picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

core: add a concept of "dynamic" user ids, that are allocated as long as a service is running 

This adds a new boolean setting DynamicUser= to service files. If set, a new
user will be allocated dynamically when the unit is started, and released when
it is stopped. The user ID is allocated from the range 61184..65519. The user
will not be added to /etc/passwd (but an NSS module to be added later should
make it show up in getent passwd).

For now, care should be taken that the service writes no files to disk, since
this might result in files owned by UIDs that might get assigned dynamically to
a different service later on. Later patches will tighten sandboxing in order to
ensure that this cannot happen, except for a few selected directories.

A simple way to test this is:

        systemd-run -p DynamicUser=1 /bin/sleep 99999
This commit is contained in:
Lennart Poettering 2016-07-14 12:37:28 +02:00
parent 66dccd8d85
commit 29206d4619
26 changed files with 1166 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile.am
View File

@ -1197,6 +1197,8 @@ libcore_la_SOURCES = \
src/core/load-dropin.h \
src/core/execute.c \
src/core/execute.h \
src/core/dynamic-user.c \
src/core/dynamic-user.h \
src/core/kill.c \
src/core/kill.h \
src/core/dbus.c \

36
man/systemd.exec.xml
View File

@ -143,10 +143,38 @@
<term><varname>User=</varname></term>
<term><varname>Group=</varname></term>
<listitem><para>Sets the Unix user or group that the processes
are executed as, respectively. Takes a single user or group
name or ID as argument. If no group is set, the default group
of the user is chosen. These do not affect commands prefixed with <literal>!</literal>.</para></listitem>
<listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single
user or group name, or numeric ID as argument. If no group is set, the default group of the user is used. This
setting does not affect commands whose command line is prefixed with <literal>!</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DynamicUser=</varname></term>
<listitem><para>Takes a boolean parameter. If set, a UNIX user and group pair is allocated dynamically when the
unit is started, and released as soon as it is stopped. The user and group will not be added to
<filename>/etc/passwd</filename> or <filename>/etc/group</filename>, but are managed transiently during
runtime. The <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
glibc NSS module provides integration of these dynamic users/groups into the system's user and group
databases. The user and group name to use may be configured via <varname>User=</varname> and
<varname>Group=</varname> (see above). If these options are not used and dynamic user/group allocation is
enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit
name without the type suffix qualifies as valid user name it is used directly, otherwise a name incorporating a
hash of it is used. If a statically allocated user or group of the configured name already exists, it is used
and no dynamic user/group is allocated. Dynamic users/groups are allocated from the UID/GID range
61184…65519. It is recommended to avoid this range for regular system or login users. At any point in time
each UID/GID from this range is only assigned to zero or one dynamically allocated users/groups in
use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running
as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these
users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to
these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>PrivateTmp=</varname> is
implied. This ensures that the lifetime of temporary files created by the executed processes is bound to the
runtime of the service, and hence the lifetime of the dynamic user/group. Since <filename>/tmp</filename> and
<filename>/var/tmp</filename> are usually the only world-writable directories on a system this ensures that a
unit making use of dynamic user/group allocation cannot leave files around after unit termination. Use
<varname>RuntimeDirectory=</varname> (see below) in order to assign a writable runtime directory to a service,
owned by the dynamic user/group and removed automatically when the unit is terminated. Defaults to
off.</para></listitem>
</varlistentry>
<varlistentry>

14
src/basic/socket-util.c
View File

@ -1046,3 +1046,17 @@ int flush_accept(int fd) {
close(cfd);
}
}
struct cmsghdr* cmsg_find(struct msghdr *mh, int level, int type, socklen_t length) {
struct cmsghdr *cmsg;
assert(mh);
CMSG_FOREACH(cmsg, mh)
if (cmsg->cmsg_level == level &&
cmsg->cmsg_type == type &&
(length == (socklen_t) -1 || length == cmsg->cmsg_len))
return cmsg;
return NULL;
}

2
src/basic/socket-util.h
View File

@ -142,6 +142,8 @@ int flush_accept(int fd);
#define CMSG_FOREACH(cmsg, mh) \
for ((cmsg) = CMSG_FIRSTHDR(mh); (cmsg); (cmsg) = CMSG_NXTHDR((mh), (cmsg)))
struct cmsghdr* cmsg_find(struct msghdr *mh, int level, int type, socklen_t length);
/* Covers only file system and abstract AF_UNIX socket addresses, but not unnamed socket addresses. */
#define SOCKADDR_UN_LEN(sa) \
({ \

6
src/core/dbus-execute.c
View File

@ -693,6 +693,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("AmbientCapabilities", "t", property_get_ambient_capabilities, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("DynamicUser", "b", bus_property_get_bool, offsetof(ExecContext, dynamic_user), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SupplementaryGroups", "as", NULL, offsetof(ExecContext, supplementary_groups), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("PAMName", "s", NULL, offsetof(ExecContext, pam_name), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ReadWriteDirectories", "as", NULL, offsetof(ExecContext, read_write_paths), SD_BUS_VTABLE_PROPERTY_CONST|SD_BUS_VTABLE_HIDDEN),
@ -1061,7 +1062,8 @@ int bus_exec_context_set_transient_property(
} else if (STR_IN_SET(name,
"IgnoreSIGPIPE", "TTYVHangup", "TTYReset",
"PrivateTmp", "PrivateDevices", "PrivateNetwork",
"NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", "RestrictRealtime")) {
"NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute",
"RestrictRealtime", "DynamicUser")) {
int b;
r = sd_bus_message_read(message, "b", &b);
@ -1089,6 +1091,8 @@ int bus_exec_context_set_transient_property(
c->memory_deny_write_execute = b;
else if (streq(name, "RestrictRealtime"))
c->restrict_realtime = b;
else if (streq(name, "DynamicUser"))
c->dynamic_user = b;
unit_write_drop_in_private_format(u, mode, name, "%s=%s", name, yes_no(b));
}

