]>
Commit | Line | Data |
---|---|---|
70a5db58 LP |
1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
2 | ||
3 | #include <stddef.h> | |
4 | #include <sys/mount.h> | |
5 | ||
6 | #include "chown-recursive.h" | |
7 | #include "copy.h" | |
8 | #include "fd-util.h" | |
9 | #include "fileio.h" | |
1dfe5de0 | 10 | #include "fs-util.h" |
70a5db58 LP |
11 | #include "home-util.h" |
12 | #include "homework-cifs.h" | |
13 | #include "homework-directory.h" | |
7b78db28 | 14 | #include "homework-fido2.h" |
70a5db58 LP |
15 | #include "homework-fscrypt.h" |
16 | #include "homework-luks.h" | |
17 | #include "homework-mount.h" | |
18 | #include "homework-pkcs11.h" | |
19 | #include "homework.h" | |
20 | #include "main-func.h" | |
21 | #include "memory-util.h" | |
22 | #include "missing_magic.h" | |
87d7893c | 23 | #include "modhex.h" |
70a5db58 LP |
24 | #include "mount-util.h" |
25 | #include "path-util.h" | |
70a5db58 LP |
26 | #include "rm-rf.h" |
27 | #include "stat-util.h" | |
28 | #include "strv.h" | |
29 | #include "tmpfile-util.h" | |
30 | #include "user-util.h" | |
31 | #include "virt.h" | |
32 | ||
33 | /* Make sure a bad password always results in a 3s delay, no matter what */ | |
34 | #define BAD_PASSWORD_DELAY_USEC (3 * USEC_PER_SEC) | |
35 | ||
7b78db28 LP |
36 | void password_cache_free(PasswordCache *cache) { |
37 | if (!cache) | |
38 | return; | |
39 | ||
40 | cache->pkcs11_passwords = strv_free_erase(cache->pkcs11_passwords); | |
41 | cache->fido2_passwords = strv_free_erase(cache->fido2_passwords); | |
42 | } | |
43 | ||
70a5db58 LP |
44 | int user_record_authenticate( |
45 | UserRecord *h, | |
46 | UserRecord *secret, | |
7b78db28 | 47 | PasswordCache *cache, |
c8f145ad | 48 | bool strict_verify) { |
70a5db58 | 49 | |
87d7893c | 50 | bool need_password = false, need_recovery_key = false, need_token = false, need_pin = false, need_protected_authentication_path_permitted = false, need_user_presence_permitted = false, |
7b78db28 | 51 | pin_locked = false, pin_incorrect = false, pin_incorrect_few_tries_left = false, pin_incorrect_one_try_left = false, token_action_timeout = false; |
70a5db58 LP |
52 | int r; |
53 | ||
54 | assert(h); | |
55 | assert(secret); | |
56 | ||
57 | /* Tries to authenticate a user record with the supplied secrets. i.e. checks whether at least one | |
58 | * supplied plaintext passwords matches a hashed password field of the user record. Or if a | |
7b78db28 | 59 | * configured PKCS#11 or FIDO2 token is around and can unlock the record. |
70a5db58 | 60 | * |
7b78db28 LP |
61 | * Note that the 'cache' parameter is both an input and output parameter: it contains lists of |
62 | * configured, decrypted PKCS#11/FIDO2 passwords. We typically have to call this function multiple | |
63 | * times over the course of an operation (think: on login we authenticate the host user record, the | |
64 | * record embedded in the LUKS record and the one embedded in $HOME). Hence we keep a list of | |
65 | * passwords we already decrypted, so that we don't have to do the (slow and potentially interactive) | |
66 | * PKCS#11/FIDO2 dance for the relevant token again and again. */ | |
70a5db58 LP |
67 | |
68 | /* First, let's see if the supplied plain-text passwords work? */ | |
87d7893c LP |
69 | r = user_record_test_password(h, secret); |
70 | if (r == -ENOKEY) | |
70a5db58 | 71 | need_password = true; |
87d7893c | 72 | else if (r == -ENXIO) |
70a5db58 LP |
73 | log_debug_errno(r, "User record has no hashed passwords, plaintext passwords not tested."); |
74 | else if (r < 0) | |
75 | return log_error_errno(r, "Failed to validate password of record: %m"); | |
76 | else { | |
77 | log_info("Provided password unlocks user record."); | |
c8f145ad | 78 | return 1; |
70a5db58 LP |
79 | } |
80 | ||
87d7893c LP |
81 | /* Similar, but test against the recovery keys */ |
82 | r = user_record_test_recovery_key(h, secret); | |
83 | if (r == -ENOKEY) | |
84 | need_recovery_key = true; | |
85 | else if (r == -ENXIO) | |
86 | log_debug_errno(r, "User record has no recovery keys, plaintext passwords not tested against it."); | |
87 | else if (r < 0) | |
88 | return log_error_errno(r, "Failed to validate the recovery key of the record: %m"); | |
89 | else { | |
90 | log_info("Provided password is a recovery key that unlocks the user record."); | |
91 | return 1; | |
92 | } | |
93 | ||
94 | if (need_password && need_recovery_key) | |
95 | log_info("None of the supplied plaintext passwords unlock the user record's hashed passwords or recovery keys."); | |
96 | else if (need_password) | |
97 | log_info("None of the supplied plaintext passwords unlock the user record's hashed passwords."); | |
98 | else | |
99 | log_info("None of the supplied plaintext passwords unlock the user record's hashed recovery keys."); | |
100 | ||
7b78db28 | 101 | /* Second, test cached PKCS#11 passwords */ |
3aeea37d | 102 | for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++) { |
70a5db58 LP |
103 | char **pp; |
104 | ||
7b78db28 LP |
105 | STRV_FOREACH(pp, cache->pkcs11_passwords) { |
106 | r = test_password_one(h->pkcs11_encrypted_key[n].hashed_password, *pp); | |
70a5db58 LP |
107 | if (r < 0) |
108 | return log_error_errno(r, "Failed to check supplied PKCS#11 password: %m"); | |
109 | if (r > 0) { | |
110 | log_info("Previously acquired PKCS#11 password unlocks user record."); | |
c8f145ad | 111 | return 1; |
70a5db58 LP |
112 | } |
113 | } | |
7b78db28 LP |
114 | } |
115 | ||
116 | /* Third, test cached FIDO2 passwords */ | |
117 | for (size_t n = 0; n < h->n_fido2_hmac_salt; n++) { | |
118 | char **pp; | |
119 | ||
120 | /* See if any of the previously calculated passwords work */ | |
121 | STRV_FOREACH(pp, cache->fido2_passwords) { | |
122 | r = test_password_one(h->fido2_hmac_salt[n].hashed_password, *pp); | |
123 | if (r < 0) | |
124 | return log_error_errno(r, "Failed to check supplied FIDO2 password: %m"); | |
125 | if (r > 0) { | |
126 | log_info("Previously acquired FIDO2 password unlocks user record."); | |
127 | return 0; | |
128 | } | |
129 | } | |
130 | } | |
131 | ||
132 | /* Fourth, let's see if any of the PKCS#11 security tokens are plugged in and help us */ | |
133 | for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++) { | |
134 | #if HAVE_P11KIT | |
135 | _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = { | |
136 | .user_record = h, | |
137 | .secret = secret, | |
138 | .encrypted_key = h->pkcs11_encrypted_key + n, | |
139 | }; | |
70a5db58 LP |
140 | |
141 | r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data); | |
142 | switch (r) { | |
143 | case -EAGAIN: | |
144 | need_token = true; | |
145 | break; | |
146 | case -ENOANO: | |
147 | need_pin = true; | |
148 | break; | |
149 | case -ERFKILL: | |
150 | need_protected_authentication_path_permitted = true; | |
151 | break; | |
152 | case -EOWNERDEAD: | |
153 | pin_locked = true; | |
154 | break; | |
155 | case -ENOLCK: | |
156 | pin_incorrect = true; | |
157 | break; | |
158 | case -ETOOMANYREFS: | |
159 | pin_incorrect = pin_incorrect_few_tries_left = true; | |
160 | break; | |
161 | case -EUCLEAN: | |
162 | pin_incorrect = pin_incorrect_few_tries_left = pin_incorrect_one_try_left = true; | |
163 | break; | |
164 | default: | |
165 | if (r < 0) | |
166 | return r; | |
167 | ||
168 | r = test_password_one(data.encrypted_key->hashed_password, data.decrypted_password); | |
169 | if (r < 0) | |
170 | return log_error_errno(r, "Failed to test PKCS#11 password: %m"); | |
171 | if (r == 0) | |
172 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured PKCS#11 security token %s does not decrypt encrypted key correctly.", data.encrypted_key->uri); | |
173 | ||
174 | log_info("Decrypted password from PKCS#11 security token %s unlocks user record.", data.encrypted_key->uri); | |
175 | ||
7b78db28 LP |
176 | r = strv_extend(&cache->pkcs11_passwords, data.decrypted_password); |
177 | if (r < 0) | |
178 | return log_oom(); | |
179 | ||
180 | return 0; | |
181 | } | |
182 | #else | |
183 | need_token = true; | |
184 | break; | |
185 | #endif | |
186 | } | |
187 | ||
188 | /* Fifth, let's see if any of the FIDO2 security tokens are plugged in and help us */ | |
189 | for (size_t n = 0; n < h->n_fido2_hmac_salt; n++) { | |
190 | #if HAVE_LIBFIDO2 | |
191 | _cleanup_(erase_and_freep) char *decrypted_password = NULL; | |
192 | ||
