]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
70a5db58 LP |
2 | |
3 | #include <stddef.h> | |
4 | #include <sys/mount.h> | |
5 | ||
b25a930f | 6 | #include "blockdev-util.h" |
70a5db58 LP |
7 | #include "chown-recursive.h" |
8 | #include "copy.h" | |
9 | #include "fd-util.h" | |
10 | #include "fileio.h" | |
7c604e89 | 11 | #include "filesystems.h" |
1dfe5de0 | 12 | #include "fs-util.h" |
70a5db58 | 13 | #include "home-util.h" |
17ac40e4 | 14 | #include "homework-blob.h" |
70a5db58 LP |
15 | #include "homework-cifs.h" |
16 | #include "homework-directory.h" | |
7b78db28 | 17 | #include "homework-fido2.h" |
70a5db58 LP |
18 | #include "homework-fscrypt.h" |
19 | #include "homework-luks.h" | |
20 | #include "homework-mount.h" | |
21 | #include "homework-pkcs11.h" | |
22 | #include "homework.h" | |
0e98d17e | 23 | #include "libcrypt-util.h" |
70a5db58 LP |
24 | #include "main-func.h" |
25 | #include "memory-util.h" | |
26 | #include "missing_magic.h" | |
27 | #include "mount-util.h" | |
a4d72746 | 28 | #include "parse-util.h" |
70a5db58 | 29 | #include "path-util.h" |
73d874ba | 30 | #include "recovery-key.h" |
70a5db58 LP |
31 | #include "rm-rf.h" |
32 | #include "stat-util.h" | |
33 | #include "strv.h" | |
86019efa | 34 | #include "sync-util.h" |
70a5db58 LP |
35 | #include "tmpfile-util.h" |
36 | #include "user-util.h" | |
37 | #include "virt.h" | |
38 | ||
39 | /* Make sure a bad password always results in a 3s delay, no matter what */ | |
40 | #define BAD_PASSWORD_DELAY_USEC (3 * USEC_PER_SEC) | |
41 | ||
42 | int user_record_authenticate( | |
43 | UserRecord *h, | |
44 | UserRecord *secret, | |
7b78db28 | 45 | PasswordCache *cache, |
c8f145ad | 46 | bool strict_verify) { |
70a5db58 | 47 | |
17e7561a LP |
48 | bool need_password = false, need_recovery_key = false, need_token = false, need_pin = false, |
49 | need_protected_authentication_path_permitted = false, need_user_presence_permitted = false, | |
50 | need_user_verification_permitted = false, pin_locked = false, pin_incorrect = false, | |
51 | pin_incorrect_few_tries_left = false, pin_incorrect_one_try_left = false, token_action_timeout = false; | |
70a5db58 LP |
52 | int r; |
53 | ||
54 | assert(h); | |
55 | assert(secret); | |
56 | ||
57 | /* Tries to authenticate a user record with the supplied secrets. i.e. checks whether at least one | |
58 | * supplied plaintext passwords matches a hashed password field of the user record. Or if a | |
7b78db28 | 59 | * configured PKCS#11 or FIDO2 token is around and can unlock the record. |
70a5db58 | 60 | * |
7b78db28 LP |
61 | * Note that the 'cache' parameter is both an input and output parameter: it contains lists of |
62 | * configured, decrypted PKCS#11/FIDO2 passwords. We typically have to call this function multiple | |
63 | * times over the course of an operation (think: on login we authenticate the host user record, the | |
64 | * record embedded in the LUKS record and the one embedded in $HOME). Hence we keep a list of | |
65 | * passwords we already decrypted, so that we don't have to do the (slow and potentially interactive) | |
66 | * PKCS#11/FIDO2 dance for the relevant token again and again. */ | |
70a5db58 LP |
67 | |
68 | /* First, let's see if the supplied plain-text passwords work? */ | |
87d7893c LP |
69 | r = user_record_test_password(h, secret); |
70 | if (r == -ENOKEY) | |
70a5db58 | 71 | need_password = true; |
87d7893c | 72 | else if (r == -ENXIO) |
70a5db58 LP |
73 | log_debug_errno(r, "User record has no hashed passwords, plaintext passwords not tested."); |
74 | else if (r < 0) | |
75 | return log_error_errno(r, "Failed to validate password of record: %m"); | |
76 | else { | |
77 | log_info("Provided password unlocks user record."); | |
c8f145ad | 78 | return 1; |
70a5db58 LP |
79 | } |
80 | ||
87d7893c LP |
81 | /* Similar, but test against the recovery keys */ |
82 | r = user_record_test_recovery_key(h, secret); | |
83 | if (r == -ENOKEY) | |
84 | need_recovery_key = true; | |
85 | else if (r == -ENXIO) | |
86 | log_debug_errno(r, "User record has no recovery keys, plaintext passwords not tested against it."); | |
87 | else if (r < 0) | |
88 | return log_error_errno(r, "Failed to validate the recovery key of the record: %m"); | |
89 | else { | |
90 | log_info("Provided password is a recovery key that unlocks the user record."); | |
91 | return 1; | |
92 | } | |
93 | ||
94 | if (need_password && need_recovery_key) | |
95 | log_info("None of the supplied plaintext passwords unlock the user record's hashed passwords or recovery keys."); | |
96 | else if (need_password) | |
97 | log_info("None of the supplied plaintext passwords unlock the user record's hashed passwords."); | |
98 | else | |
99 | log_info("None of the supplied plaintext passwords unlock the user record's hashed recovery keys."); | |
100 | ||
7b78db28 | 101 | /* Second, test cached PKCS#11 passwords */ |
de010b0b | 102 | for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++) |
7b78db28 LP |
103 | STRV_FOREACH(pp, cache->pkcs11_passwords) { |
104 | r = test_password_one(h->pkcs11_encrypted_key[n].hashed_password, *pp); | |
70a5db58 LP |
105 | if (r < 0) |
106 | return log_error_errno(r, "Failed to check supplied PKCS#11 password: %m"); | |
107 | if (r > 0) { | |
108 | log_info("Previously acquired PKCS#11 password unlocks user record."); | |
c8f145ad | 109 | return 1; |
70a5db58 LP |
110 | } |
111 | } | |
7b78db28 LP |
112 | |
113 | /* Third, test cached FIDO2 passwords */ | |
de010b0b | 114 | for (size_t n = 0; n < h->n_fido2_hmac_salt; n++) |
7b78db28 LP |
115 | /* See if any of the previously calculated passwords work */ |
116 | STRV_FOREACH(pp, cache->fido2_passwords) { | |
117 | r = test_password_one(h->fido2_hmac_salt[n].hashed_password, *pp); | |
118 | if (r < 0) | |
119 | return log_error_errno(r, "Failed to check supplied FIDO2 password: %m"); | |
120 | if (r > 0) { | |
121 | log_info("Previously acquired FIDO2 password unlocks user record."); | |
e4961427 | 122 | return 1; |
7b78db28 LP |
123 | } |
124 | } | |
7b78db28 LP |
125 | |
126 | /* Fourth, let's see if any of the PKCS#11 security tokens are plugged in and help us */ | |
127 | for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++) { | |
128 | #if HAVE_P11KIT | |
129 | _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = { | |
130 | .user_record = h, | |
131 | .secret = secret, | |
132 | .encrypted_key = h->pkcs11_encrypted_key + n, | |
133 | }; | |
70a5db58 LP |
134 | |
135 | r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data); | |
136 | switch (r) { | |
137 | case -EAGAIN: | |
138 | need_token = true; | |
139 | break; | |
140 | case -ENOANO: | |
141 | need_pin = true; | |
142 | break; | |
143 | case -ERFKILL: | |
144 | need_protected_authentication_path_permitted = true; | |
145 | break; | |
146 | case -EOWNERDEAD: | |
147 | pin_locked = true; | |
148 | break; | |
149 | case -ENOLCK: | |
150 | pin_incorrect = true; | |
151 | break; | |
152 | case -ETOOMANYREFS: | |
153 | pin_incorrect = pin_incorrect_few_tries_left = true; | |
154 | break; | |
155 | case -EUCLEAN: | |
156 | pin_incorrect = pin_incorrect_few_tries_left = pin_incorrect_one_try_left = true; | |
157 | break; | |
158 | default: | |
159 | if (r < 0) | |
160 | return r; | |
161 | ||
162 | r = test_password_one(data.encrypted_key->hashed_password, data.decrypted_password); | |
163 | if (r < 0) | |
164 | return log_error_errno(r, "Failed to test PKCS#11 password: %m"); | |
165 | if (r == 0) | |
166 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured PKCS#11 security token %s does not decrypt encrypted key correctly.", data.encrypted_key->uri); | |
167 | ||
168 | log_info("Decrypted password from PKCS#11 security token %s unlocks user record.", data.encrypted_key->uri); | |
169 | ||
7b78db28 LP |
170 | r = strv_extend(&cache->pkcs11_passwords, data.decrypted_password); |
171 | if (r < 0) | |
172 | return log_oom(); | |
173 | ||
e4961427 | 174 | return 1; |
7b78db28 LP |
175 | } |
176 | #else | |
177 | need_token = true; | |
178 | break; | |
179 | #endif | |
180 | } | |
181 | ||
182 | /* Fifth, let's see if any of the FIDO2 security tokens are plugged in and help us */ | |
183 | for (size_t n = 0; n < h->n_fido2_hmac_salt; n++) { | |
184 | #if HAVE_LIBFIDO2 | |
185 | _cleanup_(erase_and_freep) char *decrypted_password = NULL; | |
186 | ||
187 | r = fido2_use_token(h, secret, h->fido2_hmac_salt + n, &decrypted_password); | |
188 | switch (r) { | |
189 | case -EAGAIN: | |
190 | need_token = true; | |
191 | break; | |
192 | case -ENOANO: | |
193 | need_pin = true; | |
194 | break; | |
195 | case -EOWNERDEAD: | |
196 | pin_locked = true; | |
197 | break; | |
198 | case -ENOLCK: | |
199 | pin_incorrect = true; | |
200 | break; | |
201 | case -EMEDIUMTYPE: | |
202 | need_user_presence_permitted = true; | |
203 | break; | |
17e7561a LP |
204 | case -ENOCSI: |
205 | need_user_verification_permitted = true; | |
206 | break; | |
7b78db28 LP |
207 | case -ENOSTR: |
208 | token_action_timeout = true; | |
209 | break; | |
210 | default: | |
211 | if (r < 0) | |
212 | return r; | |
213 | ||
214 | r = test_password_one(h->fido2_hmac_salt[n].hashed_password, decrypted_password); | |
215 | if (r < 0) | |
216 | return log_error_errno(r, "Failed to test FIDO2 password: %m"); | |
217 | if (r == 0) | |
218 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured FIDO2 security token does not decrypt encrypted key correctly."); | |
219 | ||
220 | log_info("Decrypted password from FIDO2 security token unlocks user record."); | |
221 | ||
222 | r = strv_extend(&cache->fido2_passwords, decrypted_password); | |
70a5db58 LP |
223 | if (r < 0) |
224 | return log_oom(); | |
225 | ||
c8f145ad | 226 | return 1; |
70a5db58 LP |
227 | } |
228 | #else | |
229 | need_token = true; | |
230 | break; | |
231 | #endif | |
232 | } | |
233 | ||
234 | /* Ordered by "relevance", i.e. the most "important" or "interesting" error condition is returned. */ | |
235 | if (pin_incorrect_one_try_left) | |
236 | return -EUCLEAN; | |
237 | if (pin_incorrect_few_tries_left) | |
238 | return -ETOOMANYREFS; | |
239 | if (pin_incorrect) | |
240 | return -ENOLCK; | |
241 | if (pin_locked) | |
242 | return -EOWNERDEAD; | |
7b78db28 LP |
243 | if (token_action_timeout) |
244 | return -ENOSTR; | |
70a5db58 LP |
