From 6744ef720b34a87ff69acb8535cf5e83db6f5e8b Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Tue, 24 Jun 2014 14:50:26 +0200 Subject: [PATCH] socket: add SocketUser= and SocketGroup= for chown()ing sockets in the file system This is relatively complex, as we cannot invoke NSS from PID 1, and thus need to fork a helper process temporarily. (cherry picked from commit 3900e5fdff688dc3c273f177d9d913b7389d5561) Resolves: #1111761 --- man/systemd.socket.xml | 38 ++++-- src/core/dbus-socket.c | 8 +- src/core/load-fragment-gperf.gperf.m4 | 4 +- src/core/socket.c | 220 +++++++++++++++++++++++++++------- src/core/socket.h | 5 + src/shared/exit-status.c | 4 + src/shared/exit-status.h | 3 +- 7 files changed, 224 insertions(+), 58 deletions(-) diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 570a6fb..d146b3b 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -372,16 +372,21 @@ - DirectoryMode= - If listening on a file - system socket or FIFO, the parent - directories are automatically created - if needed. This option specifies the - file system access mode used when - creating these directories. Takes an - access mode in octal - notation. Defaults to - 0755. + SocketUser= + SocketGroup= + + Takes a UNIX + user/group name. When specified + all AF_UNIX sockets and FIFO nodes in + the file system are owned by the + specified user and group. If unset + (the default), the nodes are owned by + the root user/group (if run in system + context) or the invoking user/group + (if run in user context). If only a + user is specified but no group, then + the group is derived from the user's + default group. @@ -396,6 +401,19 @@ + DirectoryMode= + If listening on a file + system socket or FIFO, the parent + directories are automatically created + if needed. This option specifies the + file system access mode used when + creating these directories. Takes an + access mode in octal + notation. Defaults to + 0755. + + + Accept= Takes a boolean argument. If true, a service instance diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c index 30c4b63..870bcdc 100644 --- a/src/core/dbus-socket.c +++ b/src/core/dbus-socket.c @@ -44,8 +44,10 @@ BUS_CGROUP_CONTEXT_INTERFACE \ " \n" \ " \n" \ - " \n" \ + " \n" \ + " \n" \ " \n" \ + " \n" \ " \n" \ " \n" \ " \n" \ @@ -172,8 +174,10 @@ static const BusProperty bus_socket_properties[] = { BUS_EXEC_COMMAND_PROPERTY("ExecStopPost", offsetof(Socket, exec_command[SOCKET_EXEC_STOP_POST]), true ), { "ControlPID", bus_property_append_pid, "u", offsetof(Socket, control_pid) }, { "BindToDevice", bus_property_append_string, "s", offsetof(Socket, bind_to_device), true }, - { "DirectoryMode", bus_property_append_mode, "u", offsetof(Socket, directory_mode) }, + { "SocketUser", bus_property_append_string, "s", offsetof(Socket, user), true }, + { "SocketGroup", bus_property_append_string, "s", offsetof(Socket, group), true }, { "SocketMode", bus_property_append_mode, "u", offsetof(Socket, socket_mode) }, + { "DirectoryMode", bus_property_append_mode, "u", offsetof(Socket, directory_mode) }, { "Accept", bus_property_append_bool, "b", offsetof(Socket, accept) }, { "KeepAlive", bus_property_append_bool, "b", offsetof(Socket, keep_alive) }, { "Priority", bus_property_append_int, "i", offsetof(Socket, priority) }, diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index d65bcc1..0991cb9 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -193,8 +193,10 @@ Socket.ExecStartPost, config_parse_exec, SOCKET_EXEC