1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
6 #include "blockdev-util.h"
7 #include "chown-recursive.h"
11 #include "filesystems.h"
13 #include "home-util.h"
14 #include "homework-cifs.h"
15 #include "homework-directory.h"
16 #include "homework-fido2.h"
17 #include "homework-fscrypt.h"
18 #include "homework-luks.h"
19 #include "homework-mount.h"
20 #include "homework-pkcs11.h"
22 #include "libcrypt-util.h"
23 #include "main-func.h"
24 #include "memory-util.h"
25 #include "missing_magic.h"
26 #include "mount-util.h"
27 #include "path-util.h"
28 #include "recovery-key.h"
30 #include "stat-util.h"
32 #include "sync-util.h"
33 #include "tmpfile-util.h"
34 #include "user-util.h"
37 /* Make sure a bad password always results in a 3s delay, no matter what */
38 #define BAD_PASSWORD_DELAY_USEC (3 * USEC_PER_SEC)
40 int user_record_authenticate(
46 bool need_password
= false, need_recovery_key
= false, need_token
= false, need_pin
= false,
47 need_protected_authentication_path_permitted
= false, need_user_presence_permitted
= false,
48 need_user_verification_permitted
= false, pin_locked
= false, pin_incorrect
= false,
49 pin_incorrect_few_tries_left
= false, pin_incorrect_one_try_left
= false, token_action_timeout
= false;
55 /* Tries to authenticate a user record with the supplied secrets. i.e. checks whether at least one
56 * supplied plaintext passwords matches a hashed password field of the user record. Or if a
57 * configured PKCS#11 or FIDO2 token is around and can unlock the record.
59 * Note that the 'cache' parameter is both an input and output parameter: it contains lists of
60 * configured, decrypted PKCS#11/FIDO2 passwords. We typically have to call this function multiple
61 * times over the course of an operation (think: on login we authenticate the host user record, the
62 * record embedded in the LUKS record and the one embedded in $HOME). Hence we keep a list of
63 * passwords we already decrypted, so that we don't have to do the (slow and potentially interactive)
64 * PKCS#11/FIDO2 dance for the relevant token again and again. */
66 /* First, let's see if the supplied plain-text passwords work? */
67 r
= user_record_test_password(h
, secret
);
71 log_debug_errno(r
, "User record has no hashed passwords, plaintext passwords not tested.");
73 return log_error_errno(r
, "Failed to validate password of record: %m");
75 log_info("Provided password unlocks user record.");
79 /* Similar, but test against the recovery keys */
80 r
= user_record_test_recovery_key(h
, secret
);
82 need_recovery_key
= true;
84 log_debug_errno(r
, "User record has no recovery keys, plaintext passwords not tested against it.");
86 return log_error_errno(r
, "Failed to validate the recovery key of the record: %m");
88 log_info("Provided password is a recovery key that unlocks the user record.");
92 if (need_password
&& need_recovery_key
)
93 log_info("None of the supplied plaintext passwords unlock the user record's hashed passwords or recovery keys.");
94 else if (need_password
)
95 log_info("None of the supplied plaintext passwords unlock the user record's hashed passwords.");
97 log_info("None of the supplied plaintext passwords unlock the user record's hashed recovery keys.");
99 /* Second, test cached PKCS#11 passwords */
100 for (size_t n
= 0; n
< h
->n_pkcs11_encrypted_key
; n
++)
101 STRV_FOREACH(pp
, cache
->pkcs11_passwords
) {
102 r
= test_password_one(h
->pkcs11_encrypted_key
[n
].hashed_password
, *pp
);
104 return log_error_errno(r
, "Failed to check supplied PKCS#11 password: %m");
106 log_info("Previously acquired PKCS#11 password unlocks user record.");
111 /* Third, test cached FIDO2 passwords */
112 for (size_t n
= 0; n
< h
->n_fido2_hmac_salt
; n
++)
113 /* See if any of the previously calculated passwords work */
114 STRV_FOREACH(pp
, cache
->fido2_passwords
) {
115 r
= test_password_one(h
->fido2_hmac_salt
[n
].hashed_password
, *pp
);
117 return log_error_errno(r
, "Failed to check supplied FIDO2 password: %m");
119 log_info("Previously acquired FIDO2 password unlocks user record.");
124 /* Fourth, let's see if any of the PKCS#11 security tokens are plugged in and help us */
125 for (size_t n
= 0; n
< h
->n_pkcs11_encrypted_key
; n
++) {
127 _cleanup_(pkcs11_callback_data_release
) struct pkcs11_callback_data data
= {
130 .encrypted_key
= h
->pkcs11_encrypted_key
+ n
,
133 r
= pkcs11_find_token(data
.encrypted_key
->uri
, pkcs11_callback
, &data
);
142 need_protected_authentication_path_permitted
= true;
148 pin_incorrect
= true;
151 pin_incorrect
= pin_incorrect_few_tries_left
= true;
154 pin_incorrect
= pin_incorrect_few_tries_left
= pin_incorrect_one_try_left
= true;
160 r
= test_password_one(data
.encrypted_key
->hashed_password
, data
.decrypted_password
);
162 return log_error_errno(r
, "Failed to test PKCS#11 password: %m");
164 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Configured PKCS#11 security token %s does not decrypt encrypted key correctly.", data
.encrypted_key
->uri
);
166 log_info("Decrypted password from PKCS#11 security token %s unlocks user record.", data
.encrypted_key
->uri
);
168 r
= strv_extend(&cache
->pkcs11_passwords
, data
.decrypted_password
);
180 /* Fifth, let's see if any of the FIDO2 security tokens are plugged in and help us */
181 for (size_t n
= 0; n
< h
->n_fido2_hmac_salt
; n
++) {
183 _cleanup_(erase_and_freep
) char *decrypted_password
= NULL
;
185 r
= fido2_use_token(h
, secret
, h
->fido2_hmac_salt
+ n
, &decrypted_password
);
197 pin_incorrect
= true;
200 need_user_presence_permitted
= true;
203 need_user_verification_permitted
= true;
206 token_action_timeout
= true;
212 r
= test_password_one(h
->fido2_hmac_salt
[n
].hashed_password
, decrypted_password
);
214 return log_error_errno(r
, "Failed to test FIDO2 password: %m");
216 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Configured FIDO2 security token does not decrypt encrypted key correctly.");
218 log_info("Decrypted password from FIDO2 security token unlocks user record.");
220 r
= strv_extend(&cache
->fido2_passwords
, decrypted_password
);
232 /* Ordered by "relevance", i.e. the most "important" or "interesting" error condition is returned. */
233 if (pin_incorrect_one_try_left
)
235 if (pin_incorrect_few_tries_left
)
236 return -ETOOMANYREFS
;
241 if (token_action_timeout
)
243 if (need_protected_authentication_path_permitted
)
245 if (need_user_presence_permitted
)
247 if (need_user_verification_permitted
)
255 if (need_recovery_key
)
258 /* Hmm, this means neither PCKS#11/FIDO2 nor classic hashed passwords or recovery keys were supplied,