245 | if (need_protected_authentication_path_permitted) |
246 | return -ERFKILL; | |
7b78db28 LP |
247 | if (need_user_presence_permitted) |
248 | return -EMEDIUMTYPE; | |
17e7561a LP |
249 | if (need_user_verification_permitted) |
250 | return -ENOCSI; | |
70a5db58 LP |
251 | if (need_pin) |
252 | return -ENOANO; | |
253 | if (need_token) | |
254 | return -EBADSLT; | |
255 | if (need_password) | |
256 | return -ENOKEY; | |
87d7893c LP |
257 | if (need_recovery_key) |
258 | return -EREMOTEIO; | |
70a5db58 | 259 | |
87d7893c LP |
260 | /* Hmm, this means neither PCKS#11/FIDO2 nor classic hashed passwords or recovery keys were supplied, |
261 | * we cannot authenticate this reasonably */ | |
c8f145ad LP |
262 | if (strict_verify) |
263 | return log_debug_errno(SYNTHETIC_ERRNO(EKEYREVOKED), | |
87d7893c | 264 | "No hashed passwords, no recovery keys and no PKCS#11/FIDO2 tokens defined, cannot authenticate user record, refusing."); |
c8f145ad LP |
265 | |
266 | /* If strict verification is off this means we are possibly in the case where we encountered an | |
267 | * unfixated record, i.e. a synthetic one that accordingly lacks any authentication data. In this | |
268 | * case, allow the authentication to pass for now, so that the second (or third) authentication level | |
269 | * (the ones of the user record in the LUKS header or inside the home directory) will then catch | |
270 | * invalid passwords. The second/third authentication always runs in strict verification mode. */ | |
87d7893c | 271 | log_debug("No hashed passwords, not recovery keys and no PKCS#11 tokens defined in record, cannot authenticate user record. " |
c8f145ad LP |
272 | "Deferring to embedded user record."); |
273 | return 0; | |
70a5db58 LP |
274 | } |
275 | ||
86019efa LP |
276 | static void drop_caches_now(void) { |
277 | int r; | |
278 | ||
0e685823 | 279 | /* Drop file system caches now. See https://docs.kernel.org/admin-guide/sysctl/vm.html |
2f8211c6 ZJS |
280 | * for details. We write "2" into /proc/sys/vm/drop_caches to ensure dentries/inodes are flushed, but |
281 | * not more. */ | |
86019efa LP |
282 | |
283 | r = write_string_file("/proc/sys/vm/drop_caches", "2\n", WRITE_STRING_FILE_DISABLE_BUFFER); | |
284 | if (r < 0) | |
285 | log_warning_errno(r, "Failed to drop caches, ignoring: %m"); | |
286 | else | |
287 | log_debug("Dropped caches."); | |
288 | } | |
289 | ||
55166094 LP |
290 | int home_setup_undo_mount(HomeSetup *setup, int level) { |
291 | int r; | |
292 | ||
293 | assert(setup); | |
294 | ||
295 | if (!setup->undo_mount) | |
296 | return 0; | |
297 | ||
1147c538 LP |
298 | r = umount_recursive(HOME_RUNTIME_WORK_DIR, 0); |
299 | if (r < 0) { | |
300 | if (level >= LOG_DEBUG) /* umount_recursive() does debug level logging anyway, no need to | |
301 | * repeat that here */ | |
302 | return r; | |
303 | ||
a6f44d61 | 304 | /* If a higher log level is requested, the generate a non-debug message here too. */ |
1147c538 LP |
305 | return log_full_errno(level, r, "Failed to unmount mount tree below %s: %m", HOME_RUNTIME_WORK_DIR); |
306 | } | |
55166094 LP |
307 | |
308 | setup->undo_mount = false; | |
309 | return 1; | |
310 | } | |
311 | ||
f7800049 LP |
312 | int home_setup_undo_dm(HomeSetup *setup, int level) { |
313 | int r, ret; | |
314 | ||
315 | assert(setup); | |
316 | ||
317 | if (setup->undo_dm) { | |
318 | assert(setup->crypt_device); | |
319 | assert(setup->dm_name); | |
320 | ||
321 | r = sym_crypt_deactivate_by_name(setup->crypt_device, setup->dm_name, 0); | |
322 | if (r < 0) | |
323 | return log_full_errno(level, r, "Failed to deactivate LUKS device: %m"); | |
324 | ||
491347bd LP |
325 | /* In case the device was already remove asynchronously by an early unmount via the deferred |
326 | * remove logic, let's wait for it */ | |
327 | (void) wait_for_block_device_gone(setup, USEC_PER_SEC * 30); | |
328 | ||
f7800049 LP |
329 | setup->undo_dm = false; |
330 | ret = 1; | |
331 | } else | |
332 | ret = 0; | |
333 | ||
334 | if (setup->crypt_device) { | |
335 | sym_crypt_free(setup->crypt_device); | |
336 | setup->crypt_device = NULL; | |
337 | } | |
338 | ||
339 | return ret; | |
340 | } | |
341 | ||
d26cdde3 LP |
342 | int keyring_unlink(key_serial_t k) { |
343 | ||
344 | if (k == -1) /* already invalidated? */ | |
345 | return -1; | |
346 | ||
347 | if (keyctl(KEYCTL_UNLINK, k, KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) | |
348 | log_debug_errno(errno, "Failed to unlink key from session kernel keyring, ignoring: %m"); | |
349 | ||
350 | return -1; /* Always return the key_serial_t value for "invalid" */ | |
351 | } | |
352 | ||
353 | static int keyring_flush(UserRecord *h) { | |
354 | _cleanup_free_ char *name = NULL; | |
355 | long serial; | |
356 | ||
357 | assert(h); | |
358 | ||
359 | name = strjoin("homework-user-", h->user_name); | |
360 | if (!name) | |
361 | return log_oom(); | |
362 | ||
363 | serial = keyctl(KEYCTL_SEARCH, (unsigned long) KEY_SPEC_SESSION_KEYRING, (unsigned long) "user", (unsigned long) name, 0); | |
364 | if (serial == -1) | |
365 | return log_debug_errno(errno, "Failed to find kernel keyring entry for user, ignoring: %m"); | |
366 | ||
367 | return keyring_unlink(serial); | |
368 | } | |
369 | ||
66aa51f8 | 370 | int home_setup_done(HomeSetup *setup) { |
70a5db58 LP |
371 | int r = 0, q; |
372 | ||
373 | assert(setup); | |
374 | ||
28a7f106 LP |
375 | if (setup->root_fd >= 0) { |
376 | if (setup->do_offline_fitrim) { | |
377 | q = run_fitrim(setup->root_fd); | |
378 | if (q < 0) | |
379 | r = q; | |
380 | } | |
381 | ||
86019efa LP |
382 | if (syncfs(setup->root_fd) < 0) |
383 | log_debug_errno(errno, "Failed to synchronize home directory, ignoring: %m"); | |
384 | ||
28a7f106 LP |
385 | setup->root_fd = safe_close(setup->root_fd); |
386 | } | |
70a5db58 | 387 | |
55166094 LP |
388 | q = home_setup_undo_mount(setup, LOG_DEBUG); |
389 | if (q < 0) | |
390 | r = q; | |
70a5db58 | 391 | |
f7800049 LP |
392 | q = home_setup_undo_dm(setup, LOG_DEBUG); |
393 | if (q < 0) | |
394 | r = q; | |
70a5db58 | 395 | |
28a7f106 LP |
396 | if (setup->image_fd >= 0) { |
397 | if (setup->do_offline_fallocate) { | |
398 | q = run_fallocate(setup->image_fd, NULL); | |
399 | if (q < 0) | |
400 | r = q; | |
401 | } | |
402 | ||
565ac8b1 LP |
403 | if (setup->do_mark_clean) { |
404 | q = run_mark_dirty(setup->image_fd, false); | |
405 | if (q < 0) | |
406 | r = q; | |
407 | } | |
408 | ||
28a7f106 LP |
409 | setup->image_fd = safe_close(setup->image_fd); |
410 | } | |
411 | ||
32dda527 LP |
412 | if (setup->temporary_image_path) { |
413 | if (unlink(setup->temporary_image_path) < 0) | |
414 | log_debug_errno(errno, "Failed to remove temporary image file '%s', ignoring: %m", | |
415 | setup->temporary_image_path); | |
416 | ||
417 | setup->temporary_image_path = mfree(setup->temporary_image_path); | |
418 | } | |
419 | ||
d26cdde3 LP |
420 | setup->key_serial = keyring_unlink(setup->key_serial); |
421 | ||
70a5db58 LP |
422 | setup->undo_mount = false; |
423 | setup->undo_dm = false; | |
28a7f106 LP |
424 | setup->do_offline_fitrim = false; |
425 | setup->do_offline_fallocate = false; | |
565ac8b1 | 426 | setup->do_mark_clean = false; |
70a5db58 LP |
427 | |
428 | setup->dm_name = mfree(setup->dm_name); | |
429 | setup->dm_node = mfree(setup->dm_node); | |
430 | ||
431 | setup->loop = loop_device_unref(setup->loop); | |
70a5db58 | 432 | |
fc4941d6 | 433 | setup->volume_key = erase_and_free(setup->volume_key); |
70a5db58 LP |
434 | setup->volume_key_size = 0; |
435 | ||
86019efa LP |
436 | if (setup->do_drop_caches) |
437 | drop_caches_now(); | |
438 | ||
bf15879b LP |
439 | setup->mount_suffix = mfree(setup->mount_suffix); |
440 | ||
70a5db58 LP |
441 | return r; |
442 | } | |
443 | ||
aa0a6214 | 444 | int home_setup( |
70a5db58 | 445 | UserRecord *h, |
e1df968b | 446 | HomeSetupFlags flags, |
70a5db58 | 447 | HomeSetup *setup, |
c00b2ddc | 448 | PasswordCache *cache, |
70a5db58 LP |
449 | UserRecord **ret_header_home) { |
450 | ||
451 | int r; | |
452 | ||
453 | assert(h); | |
454 | assert(setup); | |
455 | assert(!setup->loop); | |
456 | assert(!setup->crypt_device); | |
457 | assert(setup->root_fd < 0); | |
458 | assert(!setup->undo_dm); | |
459 | assert(!setup->undo_mount); | |
460 | ||
461 | /* Makes a home directory accessible (through the root_fd file descriptor, not by path!). */ | |
462 | ||
e1df968b | 463 | if (!FLAGS_SET(flags, HOME_SETUP_ALREADY_ACTIVATED)) /* If we set up the directory, we should also drop caches once we are done */ |
86019efa LP |
464 | setup->do_drop_caches = setup->do_drop_caches || user_record_drop_caches(h); |
465 | ||
70a5db58 LP |
466 | switch (user_record_storage(h)) { |
467 | ||
468 | case USER_LUKS: | |
c00b2ddc | 469 | return home_setup_luks(h, flags, NULL, setup, cache, ret_header_home); |
70a5db58 LP |
470 | |
471 | case USER_SUBVOLUME: | |
472 | case USER_DIRECTORY: | |
e1df968b | 473 | r = home_setup_directory(h, setup); |
70a5db58 LP |
474 | break; |
475 | ||
476 | case USER_FSCRYPT: | |
c00b2ddc | 477 | r = home_setup_fscrypt(h, setup, cache); |
70a5db58 LP |
478 | break; |
479 | ||
480 | case USER_CIFS: | |
e1df968b | 481 | r = home_setup_cifs(h, flags, setup); |
70a5db58 LP |
482 | break; |
483 | ||
484 | default: | |
485 | return log_error_errno(SYNTHETIC_ERRNO(ENOLINK), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
486 | } | |
487 | ||
488 | if (r < 0) | |
489 | return r; | |
490 | ||
491 | if (ret_header_home) | |
492 | *ret_header_home = NULL; | |
493 | ||
494 | return r; | |
495 | } | |
496 | ||
497 | int home_sync_and_statfs(int root_fd, struct statfs *ret) { | |
498 | assert(root_fd >= 0); | |
499 | ||
500 | /* Let's sync this to disk, so that the disk space reported by fstatfs() below is accurate (for file | |
501 | * systems such as btrfs where this is determined lazily). */ | |
502 | ||
503 | if (syncfs(root_fd) < 0) | |
504 | return log_error_errno(errno, "Failed to synchronize file system: %m"); | |
505 | ||
506 | if (ret) | |
507 | if (fstatfs(root_fd, ret) < 0) | |
508 | return log_error_errno(errno, "Failed to statfs() file system: %m"); | |
509 | ||
510 | log_info("Synchronized disk."); | |
511 | ||
512 | return 0; | |
513 | } | |
514 | ||
515 | static int read_identity_file(int root_fd, JsonVariant **ret) { | |