193 | r = fido2_use_token(h, secret, h->fido2_hmac_salt + n, &decrypted_password); | |
194 | switch (r) { | |
195 | case -EAGAIN: | |
196 | need_token = true; | |
197 | break; | |
198 | case -ENOANO: | |
199 | need_pin = true; | |
200 | break; | |
201 | case -EOWNERDEAD: | |
202 | pin_locked = true; | |
203 | break; | |
204 | case -ENOLCK: | |
205 | pin_incorrect = true; | |
206 | break; | |
207 | case -EMEDIUMTYPE: | |
208 | need_user_presence_permitted = true; | |
209 | break; | |
210 | case -ENOSTR: | |
211 | token_action_timeout = true; | |
212 | break; | |
213 | default: | |
214 | if (r < 0) | |
215 | return r; | |
216 | ||
217 | r = test_password_one(h->fido2_hmac_salt[n].hashed_password, decrypted_password); | |
218 | if (r < 0) | |
219 | return log_error_errno(r, "Failed to test FIDO2 password: %m"); | |
220 | if (r == 0) | |
221 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured FIDO2 security token does not decrypt encrypted key correctly."); | |
222 | ||
223 | log_info("Decrypted password from FIDO2 security token unlocks user record."); | |
224 | ||
225 | r = strv_extend(&cache->fido2_passwords, decrypted_password); | |
70a5db58 LP |
226 | if (r < 0) |
227 | return log_oom(); | |
228 | ||
c8f145ad | 229 | return 1; |
70a5db58 LP |
230 | } |
231 | #else | |
232 | need_token = true; | |
233 | break; | |
234 | #endif | |
235 | } | |
236 | ||
237 | /* Ordered by "relevance", i.e. the most "important" or "interesting" error condition is returned. */ | |
238 | if (pin_incorrect_one_try_left) | |
239 | return -EUCLEAN; | |
240 | if (pin_incorrect_few_tries_left) | |
241 | return -ETOOMANYREFS; | |
242 | if (pin_incorrect) | |
243 | return -ENOLCK; | |
244 | if (pin_locked) | |
245 | return -EOWNERDEAD; | |
7b78db28 LP |
246 | if (token_action_timeout) |
247 | return -ENOSTR; | |
70a5db58 LP |
248 | if (need_protected_authentication_path_permitted) |
249 | return -ERFKILL; | |
7b78db28 LP |
250 | if (need_user_presence_permitted) |
251 | return -EMEDIUMTYPE; | |
70a5db58 LP |
252 | if (need_pin) |
253 | return -ENOANO; | |
254 | if (need_token) | |
255 | return -EBADSLT; | |
256 | if (need_password) | |
257 | return -ENOKEY; | |
87d7893c LP |
258 | if (need_recovery_key) |
259 | return -EREMOTEIO; | |
70a5db58 | 260 | |
87d7893c LP |
261 | /* Hmm, this means neither PCKS#11/FIDO2 nor classic hashed passwords or recovery keys were supplied, |
262 | * we cannot authenticate this reasonably */ | |
c8f145ad LP |
263 | if (strict_verify) |
264 | return log_debug_errno(SYNTHETIC_ERRNO(EKEYREVOKED), | |
87d7893c | 265 | "No hashed passwords, no recovery keys and no PKCS#11/FIDO2 tokens defined, cannot authenticate user record, refusing."); |
c8f145ad LP |
266 | |
267 | /* If strict verification is off this means we are possibly in the case where we encountered an | |
268 | * unfixated record, i.e. a synthetic one that accordingly lacks any authentication data. In this | |
269 | * case, allow the authentication to pass for now, so that the second (or third) authentication level | |
270 | * (the ones of the user record in the LUKS header or inside the home directory) will then catch | |
271 | * invalid passwords. The second/third authentication always runs in strict verification mode. */ | |
87d7893c | 272 | log_debug("No hashed passwords, not recovery keys and no PKCS#11 tokens defined in record, cannot authenticate user record. " |
c8f145ad LP |
273 | "Deferring to embedded user record."); |
274 | return 0; | |
70a5db58 LP |
275 | } |
276 | ||
277 | int home_setup_undo(HomeSetup *setup) { | |
278 | int r = 0, q; | |
279 | ||
280 | assert(setup); | |
281 | ||
28a7f106 LP |
282 | if (setup->root_fd >= 0) { |
283 | if (setup->do_offline_fitrim) { | |
284 | q = run_fitrim(setup->root_fd); | |
285 | if (q < 0) | |
286 | r = q; | |
287 | } | |
288 | ||
289 | setup->root_fd = safe_close(setup->root_fd); | |
290 | } | |
70a5db58 LP |
291 | |
292 | if (setup->undo_mount) { | |
293 | q = umount_verbose("/run/systemd/user-home-mount"); | |
294 | if (q < 0) | |
295 | r = q; | |
296 | } | |
297 | ||
298 | if (setup->undo_dm && setup->crypt_device && setup->dm_name) { | |
299 | q = crypt_deactivate(setup->crypt_device, setup->dm_name); | |
300 | if (q < 0) | |
301 | r = q; | |
302 | } | |
303 | ||
28a7f106 LP |
304 | if (setup->image_fd >= 0) { |
305 | if (setup->do_offline_fallocate) { | |
306 | q = run_fallocate(setup->image_fd, NULL); | |
307 | if (q < 0) | |
308 | r = q; | |
309 | } | |
310 | ||
565ac8b1 LP |
311 | if (setup->do_mark_clean) { |
312 | q = run_mark_dirty(setup->image_fd, false); | |
313 | if (q < 0) | |
314 | r = q; | |
315 | } | |
316 | ||
28a7f106 LP |
317 | setup->image_fd = safe_close(setup->image_fd); |
318 | } | |
319 | ||
70a5db58 LP |
320 | setup->undo_mount = false; |
321 | setup->undo_dm = false; | |
28a7f106 LP |
322 | setup->do_offline_fitrim = false; |
323 | setup->do_offline_fallocate = false; | |
565ac8b1 | 324 | setup->do_mark_clean = false; |
70a5db58 LP |
325 | |
326 | setup->dm_name = mfree(setup->dm_name); | |
327 | setup->dm_node = mfree(setup->dm_node); | |
328 | ||
329 | setup->loop = loop_device_unref(setup->loop); | |
330 | crypt_free(setup->crypt_device); | |
331 | setup->crypt_device = NULL; | |
332 | ||
333 | explicit_bzero_safe(setup->volume_key, setup->volume_key_size); | |
334 | setup->volume_key = mfree(setup->volume_key); | |
335 | setup->volume_key_size = 0; | |
336 | ||
337 | return r; | |
338 | } | |
339 | ||
340 | int home_prepare( | |
341 | UserRecord *h, | |
342 | bool already_activated, | |
7b78db28 | 343 | PasswordCache *cache, |
70a5db58 LP |
344 | HomeSetup *setup, |
345 | UserRecord **ret_header_home) { | |
346 | ||
347 | int r; | |
348 | ||
349 | assert(h); | |
350 | assert(setup); | |
351 | assert(!setup->loop); | |
352 | assert(!setup->crypt_device); | |
353 | assert(setup->root_fd < 0); | |
354 | assert(!setup->undo_dm); | |
355 | assert(!setup->undo_mount); | |
356 | ||
357 | /* Makes a home directory accessible (through the root_fd file descriptor, not by path!). */ | |
358 | ||
359 | switch (user_record_storage(h)) { | |
360 | ||
361 | case USER_LUKS: | |
7b78db28 | 362 | return home_prepare_luks(h, already_activated, NULL, cache, setup, ret_header_home); |
70a5db58 LP |
363 | |
364 | case USER_SUBVOLUME: | |
365 | case USER_DIRECTORY: | |
366 | r = home_prepare_directory(h, already_activated, setup); | |
367 | break; | |
368 | ||
369 | case USER_FSCRYPT: | |
7b78db28 | 370 | r = home_prepare_fscrypt(h, already_activated, cache, setup); |
70a5db58 LP |
371 | break; |
372 | ||
373 | case USER_CIFS: | |
374 | r = home_prepare_cifs(h, already_activated, setup); | |
375 | break; | |
376 | ||
377 | default: | |
378 | return log_error_errno(SYNTHETIC_ERRNO(ENOLINK), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
379 | } | |
380 | ||
381 | if (r < 0) | |
382 | return r; | |
383 | ||
384 | if (ret_header_home) | |
385 | *ret_header_home = NULL; | |
386 | ||
387 | return r; | |
388 | } | |
389 | ||
390 | int home_sync_and_statfs(int root_fd, struct statfs *ret) { | |
391 | assert(root_fd >= 0); | |
392 | ||
393 | /* Let's sync this to disk, so that the disk space reported by fstatfs() below is accurate (for file | |
394 | * systems such as btrfs where this is determined lazily). */ | |
395 | ||
396 | if (syncfs(root_fd) < 0) | |
397 | return log_error_errno(errno, "Failed to synchronize file system: %m"); | |
398 | ||
399 | if (ret) | |
400 | if (fstatfs(root_fd, ret) < 0) | |
401 | return log_error_errno(errno, "Failed to statfs() file system: %m"); | |
402 | ||
403 | log_info("Synchronized disk."); | |
404 | ||
405 | return 0; | |
406 | } | |
407 | ||
408 | static int read_identity_file(int root_fd, JsonVariant **ret) { | |
409 | _cleanup_(fclosep) FILE *identity_file = NULL; | |
410 | _cleanup_close_ int identity_fd = -1; | |
411 | unsigned line, column; | |
412 | int r; | |
413 | ||
414 | assert(root_fd >= 0); | |
415 | assert(ret); | |
416 | ||
417 | identity_fd = openat(root_fd, ".identity", O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK); | |
418 | if (identity_fd < 0) | |
419 | return log_error_errno(errno, "Failed to open .identity file in home directory: %m"); | |
420 | ||
421 | r = fd_verify_regular(identity_fd); | |
422 | if (r < 0) | |
423 | return log_error_errno(r, "Embedded identity file is not a regular file, refusing: %m"); | |
424 | ||
