nspawn: fix the sections .nspawn settings are placed in

The actual section names are quite different from what the comment so
far suggested. Fix that.

docs/COREDUMP_PACKAGE_METADATA.md

@@ -39,6 +39,9 @@ Implementers working on build tools should strive to use the same key names, for
 consistency. The most common will be listed here. When corresponding to the content of
 os-release, the values should match, again for consistency.
 
+If available, the metadata should also include the debuginfod server URL that can provide
+the original executable, debuginfo and sources, to further facilitate debugging.
+
 * Section header
 
 ```
@@ -57,7 +60,8 @@ Value: a JSON string with the structure described below
      "osVersion":"33",
      "name":"coreutils",
      "version": "4711.0815.fc13.arm32",
-     "osCpe":               # A CPE name for the operating system, `CPE_NAME` from os-release is a good default
+     "osCpe": "cpe:/o:fedoraproject:fedora:33",          # A CPE name for the operating system, `CPE_NAME` from os-release is a good default
+     "debugInfoUrl": "https://debuginfod.fedoraproject.org/"
 }
 ```
 
@@ -104,3 +108,18 @@ SECTIONS
 }
 INSERT AFTER .note.gnu.build-id;
 ```
+
+## Well-known keys
+
+The metadata format is intentionally left open, so that vendors can add their own information.
+A set of well-known keys is defined here, and hopefully shared among all vendors.
+
+| Key name     | Key description                                                          | Example value                         |
+|--------------|--------------------------------------------------------------------------|---------------------------------------|
+| type         | The packaging type                                                       | rpm                                   |
+| os           | The OS name, typically corresponding to ID in os-release                 | fedora                                |
+| osVersion    | The OS version, typically corresponding to VERSION_ID in os-release      | 33                                    |
+| name         | The source package name                                                  | coreutils                             |
+| version      | The source package version                                               | 4711.0815.fc13.arm32                  |
+| osCpe        | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:/o:fedoraproject:fedora:33        |
+| debugInfoUrl | The debuginfod server url, if available                                  | https://debuginfod.fedoraproject.org/ |

src/basic/user-util.h

@@ -111,3 +111,12 @@ int putsgent_sane(const struct sgrp *sg, FILE *stream);
 bool is_nologin_shell(const char *shell);
 
 int is_this_me(const char *username);
+
+/* A locked *and* invalid password for "struct spwd"'s .sp_pwdp and "struct passwd"'s .pw_passwd field */
+#define PASSWORD_LOCKED_AND_INVALID "!*"
+
+/* A password indicating "look in shadow file, please!" for "struct passwd"'s .pw_passwd */
+#define PASSWORD_SEE_SHADOW "x"
+
+/* A password indicating "hey, no password required for login" */
+#define PASSWORD_NONE ""

src/core/execute.c

@@ -5231,7 +5231,7 @@ static void strv_dump(FILE* f, const char *prefix, const char *name, char **strv
         assert(name);
 
         if (!strv_isempty(strv)) {
-                fprintf(f, "%s%s:", name, prefix);
+                fprintf(f, "%s%s:", prefix, name);
                 strv_fprintf(f, strv);
                 fputs("\n", f);
         }

src/firstboot/firstboot.c

@@ -922,20 +922,20 @@ static int process_root_args(void) {
                 return r;
 
         if (arg_root_password && arg_root_password_is_hashed) {
-                password = "x";
+                password = PASSWORD_SEE_SHADOW;
                 hashed_password = arg_root_password;
         } else if (arg_root_password) {
                 r = hash_password(arg_root_password, &_hashed_password);
                 if (r < 0)
                         return log_error_errno(r, "Failed to hash password: %m");
 
-                password = "x";
+                password = PASSWORD_SEE_SHADOW;
                 hashed_password = _hashed_password;
 
