Normalizing non-mac user creation logic

Author: gershnik

cmake/detect_system.cmake

@@ -82,19 +82,31 @@ check_cxx_source_compiles("
     }"
 HAVE_ABI_CXA_THROW)
 
+if (NOT DEFINED USERADD_PATH)
+    find_program(USERADD_PATH useradd PATHS /usr/sbin /bin NO_DEFAULT_PATH)
+    if (USERADD_PATH)
+        message(STATUS "Looking for useradd - found at ${USERADD_PATH}")
+    else()
+        message(STATUS "Looking for useradd - not found")
+    endif()
+endif()
 
-find_program(USERADD_PATH useradd PATHS /usr/sbin /bin NO_DEFAULT_PATH)
-if (USERADD_PATH)
-    set(HAVE_USERADD ON CACHE INTERNAL "Whether platform has useradd command")
-else()
-    set(HAVE_USERADD OFF CACHE INTERNAL "Whether platform has useradd command")
+if (NOT DEFINED GROUPADD_PATH)
+    find_program(GROUPADD_PATH groupadd PATHS /usr/sbin /bin NO_DEFAULT_PATH)
+    if (GROUPADD_PATH)
+        message(STATUS "Looking for groupadd - found at ${GROUPADD_PATH}")
+    else()
+        message(STATUS "Looking for groupadd - not found")
+    endif()
 endif()
 
-find_program(PW_PATH pw PATHS /usr/sbin NO_DEFAULT_PATH)
-if (PW_PATH)
-    set(HAVE_PW ON CACHE INTERNAL "Whether platform has pw command")
-else()
-    set(HAVE_PW OFF CACHE INTERNAL "Whether platform has pw command")
+if (NOT DEFINED PW_PATH)
+    find_program(PW_PATH pw PATHS /usr/sbin NO_DEFAULT_PATH)
+    if (PW_PATH)
+        message(STATUS "Looking for pw - found at ${PW_PATH}")
+    else()
+        message(STATUS "Looking for pw - not found")
+    endif()
 endif()
 
 if (WSDDN_WITH_SYSTEMD STREQUAL "yes" OR WSDDN_WITH_SYSTEMD STREQUAL "auto" AND NOT DEFINED CACHE{HAVE_SYSTEMD})

src/app_state.cpp

@@ -69,23 +69,24 @@ void AppState::init() {
     if (getuid() == 0) {
 
         if (!m_currentCommandLine.runAs) {
-#if CAN_CREATE_USERS
             WSDLOG_DEBUG("Running as root but no account to run under is specified in configuration. Using {}", WSDDN_DEFAULT_USER_NAME);
             auto pwd = ptl::Passwd::getByName(WSDDN_DEFAULT_USER_NAME);
             if (pwd) {
                 m_currentCommandLine.runAs = Identity(pwd->pw_uid, pwd->pw_gid);
             } else  {
-                WSDLOG_INFO("User {} does not exist, creating", WSDDN_DEFAULT_USER_NAME);
+                WSDLOG_INFO("User {} does not exist, trying to create", WSDDN_DEFAULT_USER_NAME);
                 m_currentCommandLine.runAs = Identity::createDaemonUser(WSDDN_DEFAULT_USER_NAME);
+            
+                if (!m_currentCommandLine.runAs) {
+                    WSDLOG_INFO("User creation is not supported on this platform");
+                    WSDLOG_CRITICAL("Running network service as a root is extremely insecure and is not allowed.\n"
+                                    "Please use one of the following approaches: \n"
+                                    "  * pass `--user username` command line option to specify which account to run network code under\n"
+                                    "  * start " WSDDN_PROGNAME " under a non-root account (if using systemd consider DynamicUser approach)"
+                    );
+                    exit(EXIT_FAILURE);
+                }
             }
-#else
-            WSDLOG_CRITICAL("Running network service as a root is extremely insecure and is not allowed.\n"
-                            "Please use one of the following approaches: \n"
-                            "  * pass `--user username` command line option to specify which account to run network code under\n"
-                            "  * start " WSDDN_PROGNAME " under a non-root account (if using systemd consider DynamicUser approach)"
-            );
-            exit(EXIT_FAILURE);
-#endif
         }
         if (!m_currentCommandLine.chrootDir) {
             WSDLOG_DEBUG("Running as root but no chroot specified in configuration. Using {}", WSDDN_DEFAULT_CHROOT_DIR);

src/sys_config.h.in

@@ -14,12 +14,11 @@
 #cmakedefine01 HAVE_CXXABI_H
 #cmakedefine01 HAVE_ABI_CXA_THROW
 #cmakedefine01 HAVE_SYSTEMD
-#cmakedefine01 HAVE_USERADD
-#cmakedefine01 HAVE_PW
 
 #cmakedefine LIBSYSTEMD_SO "${LIBSYSTEMD_SO}"
 
 #cmakedefine USERADD_PATH "${USERADD_PATH}"
+#cmakedefine GROUPADD_PATH "${GROUPADD_PATH}"
 #cmakedefine PW_PATH "${PW_PATH}"
 
