diff --git a/meson.build b/meson.build
index edfa02afbb..ea13dff44a 100644
--- a/meson.build
+++ b/meson.build
@@ -614,9 +614,6 @@ conf.set('SYSTEM_UID_MAX', system_uid_max)
 substs.set('systemuidmax', system_uid_max)
 message('maximum system UID is @0@'.format(system_uid_max))
 
-conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
-conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
-
 system_gid_max = get_option('system-gid-max')
 if system_gid_max == ''
 system_gid_max = run_command(
@@ -629,6 +626,23 @@ conf.set('SYSTEM_GID_MAX', system_gid_max)
 substs.set('systemgidmax', system_gid_max)
 message('maximum system GID is @0@'.format(system_gid_max))
 
+dynamic_uid_min = get_option('dynamic-uid-min').to_int()
+dynamic_uid_max = get_option('dynamic-uid-max').to_int()
+conf.set('DYNAMIC_UID_MIN', dynamic_uid_min)
+conf.set('DYNAMIC_UID_MAX', dynamic_uid_max)
+substs.set('dynamicuidmin', dynamic_uid_min)
+substs.set('dynamicuidmax', dynamic_uid_max)
+
+container_uid_base_min = get_option('container-uid-base-min').to_int()
+container_uid_base_max = get_option('container-uid-base-max').to_int()
+conf.set('CONTAINER_UID_BASE_MIN', container_uid_base_min)
+conf.set('CONTAINER_UID_BASE_MAX', container_uid_base_max)
+substs.set('containeruidbasemin', container_uid_base_min)
+substs.set('containeruidbasemax', container_uid_base_max)
+
+conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
+conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
+
 tty_gid = get_option('tty-gid')
 conf.set('TTY_GID', tty_gid)
 substs.set('TTY_GID', tty_gid)
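Review bot: The four `.to_int()` values in the second hunk go straight into `conf.set()` with no consistency check, although the C code that consumes them assumes each minimum lies below its maximum (nspawn.c's `uid_shift_pick` uses `CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN` as a modulus) and the defaults keep the dynamic range inside 16 bits. A check right after the conversions, `if dynamic_uid_min > dynamic_uid_max` / `        error('dynamic-uid-min must not be larger than dynamic-uid-max')` / `endif`, plus the same pair for container_uid_base_min/max, would turn a bad configuration into a configure-time error rather than a runtime surprise. Meson's `type : 'integer'` options with `min`/`max` would let meson_options.txt enforce the bounds directly instead of parsing strings here, though that departs from how the neighbouring system-uid-max/system-gid-max options are declared.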
@@ -2506,6 +2520,10 @@ status = [
 'users GID: @0@'.format(users_gid),
 'maximum system UID: @0@'.format(system_uid_max),
 'maximum system GID: @0@'.format(system_gid_max),
+'minimum dynamic UID: @0@'.format(dynamic_uid_min),
+'maximum dynamic UID: @0@'.format(dynamic_uid_max),
+'minimum container UID base: @0@'.format(container_uid_base_min),
+'maximum container UID base: @0@'.format(container_uid_base_max),
 '/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
 'render group access mode: @0@'.format(get_option('group-render-mode')),
 'certificate root directory: @0@'.format(get_option('certificate-root')),
diff --git a/meson_options.txt b/meson_options.txt
index 8c03b0c6de..f0c0506ff1 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -147,6 +147,18 @@ option('system-uid-max', type : 'string',
 description : 'maximum system UID')
 option('system-gid-max', type : 'string',
 description : 'maximum system GID')
+option('dynamic-uid-min', type : 'string',
+ description : 'minimum dynamic UID',
+ value : '61184') # That's → 0x0000EF00 in hex
+option('dynamic-uid-max', type : 'string',
+ description : 'maximum dynamic UID',
+ value : '65519') # That's → 0x0000FFEF in hex
+option('container-uid-base-min', type : 'string',
+ description : 'minimum container UID base',
+ value : '524288') # That's → 0x00080000 in hex
+option('container-uid-base-max', type : 'string',
+ description : 'maximum container UID base',
+ value : '1878982656') # That's → 0x6FFF0000 in hex
 option('tty-gid', type : 'string',
 description : 'the numeric GID of the "tty" group',
 value : '5')
diff --git a/src/basic/user-util.h b/src/basic/user-util.h
index f13367893e..855813cc76 100644
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
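Review bot: The four new option descriptions in the meson_options.txt hunk are now the only user-facing statement of what these ranges mean, yet they omit the constraints the code depends on, which this commit documents nowhere else once it removes the comments from user-util.h and nspawn-def.h: the dynamic UID range is kept within 16 bits for compatibility with containers using 16-bit user namespacing and away from the overflow/nobody UIDs at the top of that range, and the container UID base stays below 0x80000000 because devpts parses its gid= parameter as signed. Carrying that into the descriptions, e.g. `description : 'maximum container UID base (keep below 0x80000000, devpts parses gid= as signed)'`, keeps the rationale next to the knob people actually turn. The trailing hex annotations are helpful for matching the old macros but say nothing about why those particular boundaries were chosen.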
@@ -60,13 +60,6 @@ int take_etc_passwd_lock(const char *root);
 #define UID_INVALID ((uid_t) -1)
 #define GID_INVALID ((gid_t) -1)
 
-/* Let's pick a UIDs within the 16bit range, so that we are compatible with containers using 16bit
- * user namespacing. At least on Fedora normal users are allocated until UID 60000, hence do not
- * allocate from below this. Also stay away from the upper end of the range as that is often used
- * for overflow/nobody users. */
-#define DYNAMIC_UID_MIN ((uid_t) UINT32_C(0x0000EF00))
-#define DYNAMIC_UID_MAX ((uid_t) UINT32_C(0x0000FFEF))
-
 static inline bool uid_is_dynamic(uid_t uid) {
 return DYNAMIC_UID_MIN <= uid && uid <= DYNAMIC_UID_MAX;
 }
diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
index 22e8cbda8b..655773ea8a 100644
--- a/src/core/systemd.pc.in
+++ b/src/core/systemd.pc.in
@@ -29,6 +29,10 @@ modulesloaddir=@modulesloaddir@
 catalogdir=@catalogdir@
 systemuidmax=@systemuidmax@
 systemgidmax=@systemgidmax@
+dynamicuidmin=@dynamicuidmin@
+dynamicuidmax=@dynamicuidmax@
+containeruidbasemin=@containeruidbasemin@
+containeruidbasemax=@containeruidbasemax@
 
 Name: systemd
 Description: systemd System and Service Manager
diff --git a/src/nspawn/nspawn-def.h b/src/nspawn/nspawn-def.h
index fc3c94064c..43a19d84f5 100644
--- a/src/nspawn/nspawn-def.h
+++ b/src/nspawn/nspawn-def.h
@@ -21,12 +21,6 @@
 
 #include
 
-/* Note that devpts's gid= parameter parses GIDs as signed values, hence we stay away from the upper half of the 32bit
- * UID range here. We leave a bit of room at the lower end and a lot of room at the upper end, so that other subsystems
- * may have their own allocation ranges too. */
-#define UID_SHIFT_PICK_MIN ((uid_t) UINT32_C(0x00080000))
-#define UID_SHIFT_PICK_MAX ((uid_t) UINT32_C(0x6FFF0000))
-
 /* While we are chmod()ing a directory tree, we set the top-level UID base to this "busy" base, so that we can always
 * recognize trees we are were chmod()ing recursively and got interrupted in */
 #define UID_BUSY_BASE ((uid_t) UINT32_C(0xFFFE0000))
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index ccf5418ceb..4b82345d08 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2862,7 +2862,7 @@ static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
 if (--n_tries <= 0)
 return -EBUSY;
 
-if (candidate < UID_SHIFT_PICK_MIN || candidate > UID_SHIFT_PICK_MAX)
+if (candidate < CONTAINER_UID_BASE_MIN || candidate > CONTAINER_UID_BASE_MAX)
 goto next;
 if ((candidate & UINT32_C(0xFFFF)) != 0)
 goto next;
@@ -2904,7 +2904,7 @@ static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
 } else
 random_bytes(&candidate, sizeof(candidate));
 
-candidate = (candidate % (UID_SHIFT_PICK_MAX - UID_SHIFT_PICK_MIN)) + UID_SHIFT_PICK_MIN;
+candidate = (candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)) + CONTAINER_UID_BASE_MIN;
 candidate &= (uid_t) UINT32_C(0xFFFF0000);
 }
 }
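Review bot: `candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)` in the second nspawn.c hunk now divides by a user-configurable difference: with `-Dcontainer-uid-base-min` equal to `-Dcontainer-uid-base-max` this is a modulo by zero (undefined behaviour), and with the two bounds inverted the difference is a negative int silently converted to unsigned. A build-time guard next to the function, `assert_cc(CONTAINER_UID_BASE_MIN < CONTAINER_UID_BASE_MAX);`, would reject such configurations at compile time, and the devpts signed-gid limit that the removed nspawn-def.h comment explained could be pinned the same way. Note also that the generated `#define`s are bare decimal literals rather than the `(uid_t) UINT32_C(...)` form they replace, so this arithmetic is now done in `int`/`long` before conversion to `uid_t`; a `(uid_t)` cast at the use site would restore the previous typing. The `&= 0xFFFF0000` mask can also move a candidate below a CONTAINER_UID_BASE_MIN that is not a multiple of 0x10000, after which the range check in the first hunk rejects it and spends one of the `n_tries` attempts. uid_shift_pick's body extends beyond both hunks, and this file (like user-util.h, whose `uid_is_dynamic` keeps using DYNAMIC_UID_MIN/MAX) now depends on the generated config.h for these macros, an include the hunks do not show, so worth confirming.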