mirror of
https://github.com/systemd/systemd
synced 2024-07-21 10:17:21 +00:00
Also parse the minimum uid/gid values
We don't (and shouldn't I think) look at them when determining the type of the user, but they should be used during user/group allocation. (For example, an admin may specify SYS_UID_MIN==200 to allow statically numbered users that are shared with other systems in the range 1–199.)
This commit is contained in:
parent
53393c894d
commit
fc1a5d1a70
60
meson.build
60
meson.build
|
@ -694,35 +694,31 @@ if time_epoch == -1
|
||||||
endif
|
endif
|
||||||
conf.set('TIME_EPOCH', time_epoch)
|
conf.set('TIME_EPOCH', time_epoch)
|
||||||
|
|
||||||
system_uid_max = get_option('system-uid-max')
|
foreach tuple : [['system-alloc-uid-min', 'SYS_UID_MIN', 1], # Also see login.defs(5).
|
||||||
if system_uid_max == -1
|
['system-uid-max', 'SYS_UID_MAX', 999],
|
||||||
system_uid_max = run_command(
|
['system-alloc-gid-min', 'SYS_GID_MIN', 1],
|
||||||
awk,
|
['system-gid-max', 'SYS_GID_MAX', 999]]
|
||||||
'/^\s*SYS_UID_MAX\s+/ { uid=$2 } END { print uid }',
|
v = get_option(tuple[0])
|
||||||
'/etc/login.defs').stdout().strip()
|
if v == -1
|
||||||
if system_uid_max == ''
|
v = run_command(
|
||||||
system_uid_max = 999
|
awk,
|
||||||
else
|
'/^\s*@0@\s+/ { uid=$2 } END { print uid }'.format(tuple[1]),
|
||||||
system_uid_max = system_uid_max.to_int()
|
'/etc/login.defs').stdout().strip()
|
||||||
|
if v == ''
|
||||||
|
v = tuple[2]
|
||||||
|
else
|
||||||
|
v = v.to_int()
|
||||||
|
endif
|
||||||
endif
|
endif
|
||||||
|
conf.set(tuple[0].underscorify().to_upper(), v)
|
||||||
|
substs.set(tuple[0].underscorify().to_upper(), v)
|
||||||
|
endforeach
|
||||||
|
if conf.get('SYSTEM_ALLOC_UID_MIN') >= conf.get('SYSTEM_UID_MAX')
|
||||||
|
error('Invalid uid allocation range')
|
||||||
endif
|
endif
|
||||||
conf.set('SYSTEM_UID_MAX', system_uid_max)
|
if conf.get('SYSTEM_ALLOC_GID_MIN') >= conf.get('SYSTEM_GID_MAX')
|
||||||
substs.set('systemuidmax', system_uid_max)
|
error('Invalid gid allocation range')
|
||||||
|
|
||||||
system_gid_max = get_option('system-gid-max')
|
|
||||||
if system_gid_max == -1
|
|
||||||
system_gid_max = run_command(
|
|
||||||
awk,
|
|
||||||
'/^\s*SYS_GID_MAX\s+/ { gid=$2 } END { print gid }',
|
|
||||||
'/etc/login.defs').stdout().strip()
|
|
||||||
if system_gid_max == ''
|
|
||||||
system_gid_max = 999
|
|
||||||
else
|
|
||||||
system_gid_max = system_gid_max.to_int()
|
|
||||||
endif
|
|
||||||
endif
|
endif
|
||||||
conf.set('SYSTEM_GID_MAX', system_gid_max)
|
|
||||||
substs.set('systemgidmax', system_gid_max)
|
|
||||||
|
|
||||||
dynamic_uid_min = get_option('dynamic-uid-min')
|
dynamic_uid_min = get_option('dynamic-uid-min')
|
||||||
dynamic_uid_max = get_option('dynamic-uid-max')
|
dynamic_uid_max = get_option('dynamic-uid-max')
|
||||||
|
@ -3539,12 +3535,12 @@ status = [
|
||||||
get_option('debug-tty')),
|
get_option('debug-tty')),
|
||||||
'TTY GID: @0@'.format(tty_gid),
|
'TTY GID: @0@'.format(tty_gid),
|
||||||
'users GID: @0@'.format(substs.get('USERS_GID')),
|
'users GID: @0@'.format(substs.get('USERS_GID')),
|
||||||
'maximum system UID: @0@'.format(system_uid_max),
|
'system UIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_UID_MAX'),
|
||||||
'maximum system GID: @0@'.format(system_gid_max),
|
conf.get('SYSTEM_ALLOC_UID_MIN')),
|
||||||
'minimum dynamic UID: @0@'.format(dynamic_uid_min),
|