60
src/core/dbus-manager.c
View File

@ -43,6 +43,7 @@
#include "string-util.h"
#include "strv.h"
#include "syslog-util.h"
#include "user-util.h"
#include "virt.h"
#include "watchdog.h"
@ -1511,8 +1512,8 @@ static int method_unset_and_set_environment(sd_bus_message *message, void *userd
}
static int method_set_exit_code(sd_bus_message *message, void *userdata, sd_bus_error *error) {
uint8_t code;
Manager *m = userdata;
uint8_t code;
int r;
assert(message);
@ -1534,6 +1535,61 @@ static int method_set_exit_code(sd_bus_message *message, void *userdata, sd_bus_
return sd_bus_reply_method_return(message, NULL);
}
static int method_lookup_dynamic_user_by_name(sd_bus_message *message, void *userdata, sd_bus_error *error) {
Manager *m = userdata;
const char *name;
uid_t uid;
int r;
assert(message);
assert(m);
r = sd_bus_message_read_basic(message, 's', &name);
if (r < 0)
return r;
if (!MANAGER_IS_SYSTEM(m))
return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Dynamic users are only supported in the system instance.");
if (!valid_user_group_name(name))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "User name invalid: %s", name);
r = dynamic_user_lookup_name(m, name, &uid);
if (r == -ESRCH)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_DYNAMIC_USER, "Dynamic user %s does not exist.", name);
if (r < 0)
return r;
return sd_bus_reply_method_return(message, "u", (uint32_t) uid);
}
static int method_lookup_dynamic_user_by_uid(sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_free_ char *name = NULL;
Manager *m = userdata;
uid_t uid;
int r;
assert(message);
assert(m);
assert_cc(sizeof(uid) == sizeof(uint32_t));
r = sd_bus_message_read_basic(message, 'u', &uid);
if (r < 0)
return r;
if (!MANAGER_IS_SYSTEM(m))
return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Dynamic users are only supported in the system instance.");
if (!uid_is_valid(uid))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "User ID invalid: " UID_FMT, uid);
r = dynamic_user_lookup_uid(m, uid, &name);
if (r == -ESRCH)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_DYNAMIC_USER, "Dynamic user ID " UID_FMT " does not exist.", uid);
if (r < 0)
return r;
return sd_bus_reply_method_return(message, "s", name);
}
static int list_unit_files_by_patterns(sd_bus_message *message, void *userdata, sd_bus_error *error, char **states, char **patterns) {
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
Manager *m = userdata;
@ -2199,6 +2255,8 @@ const sd_bus_vtable bus_manager_vtable[] = {
SD_BUS_METHOD("PresetAllUnitFiles", "sbb", "a(sss)", method_preset_all_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("AddDependencyUnitFiles", "asssbb", "a(sss)", method_add_dependency_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("SetExitCode", "y", NULL, method_set_exit_code, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("LookupDynamicUserByName", "s", "u", method_lookup_dynamic_user_by_name, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("LookupDynamicUserByUID", "u", "s", method_lookup_dynamic_user_by_uid, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_SIGNAL("UnitNew", "so", 0),
SD_BUS_SIGNAL("UnitRemoved", "so", 0),