5d2a48da | 516 | _cleanup_fclose_ FILE *identity_file = NULL; |
254d1313 | 517 | _cleanup_close_ int identity_fd = -EBADF; |
70a5db58 LP |
518 | unsigned line, column; |
519 | int r; | |
520 | ||
521 | assert(root_fd >= 0); | |
522 | assert(ret); | |
523 | ||
524 | identity_fd = openat(root_fd, ".identity", O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK); | |
525 | if (identity_fd < 0) | |
526 | return log_error_errno(errno, "Failed to open .identity file in home directory: %m"); | |
527 | ||
528 | r = fd_verify_regular(identity_fd); | |
529 | if (r < 0) | |
530 | return log_error_errno(r, "Embedded identity file is not a regular file, refusing: %m"); | |
531 | ||
4fa744a3 | 532 | identity_file = take_fdopen(&identity_fd, "r"); |
70a5db58 LP |
533 | if (!identity_file) |
534 | return log_oom(); | |
535 | ||
70a5db58 LP |
536 | r = json_parse_file(identity_file, ".identity", JSON_PARSE_SENSITIVE, ret, &line, &column); |
537 | if (r < 0) | |
538 | return log_error_errno(r, "[.identity:%u:%u] Failed to parse JSON data: %m", line, column); | |
539 | ||
540 | log_info("Read embedded .identity file."); | |
541 | ||
542 | return 0; | |
543 | } | |
544 | ||
545 | static int write_identity_file(int root_fd, JsonVariant *v, uid_t uid) { | |
546 | _cleanup_(json_variant_unrefp) JsonVariant *normalized = NULL; | |
5d2a48da | 547 | _cleanup_fclose_ FILE *identity_file = NULL; |
254d1313 | 548 | _cleanup_close_ int identity_fd = -EBADF; |
70a5db58 LP |
549 | _cleanup_free_ char *fn = NULL; |
550 | int r; | |
551 | ||
552 | assert(root_fd >= 0); | |
553 | assert(v); | |
554 | ||
555 | normalized = json_variant_ref(v); | |
556 | ||
557 | r = json_variant_normalize(&normalized); | |
558 | if (r < 0) | |
559 | log_warning_errno(r, "Failed to normalize user record, ignoring: %m"); | |
560 | ||
561 | r = tempfn_random(".identity", NULL, &fn); | |
562 | if (r < 0) | |
563 | return r; | |
564 | ||
565 | identity_fd = openat(root_fd, fn, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600); | |
566 | if (identity_fd < 0) | |
567 | return log_error_errno(errno, "Failed to create .identity file in home directory: %m"); | |
568 | ||
4fa744a3 | 569 | identity_file = take_fdopen(&identity_fd, "w"); |
70a5db58 LP |
570 | if (!identity_file) { |
571 | r = log_oom(); | |
572 | goto fail; | |
573 | } | |
574 | ||
70a5db58 LP |
575 | json_variant_dump(normalized, JSON_FORMAT_PRETTY, identity_file, NULL); |
576 | ||
577 | r = fflush_and_check(identity_file); | |
578 | if (r < 0) { | |
579 | log_error_errno(r, "Failed to write .identity file: %m"); | |
580 | goto fail; | |
581 | } | |
582 | ||
583 | if (fchown(fileno(identity_file), uid, uid) < 0) { | |
b05f4495 | 584 | r = log_error_errno(errno, "Failed to change ownership of identity file: %m"); |
70a5db58 LP |
585 | goto fail; |
586 | } | |
587 | ||
588 | if (renameat(root_fd, fn, root_fd, ".identity") < 0) { | |
589 | r = log_error_errno(errno, "Failed to move identity file into place: %m"); | |
590 | goto fail; | |
591 | } | |
592 | ||
593 | log_info("Wrote embedded .identity file."); | |
594 | ||
595 | return 0; | |
596 | ||
597 | fail: | |
598 | (void) unlinkat(root_fd, fn, 0); | |
599 | return r; | |
600 | } | |
601 | ||
602 | int home_load_embedded_identity( | |
603 | UserRecord *h, | |
604 | int root_fd, | |
605 | UserRecord *header_home, | |
606 | UserReconcileMode mode, | |
7b78db28 | 607 | PasswordCache *cache, |
70a5db58 LP |
608 | UserRecord **ret_embedded_home, |
609 | UserRecord **ret_new_home) { | |
610 | ||
611 | _cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *intermediate_home = NULL, *new_home = NULL; | |
612 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
613 | int r; | |
614 | ||
615 | assert(h); | |
616 | assert(root_fd >= 0); | |
617 | ||
618 | r = read_identity_file(root_fd, &v); | |
619 | if (r < 0) | |
620 | return r; | |
621 | ||
622 | embedded_home = user_record_new(); | |
623 | if (!embedded_home) | |
624 | return log_oom(); | |
625 | ||
bfc0cc1a | 626 | r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED|USER_RECORD_PERMISSIVE); |
70a5db58 LP |
627 | if (r < 0) |
628 | return r; | |
629 | ||
630 | if (!user_record_compatible(h, embedded_home)) | |
80ace4f2 | 631 | return log_error_errno(SYNTHETIC_ERRNO(EREMCHG), "Embedded home record not compatible with host record, refusing."); |
70a5db58 LP |
632 | |
633 | /* Insist that credentials the user supplies also unlocks any embedded records. */ | |
7b78db28 | 634 | r = user_record_authenticate(embedded_home, h, cache, /* strict_verify= */ true); |
70a5db58 LP |
635 | if (r < 0) |
636 | return r; | |
c8f145ad | 637 | assert(r > 0); /* Insist that a password was verified */ |
70a5db58 LP |
638 | |
639 | /* At this point we have three records to deal with: | |
640 | * | |
641 | * · The record we got passed from the host | |
642 | * · The record included in the LUKS header (only if LUKS is used) | |
285ad523 | 643 | * · The record in the home directory itself (~/.identity) |
70a5db58 LP |
644 | * |
645 | * Now we have to reconcile all three, and let the newest one win. */ | |
646 | ||
647 | if (header_home) { | |
648 | /* Note we relax the requirements here. Instead of insisting that the host record is strictly | |
649 | * newer, let's also be OK if its equally new. If it is, we'll however insist that the | |
650 | * embedded record must be newer, so that we update at least one of the two. */ | |
651 | ||
652 | r = user_record_reconcile(h, header_home, mode == USER_RECONCILE_REQUIRE_NEWER ? USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL : mode, &intermediate_home); | |
653 | if (r == -EREMCHG) /* this was supposed to be checked earlier already, but let's check this again */ | |
654 | return log_error_errno(r, "Identity stored on host and in header don't match, refusing."); | |
655 | if (r == -ESTALE) | |
656 | return log_error_errno(r, "Embedded identity record is newer than supplied record, refusing."); | |
657 | if (r < 0) | |
658 | return log_error_errno(r, "Failed to reconcile host and header identities: %m"); | |
659 | if (r == USER_RECONCILE_EMBEDDED_WON) | |
660 | log_info("Reconciling header user identity completed (header version was newer)."); | |
661 | else if (r == USER_RECONCILE_HOST_WON) { | |
662 | log_info("Reconciling header user identity completed (host version was newer)."); | |
663 | ||
664 | if (mode == USER_RECONCILE_REQUIRE_NEWER) /* Host version is newer than the header | |
665 | * version, hence we'll update | |
666 | * something. This means we can relax the | |
667 | * requirements on the embedded | |
668 | * identity. */ | |
669 | mode = USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL; | |
670 | } else { | |
671 | assert(r == USER_RECONCILE_IDENTICAL); | |
672 | log_info("Reconciling user identities completed (host and header version were identical)."); | |
673 | } | |
674 | ||
675 | h = intermediate_home; | |
676 | } | |
677 | ||
678 | r = user_record_reconcile(h, embedded_home, mode, &new_home); | |
679 | if (r == -EREMCHG) | |
680 | return log_error_errno(r, "Identity stored on host and in home don't match, refusing."); | |
681 | if (r == -ESTALE) | |
682 | return log_error_errno(r, "Embedded identity record is equally new or newer than supplied record, refusing."); | |
683 | if (r < 0) | |
684 | return log_error_errno(r, "Failed to reconcile host and embedded identities: %m"); | |
685 | if (r == USER_RECONCILE_EMBEDDED_WON) | |
686 | log_info("Reconciling embedded user identity completed (embedded version was newer)."); | |
687 | else if (r == USER_RECONCILE_HOST_WON) | |
688 | log_info("Reconciling embedded user identity completed (host version was newer)."); | |
689 | else { | |
690 | assert(r == USER_RECONCILE_IDENTICAL); | |
691 | log_info("Reconciling embedded user identity completed (host and embedded version were identical)."); | |
692 | } | |
693 | ||
694 | if (ret_embedded_home) | |
695 | *ret_embedded_home = TAKE_PTR(embedded_home); | |
696 | ||
697 | if (ret_new_home) | |
698 | *ret_new_home = TAKE_PTR(new_home); | |
699 | ||
17ac40e4 | 700 | return r; /* We pass along who won the reconciliation */ |
70a5db58 LP |
701 | } |
702 | ||
285ad523 | 703 | int home_store_embedded_identity(UserRecord *h, int root_fd, UserRecord *old_home) { |
70a5db58 LP |
704 | _cleanup_(user_record_unrefp) UserRecord *embedded = NULL; |
705 | int r; | |
706 | ||
707 | assert(h); | |
708 | assert(root_fd >= 0); | |
70a5db58 | 709 | |
bfc0cc1a | 710 | r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED|USER_RECORD_PERMISSIVE, &embedded); |
70a5db58 LP |
711 | if (r < 0) |
712 | return log_error_errno(r, "Failed to determine new embedded record: %m"); | |
713 | ||
714 | if (old_home && user_record_equal(old_home, embedded)) { | |
715 | log_debug("Not updating embedded home record."); | |
716 | return 0; | |
717 | } | |
718 | ||
719 | /* The identity has changed, let's update it in the image */ | |
720 | r = write_identity_file(root_fd, embedded->json, h->uid); | |
721 | if (r < 0) | |
722 | return r; | |
723 | ||
724 | return 1; | |
725 | } | |
726 | ||
727 | static const char *file_system_type_fd(int fd) { | |
728 | struct statfs sfs; | |
729 | ||
730 | assert(fd >= 0); | |
731 | ||
732 | if (fstatfs(fd, &sfs) < 0) { | |
733 | log_debug_errno(errno, "Failed to statfs(): %m"); | |
734 | return NULL; | |
735 | } | |
736 | ||
7c604e89 | 737 | return fs_type_to_string(sfs.f_type); |
70a5db58 LP |
738 | } |
739 | ||
740 | int home_extend_embedded_identity(UserRecord *h, UserRecord *used, HomeSetup *setup) { | |
741 | int r; | |
742 | ||
743 | assert(h); | |
744 | assert(used); | |
745 | assert(setup); | |
746 | ||
747 | r = user_record_add_binding( | |
748 | h, | |
749 | user_record_storage(used), | |
750 | user_record_image_path(used), | |
751 | setup->found_partition_uuid, | |
752 | setup->found_luks_uuid, | |
753 | setup->found_fs_uuid, | |
71eceff6 LP |
754 | setup->crypt_device ? sym_crypt_get_cipher(setup->crypt_device) : NULL, |
755 | setup->crypt_device ? sym_crypt_get_cipher_mode(setup->crypt_device) : NULL, | |
70a5db58 LP |
756 | setup->crypt_device ? luks_volume_key_size_convert(setup->crypt_device) : UINT64_MAX, |
757 | file_system_type_fd(setup->root_fd), | |
758 | user_record_home_directory(used), | |
759 | used->uid, | |
760 | (gid_t) used->uid); | |
