This commit does three things atomically:
- switch over Core::Account+SystemServer+LoginServer to sid based socket
names.
- change socket names with %uid to %sid.
- add/update necessary pledges and unveils.
Userland: Switch over servers to sid based sockets
Userland: Properly pledge and unveil for sid based sockets
Since we already have the directory open, let's have an API to fchown()
the underlying file descriptor instead of forcing clients to do another
path lookup.
Other programs use Core::Account::login(), notably su(1), which stopped
working due to a missing "cpath" pledge promise.
This patch moves the /tmp/user/ creation logic to a separate function
that LoginServer can call.
This patch allows to insert "%uid" in `IPC_CLIENT_CONNECTION`
declaration and in SystemServer's ini files. This pattern is replaced
then replaced by the UID of the owner of the service. It opens a path
for seamlessly managed, per-user portal.
The `/tmp/user` directory is owned by root, this solution prevents
malicious users to interfere with other users' portals.
This commit also moves `launch`'s portal in the user directory.
Various changes are needed to support this:
- The directory is created by Core::Account on login (and located in
/tmp).
- Service's sockets are now deleted on exit (to allow re-creation)
- SystemServer needs to handle SIGTERM to correctly destroy services.
Each of these strings would previously rely on StringView's char const*
constructor overload, which would call __builtin_strlen on the string.
Since we now have operator ""sv, we can replace these with much simpler
versions. This opens the door to being able to remove
StringView(char const*).
No functional changes.
Error::from_string_literal now takes direct char const*s, while
Error::from_string_view does what Error::from_string_literal used to do:
taking StringViews. This change will remove the need to insert `sv`
after error strings when returning string literal errors once
StringView(char const*) is removed.
No functional changes.
This commit moves the length calculations out to be directly on the
StringView users. This is an important step towards the goal of removing
StringView(char const*), as it moves the responsibility of calculating
the size of the string to the user of the StringView (which will prevent
naive uses causing OOB access).
This is not strictly required, as we are comparing hashes, not the
password it self. However given this is generic code that could be
used anywhere in the system, it seems prudent to be cautious and
make sure we don't inadvertently leak any information about the hash
via timing attacks in future usages of `LibCore::Account`.
Reported-by: Jessica Hamilton <jessica.l.hamilton@gmail.com>
- Use umask() to prevent the parent process from tampering with the mode
bits of replacement passwd and shadow files.
- Use fchmod() to set new shadow files to mode 0600.
This matches the API of Account::authenticate. The only caller to this
API is the passwd utility, which already has the new password stored as
a SecretString.
LibCore::Account::generate_passwd_file should follow
generate_shadow_file by conditionally checking for the username.
Previously, usermod's set_uid changes would not reflect in the updated
passwd file as m_uid had already been changed to the updated value.
When LibC/shadow.cpp parses shadow entries in getspent, it sets the
spwd member value to disabled (-1) if the value is empty. When
Core::Account::sync calls getspent to generate a new shadow file, it
would recieve the -1 values and write them in the shadow file. This
would cause the /etc/shadow file to be cluttered with disabled values
after any password change.
This patch checks if the spwd member value is disabled, and prints the
appropriate value to the shadow file.
The user's GID is already available via gid(), and it's not "extra", so
don't include it in extra_gids() again. Also rename the internally used
function from get_gids() to get_extra_gids() to make its purpose more
clear.
SPDX License Identifiers are a more compact / standardized
way of representing file license information.
See: https://spdx.dev/resources/use/#identifiers
This was done with the `ambr` search and replace tool.
ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt *
This is basically just for consistency, it's quite strange to see
multiple AK container types next to each other, some with and some
without the namespace prefix - we're 'using AK::Foo;' a lot and should
leverage that. :^)
(...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED)
Since all of these checks are done in release builds as well,
let's rename them to VERIFY to prevent confusion, as everyone is
used to assertions being compiled out in release.
We can introduce a new ASSERT macro that is specifically for debug
checks, but I'm doing this wholesale conversion first since we've
accumulated thousands of these already, and it's not immediately
obvious which ones are suitable for ASSERT.
If a user is missing from /etc/shadow, we used to just allow anyone to
authenticate as that user without a password.
With this patch, authentication will instead always fail.
Now that we've moved to atomic replacement of these files when altering
them, we don't need to keep them open for the lifetime of Core::Account
so just simplify this and close them when they are not needed.
Before this patch, we had a nasty race condition when changing a user's
password: there was a time window between truncating /etc/shadow and
writing out its new contents, where you could simply "su" to root
without using a password.
Instead of writing directly to /etc/passwd and /etc/shadow, we now
create temporary files in /etc and fill them with the new contents.
Those files are then atomically renamed to /etc/passwd and /etc/shadow.
Sadly, fixing this race requires giving the passwd program a lot more
privileges. This is something we can and should improve upon. :^)