763
src/core/dynamic-user.c Normal file
View File

@ -0,0 +1,763 @@
/***
This file is part of systemd.
Copyright 2016 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <grp.h>
#include <pwd.h>
#include <sys/file.h>
#include "dynamic-user.h"
#include "fd-util.h"
#include "fs-util.h"
#include "parse-util.h"
#include "random-util.h"
#include "stdio-util.h"
#include "string-util.h"
#include "user-util.h"
#include "fileio.h"
/* Let's pick a UIDs within the 16bit range, so that we are compatible with containers using 16bit user namespacing. At
* least on Fedora normal users are allocated until UID 60000, hence do not allocate from below this. Also stay away
* from the upper end of the range as that is often used for overflow/nobody users. */
#define UID_PICK_MIN ((uid_t) UINT32_C(0x0000EF00))
#define UID_PICK_MAX ((uid_t) UINT32_C(0x0000FFEF))
/* Takes a value generated randomly or by hashing and turns it into a UID in the right range */
#define UID_CLAMP_INTO_RANGE(rnd) (((uid_t) (rnd) % (UID_PICK_MAX - UID_PICK_MIN + 1)) + UID_PICK_MIN)
static DynamicUser* dynamic_user_free(DynamicUser *d) {
if (!d)
return NULL;
if (d->manager)
(void) hashmap_remove(d->manager->dynamic_users, d->name);
safe_close_pair(d->storage_socket);
free(d);
return NULL;
}
static int dynamic_user_add(Manager *m, const char *name, int storage_socket[2], DynamicUser **ret) {
DynamicUser *d = NULL;
int r;
assert(m);
assert(name);
assert(storage_socket);
r = hashmap_ensure_allocated(&m->dynamic_users, &string_hash_ops);
if (r < 0)
return r;
d = malloc0(offsetof(DynamicUser, name) + strlen(name) + 1);
if (!d)
return -ENOMEM;
strcpy(d->name, name);
d->storage_socket[0] = storage_socket[0];
d->storage_socket[1] = storage_socket[1];
r = hashmap_put(m->dynamic_users, d->name, d);
if (r < 0) {
free(d);
return r;
}
d->manager = m;
if (ret)
*ret = d;
return 0;
}
int dynamic_user_acquire(Manager *m, const char *name, DynamicUser** ret) {
_cleanup_close_pair_ int storage_socket[2] = { -1, -1 };
DynamicUser *d;
int r;
assert(m);
assert(name);
/* Return the DynamicUser structure for a specific user name. Note that this won't actually allocate a UID for
* it, but just prepare the data structure for it. The UID is allocated only on demand, when it's really
* needed, and in the child process we fork off, since allocation involves NSS checks which are not OK to do
* from PID 1. To allow the children and PID 1 share information about allocated UIDs we use an anonymous
* AF_UNIX/SOCK_DGRAM socket (called the "storage socket") that contains at most one datagram with the
* allocated UID number, plus an fd referencing the lock file for the UID
* (i.e. /run/systemd/dynamic-uid/$UID). Why involve the socket pair? So that PID 1 and all its children can
* share the same storage for the UID and lock fd, simply by inheriting the storage socket fds. The socket pair
* may exist in three different states:
*
* a) no datagram stored. This is the initial state. In this case the dynamic user was never realized.
*
* b) a datagram containing a UID stored, but no lock fd attached to it. In this case there was already a
* statically assigned UID by the same name, which we are reusing.
*
* c) a datagram containing a UID stored, and a lock fd is attached to it. In this case we allocated a dynamic
* UID and locked it in the file system, using the lock fd.
*
* As PID 1 and various children might access the socket pair simultaneously, and pop the datagram or push it
* back in any time, we also maintain a lock on the socket pair. Note one peculiarity regarding locking here:
* the UID lock on disk is protected via a BSD file lock (i.e. an fd-bound lock), so that the lock is kept in
* place as long as there's a reference to the fd open. The lock on the storage socket pair however is a POSIX
* file lock (i.e. a process-bound lock), as all users share the same fd of this (after all it is anonymous,
* nobody else could get any access to it except via our own fd) and we want to synchronize access between all
* processes that have access to it. */
d = hashmap_get(m->dynamic_users, name);
if (d) {
/* We already have a structure for the dynamic user, let's increase the ref count and reuse it */
d->n_ref++;
*ret = d;
return 0;
}
if (!valid_user_group_name_or_id(name))
return -EINVAL;
if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, storage_socket) < 0)
return -errno;
r = dynamic_user_add(m, name, storage_socket, &d);
if (r < 0)
return r;
storage_socket[0] = storage_socket[1] = -1;
if (ret) {
d->n_ref++;
*ret = d;
}
return 1;
}
static int pick_uid(const char *name, uid_t *ret_uid) {
static const uint8_t hash_key[] = {
0x37, 0x53, 0x7e, 0x31, 0xcf, 0xce, 0x48, 0xf5,
0x8a, 0xbb, 0x39, 0x57, 0x8d, 0xd9, 0xec, 0x59
};
unsigned n_tries = 100;
uid_t candidate;
int r;
/* A static user by this name does not exist yet. Let's find a free ID then, and use that. We start with a UID
* generated as hash from the user name. */
candidate = UID_CLAMP_INTO_RANGE(siphash24(name, strlen(name), hash_key));
(void) mkdir("/run/systemd/dynamic-uid", 0755);
for (;;) {
char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1];
_cleanup_close_ int lock_fd = -1;
ssize_t l;
if (--n_tries <= 0) /* Give up retrying eventually */
return -EBUSY;
if (candidate < UID_PICK_MIN || candidate > UID_PICK_MAX)
goto next;
xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, candidate);
for (;;) {
struct stat st;
lock_fd = open(lock_path, O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, 0600);
if (lock_fd < 0)
return -errno;
r = flock(lock_fd, LOCK_EX|LOCK_NB); /* Try to get a BSD file lock on the UID lock file */
if (r < 0) {
if (errno == EBUSY || errno == EAGAIN)
goto next; /* already in use */
return -errno;
}
if (fstat(lock_fd, &st) < 0)
return -errno;
if (st.st_nlink > 0)
break;
/* Oh, bummer, we got got the lock, but the file was unlinked between the time we opened it and
* got the lock. Close it, and try again. */
lock_fd = safe_close(lock_fd);
}
/* Some superficial check whether this UID/GID might already be taken by some static user */
if (getpwuid(candidate) || getgrgid((gid_t) candidate)) {
(void) unlink(lock_path);
goto next;
}
/* Let's store the user name in the lock file, so that we can use it for looking up the username for a UID */
l = pwritev(lock_fd,
(struct iovec[2]) {
{ .iov_base = (char*) name, .iov_len = strlen(name) },
{ .iov_base = (char[1]) { '\n' }, .iov_len = 1 }
}, 2, 0);
if (l < 0) {
(void) unlink(lock_path);
return -errno;
}
(void) ftruncate(lock_fd, l);
*ret_uid = candidate;
r = lock_fd;
lock_fd = -1;
return r;
next:
/* Pick another random UID, and see if that works for us. */
random_bytes(&candidate, sizeof(candidate));
candidate = UID_CLAMP_INTO_RANGE(candidate);
}
}
static int dynamic_user_pop(DynamicUser *d, uid_t *ret_uid, int *ret_lock_fd) {
uid_t uid = UID_INVALID;
struct iovec iov = {
.iov_base = &uid,
.iov_len = sizeof(uid),
};
union {
struct cmsghdr cmsghdr;
uint8_t buf[CMSG_SPACE(sizeof(int))];
} control = {};
struct msghdr mh = {
.msg_control = &control,
.msg_controllen = sizeof(control),
.msg_iov = &iov,
.msg_iovlen = 1,
};
struct cmsghdr *cmsg;
ssize_t k;
int lock_fd = -1;
assert(d);
assert(ret_uid);
assert(ret_lock_fd);
/* Read the UID and lock fd that is stored in the storage AF_UNIX socket. This should be called with the lock
* on the socket taken. */
k = recvmsg(d->storage_socket[0], &mh, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_CMSG_CLOEXEC);
if (k < 0)
return -errno;
cmsg = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int)));
if (cmsg)
lock_fd = *(int*) CMSG_DATA(cmsg);
else
cmsg_close_all(&mh); /* just in case... */
*ret_uid = uid;
*ret_lock_fd = lock_fd;
return 0;
}
static int dynamic_user_push(DynamicUser *d, uid_t uid, int lock_fd) {
struct iovec iov = {
.iov_base = &uid,
.iov_len = sizeof(uid),
};
union {
struct cmsghdr cmsghdr;
uint8_t buf[CMSG_SPACE(sizeof(int))];
} control = {};
struct msghdr mh = {
.msg_control = &control,
.msg_controllen = sizeof(control),
.msg_iov = &iov,
.msg_iovlen = 1,
};
ssize_t k;
assert(d);
/* Store the UID and lock_fd in the storage socket. This should be called with the socket pair lock taken. */
if (lock_fd >= 0) {
struct cmsghdr *cmsg;
cmsg = CMSG_FIRSTHDR(&mh);
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_RIGHTS;
cmsg->cmsg_len = CMSG_LEN(sizeof(int));
memcpy(CMSG_DATA(cmsg), &lock_fd, sizeof(int));
mh.msg_controllen = CMSG_SPACE(sizeof(int));
} else {
mh.msg_control = NULL;
mh.msg_controllen = 0;
}
k = sendmsg(d->storage_socket[1], &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
if (k < 0)
return -errno;
return 0;
}
static void unlink_uid_lock(int lock_fd, uid_t uid) {
char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1];
if (lock_fd < 0)
return;
xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid);
(void) unlink_noerrno(lock_path);
}
int dynamic_user_realize(DynamicUser *d, uid_t *ret) {
_cleanup_close_ int etc_passwd_lock_fd = -1, uid_lock_fd = -1;
uid_t uid = UID_INVALID;
int r;
assert(d);
/* Acquire a UID for the user name. This will allocate a UID for the user name if the user doesn't exist
* yet. If it already exists its existing UID/GID will be reused. */
if (lockf(d->storage_socket[0], F_LOCK, 0) < 0)
return -errno;
r = dynamic_user_pop(d, &uid, &uid_lock_fd);
if (r < 0) {
int new_uid_lock_fd;
uid_t new_uid;
if (r != -EAGAIN)
goto finish;
/* OK, nothing stored yet, let's try to find something useful. While we are working on this release the
* lock however, so that nobody else blocks on our NSS lookups. */
