diff options
author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2017-10-11 14:41:13 +0900 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2017-10-11 14:41:19 +0900 |
commit | 9ec655cbbd7505ef465e0444da0622e46099ce42 (patch) | |
tree | 494bf962d1455e134d3b30f8227a7bcf4a1103a8 /src/core/dynamic-user.c | |
parent | 9da440b1b3d8476394e6ffcaf687e0f89932e6ac (diff) | |
download | systemd-9ec655cbbd7505ef465e0444da0622e46099ce42.tar.gz |
dynamic-user: permit the case static uid and gid are different
This makes systemd supports the case that DynamicUser=yes and
static user and group exist such that uid and gid of them are different.
We only refuse the operation when user does not exist but the group
with the same name exists.
Fixes #7013.
Diffstat (limited to 'src/core/dynamic-user.c')
-rw-r--r-- | src/core/dynamic-user.c | 41 |
1 files changed, 25 insertions, 16 deletions
diff --git a/src/core/dynamic-user.c b/src/core/dynamic-user.c index a191341186..8f229d27ff 100644 --- a/src/core/dynamic-user.c +++ b/src/core/dynamic-user.c @@ -421,7 +421,7 @@ static void unlink_uid_lock(int lock_fd, uid_t uid, const char *name) { (void) make_uid_symlinks(uid, name, false); /* remove direct lookup symlinks */ } -static int dynamic_user_realize(DynamicUser *d, char **suggested_dirs, uid_t *ret) { +static int dynamic_user_realize(DynamicUser *d, char **suggested_dirs, uid_t *ret, bool is_user) { _cleanup_close_ int etc_passwd_lock_fd = -1, uid_lock_fd = -1; uid_t uid = UID_INVALID; @@ -460,19 +460,28 @@ static int dynamic_user_realize(DynamicUser *d, char **suggested_dirs, uid_t *re struct passwd *p; struct group *g; - /* OK, this is not a numeric UID. Let's see if there's a user by this name */ - p = getpwnam(d->name); - if (p) - uid = p->pw_uid; - - /* Let's see if there's a group by this name */ - g = getgrnam(d->name); - if (g) { - /* If the UID/GID of the user/group of the same don't match, refuse operation */ - if (uid != UID_INVALID && uid != (uid_t) g->gr_gid) - return -EILSEQ; - - uid = (uid_t) g->gr_gid; + if (is_user) { + /* OK, this is not a numeric UID. Let's see if there's a user by this name */ + p = getpwnam(d->name); + if (p) + uid = p->pw_uid; + else { + /* if the user does not exist but the group with the same name exists, refuse operation */ + g = getgrnam(d->name); + if (g) + return -EILSEQ; + } + } else { + /* Let's see if there's a group by this name */ + g = getgrnam(d->name); + if (g) + uid = (uid_t) g->gr_gid; + else { + /* if the group does not exist but the user with the same name exists, refuse operation */ + p = getpwnam(d->name); + if (p) + return -EILSEQ; + } } } @@ -814,13 +823,13 @@ int dynamic_creds_realize(DynamicCreds *creds, char **suggested_paths, uid_t *ui /* Realize both the referenced user and group */ if (creds->user) { - r = dynamic_user_realize(creds->user, suggested_paths, &u); + r = dynamic_user_realize(creds->user, suggested_paths, &u, true); if (r < 0) return r; } if (creds->group && creds->group != creds->user) { - r = dynamic_user_realize(creds->group, suggested_paths, &g); + r = dynamic_user_realize(creds->group, suggested_paths, &g, false); if (r < 0) return r; } else |