259 * we cannot authenticate this reasonably */
261 return log_debug_errno(SYNTHETIC_ERRNO(EKEYREVOKED
),
262 "No hashed passwords, no recovery keys and no PKCS#11/FIDO2 tokens defined, cannot authenticate user record, refusing.");
264 /* If strict verification is off this means we are possibly in the case where we encountered an
265 * unfixated record, i.e. a synthetic one that accordingly lacks any authentication data. In this
266 * case, allow the authentication to pass for now, so that the second (or third) authentication level
267 * (the ones of the user record in the LUKS header or inside the home directory) will then catch
268 * invalid passwords. The second/third authentication always runs in strict verification mode. */
269 log_debug("No hashed passwords, not recovery keys and no PKCS#11 tokens defined in record, cannot authenticate user record. "
270 "Deferring to embedded user record.");
274 static void drop_caches_now(void) {
277 /* Drop file system caches now. See https://docs.kernel.org/admin-guide/sysctl/vm.html
278 * for details. We write "2" into /proc/sys/vm/drop_caches to ensure dentries/inodes are flushed, but
281 r
= write_string_file("/proc/sys/vm/drop_caches", "2\n", WRITE_STRING_FILE_DISABLE_BUFFER
);
283 log_warning_errno(r
, "Failed to drop caches, ignoring: %m");
285 log_debug("Dropped caches.");
288 int home_setup_undo_mount(HomeSetup
*setup
, int level
) {
293 if (!setup
->undo_mount
)
296 r
= umount_recursive(HOME_RUNTIME_WORK_DIR
, 0);
298 if (level
>= LOG_DEBUG
) /* umount_recursive() does debug level logging anyway, no need to
299 * repeat that here */
302 /* If a higher log level is requested, the generate a non-debug message here too. */
303 return log_full_errno(level
, r
, "Failed to unmount mount tree below %s: %m", HOME_RUNTIME_WORK_DIR
);
306 setup
->undo_mount
= false;
310 int home_setup_undo_dm(HomeSetup
*setup
, int level
) {
315 if (setup
->undo_dm
) {
316 assert(setup
->crypt_device
);
317 assert(setup
->dm_name
);
319 r
= sym_crypt_deactivate_by_name(setup
->crypt_device
, setup
->dm_name
, 0);
321 return log_full_errno(level
, r
, "Failed to deactivate LUKS device: %m");
323 /* In case the device was already remove asynchronously by an early unmount via the deferred
324 * remove logic, let's wait for it */
325 (void) wait_for_block_device_gone(setup
, USEC_PER_SEC
* 30);
327 setup
->undo_dm
= false;
332 if (setup
->crypt_device
) {
333 sym_crypt_free(setup
->crypt_device
);
334 setup
->crypt_device
= NULL
;
340 int keyring_unlink(key_serial_t k
) {
342 if (k
== -1) /* already invalidated? */
345 if (keyctl(KEYCTL_UNLINK
, k
, KEY_SPEC_SESSION_KEYRING
, 0, 0) < 0)
346 log_debug_errno(errno
, "Failed to unlink key from session kernel keyring, ignoring: %m");
348 return -1; /* Always return the key_serial_t value for "invalid" */
351 static int keyring_flush(UserRecord
*h
) {
352 _cleanup_free_
char *name
= NULL
;
357 name
= strjoin("homework-user-", h
->user_name
);
361 serial
= keyctl(KEYCTL_SEARCH
, (unsigned long) KEY_SPEC_SESSION_KEYRING
, (unsigned long) "user", (unsigned long) name
, 0);
363 return log_debug_errno(errno
, "Failed to find kernel keyring entry for user, ignoring: %m");
365 return keyring_unlink(serial
);
368 int home_setup_done(HomeSetup
*setup
) {
373 if (setup
->root_fd
>= 0) {
374 if (setup
->do_offline_fitrim
) {
375 q
= run_fitrim(setup
->root_fd
);
380 if (syncfs(setup
->root_fd
) < 0)
381 log_debug_errno(errno
, "Failed to synchronize home directory, ignoring: %m");
383 setup
->root_fd
= safe_close(setup
->root_fd
);
386 q
= home_setup_undo_mount(setup
, LOG_DEBUG
);
390 q
= home_setup_undo_dm(setup
, LOG_DEBUG
);
394 if (setup
->image_fd
>= 0) {
395 if (setup
->do_offline_fallocate
) {
396 q
= run_fallocate(setup
->image_fd
, NULL
);
401 if (setup
->do_mark_clean
) {
402 q
= run_mark_dirty(setup
->image_fd
, false);
407 setup
->image_fd
= safe_close(setup
->image_fd
);
410 if (setup
->temporary_image_path
) {
411 if (unlink(setup
->temporary_image_path
) < 0)
412 log_debug_errno(errno
, "Failed to remove temporary image file '%s', ignoring: %m",
413 setup
->temporary_image_path
);
415 setup
->temporary_image_path
= mfree(setup
->temporary_image_path
);
418 setup
->key_serial
= keyring_unlink(setup
->key_serial
);
420 setup
->undo_mount
= false;
421 setup
->undo_dm
= false;
422 setup
->do_offline_fitrim
= false;
423 setup
->do_offline_fallocate
= false;
424 setup
->do_mark_clean
= false;
426 setup
->dm_name
= mfree(setup
->dm_name
);
427 setup
->dm_node
= mfree(setup
->dm_node
);
429 setup
->loop
= loop_device_unref(setup
->loop
);
431 setup
->volume_key
= erase_and_free(setup
->volume_key
);
432 setup
->volume_key_size
= 0;
434 if (setup
->do_drop_caches
)
437 setup
->mount_suffix
= mfree(setup
->mount_suffix
);
444 HomeSetupFlags flags
,
446 PasswordCache
*cache
,
447 UserRecord
**ret_header_home
) {
453 assert(!setup
->loop
);
454 assert(!setup
->crypt_device
);
455 assert(setup
->root_fd
< 0);
456 assert(!setup
->undo_dm
);
457 assert(!setup
->undo_mount
);
459 /* Makes a home directory accessible (through the root_fd file descriptor, not by path!). */
461 if (!FLAGS_SET(flags
, HOME_SETUP_ALREADY_ACTIVATED
)) /* If we set up the directory, we should also drop caches once we are done */
462 setup
->do_drop_caches
= setup
->do_drop_caches
|| user_record_drop_caches(h
);
464 switch (user_record_storage(h
)) {
467 return home_setup_luks(h
, flags
, NULL
, setup
, cache
, ret_header_home
);
471 r
= home_setup_directory(h
, setup
);
475 r
= home_setup_fscrypt(h
, setup
, cache
);
479 r
= home_setup_cifs(h
, flags
, setup
);
483 return log_error_errno(SYNTHETIC_ERRNO(ENOLINK
), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
490 *ret_header_home
= NULL
;
495 int home_sync_and_statfs(int root_fd
, struct statfs
*ret
) {
496 assert(root_fd
>= 0);
498 /* Let's sync this to disk, so that the disk space reported by fstatfs() below is accurate (for file
499 * systems such as btrfs where this is determined lazily). */
501 if (syncfs(root_fd
) < 0)
502 return log_error_errno(errno
, "Failed to synchronize file system: %m");
505 if (fstatfs(root_fd
, ret
) < 0)
506 return log_error_errno(errno
, "Failed to statfs() file system: %m");
508 log_info("Synchronized disk.");
513 static int read_identity_file(int root_fd
, JsonVariant
**ret
) {
514 _cleanup_(fclosep
) FILE *identity_file
= NULL
;
515 _cleanup_close_
int identity_fd
= -1;
516 unsigned line
, column
;
519 assert(root_fd
>= 0);
522 identity_fd
= openat(root_fd
