sysusers: allow defining additional sysusers lines via credentials

2024-07-22 02:34:54 +00:00 · 2022-07-13 11:06:04 +02:00 · 2022-07-13 11:06:04 +02:00 · 3acb6edef3
parent 69a7d10832
commit 3acb6edef3
6 changed files with 61 additions and 24 deletions
--- a/man/systemd-sysctl.service.xml
+++ b/man/systemd-sysctl.service.xml
@ -86,10 +86,10 @@
        <term><literal>sysctl.extra</literal></term>

        <listitem><para>The contents of this credential may contain additional lines to operate on. The
-        credential contents should follow the same format as any other <filename>sysctl.d/</filename>
-        drop-in. If this credential is passed it is processed after all of the drop-in files read from the
-        file system. The settings configured in the credential hence take precedence over those in the file
-        system.</para></listitem>
+        credential contents should follow the same format as any other <filename>sysctl.d/</filename> drop-in
+        configuration file. If this credential is passed it is processed after all of the drop-in files read
+        from the file system. The settings configured in the credential hence take precedence over those in
+        the file system.</para></listitem>
      </varlistentry>
    </variablelist>

--- a/man/systemd-sysusers.xml
+++ b/man/systemd-sysusers.xml
@ -169,18 +169,27 @@

        <listitem><para>Specifies the shell binary to use for the specified account when creating it.</para></listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><literal>sysusers.extra</literal></term>
+
+        <listitem><para>The contents of this credential may contain additional lines to operate on. The
+        credential contents should follow the same format as any other <filename>sysusers.d/</filename>
+        drop-in. If this credential is passed it is processed after all of the drop-in files read from the
+        file system.</para></listitem>
+      </varlistentry>
    </variablelist>

    <para>Note that by default the <filename>systemd-sysusers.service</filename> unit file is set up to
    inherit the <literal>passwd.hashed-password.root</literal>,
-    <literal>passwd.plaintext-password.root</literal> and <literal>passwd.shell.root</literal> credentials
-    from the service manager. Thus, when invoking a container with an unpopulated <filename>/etc/</filename>
-    for the first time it is possible to configure the root user's password to be <literal>systemd</literal>
-    like this:</para>
+    <literal>passwd.plaintext-password.root</literal>, <literal>passwd.shell.root</literal> and
+    <literal>sysusers.extra</literal> credentials from the service manager. Thus, when invoking a container
+    with an unpopulated <filename>/etc/</filename> for the first time it is possible to configure the root
+    user's password to be <literal>systemd</literal> like this:</para>

    <para><programlisting># systemd-nspawn --image=… --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' …</programlisting></para>

-    <para>Note again that the data specified in these credentials is consulted only when creating an account
+    <para>Note again that the data specified in this credential is consulted only when creating an account
    for the first time, it may not be used for changing the password or shell of an account that already
    exists.</para>

--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@ -1981,7 +1981,7 @@ static int parse_arguments(char **args) {
                        /* Use (argument):n, where n==1 for the first positional arg */
                        r = parse_line("(argument)", pos, *arg);
                else
-                        r = read_config_file(*arg, false);
+                        r = read_config_file(*arg, /* ignore_enoent= */ false);
                if (r < 0)
                        return r;

@ -2011,12 +2011,31 @@ static int read_config_files(char **args) {
                        log_debug("Reading config file \"%s\"%s", *f, special_glyph(SPECIAL_GLYPH_ELLIPSIS));

                        /* Just warn, ignore result otherwise */
-                        (void) read_config_file(*f, true);
+                        (void) read_config_file(*f, /* ignore_enoent= */ true);
                }

        return 0;
 }

+static int read_credential_lines(void) {
+        _cleanup_free_ char *j = NULL;
+        const char *d;
+        int r;
+
+        r = get_credentials_dir(&d);
+        if (r == -ENXIO)
+                return 0;
+        if (r < 0)
+                return log_error_errno(r, "Failed to get credentials directory: %m");
+
+        j = path_join(d, "sysusers.extra");
+        if (!j)
+                return log_oom();
+
+        (void) read_config_file(j, /* ignore_enoent= */ true);
+        return 0;
+}
+
 static int run(int argc, char *argv[]) {
 #ifndef STANDALONE
        _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
@ -2068,12 +2087,10 @@ static int run(int argc, char *argv[]) {
        assert(!arg_image);
 #endif

