1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2 #pragma once
3
4 #include <grp.h>
5 #if ENABLE_GSHADOW
6 # include <gshadow.h>
7 #endif
8 #include <pwd.h>
9 #include <shadow.h>
10 #include <stdbool.h>
11 #include <stdint.h>
12 #include <sys/types.h>
13 #include <unistd.h>
14
15 /* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
16 #define HOME_UID_MIN 60001
17 #define HOME_UID_MAX 60513
18
19 /* Users mapped from host into a container */
20 #define MAP_UID_MIN 60514
21 #define MAP_UID_MAX 60577
22
23 bool uid_is_valid(uid_t uid);
24
gid_is_valid(gid_t gid)25 static inline bool gid_is_valid(gid_t gid) {
26 return uid_is_valid((uid_t) gid);
27 }
28
29 int parse_uid(const char *s, uid_t* ret_uid);
30 int parse_uid_range(const char *s, uid_t *ret_lower, uid_t *ret_upper);
31
parse_gid(const char * s,gid_t * ret_gid)32 static inline int parse_gid(const char *s, gid_t *ret_gid) {
33 return parse_uid(s, (uid_t*) ret_gid);
34 }
35
36 char* getlogname_malloc(void);
37 char* getusername_malloc(void);
38
39 typedef enum UserCredsFlags {
40 USER_CREDS_PREFER_NSS = 1 << 0, /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
41 USER_CREDS_ALLOW_MISSING = 1 << 1, /* if a numeric UID string is resolved, be OK if there's no record for it */
42 USER_CREDS_CLEAN = 1 << 2, /* try to clean up shell and home fields with invalid data */
43 } UserCredsFlags;
44
45 int get_user_creds(const char **username, uid_t *uid, gid_t *gid, const char **home, const char **shell, UserCredsFlags flags);
46 int get_group_creds(const char **groupname, gid_t *gid, UserCredsFlags flags);
47
48 char* uid_to_name(uid_t uid);
49 char* gid_to_name(gid_t gid);
50
51 int in_gid(gid_t gid);
52 int in_group(const char *name);
53
54 int merge_gid_lists(const gid_t *list1, size_t size1, const gid_t *list2, size_t size2, gid_t **result);
55 int getgroups_alloc(gid_t** gids);
56
57 int get_home_dir(char **ret);
58 int get_shell(char **_ret);
59
60 int reset_uid_gid(void);
61
62 int take_etc_passwd_lock(const char *root);
63
64 #define UID_INVALID ((uid_t) -1)
65 #define GID_INVALID ((gid_t) -1)
66
67 #define UID_NOBODY ((uid_t) 65534U)
68 #define GID_NOBODY ((gid_t) 65534U)
69
70 /* If REMOUNT_IDMAP_HOST_ROOT is set for remount_idmap() we'll include a mapping here that maps the host root
71 * user accessing the idmapped mount to the this user ID on the backing fs. This is the last valid UID in the
72 * *signed* 32bit range. You might wonder why precisely use this specific UID for this purpose? Well, we
73 * definitely cannot use the first 0…65536 UIDs for that, since in most cases that's precisely the file range
74 * we intend to map to some high UID range, and since UID mappings have to be bijective we thus cannot use
75 * them at all. Furthermore the UID range beyond INT32_MAX (i.e. the range above the signed 32bit range) is
76 * icky, since many APIs cannot use it (example: setfsuid() returns the old UID as signed integer). Following
77 * our usual logic of assigning a 16bit UID range to each container, so that the upper 16bit of a 32bit UID
78 * value indicate kind of a "container ID" and the lower 16bit map directly to the intended user you can read
79 * this specific UID as the "nobody" user of the container with ID 0x7FFF, which is kinda nice. */
80 #define UID_MAPPED_ROOT ((uid_t) (INT32_MAX-1))
81 #define GID_MAPPED_ROOT ((gid_t) (INT32_MAX-1))
82
83 #define ETC_PASSWD_LOCK_PATH "/etc/.pwd.lock"
84
85 /* The following macros add 1 when converting things, since UID 0 is a valid UID, while the pointer
86 * NULL is special */
87 #define PTR_TO_UID(p) ((uid_t) (((uintptr_t) (p))-1))
88 #define UID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
89
90 #define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
91 #define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
92
userns_supported(void)93 static inline bool userns_supported(void) {
94 return access("/proc/self/uid_map", F_OK) >= 0;
95 }
96
97 typedef enum ValidUserFlags {
98 VALID_USER_RELAX = 1 << 0,
99 VALID_USER_WARN = 1 << 1,
100 VALID_USER_ALLOW_NUMERIC = 1 << 2,
101 } ValidUserFlags;
102
103 bool valid_user_group_name(const char *u, ValidUserFlags flags);
104 bool valid_gecos(const char *d);
105 char *mangle_gecos(const char *d);
106 bool valid_home(const char *p);
107
valid_shell(const char * p)108 static inline bool valid_shell(const char *p) {
109 /* We have the same requirements, so just piggy-back on the home check.
110 *
111 * Let's ignore /etc/shells because this is only applicable to real and
112 * not system users. It is also incompatible with the idea of empty /etc.
113 */
114 return valid_home(p);
115 }
116
117 int maybe_setgroups(size_t size, const gid_t *list);
118
119 bool synthesize_nobody(void);
120
121 int fgetpwent_sane(FILE *stream, struct passwd **pw);
122 int fgetspent_sane(FILE *stream, struct spwd **sp);
123 int fgetgrent_sane(FILE *stream, struct group **gr);
124 int putpwent_sane(const struct passwd *pw, FILE *stream);
125 int putspent_sane(const struct spwd *sp, FILE *stream);
126 int putgrent_sane(const struct group *gr, FILE *stream);
127 #if ENABLE_GSHADOW
128 int fgetsgent_sane(FILE *stream, struct sgrp **sg);
129 int putsgent_sane(const struct sgrp *sg, FILE *stream);
130 #endif
131
132 bool is_nologin_shell(const char *shell);
133
134 int is_this_me(const char *username);
135
136 const char *get_home_root(void);
137
hashed_password_is_locked_or_invalid(const char * password)138 static inline bool hashed_password_is_locked_or_invalid(const char *password) {
139 return password && password[0] != '$';
140 }
141
142 /* A locked *and* invalid password for "struct spwd"'s .sp_pwdp and "struct passwd"'s .pw_passwd field */
143 #define PASSWORD_LOCKED_AND_INVALID "!*"
144
145 /* A password indicating "look in shadow file, please!" for "struct passwd"'s .pw_passwd */
146 #define PASSWORD_SEE_SHADOW "x"
147
148 /* A password indicating "hey, no password required for login" */
149 #define PASSWORD_NONE ""
150