diff --git a/src/basic/user-util.h b/src/basic/user-util.h index c4f2aea309..b7e71720a5 100644 --- a/src/basic/user-util.h +++ b/src/basic/user-util.h @@ -9,8 +9,10 @@ #include #include "basic-forward.h" +#include "errno-util.h" -/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */ +/* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details + * how this range fits into the rest of the world. */ #define HOME_UID_MIN ((uid_t) 60001) #define HOME_UID_MAX ((uid_t) 60513) @@ -18,6 +20,19 @@ #define MAP_UID_MIN ((uid_t) 60514) #define MAP_UID_MAX ((uid_t) 60577) +/* A helper to print an error message when user or group resolution fails. + * Note that we can't use ({ … }) to define a temporary variable, so errnum is + * evaluated multiple times. */ +#define STRERROR_USER(errnum) ((errnum) == -ESRCH ? "Unknown user" : (errnum) == -ENOEXEC ? "Not a system user" : STRERROR(errnum)) +#define STRERROR_GROUP(errnum) ((errnum) == -ESRCH ? "Unknown group" : (errnum) == -ENOEXEC ? "Not a system group" : STRERROR(errnum)) + +static inline bool ERRNO_IS_NEG_BAD_ACCOUNT(intmax_t r) { + return IN_SET(r, + -ESRCH, + -ENOEXEC); +} +_DEFINE_ABS_WRAPPER(BAD_ACCOUNT); + bool uid_is_valid(uid_t uid) _const_; static inline bool gid_is_valid(gid_t gid) { diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index 97a7107384..e9c4e3f624 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -2087,8 +2087,11 @@ static int build_environment( assert(!c->user); r = get_fixed_user("root", /* prefer_nss = */ false, &username, NULL, NULL, &home, &shell); - if (r < 0) - return log_debug_errno(r, "Failed to determine user credentials for root: %m"); + if (r < 0) { + log_debug_errno(r, "Failed to determine credentials for user root: %s", + STRERROR_USER(r)); + return ERRNO_IS_NEG_BAD_ACCOUNT(r) ? -EINVAL : r; /* Suppress confusing errno */ + } } bool set_user_login_env = exec_context_get_set_login_environment(c); @@ -5265,7 +5268,9 @@ int exec_invoke( &username, &uid, &gid, &pwent_home, &shell); if (r < 0) { *exit_status = EXIT_USER; - return log_error_errno(r, "Failed to determine user credentials: %m"); + log_error_errno(r, "Failed to determine credentials for user '%s': %s", + u, STRERROR_USER(r)); + return ERRNO_IS_NEG_BAD_ACCOUNT(r) ? -EINVAL : r; /* Suppress confusing errno */ } } @@ -5273,7 +5278,9 @@ int exec_invoke( r = get_fixed_group(context->group, &groupname, &gid); if (r < 0) { *exit_status = EXIT_GROUP; - return log_error_errno(r, "Failed to determine group credentials: %m"); + log_error_errno(r, "Failed to determine credentials for group '%s': %s", + u, STRERROR_GROUP(r)); + return ERRNO_IS_NEG_BAD_ACCOUNT(r) ? -EINVAL : r; /* Suppress confusing errno */ } } } diff --git a/src/core/scope.c b/src/core/scope.c index 50dafacb42..a6b4cebca5 100644 --- a/src/core/scope.c +++ b/src/core/scope.c @@ -348,7 +348,9 @@ static int scope_enter_start_chown(Scope *s) { r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0); if (r < 0) { - log_unit_error_errno(UNIT(s), r, "Failed to resolve user \"%s\": %m", user); + log_unit_error_errno(UNIT(s), r, + "Failed to resolve user '%s': %s", + user, STRERROR_USER(r)); _exit(EXIT_USER); } } @@ -358,7 +360,9 @@ static int scope_enter_start_chown(Scope *s) { r = get_group_creds(&group, &gid, 0); if (r < 0) { - log_unit_error_errno(UNIT(s), r, "Failed to resolve group \"%s\": %m", group); + log_unit_error_errno(UNIT(s), r, + "Failed to resolve group '%s': %s", + group, STRERROR_GROUP(r)); _exit(EXIT_GROUP); } } diff --git a/src/core/socket.c b/src/core/socket.c index c53f84906f..dd4b96c213 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -2056,7 +2056,9 @@ static int socket_chown(Socket *s, PidRef *ret_pid) { r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0); if (r < 0) { - log_unit_error_errno(UNIT(s), r, "Failed to resolve user %s: %m", user); + log_unit_error_errno(UNIT(s), r, + "Failed to resolve user '%s': %s", + user, STRERROR_USER(r)); _exit(EXIT_USER); } } @@ -2066,7 +2068,9 @@ static int socket_chown(Socket *s, PidRef *ret_pid) { r = get_group_creds(&group, &gid, 0); if (r < 0) { - log_unit_error_errno(UNIT(s), r, "Failed to resolve group %s: %m", group); + log_unit_error_errno(UNIT(s), r, + "Failed to resolve group '%s': %s", + group, STRERROR_GROUP(r)); _exit(EXIT_GROUP); } } diff --git a/src/creds/creds.c b/src/creds/creds.c index 383ef268b8..bcdf3d3038 100644 --- a/src/creds/creds.c +++ b/src/creds/creds.c @@ -1062,7 +1062,8 @@ static int parse_argv(int argc, char *argv[]) { /* ret_shell= */ NULL, /* flags= */ 0); if (r < 0) - return log_error_errno(r, "Failed to resolve user '%s': %m", optarg); + return log_error_errno(r, "Failed to resolve user '%s': %s", + optarg, STRERROR_USER(r)); } break; diff --git a/src/login/user-runtime-dir.c b/src/login/user-runtime-dir.c index b80723b97e..6cf157ffad 100644 --- a/src/login/user-runtime-dir.c +++ b/src/login/user-runtime-dir.c @@ -348,10 +348,8 @@ static int run(int argc, char *argv[]) { if (streq(verb, "start")) { _cleanup_(user_record_unrefp) UserRecord *ur = NULL; r = userdb_by_name(user, /* match= */ NULL, USERDB_PARSE_NUMERIC|USERDB_SUPPRESS_SHADOW, &ur); - if (r == -ESRCH) - return log_error_errno(r, "User '%s' does not exist: %m", user); if (r < 0) - return log_error_errno(r, "Failed to resolve user '%s': %m", user); + return log_error_errno(r, "Failed to resolve user '%s': %s", user, STRERROR_USER(r)); /* We do two things here: mount the per-user XDG_RUNTIME_DIR, and set up tmpfs quota on /tmp/ * and /dev/shm/. */ diff --git a/src/network/netdev/tuntap.c b/src/network/netdev/tuntap.c index 3c573335c0..1288458819 100644 --- a/src/network/netdev/tuntap.c +++ b/src/network/netdev/tuntap.c @@ -239,10 +239,9 @@ static int tuntap_verify(NetDev *netdev, const char *filename) { r = userdb_by_name(t->user_name, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC, &ur); - if (r == -ENOEXEC) - log_netdev_warning_errno(netdev, r, "User %s is not a system user, ignoring.", t->user_name); - else if (r < 0) - log_netdev_warning_errno(netdev, r, "Cannot resolve user name %s, ignoring: %m", t->user_name); + if (r < 0) + log_netdev_warning_errno(netdev, r, "Cannot resolve user name '%s', ignoring: %s", + t->user_name, STRERROR_USER(r)); else t->uid = ur->uid; } @@ -253,10 +252,9 @@ static int tuntap_verify(NetDev *netdev, const char *filename) { r = groupdb_by_name(t->group_name, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC, &gr); - if (r == -ENOEXEC) - log_netdev_warning_errno(netdev, r, "Group %s is not a system group, ignoring.", t->group_name); - else if (r < 0) - log_netdev_warning_errno(netdev, r, "Cannot resolve group name %s, ignoring: %m", t->group_name); + if (r < 