path: root/src/basic/user-util.h
Commit message | Author | Age | Files | Lines
* user-util: Add default_root_shell_at() | Daan De Meyer | 2023-04-11 | 1 | -0/+1
* user-util: Rename ETC_PASSWD_LOCK_NAME to ETC_PASSWD_LOCK_FILENAME | Daan De Meyer | 2023-03-29 | 1 | -2/+2
* user-util: Add ETC_PASSWD_LOCK_NAME | Daan De Meyer | 2023-03-29 | 1 | -1/+2
* nspawn: rename RemountIdmapFlags enum to RemountIdmapping | Quentin Deslandes | 2022-09-05 | 1 | -3/+3
  This enum should be used to define various idmapping modes for bind mounts which might be incompatible. Changing its name and the values' names to reflect that.
* tree-wide: Mark some constants as unsigned | Jan Janssen | 2022-08-30 | 1 | -4/+4
  All these are really unsigned and used as such. This silences some -Wformat-signedness warnings with gcc.
* basic/user-util: rename output param to ret, shorten code | Zbigniew Jędrzejewski-Szmek | 2022-08-24 | 1 | -1/+1
* various: try to use DEFAULT_USER_SHELL for root too | Zbigniew Jędrzejewski-Szmek | 2022-08-24 | 1 | -0/+1
  /bin/sh as a shell is punishing. There is no good reason to make the occasional root login unpleasant. Since /bin/sh is usually /bin/bash in compat mode, i.e. if one is available, the other will be too, /bin/bash is almost as good as a default. But to avoid a regression in the situation where /bin/bash (or DEFAULT_USER_SHELL) is not installed, we check with access() and fall back to /bin/sh. This should make this change in behaviour less risky.

  (FWIW, e.g. Fedora/RHEL use /bin/bash as default for root.)

  This is a follow-up of sorts for 53350c7bbade8c5f357aa3d1029ef9b2208ea675, which added the default-user-shell option, but most likely with the idea of using /bin/bash less ;)

  Fixes #24369.
* nspawn: make sure host root can write to the uidmapped mounts we prepare for the container payload | Lennart Poettering | 2022-03-17 | 1 | -0/+13
  When using user namespaces in conjunction with uidmapped mounts, nspawn so far set up two uidmappings:

  1. One that is used for the uidmapped mount and that maps the UID range 0…65535 on the backing fs to some high UID range X…X+65535 on the uidmapped fs. (Let's call this mapping the "mount mapping")

  2. One that is used for the userns namespace the container payload processes run in, that maps X…X+65535 back to 0…65535. (Let's call this one the "process mapping").

  These mappings hence are pretty much identical, one just moves things up and one back down. (Reminder: we do all this so that the processes can run under high UIDs while running off file systems that require no recursive chown()ing, i.e. we want processes with high UID range but files with low UID range.)

  This creates one problem, i.e. issue #20989: if nspawn (which runs as host root, i.e. host UID 0) wants to add inodes to the uidmapped mount it can't do that, since host UID 0 is not defined in the mount mapping (only the X…X+65536 range is, after all, and X > 0), and processes whose UID is not mapped in a uidmapped fs cannot create inodes in it since those would be owned by an unmapped UID, which then triggers the famous EOVERFLOW error.

  Let's fix this, by explicitly including an entry for the host UID 0 in the mount mapping. Specifically, we'll extend the mount mapping to map UID 2147483646 (which is INT32_MAX-1, see code for an explanation why I picked this one) of the backing fs to UID 0 on the uidmapped fs. This way nspawn can create inodes on the uidmapped fs as it likes (which will then actually be owned by UID 2147483646 on the backing fs), and as it always did.

  Note that we do *not* create a similar entry in the process mapping. Thus any files created by nspawn that way (and not chown()ed to something better) will appear as unmapped (i.e. as overflowuid/"nobody") in the container payload. And that's good. Of course, the latter is mostly theoretic, as nspawn should generally chown() the inodes it creates to UID ranges that actually make sense for the container (and we generally already do this correctly), but it's good to know that we are safe here, given we might accidentally forget to chown() some inodes we create.

  Net effect: the two mappings will not be identical anymore. The mount mapping has one entry more, and the only reason it exists is so that nspawn can access the uidmapped fs reasonably independently from any process mapping.

  Fixes: #20989
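The two mappings described in that commit message, modelled as an added example (this is not nspawn's code, and the base of the high range X = 1048576, the overflowuid value and all function names are assumptions for the demo; the 2147483646 entry is the one the commit adds). It shows why host UID 0 could not create inodes before, what the extra entry changes, and why an inode nspawn creates still shows up as "nobody" inside the payload:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define UID_OVERFLOW   ((uid_t) 65534)       /* kernel default overflowuid, "nobody" */
#define UID_NSPAWN_FS  ((uid_t) 2147483646)  /* INT32_MAX-1: backing-fs owner of inodes nspawn creates */
#define UID_BASE       ((uid_t) 1048576)     /* "X": assumed start of the container's high UID range */
#define UID_RANGE      ((uid_t) 65536)

#define ELEMENTSOF(a) (sizeof(a) / sizeof((a)[0]))

/* One uid_map line: 'count' IDs starting at 'from' translate to 'to'. */
typedef struct {
        uid_t from, to, count;
} IdmapEntry;

static bool idmap_forward(const IdmapEntry *map, size_t n, uid_t uid, uid_t *ret) {
        for (size_t i = 0; i < n; i++)
                if (uid >= map[i].from && uid - map[i].from < map[i].count) {
                        *ret = map[i].to + (uid - map[i].from);
                        return true;
                }
        return false;
}

static bool idmap_reverse(const IdmapEntry *map, size_t n, uid_t uid, uid_t *ret) {
        for (size_t i = 0; i < n; i++)
                if (uid >= map[i].to && uid - map[i].to < map[i].count) {
                        *ret = map[i].from + (uid - map[i].to);
                        return true;
                }
        return false;
}

/* "Mount mapping" before the fix: backing fs 0..65535 -> host X..X+65535, nothing else. */
const IdmapEntry mount_map_before[] = {
        { .from = 0, .to = UID_BASE, .count = UID_RANGE },
};

/* "Mount mapping" after the fix: the extra one-ID entry makes host UID 0 visible on
 * the uidmapped fs, backed by UID 2147483646 on the real filesystem. */
const IdmapEntry mount_map_after[] = {
        { .from = 0,             .to = UID_BASE, .count = UID_RANGE },
        { .from = UID_NSPAWN_FS, .to = 0,        .count = 1         },
};

/* "Process mapping": host X..X+65535 -> container 0..65535. Deliberately has no
 * entry for host UID 0, so inodes nspawn creates show up as overflowuid inside. */
const IdmapEntry process_map[] = {
        { .from = UID_BASE, .to = 0, .count = UID_RANGE },
};

/* Backing-fs UID an inode gets when a host process running as host_uid creates it
 * through the mount. Returns false where the kernel would fail the create with EOVERFLOW. */
bool backing_owner_for_creator(const IdmapEntry *mount_map, size_t n, uid_t host_uid, uid_t *ret) {
        return idmap_reverse(mount_map, n, host_uid, ret);
}

/* Owner the container payload sees for an inode owned by backing_uid on disk. */
uid_t payload_view_of_inode(const IdmapEntry *mount_map, size_t n, uid_t backing_uid) {
        uid_t host_uid, payload_uid;

        if (!idmap_forward(mount_map, n, backing_uid, &host_uid))
                return UID_OVERFLOW;
        if (!idmap_forward(process_map, ELEMENTSOF(process_map), host_uid, &payload_uid))
                return UID_OVERFLOW;
        return payload_uid;
}

int main(void) {
        uid_t owner;

        printf("host root creates inode, old mapping: %s\n",
               backing_owner_for_creator(mount_map_before, ELEMENTSOF(mount_map_before), 0, &owner) ? "ok" : "EOVERFLOW");
        if (backing_owner_for_creator(mount_map_after, ELEMENTSOF(mount_map_after), 0, &owner))
                printf("host root creates inode, new mapping: backing owner %u\n", (unsigned) owner);
        printf("payload sees that inode as UID %u\n",
               (unsigned) payload_view_of_inode(mount_map_after, ELEMENTSOF(mount_map_after), UID_NSPAWN_FS));
        printf("payload sees backing UID 1000 as UID %u\n",
               (unsigned) payload_view_of_inode(mount_map_after, ELEMENTSOF(mount_map_after), 1000));
        return 0;
}
```

The reverse lookup is the interesting direction: creating an inode needs the creator's UID to exist in the mount mapping, and with only the first entry host UID 0 is nowhere in X..X+65535, which is the EOVERFLOW the commit fixes.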
* user-util: move homed/nspawn map UID_MIN/UID_MAX define into user-util.h | Lennart Poettering | 2022-02-16 | 1 | -0/+8
  Let's have them at a common place, so that we have the ranges altogether at a minimal set of places.
* userdbctl: fix "Password OK" shown even when password is empty or locked (#21308) | Pigmy-penguin | 2022-01-06 | 1 | -0/+4
* homed: allow overriding the root directory for home dirs via env var (i.e. use a different path than /home/) | Lennart Poettering | 2021-10-11 | 1 | -0/+2
  This is a debugging feature. It's sometimes incredibly useful to be able to run a second instance of homed that operates on another dir than /home/.

  Specifically, if you build homed from the source tree you can now run an instance of it pretty reasonably directly from the build tree via:

    sudo SYSTEMD_HOME_DEBUG_SUFFIX=foo SYSTEMD_HOMEWORK_PATH=$(pwd)/build/systemd-homework SYSTEMD_HOME_ROOT=/home/foo ./build/systemd-homed

  And then talk to it via

    sudo SYSTEMD_HOME_DEBUG_SUFFIX=foo homectl …

  (you might need to tweak your dbus policy for this to work fully though)
* user-util: add generic definition for special password hash values in /etc/passwd + /etc/shadow | Lennart Poettering | 2021-05-06 | 1 | -0/+9
  Let's add three defines for the 3 special cases of passwords. Some of our tools used different values for the "locked"/"invalid" case, let's settle on using "!*" which means the password is both locked *and* invalid. Other tools like to use "!!" for this case, which however is less than ideal I think, since this could also be considered an entry with an empty password, that can be enabled again by unlocking it twice.
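An added example (not user-util.h's code) that classifies passwd(5)/shadow(5) password fields the way the two commit messages above reason about them: it tells a real hash from "locked", "locked and invalid", "invalid" and empty fields, answers the "Password OK" question only for a real hash, and shows why "!!" is a worse lock marker than "!*" by stripping one "!" per unlock. The define and enum names are assumptions for this demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD_SEE_SHADOW         "x"   /* in passwd(5): the real hash is in shadow(5) */
#define PASSWORD_LOCKED_AND_INVALID "!*"  /* locked, and nothing usable behind the lock */

typedef enum {
        HASH_EMPTY,           /* "": no password needed at all */
        HASH_SEE_SHADOW,      /* "x" */
        HASH_LOCKED_INVALID,  /* "!*", "!!", "!": locked, no usable hash behind it */
        HASH_LOCKED,          /* "!$6$...": locked, a real hash survives for unlocking */
        HASH_INVALID,         /* "*" or junk: can never match, but not marked locked */
        HASH_VALID,           /* looks like crypt(3) output */
} HashKind;

static bool looks_like_crypt_hash(const char *s) {
        /* Modular crypt format "$id$...": a non-empty id between the first two '$', then more. */
        if (s[0] == '$') {
                const char *end = strchr(s + 1, '$');
                return end && end > s + 1 && end[1] != '\0';
        }
        /* Traditional DES: exactly 13 characters from the crypt alphabet. */
        return strlen(s) == 13 &&
               strspn(s, "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz") == 13;
}

HashKind classify_password_hash(const char *h) {
        if (!h || h[0] == '\0')
                return HASH_EMPTY;
        if (strcmp(h, PASSWORD_SEE_SHADOW) == 0)
                return HASH_SEE_SHADOW;
        if (h[0] == '!') {
                const char *rest = h + 1;
                while (*rest == '!')   /* "!!" and friends: treat the run of '!' as one lock */
                        rest++;
                return looks_like_crypt_hash(rest) ? HASH_LOCKED : HASH_LOCKED_INVALID;
        }
        return looks_like_crypt_hash(h) ? HASH_VALID : HASH_INVALID;
}

/* Strip one leading '!' in place, the way a single "unlock" operation would.
 * Returns false if the field was not locked. */
bool unlock_password_hash(char *h) {
        if (h[0] != '!')
                return false;
        memmove(h, h + 1, strlen(h));  /* strlen(h) bytes moves the terminating NUL too */
        return true;
}

/* What a tool may honestly report as "Password OK": only a real, unlocked hash. */
bool password_ok_to_report(const char *h) {
        return classify_password_hash(h) == HASH_VALID;
}

int main(void) {
        char twice[] = "!!", once[] = PASSWORD_LOCKED_AND_INVALID;

        unlock_password_hash(twice);
        unlock_password_hash(twice);
        printf("\"!!\" unlocked twice -> \"%s\" (%s)\n", twice,
               classify_password_hash(twice) == HASH_EMPTY ? "passwordless login!" : "still blocked");

        unlock_password_hash(once);
        printf("\"!*\" unlocked once -> \"%s\" (%s)\n", once,
               classify_password_hash(once) == HASH_INVALID ? "still blocked" : "usable");
        return 0;
}
```

The point of the second case is that "!*" degrades safely: after the lock is removed the field is still "*", which no password can match, whereas "!!" degrades to an empty field.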
* homectl: don't use password cache if we operate on other user | Lennart Poettering | 2021-04-23 | 1 | -0/+2
* license: LGPL-2.1+ -> LGPL-2.1-or-later | Yu Watanabe | 2020-11-09 | 1 | -1/+1
* Move {uid,gid}_is_*() from basic to shared | Zbigniew Jędrzejewski-Szmek | 2020-09-25 | 1 | -25/+1
  Those are functions that express policy, and nothing in basic/ uses (or should use) them.
* user-util: add mangle_gecos() call for turning strings into fields suitable as GECOS fields | Lennart Poettering | 2020-08-07 | 1 | -0/+1
* user-util: rework how we validate user names | Lennart Poettering | 2020-04-08 | 1 | -14/+7
  This reworks the user validation infrastructure. There are now two modes. In regular mode we are strict and test against a strict set of valid chars. And in "relaxed" mode we just filter out some really obvious, dangerous stuff. i.e. strict is whitelisting what is OK, but "relaxed" is blacklisting what is really not OK.

  The idea is that we use strict mode whenever we allocate a new user (i.e. in sysusers.d or homed), while "relaxed" mode is when we process users registered elsewhere, (i.e. userdb, logind, …)

  The requirements on user name validity vary wildly. SSSD thinks it's fine to embed "@" for example, while the suggested NAME_REGEX field on Debian does not even allow uppercase chars…

  This effectively liberalizes a lot what we expect from usernames.

  The code that warns about questionable user names is now optional and only used at places such as unit file parsing, so that it doesn't show up on every userdb query, but only when processing configuration files that know better.

  Fixes: #15149 #15090
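The strict/relaxed split described above, as an added example (not the header's implementation): an allow-list check for names we create ourselves, and a deny-list check for names that arrive from elsewhere and only needs to keep them from breaking passwd(5) parsing, path construction or option parsing. The length limits and the exact character sets are assumptions for the demo.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_NAME_MAX_STRICT  31   /* classic useradd(8) limit, assumed for the demo */
#define USER_NAME_MAX_RELAXED 255  /* sanity bound for foreign records, assumed for the demo */

/* Strict (whitelist): ASCII letter or '_' first, then [A-Za-z0-9_-], optional trailing '$'.
 * Use this wherever *we* pick the name, e.g. when allocating a new user. */
bool valid_user_name_strict(const char *u) {
        size_t n;

        if (!u || u[0] == '\0')
                return false;
        n = strlen(u);
        if (n > USER_NAME_MAX_STRICT)
                return false;
        if (!(isalpha((unsigned char) u[0]) || u[0] == '_'))
                return false;
        for (size_t i = 1; i < n; i++) {
                unsigned char c = (unsigned char) u[i];
                if (isalnum(c) || c == '_' || c == '-')
                        continue;
                if (c == '$' && i == n - 1)   /* Samba-style machine accounts end in '$' */
                        continue;
                return false;
        }
        return true;
}

/* Relaxed (blacklist): accept anything that cannot hurt us. Use this for records that
 * already exist in some other database and that we only need to handle safely. */
bool valid_user_name_relaxed(const char *u) {
        size_t n;

        if (!u || u[0] == '\0')
                return false;
        n = strlen(u);
        if (n > USER_NAME_MAX_RELAXED)
                return false;
        if (strcmp(u, ".") == 0 || strcmp(u, "..") == 0)  /* "~user" and "/home/<user>" would escape */
                return false;
        if (u[0] == '-')                                   /* would be parsed as an option by tools */
                return false;
        for (size_t i = 0; i < n; i++) {
                unsigned char c = (unsigned char) u[i];
                if (c < 0x20 || c == 0x7f)                 /* control characters, including newline */
                        return false;
                if (c == ':' || c == '/')                  /* passwd(5) field separator, path separator */
                        return false;
        }
        if (strspn(u, "0123456789") == n)                  /* "1000" is ambiguous with a numeric UID */
                return false;
        return true;
}

int main(void) {
        static const char *const samples[] = { "alice", "_svc-1", "host$", "alice@example.org", "user.name", "9lives", "a:b", "..", "-flag", "1000" };

        for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
                printf("%-20s strict=%d relaxed=%d\n", samples[i],
                       valid_user_name_strict(samples[i]), valid_user_name_relaxed(samples[i]));
        return 0;
}
```

Note that everything relaxed mode rejects is a concrete hazard (field separator, path component, option prefix, numeric ambiguity), not a style opinion; that is what keeps the blacklist small and the SSSD "@" and Debian uppercase cases both passing.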
* util: add parse_uid_range() helper function | Yu Watanabe | 2020-02-02 | 1 | -0/+1
* shared: split out crypt() specific helpers into its own .c/.h in src/shared/ | Lennart Poettering | 2020-01-15 | 1 | -2/+0
  This way we can use libxcrypt specific functionality such as crypt_gensalt() and thus take benefit of the newer algorithms libxcrypt implements.

  (Also adds support for a new env var $SYSTEMD_CRYPT_PREFIX which may be used to select the hash algorithm to use for libxcrypt.)

  Also, let's move the weird crypt.h inclusion into libcrypt.h so that there's a single place for it.
* user-util: Add helper functions for gid lists operations | Dariusz Gadomski | 2020-01-13 | 1 | -0/+3
* user-util: add uid_is_container() for checking whether UID is in container range | Lennart Poettering | 2019-12-04 | 1 | -4/+12
  We have similar calls for the dynamic user and system range, let's add this too here.
* user-util: export is_nologin_shell() so that we can use it elsewhere | Lennart Poettering | 2019-12-04 | 1 | -0/+2
* shared/user-util: add compat forms of user name checking functions | Zbigniew Jędrzejewski-Szmek | 2019-08-19 | 1 | -2/+14
  New functions are called valid_user_group_name_compat() and valid_user_group_name_or_id_compat() and accept dots in the user or group name. No functional change except the tests.
* user-util: add generic make_salt() API | Lennart Poettering | 2019-04-29 | 1 | -0/+2
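An added example covering both the generic make_salt() commit above and the earlier crypt-helper split with its $SYSTEMD_CRYPT_PREFIX variable: a salt generator that draws from the kernel CSPRNG, builds a crypt(3) setting string for the SHA-crypt family, and validates the prefix taken from the environment against an allow-list instead of passing it through. This is not the project's implementation; the "$6$" default, the 16-character salt and all names are assumptions. Parameterised schemes such as yescrypt or bcrypt need a differently shaped setting string, which is exactly why libxcrypt's crypt_gensalt() exists; this example deliberately refuses them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* 64 characters: a byte taken modulo 64 is uniform, so no rejection sampling is needed. */
static const char salt_alphabet[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Only schemes whose setting is "$id$<salt>$": MD5, SHA-256, SHA-512. */
static const char *const allowed_prefixes[] = { "$1$", "$5$", "$6$" };
#define DEFAULT_CRYPT_PREFIX "$6$"   /* assumed default for the demo */

/* Returns a canonical allowed prefix, the default when nothing was requested,
 * or NULL for an unknown scheme (refuse rather than silently use something else). */
const char *normalize_crypt_prefix(const char *requested) {
        if (!requested || requested[0] == '\0')
                return DEFAULT_CRYPT_PREFIX;
        for (size_t i = 0; i < sizeof(allowed_prefixes) / sizeof(allowed_prefixes[0]); i++)
                if (strcmp(requested, allowed_prefixes[i]) == 0)
                        return allowed_prefixes[i];
        return NULL;
}

const char *crypt_prefix_from_env(void) {
        return normalize_crypt_prefix(getenv("SYSTEMD_CRYPT_PREFIX"));
}

/* Fill ret (room for n+1 bytes) with n random salt characters. */
bool make_salt_chars(char *ret, size_t n) {
        unsigned char raw[64];
        size_t done = 0;

        if (n > sizeof raw)
                return false;
        while (done < n) {
                ssize_t k = getrandom(raw + done, n - done, 0);
                if (k < 0)
                        return false;   /* a real caller would retry on EINTR */
                done += (size_t) k;
        }
        for (size_t i = 0; i < n; i++)
                ret[i] = salt_alphabet[raw[i] & 63];
        ret[n] = '\0';
        return true;
}

/* Build a setting string such as "$6$<16 salt chars>$" for crypt(3)/crypt_r(3). */
bool make_crypt_setting(const char *prefix, char *ret, size_t size) {
        char s[17];

        if (!prefix || !make_salt_chars(s, 16))
                return false;
        return snprintf(ret, size, "%s%s$", prefix, s) < (int) size;
}

/* Sanity check before handing a setting to crypt(): known prefix, 8..16 salt chars, closing '$'. */
bool crypt_setting_is_sane(const char *setting) {
        for (size_t i = 0; i < sizeof(allowed_prefixes) / sizeof(allowed_prefixes[0]); i++)
                if (strncmp(setting, allowed_prefixes[i], 3) == 0) {
                        const char *body = setting + 3;
                        size_t n = strspn(body, salt_alphabet);
                        return n >= 8 && n <= 16 && body[n] == '$' && body[n + 1] == '\0';
                }
        return false;
}

int main(void) {
        char setting[32];
        const char *prefix = crypt_prefix_from_env();

        if (!prefix) {
                fprintf(stderr, "unsupported $SYSTEMD_CRYPT_PREFIX\n");
                return 1;
        }
        if (make_crypt_setting(prefix, setting, sizeof setting))
                printf("setting: %s (sane=%d)\n", setting, crypt_setting_is_sane(setting));
        return 0;
}
```

Run it with SYSTEMD_CRYPT_PREFIX=$5$ to get a SHA-256 setting, or with an unsupported value to see the refusal path.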
* basic/user-util: properly protect use of gshadow | Yann E. MORIN | 2018-11-22 | 1 | -0/+2
  Commit 100d5f6ee6 (user-util: add new wrappers for [...] database files), amended by commit 4f07ffa8f5 (Use #if instead of #ifdef for ENABLE_GSHADOW) moved code from sysuser to basic/user-util.

  In doing so, the combination of both commits properly propagated the ENABLE_GSHADOW conditions around the function manipulating gshadow, but they forgot to protect the inclusion of the gshadow.h header.

  Fix that to be able to build on C libraries that do not provide gshadow (e.g. uClibc-ng, where it does not exist.)
* Rename USER_CREDS_SYNTHESIZE_FALLBACK to …_PREFER_NSS | Zbigniew Jędrzejewski-Szmek | 2018-08-20 | 1 | -3/+3
* user-util: rework get_user_creds() | Lennart Poettering | 2018-08-20 | 1 | -3/+8
  Let's fold get_user_creds_clean() into get_user_creds(), and introduce a flags argument for it to select "clean" behaviour. This flags parameter also learns two other new flags:

  - USER_CREDS_SYNTHESIZE_FALLBACK: in this mode the user records for root/nobody are only synthesized as fallback. Normally, the synthesized records take precedence over what is in the user database. With this flag set this is reversed, and the user database takes precedence, and the synthesized records are only used if they are missing there. This flag should be set in cases where doing NSS is deemed safe, and where there's interest in knowing the correct shell, for example if the admin changed root's shell to zsh or suchlike.

  - USER_CREDS_ALLOW_MISSING: if set, and a UID/GID is specified by numeric value, and there's no user/group record for it accept it anyway. This allows us to fix #9767

  This then also ports all users to set the most appropriate flags.

  Fixes: #9767

  [zj: remove one isempty() call]
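The precedence rules from that commit message, as an added example that is not the project's get_user_creds(): synthesized root/nobody records win unless the caller opts into the database first, a numeric UID without a record is accepted only with the "allow missing" flag, and "clean" mode drops a home of "/" and nologin shells. The flag values, the record contents, the nologin list and the in-memory table standing in for NSS (constructed so the example runs offline) are all assumptions for the demo.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

typedef enum {
        USER_CREDS_PREFER_NSS    = 1 << 0,  /* database first, synthesize only as fallback */
        USER_CREDS_ALLOW_MISSING = 1 << 1,  /* accept a numeric UID that has no record */
        USER_CREDS_CLEAN         = 1 << 2,  /* NULL out home "/" and nologin shells */
} UserCredsFlags;

typedef struct {
        const char *name;
        uid_t uid;
        gid_t gid;
        const char *home;
        const char *shell;
} UserRecord;

/* Constructed stand-in for getpwnam_r()/getpwuid_r(): the admin moved root to zsh. */
static const UserRecord fake_nss[] = {
        { "root",   0,    0,    "/root",       "/bin/zsh"          },
        { "alice",  1000, 1000, "/home/alice", "/bin/bash"         },
        { "daemon", 2,    2,    "/",           "/usr/sbin/nologin" },
};

static bool nss_lookup(const char *name, uid_t uid, UserRecord *ret) {
        for (size_t i = 0; i < sizeof(fake_nss) / sizeof(fake_nss[0]); i++)
                if (name ? strcmp(fake_nss[i].name, name) == 0 : fake_nss[i].uid == uid) {
                        *ret = fake_nss[i];
                        return true;
                }
        return false;
}

/* Records we can always answer for, even when NSS is unavailable or unsafe to call. */
static bool synthesize(const char *name, uid_t uid, UserRecord *ret) {
        if (name ? strcmp(name, "root") == 0 : uid == 0) {
                *ret = (UserRecord) { "root", 0, 0, "/root", "/bin/sh" };
                return true;
        }
        if (name ? strcmp(name, "nobody") == 0 : uid == 65534) {
                *ret = (UserRecord) { "nobody", 65534, 65534, "/", "/usr/sbin/nologin" };
                return true;
        }
        return false;
}

bool is_nologin_shell(const char *shell) {
        static const char *const nologin[] = { "/bin/false", "/usr/bin/false", "/bin/nologin",
                                               "/usr/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin" };
        for (size_t i = 0; i < sizeof(nologin) / sizeof(nologin[0]); i++)
                if (strcmp(shell, nologin[i]) == 0)
                        return true;
        return false;
}

/* Decimal UID only; 65535 and (uid_t) -1 are rejected as invalid UIDs. */
static bool parse_uid(const char *s, uid_t *ret) {
        char *end;
        unsigned long v;

        if (!s || s[0] == '\0' || strspn(s, "0123456789") != strlen(s))
                return false;
        errno = 0;
        v = strtoul(s, &end, 10);
        if (errno != 0 || *end != '\0' || v == 65535UL || v >= 4294967295UL)
                return false;
        *ret = (uid_t) v;
        return true;
}

/* Resolve a user name or numeric UID string to a record. Returns 0 or a negative errno. */
int get_user_creds(const char *user, unsigned flags, UserRecord *ret) {
        UserRecord r;
        uid_t uid = 0;
        bool numeric = parse_uid(user, &uid), found;
        const char *name = numeric ? NULL : user;

        if (!user)
                return -EINVAL;
        if (flags & USER_CREDS_PREFER_NSS)
                found = nss_lookup(name, uid, &r) || synthesize(name, uid, &r);
        else
                found = synthesize(name, uid, &r) || nss_lookup(name, uid, &r);

        if (!found) {
                if (!numeric || !(flags & USER_CREDS_ALLOW_MISSING))
                        return -ESRCH;
                r = (UserRecord) { NULL, uid, (gid_t) -1, NULL, NULL };  /* known UID, unknown everything else */
        }
        if (flags & USER_CREDS_CLEAN) {
                if (r.home && strcmp(r.home, "/") == 0)
                        r.home = NULL;
                if (r.shell && is_nologin_shell(r.shell))
                        r.shell = NULL;
        }
        *ret = r;
        return 0;
}
```

The default order is the safe one: a caller that is not sure NSS is safe to query at that point (PID 1 early in boot, say) still gets a usable root record without ever touching the database.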
* Use #if instead of #ifdef for ENABLE_GSHADOW | ChenQi1989 | 2018-06-29 | 1 | -1/+1
  ENABLE_GSHADOW is defined to be 0 or 1. So #if should be used instead of #ifdef.
* tree-wide: remove Lennart's copyright lines | Lennart Poettering | 2018-06-14 | 1 | -4/+0
  These lines are generally out-of-date, incomplete and unnecessary. With SPDX and git repository much more accurate and fine grained information about licensing and authorship is available, hence let's drop the per-file copyright notice. Of course, removing copyright lines of others is problematic, hence this commit only removes my own lines and leaves all others untouched. It might be nicer if sooner or later those could go away too, making git the only and accurate source of authorship information.
* tree-wide: drop 'This file is part of systemd' blurb | Lennart Poettering | 2018-06-14 | 1 | -2/+0
  This part of the copyright blurb stems from the GPL use recommendations: https://www.gnu.org/licenses/gpl-howto.en.html

  The concept appears to originate in times where version control was per file, instead of per tree, and was a way to glue the files together.

  Ultimately, we nowadays don't live in that world anymore, and this information is entirely useless anyway, as people are very welcome to copy these files into any projects they like, and they shouldn't have to change bits that are part of our copyright header for that.

  hence, let's just get rid of this old cruft, and shorten our codebase a bit.
* tree-wide: drop license boilerplate | Zbigniew Jędrzejewski-Szmek | 2018-04-06 | 1 | -13/+0
  Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt.

  I also kept any copyright lines. We can probably remove them, but it'd nice to obtain explicit acks from all involved authors before doing that.
* user-util: add new wrappers for reading/writing {passwd,shadow,gshadow} database files (#8521) | Franck Bui | 2018-03-21 | 1 | -0/+15
  The API provided by the glibc is too error-prone as one has to deal directly with errno in order to detect if errors occurred.

  Suggested by Zbigniew.
* sysusers: allow the shell to be specified | Zbigniew Jędrzejewski-Szmek | 2018-02-02 | 1 | -0/+9
  This is necessary for some system users where the "login shell" is set to a specific binary.
* sysusers: emit a bit more info at debug level when locking fails | Zbigniew Jędrzejewski-Szmek | 2018-02-02 | 1 | -0/+2
  This is the first error message when running unprivileged, and the message is unspecific, so let's at least add some logging at debug level to make this less confusing.
* nss-systemd,user-util: add a way how synthesizing "nobody" can be turned off | Lennart Poettering | 2018-01-10 | 1 | -0/+2
  This is quite ugly, but provides us with an avenue for moving distributions to define the "nobody" user properly without breaking legacy systems that use the name for other stuff.

  The idea is basically, that the distribution adopts the new definition of "nobody" (and thus recompiles systemd with it) and then touches /etc/systemd/dont-synthesize-nobody on legacy systems to turn off possibly conflicting synthesizing of the nobody name by systemd.
* user-util: add UID_NOBODY defines that resolve to (uid_t) 65534 | Lennart Poettering | 2017-12-06 | 1 | -0/+3
  We use it all over the place, let's add a #define for it. Makes things easier greppable, and more explanatory I think.
* nss-systemd: tweak checks when we consult PID 1 for dynamic UID/GID lookups | Lennart Poettering | 2017-12-06 | 1 | -0/+4
  Instead of contacting PID 1 for dynamic UID/GID lookups for all UIDs/GIDs that do not qualify as "system" do the more precise check instead: check if they actually qualify for the "dynamic" range.
* user-util: add new uid_is_system() helper | Lennart Poettering | 2017-12-06 | 1 | -0/+8
  This adds uid_is_system() and gid_is_system(), similar in style to uid_is_dynamic().

  That a helper like this is useful is illustrated by the fact that test-condition.c didn't get the check right so far, which this patch fixes.
* build-sys: make the dynamic UID range, and the container UID range configurable | Lennart Poettering | 2017-12-06 | 1 | -7/+0
  Also, export these ranges in our pkg-config files.
* Add SPDX license identifiers to source files under the LGPL | Zbigniew Jędrzejewski-Szmek | 2017-11-19 | 1 | -0/+1
  This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
* core: do not fail in a container if we can't use setgroups | Giuseppe Scrivano | 2016-10-06 | 1 | -0/+2
  It might be blocked through /proc/PID/setgroups
* execute: move suppression of HOME=/ and SHELL=/bin/nologin into user-util.c | Lennart Poettering | 2016-09-25 | 1 | -0/+1
  This adds a new call get_user_creds_clean(), which is just like get_user_creds() but returns NULL in the home/shell parameters if they contain no useful information.

  This code previously lived in execute.c, but by generalizing this we can reuse it in run.c.
* journald: do not create split journals for dynamic users | Zbigniew Jędrzejewski-Szmek | 2016-08-18 | 1 | -2/+14
  Dynamic users should be treated like system users, and their logs should end up in the main system journal.
* sysusers: move various user credential validity checks to src/basic/ | Lennart Poettering | 2016-07-22 | 1 | -0/+5
  This way we can reuse them for validating User=/Group= settings in unit files (to be added in a later commit).

  Also, add some tests for them.
* nspawn: make -U a tiny bit smarter | Lennart Poettering | 2016-04-25 | 1 | -0/+5
  With this change -U will turn on user namespacing only if the kernel actually supports it and otherwise gracefully degrade to non-userns mode.
* tree-wide: remove Emacs lines from all files | Daniel Mack | 2016-02-10 | 1 | -2/+0
  This should be handled fine now by .dir-locals.el, so no need to carry that stuff in every file.
* tree-wide: sort includes in *.h | Thomas Hindoe Paaboel Andersen | 2015-11-18 | 1 | -1/+1
  This is a continuation of the previous include sort patch, which only sorted for .c files.
* user-util: move UID/GID related macros from macro.h to user-util.h | Lennart Poettering | 2015-10-27 | 1 | -0/+11
* util-lib: move take_password_lock() to user-util.[ch] | Lennart Poettering | 2015-10-27 | 1 | -0/+2
  Also, rename it take_etc_passwd_lock(), in order to make it more expressive.
* util: remove lookup_uid(), replace by uid_to_name() | Lennart Poettering | 2015-10-26 | 1 | -1/+0
  So far we had two pretty much identical calls in user-util.[ch]: lookup_uid() and uid_to_name(). Get rid of the former, in favour of the latter, and while we are at it, rewrite it, to use getpwuid_r() correctly, inside an allocation loop, as POSIX intended.