 #if (defined(__APPLE__) && defined(__MACH__))
@@ -53,9 +52,6 @@
 #define HAVE_OS_LOG WSDDN_PLATFORM_APPLE
 
 
-#define CAN_CREATE_USERS HAVE_APPLE_USER_CREATION || HAVE_USERADD || HAVE_PW
-
-
 #define WSDDN_VERSION "@WSDDN_VERSION@"
 #define WSDDN_PROGNAME "$<TARGET_FILE_NAME:wsddn>"
 

src/sys_util.cpp

@@ -10,29 +10,55 @@ const char * OsLogHandle::s_category = "main";
 
 #endif
 
-#if HAVE_USERADD || HAVE_PW
+#if !HAVE_APPLE_USER_CREATION
 
-auto Identity::createDaemonUser(const sys_string & name) -> Identity {
+    static auto runCreateDaemonUserCommands(const sys_string & name) -> bool {
+        
+    #if defined(__linux__) && defined(USERADD_PATH)
 
-#if HAVE_USERADD
-    #ifdef __linux__
         sys_string command = S(USERADD_PATH " -r -d " WSDDN_DEFAULT_CHROOT_DIR " -s /bin/false '") + name + S("'");
-    #elif defined(__OpenBSD__) || defined(__NetBSD__)
-        sys_string command = S(USERADD_PATH " -L daemon -g =uid -d " WSDDN_DEFAULT_CHROOT_DIR " -s /sbin/nologin -c \"WS-Discovery Daemon\" '") + name + S("'");
+        (void)!system(command.c_str());
+        return true;
+
+    #elif (defined(__OpenBSD__) || defined(__NetBSD__)) && defined(USERADD_PATH)
+
         createMissingDirs(WSDDN_DEFAULT_CHROOT_DIR, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, Identity::admin());
-    #elif defined(__HAIKU__)
-        sys_string command = S(USERADD_PATH " -d " WSDDN_DEFAULT_CHROOT_DIR " -s /bin/false -n \"WS-Discovery Daemon\" '") + name + S("'");
+        sys_string command = S(USERADD_PATH " -L daemon -g =uid -d " WSDDN_DEFAULT_CHROOT_DIR " -s /sbin/nologin -c \"WS-Discovery Daemon\" '") + name + S("'");
+        (void)!system(command.c_str());
+        return true;
+
+    #elif defined(__HAIKU__) && defined(USERADD_PATH) && defined(GROUPADD_PATH)
+
         createMissingDirs(WSDDN_DEFAULT_CHROOT_DIR, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, Identity::admin());
+
+        sys_string command = S(GROUPADD_PATH " '") + name + S("'");
+        (void)!system(command.c_str());
+        command = S(USERADD_PATH " -g ") + name + S(" -d " WSDDN_DEFAULT_CHROOT_DIR " -s /bin/false -n \"WS-Discovery Daemon\" '") + name + S("'");
+        (void)!system(command.c_str());
+        return true;
+
+    #elif defined(__FreeBSD__) && defined(PW_PATH)
+
+        sys_string command = S(PW_PATH " adduser '") + name + S("' -d " WSDDN_DEFAULT_CHROOT_DIR " -s /bin/false -c \"WS-Discovery Daemon User\"");
+        (void)!system(command.c_str());
+        return true;
+
+    #else
+
+        return false;
+
     #endif
-#elif HAVE_PW
-    sys_string command = S(PW_PATH " adduser '") + name + S("' -d " WSDDN_DEFAULT_CHROOT_DIR " -s /bin/false -c \"WS-Discovery Daemon User\"");
-#endif
-    (void)!system(command.c_str());
-    auto pwd = ptl::Passwd::getByName(name);
-    if (!pwd)
-        throw std::runtime_error(fmt::format("unable to create user {}", name));
-    return Identity(pwd->pw_uid, pwd->pw_gid);
-}
+    }
+
+    auto Identity::createDaemonUser(const sys_string & name) -> std::optional<Identity> {
+
+        if (!runCreateDaemonUserCommands(name))
+            return {};
+        auto pwd = ptl::Passwd::getByName(name);
+        if (!pwd)
+            throw std::runtime_error(fmt::format("unable to create user {}", name));
+        return Identity(pwd->pw_uid, pwd->pw_gid);
+    }
 
 #endif
 

src/sys_util.h

@@ -31,11 +31,7 @@ class Identity {
 #endif
     }
 
-#if CAN_CREATE_USERS
-
-    static auto createDaemonUser(const sys_string & name) -> Identity;
-
-#endif
+    static auto createDaemonUser(const sys_string & name) -> std::optional<Identity>;
 
     void setMyIdentity() const {
         ptl::setGroups({});

src/sys_util_mac.cpp

@@ -201,7 +201,7 @@ static auto createRecordWithUniqueId(const cf_ptr<ODNodeRef> & localNode,
     return {record, idValue};
 }
 
-auto Identity::createDaemonUser(const sys_string & name) -> Identity {
+auto Identity::createDaemonUser(const sys_string & name) -> std::optional<Identity> {
 
     cf_ptr<CFErrorRef> err;