Daemon user creation for Alpine and Illumos and general user creation improvements

Author: gershnik

cmake/detect_system.cmake

@@ -82,19 +82,70 @@ check_cxx_source_compiles("
     }"
 HAVE_ABI_CXA_THROW)
 
+if (NOT DEFINED USERADD_PATH)
+    find_program(USERADD_PATH useradd PATHS /usr/sbin /bin NO_DEFAULT_PATH)
+    if (USERADD_PATH)
+        message(STATUS "Looking for useradd - found at ${USERADD_PATH}")
+    else()
+        message(STATUS "Looking for useradd - not found")
+    endif()
+endif()
+
+if (NOT DEFINED GROUPADD_PATH)
+    find_program(GROUPADD_PATH groupadd PATHS /usr/sbin /bin NO_DEFAULT_PATH)
+    if (GROUPADD_PATH)
+        message(STATUS "Looking for groupadd - found at ${GROUPADD_PATH}")
+    else()
+        message(STATUS "Looking for groupadd - not found")
+    endif()
+endif()
 
-find_program(USERADD_PATH useradd PATHS /usr/sbin NO_DEFAULT_PATH)
-if (USERADD_PATH)
-    set(HAVE_USERADD ON CACHE INTERNAL "Whether platform has useradd command")
-else()
-    set(HAVE_USERADD OFF CACHE INTERNAL "Whether platform has useradd command")
+if (NOT DEFINED PW_PATH)
+    find_program(PW_PATH pw PATHS /usr/sbin NO_DEFAULT_PATH)
+    if (PW_PATH)
+        message(STATUS "Looking for pw - found at ${PW_PATH}")
+    else()
+        message(STATUS "Looking for pw - not found")
+    endif()
 endif()
 
-find_program(PW_PATH pw PATHS /usr/sbin NO_DEFAULT_PATH)
-if (PW_PATH)
-    set(HAVE_PW ON CACHE INTERNAL "Whether platform has pw command")
-else()
-    set(HAVE_PW OFF CACHE INTERNAL "Whether platform has pw command")
+# Alpine Linux needs special treatment
+
+if (NOT DEFINED IS_ALPINE_LINUX)
+    if(EXISTS "/etc/os-release")
+        file(STRINGS "/etc/os-release" OS_RELEASE_CONTENTS)
+        foreach(line IN LISTS OS_RELEASE_CONTENTS)
+            if(line MATCHES "^ID=alpine$")
+                set(IS_ALPINE_LINUX TRUE CACHE INTERNAL "whether this is Alpine Linux")
+                message(STATUS "This is Alpine Linux")
+                break()
+            endif()
+        endforeach()
+    endif()
+    if (NOT DEFINED IS_ALPINE_LINUX)
+        set(IS_ALPINE_LINUX FALSE CACHE INTERNAL "whether this is Alpine Linux")
+    endif()
+endif()
+
+if(IS_ALPINE_LINUX)
+    if (NOT DEFINED ADDUSER_PATH)
+        find_program(ADDUSER_PATH adduser PATHS /usr/sbin NO_DEFAULT_PATH)
+        if (ADDUSER_PATH)
+            message(STATUS "Looking for adduser - found at ${ADDUSER_PATH}")
+        else()
+            message(STATUS "Looking for adduser - not found")
+        endif()
+    endif()
+
+    if (NOT DEFINED ADDGROUP_PATH)
+        find_program(ADDGROUP_PATH addgroup PATHS /usr/sbin NO_DEFAULT_PATH)
+        if (ADDGROUP_PATH)
+            message(STATUS "Looking for addgroup - found at ${ADDGROUP_PATH}")
+        else()
+            message(STATUS "Looking for addgroup - not found")
+        endif()
+    endif()
+
 endif()
 
 if (WSDDN_WITH_SYSTEMD STREQUAL "yes" OR WSDDN_WITH_SYSTEMD STREQUAL "auto" AND NOT DEFINED CACHE{HAVE_SYSTEMD})