, ".identity", O_RDONLY
|O_CLOEXEC
|O_NOCTTY
|O_NOFOLLOW
|O_NONBLOCK
);
524 return log_error_errno(errno
, "Failed to open .identity file in home directory: %m");
526 r
= fd_verify_regular(identity_fd
);
528 return log_error_errno(r
, "Embedded identity file is not a regular file, refusing: %m");
530 identity_file
= take_fdopen(&identity_fd
, "r");
534 r
= json_parse_file(identity_file
, ".identity", JSON_PARSE_SENSITIVE
, ret
, &line
, &column
);
536 return log_error_errno(r
, "[.identity:%u:%u] Failed to parse JSON data: %m", line
, column
);
538 log_info("Read embedded .identity file.");
543 static int write_identity_file(int root_fd
, JsonVariant
*v
, uid_t uid
) {
544 _cleanup_(json_variant_unrefp
) JsonVariant
*normalized
= NULL
;
545 _cleanup_(fclosep
) FILE *identity_file
= NULL
;
546 _cleanup_close_
int identity_fd
= -1;
547 _cleanup_free_
char *fn
= NULL
;
550 assert(root_fd
>= 0);
553 normalized
= json_variant_ref(v
);
555 r
= json_variant_normalize(&normalized
);
557 log_warning_errno(r
, "Failed to normalize user record, ignoring: %m");
559 r
= tempfn_random(".identity", NULL
, &fn
);
563 identity_fd
= openat(root_fd
, fn
, O_WRONLY
|O_CREAT
|O_EXCL
|O_CLOEXEC
|O_NOCTTY
|O_NOFOLLOW
, 0600);
565 return log_error_errno(errno
, "Failed to create .identity file in home directory: %m");
567 identity_file
= take_fdopen(&identity_fd
, "w");
568 if (!identity_file
) {
573 json_variant_dump(normalized
, JSON_FORMAT_PRETTY
, identity_file
, NULL
);
575 r
= fflush_and_check(identity_file
);
577 log_error_errno(r
, "Failed to write .identity file: %m");
581 if (fchown(fileno(identity_file
), uid
, uid
) < 0) {
582 r
= log_error_errno(errno
, "Failed to change ownership of identity file: %m");
586 if (renameat(root_fd
, fn
, root_fd
, ".identity") < 0) {
587 r
= log_error_errno(errno
, "Failed to move identity file into place: %m");
591 log_info("Wrote embedded .identity file.");
596 (void) unlinkat(root_fd
, fn
, 0);
600 int home_load_embedded_identity(
603 UserRecord
*header_home
,
604 UserReconcileMode mode
,
605 PasswordCache
*cache
,
606 UserRecord
**ret_embedded_home
,
607 UserRecord
**ret_new_home
) {
609 _cleanup_(user_record_unrefp
) UserRecord
*embedded_home
= NULL
, *intermediate_home
= NULL
, *new_home
= NULL
;
610 _cleanup_(json_variant_unrefp
) JsonVariant
*v
= NULL
;
614 assert(root_fd
>= 0);
616 r
= read_identity_file(root_fd
, &v
);
620 embedded_home
= user_record_new();
624 r
= user_record_load(embedded_home
, v
, USER_RECORD_LOAD_EMBEDDED
|USER_RECORD_PERMISSIVE
);
628 if (!user_record_compatible(h
, embedded_home
))
629 return log_error_errno(SYNTHETIC_ERRNO(EREMCHG
), "Embedded home record not compatible with host record, refusing.");
631 /* Insist that credentials the user supplies also unlocks any embedded records. */
632 r
= user_record_authenticate(embedded_home
, h
, cache
, /* strict_verify= */ true);
635 assert(r
> 0); /* Insist that a password was verified */
637 /* At this point we have three records to deal with:
639 * · The record we got passed from the host
640 * · The record included in the LUKS header (only if LUKS is used)
641 * · The record in the home directory itself (~.identity)
643 * Now we have to reconcile all three, and let the newest one win. */
646 /* Note we relax the requirements here. Instead of insisting that the host record is strictly
647 * newer, let's also be OK if its equally new. If it is, we'll however insist that the
648 * embedded record must be newer, so that we update at least one of the two. */
650 r
= user_record_reconcile(h
, header_home
, mode
== USER_RECONCILE_REQUIRE_NEWER
? USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL
: mode
, &intermediate_home
);
651 if (r
== -EREMCHG
) /* this was supposed to be checked earlier already, but let's check this again */
652 return log_error_errno(r
, "Identity stored on host and in header don't match, refusing.");
654 return log_error_errno(r
, "Embedded identity record is newer than supplied record, refusing.");
656 return log_error_errno(r
, "Failed to reconcile host and header identities: %m");
657 if (r
== USER_RECONCILE_EMBEDDED_WON
)
658 log_info("Reconciling header user identity completed (header version was newer).");
659 else if (r
== USER_RECONCILE_HOST_WON
) {
660 log_info("Reconciling header user identity completed (host version was newer).");
662 if (mode
== USER_RECONCILE_REQUIRE_NEWER
) /* Host version is newer than the header
663 * version, hence we'll update
664 * something. This means we can relax the
665 * requirements on the embedded
667 mode
= USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL
;
669 assert(r
== USER_RECONCILE_IDENTICAL
);
670 log_info("Reconciling user identities completed (host and header version were identical).");
673 h
= intermediate_home
;
676 r
= user_record_reconcile(h
, embedded_home
, mode
, &new_home
);
678 return log_error_errno(r
, "Identity stored on host and in home don't match, refusing.");
680 return log_error_errno(r
, "Embedded identity record is equally new or newer than supplied record, refusing.");
682 return log_error_errno(r
, "Failed to reconcile host and embedded identities: %m");
683 if (r
== USER_RECONCILE_EMBEDDED_WON
)
684 log_info("Reconciling embedded user identity completed (embedded version was newer).");
685 else if (r
== USER_RECONCILE_HOST_WON
)
686 log_info("Reconciling embedded user identity completed (host version was newer).");
688 assert(r
== USER_RECONCILE_IDENTICAL
);
689 log_info("Reconciling embedded user identity completed (host and embedded version were identical).");
692 if (ret_embedded_home
)
693 *ret_embedded_home
= TAKE_PTR(embedded_home
);
696 *ret_new_home
= TAKE_PTR(new_home
);
701 int home_store_embedded_identity(UserRecord
*h
, int root_fd
, uid_t uid
, UserRecord
*old_home
) {
702 _cleanup_(user_record_unrefp
) UserRecord
*embedded
= NULL
;
706 assert(root_fd
>= 0);
707 assert(uid_is_valid(uid
));
709 r
= user_record_clone(h
, USER_RECORD_EXTRACT_EMBEDDED
|USER_RECORD_PERMISSIVE
, &embedded
);
711 return log_error_errno(r
, "Failed to determine new embedded record: %m");
713 if (old_home
&& user_record_equal(old_home
, embedded
)) {
714 log_debug("Not updating embedded home record.");
718 /* The identity has changed, let's update it in the image */
719 r
= write_identity_file(root_fd
, embedded
->json
, h
->uid
);
726 static const char *file_system_type_fd(int fd
) {
731 if (fstatfs(fd
, &sfs
) < 0) {
732 log_debug_errno(errno
, "Failed to statfs(): %m");
736 return fs_type_to_string(sfs
.f_type
);
739 int home_extend_embedded_identity(UserRecord
