user-util: add new uid_is_system() helper
This adds uid_is_system() and gid_is_system(), similar in style to uid_is_dynamic(). That a helper like this is useful is illustrated by the fact that test-condition.c didn't get the check right so far, which this patch fixes.
This commit is contained in:
parent
399725532d
commit
ece877d434
|
@ -64,6 +64,14 @@ static inline bool uid_is_dynamic(uid_t uid) {
|
||||||
return DYNAMIC_UID_MIN <= uid && uid <= DYNAMIC_UID_MAX;
|
return DYNAMIC_UID_MIN <= uid && uid <= DYNAMIC_UID_MAX;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline bool uid_is_system(uid_t uid) {
|
||||||
|
return uid <= SYSTEM_UID_MAX;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline bool gid_is_system(gid_t gid) {
|
||||||
|
return gid <= SYSTEM_GID_MAX;
|
||||||
|
}
|
||||||
|
|
||||||
/* The following macros add 1 when converting things, since UID 0 is a valid UID, while the pointer
|
/* The following macros add 1 when converting things, since UID 0 is a valid UID, while the pointer
|
||||||
* NULL is special */
|
* NULL is special */
|
||||||
#define PTR_TO_UID(p) ((uid_t) (((uintptr_t) (p))-1))
|
#define PTR_TO_UID(p) ((uid_t) (((uintptr_t) (p))-1))
|
||||||
|
|
|
@ -165,7 +165,7 @@ static int fix_acl(int fd, uid_t uid) {
|
||||||
|
|
||||||
assert(fd >= 0);
|
assert(fd >= 0);
|
||||||
|
|
||||||
if (uid <= SYSTEM_UID_MAX)
|
if (uid_is_system(uid))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Make sure normal users can read (but not write or delete)
|
/* Make sure normal users can read (but not write or delete)
|
||||||
|
|
|
@ -248,7 +248,7 @@ static void server_add_acls(JournalFile *f, uid_t uid) {
|
||||||
assert(f);
|
assert(f);
|
||||||
|
|
||||||
#if HAVE_ACL
|
#if HAVE_ACL
|
||||||
if (uid <= SYSTEM_UID_MAX)
|
if (uid_is_system(uid))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
r = add_acls_for_user(f->fd, uid);
|
r = add_acls_for_user(f->fd, uid);
|
||||||
|
@ -406,7 +406,7 @@ static JournalFile* find_journal(Server *s, uid_t uid) {
|
||||||
if (s->runtime_journal)
|
if (s->runtime_journal)
|
||||||
return s->runtime_journal;
|
return s->runtime_journal;
|
||||||
|
|
||||||
if (uid <= SYSTEM_UID_MAX || uid_is_dynamic(uid))
|
if (uid_is_system(uid) || uid_is_dynamic(uid))
|
||||||
return s->system_journal;
|
return s->system_journal;
|
||||||
|
|
||||||
r = sd_id128_get_machine(&machine);
|
r = sd_id128_get_machine(&machine);
|
||||||
|
|
|
@ -617,7 +617,7 @@ int user_finalize(User *u) {
|
||||||
* cases, as we shouldn't accidentally remove a system service's IPC objects while it is running, just because
|
* cases, as we shouldn't accidentally remove a system service's IPC objects while it is running, just because
|
||||||
* a cronjob running as the same user just finished. Hence: exclude system users generally from IPC clean-up,
|
* a cronjob running as the same user just finished. Hence: exclude system users generally from IPC clean-up,
|
||||||
* and do it only for normal users. */
|
* and do it only for normal users. */
|
||||||
if (u->manager->remove_ipc && u->uid > SYSTEM_UID_MAX) {
|
if (u->manager->remove_ipc && !uid_is_system(u->uid)) {
|
||||||
k = clean_ipc_by_uid(u->uid);
|
k = clean_ipc_by_uid(u->uid);
|
||||||
if (k < 0)
|
if (k < 0)
|
||||||
r = k;
|
r = k;
|
||||||
|
|
|
@ -251,7 +251,7 @@ enum nss_status _nss_systemd_getpwuid_r(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (uid <= SYSTEM_UID_MAX)
|
if (uid_is_system(uid))
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
||||||
|
@ -463,7 +463,7 @@ enum nss_status _nss_systemd_getgrgid_r(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (gid <= SYSTEM_GID_MAX)
|
if (gid_is_system(gid))
|
||||||
goto not_found;
|
goto not_found;
|
||||||
|
|
||||||
if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
if (getenv_bool_secure("SYSTEMD_NSS_DYNAMIC_BYPASS") > 0)
|
||||||
|
|
|
@ -157,7 +157,7 @@ static int condition_test_user(Condition *c) {
|
||||||
return id == getuid() || id == geteuid();
|
return id == getuid() || id == geteuid();
|
||||||
|
|
||||||
if (streq("@system", c->parameter))
|
if (streq("@system", c->parameter))
|
||||||
return getuid() <= SYSTEM_UID_MAX || geteuid() <= SYSTEM_UID_MAX;
|
return uid_is_system(getuid()) || uid_is_system(geteuid());
|
||||||
|
|
||||||
username = getusername_malloc();
|
username = getusername_malloc();
|
||||||
if (!username)
|
if (!username)
|
||||||
|
|
|
@ -391,7 +391,7 @@ static void test_condition_test_user(void) {
|
||||||
assert_se(condition);
|
assert_se(condition);
|
||||||
r = condition_test(condition);
|
r = condition_test(condition);
|
||||||
log_info("ConditionUser=@system → %i", r);
|
log_info("ConditionUser=@system → %i", r);
|
||||||
if (getuid() < SYSTEM_UID_MAX || geteuid() < SYSTEM_UID_MAX)
|
if (uid_is_system(getuid()) || uid_is_system(geteuid()))
|
||||||
assert_se(r > 0);
|
assert_se(r > 0);
|
||||||
else
|
else
|
||||||
assert_se(r == 0);
|
assert_se(r == 0);
|
||||||
|
|
Loading…
Reference in a new issue