4fa744a3 | 425 | identity_file = take_fdopen(&identity_fd, "r"); |
70a5db58 LP |
426 | if (!identity_file) |
427 | return log_oom(); | |
428 | ||
70a5db58 LP |
429 | r = json_parse_file(identity_file, ".identity", JSON_PARSE_SENSITIVE, ret, &line, &column); |
430 | if (r < 0) | |
431 | return log_error_errno(r, "[.identity:%u:%u] Failed to parse JSON data: %m", line, column); | |
432 | ||
433 | log_info("Read embedded .identity file."); | |
434 | ||
435 | return 0; | |
436 | } | |
437 | ||
438 | static int write_identity_file(int root_fd, JsonVariant *v, uid_t uid) { | |
439 | _cleanup_(json_variant_unrefp) JsonVariant *normalized = NULL; | |
440 | _cleanup_(fclosep) FILE *identity_file = NULL; | |
441 | _cleanup_close_ int identity_fd = -1; | |
442 | _cleanup_free_ char *fn = NULL; | |
443 | int r; | |
444 | ||
445 | assert(root_fd >= 0); | |
446 | assert(v); | |
447 | ||
448 | normalized = json_variant_ref(v); | |
449 | ||
450 | r = json_variant_normalize(&normalized); | |
451 | if (r < 0) | |
452 | log_warning_errno(r, "Failed to normalize user record, ignoring: %m"); | |
453 | ||
454 | r = tempfn_random(".identity", NULL, &fn); | |
455 | if (r < 0) | |
456 | return r; | |
457 | ||
458 | identity_fd = openat(root_fd, fn, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600); | |
459 | if (identity_fd < 0) | |
460 | return log_error_errno(errno, "Failed to create .identity file in home directory: %m"); | |
461 | ||
4fa744a3 | 462 | identity_file = take_fdopen(&identity_fd, "w"); |
70a5db58 LP |
463 | if (!identity_file) { |
464 | r = log_oom(); | |
465 | goto fail; | |
466 | } | |
467 | ||
70a5db58 LP |
468 | json_variant_dump(normalized, JSON_FORMAT_PRETTY, identity_file, NULL); |
469 | ||
470 | r = fflush_and_check(identity_file); | |
471 | if (r < 0) { | |
472 | log_error_errno(r, "Failed to write .identity file: %m"); | |
473 | goto fail; | |
474 | } | |
475 | ||
476 | if (fchown(fileno(identity_file), uid, uid) < 0) { | |
477 | log_error_errno(r, "Failed to change ownership of identity file: %m"); | |
478 | goto fail; | |
479 | } | |
480 | ||
481 | if (renameat(root_fd, fn, root_fd, ".identity") < 0) { | |
482 | r = log_error_errno(errno, "Failed to move identity file into place: %m"); | |
483 | goto fail; | |
484 | } | |
485 | ||
486 | log_info("Wrote embedded .identity file."); | |
487 | ||
488 | return 0; | |
489 | ||
490 | fail: | |
491 | (void) unlinkat(root_fd, fn, 0); | |
492 | return r; | |
493 | } | |
494 | ||
495 | int home_load_embedded_identity( | |
496 | UserRecord *h, | |
497 | int root_fd, | |
498 | UserRecord *header_home, | |
499 | UserReconcileMode mode, | |
7b78db28 | 500 | PasswordCache *cache, |
70a5db58 LP |
501 | UserRecord **ret_embedded_home, |
502 | UserRecord **ret_new_home) { | |
503 | ||
504 | _cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *intermediate_home = NULL, *new_home = NULL; | |
505 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
506 | int r; | |
507 | ||
508 | assert(h); | |
509 | assert(root_fd >= 0); | |
510 | ||
511 | r = read_identity_file(root_fd, &v); | |
512 | if (r < 0) | |
513 | return r; | |
514 | ||
515 | embedded_home = user_record_new(); | |
516 | if (!embedded_home) | |
517 | return log_oom(); | |
518 | ||
519 | r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED); | |
520 | if (r < 0) | |
521 | return r; | |
522 | ||
523 | if (!user_record_compatible(h, embedded_home)) | |
80ace4f2 | 524 | return log_error_errno(SYNTHETIC_ERRNO(EREMCHG), "Embedded home record not compatible with host record, refusing."); |
70a5db58 LP |
525 | |
526 | /* Insist that credentials the user supplies also unlocks any embedded records. */ | |
7b78db28 | 527 | r = user_record_authenticate(embedded_home, h, cache, /* strict_verify= */ true); |
70a5db58 LP |
528 | if (r < 0) |
529 | return r; | |
c8f145ad | 530 | assert(r > 0); /* Insist that a password was verified */ |
70a5db58 LP |
531 | |
532 | /* At this point we have three records to deal with: | |
533 | * | |
534 | * · The record we got passed from the host | |
535 | * · The record included in the LUKS header (only if LUKS is used) | |
536 | * · The record in the home directory itself (~.identity) | |
537 | * | |
538 | * Now we have to reconcile all three, and let the newest one win. */ | |
539 | ||
540 | if (header_home) { | |
541 | /* Note we relax the requirements here. Instead of insisting that the host record is strictly | |
542 | * newer, let's also be OK if its equally new. If it is, we'll however insist that the | |
543 | * embedded record must be newer, so that we update at least one of the two. */ | |
544 | ||
545 | r = user_record_reconcile(h, header_home, mode == USER_RECONCILE_REQUIRE_NEWER ? USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL : mode, &intermediate_home); | |
546 | if (r == -EREMCHG) /* this was supposed to be checked earlier already, but let's check this again */ | |
547 | return log_error_errno(r, "Identity stored on host and in header don't match, refusing."); | |
548 | if (r == -ESTALE) | |
549 | return log_error_errno(r, "Embedded identity record is newer than supplied record, refusing."); | |
550 | if (r < 0) | |
551 | return log_error_errno(r, "Failed to reconcile host and header identities: %m"); | |
552 | if (r == USER_RECONCILE_EMBEDDED_WON) | |
553 | log_info("Reconciling header user identity completed (header version was newer)."); | |
554 | else if (r == USER_RECONCILE_HOST_WON) { | |
555 | log_info("Reconciling header user identity completed (host version was newer)."); | |
556 | ||
557 | if (mode == USER_RECONCILE_REQUIRE_NEWER) /* Host version is newer than the header | |
558 | * version, hence we'll update | |
559 | * something. This means we can relax the | |
560 | * requirements on the embedded | |
561 | * identity. */ | |
562 | mode = USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL; | |
563 | } else { | |
564 | assert(r == USER_RECONCILE_IDENTICAL); | |
565 | log_info("Reconciling user identities completed (host and header version were identical)."); | |
566 | } | |
567 | ||
568 | h = intermediate_home; | |
569 | } | |
570 | ||
571 | r = user_record_reconcile(h, embedded_home, mode, &new_home); | |
572 | if (r == -EREMCHG) | |
573 | return log_error_errno(r, "Identity stored on host and in home don't match, refusing."); | |
574 | if (r == -ESTALE) | |
575 | return log_error_errno(r, "Embedded identity record is equally new or newer than supplied record, refusing."); | |
576 | if (r < 0) | |
577 | return log_error_errno(r, "Failed to reconcile host and embedded identities: %m"); | |
578 | if (r == USER_RECONCILE_EMBEDDED_WON) | |
579 | log_info("Reconciling embedded user identity completed (embedded version was newer)."); | |
580 | else if (r == USER_RECONCILE_HOST_WON) | |
581 | log_info("Reconciling embedded user identity completed (host version was newer)."); | |
582 | else { | |
583 | assert(r == USER_RECONCILE_IDENTICAL); | |
584 | log_info("Reconciling embedded user identity completed (host and embedded version were identical)."); | |
585 | } | |
586 | ||
587 | if (ret_embedded_home) | |
588 | *ret_embedded_home = TAKE_PTR(embedded_home); | |
589 | ||
590 | if (ret_new_home) | |
591 | *ret_new_home = TAKE_PTR(new_home); | |
592 | ||
593 | return 0; | |
594 | } | |
595 | ||
596 | int home_store_embedded_identity(UserRecord *h, int root_fd, uid_t uid, UserRecord *old_home) { | |
597 | _cleanup_(user_record_unrefp) UserRecord *embedded = NULL; | |
598 | int r; | |
599 | ||
600 | assert(h); | |
601 | assert(root_fd >= 0); | |
602 | assert(uid_is_valid(uid)); | |
603 | ||
604 | r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &embedded); | |
605 | if (r < 0) | |
606 | return log_error_errno(r, "Failed to determine new embedded record: %m"); | |
607 | ||
608 | if (old_home && user_record_equal(old_home, embedded)) { | |
609 | log_debug("Not updating embedded home record."); | |
610 | return 0; | |
611 | } | |
612 | ||
613 | /* The identity has changed, let's update it in the image */ | |
614 | r = write_identity_file(root_fd, embedded->json, h->uid); | |
615 | if (r < 0) | |
616 | return r; | |
617 | ||
618 | return 1; | |
619 | } | |
620 | ||
621 | static const char *file_system_type_fd(int fd) { | |
622 | struct statfs sfs; | |
623 | ||
624 | assert(fd >= 0); | |
625 | ||
626 | if (fstatfs(fd, &sfs) < 0) { | |