(void) lockf(d->storage_socket[0], F_ULOCK, 0);
/* Let's see if a proper, static user or group by this name exists. Try to take the lock on
* /etc/passwd, if that fails with EROFS then /etc is read-only. In that case it's fine if we don't
* take the lock, given that users can't be added there anyway in this case. */
etc_passwd_lock_fd = take_etc_passwd_lock(NULL);
if (etc_passwd_lock_fd < 0 && etc_passwd_lock_fd != -EROFS)
return etc_passwd_lock_fd;
/* First, let's parse this as numeric UID */
r = parse_uid(d->name, &uid);
if (r < 0) {
struct passwd *p;
struct group *g;
/* OK, this is not a numeric UID. Let's see if there's a user by this name */
p = getpwnam(d->name);
if (p)
uid = p->pw_uid;
/* Let's see if there's a group by this name */
g = getgrnam(d->name);
if (g) {
/* If the UID/GID of the user/group of the same don't match, refuse operation */
if (uid != UID_INVALID && uid != (uid_t) g->gr_gid)
return -EILSEQ;
uid = (uid_t) g->gr_gid;
}
}
if (uid == UID_INVALID) {
/* No static UID assigned yet, excellent. Let's pick a new dynamic one, and lock it. */
uid_lock_fd = pick_uid(d->name, &uid);
if (uid_lock_fd < 0)
return uid_lock_fd;
}
/* So, we found a working UID/lock combination. Let's see if we actually still need it. */
if (lockf(d->storage_socket[0], F_LOCK, 0) < 0) {
unlink_uid_lock(uid_lock_fd, uid);
return -errno;
}
r = dynamic_user_pop(d, &new_uid, &new_uid_lock_fd);
if (r < 0) {
if (r != -EAGAIN) {
/* OK, something bad happened, let's get rid of the bits we acquired. */
unlink_uid_lock(uid_lock_fd, uid);
goto finish;
}
/* Great! Nothing is stored here, still. Store our newly acquired data. */
} else {
/* Hmm, so as it appears there's now something stored in the storage socket. Throw away what we
* acquired, and use what's stored now. */
unlink_uid_lock(uid_lock_fd, uid);
safe_close(uid_lock_fd);
uid = new_uid;
uid_lock_fd = new_uid_lock_fd;
}
}
/* If the UID/GID was already allocated dynamically, push the data we popped out back in. If it was already
* allocated statically, push the UID back too, but do not push the lock fd in. If we allocated the UID
* dynamically right here, push that in along with the lock fd for it. */
r = dynamic_user_push(d, uid, uid_lock_fd);
if (r < 0)
goto finish;
*ret = uid;
r = 0;
finish:
(void) lockf(d->storage_socket[0], F_ULOCK, 0);
return r;
}
int dynamic_user_current(DynamicUser *d, uid_t *ret) {
_cleanup_close_ int lock_fd = -1;
uid_t uid;
int r;
assert(d);
assert(ret);
/* Get the currently assigned UID for the user, if there's any. This simply pops the data from the storage socket, and pushes it back in right-away. */
if (lockf(d->storage_socket[0], F_LOCK, 0) < 0)
return -errno;
r = dynamic_user_pop(d, &uid, &lock_fd);
if (r < 0)
goto finish;
r = dynamic_user_push(d, uid, lock_fd);
if (r < 0)
goto finish;
*ret = uid;
r = 0;
finish:
(void) lockf(d->storage_socket[0], F_ULOCK, 0);
return r;
}
DynamicUser* dynamic_user_ref(DynamicUser *d) {
if (!d)
return NULL;
assert(d->n_ref > 0);
d->n_ref++;
return d;
}
DynamicUser* dynamic_user_unref(DynamicUser *d) {
if (!d)
return NULL;
/* Note that this doesn't actually release any resources itself. If a dynamic user should be fully destroyed
* and its UID released, use dynamic_user_destroy() instead. NB: the dynamic user table may contain entries
* with no references, which is commonly the case right before a daemon reload. */
assert(d->n_ref > 0);
d->n_ref--;
return NULL;
}
static int dynamic_user_close(DynamicUser *d) {
_cleanup_close_ int lock_fd = -1;
uid_t uid;
int r;
/* Release the user ID, by releasing the lock on it, and emptying the storage socket. After this the user is
* unrealized again, much like it was after it the DynamicUser object was first allocated. */
if (lockf(d->storage_socket[0], F_LOCK, 0) < 0)
return -errno;
r = dynamic_user_pop(d, &uid, &lock_fd);
if (r == -EAGAIN) {
/* User wasn't realized yet, nothing to do. */
r = 0;
goto finish;
}
if (r < 0)
goto finish;
/* This dynamic user was realized and dynamically allocated. In this case, let's remove the lock file. */
unlink_uid_lock(lock_fd, uid);
r = 1;
finish:
(void) lockf(d->storage_socket[0], F_ULOCK, 0);
return r;
}
DynamicUser* dynamic_user_destroy(DynamicUser *d) {
if (!d)
return NULL;
/* Drop a reference to a DynamicUser object, and destroy the user completely if this was the last
* reference. This is called whenever a service is shut down and wants its dynamic UID gone. Note that
* dynamic_user_unref() is what is called whenever a service is simply freed, for example during a reload
* cycle, where the dynamic users should not be destroyed, but our datastructures should. */
dynamic_user_unref(d);
if (d->n_ref > 0)
return NULL;
(void) dynamic_user_close(d);
return dynamic_user_free(d);
}
int dynamic_user_serialize(Manager *m, FILE *f, FDSet *fds) {
DynamicUser *d;
Iterator i;
assert(m);
assert(f);
assert(fds);
/* Dump the dynamic user database into the manager serialization, to deal with daemon reloads. */
HASHMAP_FOREACH(d, m->dynamic_users, i) {
int copy0, copy1;
copy0 = fdset_put_dup(fds, d->storage_socket[0]);
if (copy0 < 0)
return copy0;
copy1 = fdset_put_dup(fds, d->storage_socket[1]);
if (copy1 < 0)
return copy1;
fprintf(f, "dynamic-user=%s %i %i\n", d->name, copy0, copy1);
}
return 0;
}
void dynamic_user_deserialize_one(Manager *m, const char *value, FDSet *fds) {
_cleanup_free_ char *name = NULL, *s0 = NULL, *s1 = NULL;
int r, fd0, fd1;
assert(m);
assert(value);
assert(fds);
/* Parse the serialization again, after a daemon reload */
r = extract_many_words(&value, NULL, 0, &name, &s0, &s1, NULL);
if (r != 3 || !isempty(value)) {
log_debug("Unable to parse dynamic user line.");
return;
}
if (safe_atoi(s0, &fd0) < 0 || !fdset_contains(fds, fd0)) {
log_debug("Unable to process dynamic user fd specification.");
return;
}
if (safe_atoi(s1, &fd1) < 0 || !fdset_contains(fds, fd1)) {
log_debug("Unable to process dynamic user fd specification.");
return;
}
r = dynamic_user_add(m, name, (int[]) { fd0, fd1 }, NULL);
if (r < 0) {
log_debug_errno(r, "Failed to add dynamic user: %m");
return;
}
(void) fdset_remove(fds, fd0);
(void) fdset_remove(fds, fd1);
}
void dynamic_user_vacuum(Manager *m, bool close_user) {
DynamicUser *d;
Iterator i;
assert(m);
/* Empty the dynamic user database, optionally cleaning up orphaned dynamic users, i.e. destroy and free users
* to which no reference exist. This is called after a daemon reload finished, in order to destroy users which
* might not be referenced anymore. */
HASHMAP_FOREACH(d, m->dynamic_users, i) {
if (d->n_ref > 0)
continue;
if (close_user) {
log_debug("Removing orphaned dynamic user %s", d->name);
(void) dynamic_user_close(d);
}
dynamic_user_free(d);
}
}
int dynamic_user_lookup_uid(Manager *m, uid_t uid, char **ret) {
char lock_path[strlen("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1];
_cleanup_free_ char *user = NULL;
uid_t check_uid;
int r;
assert(m);
assert(ret);
/* A friendly way to translate a dynamic user's UID into a his name. */
if (uid < UID_PICK_MIN)
return -ESRCH;
if (uid > UID_PICK_MAX)
return -ESRCH;
xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, uid);
r = read_one_line_file(lock_path, &user);
if (r == -ENOENT)
return -ESRCH;
if (r < 0)
return r;
/* The lock file might be stale, hence let's verify the data before we return it */
r = dynamic_user_lookup_name(m, user, &check_uid);
if (r < 0)
return r;
if (check_uid != uid) /* lock file doesn't match our own idea */
return -ESRCH;
*ret = user;
user = NULL;
return 0;
}
int dynamic_user_lookup_name(Manager *m, const char *name, uid_t *ret) {
DynamicUser *d;
int r;
assert(m);
assert(name);
assert(ret);
/* A friendly call for translating a dynamic user's name into its UID */
d = hashmap_get(m->dynamic_users, name);
if (!d)
return -ESRCH;
r = dynamic_user_current(d, ret);
if (r == -EAGAIN) /* not realized yet? */
return -ESRCH;
return r;
}
int dynamic_creds_acquire(DynamicCreds *creds, Manager *m, const char *user, const char *group) {
bool acquired = false;
int r;
assert(creds);
assert(m);
/* A DynamicUser object encapsulates an allocation of both a UID and a GID for a specific name. However, some
* services use different user and groups. For cases like that there's DynamicCreds containing a pair of user
* and group. This call allocates a pair. */
if (!creds->user && user) {
r = dynamic_user_acquire(m, user, &creds->user);
if (r < 0)
return r;
acquired = true;
}
if (!creds->group) {
if (creds->user && (!group || streq_ptr(user, group)))
creds->group = dynamic_user_ref(creds->user);
else {
r = dynamic_user_acquire(m, group, &creds->group);
if (r < 0) {
if (acquired)
creds->user = dynamic_user_unref(creds->user);
return r;
}
}
}
return 0;
}
int dynamic_creds_realize(DynamicCreds *creds, uid_t *uid, gid_t *gid) {
uid_t u = UID_INVALID;
gid_t g = GID_INVALID;
int r;
assert(creds);
assert(uid);
assert(gid);
/* Realize both the referenced user and group */
if (creds->user) {
r = dynamic_user_realize(creds->user, &u);
if (r < 0)
return r;
}
if (creds->group && creds->group != creds->user) {
r = dynamic_user_realize(creds->group, &g);
if (r < 0)
return r;
} else
g = u;
*uid = u;
*gid = g;
return 0;
}
void dynamic_creds_unref(DynamicCreds *creds) {
assert(creds);
creds->user = dynamic_user_unref(creds->user);
creds->group = dynamic_user_unref(creds->group);
}
void dynamic_creds_destroy(DynamicCreds *creds) {
assert(creds);
creds->user = dynamic_user_destroy(creds->user);
creds->group = dynamic_user_destroy(creds->group);
}