'system GIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_GID_MAX'),
|
||||||
'maximum dynamic UID: @0@'.format(dynamic_uid_max),
|
conf.get('SYSTEM_ALLOC_GID_MIN')),
|
||||||
'minimum container UID base: @0@'.format(container_uid_base_min),
|
'dynamic UIDs: @0@–@1@'.format(dynamic_uid_min, dynamic_uid_max),
|
||||||
'maximum container UID base: @0@'.format(container_uid_base_max),
|
'container UID bases: @0@–@1@'.format(container_uid_base_min, container_uid_base_max),
|
||||||
'/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
|
'/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
|
||||||
'render group access mode: @0@'.format(get_option('group-render-mode')),
|
'render group access mode: @0@'.format(get_option('group-render-mode')),
|
||||||
'certificate root directory: @0@'.format(get_option('certificate-root')),
|
'certificate root directory: @0@'.format(get_option('certificate-root')),
|
||||||
|
|
|
@ -194,6 +194,10 @@ option('status-unit-format-default', type : 'combo',
|
||||||
description : 'use unit name or description in messages by default')
|
description : 'use unit name or description in messages by default')
|
||||||
option('time-epoch', type : 'integer', value : '-1',
|
option('time-epoch', type : 'integer', value : '-1',
|
||||||
description : 'time epoch for time clients')
|
description : 'time epoch for time clients')
|
||||||
|
option('system-alloc-uid-min', type : 'integer', value : '-1',
|
||||||
|
description : 'minimum system UID used when allocating')
|
||||||
|
option('system-alloc-gid-min', type : 'integer', value : '-1',
|
||||||
|
description : 'minimum system GID used when allocating')
|
||||||
option('system-uid-max', type : 'integer', value : '-1',
|
option('system-uid-max', type : 'integer', value : '-1',
|
||||||
description : 'maximum system UID')
|
description : 'maximum system UID')
|
||||||
option('system-gid-max', type : 'integer', value : '-1',
|
option('system-gid-max', type : 'integer', value : '-1',
|
||||||
|
|
|
@ -80,9 +80,9 @@ modulesloaddir=${modules_load_dir}
|
||||||
catalog_dir=/usr/lib/systemd/catalog
|
catalog_dir=/usr/lib/systemd/catalog
|
||||||
catalogdir=${catalog_dir}
|
catalogdir=${catalog_dir}
|
||||||
|
|
||||||
system_uid_max=@systemuidmax@
|
system_uid_max=@SYSTEM_UID_MAX@
|
||||||
systemuidmax=${system_uid_max}
|
systemuidmax=${system_uid_max}
|
||||||
system_gid_max=@systemgidmax@
|
system_gid_max=@SYSTEM_GID_MAX@
|
||||||
systemgidmax=${system_gid_max}
|
systemgidmax=${system_gid_max}
|
||||||
|
|
||||||
dynamic_uid_min=@dynamicuidmin@
|
dynamic_uid_min=@dynamicuidmin@
|
||||||
|
|
|
@ -41,7 +41,9 @@ static int parse_alloc_uid(const char *path, const char *name, const char *t, ui
|
||||||
static int read_login_defs(UGIDAllocationRange *ret_defs, const char *path) {
|
static int read_login_defs(UGIDAllocationRange *ret_defs, const char *path) {
|
||||||
_cleanup_fclose_ FILE *f = NULL;
|
_cleanup_fclose_ FILE *f = NULL;
|
||||||
UGIDAllocationRange defs = {
|
UGIDAllocationRange defs = {
|
||||||
|
.system_alloc_uid_min = SYSTEM_ALLOC_UID_MIN,
|
||||||
.system_uid_max = SYSTEM_UID_MAX,
|
.system_uid_max = SYSTEM_UID_MAX,
|
||||||
|
.system_alloc_gid_min = SYSTEM_ALLOC_GID_MIN,
|
||||||
.system_gid_max = SYSTEM_GID_MAX,
|
.system_gid_max = SYSTEM_GID_MAX,
|
||||||
};
|
};
|
||||||
int r;
|
int r;
|
||||||
|
@ -65,13 +67,28 @@ static int read_login_defs(UGIDAllocationRange *ret_defs, const char *path) {
|
||||||
if (r == 0)
|