761 | if (r < 0) | |
762 | return log_error_errno(r, "Failed to update binding in record: %m"); | |
763 | ||
764 | return 0; | |
765 | } | |
766 | ||
767 | static int chown_recursive_directory(int root_fd, uid_t uid) { | |
768 | int r; | |
769 | ||
770 | assert(root_fd >= 0); | |
771 | assert(uid_is_valid(uid)); | |
772 | ||
773 | r = fd_chown_recursive(root_fd, uid, (gid_t) uid, 0777); | |
774 | if (r < 0) | |
775 | return log_error_errno(r, "Failed to change ownership of files and directories: %m"); | |
776 | if (r == 0) | |
777 | log_info("Recursive changing of ownership not necessary, skipped."); | |
778 | else | |
779 | log_info("Recursive changing of ownership completed."); | |
780 | ||
781 | return 0; | |
782 | } | |
783 | ||
cf5115f6 LP |
784 | int home_maybe_shift_uid( |
785 | UserRecord *h, | |
6f2c8136 | 786 | HomeSetupFlags flags, |
cf5115f6 LP |
787 | HomeSetup *setup) { |
788 | ||
254d1313 | 789 | _cleanup_close_ int mount_fd = -EBADF; |
cf5115f6 LP |
790 | struct stat st; |
791 | ||
792 | assert(h); | |
793 | assert(setup); | |
794 | assert(setup->root_fd >= 0); | |
795 | ||
6f2c8136 LP |
796 | /* If the home dir is already activated, then the UID shift is already applied. */ |
797 | if (FLAGS_SET(flags, HOME_SETUP_ALREADY_ACTIVATED)) | |
798 | return 0; | |
799 | ||
cf5115f6 LP |
800 | if (fstat(setup->root_fd, &st) < 0) |
801 | return log_error_errno(errno, "Failed to stat() home directory: %m"); | |
802 | ||
803 | /* Let's shift UIDs of this mount. Hopefully this makes the later chowning unnecessary. (Note that we | |
804 | * also prefer to do UID mapping even if the UID already matches our goal UID. That's because we want | |
805 | * to leave UIDs in the homed managed range unmapped.) */ | |
806 | (void) home_shift_uid(setup->root_fd, NULL, st.st_uid, h->uid, &mount_fd); | |
807 | ||
808 | /* If this worked, then we'll have a reference to the mount now, which we can also use like an O_PATH | |
809 | * fd to the new dir. Let's convert it into a proper O_DIRECTORY fd. */ | |
810 | if (mount_fd >= 0) { | |
811 | safe_close(setup->root_fd); | |
812 | ||
813 | setup->root_fd = fd_reopen(mount_fd, O_RDONLY|O_CLOEXEC|O_DIRECTORY); | |
814 | if (setup->root_fd < 0) | |
815 | return log_error_errno(setup->root_fd, "Failed to convert mount fd into regular directory fd: %m"); | |
816 | } | |
817 | ||
818 | return 0; | |
819 | } | |
820 | ||
70a5db58 LP |
821 | int home_refresh( |
822 | UserRecord *h, | |
6f2c8136 | 823 | HomeSetupFlags flags, |
70a5db58 LP |
824 | HomeSetup *setup, |
825 | UserRecord *header_home, | |
7b78db28 | 826 | PasswordCache *cache, |
70a5db58 LP |
827 | struct statfs *ret_statfs, |
828 | UserRecord **ret_new_home) { | |
829 | ||
830 | _cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *new_home = NULL; | |
17ac40e4 | 831 | int r, reconciled; |
70a5db58 LP |
832 | |
833 | assert(h); | |
834 | assert(setup); | |
835 | assert(ret_new_home); | |
836 | ||
837 | /* When activating a home directory, does the identity work: loads the identity from the $HOME | |
838 | * directory, reconciles it with our idea, chown()s everything. */ | |
839 | ||
17ac40e4 AV |
840 | reconciled = home_load_embedded_identity(h, setup->root_fd, header_home, USER_RECONCILE_ANY, cache, &embedded_home, &new_home); |
841 | if (reconciled < 0) | |
842 | return reconciled; | |
70a5db58 | 843 | |
6f2c8136 | 844 | r = home_maybe_shift_uid(h, flags, setup); |
cf5115f6 LP |
845 | if (r < 0) |
846 | return r; | |
847 | ||
70a5db58 LP |
848 | r = home_store_header_identity_luks(new_home, setup, header_home); |
849 | if (r < 0) | |
850 | return r; | |
851 | ||
285ad523 | 852 | r = home_store_embedded_identity(new_home, setup->root_fd, embedded_home); |
70a5db58 LP |
853 | if (r < 0) |
854 | return r; | |
855 | ||
17ac40e4 AV |
856 | r = home_reconcile_blob_dirs(new_home, setup->root_fd, reconciled); |
857 | if (r < 0) | |
858 | return r; | |
859 | ||
70a5db58 LP |
860 | r = chown_recursive_directory(setup->root_fd, h->uid); |
861 | if (r < 0) | |
862 | return r; | |
863 | ||
864 | r = home_sync_and_statfs(setup->root_fd, ret_statfs); | |
865 | if (r < 0) | |
866 | return r; | |
867 | ||
868 | *ret_new_home = TAKE_PTR(new_home); | |
869 | return 0; | |
870 | } | |
871 | ||
872 | static int home_activate(UserRecord *h, UserRecord **ret_home) { | |
a74e2e44 | 873 | _cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT; |
70a5db58 | 874 | _cleanup_(user_record_unrefp) UserRecord *new_home = NULL; |
a74e2e44 | 875 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
6f2c8136 | 876 | HomeSetupFlags flags = 0; |
70a5db58 LP |
877 | int r; |
878 | ||
879 | assert(h); | |
880 | ||
881 | if (!h->user_name) | |
882 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing."); | |
883 | if (!uid_is_valid(h->uid)) | |
884 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing."); | |
885 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
886 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Activating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
887 | ||
7b78db28 | 888 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ false); |
70a5db58 LP |
889 | if (r < 0) |
890 | return r; | |
891 | ||
892 | r = user_record_test_home_directory_and_warn(h); | |
893 | if (r < 0) | |
894 | return r; | |
895 | if (r == USER_TEST_MOUNTED) | |
896 | return log_error_errno(SYNTHETIC_ERRNO(EALREADY), "Home directory %s is already mounted, refusing.", user_record_home_directory(h)); | |
897 | ||
898 | r = user_record_test_image_path_and_warn(h); | |
899 | if (r < 0) | |
900 | return r; | |
901 | if (r == USER_TEST_ABSENT) | |
902 | return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Image path %s is missing, refusing.", user_record_image_path(h)); | |
903 | ||
904 | switch (user_record_storage(h)) { | |
905 | ||
906 | case USER_LUKS: | |
6f2c8136 | 907 | r = home_activate_luks(h, flags, &setup, &cache, &new_home); |
70a5db58 LP |
908 | if (r < 0) |
909 | return r; | |
910 | ||
911 | break; | |
912 | ||
913 | case USER_SUBVOLUME: | |
914 | case USER_DIRECTORY: | |
915 | case USER_FSCRYPT: | |
6f2c8136 | 916 | r = home_activate_directory(h, flags, &setup, &cache, &new_home); |
70a5db58 LP |
917 | if (r < 0) |
918 | return r; | |
919 | ||
920 | break; | |
921 | ||
922 | case USER_CIFS: | |
6f2c8136 | 923 | r = home_activate_cifs(h, flags, &setup, &cache, &new_home); |
70a5db58 LP |
924 | if (r < 0) |
925 | return r; | |
926 | ||
927 | break; | |
928 | ||
929 | default: | |
04499a70 | 930 | assert_not_reached(); |
70a5db58 LP |
931 | } |
932 | ||
933 | /* Note that the returned object might either be a reference to an updated version of the existing | |
934 | * home object, or a reference to a newly allocated home object. The caller has to be able to deal | |
935 | * with both, and consider the old object out-of-date. */ | |
936 | if (user_record_equal(h, new_home)) { | |
937 | *ret_home = NULL; | |
938 | return 0; /* no identity change */ | |
939 | } | |
940 | ||
941 | *ret_home = TAKE_PTR(new_home); | |
942 | return 1; /* identity updated */ | |
943 | } | |
944 | ||
945 | static int home_deactivate(UserRecord *h, bool force) { | |
fc032ae1 | 946 | _cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT; |
26191000 | 947 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
70a5db58 LP |
948 | bool done = false; |
949 | int r; | |
950 | ||
951 | assert(h); | |
952 | ||
953 | if (!h->user_name) | |
954 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing."); | |
955 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
956 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Deactivating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
957 | ||
958 | r = user_record_test_home_directory_and_warn(h); | |
959 | if (r < 0) | |
960 | return r; | |
961 | if (r == USER_TEST_MOUNTED) { | |
a71a0693 LP |
962 | /* Before we do anything, let's move the home mount away. */ |
963 | r = home_unshare_and_mkdir(); | |
964 | if (r < 0) | |
965 | return r; | |
28a7f106 | 966 | |
a71a0693 LP |
967 | r = mount_nofollow_verbose(LOG_ERR, user_record_home_directory(h), HOME_RUNTIME_WORK_DIR, NULL, MS_BIND, NULL); |
968 | if (r < 0) | |
969 | return r; | |
970 | ||
971 | setup.undo_mount = true; /* remember to unmount the new bind mount from HOME_RUNTIME_WORK_DIR */ | |
972 | ||
973 | /* Let's explicitly open the new root fs, using the moved path */ | |
974 | setup.root_fd = open(HOME_RUNTIME_WORK_DIR, O_RDONLY|O_DIRECTORY|O_CLOEXEC); | |
975 | if (setup.root_fd < 0) | |
976 | return log_error_errno(errno, "Failed to open moved home directory: %m"); | |
977 | ||
978 | /* Now get rid of the home at its original place (we only keep the bind mount we created above) */ | |
979 | r = umount_verbose(LOG_ERR, user_record_home_directory(h), UMOUNT_NOFOLLOW | (force ? MNT_FORCE|MNT_DETACH : 0)); | |
86019efa | 980 | if (r < 0) |
a71a0693 LP |
981 | return r; |
982 | ||
d26cdde3 LP |
983 | if (user_record_storage(h) == USER_LUKS) { |
984 | /* Automatically shrink on logout if that's enabled. To be able to shrink we need the | |
985 | * keys to the device. */ | |
986 | password_cache_load_keyring(h, &cache); | |
a71a0693 | 987 | (void) home_trim_luks(h, &setup); |
d26cdde3 | 988 | } |
a71a0693 LP |
989 | |
990 | /* Sync explicitly, so that the drop caches logic below can work as documented */ | |
991 | if (syncfs(setup.root_fd) < 0) | |
992 | log_debug_errno(errno, "Failed to synchronize home directory, ignoring: %m"); | |
86019efa LP |
993 | else |
994 | log_info("Syncing completed."); | |
995 | ||
26191000 LP |
996 | if (user_record_storage(h) == USER_LUKS) |
997 | (void) home_auto_shrink_luks(h, &setup, &cache); | |
998 | ||
a71a0693 LP |
999 | setup.root_fd = safe_close(setup.root_fd); |
1000 | ||
1001 | /* Now get rid of the bind mount, too */ | |
1002 | r = umount_verbose(LOG_ERR, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW | (force ? MNT_FORCE|MNT_DETACH : 0)); | |
1003 | if (r < 0) | |
1004 | return r; | |
1005 | ||
1006 | setup.undo_mount = false; /* Remember that the bind mount doesn't need to be unmounted anymore */ | |
1007 | ||
1008 | if (user_record_drop_caches(h)) | |
1009 | setup.do_drop_caches = true; | |
70a5db58 LP |
1010 | |
1011 | log_info("Unmounting completed."); | |
1012 | done = true; | |
