morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

User and group error messages (#39783)

Browse Source 
I'm using separate commit here because this changes are a bit finicky.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek
2025-11-18 19:39:57 +01:00
committed by GitHub
parent c3d432a3d2 970c29b6b6
commit c7c457b2fb
13 changed files with 86 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/basic/user-util.h
View File

@@ -9,8 +9,10 @@
#include <shadow.h>
#include "basic-forward.h"
#include "errno-util.h"
/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details
* how this range fits into the rest of the world. */
#define HOME_UID_MIN ((uid_t) 60001)
#define HOME_UID_MAX ((uid_t) 60513)
@@ -18,6 +20,19 @@
#define MAP_UID_MIN ((uid_t) 60514)
#define MAP_UID_MAX ((uid_t) 60577)
/* A helper to print an error message when user or group resolution fails.
* Note that we can't use ({ … }) to define a temporary variable, so errnum is
* evaluated multiple times. */
#define STRERROR_USER(errnum) ((errnum) == -ESRCH ? "Unknown user" : (errnum) == -ENOEXEC ? "Not a system user" : STRERROR(errnum))
#define STRERROR_GROUP(errnum) ((errnum) == -ESRCH ? "Unknown group" : (errnum) == -ENOEXEC ? "Not a system group" : STRERROR(errnum))
static inline bool ERRNO_IS_NEG_BAD_ACCOUNT(intmax_t r) {
return IN_SET(r,
-ESRCH,
-ENOEXEC);
}
_DEFINE_ABS_WRAPPER(BAD_ACCOUNT);
bool uid_is_valid(uid_t uid) _const_;
static inline bool gid_is_valid(gid_t gid) {

15
src/core/exec-invoke.c
View File

@@ -2087,8 +2087,11 @@ static int build_environment(
assert(!c->user);
r = get_fixed_user("root", /* prefer_nss = */ false, &username, NULL, NULL, &home, &shell);
if (r < 0)
return log_debug_errno(r, "Failed to determine user credentials for root: %m");
if (r < 0) {
log_debug_errno(r, "Failed to determine credentials for user root: %s",
STRERROR_USER(r));
return ERRNO_IS_NEG_BAD_ACCOUNT(r) ? -EINVAL : r; /* Suppress confusing errno */
}
}
bool set_user_login_env = exec_context_get_set_login_environment(c);
@@ -5265,7 +5268,9 @@ int exec_invoke(
&username, &uid, &gid, &pwent_home, &shell);
if (r < 0) {
*exit_status = EXIT_USER;
return log_error_errno(r, "Failed to determine user credentials: %m");
log_error_errno(r, "Failed to determine credentials for user '%s': %s",
u, STRERROR_USER(r));
return ERRNO_IS_NEG_BAD_ACCOUNT(r) ? -EINVAL : r; /* Suppress confusing errno */
}
}
@@ -5273,7 +5278,9 @@ int exec_invoke(
r = get_fixed_group(context->group, &groupname, &gid);
if (r < 0) {
*exit_status = EXIT_GROUP;
return log_error_errno(r, "Failed to determine group credentials: %m");
log_error_errno(r, "Failed to determine credentials for group '%s': %s",
u, STRERROR_GROUP(r));
return ERRNO_IS_NEG_BAD_ACCOUNT(r) ? -EINVAL : r; /* Suppress confusing errno */
}
}
}

8
src/core/scope.c
View File

@@ -348,7 +348,9 @@ static int scope_enter_start_chown(Scope *s) {
r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
if (r < 0) {
log_unit_error_errno(UNIT(s), r, "Failed to resolve user \"%s\": %m", user);
log_unit_error_errno(UNIT(s), r,
"Failed to resolve user '%s': %s",
user, STRERROR_USER(r));
_exit(EXIT_USER);
}
}
@@ -358,7 +360,9 @@ static int scope_enter_start_chown(Scope *s) {
r = get_group_creds(&group, &gid, 0);
if (r < 0) {
log_unit_error_errno(UNIT(s), r, "Failed to resolve group \"%s\": %m", group);
log_unit_error_errno(UNIT(s), r,
"Failed to resolve group '%s': %s",
group, STRERROR_GROUP(r));
_exit(EXIT_GROUP);
}
}