0) + log_netdev_warning_errno(netdev, r, "Cannot resolve group name '%s', ignoring: %s", + t->group_name, STRERROR_GROUP(r)); else t->gid = gr->gid; } diff --git a/src/run/run.c b/src/run/run.c index d1202632ac..510d4c51ab 100644 --- a/src/run/run.c +++ b/src/run/run.c @@ -2748,7 +2748,8 @@ static int start_transient_scope(sd_bus *bus) { r = get_group_creds(&arg_exec_group, &gid, 0); if (r < 0) - return log_error_errno(r, "Failed to resolve group %s: %m", arg_exec_group); + return log_error_errno(r, "Failed to resolve group '%s': %s", + arg_exec_group, STRERROR_GROUP(r)); if (setresgid(gid, gid, gid) < 0) return log_error_errno(errno, "Failed to change GID to " GID_FMT ": %m", gid); @@ -2762,7 +2763,8 @@ static int start_transient_scope(sd_bus *bus) { r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell, USER_CREDS_CLEAN|USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_PREFER_NSS); if (r < 0) - return log_error_errno(r, "Failed to resolve user %s: %m", arg_exec_user); + return log_error_errno(r, "Failed to resolve user '%s': %s", + arg_exec_user, STRERROR_USER(r)); if (home) { r = strv_extendf(&user_env, "HOME=%s", home); diff --git a/src/shared/machine-bind-user.c b/src/shared/machine-bind-user.c index c0fd1a96d0..e0f6ef6650 100644 --- a/src/shared/machine-bind-user.c +++ b/src/shared/machine-bind-user.c @@ -244,8 +244,10 @@ int machine_bind_user_prepare( _cleanup_(group_record_unrefp) GroupRecord *g = NULL, *cg = NULL; r = userdb_by_name(*n, /* match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC|USERDB_DONT_SYNTHESIZE_FOREIGN, &u); + if (r == -ENOEXEC) + return log_error_errno(r, "User '%s' did not pass filter.", *n); if (r < 0) - return log_error_errno(r, "Failed to resolve user '%s': %m", *n); + return log_error_errno(r, "Failed to resolve user '%s': %s", *n, STRERROR_USER(r)); /* For now, let's refuse mapping the root/nobody users explicitly. The records we generate * are strictly additive, nss-systemd is typically placed last in /etc/nsswitch.conf. Thus @@ -266,8 +268,11 @@ int machine_bind_user_prepare( return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot bind user with no UID, refusing."); r = groupdb_by_gid(user_record_gid(u), /* match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC|USERDB_DONT_SYNTHESIZE_FOREIGN, &g); + if (r == -ENOEXEC) + return log_error_errno(r, "Group of user '%s' did not pass filter.", u->user_name); if (r < 0) - return log_error_errno(r, "Failed to resolve group of user '%s': %m", u->user_name); + return log_error_errno(r, "Failed to resolve group of user '%s': %s", + u->user_name, STRERROR_GROUP(r)); /* We want to synthesize exactly one user + group from the host into the machine. This only * makes sense if the user on the host has its own private group. We can't reasonably check diff --git a/src/shared/userdb.c b/src/shared/userdb.c index c7a1595211..99cceb25a4 100644 --- a/src/shared/userdb.c +++ b/src/shared/userdb.c @@ -932,7 +932,7 @@ int userdb_by_name(const char *name, const UserDBMatch *match, UserDBFlags flags r = userdb_start_query(iterator, "io.systemd.UserDatabase.GetUserRecord", /* more= */ false, query, flags); if (r >= 0) { r = userdb_process(iterator, &ur, /* ret_group_record= */ NULL, /* ret_user_name= */ NULL, /* ret_group_name= */ NULL); - if (r == -ENOEXEC) /* found a user matching UID or name, but not filter. In