]> git.proxmox.com Git - systemd.git/blob - src/nspawn/nspawn-setuid.c
Enable seccomp support on powerpc, ppc64el, and s390x
[systemd.git] / src / nspawn / nspawn-setuid.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2015 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <grp.h>
23 #include <sys/types.h>
24 #include <unistd.h>
25
26 #include "alloc-util.h"
27 #include "fd-util.h"
28 #include "mkdir.h"
29 #include "nspawn-setuid.h"
30 #include "process-util.h"
31 #include "signal-util.h"
32 #include "string-util.h"
33 #include "user-util.h"
34 #include "util.h"
35
36 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
37 int pipe_fds[2];
38 pid_t pid;
39
40 assert(database);
41 assert(key);
42 assert(rpid);
43
44 if (pipe2(pipe_fds, O_CLOEXEC) < 0)
45 return log_error_errno(errno, "Failed to allocate pipe: %m");
46
47 pid = fork();
48 if (pid < 0)
49 return log_error_errno(errno, "Failed to fork getent child: %m");
50 else if (pid == 0) {
51 int nullfd;
52 char *empty_env = NULL;
53
54 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
55 _exit(EXIT_FAILURE);
56
57 if (pipe_fds[0] > 2)
58 safe_close(pipe_fds[0]);
59 if (pipe_fds[1] > 2)
60 safe_close(pipe_fds[1]);
61
62 nullfd = open("/dev/null", O_RDWR);
63 if (nullfd < 0)
64 _exit(EXIT_FAILURE);
65
66 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
67 _exit(EXIT_FAILURE);
68
69 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
70 _exit(EXIT_FAILURE);
71
72 if (nullfd > 2)
73 safe_close(nullfd);
74
75 (void) reset_all_signal_handlers();
76 (void) reset_signal_mask();
77 close_all_fds(NULL, 0);
78
79 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
80 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
81 _exit(EXIT_FAILURE);
82 }
83
84 pipe_fds[1] = safe_close(pipe_fds[1]);
85
86 *rpid = pid;
87
88 return pipe_fds[0];
89 }
90
91 int change_uid_gid(const char *user, char **_home) {
92 char line[LINE_MAX], *x, *u, *g, *h;
93 const char *word, *state;
94 _cleanup_free_ uid_t *uids = NULL;
95 _cleanup_free_ char *home = NULL;
96 _cleanup_fclose_ FILE *f = NULL;
97 _cleanup_close_ int fd = -1;
98 unsigned n_uids = 0;
99 size_t sz = 0, l;
100 uid_t uid;
101 gid_t gid;
102 pid_t pid;
103 int r;
104
105 assert(_home);
106
107 if (!user || streq(user, "root") || streq(user, "0")) {
108 /* Reset everything fully to 0, just in case */
109
110 r = reset_uid_gid();
111 if (r < 0)
112 return log_error_errno(r, "Failed to become root: %m");
113
114 *_home = NULL;
115 return 0;
116 }
117
118 /* First, get user credentials */
119 fd = spawn_getent("passwd", user, &pid);
120 if (fd < 0)
121 return fd;
122
123 f = fdopen(fd, "r");
124 if (!f)
125 return log_oom();
126 fd = -1;
127
128 if (!fgets(line, sizeof(line), f)) {
129
130 if (!ferror(f)) {
131 log_error("Failed to resolve user %s.", user);
132 return -ESRCH;
133 }
134
135 log_error_errno(errno, "Failed to read from getent: %m");
136 return -errno;
137 }
138
139 truncate_nl(line);
140
141 wait_for_terminate_and_warn("getent passwd", pid, true);
142
143 x = strchr(line, ':');
144 if (!x) {
145 log_error("/etc/passwd entry has invalid user field.");
146 return -EIO;
147 }
148
149 u = strchr(x+1, ':');
150 if (!u) {
151 log_error("/etc/passwd entry has invalid password field.");
152 return -EIO;
153 }
154
155 u++;
156 g = strchr(u, ':');
157 if (!g) {
158 log_error("/etc/passwd entry has invalid UID field.");
159 return -EIO;
160 }
161
162 *g = 0;
163 g++;
164 x = strchr(g, ':');
165 if (!x) {
166 log_error("/etc/passwd entry has invalid GID field.");
167 return -EIO;
168 }
169
170 *x = 0;
171 h = strchr(x+1, ':');
172 if (!h) {
173 log_error("/etc/passwd entry has invalid GECOS field.");
174 return -EIO;
175 }
176
177 h++;
178 x = strchr(h, ':');
179 if (!x) {
180 log_error("/etc/passwd entry has invalid home directory field.");
181 return -EIO;
182 }
183
184 *x = 0;
185
186 r = parse_uid(u, &uid);
187 if (r < 0) {
188 log_error("Failed to parse UID of user.");
189 return -EIO;
190 }
191
192 r = parse_gid(g, &gid);
193 if (r < 0) {
194 log_error("Failed to parse GID of user.");
195 return -EIO;
196 }
197
198 home = strdup(h);
199 if (!home)
200 return log_oom();
201
202 /* Second, get group memberships */
203 fd = spawn_getent("initgroups", user, &pid);
204 if (fd < 0)
205 return fd;
206
207 fclose(f);
208 f = fdopen(fd, "r");
209 if (!f)
210 return log_oom();
211 fd = -1;
212
213 if (!fgets(line, sizeof(line), f)) {
214 if (!ferror(f)) {
215 log_error("Failed to resolve user %s.", user);
216 return -ESRCH;
217 }
218
219 log_error_errno(errno, "Failed to read from getent: %m");
220 return -errno;
221 }
222
223 truncate_nl(line);
224
225 wait_for_terminate_and_warn("getent initgroups", pid, true);
226
227 /* Skip over the username and subsequent separator whitespace */
228 x = line;
229 x += strcspn(x, WHITESPACE);
230 x += strspn(x, WHITESPACE);
231
232 FOREACH_WORD(word, l, x, state) {
233 char c[l+1];
234
235 memcpy(c, word, l);
236 c[l] = 0;
237
238 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
239 return log_oom();
240
241 r = parse_uid(c, &uids[n_uids++]);
242 if (r < 0) {
243 log_error("Failed to parse group data from getent.");
244 return -EIO;
245 }
246 }
247
248 r = mkdir_parents(home, 0775);
249 if (r < 0)
250 return log_error_errno(r, "Failed to make home root directory: %m");
251
252 r = mkdir_safe(home, 0755, uid, gid);
253 if (r < 0 && r != -EEXIST)
254 return log_error_errno(r, "Failed to make home directory: %m");
255
256 (void) fchown(STDIN_FILENO, uid, gid);
257 (void) fchown(STDOUT_FILENO, uid, gid);
258 (void) fchown(STDERR_FILENO, uid, gid);
259
260 if (setgroups(n_uids, uids) < 0)
261 return log_error_errno(errno, "Failed to set auxiliary groups: %m");
262
263 if (setresgid(gid, gid, gid) < 0)
264 return log_error_errno(errno, "setregid() failed: %m");
265
266 if (setresuid(uid, uid, uid) < 0)
267 return log_error_errno(errno, "setreuid() failed: %m");
268
269 if (_home) {
270 *_home = home;
271 home = NULL;
272 }
273
274 return 0;
275 }