1013 | } else | |
1014 | log_info("Directory %s is already unmounted.", user_record_home_directory(h)); | |
1015 | ||
1016 | if (user_record_storage(h) == USER_LUKS) { | |
fc032ae1 | 1017 | r = home_deactivate_luks(h, &setup); |
70a5db58 LP |
1018 | if (r < 0) |
1019 | return r; | |
1020 | if (r > 0) | |
1021 | done = true; | |
1022 | } | |
1023 | ||
d26cdde3 LP |
1024 | /* Explicitly flush any per-user key from the keyring */ |
1025 | (void) keyring_flush(h); | |
1026 | ||
70a5db58 LP |
1027 | if (!done) |
1028 | return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home is not active."); | |
1029 | ||
a71a0693 LP |
1030 | if (setup.do_drop_caches) { |
1031 | setup.do_drop_caches = false; | |
86019efa | 1032 | drop_caches_now(); |
a71a0693 | 1033 | } |
86019efa | 1034 | |
70a5db58 LP |
1035 | log_info("Everything completed."); |
1036 | return 0; | |
1037 | } | |
1038 | ||
1039 | static int copy_skel(int root_fd, const char *skel) { | |
1040 | int r; | |
1041 | ||
1042 | assert(root_fd >= 0); | |
1043 | ||
ad6fae7f | 1044 | r = copy_tree_at(AT_FDCWD, skel, root_fd, ".", UID_INVALID, GID_INVALID, COPY_MERGE|COPY_REPLACE, NULL, NULL); |
70a5db58 LP |
1045 | if (r == -ENOENT) { |
1046 | log_info("Skeleton directory %s missing, ignoring.", skel); | |
1047 | return 0; | |
1048 | } | |
1049 | if (r < 0) | |
1050 | return log_error_errno(r, "Failed to copy in %s: %m", skel); | |
1051 | ||
1052 | log_info("Copying in %s completed.", skel); | |
1053 | return 0; | |
1054 | } | |
1055 | ||
1056 | static int change_access_mode(int root_fd, mode_t m) { | |
1057 | assert(root_fd >= 0); | |
1058 | ||
1059 | if (fchmod(root_fd, m) < 0) | |
1060 | return log_error_errno(errno, "Failed to change access mode of top-level directory: %m"); | |
1061 | ||
1062 | log_info("Changed top-level directory access mode to 0%o.", m); | |
1063 | return 0; | |
1064 | } | |
1065 | ||
1066 | int home_populate(UserRecord *h, int dir_fd) { | |
1067 | int r; | |
1068 | ||
1069 | assert(h); | |
1070 | assert(dir_fd >= 0); | |
1071 | ||
1072 | r = copy_skel(dir_fd, user_record_skeleton_directory(h)); | |
1073 | if (r < 0) | |
1074 | return r; | |
1075 | ||
285ad523 | 1076 | r = home_store_embedded_identity(h, dir_fd, NULL); |
70a5db58 LP |
1077 | if (r < 0) |
1078 | return r; | |
1079 | ||
17ac40e4 AV |
1080 | r = home_reconcile_blob_dirs(h, dir_fd, USER_RECONCILE_HOST_WON); |
1081 | if (r < 0) | |
1082 | return r; | |
1083 | ||
70a5db58 LP |
1084 | r = chown_recursive_directory(dir_fd, h->uid); |
1085 | if (r < 0) | |
1086 | return r; | |
1087 | ||
1088 | r = change_access_mode(dir_fd, user_record_access_mode(h)); | |
1089 | if (r < 0) | |
1090 | return r; | |
1091 | ||
1092 | return 0; | |
1093 | } | |
1094 | ||
1095 | static int user_record_compile_effective_passwords( | |
1096 | UserRecord *h, | |
7b78db28 LP |
1097 | PasswordCache *cache, |
1098 | char ***ret_effective_passwords) { | |
70a5db58 | 1099 | |
5d2a48da | 1100 | _cleanup_strv_free_erase_ char **effective = NULL; |
70a5db58 | 1101 | size_t n; |
70a5db58 LP |
1102 | int r; |
1103 | ||
1104 | assert(h); | |
7b78db28 | 1105 | assert(cache); |
70a5db58 LP |
1106 | |
1107 | /* We insist on at least one classic hashed password to be defined in addition to any PKCS#11 one, as | |
1108 | * a safe fallback, but also to simplify the password changing algorithm: there we require providing | |
1109 | * the old literal password only (and do not care for the old PKCS#11 token) */ | |
1110 | ||
1111 | if (strv_isempty(h->hashed_password)) | |
d7a0f1f4 FS |
1112 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), |
1113 | "User record has no hashed passwords, refusing."); | |
70a5db58 LP |
1114 | |
1115 | /* Generates the list of plaintext passwords to propagate to LUKS/fscrypt devices, and checks whether | |
1116 | * we have a plaintext password for each hashed one. If we are missing one we'll fail, since we | |
1117 | * couldn't sync fscrypt/LUKS to the login account properly. */ | |
1118 | ||
1119 | STRV_FOREACH(i, h->hashed_password) { | |
1120 | bool found = false; | |
70a5db58 LP |
1121 | |
1122 | log_debug("Looking for plaintext password for: %s", *i); | |
1123 | ||
1124 | /* Let's scan all provided plaintext passwords */ | |
1125 | STRV_FOREACH(j, h->password) { | |
1126 | r = test_password_one(*i, *j); | |
1127 | if (r < 0) | |
87d7893c | 1128 | return log_error_errno(r, "Failed to test plaintext password: %m"); |
70a5db58 LP |
1129 | if (r > 0) { |
1130 | if (ret_effective_passwords) { | |
1131 | r = strv_extend(&effective, *j); | |
1132 | if (r < 0) | |
1133 | return log_oom(); | |
1134 | } | |
1135 | ||
1136 | log_debug("Found literal plaintext password."); | |
1137 | found = true; | |
1138 | break; | |
1139 | } | |
1140 | } | |
1141 | ||
1142 | if (!found) | |
1143 | return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), "Missing plaintext password for defined hashed password"); | |
1144 | } | |
1145 | ||
87d7893c LP |
1146 | for (n = 0; n < h->n_recovery_key; n++) { |
1147 | bool found = false; | |
87d7893c LP |
1148 | |
1149 | log_debug("Looking for plaintext recovery key for: %s", h->recovery_key[n].hashed_password); | |
1150 | ||
1151 | STRV_FOREACH(j, h->password) { | |
1152 | _cleanup_(erase_and_freep) char *mangled = NULL; | |
1153 | const char *p; | |
1154 | ||
1155 | if (streq(h->recovery_key[n].type, "modhex64")) { | |
1156 | ||
1157 | r = normalize_recovery_key(*j, &mangled); | |
1158 | if (r == -EINVAL) /* Not properly formatted, probably a regular password. */ | |
1159 | continue; | |
1160 | if (r < 0) | |
1161 | return log_error_errno(r, "Failed to normalize recovery key: %m"); | |
1162 | ||
1163 | p = mangled; | |
1164 | } else | |
1165 | p = *j; | |
1166 | ||
1167 | r = test_password_one(h->recovery_key[n].hashed_password, p); | |
1168 | if (r < 0) | |
1169 | return log_error_errno(r, "Failed to test plaintext recovery key: %m"); | |
1170 | if (r > 0) { | |
1171 | if (ret_effective_passwords) { | |
1172 | r = strv_extend(&effective, p); | |
1173 | if (r < 0) | |
1174 | return log_oom(); | |
1175 | } | |
1176 | ||
1177 | log_debug("Found plaintext recovery key."); | |
1178 | found = true; | |
1179 | break; | |
1180 | } | |
1181 | } | |
1182 | ||
1183 | if (!found) | |
1184 | return log_error_errno(SYNTHETIC_ERRNO(EREMOTEIO), "Missing plaintext recovery key for defined recovery key"); | |
1185 | } | |
1186 | ||
70a5db58 LP |
1187 | for (n = 0; n < h->n_pkcs11_encrypted_key; n++) { |
1188 | #if HAVE_P11KIT | |
1189 | _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = { | |
1190 | .user_record = h, | |
1191 | .secret = h, | |
1192 | .encrypted_key = h->pkcs11_encrypted_key + n, | |
1193 | }; | |
1194 | ||
1195 | r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data); | |
1196 | if (r == -EAGAIN) | |
1197 | return -EBADSLT; | |
1198 | if (r < 0) | |
1199 | return r; | |
1200 | ||
1201 | r = test_password_one(data.encrypted_key->hashed_password, data.decrypted_password); | |
1202 | if (r < 0) | |
1203 | return log_error_errno(r, "Failed to test PKCS#11 password: %m"); | |
1204 | if (r == 0) | |
1205 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Decrypted password from token is not correct, refusing."); | |
1206 | ||
1207 | if (ret_effective_passwords) { | |
1208 | r = strv_extend(&effective, data.decrypted_password); | |
1209 | if (r < 0) | |
1210 | return log_oom(); | |
1211 | } | |
1212 | ||
7b78db28 LP |
1213 | r = strv_extend(&cache->pkcs11_passwords, data.decrypted_password); |
1214 | if (r < 0) | |
1215 | return log_oom(); | |
1216 | #else | |
1217 | return -EBADSLT; | |
1218 | #endif | |
1219 | } | |
1220 | ||
1221 | for (n = 0; n < h->n_fido2_hmac_salt; n++) { | |
1222 | #if HAVE_LIBFIDO2 | |
1223 | _cleanup_(erase_and_freep) char *decrypted_password = NULL; | |
1224 | ||
1225 | r = fido2_use_token(h, h, h->fido2_hmac_salt + n, &decrypted_password); | |
1226 | if (r < 0) | |
1227 | return r; | |
1228 | ||
1229 | r = test_password_one(h->fido2_hmac_salt[n].hashed_password, decrypted_password); | |
1230 | if (r < 0) | |
1231 | return log_error_errno(r, "Failed to test FIDO2 password: %m"); | |
1232 | if (r == 0) | |
1233 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Decrypted password from token is not correct, refusing."); | |
1234 | ||
1235 | if (ret_effective_passwords) { | |
1236 | r = strv_extend(&effective, decrypted_password); | |
70a5db58 LP |
1237 | if (r < 0) |
1238 | return log_oom(); | |
1239 | } | |
7b78db28 LP |
1240 | |
1241 | r = strv_extend(&cache->fido2_passwords, decrypted_password); | |
1242 | if (r < 0) | |
1243 | return log_oom(); | |
70a5db58 LP |
1244 | #else |
1245 | return -EBADSLT; | |
1246 | #endif | |
1247 | } | |
1248 | ||
1249 | if (ret_effective_passwords) | |
1250 | *ret_effective_passwords = TAKE_PTR(effective); | |
70a5db58 LP |
1251 | |
1252 | return 0; | |
1253 | } | |
1254 | ||
1dfe5de0 LP |
1255 | static int determine_default_storage(UserStorage *ret) { |
1256 | UserStorage storage = _USER_STORAGE_INVALID; | |
1257 | const char *e; | |
1258 | int r; | |
1259 | ||
1260 | assert(ret); | |
1261 | ||
1262 | /* homed tells us via an environment variable which default storage to use */ | |
1263 | e = getenv("SYSTEMD_HOME_DEFAULT_STORAGE"); | |
1264 | if (e) { | |
1265 | storage = user_storage_from_string(e); | |
1266 | if (storage < 0) | |
1267 | log_warning("$SYSTEMD_HOME_DEFAULT_STORAGE set to invalid storage type, ignoring: %s", e); | |
1268 | else { | |
1269 | log_info("Using configured default storage '%s'.", user_storage_to_string(storage)); | |
1270 | *ret = storage; | |
1271 | return 0; | |
1272 | } | |
1273 | } | |
1274 | ||
1275 | /* When neither user nor admin specified the storage type to use, fix it to be LUKS — unless we run | |
1276 | * in a container where loopback devices and LUKS/DM are not available. Also, if /home is encrypted | |
1277 | * anyway, let's avoid duplicate encryption. Note that we typically default to the assumption of | |
1278 | * "classic" storage for most operations. However, if we create a new home, then let's user LUKS if | |
1279 | * nothing is specified. */ | |
1280 | ||
1281 | r = detect_container(); | |
1282 | if (r < 0) | |
1283 | return log_error_errno(r, "Failed to determine whether we are in a container: %m"); | |
1284 | if (r == 0) { | |