Socket.ExecStopPre, config_parse_exec, SOCKET_EXEC_STOP_PRE, offsetof(Socket, exec_command) Socket.ExecStopPost, config_parse_exec, SOCKET_EXEC_STOP_POST, offsetof(Socket, exec_command) Socket.TimeoutSec, config_parse_sec, 0, offsetof(Socket, timeout_usec) -Socket.DirectoryMode, config_parse_mode, 0, offsetof(Socket, directory_mode) +Socket.SocketUser, config_parse_unit_string_printf, 0, offsetof(Socket, user) +Socket.SocketGroup, config_parse_unit_string_printf, 0, offsetof(Socket, group) Socket.SocketMode, config_parse_mode, 0, offsetof(Socket, socket_mode) +Socket.DirectoryMode, config_parse_mode, 0, offsetof(Socket, directory_mode) Socket.Accept, config_parse_bool, 0, offsetof(Socket, accept) Socket.MaxConnections, config_parse_unsigned, 0, offsetof(Socket, max_connections) Socket.KeepAlive, config_parse_bool, 0, offsetof(Socket, keep_alive) diff --git a/src/core/socket.c b/src/core/socket.c index e673f38..32e0d35 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -54,6 +54,7 @@ static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = { [SOCKET_DEAD] = UNIT_INACTIVE, [SOCKET_START_PRE] = UNIT_ACTIVATING, + [SOCKET_START_CHOWN] = UNIT_ACTIVATING, [SOCKET_START_POST] = UNIT_ACTIVATING, [SOCKET_LISTENING] = UNIT_ACTIVE, [SOCKET_RUNNING] = UNIT_ACTIVE, @@ -147,6 +148,8 @@ static void socket_done(Unit *u) { free(s->smack); free(s->smack_ip_in); free(s->smack_ip_out); + free(s->user); + free(s->group); unit_unwatch_timer(u, &s->timer_watch); } @@ -527,6 +530,16 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { "%sSmackLabelIPOut: %s\n", prefix, s->smack_ip_out); + if (s->user) + fprintf(f, + "%sOwnerUser: %s\n", + prefix, s->user); + + if (s->group) + fprintf(f, + "%sOwnerGroup: %s\n", + prefix, s->user); + LIST_FOREACH(port, p, s->ports) { if (p->type == SOCKET_SOCKET) { @@ -1100,6 +1113,7 @@ static void socket_set_state(Socket *s, SocketState state) { s->state = state; if (state != SOCKET_START_PRE && + state != SOCKET_START_CHOWN && state != SOCKET_START_POST && state != SOCKET_STOP_PRE && state != SOCKET_STOP_PRE_SIGTERM && @@ -1116,7 +1130,8 @@ static void socket_set_state(Socket *s, SocketState state) { if (state != SOCKET_LISTENING) socket_unwatch_fds(s); - if (state != SOCKET_START_POST && + if (state != SOCKET_START_CHOWN && + state != SOCKET_START_POST && state != SOCKET_LISTENING && state != SOCKET_RUNNING && state != SOCKET_STOP_PRE && @@ -1143,6 +1158,7 @@ static int socket_coldplug(Unit *u) { if (s->deserialized_state != s->state) { if (s->deserialized_state == SOCKET_START_PRE || + s->deserialized_state == SOCKET_START_CHOWN || s->deserialized_state == SOCKET_START_POST || s->deserialized_state == SOCKET_STOP_PRE || s->deserialized_state == SOCKET_STOP_PRE_SIGTERM || @@ -1163,7 +1179,8 @@ static int socket_coldplug(Unit *u) { return r; } - if (s->deserialized_state == SOCKET_START_POST || + if (s->deserialized_state == SOCKET_START_CHOWN || + s->deserialized_state == SOCKET_START_POST || s->deserialized_state == SOCKET_LISTENING || s->deserialized_state == SOCKET_RUNNING || s->deserialized_state == SOCKET_STOP_PRE || @@ -1185,7 +1202,7 @@ static int socket_coldplug(Unit *u) { static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) { pid_t pid; int r; - char **argv; + _cleanup_strv_free_ char **argv = NULL; assert(s); assert(c); @@ -1216,11 +1233,11 @@ static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) { NULL, &pid); - strv_free(argv); if (r < 0) goto fail; - if ((r = unit_watch_pid(UNIT(s), pid)) < 0) + r = unit_watch_pid(UNIT(s), pid); + if (r < 0) /* FIXME: we need to do something here */ goto fail; @@ -1234,6 +1251,88 @@ fail: return r; } +static int socket_chown(Socket *s, pid_t *_pid) { + pid_t pid; + int r; + + r = unit_watch_timer(UNIT(s), CLOCK_MONOTONIC, true, s->timeout_usec, &s->timer_watch); + if (r < 0) + goto fail; + + pid = fork(); + if (pid < 0) + return -errno; + + if (pid == 0) { + SocketPort *p; + uid_t uid = (uid_t) -1; + gid_t gid = (gid_t) -1; + int ret; + + default_signals(SIGNALS_CRASH_HANDLER, SIGNALS_IGNORE, -1); + ignore_signals(SIGPIPE, -1); + log_forget_fds(); + + if (!isempty(s->user)) { + const char *user = s->user; + + r = get_user_creds(&user, &uid, &gid, NULL, NULL); + if (r < 0) { + ret = EXIT_USER; + goto fail_child; + } + } + + if (!isempty(s->group)) { + const char *group = s->group; + + r = get_group_creds(&group, &gid); + if (r < 0) { + ret = EXIT_GROUP; + goto fail_child; + } + } + + LIST_FOREACH(port, p, s->ports) { + const char *path = NULL; + + if (p->type == SOCKET_SOCKET) + path = socket_address_get_path(&p->address); + else if (p->type == SOCKET_FIFO) + path = p->path; + + if (!path) + continue; + + if (chown(path, uid, gid) < 0) { + r = -errno; + ret = EXIT_CHOWN; + goto fail_child; + } + } + + _exit(0); + + fail_child: + log_open(); + log_error("Failed to chown socket at step %s: %s", exit_status_to_string(ret, EXIT_STATUS_SYSTEMD), strerror(-r)); + + _exit(ret); + } + + r = unit_watch_pid(UNIT(s), pid); + if (r < 0) + goto fail; + + *_pid = pid; + + return 0; + +fail: + unit_unwatch_timer(UNIT(s), &s->timer_watch); + return r; +} + static void socket_enter_dead(Socket *s, SocketResult f) { assert(s); @@ -1256,9 +1355,11 @@ static void socket_enter_stop_post(Socket *s, SocketResult f) { socket_unwatch_control_pid(s); s->control_command_id = SOCKET_EXEC_STOP_POST; + s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST]; - if ((s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST])) { - if ((r = socket_spawn(s, s->control_command, &s->control_pid)) < 0) + if (s->control_command) { + r = socket_spawn(s, s->control_command, &s->control_pid); + if (r < 0) goto fail; socket_set_state(s, SOCKET_STOP_POST); @@ -1326,9 +1427,11 @@ static void socket_enter_stop_pre(Socket *s, SocketResult f) { socket_unwatch_control_pid(s); s->control_command_id = SOCKET_EXEC_STOP_PRE; + s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE]; - if ((s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE])) { - if ((r = socket_spawn(s, s->control_command, &s->control_pid)) < 0) + if (s->control_command) { + r = socket_spawn(s, s->control_command, &s->control_pid); + if (r < 0) goto fail; socket_set_state(s, SOCKET_STOP_PRE); @@ -1376,15 +1479,13 @@ static void socket_enter_start_post(Socket *s) { } socket_unwatch_control_pid(s); - s->control_command_id = SOCKET_EXEC_START_POST; + s->control_command = s->exec_command[SOCKET_EXEC_START_POST]; - if ((s->control_command = s->exec_command[SOCKET_EXEC_START_POST])) { + if (s->control_command) { r = socket_spawn(s, s->control_command, &s->control_pid); if (r < 0) { - log_warning_unit(UNIT(s)->id, - "%s failed to run 'start-post' task: %s", - UNIT(s)->id, strerror(-r)); + log_warning_unit(UNIT(s)->id, "%s failed to run 'start-post' task: %s", UNIT(s)->id, strerror(-r)); goto fail; } @@ -1398,6 +1499,38 @@ fail: socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES); } +static void socket_enter_start_chown(Socket *s) { + int r; + + assert(s); + + r = socket_open_fds(s); + if (r < 0) { + log_warning_unit(UNIT(s)->id, "%s failed to listen on sockets: %s", UNIT(s)->id, strerror(-r)); + goto fail; + } + + if (!isempty(s->user) || !isempty(s->group)) { + socket_unwatch_control_pid(s); + s->control_command_id = SOCKET_EXEC_START_CHOWN; + s->control_command = NULL; + + r = socket_chown(s, &s->control_pid); + if (r < 0) { + log_warning_unit(UNIT(s)->id, "%s failed to fork 'start-chown' task: %s", UNIT(s)->id, strerror(-r)); + goto fail; + } + + socket_set_state(s, SOCKET_START_CHOWN); + } else + socket_enter_start_post(s); + + return; + +fail: + socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES); +} + static void socket_enter_start_pre(Socket *s) { int r; assert(s); @@ -1405,21 +1538,21 @@ static void socket_enter_start_pre(Socket *s) { socket_unwatch_control_pid(s); s->control_command_id = SOCKET_EXEC_START_PRE; + s->control_command = s->exec_command[SOCKET_EXEC_START_PRE]; - if ((s->control_command = s->exec_command[SOCKET_EXEC_START_PRE])) { - if ((r = socket_spawn(s, s->control_command, &s->control_pid)) < 0) + if (s->control_command) { + r = socket_spawn(s, s->control_command, &s->control_pid); + if (r < 0) goto fail; socket_set_state(s, SOCKET_START_PRE); } else - socket_enter_start_post(s); + socket_enter_start_chown(s); return; fail: - log_warning_unit(UNIT(s)->id, - "%s failed to run 'start-pre' task: %s", - UNIT(s)->id, strerror(-r)); + log_warning_unit(UNIT(s)->id, "%s failed to run 'start-pre' task: %s", UNIT(s)->id, strerror(-r)); socket_enter_dead(s, SOCKET_FAILURE_RESOURCES); } @@ -1609,6 +1742,7 @@ static int socket_start(Unit *u) { return -EAGAIN; if (s->state == SOCKET_START_PRE || + s->state == SOCKET_START_CHOWN || s->state == SOCKET_START_POST) return 0; @@ -1669,6 +1803,7 @@ static int socket_stop(Unit *u) { /* If there's already something running we go directly into * kill mode. */ if (s->state == SOCKET_START_PRE || + s->state == SOCKET_START_CHOWN || s->state == SOCKET_START_POST) { socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS); return -EAGAIN; @@ -2098,11 +2233,18 @@ static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) { case SOCKET_START_PRE: if (f == SOCKET_SUCCESS) - socket_enter_start_post(s); + socket_enter_start_chown(s); else socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f); break; + case SOCKET_START_CHOWN: + if (f == SOCKET_SUCCESS) + socket_enter_start_post(s); + else + socket_enter_stop_pre(s, f); + break; + case SOCKET_START_POST: if (f == SOCKET_SUCCESS) socket_enter_listening(s); @@ -2141,65 +2283,53 @@ static void socket_timer_event(Unit *u, uint64_t elapsed, Watch *w) { switch (s->state) { case SOCKET_START_PRE: - log_warning_unit(u->id, - "%s starting timed out. Terminating.", u->id); + log_warning_unit(u->id, "%s starting timed out. Terminating.", u->id); socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT); break; + case SOCKET_START_CHOWN: case SOCKET_START_POST: - log_warning_unit(u->id, - "%s starting timed out. Stopping.", u->id); + log_warning_unit(u->id, "%s starting timed out. Stopping.", u->id); socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT); break; case SOCKET_STOP_PRE: - log_warning_unit(u->id, - "%s stopping timed out. Terminating.", u->id); + log_warning_unit(u->id, "%s stopping timed out. Terminating.", u->id); socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT); break; case SOCKET_STOP_PRE_SIGTERM: if (s->kill_context.send_sigkill) { - log_warning_unit(u->id, - "%s stopping timed out. Killing.", u->id); + log_warning_unit(u->id, "%s stopping timed out. Killing.", u->id); socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT); } else { - log_warning_unit(u->id, - "%s stopping timed out. Skipping