         } else if (arg_delete_root_password)
-                password = hashed_password = "";
+                password = hashed_password = PASSWORD_NONE;
         else
-                password = hashed_password = "!";
+                password = hashed_password = PASSWORD_LOCKED_AND_INVALID;
 
         r = write_root_passwd(etc_passwd, password, arg_root_shell);
         if (r < 0)

src/nspawn/nspawn-settings.h

@@ -149,7 +149,7 @@ typedef struct OciHook {
 } OciHook;
 
 typedef struct Settings {
-        /* [Run] */
+        /* [Exec] */
         StartMode start_mode;
         bool ephemeral;
         char **parameters;
@@ -180,7 +180,7 @@ typedef struct Settings {
         bool link_journal_try;
         TimezoneMode timezone;
 
-        /* [Image] */
+        /* [Files] */
         int read_only;
         VolatileMode volatile_mode;
         CustomMount *custom_mounts;

src/nss-systemd/nss-systemd.c

@@ -20,7 +20,7 @@
 
 static const struct passwd root_passwd = {
         .pw_name = (char*) "root",
-        .pw_passwd = (char*) "x", /* see shadow file */
+        .pw_passwd = (char*) PASSWORD_SEE_SHADOW,
         .pw_uid = 0,
         .pw_gid = 0,
         .pw_gecos = (char*) "Super User",
@@ -30,7 +30,7 @@ static const struct passwd root_passwd = {
 
 static const struct passwd nobody_passwd = {
         .pw_name = (char*) NOBODY_USER_NAME,
-        .pw_passwd = (char*) "*", /* locked */
+        .pw_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
         .pw_uid = UID_NOBODY,
         .pw_gid = GID_NOBODY,
         .pw_gecos = (char*) "User Nobody",
@@ -41,14 +41,14 @@ static const struct passwd nobody_passwd = {
 static const struct group root_group = {
         .gr_name = (char*) "root",
         .gr_gid = 0,
-        .gr_passwd = (char*) "x", /* see shadow file */
+        .gr_passwd = (char*) PASSWORD_SEE_SHADOW,
         .gr_mem = (char*[]) { NULL },
 };
 
 static const struct group nobody_group = {
         .gr_name = (char*) NOBODY_GROUP_NAME,
         .gr_gid = GID_NOBODY,
-        .gr_passwd = (char*) "*", /* locked */
+        .gr_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
         .gr_mem = (char*[]) { NULL },
 };
 

src/nss-systemd/userdb-glue.c

@@ -6,6 +6,7 @@
 #include "strv.h"
 #include "user-record-nss.h"
 #include "user-record.h"
+#include "user-util.h"
 #include "userdb-glue.h"
 #include "userdb.h"
 
@@ -50,7 +51,7 @@ int nss_pack_user_record(
                 .pw_name = buffer,
                 .pw_uid = hr->uid,
                 .pw_gid = user_record_gid(hr),
-                .pw_passwd = (char*) "x", /* means: see shadow file */
+                .pw_passwd = (char*) PASSWORD_SEE_SHADOW,
         };
 
         assert(buffer);
@@ -184,7 +185,7 @@ int nss_pack_group_record(
         *gr = (struct group) {
                 .gr_name = strcpy(p, g->group_name),
                 .gr_gid = g->gid,
-                .gr_passwd = (char*) "x", /* means: see shadow file */
+                .gr_passwd = (char*) PASSWORD_SEE_SHADOW,
                 .gr_mem = array,
         };
 

src/shared/userdb.c

@@ -27,6 +27,7 @@ typedef enum LookupWhat {
 
 struct UserDBIterator {
         LookupWhat what;
+        UserDBFlags flags;
         Set *links;
         bool nss_covered:1;
         bool nss_iterating:1;
@@ -92,7 +93,7 @@ UserDBIterator* userdb_iterator_free(UserDBIterator *iterator) {
         return mfree(iterator);
 }
 
-static UserDBIterator* userdb_iterator_new(LookupWhat what) {
+static UserDBIterator* userdb_iterator_new(LookupWhat what, UserDBFlags flags) {
         UserDBIterator *i;
 
         assert(what >= 0);
@@ -104,6 +105,7 @@ static UserDBIterator* userdb_iterator_new(LookupWhat what) {
 
         *i = (UserDBIterator) {
                 .what = what,
+                .flags = flags,
         };
 
         return i;
@@ -608,7 +610,7 @@ int userdb_by_name(const char *name, UserDBFlags flags, UserRecord **ret) {
         if (r < 0)
                 return r;
 
-        iterator = userdb_iterator_new(LOOKUP_USER);
+        iterator = userdb_iterator_new(LOOKUP_USER, flags);
         if (!iterator)
                 return -ENOMEM;
 
@@ -655,7 +657,7 @@ int userdb_by_uid(uid_t uid, UserDBFlags flags, UserRecord **ret) {