627 | log_debug_errno(errno, "Failed to statfs(): %m"); | |
628 | return NULL; | |
629 | } | |
630 | ||
631 | if (is_fs_type(&sfs, XFS_SB_MAGIC)) | |
632 | return "xfs"; | |
633 | if (is_fs_type(&sfs, EXT4_SUPER_MAGIC)) | |
634 | return "ext4"; | |
635 | if (is_fs_type(&sfs, BTRFS_SUPER_MAGIC)) | |
636 | return "btrfs"; | |
637 | ||
638 | return NULL; | |
639 | } | |
640 | ||
641 | int home_extend_embedded_identity(UserRecord *h, UserRecord *used, HomeSetup *setup) { | |
642 | int r; | |
643 | ||
644 | assert(h); | |
645 | assert(used); | |
646 | assert(setup); | |
647 | ||
648 | r = user_record_add_binding( | |
649 | h, | |
650 | user_record_storage(used), | |
651 | user_record_image_path(used), | |
652 | setup->found_partition_uuid, | |
653 | setup->found_luks_uuid, | |
654 | setup->found_fs_uuid, | |
655 | setup->crypt_device ? crypt_get_cipher(setup->crypt_device) : NULL, | |
656 | setup->crypt_device ? crypt_get_cipher_mode(setup->crypt_device) : NULL, | |
657 | setup->crypt_device ? luks_volume_key_size_convert(setup->crypt_device) : UINT64_MAX, | |
658 | file_system_type_fd(setup->root_fd), | |
659 | user_record_home_directory(used), | |
660 | used->uid, | |
661 | (gid_t) used->uid); | |
662 | if (r < 0) | |
663 | return log_error_errno(r, "Failed to update binding in record: %m"); | |
664 | ||
665 | return 0; | |
666 | } | |
667 | ||
668 | static int chown_recursive_directory(int root_fd, uid_t uid) { | |
669 | int r; | |
670 | ||
671 | assert(root_fd >= 0); | |
672 | assert(uid_is_valid(uid)); | |
673 | ||
674 | r = fd_chown_recursive(root_fd, uid, (gid_t) uid, 0777); | |
675 | if (r < 0) | |
676 | return log_error_errno(r, "Failed to change ownership of files and directories: %m"); | |
677 | if (r == 0) | |
678 | log_info("Recursive changing of ownership not necessary, skipped."); | |
679 | else | |
680 | log_info("Recursive changing of ownership completed."); | |
681 | ||
682 | return 0; | |
683 | } | |
684 | ||
685 | int home_refresh( | |
686 | UserRecord *h, | |
687 | HomeSetup *setup, | |
688 | UserRecord *header_home, | |
7b78db28 | 689 | PasswordCache *cache, |
70a5db58 LP |
690 | struct statfs *ret_statfs, |
691 | UserRecord **ret_new_home) { | |
692 | ||
693 | _cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *new_home = NULL; | |
694 | int r; | |
695 | ||
696 | assert(h); | |
697 | assert(setup); | |
698 | assert(ret_new_home); | |
699 | ||
700 | /* When activating a home directory, does the identity work: loads the identity from the $HOME | |
701 | * directory, reconciles it with our idea, chown()s everything. */ | |
702 | ||
7b78db28 | 703 | r = home_load_embedded_identity(h, setup->root_fd, header_home, USER_RECONCILE_ANY, cache, &embedded_home, &new_home); |
70a5db58 LP |
704 | if (r < 0) |
705 | return r; | |
706 | ||
707 | r = home_store_header_identity_luks(new_home, setup, header_home); | |
708 | if (r < 0) | |
709 | return r; | |
710 | ||
711 | r = home_store_embedded_identity(new_home, setup->root_fd, h->uid, embedded_home); | |
712 | if (r < 0) | |
713 | return r; | |
714 | ||
715 | r = chown_recursive_directory(setup->root_fd, h->uid); | |
716 | if (r < 0) | |
717 | return r; | |
718 | ||
719 | r = home_sync_and_statfs(setup->root_fd, ret_statfs); | |
720 | if (r < 0) | |
721 | return r; | |
722 | ||
723 | *ret_new_home = TAKE_PTR(new_home); | |
724 | return 0; | |
725 | } | |
726 | ||
727 | static int home_activate(UserRecord *h, UserRecord **ret_home) { | |
7b78db28 | 728 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
70a5db58 LP |
729 | _cleanup_(user_record_unrefp) UserRecord *new_home = NULL; |
730 | int r; | |
731 | ||
732 | assert(h); | |
733 | ||
734 | if (!h->user_name) | |
735 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing."); | |
736 | if (!uid_is_valid(h->uid)) | |
737 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing."); | |
738 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
739 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Activating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
740 | ||
7b78db28 | 741 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ false); |
70a5db58 LP |
742 | if (r < 0) |
743 | return r; | |
744 | ||
745 | r = user_record_test_home_directory_and_warn(h); | |
746 | if (r < 0) | |
747 | return r; | |
748 | if (r == USER_TEST_MOUNTED) | |
749 | return log_error_errno(SYNTHETIC_ERRNO(EALREADY), "Home directory %s is already mounted, refusing.", user_record_home_directory(h)); | |
750 | ||
751 | r = user_record_test_image_path_and_warn(h); | |
752 | if (r < 0) | |
753 | return r; | |
754 | if (r == USER_TEST_ABSENT) | |
755 | return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Image path %s is missing, refusing.", user_record_image_path(h)); | |
756 | ||
757 | switch (user_record_storage(h)) { | |
758 | ||
759 | case USER_LUKS: | |
7b78db28 | 760 | r = home_activate_luks(h, &cache, &new_home); |
70a5db58 LP |
761 | if (r < 0) |
762 | return r; | |
763 | ||
764 | break; | |
765 | ||
766 | case USER_SUBVOLUME: | |
767 | case USER_DIRECTORY: | |
768 | case USER_FSCRYPT: | |
7b78db28 | 769 | r = home_activate_directory(h, &cache, &new_home); |
70a5db58 LP |
770 | if (r < 0) |
771 | return r; | |
772 | ||
773 | break; | |
774 | ||
775 | case USER_CIFS: | |
7b78db28 | 776 | r = home_activate_cifs(h, &cache, &new_home); |
70a5db58 LP |
777 | if (r < 0) |
778 | return r; | |
779 | ||
780 | break; | |
781 | ||
782 | default: | |
783 | assert_not_reached("unexpected type"); | |
784 | } | |
785 | ||
786 | /* Note that the returned object might either be a reference to an updated version of the existing | |
787 | * home object, or a reference to a newly allocated home object. The caller has to be able to deal | |
788 | * with both, and consider the old object out-of-date. */ | |
789 | if (user_record_equal(h, new_home)) { | |
790 | *ret_home = NULL; | |
791 | return 0; /* no identity change */ | |
792 | } | |
793 | ||
794 | *ret_home = TAKE_PTR(new_home); | |
795 | return 1; /* identity updated */ | |
796 | } | |
797 | ||
798 | static int home_deactivate(UserRecord *h, bool force) { | |
799 | bool done = false; | |
800 | int r; | |
801 | ||
802 | assert(h); | |
803 | ||
804 | if (!h->user_name) | |
805 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing."); | |
806 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
807 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Deactivating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
808 | ||
809 | r = user_record_test_home_directory_and_warn(h); | |
810 | if (r < 0) | |
811 | return r; | |
812 | if (r == USER_TEST_MOUNTED) { | |
28a7f106 LP |
813 | if (user_record_storage(h) == USER_LUKS) { |
814 | r = home_trim_luks(h); | |
815 | if (r < 0) | |
816 | return r; | |
817 | } | |
818 | ||
70a5db58 LP |
819 | if (umount2(user_record_home_directory(h), UMOUNT_NOFOLLOW | (force ? MNT_FORCE|MNT_DETACH : 0)) < 0) |
820 | return log_error_errno(errno, "Failed to unmount %s: %m", user_record_home_directory(h)); | |
821 | ||
822 | log_info("Unmounting completed."); | |
823 | done = true; | |
824 | } else | |
825 | log_info("Directory %s is already unmounted.", user_record_home_directory(h)); | |
826 | ||
827 | if (user_record_storage(h) == USER_LUKS) { | |
828 | r = home_deactivate_luks(h); | |
829 | if (r < 0) | |
830 | return r; | |
831 | if (r > 0) | |
832 | done = true; | |
833 | } | |
834 | ||
835 | if (!done) | |
836 | return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home is not active."); | |
837 | ||
838 | log_info("Everything completed."); | |
839 | return 0; | |
840 | } | |
841 | ||
842 | static int copy_skel(int root_fd, const char *skel) { | |
843 | int r; | |
844 | ||
845 | assert(root_fd >= 0); | |
846 | ||
847 | r = copy_tree_at(AT_FDCWD, skel, root_fd, ".", UID_INVALID, GID_INVALID, COPY_MERGE|COPY_REPLACE); | |
848 | if (r == -ENOENT) { | |
849 | log_info("Skeleton directory %s missing, ignoring.", skel); | |
850 | return 0; | |
851 | } | |
852 | if (r < 0) | |
853 | return log_error_errno(r, "Failed to copy in %s: %m", skel); | |
854 | ||
855 | log_info("Copying in %s completed.", skel); | |
856 | return 0; | |
857 | } | |
858 | ||
859 | static int change_access_mode(int root_fd, mode_t m) { | |
860 | assert(root_fd >= 0); | |
861 | ||
862 | if (fchmod(root_fd, m) < 0) | |