src/app_state.cpp

@@ -69,23 +69,24 @@ void AppState::init() {
     if (getuid() == 0) {
 
         if (!m_currentCommandLine.runAs) {
-#if CAN_CREATE_USERS
             WSDLOG_DEBUG("Running as root but no account to run under is specified in configuration. Using {}", WSDDN_DEFAULT_USER_NAME);
             auto pwd = ptl::Passwd::getByName(WSDDN_DEFAULT_USER_NAME);
             if (pwd) {
                 m_currentCommandLine.runAs = Identity(pwd->pw_uid, pwd->pw_gid);
             } else  {
-                WSDLOG_INFO("User {} does not exist, creating", WSDDN_DEFAULT_USER_NAME);
+                WSDLOG_INFO("User {} does not exist, trying to create", WSDDN_DEFAULT_USER_NAME);
                 m_currentCommandLine.runAs = Identity::createDaemonUser(WSDDN_DEFAULT_USER_NAME);
+            
+                if (!m_currentCommandLine.runAs) {
+                    WSDLOG_INFO("User creation is not supported on this platform");
+                    WSDLOG_CRITICAL("Running network service as a root is extremely insecure and is not allowed.\n"
+                                    "Please use one of the following approaches: \n"
+                                    "  * pass `--user username` command line option to specify which account to run network code under\n"
+                                    "  * start " WSDDN_PROGNAME " under a non-root account (if using systemd consider DynamicUser approach)"
+                    );
+                    exit(EXIT_FAILURE);
+                }
             }
-#else
-            WSDLOG_CRITICAL("Running network service as a root is extremely insecure and is not allowed.\n"
-                            "Please use one of the following approaches: \n"
-                            "  * pass `--user username` command line option to specify which account to run network code under\n"
-                            "  * start " WSDDN_PROGNAME " under a non-root account (if using systemd consider DynamicUser approach)"
-            );
-            exit(EXIT_FAILURE);
-#endif
         }
         if (!m_currentCommandLine.chrootDir) {
             WSDLOG_DEBUG("Running as root but no chroot specified in configuration. Using {}", WSDDN_DEFAULT_CHROOT_DIR);

src/sys_config.h.in

@@ -14,18 +14,26 @@
 #cmakedefine01 HAVE_CXXABI_H
 #cmakedefine01 HAVE_ABI_CXA_THROW
 #cmakedefine01 HAVE_SYSTEMD
-#cmakedefine01 HAVE_USERADD
-#cmakedefine01 HAVE_PW
+#cmakedefine01 IS_ALPINE_LINUX
 
 #cmakedefine LIBSYSTEMD_SO "${LIBSYSTEMD_SO}"
 
+#cmakedefine USERADD_PATH "${USERADD_PATH}"
+#cmakedefine GROUPADD_PATH "${GROUPADD_PATH}"
+#cmakedefine PW_PATH "${PW_PATH}"
+#cmakedefine ADDUSER_PATH "${ADDUSER_PATH}"
+#cmakedefine ADDGROUP_PATH "${ADDGROUP_PATH}"
 
 #if (defined(__APPLE__) && defined(__MACH__))
     #define WSDDN_PLATFORM_APPLE 1
     #define ADMIN_GROUP_NAME "admin"
     #define WSDDN_DEFAULT_USER_NAME "_wsddn"
     #define WSDDN_DEFAULT_CHROOT_DIR "/var/empty"
     #define WSDDN_BUNDLE_IDENTIFIER "@WSDDN_BUNDLE_IDENTIFIER@"
+#elif defined(__FreeBSD__)
+    #define WSDDN_PLATFORM_APPLE 0
+    #define WSDDN_DEFAULT_USER_NAME "wsddn"
+    #define WSDDN_DEFAULT_CHROOT_DIR "/var/empty"
 #elif defined(__OpenBSD__)
     #define WSDDN_PLATFORM_APPLE 0
     #define WSDDN_DEFAULT_USER_NAME "_wsddn"
@@ -34,6 +42,10 @@
     #define WSDDN_PLATFORM_APPLE 0
     #define WSDDN_DEFAULT_USER_NAME "_wsddn"
     #define WSDDN_DEFAULT_CHROOT_DIR "/var/chroot/wsddn"
+#elif defined(__sun) || defined(__HAIKU__)
+    #define WSDDN_PLATFORM_APPLE 0
+    #define WSDDN_DEFAULT_USER_NAME "wsddn"
+    #define WSDDN_DEFAULT_CHROOT_DIR "/var/empty"
 #else
     #define WSDDN_PLATFORM_APPLE 0
     #define WSDDN_DEFAULT_USER_NAME "wsddn"
@@ -47,9 +59,6 @@
 #define HAVE_OS_LOG WSDDN_PLATFORM_APPLE
 