2700fecd | 1285 | r = path_is_encrypted(get_home_root()); |
0608e2d3 | 1286 | if (r > 0) |
2700fecd | 1287 | log_info("%s is encrypted, not using '%s' storage, in order to avoid double encryption.", get_home_root(), user_storage_to_string(USER_LUKS)); |
0608e2d3 LP |
1288 | else { |
1289 | if (r < 0) | |
2700fecd | 1290 | log_warning_errno(r, "Failed to determine if %s is encrypted, ignoring: %m", get_home_root()); |
1dfe5de0 | 1291 | |
0608e2d3 LP |
1292 | r = dlopen_cryptsetup(); |
1293 | if (r < 0) | |
1294 | log_info("Not using '%s' storage, since libcryptsetup could not be loaded.", user_storage_to_string(USER_LUKS)); | |
1295 | else { | |
1296 | log_info("Using automatic default storage of '%s'.", user_storage_to_string(USER_LUKS)); | |
1297 | *ret = USER_LUKS; | |
1298 | return 0; | |
1299 | } | |
1300 | } | |
1dfe5de0 LP |
1301 | } else |
1302 | log_info("Running in container, not using '%s' storage.", user_storage_to_string(USER_LUKS)); | |
1303 | ||
2700fecd | 1304 | r = path_is_fs_type(get_home_root(), BTRFS_SUPER_MAGIC); |
1dfe5de0 | 1305 | if (r < 0) |
2700fecd | 1306 | log_warning_errno(r, "Failed to determine file system of %s, ignoring: %m", get_home_root()); |
1dfe5de0 | 1307 | if (r > 0) { |
2700fecd | 1308 | log_info("%s is on btrfs, using '%s' as storage.", get_home_root(), user_storage_to_string(USER_SUBVOLUME)); |
1dfe5de0 LP |
1309 | *ret = USER_SUBVOLUME; |
1310 | } else { | |
2700fecd | 1311 | log_info("%s is on simple file system, using '%s' as storage.", get_home_root(), user_storage_to_string(USER_DIRECTORY)); |
1dfe5de0 LP |
1312 | *ret = USER_DIRECTORY; |
1313 | } | |
1314 | ||
1315 | return 0; | |
1316 | } | |
1317 | ||
a4d72746 | 1318 | static int home_create(UserRecord *h, Hashmap *blobs, UserRecord **ret_home) { |
5d2a48da | 1319 | _cleanup_strv_free_erase_ char **effective_passwords = NULL; |
a74e2e44 | 1320 | _cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT; |
70a5db58 | 1321 | _cleanup_(user_record_unrefp) UserRecord *new_home = NULL; |
7b78db28 | 1322 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
1dfe5de0 LP |
1323 | UserStorage new_storage = _USER_STORAGE_INVALID; |
1324 | const char *new_fs = NULL; | |
70a5db58 LP |
1325 | int r; |
1326 | ||
1327 | assert(h); | |
1328 | ||
1329 | if (!h->user_name) | |
1330 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks name, refusing."); | |
1331 | if (!uid_is_valid(h->uid)) | |
1332 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing."); | |
1333 | ||
7b78db28 | 1334 | r = user_record_compile_effective_passwords(h, &cache, &effective_passwords); |
70a5db58 LP |
1335 | if (r < 0) |
1336 | return r; | |
1337 | ||
1338 | r = user_record_test_home_directory_and_warn(h); | |
1339 | if (r < 0) | |
1340 | return r; | |
1341 | if (r != USER_TEST_ABSENT) | |
1342 | return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Home directory %s already exists, refusing.", user_record_home_directory(h)); | |
1343 | ||
70a5db58 | 1344 | if (h->storage < 0) { |
1dfe5de0 | 1345 | r = determine_default_storage(&new_storage); |
70a5db58 | 1346 | if (r < 0) |
1dfe5de0 LP |
1347 | return r; |
1348 | } | |
70a5db58 | 1349 | |
1dfe5de0 LP |
1350 | if ((h->storage == USER_LUKS || |
1351 | (h->storage < 0 && new_storage == USER_LUKS)) && | |
1352 | !h->file_system_type) | |
1353 | new_fs = getenv("SYSTEMD_HOME_DEFAULT_FILE_SYSTEM_TYPE"); | |
70a5db58 | 1354 | |
1dfe5de0 | 1355 | if (new_storage >= 0 || new_fs) { |
70a5db58 LP |
1356 | r = user_record_add_binding( |
1357 | h, | |
1358 | new_storage, | |
1359 | NULL, | |
1360 | SD_ID128_NULL, | |
1361 | SD_ID128_NULL, | |
1362 | SD_ID128_NULL, | |
1363 | NULL, | |
1364 | NULL, | |
1365 | UINT64_MAX, | |
1dfe5de0 | 1366 | new_fs, |
70a5db58 LP |
1367 | NULL, |
1368 | UID_INVALID, | |
1369 | GID_INVALID); | |
1370 | if (r < 0) | |
1371 | return log_error_errno(r, "Failed to change storage type to LUKS: %m"); | |
70a5db58 LP |
1372 | } |
1373 | ||
1374 | r = user_record_test_image_path_and_warn(h); | |
1375 | if (r < 0) | |
1376 | return r; | |
1377 | if (!IN_SET(r, USER_TEST_ABSENT, USER_TEST_UNDEFINED, USER_TEST_MAYBE)) | |
1378 | return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Image path %s already exists, refusing.", user_record_image_path(h)); | |
1379 | ||
a4d72746 AV |
1380 | r = home_apply_new_blob_dir(h, blobs); |
1381 | if (r < 0) | |
1382 | return r; | |
1383 | ||
70a5db58 LP |
1384 | switch (user_record_storage(h)) { |
1385 | ||
1386 | case USER_LUKS: | |
bc5890c6 | 1387 | r = home_create_luks(h, &setup, &cache, effective_passwords, &new_home); |
70a5db58 LP |
1388 | break; |
1389 | ||
1390 | case USER_DIRECTORY: | |
1391 | case USER_SUBVOLUME: | |
e1aeaf27 | 1392 | r = home_create_directory_or_subvolume(h, &setup, &new_home); |
70a5db58 LP |
1393 | break; |
1394 | ||
1395 | case USER_FSCRYPT: | |
655807f5 | 1396 | r = home_create_fscrypt(h, &setup, effective_passwords, &new_home); |
70a5db58 LP |
1397 | break; |
1398 | ||
1399 | case USER_CIFS: | |
a74e2e44 | 1400 | r = home_create_cifs(h, &setup, &new_home); |
70a5db58 LP |
1401 | break; |
1402 | ||
1403 | default: | |
1404 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), | |
1405 | "Creating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1406 | } | |
1407 | if (r < 0) | |
1408 | return r; | |
1409 | ||
1410 | if (user_record_equal(h, new_home)) { | |
1411 | *ret_home = NULL; | |
1412 | return 0; | |
1413 | } | |
1414 | ||
1415 | *ret_home = TAKE_PTR(new_home); | |
1416 | return 1; | |
1417 | } | |
1418 | ||
1419 | static int home_remove(UserRecord *h) { | |
1420 | bool deleted = false; | |
1421 | const char *ip, *hd; | |
1422 | int r; | |
1423 | ||
1424 | assert(h); | |
1425 | ||
1426 | if (!h->user_name) | |
1427 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing."); | |
1428 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
1429 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Removing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1430 | ||
1431 | hd = user_record_home_directory(h); | |
1432 | ||
1433 | r = user_record_test_home_directory_and_warn(h); | |
1434 | if (r < 0) | |
1435 | return r; | |
1436 | if (r == USER_TEST_MOUNTED) | |
1437 | return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Directory %s is still mounted, refusing.", hd); | |
1438 | ||
1439 | assert(hd); | |
1440 | ||
1441 | r = user_record_test_image_path_and_warn(h); | |
1442 | if (r < 0) | |
1443 | return r; | |
1444 | ||
1445 | ip = user_record_image_path(h); | |
1446 | ||
1447 | switch (user_record_storage(h)) { | |
1448 | ||
1449 | case USER_LUKS: { | |
1450 | struct stat st; | |
1451 | ||
1452 | assert(ip); | |
1453 | ||
1454 | if (stat(ip, &st) < 0) { | |
6b8664cb | 1455 | if (errno != ENOENT) |
80ace4f2 | 1456 | return log_error_errno(errno, "Failed to stat() %s: %m", ip); |
70a5db58 LP |
1457 | |
1458 | } else { | |
1459 | if (S_ISREG(st.st_mode)) { | |
1460 | if (unlink(ip) < 0) { | |
1461 | if (errno != ENOENT) | |
1462 | return log_error_errno(errno, "Failed to remove %s: %m", ip); | |
86019efa LP |
1463 | } else { |
1464 | _cleanup_free_ char *parent = NULL; | |
1465 | ||
70a5db58 LP |
1466 | deleted = true; |
1467 | ||
86019efa LP |
1468 | r = path_extract_directory(ip, &parent); |
1469 | if (r < 0) | |
1470 | log_debug_errno(r, "Failed to determine parent directory of '%s': %m", ip); | |
1471 | else { | |
1472 | r = fsync_path_at(AT_FDCWD, parent); | |
1473 | if (r < 0) | |
1474 | log_debug_errno(r, "Failed to synchronize disk after deleting '%s', ignoring: %m", ip); | |
1475 | } | |
1476 | } | |
1477 | ||
70a5db58 LP |
1478 | } else if (S_ISBLK(st.st_mode)) |
1479 | log_info("Not removing file system on block device %s.", ip); | |
1480 | else | |
1481 | return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK), "Image file %s is neither block device, nor regular, refusing removal.", ip); | |
1482 | } | |
1483 | ||
1484 | break; | |
1485 | } | |
1486 | ||
1487 | case USER_SUBVOLUME: | |
1488 | case USER_DIRECTORY: | |
1489 | case USER_FSCRYPT: | |
1490 | assert(ip); | |
1491 | ||
86019efa | 1492 | r = rm_rf(ip, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME|REMOVE_SYNCFS); |
70a5db58 LP |
1493 | if (r < 0) { |
1494 | if (r != -ENOENT) | |
1495 | return log_warning_errno(r, "Failed to remove %s: %m", ip); | |
1496 | } else | |
1497 | deleted = true; | |
1498 | ||
1499 | /* If the image path and the home directory are the same invalidate the home directory, so | |
1500 | * that we don't remove it anymore */ | |
1501 | if (path_equal(ip, hd)) | |
1502 | hd = NULL; | |
1503 | ||
1504 | break; | |
1505 | ||
1506 | case USER_CIFS: | |
1507 | /* Nothing else to do here: we won't remove remote stuff. */ | |
1508 | log_info("Not removing home directory on remote server."); | |
1509 | break; | |
1510 | ||
1511 | default: | |
04499a70 | 1512 | assert_not_reached(); |
70a5db58 LP |
1513 | } |
1514 | ||
1515 | if (hd) { | |
1516 | if (rmdir(hd) < 0) { | |
1517 | if (errno != ENOENT) | |
1518 | return log_error_errno(errno, "Failed to remove %s, ignoring: %m", hd); | |
1519 | } else | |
1520 | deleted = true; | |
1521 | } | |
1522 | ||
86019efa LP |
1523 | if (deleted) { |
1524 | if (user_record_drop_caches(h)) | |
1525 | drop_caches_now(); | |
1526 | ||
70a5db58 | 1527 | log_info("Everything completed."); |
86019efa | 1528 | } else |
e4ff0393 FS |
1529 | return log_notice_errno(SYNTHETIC_ERRNO(EALREADY), |
1530 | "Nothing to remove."); | |
70a5db58 LP |
1531 | |
1532 | return 0; | |
1533 | } | |
1534 | ||
e1df968b | 1535 | static int home_validate_update(UserRecord *h, HomeSetup *setup, HomeSetupFlags *flags) { |
70a5db58 LP |
1536 | bool has_mount = false; |
1537 | int r; | |
1538 | ||
1539 | assert(h); | |
1540 | assert(setup); | |
1541 | ||
1542 | if (!h->user_name) | |
1543 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing."); | |
1544 | if (!uid_is_valid(h->uid)) | |
1545 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing."); | |
1546 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
1547 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1548 | ||
1549 | r = user_record_test_home_directory_and_warn(h); | |
1550 | if (r < 0) | |
1551 | return r; | |
1552 | ||
1553 | has_mount = r == USER_TEST_MOUNTED; | |
1554 | ||
1555 | r = user_record_test_image_path_and_warn(h); | |