8
src/core/socket.c
View File

@@ -2056,7 +2056,9 @@ static int socket_chown(Socket *s, PidRef *ret_pid) {
r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
if (r < 0) {
log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user);
log_unit_error_errno(UNIT(s), r,
"Failed to resolve user '%s': %s",
user, STRERROR_USER(r));
_exit(EXIT_USER);
}
}
@@ -2066,7 +2068,9 @@ static int socket_chown(Socket *s, PidRef *ret_pid) {
r = get_group_creds(&group, &gid, 0);
if (r < 0) {
log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group);
log_unit_error_errno(UNIT(s), r,
"Failed to resolve group '%s': %s",
group, STRERROR_GROUP(r));
_exit(EXIT_GROUP);
}
}

3
src/creds/creds.c
View File

@@ -1062,7 +1062,8 @@ static int parse_argv(int argc, char *argv[]) {
/* ret_shell= */ NULL,
/* flags= */ 0);
if (r < 0)
return log_error_errno(r, "Failed to resolve user '%s': %m", optarg);
return log_error_errno(r, "Failed to resolve user '%s': %s",
optarg, STRERROR_USER(r));
}
break;

4
src/login/user-runtime-dir.c
View File

@@ -348,10 +348,8 @@ static int run(int argc, char *argv[]) {
if (streq(verb, "start")) {
_cleanup_(user_record_unrefp) UserRecord *ur = NULL;
r = userdb_by_name(user, /* match= */ NULL, USERDB_PARSE_NUMERIC|USERDB_SUPPRESS_SHADOW, &ur);
if (r == -ESRCH)
return log_error_errno(r, "User '%s' does not exist: %m", user);
if (r < 0)
return log_error_errno(r, "Failed to resolve user '%s': %m", user);
return log_error_errno(r, "Failed to resolve user '%s': %s", user, STRERROR_USER(r));
/* We do two things here: mount the per-user XDG_RUNTIME_DIR, and set up tmpfs quota on /tmp/
* and /dev/shm/. */

14
src/network/netdev/tuntap.c
View File

@@ -239,10 +239,9 @@ static int tuntap_verify(NetDev *netdev, const char *filename) {
r = userdb_by_name(t->user_name, &USERDB_MATCH_ROOT_AND_SYSTEM,
USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC,
&ur);
if (r == -ENOEXEC)
log_netdev_warning_errno(netdev, r, "User %s is not a system user, ignoring.", t->user_name);
else if (r < 0)
log_netdev_warning_errno(netdev, r, "Cannot resolve user name %s, ignoring: %m", t->user_name);
if (r < 0)
log_netdev_warning_errno(netdev, r, "Cannot resolve user name '%s', ignoring: %s",
t->user_name, STRERROR_USER(r));
else
t->uid = ur->uid;
}
@@ -253,10 +252,9 @@ static int tuntap_verify(NetDev *netdev, const char *filename) {
r = groupdb_by_name(t->group_name, &USERDB_MATCH_ROOT_AND_SYSTEM,
USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC,
&gr);
if (r == -ENOEXEC)
log_netdev_warning_errno(netdev, r, "Group %s is not a system group, ignoring.", t->group_name);
else if (r < 0)
log_netdev_warning_errno(netdev, r, "Cannot resolve group name %s, ignoring: %m", t->group_name);
if (r < 0)
log_netdev_warning_errno(netdev, r, "Cannot resolve group name '%s', ignoring: %s",
t->group_name, STRERROR_GROUP(r));
else
t->gid = gr->gid;
}

6
src/run/run.c
View File

@@ -2748,7 +2748,8 @@ static int start_transient_scope(sd_bus *bus) {
r = get_group_creds(&arg_exec_group, &gid, 0);
if (r < 0)
return log_error_errno(r, "Failed to resolve group %s: %m", arg_exec_group);
return log_error_errno(r, "Failed to resolve group '%s': %s",
arg_exec_group, STRERROR_GROUP(r));
if (setresgid(gid, gid, gid) < 0)
return log_error_errno(errno, "Failed to change GID to " GID_FMT ": %m", gid);
@@ -2762,7 +2763,8 @@ static int start_transient_scope(sd_bus *bus) {
r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell,
USER_CREDS_CLEAN|USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_PREFER_NSS);
if (r < 0)
return log_error_errno(r, "Failed to resolve user %s: %m", arg_exec_user);
return log_error_errno(r, "Failed to resolve user '%s': %s",
arg_exec_user, STRERROR_USER(r));
if (home) {
r = strv_extendf(&user_env, "HOME=%s", home);

