
  1. package idtools
  2. import (
  3. "fmt"
  4. "regexp"
  5. "sort"
  6. "strconv"
  7. "strings"
  8. "sync"
  9. )
// Creating the user/group pair shells out to the distribution's own tooling
// rather than editing /etc/passwd and /etc/group by hand:
//
//	adduser --system --shell /bin/false --disabled-login --disabled-password --no-create-home --group <username>
//	useradd -r -s /bin/false <username>
//
// Subordinate ID ranges are then attached to the user with usermod -v / -w.

// once guards the one-time resolution of userCommand in addUser; after the
// first resolution the choice is never revisited for the life of the process.
var (
	once        sync.Once
	userCommand string // "adduser" or "useradd"; empty when neither resolved
)

// cmdTemplates maps each binary to the argument string it is invoked with.
// Every template is filled in with fmt.Sprintf: the final %s is always the
// username, and the usermod template additionally takes the option letter
// (v for subuid, w for subgid) and the inclusive first/last ID of the range.
var cmdTemplates = map[string]string{
	"adduser": "--system --shell /bin/false --no-create-home --disabled-login --disabled-password --group %s",
	"useradd": "-r -s /bin/false %s",
	"usermod": "-%s %d-%d %s",
}

// idOutRegexp pulls the numeric uid and gid out of `id <name>` output, which
// is expected to look like "uid=N(name) gid=N(name) groups=...".
var idOutRegexp = regexp.MustCompile(`uid=([0-9]+).*gid=([0-9]+)`)

// Subordinate ranges handed out by this package are defaultRangeLen IDs long,
// and the search for a free range begins at defaultRangeStart.
var (
	defaultRangeLen   = 65536
	defaultRangeStart = 100000
)

// userMod is the binary used to attach subordinate ranges to an existing user.
var userMod = "usermod"
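// AddNamespaceRangesUser creates a system user/group pair called name with the
// distribution's user-management tooling, then makes sure the user owns a
// subordinate UID range and a subordinate GID range in /etc/subuid and
// /etc/subgid (system users are not handed those ranges automatically). The
// ranges are what user-namespace remapping in containers is built on.
//
// It returns the new user's uid and gid as reported by `id`, or (-1, -1, err)
// when any step fails.
func AddNamespaceRangesUser(name string) (int, int, error) {
	// name is spliced unquoted into the adduser/useradd/usermod argument
	// templates (cmdTemplates) with fmt.Sprintf. Refuse the values those tools
	// would misread before anything is executed: an empty name, a name that
	// starts with '-' (which would be read as an option), and a name containing
	// whitespace (which would be split into extra arguments). The tools apply
	// their own stricter naming policy on top of this check.
	if name == "" || strings.HasPrefix(name, "-") || strings.ContainsAny(name, " \t\r\n") {
		return -1, -1, fmt.Errorf("Error adding user %q: name must be non-empty, must not start with '-' and must not contain whitespace", name)
	}
	if err := addUser(name); err != nil {
		return -1, -1, fmt.Errorf("Error adding user %q: %v", name, err)
	}
	// Ask the system which ids it actually assigned; idOutRegexp expects the
	// usual "uid=N(name) gid=N(name) ..." shape of `id` output.
	out, err := execCmd("id", name)
	if err != nil {
		return -1, -1, fmt.Errorf("Error trying to find uid/gid for new user %q: %v", name, err)
	}
	matches := idOutRegexp.FindStringSubmatch(strings.TrimSpace(string(out)))
	if len(matches) != 3 {
		return -1, -1, fmt.Errorf("Can't find uid, gid from `id` output: %q", string(out))
	}
	uid, err := strconv.Atoi(matches[1])
	if err != nil {
		return -1, -1, fmt.Errorf("Can't convert found uid (%s) to int: %v", matches[1], err)
	}
	gid, err := strconv.Atoi(matches[2])
	if err != nil {
		return -1, -1, fmt.Errorf("Can't convert found gid (%s) to int: %v", matches[2], err)
	}
	// System users do not get auto-created subuid/subgid entries, so allocate
	// them here; createSubordinateRanges skips any kind of range the user
	// already has.
	if err := createSubordinateRanges(name); err != nil {
		return -1, -1, fmt.Errorf("Couldn't create subordinate ID ranges: %v", err)
	}
	return uid, gid, nil
}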
// addUser creates the system user userName with whichever of adduser or
// useradd resolves on this host, using the matching entry of cmdTemplates.
// It returns an error when neither binary is found or the command fails.
func addUser(userName string) error {
	once.Do(func() {
		// Resolve the distro's user-management binary exactly once; the first
		// candidate that resolves wins, and userCommand stays empty if none do.
		for _, candidate := range []string{"adduser", "useradd"} {
			if _, err := resolveBinary(candidate); err == nil {
				userCommand = candidate
				break
			}
		}
	})
	if userCommand == "" {
		return fmt.Errorf("Cannot add user; no useradd/adduser binary found")
	}
	argv := fmt.Sprintf(cmdTemplates[userCommand], userName)
	output, err := execCmd(userCommand, argv)
	if err != nil {
		return fmt.Errorf("Failed to add user with error: %v; output: %q", err, string(output))
	}
	return nil
}
// createSubordinateRanges gives name a subordinate UID range and a
// subordinate GID range, each defaultRangeLen IDs long, unless the user
// already has one of that kind (distro tooling may have created it). Ranges
// are attached with usermod -v (subuid) and usermod -w (subgid).
func createSubordinateRanges(name string) error {
	existingUIDs, err := parseSubuid(name)
	if err != nil {
		return fmt.Errorf("Error while looking for subuid ranges for user %q: %v", name, err)
	}
	if len(existingUIDs) == 0 {
		start, err := findNextUIDRange()
		if err != nil {
			return fmt.Errorf("Can't find available subuid range: %v", err)
		}
		end := start + defaultRangeLen - 1 // usermod takes an inclusive first-last pair
		args := fmt.Sprintf(cmdTemplates[userMod], "v", start, end, name)
		if out, err := execCmd(userMod, args); err != nil {
			return fmt.Errorf("Unable to add subuid range to user: %q; output: %s, err: %v", name, out, err)
		}
	}

	existingGIDs, err := parseSubgid(name)
	if err != nil {
		return fmt.Errorf("Error while looking for subgid ranges for user %q: %v", name, err)
	}
	if len(existingGIDs) == 0 {
		start, err := findNextGIDRange()
		if err != nil {
			return fmt.Errorf("Can't find available subgid range: %v", err)
		}
		end := start + defaultRangeLen - 1
		args := fmt.Sprintf(cmdTemplates[userMod], "w", start, end, name)
		if out, err := execCmd(userMod, args); err != nil {
			return fmt.Errorf("Unable to add subgid range to user: %q; output: %s, err: %v", name, out, err)
		}
	}
	return nil
}
// findNextUIDRange returns the first start ID at which a defaultRangeLen-long
// subordinate UID range fits without colliding with anything already in
// /etc/subuid. The "ALL" argument presumably asks parseSubuid for every entry
// rather than one user's.
func findNextUIDRange() (int, error) {
	all, err := parseSubuid("ALL")
	if err != nil {
		return -1, fmt.Errorf("Couldn't parse all ranges in /etc/subuid file: %v", err)
	}
	// findNextRangeStart walks the list in order, so sort it first.
	sort.Sort(all)
	return findNextRangeStart(all)
}
// findNextGIDRange returns the first start ID at which a defaultRangeLen-long
// subordinate GID range fits without colliding with anything already in
// /etc/subgid. The "ALL" argument presumably asks parseSubgid for every entry
// rather than one user's.
func findNextGIDRange() (int, error) {
	all, err := parseSubgid("ALL")
	if err != nil {
		return -1, fmt.Errorf("Couldn't parse all ranges in /etc/subgid file: %v", err)
	}
	// findNextRangeStart walks the list in order, so sort it first.
	sort.Sort(all)
	return findNextRangeStart(all)
}
// findNextRangeStart picks a start ID for a new defaultRangeLen-long range,
// beginning at defaultRangeStart and hopping past every existing range in
// rangeList the candidate would collide with. Callers sort rangeList first;
// the single pass relies on that order. The error result is always nil and is
// kept only for the callers' signature.
func findNextRangeStart(rangeList ranges) (int, error) {
	candidate := defaultRangeStart
	for _, existing := range rangeList {
		if !wouldOverlap(existing, candidate) {
			continue
		}
		// Collision: restart the candidate just past this range.
		candidate = existing.Start + existing.Length
	}
	return candidate, nil
}
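// wouldOverlap reports whether a new subordinate range of defaultRangeLen IDs
// starting at ID would share any ID with the existing range arange.
//
// Both ranges are treated as half-open intervals, [ID, ID+defaultRangeLen)
// and [arange.Start, arange.Start+arange.Length); they intersect exactly when
// each one starts before the other ends. The previous endpoint-only test
// missed a new range that completely contains a shorter existing one, which
// would have handed the same subordinate IDs to two users and broken the
// isolation the ranges exist to provide. It also no longer reports two
// merely adjacent ranges as overlapping.
func wouldOverlap(arange subIDRange, ID int) bool {
	newStart := ID
	newEnd := ID + defaultRangeLen // exclusive
	existingStart := arange.Start
	existingEnd := arange.Start + arange.Length // exclusive
	return newStart < existingEnd && existingStart < newEnd
}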