*h
, UserRecord
*used
, HomeSetup
*setup
) {
746 r
= user_record_add_binding(
748 user_record_storage(used
),
749 user_record_image_path(used
),
750 setup
->found_partition_uuid
,
751 setup
->found_luks_uuid
,
752 setup
->found_fs_uuid
,
753 setup
->crypt_device
? sym_crypt_get_cipher(setup
->crypt_device
) : NULL
,
754 setup
->crypt_device
? sym_crypt_get_cipher_mode(setup
->crypt_device
) : NULL
,
755 setup
->crypt_device
? luks_volume_key_size_convert(setup
->crypt_device
) : UINT64_MAX
,
756 file_system_type_fd(setup
->root_fd
),
757 user_record_home_directory(used
),
761 return log_error_errno(r
, "Failed to update binding in record: %m");
766 static int chown_recursive_directory(int root_fd
, uid_t uid
) {
769 assert(root_fd
>= 0);
770 assert(uid_is_valid(uid
));
772 r
= fd_chown_recursive(root_fd
, uid
, (gid_t
) uid
, 0777);
774 return log_error_errno(r
, "Failed to change ownership of files and directories: %m");
776 log_info("Recursive changing of ownership not necessary, skipped.");
778 log_info("Recursive changing of ownership completed.");
783 int home_maybe_shift_uid(
785 HomeSetupFlags flags
,
788 _cleanup_close_
int mount_fd
= -1;
793 assert(setup
->root_fd
>= 0);
795 /* If the home dir is already activated, then the UID shift is already applied. */
796 if (FLAGS_SET(flags
, HOME_SETUP_ALREADY_ACTIVATED
))
799 if (fstat(setup
->root_fd
, &st
) < 0)
800 return log_error_errno(errno
, "Failed to stat() home directory: %m");
802 /* Let's shift UIDs of this mount. Hopefully this makes the later chowning unnecessary. (Note that we
803 * also prefer to do UID mapping even if the UID already matches our goal UID. That's because we want
804 * to leave UIDs in the homed managed range unmapped.) */
805 (void) home_shift_uid(setup
->root_fd
, NULL
, st
.st_uid
, h
->uid
, &mount_fd
);
807 /* If this worked, then we'll have a reference to the mount now, which we can also use like an O_PATH
808 * fd to the new dir. Let's convert it into a proper O_DIRECTORY fd. */
810 safe_close(setup
->root_fd
);
812 setup
->root_fd
= fd_reopen(mount_fd
, O_RDONLY
|O_CLOEXEC
|O_DIRECTORY
);
813 if (setup
->root_fd
< 0)
814 return log_error_errno(setup
->root_fd
, "Failed to convert mount fd into regular directory fd: %m");
822 HomeSetupFlags flags
,
824 UserRecord
*header_home
,
825 PasswordCache
*cache
,
826 struct statfs
*ret_statfs
,
827 UserRecord
**ret_new_home
) {
829 _cleanup_(user_record_unrefp
) UserRecord
*embedded_home
= NULL
, *new_home
= NULL
;
834 assert(ret_new_home
);
836 /* When activating a home directory, does the identity work: loads the identity from the $HOME
837 * directory, reconciles it with our idea, chown()s everything. */
839 r
= home_load_embedded_identity(h
, setup
->root_fd
, header_home
, USER_RECONCILE_ANY
, cache
, &embedded_home
, &new_home
);
843 r
= home_maybe_shift_uid(h
, flags
, setup
);
847 r
= home_store_header_identity_luks(new_home
, setup
, header_home
);
851 r
= home_store_embedded_identity(new_home
, setup
->root_fd
, h
->uid
, embedded_home
);
855 r
= chown_recursive_directory(setup
->root_fd
, h
->uid
);
859 r
= home_sync_and_statfs(setup
->root_fd
, ret_statfs
);
863 *ret_new_home
= TAKE_PTR(new_home
);
867 static int home_activate(UserRecord
*h
, UserRecord
**ret_home
) {
868 _cleanup_(home_setup_done
) HomeSetup setup
= HOME_SETUP_INIT
;
869 _cleanup_(user_record_unrefp
) UserRecord
*new_home
= NULL
;
870 _cleanup_(password_cache_free
) PasswordCache cache
= {};
871 HomeSetupFlags flags
= 0;
877 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record lacks user name, refusing.");
878 if (!uid_is_valid(h
->uid
))
879 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record lacks UID, refusing.");
880 if (!IN_SET(user_record_storage(h
), USER_LUKS
, USER_DIRECTORY
, USER_SUBVOLUME
, USER_FSCRYPT
, USER_CIFS
))
881 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY
), "Activating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
883 r
= user_record_authenticate(h
, h
, &cache
, /* strict_verify= */ false);
887 r
= user_record_test_home_directory_and_warn(h
);
890 if (r
== USER_TEST_MOUNTED
)
891 return log_error_errno(SYNTHETIC_ERRNO(EALREADY
), "Home directory %s is already mounted, refusing.", user_record_home_directory(h
));
893 r
= user_record_test_image_path_and_warn(h
);
896 if (r
== USER_TEST_ABSENT
)
897 return log_error_errno(SYNTHETIC_ERRNO(ENOENT
), "Image path %s is missing, refusing.", user_record_image_path(h
));
899 switch (user_record_storage(h
)) {
902 r
= home_activate_luks(h
, flags
, &setup
, &cache
, &new_home
);
911 r
= home_activate_directory(h
, flags
, &setup
, &cache
, &new_home
);
918 r
= home_activate_cifs(h
, flags
, &setup
, &cache
, &new_home
);
925 assert_not_reached();
928 /* Note that the returned object might either be a reference to an updated version of the existing
929 * home object, or a reference to a newly allocated home object. The caller has to be able to deal
930 * with both, and consider the old object out-of-date. */
931 if (user_record_equal(h
, new_home
)) {
933 return 0; /* no identity change */
936 *ret_home
= TAKE_PTR(new_home
);
937 return 1; /* identity updated */
940 static int home_deactivate(UserRecord
*h
, bool force
) {
941 _cleanup_(home_setup_done
) HomeSetup setup
= HOME_SETUP_INIT
;
942 _cleanup_(password_cache_free
) PasswordCache cache
= {};
949 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record incomplete, refusing.");
950 if (!IN_SET(user_record_storage(h
), USER_LUKS
, USER_DIRECTORY
, USER_SUBVOLUME
, USER_FSCRYPT
, USER_CIFS
))
951 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY
), "Deactivating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
953 r
= user_record_test_home_directory_and_warn(h
);
956 if (r
== USER_TEST_MOUNTED
) {
957 /* Before we do anything, let's move the home mount away. */
958 r
= home_unshare_and_mkdir();
962 r
= mount_nofollow_verbose(LOG_ERR
, user_record_home_directory(h
), HOME_RUNTIME_WORK_DIR
, NULL
, MS_BIND
, NULL
);
966 setup
.undo_mount
= true; /* remember to unmount the new bind mount from HOME_RUNTIME_WORK_DIR */
968 /* Let's explicitly open the new root fs, using the moved path */
969 setup
.root_fd
= open(HOME_RUNTIME_WORK_DIR
, O_RDONLY
|O_DIRECTORY
|O_CLOEXEC
);
970 if (setup
.root_fd
< 0)
971 return log_error_errno(errno
, "Failed to open moved home directory: %m");
973 /* Now get rid of the home at its original place (we only keep the bind mount we created above) */
974 r
= umount_verbose(LOG_ERR
, user_record_home_directory(h
