path: root/src/nss-systemd/nss-systemd.c
Commit message | Author | Age | Files | Lines
* nss: do not modify errno when NSS_STATUS_NOTFOUND or NSS_STATUS_SUCCESS | Yu Watanabe | 2018-07-25 | 1 | -48/+26
  This also adds PROTECT_ERRNO for all nss module functions.
  C.f. glibc NSS documents https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html and discussion in https://sourceware.org/bugzilla/show_bug.cgi?id=23410.
  Fixes #9585.
* tree-wide: remove Lennart's copyright lines | Lennart Poettering | 2018-06-14 | 1 | -3/+0
  These lines are generally out-of-date, incomplete and unnecessary. With SPDX and git repository much more accurate and fine grained information about licensing and authorship is available, hence let's drop the per-file copyright notice. Of course, removing copyright lines of others is problematic, hence this commit only removes my own lines and leaves all others untouched. It might be nicer if sooner or later those could go away too, making git the only and accurate source of authorship information.
* tree-wide: drop 'This file is part of systemd' blurb | Lennart Poettering | 2018-06-14 | 1 | -2/+0
  This part of the copyright blurb stems from the GPL use recommendations: https://www.gnu.org/licenses/gpl-howto.en.html
  The concept appears to originate in times where version control was per file, instead of per tree, and was a way to glue the files together. Ultimately, we nowadays don't live in that world anymore, and this information is entirely useless anyway, as people are very welcome to copy these files into any projects they like, and they shouldn't have to change bits that are part of our copyright header for that.
  Hence, let's just get rid of this old cruft, and shorten our codebase a bit.
* tree-wide: drop license boilerplate | Zbigniew Jędrzejewski-Szmek | 2018-04-06 | 1 | -13/+0
  Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt.
  I also kept any copyright lines. We can probably remove them, but it'd be nice to obtain explicit acks from all involved authors before doing that.
* nss-systemd: make dynamic users enumerable by `getent` | Yu Watanabe | 2018-03-21 | 1 | -0/+332
  This adds `setpwent()`, `getpwent_r()`, `endpwent()`, `setgrent()`, `getgrent_r()`, and `endgrent()` interfaces to nss-systemd library. Thus, dynamic users can be enumerated by e.g. `getent passwd` command.
* nss-systemd: define dynamic user properties | Yu Watanabe | 2018-03-21 | 1 | -10/+15
* nss-systemd: cleanup bypassing dbus logic | Yu Watanabe | 2018-03-21 | 1 | -63/+48
* nss-systemd: add work-around to silence gcc warning | Zbigniew Jędrzejewski-Szmek | 2018-02-05 | 1 | -0/+2
    In file included from ../src/basic/fs-util.h:32,
                     from ../src/nss-systemd/nss-systemd.c:28:
    ../src/nss-systemd/nss-systemd.c: In function '_nss_systemd_getgrnam_r':
    ../src/nss-systemd/nss-systemd.c:416:32: warning: argument to 'sizeof' in 'memset' call is the same pointer type 'char *' as the destination; expected 'char' or an explicit length [-Wsizeof-pointer-memaccess]
            memzero(buffer, sizeof(char*));
                                   ^~~~
    ../src/basic/util.h:118:39: note: in definition of macro 'memzero'
    #define memzero(x,l) (memset((x), 0, (l)))
                                          ^
  gcc is trying to be helpful, and it's not far from being right. It _looks_ like sizeof(char*) is an error, but in this case we're really leaving a space empty for a pointer, and our calculation is correct. Since this is a short file, let's just use simplest option and turn off the warning above the two functions that trigger it.
* nss-systemd,user-util: add a way how synthesizing "nobody" can be turned off | Lennart Poettering | 2018-01-10 | 1 | -4/+8
  This is quite ugly, but provides us with an avenue for moving distributions to define the "nobody" user properly without breaking legacy systems that use the name for other stuff.
  The idea is basically, that the distribution adopts the new definition of "nobody" (and thus recompiles systemd with it) and then touches /etc/systemd/dont-synthesize-nobody on legacy systems to turn off possibly conflicting synthesizing of the nobody name by systemd.
* tree-wide: make use of new STRLEN() macro everywhere (#7639) | Lennart Poettering | 2017-12-14 | 1 | -1/+1
  Let's employ coccinelle to do this for us.
  Follow-up for #7625.
* user-util: add UID_NOBODY defines that resolve to (uid_t) 65534 | Lennart Poettering | 2017-12-06 | 1 | -3/+3
  We use it all over the place, let's add a #define for it. Makes things easier greppable, and more explanatory I think.