863 | return log_error_errno(errno, "Failed to change access mode of top-level directory: %m"); | |
864 | ||
865 | log_info("Changed top-level directory access mode to 0%o.", m); | |
866 | return 0; | |
867 | } | |
868 | ||
869 | int home_populate(UserRecord *h, int dir_fd) { | |
870 | int r; | |
871 | ||
872 | assert(h); | |
873 | assert(dir_fd >= 0); | |
874 | ||
875 | r = copy_skel(dir_fd, user_record_skeleton_directory(h)); | |
876 | if (r < 0) | |
877 | return r; | |
878 | ||
879 | r = home_store_embedded_identity(h, dir_fd, h->uid, NULL); | |
880 | if (r < 0) | |
881 | return r; | |
882 | ||
883 | r = chown_recursive_directory(dir_fd, h->uid); | |
884 | if (r < 0) | |
885 | return r; | |
886 | ||
887 | r = change_access_mode(dir_fd, user_record_access_mode(h)); | |
888 | if (r < 0) | |
889 | return r; | |
890 | ||
891 | return 0; | |
892 | } | |
893 | ||
894 | static int user_record_compile_effective_passwords( | |
895 | UserRecord *h, | |
7b78db28 LP |
896 | PasswordCache *cache, |
897 | char ***ret_effective_passwords) { | |
70a5db58 | 898 | |
7b78db28 | 899 | _cleanup_(strv_free_erasep) char **effective = NULL; |
70a5db58 LP |
900 | size_t n; |
901 | char **i; | |
902 | int r; | |
903 | ||
904 | assert(h); | |
7b78db28 | 905 | assert(cache); |
70a5db58 LP |
906 | |
907 | /* We insist on at least one classic hashed password to be defined in addition to any PKCS#11 one, as | |
908 | * a safe fallback, but also to simplify the password changing algorithm: there we require providing | |
909 | * the old literal password only (and do not care for the old PKCS#11 token) */ | |
910 | ||
911 | if (strv_isempty(h->hashed_password)) | |
912 | return log_error_errno(EINVAL, "User record has no hashed passwords, refusing."); | |
913 | ||
914 | /* Generates the list of plaintext passwords to propagate to LUKS/fscrypt devices, and checks whether | |
915 | * we have a plaintext password for each hashed one. If we are missing one we'll fail, since we | |
916 | * couldn't sync fscrypt/LUKS to the login account properly. */ | |
917 | ||
918 | STRV_FOREACH(i, h->hashed_password) { | |
919 | bool found = false; | |
920 | char **j; | |
921 | ||
922 | log_debug("Looking for plaintext password for: %s", *i); | |
923 | ||
924 | /* Let's scan all provided plaintext passwords */ | |
925 | STRV_FOREACH(j, h->password) { | |
926 | r = test_password_one(*i, *j); | |
927 | if (r < 0) | |
87d7893c | 928 | return log_error_errno(r, "Failed to test plaintext password: %m"); |
70a5db58 LP |
929 | if (r > 0) { |
930 | if (ret_effective_passwords) { | |
931 | r = strv_extend(&effective, *j); | |
932 | if (r < 0) | |
933 | return log_oom(); | |
934 | } | |
935 | ||
936 | log_debug("Found literal plaintext password."); | |
937 | found = true; | |
938 | break; | |
939 | } | |
940 | } | |
941 | ||
942 | if (!found) | |
943 | return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), "Missing plaintext password for defined hashed password"); | |
944 | } | |
945 | ||
87d7893c LP |
946 | for (n = 0; n < h->n_recovery_key; n++) { |
947 | bool found = false; | |
948 | char **j; | |
949 | ||
950 | log_debug("Looking for plaintext recovery key for: %s", h->recovery_key[n].hashed_password); | |
951 | ||
952 | STRV_FOREACH(j, h->password) { | |
953 | _cleanup_(erase_and_freep) char *mangled = NULL; | |
954 | const char *p; | |
955 | ||
956 | if (streq(h->recovery_key[n].type, "modhex64")) { | |
957 | ||
958 | r = normalize_recovery_key(*j, &mangled); | |
959 | if (r == -EINVAL) /* Not properly formatted, probably a regular password. */ | |
960 | continue; | |
961 | if (r < 0) | |
962 | return log_error_errno(r, "Failed to normalize recovery key: %m"); | |
963 | ||
964 | p = mangled; | |
965 | } else | |
966 | p = *j; | |
967 | ||
968 | r = test_password_one(h->recovery_key[n].hashed_password, p); | |
969 | if (r < 0) | |
970 | return log_error_errno(r, "Failed to test plaintext recovery key: %m"); | |
971 | if (r > 0) { | |
972 | if (ret_effective_passwords) { | |
973 | r = strv_extend(&effective, p); | |
974 | if (r < 0) | |
975 | return log_oom(); | |
976 | } | |
977 | ||
978 | log_debug("Found plaintext recovery key."); | |
979 | found = true; | |
980 | break; | |
981 | } | |
982 | } | |
983 | ||
984 | if (!found) | |
985 | return log_error_errno(SYNTHETIC_ERRNO(EREMOTEIO), "Missing plaintext recovery key for defined recovery key"); | |
986 | } | |
987 | ||
70a5db58 LP |
988 | for (n = 0; n < h->n_pkcs11_encrypted_key; n++) { |
989 | #if HAVE_P11KIT | |
990 | _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = { | |
991 | .user_record = h, | |
992 | .secret = h, | |
993 | .encrypted_key = h->pkcs11_encrypted_key + n, | |
994 | }; | |
995 | ||
996 | r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data); | |
997 | if (r == -EAGAIN) | |
998 | return -EBADSLT; | |
999 | if (r < 0) | |
1000 | return r; | |
1001 | ||
1002 | r = test_password_one(data.encrypted_key->hashed_password, data.decrypted_password); | |
1003 | if (r < 0) | |
1004 | return log_error_errno(r, "Failed to test PKCS#11 password: %m"); | |
1005 | if (r == 0) | |
1006 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Decrypted password from token is not correct, refusing."); | |
1007 | ||
1008 | if (ret_effective_passwords) { | |
1009 | r = strv_extend(&effective, data.decrypted_password); | |
1010 | if (r < 0) | |
1011 | return log_oom(); | |
1012 | } | |
1013 | ||
7b78db28 LP |
1014 | r = strv_extend(&cache->pkcs11_passwords, data.decrypted_password); |
1015 | if (r < 0) | |
1016 | return log_oom(); | |
1017 | #else | |
1018 | return -EBADSLT; | |
1019 | #endif | |
1020 | } | |
1021 | ||
1022 | for (n = 0; n < h->n_fido2_hmac_salt; n++) { | |
1023 | #if HAVE_LIBFIDO2 | |
1024 | _cleanup_(erase_and_freep) char *decrypted_password = NULL; | |
1025 | ||
1026 | r = fido2_use_token(h, h, h->fido2_hmac_salt + n, &decrypted_password); | |
1027 | if (r < 0) | |
1028 | return r; | |
1029 | ||
1030 | r = test_password_one(h->fido2_hmac_salt[n].hashed_password, decrypted_password); | |
1031 | if (r < 0) | |
1032 | return log_error_errno(r, "Failed to test FIDO2 password: %m"); | |
1033 | if (r == 0) | |
1034 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Decrypted password from token is not correct, refusing."); | |
1035 | ||
1036 | if (ret_effective_passwords) { | |
1037 | r = strv_extend(&effective, decrypted_password); | |
70a5db58 LP |
1038 | if (r < 0) |
1039 | return log_oom(); | |
1040 | } | |
7b78db28 LP |
1041 | |
1042 | r = strv_extend(&cache->fido2_passwords, decrypted_password); | |
1043 | if (r < 0) | |
1044 | return log_oom(); | |
70a5db58 LP |
1045 | #else |
1046 | return -EBADSLT; | |
1047 | #endif | |
1048 | } | |
1049 | ||
1050 | if (ret_effective_passwords) | |
1051 | *ret_effective_passwords = TAKE_PTR(effective); | |
70a5db58 LP |
1052 | |
1053 | return 0; | |
1054 | } | |
1055 | ||
1dfe5de0 LP |
1056 | static int determine_default_storage(UserStorage *ret) { |
1057 | UserStorage storage = _USER_STORAGE_INVALID; | |
1058 | const char *e; | |
1059 | int r; | |
1060 | ||
1061 | assert(ret); | |
1062 | ||
1063 | /* homed tells us via an environment variable which default storage to use */ | |
1064 | e = getenv("SYSTEMD_HOME_DEFAULT_STORAGE"); | |
1065 | if (e) { | |
1066 | storage = user_storage_from_string(e); | |
1067 | if (storage < 0) | |
1068 | log_warning("$SYSTEMD_HOME_DEFAULT_STORAGE set to invalid storage type, ignoring: %s", e); | |
1069 | else { | |
1070 | log_info("Using configured default storage '%s'.", user_storage_to_string(storage)); | |
1071 | *ret = storage; | |
1072 | return 0; | |
1073 | } | |
1074 | } | |
1075 | ||
1076 | /* When neither user nor admin specified the storage type to use, fix it to be LUKS — unless we run | |
1077 | * in a container where loopback devices and LUKS/DM are not available. Also, if /home is encrypted | |
1078 | * anyway, let's avoid duplicate encryption. Note that we typically default to the assumption of | |
1079 | * "classic" storage for most operations. However, if we create a new home, then let's user LUKS if | |
1080 | * nothing is specified. */ | |
1081 | ||
1082 | r = detect_container(); | |
1083 | if (r < 0) | |
1084 | return log_error_errno(r, "Failed to determine whether we are in a container: %m"); | |
1085 | if (r == 0) { | |
1086 | r = path_is_encrypted("/home"); | |
1087 | if (r < 0) | |