66
src/core/dynamic-user.h Normal file
View File

@ -0,0 +1,66 @@
#pragma once
/***
This file is part of systemd.
Copyright 2016 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
typedef struct DynamicUser DynamicUser;
typedef struct DynamicCreds {
/* A combination of a dynamic user and group */
DynamicUser *user;
DynamicUser *group;
} DynamicCreds;
#include "manager.h"
/* Note that this object always allocates a pair of user and group under the same name, even if one of them isn't
* used. This means, if you want to allocate a group and user pair, and they might have two different names, then you
* need to allocated two of these objects. DynamicCreds below makes that easy. */
struct DynamicUser {
int n_ref;
Manager *manager;
/* An AF_UNIX socket pair that contains a datagram containing both the numeric ID assigned, as well as a lock
* file fd locking the user ID we picked. */
int storage_socket[2];
char name[];
};
int dynamic_user_acquire(Manager *m, const char *name, DynamicUser **ret);
int dynamic_user_realize(DynamicUser *d, uid_t *ret);
int dynamic_user_current(DynamicUser *d, uid_t *ret);
DynamicUser* dynamic_user_ref(DynamicUser *d);
DynamicUser* dynamic_user_unref(DynamicUser *d);
DynamicUser* dynamic_user_destroy(DynamicUser *d);
int dynamic_user_serialize(Manager *m, FILE *f, FDSet *fds);
void dynamic_user_deserialize_one(Manager *m, const char *value, FDSet *fds);
void dynamic_user_vacuum(Manager *m, bool close_user);
int dynamic_user_lookup_uid(Manager *m, uid_t uid, char **ret);
int dynamic_user_lookup_name(Manager *m, const char *name, uid_t *ret);
int dynamic_creds_acquire(DynamicCreds *creds, Manager *m, const char *user, const char *group);
int dynamic_creds_realize(DynamicCreds *creds, uid_t *uid, gid_t *gid);
void dynamic_creds_unref(DynamicCreds *creds);
void dynamic_creds_destroy(DynamicCreds *creds);

75
src/core/execute.c
View File

@ -1526,14 +1526,28 @@ static bool exec_needs_mount_namespace(
return false;
}
static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
assert(array);
assert(n);
if (!pair)
return;
if (pair[0] >= 0)
array[(*n)++] = pair[0];
if (pair[1] >= 0)
array[(*n)++] = pair[1];
}
static int close_remaining_fds(
const ExecParameters *params,
ExecRuntime *runtime,
DynamicCreds *dcreds,
int socket_fd,
int *fds, unsigned n_fds) {
unsigned n_dont_close = 0;
int dont_close[n_fds + 7];
int dont_close[n_fds + 11];
assert(params);
@ -1551,11 +1565,14 @@ static int close_remaining_fds(
n_dont_close += n_fds;
}
if (runtime) {
if (runtime->netns_storage_socket[0] >= 0)
dont_close[n_dont_close++] = runtime->netns_storage_socket[0];
if (runtime->netns_storage_socket[1] >= 0)
dont_close[n_dont_close++] = runtime->netns_storage_socket[1];
if (runtime)
append_socket_pair(dont_close, &n_dont_close, runtime->netns_storage_socket);
if (dcreds) {
if (dcreds->user)
append_socket_pair(dont_close, &n_dont_close, dcreds->user->storage_socket);
if (dcreds->group)
append_socket_pair(dont_close, &n_dont_close, dcreds->group->storage_socket);
}
return close_all_fds(dont_close, n_dont_close);
@ -1567,6 +1584,7 @@ static int exec_child(
const ExecContext *context,
const ExecParameters *params,
ExecRuntime *runtime,
DynamicCreds *dcreds,
char **argv,
int socket_fd,
int *fds, unsigned n_fds,
@ -1617,7 +1635,7 @@ static int exec_child(
log_forget_fds();
r = close_remaining_fds(params, runtime, socket_fd, fds, n_fds);
r = close_remaining_fds(params, runtime, dcreds, socket_fd, fds, n_fds);
if (r < 0) {
*exit_status = EXIT_FDS;
return r;
@ -1650,26 +1668,43 @@ static int exec_child(
}
}
if (context->user) {
username = context->user;
r = get_user_creds(&username, &uid, &gid, &home, &shell);
if (context->dynamic_user && dcreds) {
r = dynamic_creds_realize(dcreds, &uid, &gid);
if (r < 0) {
*exit_status = EXIT_USER;
return r;
}
}
if (context->group) {
const char *g = context->group;
if (uid == UID_INVALID || gid == GID_INVALID) {
*exit_status = EXIT_USER;
return -ESRCH;
}
r = get_group_creds(&g, &gid);
if (r < 0) {
*exit_status = EXIT_GROUP;
return r;
if (dcreds->user)
username = dcreds->user->name;
} else {
if (context->user) {
username = context->user;
r = get_user_creds(&username, &uid, &gid, &home, &shell);
if (r < 0) {
*exit_status = EXIT_USER;
return r;
}
}
if (context->group) {
const char *g = context->group;
r = get_group_creds(&g, &gid);
if (r < 0) {
*exit_status = EXIT_GROUP;
return r;
}
}
}
/* If a socket is connected to STDIN/STDOUT/STDERR, we
* must sure to drop O_NONBLOCK */
if (socket_fd >= 0)
@ -2192,6 +2227,7 @@ int exec_spawn(Unit *unit,
const ExecContext *context,
const ExecParameters *params,
ExecRuntime *runtime,
DynamicCreds *dcreds,
pid_t *ret) {
_cleanup_strv_free_ char **files_env = NULL;
@ -2250,6 +2286,7 @@ int exec_spawn(Unit *unit,
context,
params,
runtime,
dcreds,
argv,
socket_fd,
fds, n_fds,
@ -2723,6 +2760,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
if (c->group)
fprintf(f, "%sGroup: %s\n", prefix, c->group);
fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
if (strv_length(c->supplementary_groups) > 0) {
fprintf(f, "%sSupplementaryGroups:", prefix);
strv_fprintf(f, c->supplementary_groups);

