1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-25 06:03:40 +03:00

userdb: make most loading of JSON user record data "permissive"

We want user records to be extensible, hence we shouldn't complain about
fields we can't parse. In particular we want them to be extensible for
our own future extensions.

Some code already turned the permissive flag when parsing the JSON data,
but most did not. Fix that. A few select cases remain where the bit is
not set: where we just gnerated the JSON data ourselves, and thus can be
reasonably sure that if we can't parse it it's our immediate programming
error and not just us processing a user record from some other tool or a
newer version of ourselves.
This commit is contained in:
Lennart Poettering 2021-05-31 21:55:44 +02:00
parent 17e7561a97
commit bfc0cc1a25
20 changed files with 47 additions and 43 deletions

View File

@ -571,9 +571,9 @@ static void dump_home_record(UserRecord *hr) {
_cleanup_(user_record_unrefp) UserRecord *stripped = NULL;
if (arg_export_format == EXPORT_FORMAT_STRIPPED)
r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED, &stripped);
r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &stripped);
else if (arg_export_format == EXPORT_FORMAT_MINIMAL)
r = user_record_clone(hr, USER_RECORD_EXTRACT_SIGNABLE, &stripped);
r = user_record_clone(hr, USER_RECORD_EXTRACT_SIGNABLE|USER_RECORD_PERMISSIVE, &stripped);
else
r = 0;
if (r < 0)
@ -678,7 +678,7 @@ static int inspect_home(int argc, char *argv[], void *userdata) {
if (!hr)
return log_oom();
r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG);
r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0) {
if (ret == 0)
ret = r;
@ -1060,7 +1060,7 @@ static int acquire_new_home_record(UserRecord **ret) {
if (!hr)
return log_oom();
r = user_record_load(hr, v, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG);
r = user_record_load(hr, v, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@ -1426,7 +1426,7 @@ static int acquire_updated_home_record(
if (!hr)
return log_oom();
r = user_record_load(hr, json, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG);
r = user_record_load(hr, json, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;

View File

@ -28,7 +28,7 @@ int bus_message_read_secret(sd_bus_message *m, UserRecord **ret, sd_bus_error *e
if (!hr)
return -ENOMEM;
r = user_record_load(hr, full, USER_RECORD_REQUIRE_SECRET);
r = user_record_load(hr, full, USER_RECORD_REQUIRE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;

View File

@ -95,7 +95,7 @@ int bus_home_get_record_json(
trusted = false;
}
flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE;
flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE;
if (trusted)
flags |= USER_RECORD_ALLOW_PRIVILEGED;
else
@ -443,7 +443,7 @@ int bus_home_method_update(
assert(message);
assert(h);
r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_REQUIRE_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE, &hr, error);
r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_REQUIRE_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE, &hr, error);
if (r < 0)
return r;

View File

@ -145,7 +145,7 @@ int home_new(Manager *m, UserRecord *hr, const char *sysfs, Home **ret) {
return r;
}
r = user_record_clone(hr, USER_RECORD_LOAD_MASK_SECRET, &home->record);
r = user_record_clone(hr, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &home->record);
if (r < 0)
return r;
@ -243,7 +243,7 @@ int home_set_record(Home *h, UserRecord *hr) {
if (!new_hr)
return -ENOMEM;
r = user_record_load(new_hr, v, USER_RECORD_LOAD_REFUSE_SECRET);
r = user_record_load(new_hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@ -384,7 +384,7 @@ static int home_parse_worker_stdout(int _fd, UserRecord **ret) {
if (!hr)
return log_oom();
r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET);
r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0)
return log_error_errno(r, "Failed to load home record identity: %m");
@ -1410,7 +1410,7 @@ static int home_update_internal(
return sd_bus_error_set(error, BUS_ERROR_HOME_RECORD_DOWNGRADE, "Refusing to update to older home record.");
if (!secret && FLAGS_SET(hr->mask, USER_RECORD_SECRET)) {
r = user_record_clone(hr, USER_RECORD_EXTRACT_SECRET, &saved_secret);
r = user_record_clone(hr, USER_RECORD_EXTRACT_SECRET|USER_RECORD_PERMISSIVE, &saved_secret);
if (r < 0)
return r;
@ -1445,7 +1445,7 @@ static int home_update_internal(
return r;
}
r = user_record_extend_with_binding(hr, h->record, USER_RECORD_LOAD_MASK_SECRET, &new_hr);
r = user_record_extend_with_binding(hr, h->record, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_hr);
if (r < 0)
return r;
@ -1539,7 +1539,7 @@ int home_resize(Home *h, uint64_t disk_size, UserRecord *secret, sd_bus_error *e
if (h->signed_locally <= 0) /* Don't allow changing of records not signed only by us */
return sd_bus_error_setf(error, BUS_ERROR_HOME_RECORD_SIGNED, "Home %s is signed and cannot be modified locally.", h->user_name);
r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET, &c);
r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE, &c);
if (r < 0)
return r;
@ -1628,7 +1628,7 @@ int home_passwd(Home *h,
if (r < 0)
return r;
r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET, &c);
r = user_record_clone(h->record, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE, &c);
if (r < 0)
return r;