1088 | log_warning_errno(r, "Failed to determine if /home is encrypted, ignoring: %m"); | |
1089 | if (r <= 0) { | |
1090 | log_info("Using automatic default storage of '%s'.", user_storage_to_string(USER_LUKS)); | |
1091 | *ret = USER_LUKS; | |
1092 | return 0; | |
1093 | } | |
1094 | ||
1095 | log_info("/home is encrypted, not using '%s' storage, in order to avoid double encryption.", user_storage_to_string(USER_LUKS)); | |
1096 | } else | |
1097 | log_info("Running in container, not using '%s' storage.", user_storage_to_string(USER_LUKS)); | |
1098 | ||
1099 | r = path_is_fs_type("/home", BTRFS_SUPER_MAGIC); | |
1100 | if (r < 0) | |
1101 | log_warning_errno(r, "Failed to determine file system of /home, ignoring: %m"); | |
1102 | if (r > 0) { | |
1103 | log_info("/home is on btrfs, using '%s' as storage.", user_storage_to_string(USER_SUBVOLUME)); | |
1104 | *ret = USER_SUBVOLUME; | |
1105 | } else { | |
1106 | log_info("/home is on simple file system, using '%s' as storage.", user_storage_to_string(USER_DIRECTORY)); | |
1107 | *ret = USER_DIRECTORY; | |
1108 | } | |
1109 | ||
1110 | return 0; | |
1111 | } | |
1112 | ||
70a5db58 | 1113 | static int home_create(UserRecord *h, UserRecord **ret_home) { |
7b78db28 | 1114 | _cleanup_(strv_free_erasep) char **effective_passwords = NULL; |
70a5db58 | 1115 | _cleanup_(user_record_unrefp) UserRecord *new_home = NULL; |
7b78db28 | 1116 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
1dfe5de0 LP |
1117 | UserStorage new_storage = _USER_STORAGE_INVALID; |
1118 | const char *new_fs = NULL; | |
70a5db58 LP |
1119 | int r; |
1120 | ||
1121 | assert(h); | |
1122 | ||
1123 | if (!h->user_name) | |
1124 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks name, refusing."); | |
1125 | if (!uid_is_valid(h->uid)) | |
1126 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing."); | |
1127 | ||
7b78db28 | 1128 | r = user_record_compile_effective_passwords(h, &cache, &effective_passwords); |
70a5db58 LP |
1129 | if (r < 0) |
1130 | return r; | |
1131 | ||
1132 | r = user_record_test_home_directory_and_warn(h); | |
1133 | if (r < 0) | |
1134 | return r; | |
1135 | if (r != USER_TEST_ABSENT) | |
1136 | return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Home directory %s already exists, refusing.", user_record_home_directory(h)); | |
1137 | ||
70a5db58 | 1138 | if (h->storage < 0) { |
1dfe5de0 | 1139 | r = determine_default_storage(&new_storage); |
70a5db58 | 1140 | if (r < 0) |
1dfe5de0 LP |
1141 | return r; |
1142 | } | |
70a5db58 | 1143 | |
1dfe5de0 LP |
1144 | if ((h->storage == USER_LUKS || |
1145 | (h->storage < 0 && new_storage == USER_LUKS)) && | |
1146 | !h->file_system_type) | |
1147 | new_fs = getenv("SYSTEMD_HOME_DEFAULT_FILE_SYSTEM_TYPE"); | |
70a5db58 | 1148 | |
1dfe5de0 | 1149 | if (new_storage >= 0 || new_fs) { |
70a5db58 LP |
1150 | r = user_record_add_binding( |
1151 | h, | |
1152 | new_storage, | |
1153 | NULL, | |
1154 | SD_ID128_NULL, | |
1155 | SD_ID128_NULL, | |
1156 | SD_ID128_NULL, | |
1157 | NULL, | |
1158 | NULL, | |
1159 | UINT64_MAX, | |
1dfe5de0 | 1160 | new_fs, |
70a5db58 LP |
1161 | NULL, |
1162 | UID_INVALID, | |
1163 | GID_INVALID); | |
1164 | if (r < 0) | |
1165 | return log_error_errno(r, "Failed to change storage type to LUKS: %m"); | |
70a5db58 LP |
1166 | } |
1167 | ||
1168 | r = user_record_test_image_path_and_warn(h); | |
1169 | if (r < 0) | |
1170 | return r; | |
1171 | if (!IN_SET(r, USER_TEST_ABSENT, USER_TEST_UNDEFINED, USER_TEST_MAYBE)) | |
1172 | return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Image path %s already exists, refusing.", user_record_image_path(h)); | |
1173 | ||
1174 | switch (user_record_storage(h)) { | |
1175 | ||
1176 | case USER_LUKS: | |
7b78db28 | 1177 | r = home_create_luks(h, &cache, effective_passwords, &new_home); |
70a5db58 LP |
1178 | break; |
1179 | ||
1180 | case USER_DIRECTORY: | |
1181 | case USER_SUBVOLUME: | |
1182 | r = home_create_directory_or_subvolume(h, &new_home); | |
1183 | break; | |
1184 | ||
1185 | case USER_FSCRYPT: | |
1186 | r = home_create_fscrypt(h, effective_passwords, &new_home); | |
1187 | break; | |
1188 | ||
1189 | case USER_CIFS: | |
1190 | r = home_create_cifs(h, &new_home); | |
1191 | break; | |
1192 | ||
1193 | default: | |
1194 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), | |
1195 | "Creating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1196 | } | |
1197 | if (r < 0) | |
1198 | return r; | |
1199 | ||
1200 | if (user_record_equal(h, new_home)) { | |
1201 | *ret_home = NULL; | |
1202 | return 0; | |
1203 | } | |
1204 | ||
1205 | *ret_home = TAKE_PTR(new_home); | |
1206 | return 1; | |
1207 | } | |
1208 | ||
1209 | static int home_remove(UserRecord *h) { | |
1210 | bool deleted = false; | |
1211 | const char *ip, *hd; | |
1212 | int r; | |
1213 | ||
1214 | assert(h); | |
1215 | ||
1216 | if (!h->user_name) | |
1217 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing."); | |
1218 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
1219 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Removing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1220 | ||
1221 | hd = user_record_home_directory(h); | |
1222 | ||
1223 | r = user_record_test_home_directory_and_warn(h); | |
1224 | if (r < 0) | |
1225 | return r; | |
1226 | if (r == USER_TEST_MOUNTED) | |
1227 | return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Directory %s is still mounted, refusing.", hd); | |
1228 | ||
1229 | assert(hd); | |
1230 | ||
1231 | r = user_record_test_image_path_and_warn(h); | |
1232 | if (r < 0) | |
1233 | return r; | |
1234 | ||
1235 | ip = user_record_image_path(h); | |
1236 | ||
1237 | switch (user_record_storage(h)) { | |
1238 | ||
1239 | case USER_LUKS: { | |
1240 | struct stat st; | |
1241 | ||
1242 | assert(ip); | |
1243 | ||
1244 | if (stat(ip, &st) < 0) { | |
6b8664cb | 1245 | if (errno != ENOENT) |
80ace4f2 | 1246 | return log_error_errno(errno, "Failed to stat() %s: %m", ip); |
70a5db58 LP |
1247 | |
1248 | } else { | |
1249 | if (S_ISREG(st.st_mode)) { | |
1250 | if (unlink(ip) < 0) { | |
1251 | if (errno != ENOENT) | |
1252 | return log_error_errno(errno, "Failed to remove %s: %m", ip); | |
1253 | } else | |
1254 | deleted = true; | |
1255 | ||
1256 | } else if (S_ISBLK(st.st_mode)) | |
1257 | log_info("Not removing file system on block device %s.", ip); | |
1258 | else | |
1259 | return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK), "Image file %s is neither block device, nor regular, refusing removal.", ip); | |
1260 | } | |
1261 | ||
1262 | break; | |
1263 | } | |
1264 | ||
1265 | case USER_SUBVOLUME: | |
1266 | case USER_DIRECTORY: | |
1267 | case USER_FSCRYPT: | |
1268 | assert(ip); | |
1269 | ||
1270 | r = rm_rf(ip, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME); | |
1271 | if (r < 0) { | |
1272 | if (r != -ENOENT) | |
1273 | return log_warning_errno(r, "Failed to remove %s: %m", ip); | |
1274 | } else | |
1275 | deleted = true; | |
1276 | ||
1277 | /* If the image path and the home directory are the same invalidate the home directory, so | |
1278 | * that we don't remove it anymore */ | |
1279 | if (path_equal(ip, hd)) | |
1280 | hd = NULL; | |
1281 | ||
1282 | break; | |
1283 | ||
1284 | case USER_CIFS: | |
1285 | /* Nothing else to do here: we won't remove remote stuff. */ | |
1286 | log_info("Not removing home directory on remote server."); | |
1287 | break; | |
1288 | ||
1289 | default: | |
1290 | assert_not_reached("unknown storage type"); | |
1291 | } | |
1292 | ||
1293 | if (hd) { | |
1294 | if (rmdir(hd) < 0) { | |
1295 | if (errno != ENOENT) | |
1296 | return log_error_errno(errno, "Failed to remove %s, ignoring: %m", hd); | |
1297 | } else | |
1298 | deleted = true; | |
1299 | } | |
1300 | ||
1301 | if (deleted) | |
1302 | log_info("Everything completed."); | |
e4ff0393 FS |
1303 | else |
1304 | return log_notice_errno(SYNTHETIC_ERRNO(EALREADY), | |
1305 | "Nothing to remove."); | |
70a5db58 LP |
1306 | |
1307 | return 0; | |
1308 | } | |
1309 | ||
1310 | static int home_validate_update(UserRecord *h, HomeSetup *setup) { | |
1311 | bool has_mount = false; | |
1312 | int r; | |
1313 | ||
1314 | assert(h); | |
1315 | assert(setup); | |
1316 | ||
1317 | if (!h->user_name) | |
1318 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing."); | |
1319 | if (!uid_is_valid(h->uid)) | |
1320 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing."); | |