6
src/core/execute.h
View File

@ -92,6 +92,8 @@ struct ExecRuntime {
char *tmp_dir;
char *var_tmp_dir;
/* An AF_UNIX socket pair, that contains a datagram containing a file descriptor referring to the network
* namespace. */
int netns_storage_socket[2];
};
@ -174,6 +176,8 @@ struct ExecContext {
bool no_new_privileges;
bool dynamic_user;
/* This is not exposed to the user but available
* internally. We need it to make sure that whenever we spawn
* /usr/bin/mount it is run in the same process group as us so
@ -235,12 +239,14 @@ struct ExecParameters {
};
#include "unit.h"
#include "dynamic-user.h"
int exec_spawn(Unit *unit,
ExecCommand *command,
const ExecContext *context,
const ExecParameters *exec_params,
ExecRuntime *runtime,
DynamicCreds *dynamic_creds,
pid_t *ret);
void exec_command_done(ExecCommand *c);

1
src/core/load-fragment-gperf.gperf.m4
View File

@ -34,6 +34,7 @@ $1.UMask, config_parse_mode, 0,
$1.Environment, config_parse_environ, 0, offsetof($1, exec_context.environment)
$1.EnvironmentFile, config_parse_unit_env_file, 0, offsetof($1, exec_context.environment_files)
$1.PassEnvironment, config_parse_pass_environ, 0, offsetof($1, exec_context.pass_environment)
$1.DynamicUser, config_parse_bool, 0, offsetof($1, exec_context.dynamic_user)
$1.StandardInput, config_parse_input, 0, offsetof($1, exec_context.std_input)
$1.StandardOutput, config_parse_output, 0, offsetof($1, exec_context.std_output)
$1.StandardError, config_parse_output, 0, offsetof($1, exec_context.std_error)

18
src/core/manager.c
View File

@ -1004,6 +1004,9 @@ Manager* manager_free(Manager *m) {
bus_done(m);
dynamic_user_vacuum(m, false);
hashmap_free(m->dynamic_users);
hashmap_free(m->units);
hashmap_free(m->jobs);
hashmap_free(m->watch_pids1);
@ -1227,6 +1230,9 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) {
/* Third, fire things up! */
manager_coldplug(m);
/* Release any dynamic users no longer referenced */
dynamic_user_vacuum(m, true);
if (serialization) {
assert(m->n_reloading > 0);
m->n_reloading--;
@ -2403,6 +2409,10 @@ int manager_serialize(Manager *m, FILE *f, FDSet *fds, bool switching_root) {
bus_track_serialize(m->subscribed, f);
r = dynamic_user_serialize(m, f, fds);
if (r < 0)
return r;
fputc('\n', f);
HASHMAP_FOREACH_KEY(u, t, m->units, i) {
@ -2579,7 +2589,9 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
m->kdbus_fd = fdset_remove(fds, fd);
}
} else {
} else if (startswith(l, "dynamic-user="))
dynamic_user_deserialize_one(m, l + 13, fds);
else {
int k;
k = bus_track_deserialize_item(&m->deserialized_subscribed, l);
@ -2660,6 +2672,7 @@ int manager_reload(Manager *m) {
manager_clear_jobs_and_units(m);
lookup_paths_flush_generator(&m->lookup_paths);
lookup_paths_free(&m->lookup_paths);
dynamic_user_vacuum(m, false);
q = lookup_paths_init(&m->lookup_paths, m->unit_file_scope, 0, NULL);
if (q < 0 && r >= 0)
@ -2696,6 +2709,9 @@ int manager_reload(Manager *m) {
/* Third, fire things up! */
manager_coldplug(m);
/* Release any dynamic users no longer referenced */
dynamic_user_vacuum(m, true);
/* Sync current state of bus names with our set of listening units */
if (m->api_bus)
manager_sync_bus_names(m, m->api_bus);

3
src/core/manager.h
View File

@ -298,6 +298,9 @@ struct Manager {
/* Used for processing polkit authorization responses */
Hashmap *polkit_registry;
/* Dynamic users/groups, indexed by their name */
Hashmap *dynamic_users;
/* When the user hits C-A-D more than 7 times per 2s, reboot immediately... */
RateLimit ctrl_alt_del_ratelimit;

15
src/core/mount.c
View File

@ -245,6 +245,8 @@ static void mount_done(Unit *u) {
exec_command_done_array(m->exec_command, _MOUNT_EXEC_COMMAND_MAX);
m->control_command = NULL;
dynamic_creds_unref(&m->dynamic_creds);
mount_unwatch_control_pid(m);
m->timer_event_source = sd_event_source_unref(m->timer_event_source);
@ -648,6 +650,9 @@ static int mount_coldplug(Unit *u) {
return r;
}
if (!IN_SET(new_state, MOUNT_DEAD, MOUNT_FAILED))
(void) unit_setup_dynamic_creds(u);
mount_set_state(m, new_state);
return 0;
}
@ -716,6 +721,10 @@ static int mount_spawn(Mount *m, ExecCommand *c, pid_t *_pid) {
if (r < 0)
return r;
r = unit_setup_dynamic_creds(UNIT(m));
if (r < 0)
return r;
r = mount_arm_timer(m, usec_add(now(CLOCK_MONOTONIC), m->timeout_usec));
if (r < 0)
return r;
@ -732,6 +741,7 @@ static int mount_spawn(Mount *m, ExecCommand *c, pid_t *_pid) {
&m->exec_context,
&exec_params,
m->exec_runtime,
&m->dynamic_creds,
&pid);
if (r < 0)
return r;
@ -752,12 +762,14 @@ static void mount_enter_dead(Mount *m, MountResult f) {
if (f != MOUNT_SUCCESS)
m->result = f;
mount_set_state(m, m->result != MOUNT_SUCCESS ? MOUNT_FAILED : MOUNT_DEAD);
exec_runtime_destroy(m->exec_runtime);
m->exec_runtime = exec_runtime_unref(m->exec_runtime);
exec_context_destroy_runtime_directory(&m->exec_context, manager_get_runtime_prefix(UNIT(m)->manager));
mount_set_state(m, m->result != MOUNT_SUCCESS ? MOUNT_FAILED : MOUNT_DEAD);
dynamic_creds_destroy(&m->dynamic_creds);
}
static void mount_enter_mounted(Mount *m, MountResult f) {
@ -1817,6 +1829,7 @@ const UnitVTable mount_vtable = {
.cgroup_context_offset = offsetof(Mount, cgroup_context),
.kill_context_offset = offsetof(Mount, kill_context),
.exec_runtime_offset = offsetof(Mount, exec_runtime),
.dynamic_creds_offset = offsetof(Mount, dynamic_creds),
.sections =
"Unit\0"