         if (r < 0)
                 return r;
 
-        iterator = userdb_iterator_new(LOOKUP_USER);
+        iterator = userdb_iterator_new(LOOKUP_USER, flags);
         if (!iterator)
                 return -ENOMEM;
 
@@ -693,7 +695,7 @@ int userdb_all(UserDBFlags flags, UserDBIterator **ret) {
 
         assert(ret);
 
-        iterator = userdb_iterator_new(LOOKUP_USER);
+        iterator = userdb_iterator_new(LOOKUP_USER, flags);
         if (!iterator)
                 return -ENOMEM;
 
@@ -738,11 +740,16 @@ int userdb_iterator_get(UserDBIterator *iterator, UserRecord **ret) {
                         if (pw->pw_uid == UID_NOBODY)
                                 iterator->synthesize_nobody = false;
 
+                        if (!FLAGS_SET(iterator->flags, USERDB_AVOID_SHADOW)) {
                                 r = nss_spwd_for_passwd(pw, &spwd, &buffer);
                                 if (r < 0) {
                                         log_debug_errno(r, "Failed to acquire shadow entry for user %s, ignoring: %m", pw->pw_name);
                                         incomplete = ERRNO_IS_PRIVILEGE(r);
                                 }
+                        } else {
+                                r = -EUCLEAN;
+                                incomplete = true;
+                        }
 
                         r = nss_passwd_to_user_record(pw, r >= 0 ? &spwd : NULL, ret);
                         if (r < 0)
@@ -750,6 +757,8 @@ int userdb_iterator_get(UserDBIterator *iterator, UserRecord **ret) {
 
                         if (ret)
                                 (*ret)->incomplete = incomplete;
+
+                        iterator->n_found++;
                         return r;
                 }
 
@@ -774,11 +783,11 @@ int userdb_iterator_get(UserDBIterator *iterator, UserRecord **ret) {
                         iterator->n_found++;
                         return synthetic_nobody_user_build(ret);
                 }
-        }
 
                 /* if we found at least one entry, then ignore errors and indicate that we reached the end */
-        if (r < 0 && iterator->n_found > 0)
+                if (iterator->n_found > 0)
                         return -ESRCH;
+        }
 
         return r;
 }
@@ -812,7 +821,7 @@ int groupdb_by_name(const char *name, UserDBFlags flags, GroupRecord **ret) {
         if (r < 0)
                 return r;
 
-        iterator = userdb_iterator_new(LOOKUP_GROUP);
+        iterator = userdb_iterator_new(LOOKUP_GROUP, flags);
         if (!iterator)
                 return -ENOMEM;
 
@@ -856,7 +865,7 @@ int groupdb_by_gid(gid_t gid, UserDBFlags flags, GroupRecord **ret) {
         if (r < 0)
                 return r;
 
-        iterator = userdb_iterator_new(LOOKUP_GROUP);
+        iterator = userdb_iterator_new(LOOKUP_GROUP, flags);
         if (!iterator)
                 return -ENOMEM;
 
@@ -893,7 +902,7 @@ int groupdb_all(UserDBFlags flags, UserDBIterator **ret) {
 
         assert(ret);
 
-        iterator = userdb_iterator_new(LOOKUP_GROUP);
+        iterator = userdb_iterator_new(LOOKUP_GROUP, flags);
         if (!iterator)
                 return -ENOMEM;
 
@@ -908,7 +917,7 @@ int groupdb_all(UserDBFlags flags, UserDBIterator **ret) {
 
                 setgrent();
                 iterator->nss_iterating = true;
-        } if (r < 0)
+        } else if (r < 0)
                 return r;
 
         *ret = TAKE_PTR(iterator);
@@ -936,11 +945,16 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
                         if (gr->gr_gid == GID_NOBODY)
                                 iterator->synthesize_nobody = false;
 
+                        if (!FLAGS_SET(iterator->flags, USERDB_AVOID_SHADOW)) {
                                 r = nss_sgrp_for_group(gr, &sgrp, &buffer);
                                 if (r < 0) {
                                         log_debug_errno(r, "Failed to acquire shadow entry for group %s, ignoring: %m", gr->gr_name);
                                         incomplete = ERRNO_IS_PRIVILEGE(r);
                                 }
+                        } else {
+                                r = -EUCLEAN;