1321 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
1322 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1323 | ||
1324 | r = user_record_test_home_directory_and_warn(h); | |
1325 | if (r < 0) | |
1326 | return r; | |
1327 | ||
1328 | has_mount = r == USER_TEST_MOUNTED; | |
1329 | ||
1330 | r = user_record_test_image_path_and_warn(h); | |
1331 | if (r < 0) | |
1332 | return r; | |
1333 | if (r == USER_TEST_ABSENT) | |
1334 | return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Image path %s does not exist", user_record_image_path(h)); | |
1335 | ||
1336 | switch (user_record_storage(h)) { | |
1337 | ||
1338 | case USER_DIRECTORY: | |
1339 | case USER_SUBVOLUME: | |
1340 | case USER_FSCRYPT: | |
1341 | case USER_CIFS: | |
1342 | break; | |
1343 | ||
1344 | case USER_LUKS: { | |
1345 | r = home_validate_update_luks(h, setup); | |
1346 | if (r < 0) | |
1347 | return r; | |
1348 | if ((r > 0) != has_mount) | |
1349 | return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Home mount incompletely set up."); | |
1350 | ||
1351 | break; | |
1352 | } | |
1353 | ||
1354 | default: | |
1355 | assert_not_reached("unexpected storage type"); | |
1356 | } | |
1357 | ||
1358 | return has_mount; /* return true if the home record is already active */ | |
1359 | } | |
1360 | ||
1361 | static int home_update(UserRecord *h, UserRecord **ret) { | |
1362 | _cleanup_(user_record_unrefp) UserRecord *new_home = NULL, *header_home = NULL, *embedded_home = NULL; | |
70a5db58 | 1363 | _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; |
7b78db28 | 1364 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
70a5db58 LP |
1365 | bool already_activated = false; |
1366 | int r; | |
1367 | ||
1368 | assert(h); | |
1369 | assert(ret); | |
1370 | ||
7b78db28 | 1371 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ true); |
70a5db58 LP |
1372 | if (r < 0) |
1373 | return r; | |
c8f145ad | 1374 | assert(r > 0); /* Insist that a password was verified */ |
70a5db58 LP |
1375 | |
1376 | r = home_validate_update(h, &setup); | |
1377 | if (r < 0) | |
1378 | return r; | |
1379 | ||
1380 | already_activated = r > 0; | |
1381 | ||
7b78db28 | 1382 | r = home_prepare(h, already_activated, &cache, &setup, &header_home); |
70a5db58 LP |
1383 | if (r < 0) |
1384 | return r; | |
1385 | ||
7b78db28 | 1386 | r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_REQUIRE_NEWER, &cache, &embedded_home, &new_home); |
70a5db58 LP |
1387 | if (r < 0) |
1388 | return r; | |
1389 | ||
1390 | r = home_store_header_identity_luks(new_home, &setup, header_home); | |
1391 | if (r < 0) | |
1392 | return r; | |
1393 | ||
1394 | r = home_store_embedded_identity(new_home, setup.root_fd, h->uid, embedded_home); | |
1395 | if (r < 0) | |
1396 | return r; | |
1397 | ||
1398 | r = home_extend_embedded_identity(new_home, h, &setup); | |
1399 | if (r < 0) | |
1400 | return r; | |
1401 | ||
1402 | r = home_sync_and_statfs(setup.root_fd, NULL); | |
1403 | if (r < 0) | |
1404 | return r; | |
1405 | ||
1406 | r = home_setup_undo(&setup); | |
1407 | if (r < 0) | |
1408 | return r; | |
1409 | ||
1410 | log_info("Everything completed."); | |
1411 | ||
1412 | *ret = TAKE_PTR(new_home); | |
1413 | return 0; | |
1414 | } | |
1415 | ||
1416 | static int home_resize(UserRecord *h, UserRecord **ret) { | |
1417 | _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; | |
7b78db28 | 1418 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
70a5db58 LP |
1419 | bool already_activated = false; |
1420 | int r; | |
1421 | ||
1422 | assert(h); | |
1423 | assert(ret); | |
1424 | ||
1425 | if (h->disk_size == UINT64_MAX) | |
1426 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No target size specified, refusing."); | |
1427 | ||
7b78db28 | 1428 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ true); |
70a5db58 LP |
1429 | if (r < 0) |
1430 | return r; | |
c8f145ad | 1431 | assert(r > 0); /* Insist that a password was verified */ |
70a5db58 LP |
1432 | |
1433 | r = home_validate_update(h, &setup); | |
1434 | if (r < 0) | |
1435 | return r; | |
1436 | ||
1437 | already_activated = r > 0; | |
1438 | ||
1439 | switch (user_record_storage(h)) { | |
1440 | ||
1441 | case USER_LUKS: | |
7b78db28 | 1442 | return home_resize_luks(h, already_activated, &cache, &setup, ret); |
70a5db58 LP |
1443 | |
1444 | case USER_DIRECTORY: | |
1445 | case USER_SUBVOLUME: | |
1446 | case USER_FSCRYPT: | |
7b78db28 | 1447 | return home_resize_directory(h, already_activated, &cache, &setup, ret); |
70a5db58 LP |
1448 | |
1449 | default: | |
1450 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Resizing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1451 | } | |
1452 | } | |
1453 | ||
1454 | static int home_passwd(UserRecord *h, UserRecord **ret_home) { | |
1455 | _cleanup_(user_record_unrefp) UserRecord *header_home = NULL, *embedded_home = NULL, *new_home = NULL; | |
7b78db28 | 1456 | _cleanup_(strv_free_erasep) char **effective_passwords = NULL; |
70a5db58 | 1457 | _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; |
7b78db28 | 1458 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
70a5db58 LP |
1459 | bool already_activated = false; |
1460 | int r; | |
1461 | ||
1462 | assert(h); | |
1463 | assert(ret_home); | |
1464 | ||
1465 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT)) | |
1466 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Changing password of home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1467 | ||
7b78db28 | 1468 | r = user_record_compile_effective_passwords(h, &cache, &effective_passwords); |
70a5db58 LP |
1469 | if (r < 0) |
1470 | return r; | |
1471 | ||
1472 | r = home_validate_update(h, &setup); | |
1473 | if (r < 0) | |
1474 | return r; | |
1475 | ||
1476 | already_activated = r > 0; | |
1477 | ||
7b78db28 | 1478 | r = home_prepare(h, already_activated, &cache, &setup, &header_home); |
70a5db58 LP |
1479 | if (r < 0) |
1480 | return r; | |
1481 | ||
7b78db28 | 1482 | r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL, &cache, &embedded_home, &new_home); |
70a5db58 LP |
1483 | if (r < 0) |
1484 | return r; | |
1485 | ||
1486 | switch (user_record_storage(h)) { | |
1487 | ||
1488 | case USER_LUKS: | |
7b78db28 | 1489 | r = home_passwd_luks(h, &setup, &cache, effective_passwords); |
70a5db58 LP |
1490 | if (r < 0) |
1491 | return r; | |
1492 | break; | |
1493 | ||
1494 | case USER_FSCRYPT: | |
7b78db28 | 1495 | r = home_passwd_fscrypt(h, &setup, &cache, effective_passwords); |
70a5db58 LP |
1496 | if (r < 0) |
1497 | return r; | |
1498 | break; | |
1499 | ||
1500 | default: | |
1501 | break; | |
1502 | } | |
1503 | ||
1504 | r = home_store_header_identity_luks(new_home, &setup, header_home); | |
1505 | if (r < 0) | |
1506 | return r; | |
1507 | ||
1508 | r = home_store_embedded_identity(new_home, setup.root_fd, h->uid, embedded_home); | |
1509 | if (r < 0) | |
1510 | return r; | |
1511 | ||
1512 | r = home_extend_embedded_identity(new_home, h, &setup); | |
1513 | if (r < 0) | |
1514 | return r; | |
1515 | ||
1516 | r = home_sync_and_statfs(setup.root_fd, NULL); | |
1517 | if (r < 0) | |
1518 | return r; | |
1519 | ||
1520 | r = home_setup_undo(&setup); | |
1521 | if (r < 0) | |
1522 | return r; | |
1523 | ||
1524 | log_info("Everything completed."); | |
1525 | ||
1526 | *ret_home = TAKE_PTR(new_home); | |
1527 | return 1; | |
1528 | } | |
1529 | ||
1530 | static int home_inspect(UserRecord *h, UserRecord **ret_home) { | |
1531 | _cleanup_(user_record_unrefp) UserRecord *header_home = NULL, *new_home = NULL; | |
1532 | _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; | |
7b78db28 | 1533 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
70a5db58 LP |
1534 | bool already_activated = false; |
1535 | int r; | |
1536 | ||
1537 | assert(h); | |
1538 | assert(ret_home); | |
1539 | ||
7b78db28 | 1540 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ false); |
70a5db58 LP |
1541 | if (r < 0) |
1542 | return r; | |
1543 | ||
1544 | r = home_validate_update(h, &setup); | |
1545 | if (r < 0) | |
1546 | return r; | |
1547 | ||
1548 | already_activated = r > 0; | |
1549 | ||
7b78db28 | 1550 | r = home_prepare(h, already_activated, &cache, &setup, &header_home); |
70a5db58 LP |
1551 | if (r < 0) |
1552 | return r; | |
1553 | ||
7b78db28 | 1554 | r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_ANY, &cache, NULL, &new_home); |