View File

@ -398,7 +398,7 @@ static int method_register_home(
assert(message);
assert(m);
r = bus_message_read_home_record(message, USER_RECORD_LOAD_EMBEDDED, &hr, error);
r = bus_message_read_home_record(message, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE, &hr, error);
if (r < 0)
return r;
@ -513,7 +513,7 @@ static int method_update_home(sd_bus_message *message, void *userdata, sd_bus_er
assert(message);
assert(m);
r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE, &hr, error);
r = bus_message_read_home_record(message, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_SECRET|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE, &hr, error);
if (r < 0)
return r;

View File

@ -364,7 +364,7 @@ static int manager_add_home_by_record(
if (!hr)
return log_oom();
r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG);
r = user_record_load(hr, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;

View File

@ -42,7 +42,7 @@ static int build_user_json(Home *h, bool trusted, JsonVariant **ret) {
assert(h);
assert(ret);
flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE;
flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE;
if (trusted)
flags |= USER_RECORD_ALLOW_PRIVILEGED;
else

View File

@ -185,7 +185,7 @@ int home_create_cifs(UserRecord *h, UserRecord **ret_home) {
if (r < 0)
return r;
r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home);
r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_home);
if (r < 0)
return log_error_errno(r, "Failed to clone record: %m");

View File

@ -158,7 +158,7 @@ int home_create_directory_or_subvolume(UserRecord *h, UserRecord **ret_home) {
if (r < 0)
return r;
r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home);
r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_home);
if (r < 0)
return log_error_errno(r, "Failed to clone record: %m");

View File

@ -550,7 +550,7 @@ int home_create_fscrypt(
if (r < 0)
return r;
r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home);
r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, &new_home);
if (r < 0)
return log_error_errno(r, "Failed to clone record: %m");

View File

@ -779,7 +779,7 @@ static int luks_validate_home_record(
if (!lhr)
return log_oom();
r = user_record_load(lhr, rr, USER_RECORD_LOAD_EMBEDDED);
r = user_record_load(lhr, rr, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE);
if (r < 0)
return log_error_errno(r, "Failed to parse user record: %m");
@ -902,7 +902,7 @@ int home_store_header_identity_luks(
* the file system, so that we can validate it first, and only then mount the file system. To keep
* things simple we use the same encryption settings for this record as for the file system itself. */
r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &header_home);
r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &header_home);
if (r < 0)
return log_error_errno(r, "Failed to determine new header record: %m");
@ -1575,7 +1575,7 @@ static int luks_format(
log_info("LUKS activation by volume key succeeded.");
r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED, &reduced);
r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &reduced);
if (r < 0)
return log_error_errno(r, "Failed to prepare home record for LUKS: %m");
@ -2139,7 +2139,7 @@ int home_create_luks(
if (r < 0)
goto fail;
r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_LOG, &new_home);
r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_LOG|USER_RECORD_PERMISSIVE, &new_home);
if (r < 0) {
log_error_errno(r, "Failed to clone record: %m");
goto fail;

View File

@ -524,7 +524,7 @@ int home_load_embedded_identity(
if (!embedded_home)
return log_oom();
r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED);
r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@ -609,7 +609,7 @@ int home_store_embedded_identity(UserRecord *h, int root_fd, uid_t uid, UserReco
assert(root_fd >= 0);
assert(uid_is_valid(uid));
r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &embedded);
r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &embedded);
if (r < 0)
return log_error_errno(r, "Failed to determine new embedded record: %m");
@ -1668,7 +1668,7 @@ static int run(int argc, char *argv[]) {
if (!home)
return log_oom();
r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG);
r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;

View File

@ -216,7 +216,7 @@ static int acquire_user_record(
if (!ur)
return pam_log_oom(handle);
r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET);
r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to load user record: %s", strerror_safe(r));
return PAM_SERVICE_ERR;

View File

@ -14,7 +14,7 @@ static int user_record_signable_json(UserRecord *ur, char **ret) {
assert(ur);
assert(ret);
r = user_record_clone(ur, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_STRIP_SECRET|USER_RECORD_STRIP_BINDING|USER_RECORD_STRIP_STATUS|USER_RECORD_STRIP_SIGNATURE, &reduced);
r = user_record_clone(ur, USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PRIVILEGED|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_STRIP_SECRET|USER_RECORD_STRIP_BINDING|USER_RECORD_STRIP_STATUS|USER_RECORD_STRIP_SIGNATURE|USER_RECORD_PERMISSIVE, &reduced);
if (r < 0)
return r;
@ -95,7 +95,7 @@ int user_record_sign(UserRecord *ur, EVP_PKEY *private_key, UserRecord **ret) {
if (!signed_ur)
return log_oom();
r = user_record_load(signed_ur, v, USER_RECORD_LOAD_FULL);
r = user_record_load(signed_ur, v, USER_RECORD_LOAD_FULL|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;