* nss-systemd: tweak checks when we consult PID 1 for dynamic UID/GID lookups | Lennart Poettering | 2017-12-06 | 1 | -3/+2
  Instead of contacting PID 1 for dynamic UID/GID lookups for all UIDs/GIDs that do not qualify as "system" do the more precise check instead: check if they actually qualify for the "dynamic" range.
* user-util: add new uid_is_system() helper | Lennart Poettering | 2017-12-06 | 1 | -2/+2
  This adds uid_is_system() and gid_is_system(), similar in style to uid_is_dynamic(). That a helper like this is useful is illustrated by the fact that test-condition.c didn't get the check right so far, which this patch fixes.
* Add SPDX license identifiers to source files under the LGPL | Zbigniew Jędrzejewski-Szmek | 2017-11-19 | 1 | -0/+1
  This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
* nss-systemd: if cannot open bus, then try to read user info directly (#6971) | Yu Watanabe | 2017-10-04 | 1 | -53/+72
  If sd_bus_open_system() fails, then try to read information about dynamic users from /run/systemd/dynamic-uid. This lets services successfully call getpwuid() or its friends even if dbus.service is not started yet.
  Fixes #6967.
* nss: use secure_getenv for behaviour-modifying booleans (#6817) | Zbigniew Jędrzejewski-Szmek | 2017-09-14 | 1 | -12/+12
  Follow up for fe102d6ab15731a199a7ea9f38c4f68d8959f86c.
* nss-systemd,sysusers: make sure sysusers doesn't get confused by nss-systemd (#6812) | Lennart Poettering | 2017-09-14 | 1 | -36/+44
  In nss-systemd we synthesize user entries for "nobody" and "root", as fallback if we boot up with an entirely empty /etc. This is supposed to be a fallback only though, and it's intended that both users exist regularly in /etc/passwd + /etc/group. Before this patch systemd-sysusers would never create the entries however as it notices the synthetic entries. Let's add a way how systemd-sysusers can tell nss-systemd not to synthesize the entries for itself.
  Fixes: #6808
* nss: fix error to ERANGE for nss calls with too little buffer space (#5365) | Lennart Poettering | 2017-02-16 | 1 | -4/+4
  This is a follow-up for #5359, fixing the error codes in a similar way for the other NSS modules.
  (user/group lookup calls don't have h_errnop, hence we don't update that in those cases)
* nss: when we encounter an invalid user/group name or UID/GID, don't return EINVAL | Lennart Poettering | 2016-12-27 | 1 | -16/+10
  It's not our business to validate invalid user/group names or UID/GID. Ideally, libc would filter these out, but they don't, hence we have to filter, but let's not propagate this as error, but simply as "not found" to the caller.
  User name rules are pretty vaguely defined, and the rules defined by POSIX clash with reality quite heavily (for example, utmp doesn't offer enough room for user name length, and /usr/bin/chown permits separating user/group names by a single dot, even though POSIX allows dots being used in user/group names themselves.) We enforce stricter rules than POSIX for good reason, and hence in doing so we should not categorically return EINVAL on stuff we don't consider valid, but other components might.
  Fixes: #4983
* nss-systemd: remove useless define | Zbigniew Jędrzejewski-Szmek | 2016-10-23 | 1 | -8/+0
  We always define those two in configure, so no need to provide a fallback.
* core: bypass dynamic user lookups from dbus-daemon | Lennart Poettering | 2016-08-19 | 1 | -86/+176
  dbus-daemon does NSS name look-ups in order to enforce its bus policy. This might dead-lock if an NSS module wants to use D-Bus for the look-up itself, like our nss-systemd does. Let's work around this by bypassing bus communication in the NSS module if we run inside of dbus-daemon. To make this work we keep a bit of extra state in /run/systemd/dynamic-uid/ so that we don't have to consult the bus, but can still resolve the names.
  Note that the normal codepath continues to be via the bus, so that resolving works from all mount namespaces and is subject to authentication, as before.
  This is a bit dirty, but not too dirty, as dbus daemon is kinda special anyway for PID 1.
* nss-systemd: resolve root/nobody statically | Lennart Poettering | 2016-08-04 | 1 | -0/+101
  Let's extend nss-systemd to also synthesize user/group entries for the UIDs/GIDs 0 and 65534 which have special kernel meaning. Given that nss-systemd is listed in /etc/nsswitch.conf only very late any explicit listing in /etc/passwd or /etc/group takes precedence.
  This functionality is useful in minimal container-like setups that lack /etc/passwd files (or only have incompletely populated ones).
* nss: add new "nss-systemd" NSS module for mapping dynamic users | Lennart Poettering | 2016-07-22 | 1 | -0/+332
  With this NSS module all dynamic service users will be resolvable via NSS like any real user.