9
src/shared/machine-bind-user.c
View File

@@ -244,8 +244,10 @@ int machine_bind_user_prepare(
_cleanup_(group_record_unrefp) GroupRecord *g = NULL, *cg = NULL;
r = userdb_by_name(*n, /* match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC|USERDB_DONT_SYNTHESIZE_FOREIGN, &u);
if (r == -ENOEXEC)
return log_error_errno(r, "User '%s' did not pass filter.", *n);
if (r < 0)
return log_error_errno(r, "Failed to resolve user '%s': %m", *n);
return log_error_errno(r, "Failed to resolve user '%s': %s", *n, STRERROR_USER(r));
/* For now, let's refuse mapping the root/nobody users explicitly. The records we generate
* are strictly additive, nss-systemd is typically placed last in /etc/nsswitch.conf. Thus
@@ -266,8 +268,11 @@ int machine_bind_user_prepare(
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot bind user with no UID, refusing.");
r = groupdb_by_gid(user_record_gid(u), /* match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC|USERDB_DONT_SYNTHESIZE_FOREIGN, &g);
if (r == -ENOEXEC)
return log_error_errno(r, "Group of user '%s' did not pass filter.", u->user_name);
if (r < 0)
return log_error_errno(r, "Failed to resolve group of user '%s': %m", u->user_name);
return log_error_errno(r, "Failed to resolve group of user '%s': %s",
u->user_name, STRERROR_GROUP(r));
/* We want to synthesize exactly one user + group from the host into the machine. This only
* makes sense if the user on the host has its own private group. We can't reasonably check

2
src/shared/userdb.c
View File

@@ -932,7 +932,7 @@ int userdb_by_name(const char *name, const UserDBMatch *match, UserDBFlags flags
r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetUserRecord", /* more= */ false, query, flags);
if (r >= 0) {
r = userdb_process(iterator, &ur, /* ret_group_record= */ NULL, /* ret_user_name= */ NULL, /* ret_group_name= */ NULL);
if (r == -ENOEXEC) /* found a user matching UID or name, but not filter. In this case the
if (r == -ENOEXEC) /* Found a user matching UID or name, but not filter. In this case the
* fallback paths below are pointless */
return r;
}

6
src/tmpfiles/tmpfiles.c
View File

@@ -3992,7 +3992,8 @@ static int parse_line(
missing_user_or_group = true;
} else if (r < 0) {
*invalid_config = true;
return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to resolve user '%s': %m", u);
return log_syntax(NULL, LOG_ERR, fname, line, r,
"Failed to resolve user '%s': %s", u, STRERROR_USER(r));
} else
i.uid_set = true;
}
@@ -4013,7 +4014,8 @@ static int parse_line(
missing_user_or_group = true;
} else if (r < 0) {
*invalid_config = true;
return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to resolve group '%s': %m", g);
return log_syntax(NULL, LOG_ERR, fname, line, r,
"Failed to resolve group '%s': %s", g, STRERROR_GROUP(r));
} else
i.gid_set = true;
}

36
src/udev/udev-rules.c
View File

@@ -512,12 +512,10 @@ static int rule_resolve_user(UdevRuleLine *rule_line, const char *name, uid_t *r
r = userdb_by_name(name, &USERDB_MATCH_ROOT_AND_SYSTEM,
USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC,
&ur);
if (r == -ESRCH)
return log_line_error_errno(rule_line, r, "Unknown user '%s', ignoring.", name);
if (r == -ENOEXEC)
return log_line_error_errno(rule_line, r, "User '%s' is not a system user, ignoring.", name);
if (r < 0)
return log_line_error_errno(rule_line, r, "Failed to resolve user '%s', ignoring: %m", name);
return log_line_error_errno(rule_line, r,
"Failed to resolve user '%s', ignoring: %s",
name, STRERROR_USER(r));
_cleanup_free_ char *n = strdup(name);
if (!n)
@@ -549,12 +547,10 @@ static int rule_resolve_group(UdevRuleLine *rule_line, const char *name, gid_t *
r = groupdb_by_name(name, &USERDB_MATCH_ROOT_AND_SYSTEM,
USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC,
&gr);
if (r == -ESRCH)
return log_line_error_errno(rule_line, r, "Unknown group '%s', ignoring.", name);
if (r == -ENOEXEC)
return log_line_error_errno(rule_line, r, "Group '%s' is not a system group, ignoring.", name);
if (r < 0)
return log_line_error_errno(rule_line, r, "Failed to resolve group '%s', ignoring: %m", name);
return log_line_error_errno(rule_line, r,
"Failed to resolve group '%s', ignoring: %s",
name, STRERROR_GROUP(r));
_cleanup_free_ char *n = strdup(name);
if (!n)
@@ -2681,12 +2677,10 @@ static int udev_rule_apply_token_to_event(
r = userdb_by_name(owner, &USERDB_MATCH_ROOT_AND_SYSTEM,
USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC,
&ur);
if (r == -ESRCH)
log_event_error_errno(event, token, r, "Unknown user \"%s\", ignoring.", owner);
else if (r == -ENOEXEC)
log_event_error(event, token, "User \"%s\" is not a system user, ignoring.", owner);
else if (r < 0)
log_event_error_errno(event, token, r, "Failed to resolve user \"%s\", ignoring: %m", owner);
if (r < 0)
log_event_error_errno(event, token, r,
"Failed to resolve user \"%s\", ignoring: %s",
owner, STRERROR_USER(r));
else {
event->uid = ur->uid;
log_event_debug(event, token, "Set owner: %s("UID_FMT")", owner, event->uid);
@@ -2709,12 +2703,10 @@ static int udev_rule_apply_token_to_event(
r = groupdb_by_name(group, &USERDB_MATCH_ROOT_AND_SYSTEM,
USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC,
&gr);
if (r == -ESRCH)
log_event_error_errno(event, token, r, "Unknown group \"%s\", ignoring.", group);
else if (r == -ENOEXEC)
log_event_error(event, token, "Group \"%s\" is not a system group, ignoring.", group);
else if (r < 0)
log_event_error_errno(event, token, r, "Failed to resolve group \"%s\", ignoring: %m", group);
if (r < 0)
log_event_error_errno(event, token, r,
"Failed to resolve group \"%s\", ignoring: %s",
group, STRERROR_GROUP(r));
else {
event->gid = gr->gid;
log_event_debug(event, token, "Set group: %s("GID_FMT")", group, event->gid);