View File

@ -252,7 +252,7 @@ int user_record_reconcile(
if (!merged)
return -ENOMEM;
r = user_record_load(merged, extended, USER_RECORD_LOAD_MASK_SECRET);
r = user_record_load(merged, extended, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@ -261,7 +261,7 @@ int user_record_reconcile(
}
/* Strip out secrets */
r = user_record_clone(host, USER_RECORD_LOAD_MASK_SECRET, ret);
r = user_record_clone(host, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_PERMISSIVE, ret);
if (r < 0)
return r;

View File

@ -141,7 +141,7 @@ static int acquire_user_record(
if (!ur)
return pam_log_oom(handle);
r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET);
r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to load user record: %s", strerror_safe(r));
return PAM_SERVICE_ERR;

View File

@ -377,14 +377,16 @@ int bind_user_setup(
USER_RECORD_STRIP_PRIVILEGED|
USER_RECORD_ALLOW_PER_MACHINE|
USER_RECORD_ALLOW_BINDING|
USER_RECORD_ALLOW_SIGNATURE;
USER_RECORD_ALLOW_SIGNATURE|
USER_RECORD_PERMISSIVE;
static const UserRecordLoadFlags shadow_flags = /* Extracts privileged info */
USER_RECORD_STRIP_REGULAR|
USER_RECORD_ALLOW_PRIVILEGED|
USER_RECORD_STRIP_PER_MACHINE|
USER_RECORD_STRIP_BINDING|
USER_RECORD_STRIP_SIGNATURE|
USER_RECORD_EMPTY_OK;
USER_RECORD_EMPTY_OK|
USER_RECORD_PERMISSIVE;
int r;
assert(root);

View File

@ -2114,7 +2114,7 @@ int user_record_masked_equal(UserRecord *a, UserRecord *b, UserRecordMask mask)
/* Compares the two records, but ignores anything not listed in the specified mask */
if ((a->mask & ~mask) != 0) {
r = user_record_clone(a, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX), &x);
r = user_record_clone(a, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX) | USER_RECORD_PERMISSIVE, &x);
if (r < 0)
return r;
@ -2122,7 +2122,7 @@ int user_record_masked_equal(UserRecord *a, UserRecord *b, UserRecordMask mask)
}
if ((b->mask & ~mask) != 0) {
r = user_record_clone(b, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX), &y);
r = user_record_clone(b, USER_RECORD_ALLOW(mask) | USER_RECORD_STRIP(~mask & _USER_RECORD_MASK_MAX) | USER_RECORD_PERMISSIVE, &y);
if (r < 0)
return r;

View File

@ -82,7 +82,8 @@ static int load_user(
USER_RECORD_ALLOW_PER_MACHINE|
USER_RECORD_ALLOW_BINDING|
USER_RECORD_ALLOW_SIGNATURE|
(have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0));
(have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)|
USER_RECORD_PERMISSIVE);
if (r < 0)
return r;
@ -225,7 +226,8 @@ static int load_group(
USER_RECORD_ALLOW_PER_MACHINE|
USER_RECORD_ALLOW_BINDING|
USER_RECORD_ALLOW_SIGNATURE|
(have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0));
(have_privileged ? USER_RECORD_ALLOW_PRIVILEGED : 0)|
USER_RECORD_PERMISSIVE);
if (r < 0)
return r;

View File

@ -88,7 +88,7 @@ static int build_user_json(Varlink *link, UserRecord *ur, JsonVariant **ret) {
} else
trusted = peer_uid == 0 || peer_uid == ur->uid;
flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE;
flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE;
if (trusted)
flags |= USER_RECORD_ALLOW_PRIVILEGED;
else
@ -232,7 +232,7 @@ static int build_group_json(Varlink *link, GroupRecord *gr, JsonVariant **ret) {
} else
trusted = peer_uid == 0;
flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE;
flags = USER_RECORD_REQUIRE_REGULAR|USER_RECORD_ALLOW_PER_MACHINE|USER_RECORD_ALLOW_BINDING|USER_RECORD_STRIP_SECRET|USER_RECORD_ALLOW_STATUS|USER_RECORD_ALLOW_SIGNATURE|USER_RECORD_PERMISSIVE;
if (trusted)
flags |= USER_RECORD_ALLOW_PRIVILEGED;
else