1556 | if (r < 0) | |
1557 | return r; | |
1558 | if (r == USER_TEST_ABSENT) | |
1559 | return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Image path %s does not exist", user_record_image_path(h)); | |
1560 | ||
1561 | switch (user_record_storage(h)) { | |
1562 | ||
1563 | case USER_DIRECTORY: | |
1564 | case USER_SUBVOLUME: | |
1565 | case USER_FSCRYPT: | |
1566 | case USER_CIFS: | |
1567 | break; | |
1568 | ||
1569 | case USER_LUKS: { | |
e1ab6635 | 1570 | r = home_get_state_luks(h, setup); |
70a5db58 LP |
1571 | if (r < 0) |
1572 | return r; | |
1573 | if ((r > 0) != has_mount) | |
1574 | return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Home mount incompletely set up."); | |
1575 | ||
1576 | break; | |
1577 | } | |
1578 | ||
1579 | default: | |
04499a70 | 1580 | assert_not_reached(); |
70a5db58 LP |
1581 | } |
1582 | ||
e1df968b LP |
1583 | if (flags) |
1584 | SET_FLAG(*flags, HOME_SETUP_ALREADY_ACTIVATED, has_mount); | |
1585 | ||
70a5db58 LP |
1586 | return has_mount; /* return true if the home record is already active */ |
1587 | } | |
1588 | ||
a4d72746 | 1589 | static int home_update(UserRecord *h, Hashmap *blobs, UserRecord **ret) { |
70a5db58 | 1590 | _cleanup_(user_record_unrefp) UserRecord *new_home = NULL, *header_home = NULL, *embedded_home = NULL; |
66aa51f8 | 1591 | _cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT; |
7b78db28 | 1592 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
e1df968b | 1593 | HomeSetupFlags flags = 0; |
70a5db58 LP |
1594 | int r; |
1595 | ||
1596 | assert(h); | |
1597 | assert(ret); | |
1598 | ||
7b78db28 | 1599 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ true); |
70a5db58 LP |
1600 | if (r < 0) |
1601 | return r; | |
c8f145ad | 1602 | assert(r > 0); /* Insist that a password was verified */ |
70a5db58 | 1603 | |
e1df968b | 1604 | r = home_validate_update(h, &setup, &flags); |
70a5db58 LP |
1605 | if (r < 0) |
1606 | return r; | |
1607 | ||
a4d72746 AV |
1608 | r = home_apply_new_blob_dir(h, blobs); |
1609 | if (r < 0) | |
1610 | return r; | |
1611 | ||
c00b2ddc | 1612 | r = home_setup(h, flags, &setup, &cache, &header_home); |
70a5db58 LP |
1613 | if (r < 0) |
1614 | return r; | |
1615 | ||
7b78db28 | 1616 | r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_REQUIRE_NEWER, &cache, &embedded_home, &new_home); |
70a5db58 LP |
1617 | if (r < 0) |
1618 | return r; | |
1619 | ||
a8be0984 LP |
1620 | r = home_maybe_shift_uid(h, flags, &setup); |
1621 | if (r < 0) | |
1622 | return r; | |
1623 | ||
70a5db58 LP |
1624 | r = home_store_header_identity_luks(new_home, &setup, header_home); |
1625 | if (r < 0) | |
1626 | return r; | |
1627 | ||
285ad523 | 1628 | r = home_store_embedded_identity(new_home, setup.root_fd, embedded_home); |
70a5db58 LP |
1629 | if (r < 0) |
1630 | return r; | |
1631 | ||
17ac40e4 AV |
1632 | r = home_reconcile_blob_dirs(new_home, setup.root_fd, USER_RECONCILE_HOST_WON); |
1633 | if (r < 0) | |
1634 | return r; | |
1635 | ||
70a5db58 LP |
1636 | r = home_extend_embedded_identity(new_home, h, &setup); |
1637 | if (r < 0) | |
1638 | return r; | |
1639 | ||
1640 | r = home_sync_and_statfs(setup.root_fd, NULL); | |
1641 | if (r < 0) | |
1642 | return r; | |
1643 | ||
66aa51f8 | 1644 | r = home_setup_done(&setup); |
70a5db58 LP |
1645 | if (r < 0) |
1646 | return r; | |
1647 | ||
1648 | log_info("Everything completed."); | |
1649 | ||
1650 | *ret = TAKE_PTR(new_home); | |
1651 | return 0; | |
1652 | } | |
1653 | ||
d357b80d | 1654 | static int home_resize(UserRecord *h, bool automatic, UserRecord **ret) { |
66aa51f8 | 1655 | _cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT; |
7b78db28 | 1656 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
e1df968b | 1657 | HomeSetupFlags flags = 0; |
70a5db58 LP |
1658 | int r; |
1659 | ||
1660 | assert(h); | |
1661 | assert(ret); | |
1662 | ||
1663 | if (h->disk_size == UINT64_MAX) | |
1664 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No target size specified, refusing."); | |
1665 | ||
d357b80d LP |
1666 | if (automatic) |
1667 | /* In automatic mode don't want to ask the user for the password, hence load it from the kernel keyring */ | |
1668 | password_cache_load_keyring(h, &cache); | |
1669 | else { | |
1670 | /* In manual mode let's ensure the user is fully authenticated */ | |
1671 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ true); | |
1672 | if (r < 0) | |
1673 | return r; | |
1674 | assert(r > 0); /* Insist that a password was verified */ | |
1675 | } | |
70a5db58 | 1676 | |
e1df968b | 1677 | r = home_validate_update(h, &setup, &flags); |
70a5db58 LP |
1678 | if (r < 0) |
1679 | return r; | |
1680 | ||
d357b80d LP |
1681 | /* In automatic mode let's skip syncing identities, because we can't validate them, since we can't |
1682 | * ask the user for reauthentication */ | |
1683 | if (automatic) | |
1684 | flags |= HOME_SETUP_RESIZE_DONT_SYNC_IDENTITIES; | |
1685 | ||
70a5db58 LP |
1686 | switch (user_record_storage(h)) { |
1687 | ||
1688 | case USER_LUKS: | |
c00b2ddc | 1689 | return home_resize_luks(h, flags, &setup, &cache, ret); |
70a5db58 LP |
1690 | |
1691 | case USER_DIRECTORY: | |
1692 | case USER_SUBVOLUME: | |
1693 | case USER_FSCRYPT: | |
c00b2ddc | 1694 | return home_resize_directory(h, flags, &setup, &cache, ret); |
70a5db58 LP |
1695 | |
1696 | default: | |
1697 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Resizing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1698 | } | |
1699 | } | |
1700 | ||
1701 | static int home_passwd(UserRecord *h, UserRecord **ret_home) { | |
1702 | _cleanup_(user_record_unrefp) UserRecord *header_home = NULL, *embedded_home = NULL, *new_home = NULL; | |
5d2a48da | 1703 | _cleanup_strv_free_erase_ char **effective_passwords = NULL; |
66aa51f8 | 1704 | _cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT; |
7b78db28 | 1705 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
e1df968b | 1706 | HomeSetupFlags flags = 0; |
17ac40e4 | 1707 | int r, reconciled; |
70a5db58 LP |
1708 | |
1709 | assert(h); | |
1710 | assert(ret_home); | |
1711 | ||
1712 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT)) | |
1713 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Changing password of home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1714 | ||
7b78db28 | 1715 | r = user_record_compile_effective_passwords(h, &cache, &effective_passwords); |
70a5db58 LP |
1716 | if (r < 0) |
1717 | return r; | |
1718 | ||
e1df968b | 1719 | r = home_validate_update(h, &setup, &flags); |
70a5db58 LP |
1720 | if (r < 0) |
1721 | return r; | |
1722 | ||
c00b2ddc | 1723 | r = home_setup(h, flags, &setup, &cache, &header_home); |
70a5db58 LP |
1724 | if (r < 0) |
1725 | return r; | |
1726 | ||
17ac40e4 AV |
1727 | reconciled = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL, &cache, &embedded_home, &new_home); |
1728 | if (reconciled < 0) | |
1729 | return reconciled; | |
70a5db58 | 1730 | |
a8be0984 LP |
1731 | r = home_maybe_shift_uid(h, flags, &setup); |
1732 | if (r < 0) | |
1733 | return r; | |
1734 | ||
70a5db58 LP |
1735 | switch (user_record_storage(h)) { |
1736 | ||
1737 | case USER_LUKS: | |
d26cdde3 | 1738 | r = home_passwd_luks(h, flags, &setup, &cache, effective_passwords); |
70a5db58 LP |
1739 | if (r < 0) |
1740 | return r; | |
1741 | break; | |
1742 | ||
1743 | case USER_FSCRYPT: | |
7b78db28 | 1744 | r = home_passwd_fscrypt(h, &setup, &cache, effective_passwords); |
70a5db58 LP |
1745 | if (r < 0) |
1746 | return r; | |
1747 | break; | |
1748 | ||
1749 | default: | |
1750 | break; | |
1751 | } | |
1752 | ||
1753 | r = home_store_header_identity_luks(new_home, &setup, header_home); | |
1754 | if (r < 0) | |
1755 | return r; | |
1756 | ||
285ad523 | 1757 | r = home_store_embedded_identity(new_home, setup.root_fd, embedded_home); |
70a5db58 LP |
1758 | if (r < 0) |
1759 | return r; | |
1760 | ||
17ac40e4 AV |
1761 | r = home_reconcile_blob_dirs(new_home, setup.root_fd, reconciled); |
1762 | if (r < 0) | |
1763 | return r; | |
1764 | ||
70a5db58 LP |
1765 | r = home_extend_embedded_identity(new_home, h, &setup); |
1766 | if (r < 0) | |
1767 | return r; | |
1768 | ||
1769 | r = home_sync_and_statfs(setup.root_fd, NULL); | |
1770 | if (r < 0) | |
1771 | return r; | |
1772 | ||
66aa51f8 | 1773 | r = home_setup_done(&setup); |
70a5db58 LP |
1774 | if (r < 0) |
1775 | return r; | |
1776 | ||
1777 | log_info("Everything completed."); | |
1778 | ||
1779 | *ret_home = TAKE_PTR(new_home); | |
1780 | return 1; | |
1781 | } | |
1782 | ||
1783 | static int home_inspect(UserRecord *h, UserRecord **ret_home) { | |
1784 | _cleanup_(user_record_unrefp) UserRecord *header_home = NULL, *new_home = NULL; | |
66aa51f8 | 1785 | _cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT; |
7b78db28 | 1786 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
e1df968b | 1787 | HomeSetupFlags flags = 0; |
70a5db58 LP |
1788 | int r; |
1789 | ||
1790 | assert(h); | |
1791 | assert(ret_home); | |
1792 | ||
7b78db28 | 1793 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ false); |
70a5db58 LP |
1794 | if (r < 0) |
1795 | return r; | |
1796 | ||
e1df968b | 1797 | r = home_validate_update(h, &setup, &flags); |
70a5db58 LP |
1798 | if (r < 0) |
1799 | return r; | |
1800 | ||
c00b2ddc | 1801 | r = home_setup(h, flags, &setup, &cache, &header_home); |
70a5db58 LP |
1802 | if (r < 0) |
1803 | return r; | |
1804 | ||
7b78db28 | 1805 | r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_ANY, &cache, NULL, &new_home); |
70a5db58 LP |
1806 | if (r < 0) |
1807 | return r; | |
1808 | ||
1809 | r = home_extend_embedded_identity(new_home, h, &setup); | |
1810 | if (r < 0) | |
1811 | return r; | |
1812 | ||
66aa51f8 | 1813 | r = home_setup_done(&setup); |
70a5db58 LP |
1814 | if (r < 0) |
1815 | return r; | |
1816 | ||
1817 | log_info("Everything completed."); | |
1818 | ||
1819 | *ret_home = TAKE_PTR(new_home); | |
1820 | return 1; | |
1821 | } | |
1822 | ||
1823 | static int home_lock(UserRecord *h) { | |
fc032ae1 | 1824 | _cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT; |
70a5db58 LP |
1825 | int r; |
1826 | ||
1827 | assert(h); | |
1828 | ||
1829 | if (!h->user_name) | |
1830 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing."); | |
1831 | if (user_record_storage(h) != USER_LUKS) | |