3
src/core/mount.h
View File

@ -21,8 +21,8 @@
typedef struct Mount Mount;
#include "execute.h"
#include "kill.h"
#include "dynamic-user.h"
typedef enum MountExecCommand {
MOUNT_EXEC_MOUNT,
@ -85,6 +85,7 @@ struct Mount {
CGroupContext cgroup_context;
ExecRuntime *exec_runtime;
DynamicCreds dynamic_creds;
MountState state, deserialized_state;

16
src/core/service.c
View File

@ -322,6 +322,8 @@ static void service_done(Unit *u) {
s->control_command = NULL;
s->main_command = NULL;
dynamic_creds_unref(&s->dynamic_creds);
exit_status_set_free(&s->restart_prevent_status);
exit_status_set_free(&s->restart_force_status);
exit_status_set_free(&s->success_status);
@ -1030,6 +1032,9 @@ static int service_coldplug(Unit *u) {
if (IN_SET(s->deserialized_state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD))
service_start_watchdog(s);
if (!IN_SET(s->deserialized_state, SERVICE_DEAD, SERVICE_FAILED, SERVICE_AUTO_RESTART))
(void) unit_setup_dynamic_creds(u);
service_set_state(s, s->deserialized_state);
return 0;
}
@ -1184,6 +1189,10 @@ static int service_spawn(
if (r < 0)
return r;
r = unit_setup_dynamic_creds(UNIT(s));
if (r < 0)
return r;
if (pass_fds ||
s->exec_context.std_input == EXEC_INPUT_SOCKET ||
s->exec_context.std_output == EXEC_OUTPUT_SOCKET ||
@ -1285,6 +1294,7 @@ static int service_spawn(
&s->exec_context,
&exec_params,
s->exec_runtime,
&s->dynamic_creds,
&pid);
if (r < 0)
return r;
@ -1418,9 +1428,12 @@ static void service_enter_dead(Service *s, ServiceResult f, bool allow_restart)
exec_runtime_destroy(s->exec_runtime);
s->exec_runtime = exec_runtime_unref(s->exec_runtime);
/* Also, remove the runtime directory in */
/* Also, remove the runtime directory */
exec_context_destroy_runtime_directory(&s->exec_context, manager_get_runtime_prefix(UNIT(s)->manager));
/* Release the user, and destroy it if we are the only remaining owner */
dynamic_creds_destroy(&s->dynamic_creds);
/* Try to delete the pid file. At this point it will be
* out-of-date, and some software might be confused by it, so
* let's remove it. */
@ -3323,6 +3336,7 @@ const UnitVTable service_vtable = {
.cgroup_context_offset = offsetof(Service, cgroup_context),
.kill_context_offset = offsetof(Service, kill_context),
.exec_runtime_offset = offsetof(Service, exec_runtime),
.dynamic_creds_offset = offsetof(Service, dynamic_creds),
.sections =
"Unit\0"

1
src/core/service.h
View File

@ -148,6 +148,7 @@ struct Service {
/* Runtime data of the execution context */
ExecRuntime *exec_runtime;
DynamicCreds dynamic_creds;
pid_t main_pid, control_pid;
int socket_fd;

15
src/core/socket.c
View File

@ -150,6 +150,8 @@ static void socket_done(Unit *u) {
exec_command_free_array(s->exec_command, _SOCKET_EXEC_COMMAND_MAX);
s->control_command = NULL;
dynamic_creds_unref(&s->dynamic_creds);
socket_unwatch_control_pid(s);
unit_ref_unset(&s->service);
@ -1602,6 +1604,9 @@ static int socket_coldplug(Unit *u) {
return r;
}
if (!IN_SET(s->deserialized_state, SOCKET_DEAD, SOCKET_FAILED))
(void) unit_setup_dynamic_creds(u);
socket_set_state(s, s->deserialized_state);
return 0;
}
@ -1633,6 +1638,10 @@ static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
if (r < 0)
return r;
r = unit_setup_dynamic_creds(UNIT(s));
if (r < 0)
return r;
r = socket_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
if (r < 0)
return r;
@ -1654,6 +1663,7 @@ static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
&s->exec_context,
&exec_params,
s->exec_runtime,
&s->dynamic_creds,
&pid);
if (r < 0)
return r;
@ -1757,12 +1767,14 @@ static void socket_enter_dead(Socket *s, SocketResult f) {
if (f != SOCKET_SUCCESS)
s->result = f;
socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
exec_runtime_destroy(s->exec_runtime);
s->exec_runtime = exec_runtime_unref(s->exec_runtime);
exec_context_destroy_runtime_directory(&s->exec_context, manager_get_runtime_prefix(UNIT(s)->manager));
socket_set_state(s, s->result != SOCKET_SUCCESS ? SOCKET_FAILED : SOCKET_DEAD);
dynamic_creds_destroy(&s->dynamic_creds);
}
static void socket_enter_signal(Socket *s, SocketState state, SocketResult f);
@ -2930,6 +2942,7 @@ const UnitVTable socket_vtable = {
.cgroup_context_offset = offsetof(Socket, cgroup_context),
.kill_context_offset = offsetof(Socket, kill_context),
.exec_runtime_offset = offsetof(Socket, exec_runtime),
.dynamic_creds_offset = offsetof(Socket, dynamic_creds),
.sections =
"Unit\0"

2
src/core/socket.h
View File

@ -94,7 +94,9 @@ struct Socket {
ExecContext exec_context;
KillContext kill_context;
CGroupContext cgroup_context;
ExecRuntime *exec_runtime;
DynamicCreds dynamic_creds;
/* For Accept=no sockets refers to the one service we'll
activate. For Accept=yes sockets is either NULL, or filled

15
src/core/swap.c
View File

@ -153,6 +153,8 @@ static void swap_done(Unit *u) {
exec_command_done_array(s->exec_command, _SWAP_EXEC_COMMAND_MAX);
s->control_command = NULL;
dynamic_creds_unref(&s->dynamic_creds);
swap_unwatch_control_pid(s);
s->timer_event_source = sd_event_source_unref(s->timer_event_source);
@ -553,6 +555,9 @@ static int swap_coldplug(Unit *u) {
return r;
}
if (!IN_SET(new_state, SWAP_DEAD, SWAP_FAILED))
(void) unit_setup_dynamic_creds(u);
swap_set_state(s, new_state);
return 0;
}
@ -628,6 +633,10 @@ static int swap_spawn(Swap *s, ExecCommand *c, pid_t *_pid) {
if (r < 0)
goto fail;
r = unit_setup_dynamic_creds(UNIT(s));
if (r < 0)
return r;
r = swap_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->timeout_usec));
if (r < 0)
goto fail;
@ -644,6 +653,7 @@ static int swap_spawn(Swap *s, ExecCommand *c, pid_t *_pid) {
&s->exec_context,
&exec_params,
s->exec_runtime,
&s->dynamic_creds,
&pid);
if (r < 0)
goto fail;
@ -668,12 +678,14 @@ static void swap_enter_dead(Swap *s, SwapResult f) {
if (f != SWAP_SUCCESS)
s->result = f;
swap_set_state(s, s->result != SWAP_SUCCESS ? SWAP_FAILED : SWAP_DEAD);
exec_runtime_destroy(s->exec_runtime);
s->exec_runtime = exec_runtime_unref(s->exec_runtime);
exec_context_destroy_runtime_directory(&s->exec_context, manager_get_runtime_prefix(UNIT(s)->manager));
swap_set_state(s, s->result != SWAP_SUCCESS ? SWAP_FAILED : SWAP_DEAD);
dynamic_creds_destroy(&s->dynamic_creds);
}
static void swap_enter_active(Swap *s, SwapResult f) {
@ -1466,6 +1478,7 @@ const UnitVTable swap_vtable = {
.cgroup_context_offset = offsetof(Swap, cgroup_context),
.kill_context_offset = offsetof(Swap, kill_context),
.exec_runtime_offset = offsetof(Swap, exec_runtime),
.dynamic_creds_offset = offsetof(Swap, dynamic_creds),
.sections =
"Unit\0"