SIGKILL. Ignoring.", - u->id); + log_warning_unit(u->id, "%s stopping timed out. Skipping SIGKILL. Ignoring.", u->id); socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT); } break; case SOCKET_STOP_PRE_SIGKILL: - log_warning_unit(u->id, - "%s still around after SIGKILL. Ignoring.", u->id); + log_warning_unit(u->id, "%s still around after SIGKILL. Ignoring.", u->id); socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT); break; case SOCKET_STOP_POST: - log_warning_unit(u->id, - "%s stopping timed out (2). Terminating.", u->id); + log_warning_unit(u->id, "%s stopping timed out (2). Terminating.", u->id); socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT); break; case SOCKET_FINAL_SIGTERM: if (s->kill_context.send_sigkill) { - log_warning_unit(u->id, - "%s stopping timed out (2). Killing.", u->id); + log_warning_unit(u->id, "%s stopping timed out (2). Killing.", u->id); socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT); } else { - log_warning_unit(u->id, - "%s stopping timed out (2). Skipping SIGKILL. Ignoring.", - u->id); + log_warning_unit(u->id, "%s stopping timed out (2). Skipping SIGKILL. Ignoring.", u->id); socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT); } break; case SOCKET_FINAL_SIGKILL: - log_warning_unit(u->id, - "%s still around after SIGKILL (2). Entering failed mode.", - u->id); + log_warning_unit(u->id, "%s still around after SIGKILL (2). Entering failed mode.", u->id); socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT); break; @@ -2333,6 +2463,7 @@ static int socket_kill(Unit *u, KillWho who, int signo, DBusError *error) { static const char* const socket_state_table[_SOCKET_STATE_MAX] = { [SOCKET_DEAD] = "dead", [SOCKET_START_PRE] = "start-pre", + [SOCKET_START_CHOWN] = "start-chown", [SOCKET_START_POST] = "start-post", [SOCKET_LISTENING] = "listening", [SOCKET_RUNNING] = "running", @@ -2349,6 +2480,7 @@ DEFINE_STRING_TABLE_LOOKUP(socket_state, SocketState); static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = { [SOCKET_EXEC_START_PRE] = "StartPre", + [SOCKET_EXEC_START_CHOWN] = "StartChown", [SOCKET_EXEC_START_POST] = "StartPost", [SOCKET_EXEC_STOP_PRE] = "StopPre", [SOCKET_EXEC_STOP_POST] = "StopPost" diff --git a/src/core/socket.h b/src/core/socket.h index 3d7eadc..6a24883 100644 --- a/src/core/socket.h +++ b/src/core/socket.h @@ -32,6 +32,7 @@ typedef struct Socket Socket; typedef enum SocketState { SOCKET_DEAD, SOCKET_START_PRE, + SOCKET_START_CHOWN, SOCKET_START_POST, SOCKET_LISTENING, SOCKET_RUNNING, @@ -48,6 +49,7 @@ typedef enum SocketState { typedef enum SocketExecCommand { SOCKET_EXEC_START_PRE, + SOCKET_EXEC_START_CHOWN, SOCKET_EXEC_START_POST, SOCKET_EXEC_STOP_PRE, SOCKET_EXEC_STOP_POST, @@ -151,6 +153,9 @@ struct Socket { char *smack; char *smack_ip_in; char *smack_ip_out; + + char *user; + char *group; }; /* Called from the service code when collecting fds */ diff --git a/src/shared/exit-status.c b/src/shared/exit-status.c index 45131f2..f15fdba 100644 --- a/src/shared/exit-status.c +++ b/src/shared/exit-status.c @@ -130,6 +130,10 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) { case EXIT_SECCOMP: return "SECCOMP"; + + case EXIT_CHOWN: + return "CHOWN"; + } } diff --git a/src/shared/exit-status.h b/src/shared/exit-status.h index 1f035a3..52dd3d0 100644 --- a/src/shared/exit-status.h +++ b/src/shared/exit-status.h @@ -67,7 +67,8 @@ typedef enum ExitStatus { EXIT_NETWORK, EXIT_NAMESPACE, EXIT_NO_NEW_PRIVILEGES, - EXIT_SECCOMP + EXIT_SECCOMP, + EXIT_CHOWN } ExitStatus; typedef enum ExitStatusLevel {