 
-#define CAN_CREATE_USERS HAVE_APPLE_USER_CREATION || HAVE_USERADD || HAVE_PW
-
-
 #define WSDDN_VERSION "@WSDDN_VERSION@"
 #define WSDDN_PROGNAME "$<TARGET_FILE_NAME:wsddn>"
 

src/sys_util.cpp

@@ -10,45 +10,104 @@ const char * OsLogHandle::s_category = "main";
 
 #endif
 
-#if HAVE_USERADD || HAVE_PW
+#if !HAVE_APPLE_USER_CREATION
 
-auto Identity::createDaemonUser(const sys_string & name) -> Identity {
+    static auto runCreateDaemonUserCommands([[maybe_unused]] const sys_string & name) -> bool {
+
+    #if defined(__linux__) && defined(USERADD_PATH)
+
+        (void)run({USERADD_PATH, "-r", "-d", WSDDN_DEFAULT_CHROOT_DIR, "-s", "/bin/false", name.c_str()});
+        return true;
+
+    #elif defined(__linux__) && defined(IS_ALPINE_LINUX) && defined(ADDUSER_PATH) && defined(ADDGROUP_PATH)
+    
+        //The second addgroup instead of -G for adduser is necessary since for some reason -G doesn't 
+        //modify /etc/group when run from here
+        (void)run({ADDGROUP_PATH, "-S", name.c_str()});
+        (void)run({ADDUSER_PATH, "-S", "-D", "-H", "-h", "/var/empty", "-s", "/sbin/nologin", "-g", name.c_str(), name.c_str()});
+        (void)run({ADDGROUP_PATH, name.c_str(), name.c_str()});
+        return true;
+
+    #elif (defined(__OpenBSD__) || defined(__NetBSD__)) && defined(USERADD_PATH)
 
-#if HAVE_USERADD
-    #ifdef __linux__
-        sys_string command = S("useradd -r -d " WSDDN_DEFAULT_CHROOT_DIR " -s /bin/false '") + name + S("'");
-    #else
-        sys_string command = S("useradd -L daemon -g =uid -d " WSDDN_DEFAULT_CHROOT_DIR " -s /sbin/nologin -c \"WS-Discovery Daemon\" '") + name + S("'");
         createMissingDirs(WSDDN_DEFAULT_CHROOT_DIR, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, Identity::admin());
+        (void)run({USERADD_PATH, "-L", "daemon", "-g", "=uid", "-d", WSDDN_DEFAULT_CHROOT_DIR, "-s", "/sbin/nologin", "-c", "WS-Discovery Daemon", name.c_str()});
+        return true;
+
+    #elif defined(__HAIKU__) && defined(USERADD_PATH) && defined(GROUPADD_PATH)
+
+        (void)run({GROUPADD_PATH, name.c_str()});
+        (void)run({USERADD_PATH, "-g", name.c_str(), "-d", WSDDN_DEFAULT_CHROOT_DIR, "-s", "/bin/false", "-n", "WS-Discovery Daemon", name.c_str()});
+        return true;
+
+    #elif defined(__FreeBSD__) && defined(PW_PATH)
+
+        (void)run({PW_PATH, "adduser", name.c_str(), "-d", WSDDN_DEFAULT_CHROOT_DIR, "-s", "/usr/sbin/nologin", "-c", "WS-Discovery Daemon User"});
+        return true;
+
+    #elif defined(__sun) && defined(USERADD_PATH) && defined(GROUPADD_PATH)
+
+        (void)run({GROUPADD_PATH, name.c_str()});
+        (void)run({USERADD_PATH, "-g", name.c_str(), "-d", WSDDN_DEFAULT_CHROOT_DIR, "-s", "/bin/false", "-c", "WS-Discovery Daemon User", name.c_str()});
+        return true;
+
+    #else
+
+        return false;
+
     #endif
-#elif HAVE_PW
-    sys_string command = S("pw adduser '") + name + S("' -d " WSDDN_DEFAULT_CHROOT_DIR " -s /bin/false -c \"WS-Discovery Daemon User\"");
+    }
+
+    auto Identity::createDaemonUser(const sys_string & name) -> std::optional<Identity> {
+
+        if (!runCreateDaemonUserCommands(name))
+            return {};
+        auto pwd = ptl::Passwd::getByName(name);
+        if (!pwd)
+            throw std::runtime_error(fmt::format("unable to create user {}", name));
+        return Identity(pwd->pw_uid, pwd->pw_gid);
+    }
+
 #endif
-    (void)!system(command.c_str());
-    auto pwd = ptl::Passwd::getByName(name);
-    if (!pwd)
-        throw std::runtime_error(fmt::format("unable to create user {}", name));
-    return Identity(pwd->pw_uid, pwd->pw_gid);
-}
 