+                                incomplete = true;
+                        }
 
                         r = nss_group_to_group_record(gr, r >= 0 ? &sgrp : NULL, ret);
                         if (r < 0)
@@ -948,6 +962,8 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
 
                         if (ret)
                                 (*ret)->incomplete = incomplete;
+
+                        iterator->n_found++;
                         return r;
                 }
 
@@ -971,11 +987,11 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
                         iterator->n_found++;
                         return synthetic_nobody_group_build(ret);
                 }
-        }
 
                 /* if we found at least one entry, then ignore errors and indicate that we reached the end */
-        if (r < 0 && iterator->n_found > 0)
+                if (iterator->n_found > 0)
                         return -ESRCH;
+        }
 
         return r;
 }
@@ -995,7 +1011,7 @@ int membershipdb_by_user(const char *name, UserDBFlags flags, UserDBIterator **r
         if (r < 0)
                 return r;
 
-        iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP);
+        iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP, flags);
         if (!iterator)
                 return -ENOMEM;
 
@@ -1038,7 +1054,7 @@ int membershipdb_by_group(const char *name, UserDBFlags flags, UserDBIterator **
         if (r < 0)
                 return r;
 
-        iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP);
+        iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP, flags);
         if (!iterator)
                 return -ENOMEM;
 
@@ -1079,7 +1095,7 @@ int membershipdb_all(UserDBFlags flags, UserDBIterator **ret) {
 
         assert(ret);
 
-        iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP);
+        iterator = userdb_iterator_new(LOOKUP_MEMBERSHIP, flags);
         if (!iterator)
                 return -ENOMEM;
 
@@ -1113,7 +1129,7 @@ int membershipdb_iterator_get(
         assert(iterator);
 
         for (;;) {
-                /* If we are iteratring through NSS acquire a new group entry if we haven't acquired one yet. */
+                /* If we are iterating through NSS acquire a new group entry if we haven't acquired one yet. */
                 if (!iterator->members_of_group) {
                         struct group *g;
 

src/sysusers/sysusers.c

@@ -441,7 +441,7 @@ static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char
                         .pw_gecos = i->description,
 
                         /* "x" means the password is stored in the shadow file */
-                        .pw_passwd = (char*) "x",
+                        .pw_passwd = (char*) PASSWORD_SEE_SHADOW,
 
                         /* We default to the root directory as home */
                         .pw_dir = i->home ?: (char*) "/",
@@ -551,7 +551,7 @@ static int write_temporary_shadow(const char *shadow_path, FILE **tmpfile, char
 
                 struct spwd n = {
                         .sp_namp = i->name,
-                        .sp_pwdp = (char*) "!*", /* lock this password, and make it invalid */
+                        .sp_pwdp = (char*) PASSWORD_LOCKED_AND_INVALID,
                         .sp_lstchg = lstchg,
                         .sp_min = -1,
                         .sp_max = -1,
@@ -682,7 +682,7 @@ static int write_temporary_group(const char *group_path, FILE **tmpfile, char **
                 struct group n = {
                         .gr_name = i->name,
                         .gr_gid = i->gid,
-                        .gr_passwd = (char*) "x",
+                        .gr_passwd = (char*) PASSWORD_SEE_SHADOW,
                 };
 
                 r = putgrent_with_members(&n, group);
@@ -766,7 +766,7 @@ static int write_temporary_gshadow(const char * gshadow_path, FILE **tmpfile, ch
         ORDERED_HASHMAP_FOREACH(i, todo_gids) {
                 struct sgrp n = {
                         .sg_namp = i->name,
-                        .sg_passwd = (char*) "!*",
+                        .sg_passwd = (char*) PASSWORD_LOCKED_AND_INVALID,
                 };
 
                 r = putsgent_with_members(&n, gshadow);