1
src/core/swap.h
View File

@ -82,6 +82,7 @@ struct Swap {
CGroupContext cgroup_context;
ExecRuntime *exec_runtime;
DynamicCreds dynamic_creds;
SwapState state, deserialized_state;

63
src/core/unit.c
View File

@ -3224,6 +3224,33 @@ void unit_ref_unset(UnitRef *ref) {
ref->unit = NULL;
}
static int user_from_unit_name(Unit *u, char **ret) {
static const uint8_t hash_key[] = {
0x58, 0x1a, 0xaf, 0xe6, 0x28, 0x58, 0x4e, 0x96,
0xb4, 0x4e, 0xf5, 0x3b, 0x8c, 0x92, 0x07, 0xec
};
_cleanup_free_ char *n = NULL;
int r;
r = unit_name_to_prefix(u->id, &n);
if (r < 0)
return r;
if (valid_user_group_name(n)) {
*ret = n;
n = NULL;
return 0;
}
/* If we can't use the unit name as a user name, then let's hash it and use that */
if (asprintf(ret, "_du%016" PRIx64, siphash24(n, strlen(n), hash_key)) < 0)
return -ENOMEM;
return 0;
}
int unit_patch_contexts(Unit *u) {
CGroupContext *cc;
ExecContext *ec;
@ -3268,6 +3295,22 @@ int unit_patch_contexts(Unit *u) {
if (ec->private_devices)
ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_MKNOD);
if (ec->dynamic_user) {
if (!ec->user) {
r = user_from_unit_name(u, &ec->user);
if (r < 0)
return r;
}
if (!ec->group) {
ec->group = strdup(ec->user);
if (!ec->group)
return -ENOMEM;
}
ec->private_tmp = true;
}
}
cc = unit_get_cgroup_context(u);
@ -3776,6 +3819,26 @@ int unit_setup_exec_runtime(Unit *u) {
return exec_runtime_make(rt, unit_get_exec_context(u), u->id);
}
int unit_setup_dynamic_creds(Unit *u) {
ExecContext *ec;
DynamicCreds *dcreds;
size_t offset;
assert(u);
offset = UNIT_VTABLE(u)->dynamic_creds_offset;
assert(offset > 0);
dcreds = (DynamicCreds*) ((uint8_t*) u + offset);
ec = unit_get_exec_context(u);
assert(ec);
if (!ec->dynamic_user)
return 0;
return dynamic_creds_acquire(dcreds, u->manager, ec->user, ec->group);
}
bool unit_type_supported(UnitType t) {
if (_unlikely_(t < 0))
return false;

5
src/core/unit.h
View File

@ -291,6 +291,10 @@ struct UnitVTable {
* that */
size_t exec_runtime_offset;
/* If greater than 0, the offset into the object where the pointer to DynamicCreds is found, if the unit type
* has that. */
size_t dynamic_creds_offset;
/* The name of the configuration file section with the private settings of this unit */
const char *private_section;
@ -589,6 +593,7 @@ CGroupContext *unit_get_cgroup_context(Unit *u) _pure_;
ExecRuntime *unit_get_exec_runtime(Unit *u) _pure_;
int unit_setup_exec_runtime(Unit *u);
int unit_setup_dynamic_creds(Unit *u);
int unit_write_drop_in(Unit *u, UnitSetPropertiesMode mode, const char *name, const char *data);
int unit_write_drop_in_format(Unit *u, UnitSetPropertiesMode mode, const char *name, const char *format, ...) _printf_(4,5);

1
src/libsystemd/sd-bus/bus-common-errors.c
View File

@ -44,6 +44,7 @@ BUS_ERROR_MAP_ELF_REGISTER const sd_bus_error_map bus_common_errors[] = {
SD_BUS_ERROR_MAP(BUS_ERROR_NO_ISOLATION, EPERM),
SD_BUS_ERROR_MAP(BUS_ERROR_SHUTTING_DOWN, ECANCELED),
SD_BUS_ERROR_MAP(BUS_ERROR_SCOPE_NOT_RUNNING, EHOSTDOWN),
SD_BUS_ERROR_MAP(BUS_ERROR_NO_SUCH_DYNAMIC_USER, ESRCH),
SD_BUS_ERROR_MAP(BUS_ERROR_NO_SUCH_MACHINE, ENXIO),
SD_BUS_ERROR_MAP(BUS_ERROR_NO_SUCH_IMAGE, ENOENT),

1
src/libsystemd/sd-bus/bus-common-errors.h
View File

@ -40,6 +40,7 @@
#define BUS_ERROR_NO_ISOLATION "org.freedesktop.systemd1.NoIsolation"
#define BUS_ERROR_SHUTTING_DOWN "org.freedesktop.systemd1.ShuttingDown"
#define BUS_ERROR_SCOPE_NOT_RUNNING "org.freedesktop.systemd1.ScopeNotRunning"
#define BUS_ERROR_NO_SUCH_DYNAMIC_USER "org.freedesktop.systemd1.NoSuchDynamicUser"
#define BUS_ERROR_NO_SUCH_MACHINE "org.freedesktop.machine1.NoSuchMachine"
#define BUS_ERROR_NO_SUCH_IMAGE "org.freedesktop.machine1.NoSuchImage"

11
src/shared/bus-unit-util.c
View File

@ -179,11 +179,12 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen
r = sd_bus_message_append(m, "sv", sn, "t", l.rlim_cur);
} else if (STR_IN_SET(field,
"CPUAccounting", "MemoryAccounting", "IOAccounting", "BlockIOAccounting", "TasksAccounting",
"SendSIGHUP", "SendSIGKILL", "WakeSystem", "DefaultDependencies",
"IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "RemainAfterExit",
"PrivateTmp", "PrivateDevices", "PrivateNetwork", "NoNewPrivileges",
"SyslogLevelPrefix", "Delegate", "RemainAfterElapse", "MemoryDenyWriteExecute")) {
"CPUAccounting", "MemoryAccounting", "IOAccounting", "BlockIOAccounting", "TasksAccounting",
"SendSIGHUP", "SendSIGKILL", "WakeSystem", "DefaultDependencies",
"IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "RemainAfterExit",
"PrivateTmp", "PrivateDevices", "PrivateNetwork", "NoNewPrivileges",
"SyslogLevelPrefix", "Delegate", "RemainAfterElapse", "MemoryDenyWriteExecute",
"RestrictRealtime", "DynamicUser")) {
r = parse_boolean(eq);
if (r < 0)