16
test/units/TEST-17-UDEV.verify.sh
View File

@@ -309,15 +309,15 @@ assert_0 "${rules}"
test_syntax_error 'OWNER=":nosuchuser:"' "Failed to resolve user ':nosuchuser:', ignoring: Invalid argument"
# nonexistent user
if ! getent passwd nosuchuser >/dev/null; then
test_syntax_error 'OWNER="nosuchuser"' "Unknown user 'nosuchuser', ignoring."
test_syntax_error 'OWNER="nosuchuser"' "Failed to resolve user 'nosuchuser', ignoring: Unknown user"
fi
if ! getent passwd 12345 >/dev/null; then
test_syntax_error 'OWNER="12345"' "Unknown user '12345', ignoring."
test_syntax_error 'OWNER="12345"' "Failed to resolve user '12345', ignoring: Unknown user"
fi
# regular user
if getent passwd testuser >/dev/null; then
test_syntax_error 'OWNER="testuser"' "User 'testuser' is not a system user, ignoring."
test_syntax_error "OWNER=\"$(id -u testuser)\"" "User '$(id -u testuser)' is not a system user, ignoring."
test_syntax_error 'OWNER="testuser"' "Failed to resolve user 'testuser', ignoring: Not a system user"
test_syntax_error "OWNER=\"$(id -u testuser)\"" "Failed to resolve user '$(id -u testuser)', ignoring: Not a system user"
fi
test_syntax_error 'GROUP{a}="b"' 'Invalid attribute for GROUP.'
test_syntax_error 'GROUP-="b"' 'Invalid operator for GROUP.'
@@ -341,15 +341,15 @@ assert_0 "${rules}"
test_syntax_error 'GROUP=":nosuchgroup:"' "Failed to resolve group ':nosuchgroup:', ignoring: Invalid argument"
# nonexistent group
if ! getent group nosuchgroup >/dev/null; then
test_syntax_error 'GROUP="nosuchgroup"' "Unknown group 'nosuchgroup', ignoring."
test_syntax_error 'GROUP="nosuchgroup"' "Failed to resolve group 'nosuchgroup', ignoring: Unknown group"
fi
if ! getent group 12345 >/dev/null; then
test_syntax_error 'GROUP="12345"' "Unknown group '12345', ignoring."
test_syntax_error 'GROUP="12345"' "Failed to resolve group '12345', ignoring: Unknown group"
fi
# regular group
if getent group testuser >/dev/null; then
test_syntax_error 'GROUP="testuser"' "Group 'testuser' is not a system group, ignoring."
test_syntax_error "GROUP=\"$(id -g testuser)\"" "Group '$(id -g testuser)' is not a system group, ignoring."
test_syntax_error 'GROUP="testuser"' "Failed to resolve group 'testuser', ignoring: Not a system group"
test_syntax_error "GROUP=\"$(id -g testuser)\"" "Failed to resolve group '$(id -g testuser)', ignoring: Not a system group"
fi
test_syntax_error 'MODE{a}="b"' 'Invalid attribute for MODE.'
test_syntax_error 'MODE-="b"' 'Invalid operator for MODE.'