), UMOUNT_NOFOLLOW
| (force
? MNT_FORCE
|MNT_DETACH
: 0));
978 if (user_record_storage(h
) == USER_LUKS
) {
979 /* Automatically shrink on logout if that's enabled. To be able to shrink we need the
980 * keys to the device. */
981 password_cache_load_keyring(h
, &cache
);
982 (void) home_trim_luks(h
, &setup
);
985 /* Sync explicitly, so that the drop caches logic below can work as documented */
986 if (syncfs(setup
.root_fd
) < 0)
987 log_debug_errno(errno
, "Failed to synchronize home directory, ignoring: %m");
989 log_info("Syncing completed.");
991 if (user_record_storage(h
) == USER_LUKS
)
992 (void) home_auto_shrink_luks(h
, &setup
, &cache
);
994 setup
.root_fd
= safe_close(setup
.root_fd
);
996 /* Now get rid of the bind mount, too */
997 r
= umount_verbose(LOG_ERR
, HOME_RUNTIME_WORK_DIR
, UMOUNT_NOFOLLOW
| (force
? MNT_FORCE
|MNT_DETACH
: 0));
1001 setup
.undo_mount
= false; /* Remember that the bind mount doesn't need to be unmounted anymore */
1003 if (user_record_drop_caches(h
))
1004 setup
.do_drop_caches
= true;
1006 log_info("Unmounting completed.");
1009 log_info("Directory %s is already unmounted.", user_record_home_directory(h
));
1011 if (user_record_storage(h
) == USER_LUKS
) {
1012 r
= home_deactivate_luks(h
, &setup
);
1019 /* Explicitly flush any per-user key from the keyring */
1020 (void) keyring_flush(h
);
1023 return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC
), "Home is not active.");
1025 if (setup
.do_drop_caches
) {
1026 setup
.do_drop_caches
= false;
1030 log_info("Everything completed.");
1034 static int copy_skel(int root_fd
, const char *skel
) {
1037 assert(root_fd
>= 0);
1039 r
= copy_tree_at(AT_FDCWD
, skel
, root_fd
, ".", UID_INVALID
, GID_INVALID
, COPY_MERGE
|COPY_REPLACE
, NULL
);
1041 log_info("Skeleton directory %s missing, ignoring.", skel
);
1045 return log_error_errno(r
, "Failed to copy in %s: %m", skel
);
1047 log_info("Copying in %s completed.", skel
);
1051 static int change_access_mode(int root_fd
, mode_t m
) {
1052 assert(root_fd
>= 0);
1054 if (fchmod(root_fd
, m
) < 0)
1055 return log_error_errno(errno
, "Failed to change access mode of top-level directory: %m");
1057 log_info("Changed top-level directory access mode to 0%o.", m
);
1061 int home_populate(UserRecord
*h
, int dir_fd
) {
1065 assert(dir_fd
>= 0);
1067 r
= copy_skel(dir_fd
, user_record_skeleton_directory(h
));
1071 r
= home_store_embedded_identity(h
, dir_fd
, h
->uid
, NULL
);
1075 r
= chown_recursive_directory(dir_fd
, h
->uid
);
1079 r
= change_access_mode(dir_fd
, user_record_access_mode(h
));
1086 static int user_record_compile_effective_passwords(
1088 PasswordCache
*cache
,
1089 char ***ret_effective_passwords
) {
1091 _cleanup_(strv_free_erasep
) char **effective
= NULL
;
1098 /* We insist on at least one classic hashed password to be defined in addition to any PKCS#11 one, as
1099 * a safe fallback, but also to simplify the password changing algorithm: there we require providing
1100 * the old literal password only (and do not care for the old PKCS#11 token) */
1102 if (strv_isempty(h
->hashed_password
))
1103 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1104 "User record has no hashed passwords, refusing.");
1106 /* Generates the list of plaintext passwords to propagate to LUKS/fscrypt devices, and checks whether
1107 * we have a plaintext password for each hashed one. If we are missing one we'll fail, since we
1108 * couldn't sync fscrypt/LUKS to the login account properly. */
1110 STRV_FOREACH(i
, h
->hashed_password
) {
1113 log_debug("Looking for plaintext password for: %s", *i
);
1115 /* Let's scan all provided plaintext passwords */
1116 STRV_FOREACH(j
, h
->password
) {
1117 r
= test_password_one(*i
, *j
);
1119 return log_error_errno(r
, "Failed to test plaintext password: %m");
1121 if (ret_effective_passwords
) {
1122 r
= strv_extend(&effective
, *j
);
1127 log_debug("Found literal plaintext password.");
1134 return log_error_errno(SYNTHETIC_ERRNO(ENOKEY
), "Missing plaintext password for defined hashed password");
1137 for (n
= 0; n
< h
->n_recovery_key
; n
++) {
1140 log_debug("Looking for plaintext recovery key for: %s", h
->recovery_key
[n
].hashed_password
);
1142 STRV_FOREACH(j
, h
->password
) {
1143 _cleanup_(erase_and_freep
) char *mangled
= NULL
;
1146 if (streq(h
->recovery_key
[n
].type
, "modhex64")) {
1148 r
= normalize_recovery_key(*j
, &mangled
);
1149 if (r
== -EINVAL
) /* Not properly formatted, probably a regular password. */
1152 return log_error_errno(r
, "Failed to normalize recovery key: %m");
1158 r
= test_password_one(h
->recovery_key
[n
].hashed_password
, p
);
1160 return log_error_errno(r
, "Failed to test plaintext recovery key: %m");
1162 if (ret_effective_passwords
) {
1163 r
= strv_extend(&effective
, p
);
1168 log_debug("Found plaintext recovery key.");
1175 return log_error_errno(SYNTHETIC_ERRNO(EREMOTEIO
), "Missing plaintext recovery key for defined recovery key");
1178 for (n
= 0; n
< h
->n_pkcs11_encrypted_key
; n
++) {
1180 _cleanup_(pkcs11_callback_data_release
) struct pkcs11_callback_data data
= {
1183 .encrypted_key
= h
->pkcs11_encrypted_key
+ n
,
1186 r
= pkcs11_find_token(data
.encrypted_key
->uri
, pkcs11_callback
, &data
);
1192 r
= test_password_one(data
.encrypted_key
->hashed_password
, data
.decrypted_password
);
1194 return log_error_errno(r
, "Failed to test PKCS#11 password: %m");
1196 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Decrypted password from token is not correct, refusing.");
1198 if (ret_effective_passwords
) {
1199 r
= strv_extend(&effective
, data
.decrypted_password
);
1204 r
= strv_extend(&cache
->pkcs11_passwords
, data
.decrypted_password
);
1212 for (n
= 0; n
< h
->n_fido2_hmac_salt
; n
++) {
1214 _cleanup_(erase_and_freep
) char *decrypted_password
= NULL
;
1216 r
= fido2_use_token(h
, h
, h
->fido2_hmac_salt
+ n
, &decrypted_password
);
1220 r
= test_password_one(h
->fido2_hmac_salt
[n
].hashed_password
, decrypted_password
);
1222 return log_error_errno(r
, "Failed to test FIDO2 password: %m");
1224 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Decrypted password from token is not correct, refusing.");
1226 if (ret_effective_passwords
) {
1227 r
= strv_extend(&effective
, decrypted_password
);
1232 r
= strv_extend(&cache
->fido2_passwords
, decrypted_password
);
1240 if (ret_effective_passwords
)
1241 *ret_effective_passwords
= TAKE_PTR(effective
);
1246 static int determine_default_storage(UserStorage
*ret
) {
1247 UserStorage storage
= _USER_STORAGE_INVALID
;
