c[l+1];
+
+ memcpy(c, w, l);
+ c[l] = 0;
+
+ if (!GREEDY_REALLOC(uids, sz, n_uids+1))
+ return log_oom();
+
+ r = parse_uid(c, &uids[n_uids++]);
+ if (r < 0) {
+ log_error("Failed to parse group data from getent.");
+ return -EIO;
+ }