70a5db58 LP |
1555 | if (r < 0) |
1556 | return r; | |
1557 | ||
1558 | r = home_extend_embedded_identity(new_home, h, &setup); | |
1559 | if (r < 0) | |
1560 | return r; | |
1561 | ||
1562 | r = home_setup_undo(&setup); | |
1563 | if (r < 0) | |
1564 | return r; | |
1565 | ||
1566 | log_info("Everything completed."); | |
1567 | ||
1568 | *ret_home = TAKE_PTR(new_home); | |
1569 | return 1; | |
1570 | } | |
1571 | ||
1572 | static int home_lock(UserRecord *h) { | |
1573 | int r; | |
1574 | ||
1575 | assert(h); | |
1576 | ||
1577 | if (!h->user_name) | |
1578 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing."); | |
1579 | if (user_record_storage(h) != USER_LUKS) | |
1580 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Locking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1581 | ||
1582 | r = user_record_test_home_directory_and_warn(h); | |
1583 | if (r < 0) | |
1584 | return r; | |
1585 | if (r != USER_TEST_MOUNTED) | |
1586 | return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home directory of %s is not mounted, can't lock.", h->user_name); | |
1587 | ||
1588 | r = home_lock_luks(h); | |
1589 | if (r < 0) | |
1590 | return r; | |
1591 | ||
1592 | log_info("Everything completed."); | |
1593 | return 1; | |
1594 | } | |
1595 | ||
1596 | static int home_unlock(UserRecord *h) { | |
7b78db28 | 1597 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
70a5db58 LP |
1598 | int r; |
1599 | ||
1600 | assert(h); | |
1601 | ||
1602 | if (!h->user_name) | |
1603 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing."); | |
1604 | if (user_record_storage(h) != USER_LUKS) | |
1605 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Unlocking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1606 | ||
1607 | /* Note that we don't check if $HOME is actually mounted, since we want to avoid disk accesses on | |
1608 | * that mount until we have resumed the device. */ | |
1609 | ||
7b78db28 | 1610 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ false); |
70a5db58 LP |
1611 | if (r < 0) |
1612 | return r; | |
1613 | ||
7b78db28 | 1614 | r = home_unlock_luks(h, &cache); |
70a5db58 LP |
1615 | if (r < 0) |
1616 | return r; | |
1617 | ||
1618 | log_info("Everything completed."); | |
1619 | return 1; | |
1620 | } | |
1621 | ||
1622 | static int run(int argc, char *argv[]) { | |
1623 | _cleanup_(user_record_unrefp) UserRecord *home = NULL, *new_home = NULL; | |
1624 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
1625 | _cleanup_(fclosep) FILE *opened_file = NULL; | |
1626 | unsigned line = 0, column = 0; | |
1627 | const char *json_path = NULL; | |
1628 | FILE *json_file; | |
1629 | usec_t start; | |
1630 | int r; | |
1631 | ||
1632 | start = now(CLOCK_MONOTONIC); | |
1633 | ||
1634 | log_setup_service(); | |
1635 | ||
1636 | umask(0022); | |
1637 | ||
1638 | if (argc < 2 || argc > 3) | |
1639 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program takes one or two arguments."); | |
1640 | ||
1641 | if (argc > 2) { | |
1642 | json_path = argv[2]; | |
1643 | ||
1644 | opened_file = fopen(json_path, "re"); | |
1645 | if (!opened_file) | |
1646 | return log_error_errno(errno, "Failed to open %s: %m", json_path); | |
1647 | ||
1648 | json_file = opened_file; | |
1649 | } else { | |
1650 | json_path = "<stdin>"; | |
1651 | json_file = stdin; | |
1652 | } | |
1653 | ||
1654 | r = json_parse_file(json_file, json_path, JSON_PARSE_SENSITIVE, &v, &line, &column); | |
1655 | if (r < 0) | |
1656 | return log_error_errno(r, "[%s:%u:%u] Failed to parse JSON data: %m", json_path, line, column); | |
1657 | ||
1658 | home = user_record_new(); | |
1659 | if (!home) | |
1660 | return log_oom(); | |
1661 | ||
1662 | r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG); | |
1663 | if (r < 0) | |
1664 | return r; | |
1665 | ||
1666 | /* Well known return values of these operations, that systemd-homed knows and converts to proper D-Bus errors: | |
1667 | * | |
162392b7 ZJS |
1668 | * EMSGSIZE → file systems of this type cannot be shrunk |
1669 | * ETXTBSY → file systems of this type can only be shrunk offline | |
70a5db58 LP |
1670 | * ERANGE → file system size too small |
1671 | * ENOLINK → system does not support selected storage backend | |
1672 | * EPROTONOSUPPORT → system does not support selected file system | |
1673 | * ENOTTY → operation not support on this storage | |
1674 | * ESOCKTNOSUPPORT → operation not support on this file system | |
1675 | * ENOKEY → password incorrect (or not sufficient, or not supplied) | |
87d7893c | 1676 | * EREMOTEIO → recovery key incorrect (or not sufficeint, or not supplied — only if no passwords defined) |
70a5db58 | 1677 | * EBADSLT → similar, but PKCS#11 device is defined and might be able to provide password, if it was plugged in which it is not |
7b78db28 | 1678 | * ENOANO → suitable PKCS#11/FIDO2 device found, but PIN is missing to unlock it |
70a5db58 | 1679 | * ERFKILL → suitable PKCS#11 device found, but OK to ask for on-device interactive authentication not given |
7b78db28 LP |
1680 | * EMEDIUMTYPE → suitable FIDO2 device found, but OK to ask for user presence not given |
1681 | * ENOSTR → suitable FIDO2 device found, but user didn't react to action request on token quickly enough | |
1682 | * EOWNERDEAD → suitable PKCS#11/FIDO2 device found, but its PIN is locked | |
1683 | * ENOLCK → suitable PKCS#11/FIDO2 device found, but PIN incorrect | |
70a5db58 LP |
1684 | * ETOOMANYREFS → suitable PKCS#11 device found, but PIN incorrect, and only few tries left |
1685 | * EUCLEAN → suitable PKCS#11 device found, but PIN incorrect, and only one try left | |
1686 | * EBUSY → file system is currently active | |
1687 | * ENOEXEC → file system is currently not active | |
1688 | * ENOSPC → not enough disk space for operation | |
cbffdcec | 1689 | * EKEYREVOKED → user record has not suitable hashed password or pkcs#11 entry, we cannot authenticate |
70a5db58 LP |
1690 | */ |
1691 | ||
1692 | if (streq(argv[1], "activate")) | |
1693 | r = home_activate(home, &new_home); | |
1694 | else if (streq(argv[1], "deactivate")) | |
1695 | r = home_deactivate(home, false); | |
1696 | else if (streq(argv[1], "deactivate-force")) | |
1697 | r = home_deactivate(home, true); | |
1698 | else if (streq(argv[1], "create")) | |
1699 | r = home_create(home, &new_home); | |
1700 | else if (streq(argv[1], "remove")) | |
1701 | r = home_remove(home); | |
1702 | else if (streq(argv[1], "update")) | |
1703 | r = home_update(home, &new_home); | |
1704 | else if (streq(argv[1], "resize")) | |
1705 | r = home_resize(home, &new_home); | |
1706 | else if (streq(argv[1], "passwd")) | |
1707 | r = home_passwd(home, &new_home); | |
1708 | else if (streq(argv[1], "inspect")) | |
1709 | r = home_inspect(home, &new_home); | |
1710 | else if (streq(argv[1], "lock")) | |
1711 | r = home_lock(home); | |
1712 | else if (streq(argv[1], "unlock")) | |
1713 | r = home_unlock(home); | |
1714 | else | |
1715 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb '%s'.", argv[1]); | |
87d7893c | 1716 | if (IN_SET(r, -ENOKEY, -EREMOTEIO) && !strv_isempty(home->password) ) { /* There were passwords specified but they were incorrect */ |
70a5db58 LP |
1717 | usec_t end, n, d; |
1718 | ||
1719 | /* Make sure bad password replies always take at least 3s, and if longer multiples of 3s, so | |
1720 | * that it's not clear how long we actually needed for our calculations. */ | |
1721 | n = now(CLOCK_MONOTONIC); | |
1722 | assert(n >= start); | |
1723 | ||
1724 | d = usec_sub_unsigned(n, start); | |
1725 | if (d > BAD_PASSWORD_DELAY_USEC) | |
1726 | end = start + DIV_ROUND_UP(d, BAD_PASSWORD_DELAY_USEC) * BAD_PASSWORD_DELAY_USEC; | |
1727 | else | |
1728 | end = start + BAD_PASSWORD_DELAY_USEC; | |
1729 | ||
1730 | if (n < end) | |
1731 | (void) usleep(usec_sub_unsigned(end, n)); | |
1732 | } | |
1733 | if (r < 0) | |
1734 | return r; | |
1735 | ||
1736 | /* We always pass the new record back, regardless if it changed or not. This allows our caller to | |
1737 | * prepare a fresh record, send to us, and only if it works use it without having to keep a local | |
1738 | * copy. */ | |
1739 | if (new_home) | |
1740 | json_variant_dump(new_home->json, JSON_FORMAT_NEWLINE, stdout, NULL); | |
1741 | ||
1742 | return 0; | |
1743 | } | |
1744 | ||
1745 | DEFINE_MAIN_FUNCTION(run); |