-        /* If command line arguments are specified along with --replace, read all
-         * configuration files and insert the positional arguments at the specified
-         * place. Otherwise, if command line arguments are specified, execute just
-         * them, and finally, without --replace= or any positional arguments, just
-         * read configuration and execute it.
-         */
+        /* If command line arguments are specified along with --replace, read all configuration files and
+         * insert the positional arguments at the specified place. Otherwise, if command line arguments are
+         * specified, execute just them, and finally, without --replace= or any positional arguments, just
+         * read configuration and execute it. */
        if (arg_replace || optind >= argc)
                r = read_config_files(argv + optind);
        else
@ -2081,11 +2098,15 @@ static int run(int argc, char *argv[]) {
        if (r < 0)
                return r;

-        /* Let's tell nss-systemd not to synthesize the "root" and "nobody" entries for it, so that our detection
-         * whether the names or UID/GID area already used otherwise doesn't get confused. After all, even though
-         * nss-systemd synthesizes these users/groups, they should still appear in /etc/passwd and /etc/group, as the
-         * synthesizing logic is merely supposed to be fallback for cases where we run with a completely unpopulated
-         * /etc. */
+        r = read_credential_lines();
+        if (r < 0)
+                return r;
+
+        /* Let's tell nss-systemd not to synthesize the "root" and "nobody" entries for it, so that our
+         * detection whether the names or UID/GID area already used otherwise doesn't get confused. After
+         * all, even though nss-systemd synthesizes these users/groups, they should still appear in
+         * /etc/passwd and /etc/group, as the synthesizing logic is merely supposed to be fallback for cases
+         * where we run with a completely unpopulated /etc. */
        if (setenv("SYSTEMD_NSS_BYPASS_SYNTHETIC", "1", 1) < 0)
                return log_error_errno(errno, "Failed to set SYSTEMD_NSS_BYPASS_SYNTHETIC environment variable: %m");

--- a/test/TEST-54-CREDS/test.sh
+++ b/test/TEST-54-CREDS/test.sh
@ -4,7 +4,7 @@ set -e

 TEST_DESCRIPTION="test credentials"
 NSPAWN_ARGUMENTS="${NSPAWN_ARGUMENTS:-} --set-credential=mynspawncredential:strangevalue"
-QEMU_OPTIONS="${QEMU_OPTIONS:-} -fw_cfg name=opt/io.systemd.credentials/myqemucredential,string=othervalue -smbios type=11,value=io.systemd.credential:smbioscredential=magicdata -smbios type=11,value=io.systemd.credential.binary:binarysmbioscredential=bWFnaWNiaW5hcnlkYXRh"
+QEMU_OPTIONS="${QEMU_OPTIONS:-} -fw_cfg name=opt/io.systemd.credentials/myqemucredential,string=othervalue -smbios type=11,value=io.systemd.credential:smbioscredential=magicdata -smbios type=11,value=io.systemd.credential.binary:binarysmbioscredential=bWFnaWNiaW5hcnlkYXRh -smbios type=11,value=io.systemd.credential.binary:sysusers.extra=dSBjcmVkdGVzdHVzZXIK"
 KERNEL_APPEND="${KERNEL_APPEND:-} systemd.set_credential=kernelcmdlinecred:uff systemd.set_credential=sysctl.extra:kernel.domainname=sysctltest rd.systemd.import_credentials=no"

 # shellcheck source=test/test-functions
--- a/test/units/testsuite-54.sh
+++ b/test/units/testsuite-54.sh
@ -40,6 +40,9 @@ elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then

    # Verify that writing a sysctl via the kernel cmdline worked
    [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]
+
+    # Verify that creating a user via sysusers via the kernel cmdline worked
+    grep -q ^credtestuser: /etc/passwd
 else
    echo "qemu_fw_cfg support missing in kernel. Sniff!"
    expected_credential=""
--- a/units/systemd-sysusers.service
+++ b/units/systemd-sysusers.service
@ -14,7 +14,8 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 After=systemd-remount-fs.service
 Before=sysinit.target shutdown.target systemd-update-done.service
-ConditionNeedsUpdate=/etc
+ConditionNeedsUpdate=|/etc
+ConditionCredential=|sysusers.extra

 [Service]
 Type=oneshot
@ -28,3 +29,6 @@ TimeoutSec=90s
 LoadCredential=passwd.hashed-password.root
 LoadCredential=passwd.plaintext-password.root
 LoadCredential=passwd.shell.root
+
+# Also, allow configuring extra sysusers lines via a credential
+LoadCredential=sysusers.extra