this case the + if (r == -ENOEXEC) /* Found a user matching UID or name, but not filter. In this case the * fallback paths below are pointless */ return r; } diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c index 981c6a5198..8def2a16de 100644 --- a/src/tmpfiles/tmpfiles.c +++ b/src/tmpfiles/tmpfiles.c @@ -3992,7 +3992,8 @@ static int parse_line( missing_user_or_group = true; } else if (r < 0) { *invalid_config = true; - return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to resolve user '%s': %m", u); + return log_syntax(NULL, LOG_ERR, fname, line, r, + "Failed to resolve user '%s': %s", u, STRERROR_USER(r)); } else i.uid_set = true; } @@ -4013,7 +4014,8 @@ static int parse_line( missing_user_or_group = true; } else if (r < 0) { *invalid_config = true; - return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to resolve group '%s': %m", g); + return log_syntax(NULL, LOG_ERR, fname, line, r, + "Failed to resolve group '%s': %s", g, STRERROR_GROUP(r)); } else i.gid_set = true; } diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c index 87c57d7487..543ad9be06 100644 --- a/src/udev/udev-rules.c +++ b/src/udev/udev-rules.c @@ -512,12 +512,10 @@ static int rule_resolve_user(UdevRuleLine *rule_line, const char *name, uid_t *r r = userdb_by_name(name, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC, &ur); - if (r == -ESRCH) - return log_line_error_errno(rule_line, r, "Unknown user '%s', ignoring.", name); - if (r == -ENOEXEC) - return log_line_error_errno(rule_line, r, "User '%s' is not a system user, ignoring.", name); if (r < 0) - return log_line_error_errno(rule_line, r, "Failed to resolve user '%s', ignoring: %m", name); + return log_line_error_errno(rule_line, r, + "Failed to resolve user '%s', ignoring: %s", + name, STRERROR_USER(r)); _cleanup_free_ char *n = strdup(name); if (!n) @@ -549,12 +547,10 @@ static int rule_resolve_group(UdevRuleLine *rule_line, const char *name, gid_t * r = groupdb_by_name(name, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC, &gr); - if (r == -ESRCH) - return log_line_error_errno(rule_line, r, "Unknown group '%s', ignoring.", name); - if (r == -ENOEXEC) - return log_line_error_errno(rule_line, r, "Group '%s' is not a system group, ignoring.", name); if (r < 0) - return log_line_error_errno(rule_line, r, "Failed to resolve group '%s', ignoring: %m", name); + return log_line_error_errno(rule_line, r, + "Failed to resolve group '%s', ignoring: %s", + name, STRERROR_GROUP(r)); _cleanup_free_ char *n = strdup(name); if (!n) @@ -2681,12 +2677,10 @@ static int udev_rule_apply_token_to_event( r = userdb_by_name(owner, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC, &ur); - if (r == -ESRCH) - log_event_error_errno(event, token, r, "Unknown user \"%s\", ignoring.", owner); - else if (r == -ENOEXEC) - log_event_error(event, token, "User \"%s\" is not a system user, ignoring.", owner); - else if (r < 0) - log_event_error_errno(event, token, r, "Failed to resolve user \"%s\", ignoring: %m", owner); + if (r < 0) + log_event_error_errno(event, token, r, + "Failed to resolve user \"%s\", ignoring: %s", + owner, STRERROR_USER(r)); else { event->uid = ur->uid; log_event_debug(event, token, "Set owner: %s("UID_FMT")", owner, event->uid); @@ -2709,12 +2703,10 @@ static int udev_rule_apply_token_to_event( r = groupdb_by_name(group, &USERDB_MATCH_ROOT_AND_SYSTEM, USERDB_SUPPRESS_SHADOW | USERDB_PARSE_NUMERIC | USERDB_SYNTHESIZE_NUMERIC, &gr); - if (r == -ESRCH) - log_event_error_errno(event, token, r, "Unknown group \"%s\", ignoring.", group); - else if (r == -ENOEXEC) - log_event_error(event, token, "Group \"%s\" is not a system group, ignoring.", group); - else if (r < 0) - log_event_error_errno(event, token, r, "Failed to resolve group \"%s\", ignoring: %m", group); + if (r < 0) + log_event_error_errno(event, token, r, + "Failed to resolve group \"%s\", ignoring: %s", + group, STRERROR_GROUP(r)); else { event->gid = gr->gid; log_event_debug(event, token, "Set group: %s("GID_FMT")", group, event->gid); diff --git a/test/units/TEST-17-UDEV.verify.sh b/test/units/TEST-17-UDEV.verify.sh index 8252b630d3..5b6baa4280 100755 --- a/test/units/TEST-17-UDEV.verify.sh +++ b/test/units/TEST-17-UDEV.verify.sh @@ -309,15 +309,15 @@ assert_0 "${rules}" test_syntax_error 'OWNER=":nosuchuser:"' "Failed to resolve user ':nosuchuser:', ignoring: Invalid argument" # nonexistent user if ! getent passwd nosuchuser >/dev/null; then - test_syntax_error 'OWNER="nosuchuser"' "Unknown user 'nosuchuser', ignoring." + test_syntax_error 'OWNER="nosuchuser"' "Failed to resolve user 'nosuchuser', ignoring: Unknown user" fi if ! getent passwd 12345 >/dev/null; then - test_syntax_error 'OWNER="12345"' "Unknown user '12345', ignoring." + test_syntax_error 'OWNER="12345"' "Failed to resolve user '12345', ignoring: Unknown user" fi # regular user if getent passwd testuser >/dev/null; then - test_syntax_error 'OWNER="testuser"' "User 'testuser' is not a system user, ignoring." - test_syntax_error "OWNER=\"$(id -u testuser)\"" "User '$(id -u testuser)' is not a system user, ignoring." + test_syntax_error 'OWNER="testuser"' "Failed to resolve user 'testuser', ignoring: Not a system user" + test_syntax_error "OWNER=\"$(id -u testuser)\"" "Failed to resolve user '$(id -u testuser)', ignoring: Not a system user" fi test_syntax_error 'GROUP{a}="b"' 'Invalid attribute for GROUP.' test_syntax_error 'GROUP-="b"' 'Invalid operator for GROUP.' @@ -341,15 +341,15 @@ assert_0 "${rules}" test_syntax_error 'GROUP=":nosuchgroup:"' "Failed to resolve group ':nosuchgroup:', ignoring: Invalid argument" # nonexistent group if ! getent group nosuchgroup >/dev/null; then - test_syntax_error 'GROUP="nosuchgroup"' "Unknown group 'nosuchgroup', ignoring." + test_syntax_error 'GROUP="nosuchgroup"' "Failed to resolve group 'nosuchgroup', ignoring: Unknown group" fi if ! getent group 12345 >/dev/null; then - test_syntax_error 'GROUP="12345"' "Unknown group '12345', ignoring." + test_syntax_error 'GROUP="12345"' "Failed to resolve group '12345', ignoring: Unknown group" fi # regular group if getent group testuser >/dev/null; then - test_syntax_error 'GROUP="testuser"' "Group 'testuser' is not a system group, ignoring." - test_syntax_error "GROUP=\"$(id -g testuser)\"" "Group '$(id -g testuser)' is not a system group, ignoring." + test_syntax_error 'GROUP="testuser"' "Failed to resolve group 'testuser', ignoring: Not a system group" + test_syntax_error "GROUP=\"$(id -g testuser)\"" "Failed to resolve group '$(id -g testuser)', ignoring: Not a system group" fi test_syntax_error 'MODE{a}="b"' 'Invalid attribute for MODE.' test_syntax_error 'MODE-="b"' 'Invalid operator for MODE.'