+int run(const ptl::StringRefArray & args) {
+    ptl::SpawnAttr spawnAttr;
+#ifndef __HAIKU__
+    spawnAttr.setFlags(POSIX_SPAWN_SETSIGDEF);
+    auto sigs = ptl::SignalSet::all();
+    sigs.del(SIGKILL);
+    sigs.del(SIGSTOP);
+    spawnAttr.setSigDefault(sigs);
 #endif
+    
+    auto proc = spawn(args, ptl::SpawnSettings().attr(spawnAttr).usePath());
+    
+    auto stat = proc.wait().value();
+    if (WIFEXITED(stat))
+        return WEXITSTATUS(stat);
+    if (WIFSIGNALED(stat))
+        return 128+WTERMSIG(stat);
+    throw std::runtime_error(fmt::format("`{} finished with status 0x{:X}`", args, stat));
+}
 
 void shell(const ptl::StringRefArray & args, bool suppressStdErr, std::function<void (const ptl::FileDescriptor & fd)> reader) {
     auto [read, write] = ptl::Pipe::create();
     ptl::SpawnAttr spawnAttr;
+#ifndef __HAIKU__
     spawnAttr.setFlags(POSIX_SPAWN_SETSIGDEF);
     auto sigs = ptl::SignalSet::all();
     sigs.del(SIGKILL);
     sigs.del(SIGSTOP);
     spawnAttr.setSigDefault(sigs);
+#endif
 
     ptl::SpawnFileActions act;
     act.addDuplicateTo(write, stdout);
     act.addClose(read);
     if (suppressStdErr) {
        act.addOpen(stderr, "/dev/null", O_WRONLY, 0);
     }
-    auto proc = spawn(args, ptl::SpawnSettings().fileActions(act).usePath());
+    auto proc = spawn(args, ptl::SpawnSettings().attr(spawnAttr).fileActions(act).usePath());
     write.close();
 
     reader(read);

src/sys_util.h

@@ -31,11 +31,7 @@ class Identity {
 #endif
     }
 
-#if CAN_CREATE_USERS
-
-    static auto createDaemonUser(const sys_string & name) -> Identity;
-
-#endif
+    static auto createDaemonUser(const sys_string & name) -> std::optional<Identity>;
 
     void setMyIdentity() const {
         ptl::setGroups({});
@@ -202,6 +198,7 @@ class LineReader {
     Sink m_sink;
 };
 
+int run(const ptl::StringRefArray & args);
 void shell(const ptl::StringRefArray & args, bool suppressStdErr, std::function<void (const ptl::FileDescriptor & fd)> reader);
 
 

src/sys_util_mac.cpp

@@ -201,7 +201,7 @@ static auto createRecordWithUniqueId(const cf_ptr<ODNodeRef> & localNode,
     return {record, idValue};
 }
 
-auto Identity::createDaemonUser(const sys_string & name) -> Identity {
+auto Identity::createDaemonUser(const sys_string & name) -> std::optional<Identity> {
 
     cf_ptr<CFErrorRef> err;