static int fix_acl(int fd, uid_t uid) { #if HAVE_ACL _cleanup_(acl_freep) acl_t acl = NULL; acl_entry_t entry; acl_permset_t permset; int r; assert(fd >= 0); if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY) return 0; /* Make sure normal users can read (but not write or delete) * their own coredumps */ acl = acl_get_fd(fd); if (!acl) return log_error_errno(errno, "Failed to get ACL: %m"); if (acl_create_entry(&acl, &entry) < 0 || acl_set_tag_type(entry, ACL_USER) < 0 || acl_set_qualifier(entry, &uid) < 0) return log_error_errno(errno, "Failed to patch ACL: %m"); if (acl_get_permset(entry, &permset) < 0 || acl_add_perm(permset, ACL_READ) < 0) return log_warning_errno(errno, "Failed to patch ACL: %m"); r = calc_acl_mask_if_needed(&acl); if (r < 0) return log_warning_errno(r, "Failed to patch ACL: %m"); if (acl_set_fd(fd, acl) < 0) return log_error_errno(errno, "Failed to apply ACL: %m"); #endif return 0; }
static int pick_uid(char **suggested_paths, const char *name, uid_t *ret_uid) { /* Find a suitable free UID. We use the following strategy to find a suitable UID: * * 1. Initially, we try to read the UID of a number of specified paths. If any of these UIDs works, we use * them. We use in order to increase the chance of UID reuse, if StateDirectory=, CacheDirectory= or * LogsDirectory= are used, as reusing the UID these directories are owned by saves us from having to * recursively chown() them to new users. * * 2. If that didn't yield a currently unused UID, we hash the user name, and try to use that. This should be * pretty good, as the use ris by default derived from the unit name, and hence the same service and same * user should usually get the same UID as long as our hashing doesn't clash. * * 3. Finally, if that didn't work, we randomly pick UIDs, until we find one that is empty. * * Since the dynamic UID space is relatively small we'll stop trying after 100 iterations, giving up. */ enum { PHASE_SUGGESTED, /* the first phase, reusing directory ownership UIDs */ PHASE_HASHED, /* the second phase, deriving a UID from the username by hashing */ PHASE_RANDOM, /* the last phase, randomly picking UIDs */ } phase = PHASE_SUGGESTED; static const uint8_t hash_key[] = { 0x37, 0x53, 0x7e, 0x31, 0xcf, 0xce, 0x48, 0xf5, 0x8a, 0xbb, 0x39, 0x57, 0x8d, 0xd9, 0xec, 0x59 }; unsigned n_tries = 100, current_suggested = 0; int r; (void) mkdir("/run/systemd/dynamic-uid", 0755); for (;;) { char lock_path[STRLEN("/run/systemd/dynamic-uid/") + DECIMAL_STR_MAX(uid_t) + 1]; _cleanup_close_ int lock_fd = -1; uid_t candidate; ssize_t l; if (--n_tries <= 0) /* Give up retrying eventually */ return -EBUSY; switch (phase) { case PHASE_SUGGESTED: { struct stat st; if (!suggested_paths || !suggested_paths[current_suggested]) { /* We reached the end of the suggested paths list, let's try by hashing the name */ phase = PHASE_HASHED; continue; } if (stat(suggested_paths[current_suggested++], &st) < 0) continue; /* We can't read the UID of this path, but that doesn't matter, just try the next */ candidate = st.st_uid; break; } case PHASE_HASHED: /* A static user by this name does not exist yet. Let's find a free ID then, and use that. We * start with a UID generated as hash from the user name. */ candidate = UID_CLAMP_INTO_RANGE(siphash24(name, strlen(name), hash_key)); /* If this one fails, we should proceed with random tries */ phase = PHASE_RANDOM; break; case PHASE_RANDOM: /* Pick another random UID, and see if that works for us. */ random_bytes(&candidate, sizeof(candidate)); candidate = UID_CLAMP_INTO_RANGE(candidate); break; default: assert_not_reached("unknown phase"); } /* Make sure whatever we picked here actually is in the right range */ if (!uid_is_dynamic(candidate)) continue; xsprintf(lock_path, "/run/systemd/dynamic-uid/" UID_FMT, candidate); for (;;) { struct stat st; lock_fd = open(lock_path, O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, 0600); if (lock_fd < 0) return -errno; r = flock(lock_fd, LOCK_EX|LOCK_NB); /* Try to get a BSD file lock on the UID lock file */ if (r < 0) { if (IN_SET(errno, EBUSY, EAGAIN)) goto next; /* already in use */ return -errno; } if (fstat(lock_fd, &st) < 0) return -errno; if (st.st_nlink > 0) break; /* Oh, bummer, we got the lock, but the file was unlinked between the time we opened it and * got the lock. Close it, and try again. */ lock_fd = safe_close(lock_fd); } /* Some superficial check whether this UID/GID might already be taken by some static user */ if (getpwuid(candidate) || getgrgid((gid_t) candidate) || search_ipc(candidate, (gid_t) candidate) != 0) { (void) unlink(lock_path); continue; } /* Let's store the user name in the lock file, so that we can use it for looking up the username for a UID */ l = pwritev(lock_fd, (struct iovec[2]) { IOVEC_INIT_STRING(name), IOVEC_INIT((char[1]) { '\n' }, 1), }, 2, 0);