if (r == 0)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
if ((t = first_word(line, "SYS_UID_MAX")))
|
if ((t = first_word(line, "SYS_UID_MIN")))
|
||||||
|
(void) parse_alloc_uid(path, "SYS_UID_MIN", t, &defs.system_alloc_uid_min);
|
||||||
|
else if ((t = first_word(line, "SYS_UID_MAX")))
|
||||||
(void) parse_alloc_uid(path, "SYS_UID_MAX", t, &defs.system_uid_max);
|
(void) parse_alloc_uid(path, "SYS_UID_MAX", t, &defs.system_uid_max);
|
||||||
|
else if ((t = first_word(line, "SYS_GID_MIN")))
|
||||||
|
(void) parse_alloc_uid(path, "SYS_GID_MIN", t, &defs.system_alloc_gid_min);
|
||||||
else if ((t = first_word(line, "SYS_GID_MAX")))
|
else if ((t = first_word(line, "SYS_GID_MAX")))
|
||||||
(void) parse_alloc_uid(path, "SYS_GID_MAX", t, &defs.system_gid_max);
|
(void) parse_alloc_uid(path, "SYS_GID_MAX", t, &defs.system_gid_max);
|
||||||
}
|
}
|
||||||
|
|
||||||
assign:
|
assign:
|
||||||
|
if (defs.system_alloc_uid_min > defs.system_uid_max) {
|
||||||
|
log_debug("%s: SYS_UID_MIN > SYS_UID_MAX, resetting.", path);
|
||||||
|
defs.system_alloc_uid_min = MIN(defs.system_uid_max - 1, (uid_t) SYSTEM_ALLOC_UID_MIN);
|
||||||
|
/* Look at sys_uid_max to make sure sys_uid_min..sys_uid_max remains a valid range. */
|
||||||
|
}
|
||||||
|
if (defs.system_alloc_gid_min > defs.system_gid_max) {
|
||||||
|
log_debug("%s: SYS_GID_MIN > SYS_GID_MAX, resetting.", path);
|
||||||
|
defs.system_alloc_gid_min = MIN(defs.system_gid_max - 1, (gid_t) SYSTEM_ALLOC_GID_MIN);
|
||||||
|
/* Look at sys_gid_max to make sure sys_gid_min..sys_gid_max remains a valid range. */
|
||||||
|
}
|
||||||
|
|
||||||
*ret_defs = defs;
|
*ret_defs = defs;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -83,7 +100,9 @@ const UGIDAllocationRange *acquire_ugid_allocation_range(void) {
|
||||||
#else
|
#else
|
||||||
static const UGIDAllocationRange defs = {
|
static const UGIDAllocationRange defs = {
|
||||||
#endif
|
#endif
|
||||||
|
.system_alloc_uid_min = SYSTEM_ALLOC_UID_MIN,
|
||||||
.system_uid_max = SYSTEM_UID_MAX,
|
.system_uid_max = SYSTEM_UID_MAX,
|
||||||
|
.system_alloc_gid_min = SYSTEM_ALLOC_GID_MIN,
|
||||||
.system_gid_max = SYSTEM_GID_MAX,
|
.system_gid_max = SYSTEM_GID_MAX,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -37,7 +37,9 @@ static inline bool gid_is_container(gid_t gid) {
|
||||||
}
|
}
|
||||||
|
|
||||||
typedef struct UGIDAllocationRange {
|
typedef struct UGIDAllocationRange {
|
||||||
|
uid_t system_alloc_uid_min;
|
||||||
uid_t system_uid_max;
|
uid_t system_uid_max;
|
||||||
|
gid_t system_alloc_gid_min;
|
||||||
gid_t system_gid_max;
|
gid_t system_gid_max;
|
||||||
} UGIDAllocationRange;
|
} UGIDAllocationRange;
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,9 @@ static void test_acquire_ugid_allocation_range(void) {
|
||||||
const UGIDAllocationRange *defs;
|
const UGIDAllocationRange *defs;
|
||||||
assert_se(defs = acquire_ugid_allocation_range());
|
assert_se(defs = acquire_ugid_allocation_range());
|
||||||
|
|
||||||
|
log_info("system_alloc_uid_min="UID_FMT, defs->system_alloc_uid_min);
|
||||||
log_info("system_uid_max="UID_FMT, defs->system_uid_max);
|
log_info("system_uid_max="UID_FMT, defs->system_uid_max);
|
||||||
|
log_info("system_alloc_gid_min="GID_FMT, defs->system_alloc_gid_min);
|
||||||
log_info("system_gid_max="GID_FMT, defs->system_gid_max);
|
log_info("system_gid_max="GID_FMT, defs->system_gid_max);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue