aboutsummaryrefslogtreecommitdiff
path: root/src/run
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2018-08-02 18:36:47 +0200
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2018-08-20 15:58:21 +0200
commitfafff8f1ffdf24517921d7779c2a9eb89766df30 (patch)
treea9f5bd4e5fb6e7680df49e9476b17366e58d06cf /src/run
parentnetworkd: add O_CLOEXEC where it's missing (diff)
downloadsystemd-fafff8f1ffdf24517921d7779c2a9eb89766df30.tar.gz
systemd-fafff8f1ffdf24517921d7779c2a9eb89766df30.tar.bz2
systemd-fafff8f1ffdf24517921d7779c2a9eb89766df30.zip
user-util: rework get_user_creds()
Let's fold get_user_creds_clean() into get_user_creds(), and introduce a flags argument for it to select "clean" behaviour. This flags parameter also learns to other new flags: - USER_CREDS_SYNTHESIZE_FALLBACK: in this mode the user records for root/nobody are only synthesized as fallback. Normally, the synthesized records take precedence over what is in the user database. With this flag set this is reversed, and the user database takes precedence, and the synthesized records are only used if they are missing there. This flag should be set in cases where doing NSS is deemed safe, and where there's interest in knowing the correct shell, for example if the admin changed root's shell to zsh or suchlike. - USER_CREDS_ALLOW_MISSING: if set, and a UID/GID is specified by numeric value, and there's no user/group record for it accept it anyway. This allows us to fix #9767 This then also ports all users to set the most appropriate flags. Fixes: #9767 [zj: remove one isempty() call]
Diffstat (limited to 'src/run')
-rw-r--r--src/run/run.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/run/run.c b/src/run/run.c
index 2910fcb27..effbbb62c 100644
--- a/src/run/run.c
+++ b/src/run/run.c
@@ -1232,7 +1232,7 @@ static int start_transient_scope(
if (arg_exec_group) {
gid_t gid;
- r = get_group_creds(&arg_exec_group, &gid);
+ r = get_group_creds(&arg_exec_group, &gid, 0);
if (r < 0)
return log_error_errno(r, "Failed to resolve group %s: %m", arg_exec_group);
@@ -1245,7 +1245,7 @@ static int start_transient_scope(
uid_t uid;
gid_t gid;
- r = get_user_creds_clean(&arg_exec_user, &uid, &gid, &home, &shell);
+ r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell, USER_CREDS_CLEAN|USER_CREDS_SYNTHESIZE_FALLBACK);
if (r < 0)
return log_error_errno(r, "Failed to resolve user %s: %m", arg_exec_user);