1253 /* homed tells us via an environment variable which default storage to use */
1254 e
= getenv("SYSTEMD_HOME_DEFAULT_STORAGE");
1256 storage
= user_storage_from_string(e
);
1258 log_warning("$SYSTEMD_HOME_DEFAULT_STORAGE set to invalid storage type, ignoring: %s", e
);
1260 log_info("Using configured default storage '%s'.", user_storage_to_string(storage
));
1266 /* When neither user nor admin specified the storage type to use, fix it to be LUKS — unless we run
1267 * in a container where loopback devices and LUKS/DM are not available. Also, if /home is encrypted
1268 * anyway, let's avoid duplicate encryption. Note that we typically default to the assumption of
1269 * "classic" storage for most operations. However, if we create a new home, then let's user LUKS if
1270 * nothing is specified. */
1272 r
= detect_container();
1274 return log_error_errno(r
, "Failed to determine whether we are in a container: %m");
1276 r
= path_is_encrypted(get_home_root());
1278 log_info("%s is encrypted, not using '%s' storage, in order to avoid double encryption.", get_home_root(), user_storage_to_string(USER_LUKS
));
1281 log_warning_errno(r
, "Failed to determine if %s is encrypted, ignoring: %m", get_home_root());
1283 r
= dlopen_cryptsetup();
1285 log_info("Not using '%s' storage, since libcryptsetup could not be loaded.", user_storage_to_string(USER_LUKS
));
1287 log_info("Using automatic default storage of '%s'.", user_storage_to_string(USER_LUKS
));
1293 log_info("Running in container, not using '%s' storage.", user_storage_to_string(USER_LUKS
));
1295 r
= path_is_fs_type(get_home_root(), BTRFS_SUPER_MAGIC
);
1297 log_warning_errno(r
, "Failed to determine file system of %s, ignoring: %m", get_home_root());
1299 log_info("%s is on btrfs, using '%s' as storage.", get_home_root(), user_storage_to_string(USER_SUBVOLUME
));
1300 *ret
= USER_SUBVOLUME
;
1302 log_info("%s is on simple file system, using '%s' as storage.", get_home_root(), user_storage_to_string(USER_DIRECTORY
));
1303 *ret
= USER_DIRECTORY
;
1309 static int home_create(UserRecord
*h
, UserRecord
**ret_home
) {
1310 _cleanup_(strv_free_erasep
) char **effective_passwords
= NULL
;
1311 _cleanup_(home_setup_done
) HomeSetup setup
= HOME_SETUP_INIT
;
1312 _cleanup_(user_record_unrefp
) UserRecord
*new_home
= NULL
;
1313 _cleanup_(password_cache_free
) PasswordCache cache
= {};
1314 UserStorage new_storage
= _USER_STORAGE_INVALID
;
1315 const char *new_fs
= NULL
;
1321 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record lacks name, refusing.");
1322 if (!uid_is_valid(h
->uid
))
1323 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record lacks UID, refusing.");
1325 r
= user_record_compile_effective_passwords(h
, &cache
, &effective_passwords
);
1329 r
= user_record_test_home_directory_and_warn(h
);
1332 if (r
!= USER_TEST_ABSENT
)
1333 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
), "Home directory %s already exists, refusing.", user_record_home_directory(h
));
1335 if (h
->storage
< 0) {
1336 r
= determine_default_storage(&new_storage
);
1341 if ((h
->storage
== USER_LUKS
||
1342 (h
->storage
< 0 && new_storage
== USER_LUKS
)) &&
1343 !h
->file_system_type
)
1344 new_fs
= getenv("SYSTEMD_HOME_DEFAULT_FILE_SYSTEM_TYPE");
1346 if (new_storage
>= 0 || new_fs
) {
1347 r
= user_record_add_binding(
1362 return log_error_errno(r
, "Failed to change storage type to LUKS: %m");
1365 r
= user_record_test_image_path_and_warn(h
);
1368 if (!IN_SET(r
, USER_TEST_ABSENT
, USER_TEST_UNDEFINED
, USER_TEST_MAYBE
))
1369 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
), "Image path %s already exists, refusing.", user_record_image_path(h
));
1371 switch (user_record_storage(h
)) {
1374 r
= home_create_luks(h
, &setup
, &cache
, effective_passwords
, &new_home
);
1377 case USER_DIRECTORY
:
1378 case USER_SUBVOLUME
:
1379 r
= home_create_directory_or_subvolume(h
, &setup
, &new_home
);
1383 r
= home_create_fscrypt(h
, &setup
, effective_passwords
, &new_home
);
1387 r
= home_create_cifs(h
, &setup
, &new_home
);
1391 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY
),
1392 "Creating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
1397 if (user_record_equal(h
, new_home
)) {
1402 *ret_home
= TAKE_PTR(new_home
);
1406 static int home_remove(UserRecord
*h
) {
1407 bool deleted
= false;
1408 const char *ip
, *hd
;
1414 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record lacks user name, refusing.");
1415 if (!IN_SET(user_record_storage(h
), USER_LUKS
, USER_DIRECTORY
, USER_SUBVOLUME
, USER_FSCRYPT
, USER_CIFS
))
1416 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY
), "Removing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
1418 hd
= user_record_home_directory(h
);
1420 r
= user_record_test_home_directory_and_warn(h
);
1423 if (r
== USER_TEST_MOUNTED
)
1424 return log_error_errno(SYNTHETIC_ERRNO(EBUSY
), "Directory %s is still mounted, refusing.", hd
);
1428 r
= user_record_test_image_path_and_warn(h
);
1432 ip
= user_record_image_path(h
);
1434 switch (user_record_storage(h
)) {
1441 if (stat(ip
, &st
) < 0) {
1442 if (errno
!= ENOENT
)
1443 return log_error_errno(errno
, "Failed to stat() %s: %m", ip
);
1446 if (S_ISREG(st
.st_mode
)) {
1447 if (unlink(ip
) < 0) {
1448 if (errno
!= ENOENT
)
1449 return log_error_errno(errno
, "Failed to remove %s: %m", ip
);
1451 _cleanup_free_
char *parent
= NULL
;
1455 r
= path_extract_directory(ip
, &parent
);
1457 log_debug_errno(r
, "Failed to determine parent directory of '%s': %m", ip
);
1459 r
= fsync_path_at(AT_FDCWD
, parent
);
1461 log_debug_errno(r
, "Failed to synchronize disk after deleting '%s', ignoring: %m", ip
);
1465 } else if (S_ISBLK(st
.st_mode
))
1466 log_info("Not removing file system on block device %s.", ip
);
1468 return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK
), "Image file %s is neither block device, nor regular, refusing removal.", ip
);
1474 case USER_SUBVOLUME
:
1475 case USER_DIRECTORY
:
1479 r
= rm_rf(ip
, REMOVE_ROOT
|REMOVE_PHYSICAL
|REMOVE_SUBVOLUME
|REMOVE_SYNCFS
);
1482 return log_warning_errno(r
, "Failed to remove %s: %m", ip
);
1486 /* If the image path and the home directory are the same invalidate the home directory, so
1487 * that we don't remove it anymore */
1488 if (path_equal(ip
, hd
))
1494 /* Nothing else to do here: we won't remove remote stuff. */
1495 log_info("Not removing home directory on remote server.");
1499 assert_not_reached();
1503 if (rmdir(hd
) < 0) {
1504 if (errno
!= ENOENT
)
1505 return log_error_errno(errno
, "Failed to remove %s, ignoring: %m", hd
);
1511 if (user_record_drop_caches(h
))
1514 log_info("Everything completed.");
1516 return log_notice_errno(SYNTHETIC_ERRNO(EALREADY
),
1517 "Nothing to remove.");
1522 static int home_validate_update(UserRecord
*h
, HomeSetup
*setup
, HomeSetupFlags
*flags
) {
1523 bool has_mount
= false;
1530 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record lacks user name, refusing.");
1531 if (!uid_is_valid(h
->uid
))
1532 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record lacks UID, refusing.");
1533 if (!IN_SET(user_record_storage(h
), USER_LUKS
, USER_DIRECTORY
, USER_SUBVOLUME
, USER_FSCRYPT
, USER_CIFS
))
1534 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY
), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
1536 r
= user_record_test_home_directory_and_warn(h
);
1540 has_mount
= r
== USER_TEST_MOUNTED
;
1542 r
= user_record_test_image_path_and_warn(h
);
1545 if (r
== USER_TEST_ABSENT
)
1546 return log_error_errno(SYNTHETIC_ERRNO(ENOENT
), "Image path %s does not exist", user_record_image_path(h
));
1548 switch (user_record_storage(h
)) {
1550 case USER_DIRECTORY
:
1551 case USER_SUBVOLUME
:
1557 r
= home_get_state_luks(h
, setup
);
1560 if ((r
> 0) != has_mount
)
1561 return log_error_errno(SYNTHETIC_ERRNO(EBUSY
), "Home mount incompletely set up.");
1567 assert_not_reached();
1571 SET_FLAG(*flags
, HOME_SETUP_ALREADY_ACTIVATED
, has_mount
);
1573 return has_mount
; /* return true if the home record is already active */
1576 static int home_update(UserRecord
*h
, UserRecord
**ret
) {
1577 _cleanup_(user_record_unrefp
) UserRecord
*new_home
= NULL
, *header_home
= NULL
, *embedded_home
= NULL
;
1578 _cleanup_(home_setup_done
) HomeSetup setup
= HOME_SETUP_INIT
;
1579 _cleanup_(password_cache_free
) PasswordCache cache
= {};
1580 HomeSetupFlags flags
= 0;
1586 r
= user_record_authenticate(h
, h
, &cache
, /* strict_verify= */ true);
1589 assert(r
> 0); /* Insist that a password was verified */
1591 r
= home_validate_update(h
, &setup
, &flags
);
1595 r
= home_setup(h
, flags
, &setup
, &cache
, &header_home
);
1599 r
= home_load_embedded_identity(h
, setup
.root_fd
, header_home
, USER_RECONCILE_REQUIRE_NEWER
, &cache
, &embedded_home
, &new_home
);
1603 r
= home_maybe_shift_uid(h
, flags
, &setup
);
1607 r
= home_store_header_identity_luks(new_home
, &setup
, header_home
);
1611 r
= home_store_embedded_identity(new_home
, setup
.root_fd
, h
->uid
, embedded_home
);
1615 r
= home_extend_embedded_identity(new_home
, h
, &setup
);
1619 r
= home_sync_and_statfs(setup
.root_fd
, NULL
);
1623 r
= home_setup_done(&setup
);
1627 log_info("Everything completed.");
1629 *ret
= TAKE_PTR(new_home
);
1633 static int home_resize(UserRecord
*h
, bool automatic
, UserRecord
**ret
) {
1634 _cleanup_(home_setup_done
) HomeSetup setup
= HOME_SETUP_INIT
;
1635 _cleanup_(password_cache_free
) PasswordCache cache
= {};
1636 HomeSetupFlags flags
= 0;
1642 if (h
->disk_size
== UINT64_MAX
)
1643 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "No target size specified, refusing.");
1646 /* In automatic mode don't want to ask the user for the password, hence load it from the kernel keyring */
1647 password_cache_load_keyring(h
, &cache
);
1649 /* In manual mode let's ensure the user is fully authenticated */
1650 r
= user_record_authenticate(h
, h
, &cache
, /* strict_verify= */ true);
1653 assert(r
> 0); /* Insist that a password was verified */
1656 r
= home_validate_update(h
, &setup
, &flags
);
1660 /* In automatic mode let's skip syncing identities, because we can't validate them, since we can't
1661 * ask the user for reauthentication */
1663 flags
|= HOME_SETUP_RESIZE_DONT_SYNC_IDENTITIES
;
1665 switch (user_record_storage(h
)) {
1668 return home_resize_luks(h
, flags
, &setup
, &cache
, ret
);
1670 case USER_DIRECTORY
:
1671 case USER_SUBVOLUME
:
1673 return home_resize_directory(h
, flags
, &setup
, &cache
, ret
);
1676 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY
), "Resizing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
1680 static int home_passwd(UserRecord
*h
, UserRecord
**ret_home
) {
1681 _cleanup_(user_record_unrefp
) UserRecord
*header_home
= NULL
, *embedded_home
= NULL
, *new_home
= NULL
;
1682 _cleanup_(strv_free_erasep
) char **effective_passwords
= NULL
;
1683 _cleanup_(home_setup_done
) HomeSetup setup
= HOME_SETUP_INIT
;
1684 _cleanup_(password_cache_free
) PasswordCache cache
= {};
1685 HomeSetupFlags flags
= 0;
1691 if (!IN_SET(user_record_storage(h
), USER_LUKS
, USER_DIRECTORY
, USER_SUBVOLUME
, USER_FSCRYPT
))
1692 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY
), "Changing password of home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
1694 r
= user_record_compile_effective_passwords(h
, &cache
, &effective_passwords
);
1698 r
= home_validate_update(h
, &setup
, &flags
);
1702 r
= home_setup(h
, flags
, &setup
, &cache
, &header_home
);
1706 r
= home_load_embedded_identity(h
, setup
.root_fd
, header_home
, USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL
, &cache
, &embedded_home
, &new_home
);
1710 r
= home_maybe_shift_uid(h
, flags
, &setup
);
1714 switch (user_record_storage(h
)) {
1717 r
= home_passwd_luks(h
, flags
, &setup
, &cache
, effective_passwords
);
1723 r
= home_passwd_fscrypt(h
, &setup
, &cache
, effective_passwords
);
1732 r
= home_store_header_identity_luks(new_home
, &setup
, header_home
);
1736 r
= home_store_embedded_identity(new_home
, setup
.root_fd
, h
->uid
, embedded_home
);
1740 r
= home_extend_embedded_identity(new_home
, h
, &setup
);
1744 r
= home_sync_and_statfs(setup
.root_fd
, NULL
);
1748 r
= home_setup_done(&setup
);
1752 log_info("Everything completed.");
1754 *ret_home
= TAKE_PTR(new_home
);
1758 static int home_inspect(UserRecord
*h
, UserRecord
**ret_home
) {
1759 _cleanup_(user_record_unrefp
) UserRecord
*header_home
= NULL
, *new_home
= NULL
;
1760 _cleanup_(home_setup_done
) HomeSetup setup
= HOME_SETUP_INIT
;
1761 _cleanup_(password_cache_free
) PasswordCache cache
= {};
1762 HomeSetupFlags flags
= 0;
1768 r
= user_record_authenticate(h
, h
, &cache
, /* strict_verify= */ false);
1772 r
= home_validate_update(h
, &setup
, &flags
);
1776 r
= home_setup(h
, flags
, &setup
, &cache
, &header_home
);
1780 r
= home_load_embedded_identity(h
, setup
.root_fd
, header_home
, USER_RECONCILE_ANY
, &cache
, NULL
, &new_home
);
1784 r
= home_extend_embedded_identity(new_home
, h
, &setup
);
1788 r
= home_setup_done(&setup
);
1792 log_info("Everything completed.");
1794 *ret_home
= TAKE_PTR(new_home
);
1798 static int home_lock(UserRecord