1832 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Locking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1833 | ||
1834 | r = user_record_test_home_directory_and_warn(h); | |
1835 | if (r < 0) | |
1836 | return r; | |
1837 | if (r != USER_TEST_MOUNTED) | |
1838 | return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home directory of %s is not mounted, can't lock.", h->user_name); | |
1839 | ||
fc032ae1 | 1840 | r = home_lock_luks(h, &setup); |
70a5db58 LP |
1841 | if (r < 0) |
1842 | return r; | |
1843 | ||
1844 | log_info("Everything completed."); | |
1845 | return 1; | |
1846 | } | |
1847 | ||
1848 | static int home_unlock(UserRecord *h) { | |
fc032ae1 | 1849 | _cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT; |
7b78db28 | 1850 | _cleanup_(password_cache_free) PasswordCache cache = {}; |
70a5db58 LP |
1851 | int r; |
1852 | ||
1853 | assert(h); | |
1854 | ||
1855 | if (!h->user_name) | |
1856 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing."); | |
1857 | if (user_record_storage(h) != USER_LUKS) | |
1858 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Unlocking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1859 | ||
1860 | /* Note that we don't check if $HOME is actually mounted, since we want to avoid disk accesses on | |
1861 | * that mount until we have resumed the device. */ | |
1862 | ||
7b78db28 | 1863 | r = user_record_authenticate(h, h, &cache, /* strict_verify= */ false); |
70a5db58 LP |
1864 | if (r < 0) |
1865 | return r; | |
1866 | ||
fc032ae1 | 1867 | r = home_unlock_luks(h, &setup, &cache); |
70a5db58 LP |
1868 | if (r < 0) |
1869 | return r; | |
1870 | ||
1871 | log_info("Everything completed."); | |
1872 | return 1; | |
1873 | } | |
1874 | ||
1875 | static int run(int argc, char *argv[]) { | |
1876 | _cleanup_(user_record_unrefp) UserRecord *home = NULL, *new_home = NULL; | |
1877 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
5d2a48da | 1878 | _cleanup_fclose_ FILE *opened_file = NULL; |
a4d72746 | 1879 | _cleanup_hashmap_free_ Hashmap *blobs = NULL; |
70a5db58 | 1880 | unsigned line = 0, column = 0; |
a4d72746 | 1881 | const char *json_path = NULL, *blob_filename; |
70a5db58 LP |
1882 | FILE *json_file; |
1883 | usec_t start; | |
a4d72746 | 1884 | JsonVariant *fdmap, *blob_fd_variant; |
70a5db58 LP |
1885 | int r; |
1886 | ||
1887 | start = now(CLOCK_MONOTONIC); | |
1888 | ||
d2acb93d | 1889 | log_setup(); |
70a5db58 | 1890 | |
30f19400 LP |
1891 | cryptsetup_enable_logging(NULL); |
1892 | ||
70a5db58 LP |
1893 | umask(0022); |
1894 | ||
1895 | if (argc < 2 || argc > 3) | |
1896 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program takes one or two arguments."); | |
1897 | ||
1898 | if (argc > 2) { | |
1899 | json_path = argv[2]; | |
1900 | ||
1901 | opened_file = fopen(json_path, "re"); | |
1902 | if (!opened_file) | |
1903 | return log_error_errno(errno, "Failed to open %s: %m", json_path); | |
1904 | ||
1905 | json_file = opened_file; | |
1906 | } else { | |
1907 | json_path = "<stdin>"; | |
1908 | json_file = stdin; | |
1909 | } | |
1910 | ||
1911 | r = json_parse_file(json_file, json_path, JSON_PARSE_SENSITIVE, &v, &line, &column); | |
1912 | if (r < 0) | |
1913 | return log_error_errno(r, "[%s:%u:%u] Failed to parse JSON data: %m", json_path, line, column); | |
1914 | ||
a4d72746 AV |
1915 | fdmap = json_variant_by_key(v, HOMEWORK_BLOB_FDMAP_FIELD); |
1916 | if (fdmap) { | |
1917 | r = hashmap_ensure_allocated(&blobs, &blob_fd_hash_ops); | |
1918 | if (r < 0) | |
1919 | return log_oom(); | |
1920 | ||
1921 | JSON_VARIANT_OBJECT_FOREACH(blob_filename, blob_fd_variant, fdmap) { | |
1922 | _cleanup_free_ char *filename = NULL; | |
1923 | _cleanup_close_ int fd = -EBADF; | |
1924 | ||
1925 | assert(json_variant_is_integer(blob_fd_variant)); | |
1926 | assert(json_variant_integer(blob_fd_variant) >= 0); | |
1927 | assert(json_variant_integer(blob_fd_variant) <= INT_MAX - SD_LISTEN_FDS_START); | |
1928 | fd = SD_LISTEN_FDS_START + (int) json_variant_integer(blob_fd_variant); | |
1929 | ||
1930 | if (DEBUG_LOGGING) { | |
1931 | _cleanup_free_ char *resolved = NULL; | |
1932 | r = fd_get_path(fd, &resolved); | |
1933 | log_debug("Got blob from daemon: %s (%d) → %s", | |
1934 | blob_filename, fd, resolved ?: STRERROR(r)); | |
1935 | } | |
1936 | ||
1937 | filename = strdup(blob_filename); | |
1938 | if (!filename) | |
1939 | return log_oom(); | |
1940 | ||
1941 | r = fd_cloexec(fd, true); | |
1942 | if (r < 0) | |
1943 | return log_error_errno(r, "Failed to enable O_CLOEXEC on blob %s: %m", filename); | |
1944 | ||
1945 | r = hashmap_put(blobs, filename, FD_TO_PTR(fd)); | |
1946 | if (r < 0) | |
1947 | return log_error_errno(r, "Failed to insert blob %s into map: %m", filename); | |
1948 | TAKE_PTR(filename); /* Ownership transfers to hashmap */ | |
1949 | TAKE_FD(fd); | |
1950 | } | |
1951 | ||
1952 | r = json_variant_filter(&v, STRV_MAKE(HOMEWORK_BLOB_FDMAP_FIELD)); | |
1953 | if (r < 0) | |
1954 | return log_error_errno(r, "Failed to strip internal fdmap from JSON: %m"); | |
1955 | } | |
1956 | ||
70a5db58 LP |
1957 | home = user_record_new(); |
1958 | if (!home) | |
1959 | return log_oom(); | |
1960 | ||
bfc0cc1a | 1961 | r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG|USER_RECORD_PERMISSIVE); |
70a5db58 LP |
1962 | if (r < 0) |
1963 | return r; | |
1964 | ||
1965 | /* Well known return values of these operations, that systemd-homed knows and converts to proper D-Bus errors: | |
1966 | * | |
162392b7 ZJS |
1967 | * EMSGSIZE → file systems of this type cannot be shrunk |
1968 | * ETXTBSY → file systems of this type can only be shrunk offline | |
70a5db58 LP |
1969 | * ERANGE → file system size too small |
1970 | * ENOLINK → system does not support selected storage backend | |
1971 | * EPROTONOSUPPORT → system does not support selected file system | |
1972 | * ENOTTY → operation not support on this storage | |
1973 | * ESOCKTNOSUPPORT → operation not support on this file system | |
1974 | * ENOKEY → password incorrect (or not sufficient, or not supplied) | |
87d7893c | 1975 | * EREMOTEIO → recovery key incorrect (or not sufficeint, or not supplied — only if no passwords defined) |
70a5db58 | 1976 | * EBADSLT → similar, but PKCS#11 device is defined and might be able to provide password, if it was plugged in which it is not |
7b78db28 | 1977 | * ENOANO → suitable PKCS#11/FIDO2 device found, but PIN is missing to unlock it |
70a5db58 | 1978 | * ERFKILL → suitable PKCS#11 device found, but OK to ask for on-device interactive authentication not given |
7b78db28 | 1979 | * EMEDIUMTYPE → suitable FIDO2 device found, but OK to ask for user presence not given |
17e7561a | 1980 | * ENOCSI → suitable FIDO2 device found, but OK to ask for user verification not given |
7b78db28 LP |
1981 | * ENOSTR → suitable FIDO2 device found, but user didn't react to action request on token quickly enough |
1982 | * EOWNERDEAD → suitable PKCS#11/FIDO2 device found, but its PIN is locked | |
1983 | * ENOLCK → suitable PKCS#11/FIDO2 device found, but PIN incorrect | |
70a5db58 LP |
1984 | * ETOOMANYREFS → suitable PKCS#11 device found, but PIN incorrect, and only few tries left |
1985 | * EUCLEAN → suitable PKCS#11 device found, but PIN incorrect, and only one try left | |
1986 | * EBUSY → file system is currently active | |
1987 | * ENOEXEC → file system is currently not active | |
1988 | * ENOSPC → not enough disk space for operation | |
cbffdcec | 1989 | * EKEYREVOKED → user record has not suitable hashed password or pkcs#11 entry, we cannot authenticate |
2aaf565a | 1990 | * EADDRINUSE → home image is already used elsewhere (lock taken) |
70a5db58 LP |
1991 | */ |
1992 | ||
1993 | if (streq(argv[1], "activate")) | |
1994 | r = home_activate(home, &new_home); | |
1995 | else if (streq(argv[1], "deactivate")) | |
1996 | r = home_deactivate(home, false); | |
1997 | else if (streq(argv[1], "deactivate-force")) | |
1998 | r = home_deactivate(home, true); | |
1999 | else if (streq(argv[1], "create")) | |
a4d72746 | 2000 | r = home_create(home, blobs, &new_home); |
70a5db58 LP |
2001 | else if (streq(argv[1], "remove")) |
2002 | r = home_remove(home); | |
2003 | else if (streq(argv[1], "update")) | |
a4d72746 | 2004 | r = home_update(home, blobs, &new_home); |
d357b80d LP |
2005 | else if (streq(argv[1], "resize")) /* Resize on user request */ |
2006 | r = home_resize(home, false, &new_home); | |
2007 | else if (streq(argv[1], "resize-auto")) /* Automatic resize */ | |
2008 | r = home_resize(home, true, &new_home); | |
70a5db58 LP |
2009 | else if (streq(argv[1], "passwd")) |
2010 | r = home_passwd(home, &new_home); | |
2011 | else if (streq(argv[1], "inspect")) | |
2012 | r = home_inspect(home, &new_home); | |
2013 | else if (streq(argv[1], "lock")) | |
2014 | r = home_lock(home); | |
2015 | else if (streq(argv[1], "unlock")) | |
2016 | r = home_unlock(home); | |
2017 | else | |
2018 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb '%s'.", argv[1]); | |
87d7893c | 2019 | if (IN_SET(r, -ENOKEY, -EREMOTEIO) && !strv_isempty(home->password) ) { /* There were passwords specified but they were incorrect */ |
70a5db58 LP |
2020 | usec_t end, n, d; |
2021 | ||
2022 | /* Make sure bad password replies always take at least 3s, and if longer multiples of 3s, so | |
2023 | * that it's not clear how long we actually needed for our calculations. */ | |
2024 | n = now(CLOCK_MONOTONIC); | |
2025 | assert(n >= start); | |
2026 | ||
2027 | d = usec_sub_unsigned(n, start); | |
2028 | if (d > BAD_PASSWORD_DELAY_USEC) | |
2029 | end = start + DIV_ROUND_UP(d, BAD_PASSWORD_DELAY_USEC) * BAD_PASSWORD_DELAY_USEC; | |
2030 | else | |
2031 | end = start + BAD_PASSWORD_DELAY_USEC; | |
2032 | ||
2033 | if (n < end) | |
4251512e | 2034 | (void) usleep_safe(usec_sub_unsigned(end, n)); |
70a5db58 LP |
2035 | } |
2036 | if (r < 0) | |
2037 | return r; | |
2038 | ||
2039 | /* We always pass the new record back, regardless if it changed or not. This allows our caller to | |
2040 | * prepare a fresh record, send to us, and only if it works use it without having to keep a local | |
2041 | * copy. */ | |
2042 | if (new_home) | |
2043 | json_variant_dump(new_home->json, JSON_FORMAT_NEWLINE, stdout, NULL); | |
2044 | ||
2045 | return 0; | |
2046 | } | |
2047 | ||
2048 | DEFINE_MAIN_FUNCTION(run); |