*h
) {
1799 _cleanup_(home_setup_done
) HomeSetup setup
= HOME_SETUP_INIT
;
1805 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record incomplete, refusing.");
1806 if (user_record_storage(h
) != USER_LUKS
)
1807 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY
), "Locking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
1809 r
= user_record_test_home_directory_and_warn(h
);
1812 if (r
!= USER_TEST_MOUNTED
)
1813 return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC
), "Home directory of %s is not mounted, can't lock.", h
->user_name
);
1815 r
= home_lock_luks(h
, &setup
);
1819 log_info("Everything completed.");
1823 static int home_unlock(UserRecord
*h
) {
1824 _cleanup_(home_setup_done
) HomeSetup setup
= HOME_SETUP_INIT
;
1825 _cleanup_(password_cache_free
) PasswordCache cache
= {};
1831 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "User record incomplete, refusing.");
1832 if (user_record_storage(h
) != USER_LUKS
)
1833 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY
), "Unlocking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h
)));
1835 /* Note that we don't check if $HOME is actually mounted, since we want to avoid disk accesses on
1836 * that mount until we have resumed the device. */
1838 r
= user_record_authenticate(h
, h
, &cache
, /* strict_verify= */ false);
1842 r
= home_unlock_luks(h
, &setup
, &cache
);
1846 log_info("Everything completed.");
1850 static int run(int argc
, char *argv
[]) {
1851 _cleanup_(user_record_unrefp
) UserRecord
*home
= NULL
, *new_home
= NULL
;
1852 _cleanup_(json_variant_unrefp
) JsonVariant
*v
= NULL
;
1853 _cleanup_(fclosep
) FILE *opened_file
= NULL
;
1854 unsigned line
= 0, column
= 0;
1855 const char *json_path
= NULL
;
1860 start
= now(CLOCK_MONOTONIC
);
1864 cryptsetup_enable_logging(NULL
);
1868 if (argc
< 2 || argc
> 3)
1869 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "This program takes one or two arguments.");
1872 json_path
= argv
[2];
1874 opened_file
= fopen(json_path
, "re");
1876 return log_error_errno(errno
, "Failed to open %s: %m", json_path
);
1878 json_file
= opened_file
;
1880 json_path
= "<stdin>";
1884 r
= json_parse_file(json_file
, json_path
, JSON_PARSE_SENSITIVE
, &v
, &line
, &column
);
1886 return log_error_errno(r
, "[%s:%u:%u] Failed to parse JSON data: %m", json_path
, line
, column
);
1888 home
= user_record_new();
1892 r
= user_record_load(home
, v
, USER_RECORD_LOAD_FULL
|USER_RECORD_LOG
|USER_RECORD_PERMISSIVE
);
1896 /* Well known return values of these operations, that systemd-homed knows and converts to proper D-Bus errors:
1898 * EMSGSIZE → file systems of this type cannot be shrunk
1899 * ETXTBSY → file systems of this type can only be shrunk offline
1900 * ERANGE → file system size too small
1901 * ENOLINK → system does not support selected storage backend
1902 * EPROTONOSUPPORT → system does not support selected file system
1903 * ENOTTY → operation not support on this storage
1904 * ESOCKTNOSUPPORT → operation not support on this file system
1905 * ENOKEY → password incorrect (or not sufficient, or not supplied)
1906 * EREMOTEIO → recovery key incorrect (or not sufficeint, or not supplied — only if no passwords defined)
1907 * EBADSLT → similar, but PKCS#11 device is defined and might be able to provide password, if it was plugged in which it is not
1908 * ENOANO → suitable PKCS#11/FIDO2 device found, but PIN is missing to unlock it
1909 * ERFKILL → suitable PKCS#11 device found, but OK to ask for on-device interactive authentication not given
1910 * EMEDIUMTYPE → suitable FIDO2 device found, but OK to ask for user presence not given
1911 * ENOCSI → suitable FIDO2 device found, but OK to ask for user verification not given
1912 * ENOSTR → suitable FIDO2 device found, but user didn't react to action request on token quickly enough
1913 * EOWNERDEAD → suitable PKCS#11/FIDO2 device found, but its PIN is locked
1914 * ENOLCK → suitable PKCS#11/FIDO2 device found, but PIN incorrect
1915 * ETOOMANYREFS → suitable PKCS#11 device found, but PIN incorrect, and only few tries left
1916 * EUCLEAN → suitable PKCS#11 device found, but PIN incorrect, and only one try left
1917 * EBUSY → file system is currently active
1918 * ENOEXEC → file system is currently not active
1919 * ENOSPC → not enough disk space for operation
1920 * EKEYREVOKED → user record has not suitable hashed password or pkcs#11 entry, we cannot authenticate
1921 * EADDRINUSE → home image is already used elsewhere (lock taken)
1924 if (streq(argv
[1], "activate"))
1925 r
= home_activate(home
, &new_home
);
1926 else if (streq(argv
[1], "deactivate"))
1927 r
= home_deactivate(home
, false);
1928 else if (streq(argv
[1], "deactivate-force"))
1929 r
= home_deactivate(home
, true);
1930 else if (streq(argv
[1], "create"))
1931 r
= home_create(home
, &new_home
);
1932 else if (streq(argv
[1], "remove"))
1933 r
= home_remove(home
);
1934 else if (streq(argv
[1], "update"))
1935 r
= home_update(home
, &new_home
);
1936 else if (streq(argv
[1], "resize")) /* Resize on user request */
1937 r
= home_resize(home
, false, &new_home
);
1938 else if (streq(argv
[1], "resize-auto")) /* Automatic resize */
1939 r
= home_resize(home
, true, &new_home
);
1940 else if (streq(argv
[1], "passwd"))
1941 r
= home_passwd(home
, &new_home
);
1942 else if (streq(argv
[1], "inspect"))
1943 r
= home_inspect(home
, &new_home
);
1944 else if (streq(argv
[1], "lock"))
1945 r
= home_lock(home
);
1946 else if (streq(argv
[1], "unlock"))
1947 r
= home_unlock(home
);
1949 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Unknown verb '%s'.", argv
[1]);
1950 if (IN_SET(r
, -ENOKEY
, -EREMOTEIO
) && !strv_isempty(home
->password
) ) { /* There were passwords specified but they were incorrect */
1953 /* Make sure bad password replies always take at least 3s, and if longer multiples of 3s, so
1954 * that it's not clear how long we actually needed for our calculations. */
1955 n
= now(CLOCK_MONOTONIC
);
1958 d
= usec_sub_unsigned(n
, start
);
1959 if (d
> BAD_PASSWORD_DELAY_USEC
)
1960 end
= start
+ DIV_ROUND_UP(d
, BAD_PASSWORD_DELAY_USEC
) * BAD_PASSWORD_DELAY_USEC
;
1962 end
= start
+ BAD_PASSWORD_DELAY_USEC
;
1965 (void) usleep(usec_sub_unsigned(end
, n
));
1970 /* We always pass the new record back, regardless if it changed or not. This allows our caller to
1971 * prepare a fresh record, send to us, and only if it works use it without having to keep a local
1974 json_variant_dump(new_home
->json
, JSON_FORMAT_NEWLINE
, stdout
, NULL
);
1979 DEFINE_MAIN_FUNCTION(run
);