]>
Commit | Line | Data |
---|---|---|
70a5db58 LP |
1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
2 | ||
3 | #include <stddef.h> | |
4 | #include <sys/mount.h> | |
5 | ||
6 | #include "chown-recursive.h" | |
7 | #include "copy.h" | |
8 | #include "fd-util.h" | |
9 | #include "fileio.h" | |
10 | #include "home-util.h" | |
11 | #include "homework-cifs.h" | |
12 | #include "homework-directory.h" | |
13 | #include "homework-fscrypt.h" | |
14 | #include "homework-luks.h" | |
15 | #include "homework-mount.h" | |
16 | #include "homework-pkcs11.h" | |
17 | #include "homework.h" | |
18 | #include "main-func.h" | |
19 | #include "memory-util.h" | |
20 | #include "missing_magic.h" | |
21 | #include "mount-util.h" | |
22 | #include "path-util.h" | |
23 | #include "pkcs11-util.h" | |
24 | #include "rm-rf.h" | |
25 | #include "stat-util.h" | |
26 | #include "strv.h" | |
27 | #include "tmpfile-util.h" | |
28 | #include "user-util.h" | |
29 | #include "virt.h" | |
30 | ||
31 | /* Make sure a bad password always results in a 3s delay, no matter what */ | |
32 | #define BAD_PASSWORD_DELAY_USEC (3 * USEC_PER_SEC) | |
33 | ||
34 | int user_record_authenticate( | |
35 | UserRecord *h, | |
36 | UserRecord *secret, | |
37 | char ***pkcs11_decrypted_passwords) { | |
38 | ||
39 | bool need_password = false, need_token = false, need_pin = false, need_protected_authentication_path_permitted = false, | |
40 | pin_locked = false, pin_incorrect = false, pin_incorrect_few_tries_left = false, pin_incorrect_one_try_left = false; | |
70a5db58 LP |
41 | int r; |
42 | ||
43 | assert(h); | |
44 | assert(secret); | |
45 | ||
46 | /* Tries to authenticate a user record with the supplied secrets. i.e. checks whether at least one | |
47 | * supplied plaintext passwords matches a hashed password field of the user record. Or if a | |
48 | * configured PKCS#11 token is around and can unlock the record. | |
49 | * | |
50 | * Note that the pkcs11_decrypted_passwords parameter is both an input and and output parameter: it | |
51 | * is a list of configured, decrypted PKCS#11 passwords. We typically have to call this function | |
52 | * multiple times over the course of an operation (think: on login we authenticate the host user | |
53 | * record, the record embedded in the LUKS record and the one embedded in $HOME). Hence we keep a | |
54 | * list of passwords we already decrypted, so that we don't have to do the (slow an potentially | |
55 | * interactive) PKCS#11 dance for the relevant token again and again. */ | |
56 | ||
57 | /* First, let's see if the supplied plain-text passwords work? */ | |
58 | r = user_record_test_secret(h, secret); | |
59 | if (r == -ENOKEY) { | |
60 | log_info_errno(r, "None of the supplied plaintext passwords unlocks the user record's hashed passwords."); | |
61 | need_password = true; | |
62 | } else if (r == -ENXIO) | |
63 | log_debug_errno(r, "User record has no hashed passwords, plaintext passwords not tested."); | |
64 | else if (r < 0) | |
65 | return log_error_errno(r, "Failed to validate password of record: %m"); | |
66 | else { | |
67 | log_info("Provided password unlocks user record."); | |
68 | return 0; | |
69 | } | |
70 | ||
71 | /* Second, let's see if any of the PKCS#11 security tokens are plugged in and help us */ | |
3aeea37d | 72 | for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++) { |
70a5db58 LP |
73 | #if HAVE_P11KIT |
74 | _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = { | |
75 | .user_record = h, | |
76 | .secret = secret, | |
77 | .encrypted_key = h->pkcs11_encrypted_key + n, | |
78 | }; | |
79 | char **pp; | |
80 | ||
81 | /* See if any of the previously calculated passwords work */ | |
82 | STRV_FOREACH(pp, *pkcs11_decrypted_passwords) { | |
83 | r = test_password_one(data.encrypted_key->hashed_password, *pp); | |
84 | if (r < 0) | |
85 | return log_error_errno(r, "Failed to check supplied PKCS#11 password: %m"); | |
86 | if (r > 0) { | |
87 | log_info("Previously acquired PKCS#11 password unlocks user record."); | |
88 | return 0; | |
89 | } | |
90 | } | |
91 | ||
92 | r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data); | |
93 | switch (r) { | |
94 | case -EAGAIN: | |
95 | need_token = true; | |
96 | break; | |
97 | case -ENOANO: | |
98 | need_pin = true; | |
99 | break; | |
100 | case -ERFKILL: | |
101 | need_protected_authentication_path_permitted = true; | |
102 | break; | |
103 | case -EOWNERDEAD: | |
104 | pin_locked = true; | |
105 | break; | |
106 | case -ENOLCK: | |
107 | pin_incorrect = true; | |
108 | break; | |
109 | case -ETOOMANYREFS: | |
110 | pin_incorrect = pin_incorrect_few_tries_left = true; | |
111 | break; | |
112 | case -EUCLEAN: | |
113 | pin_incorrect = pin_incorrect_few_tries_left = pin_incorrect_one_try_left = true; | |
114 | break; | |
115 | default: | |
116 | if (r < 0) | |
117 | return r; | |
118 | ||
119 | r = test_password_one(data.encrypted_key->hashed_password, data.decrypted_password); | |
120 | if (r < 0) | |
121 | return log_error_errno(r, "Failed to test PKCS#11 password: %m"); | |
122 | if (r == 0) | |
123 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured PKCS#11 security token %s does not decrypt encrypted key correctly.", data.encrypted_key->uri); | |
124 | ||
125 | log_info("Decrypted password from PKCS#11 security token %s unlocks user record.", data.encrypted_key->uri); | |
126 | ||
127 | r = strv_extend(pkcs11_decrypted_passwords, data.decrypted_password); | |
128 | if (r < 0) | |
129 | return log_oom(); | |
130 | ||
131 | return 0; | |
132 | } | |
133 | #else | |
134 | need_token = true; | |
135 | break; | |
136 | #endif | |
137 | } | |
138 | ||
139 | /* Ordered by "relevance", i.e. the most "important" or "interesting" error condition is returned. */ | |
140 | if (pin_incorrect_one_try_left) | |
141 | return -EUCLEAN; | |
142 | if (pin_incorrect_few_tries_left) | |
143 | return -ETOOMANYREFS; | |
144 | if (pin_incorrect) | |
145 | return -ENOLCK; | |
146 | if (pin_locked) | |
147 | return -EOWNERDEAD; | |
148 | if (need_protected_authentication_path_permitted) | |
149 | return -ERFKILL; | |
150 | if (need_pin) | |
151 | return -ENOANO; | |
152 | if (need_token) | |
153 | return -EBADSLT; | |
154 | if (need_password) | |
155 | return -ENOKEY; | |
156 | ||
157 | /* Hmm, this means neither PCKS#11 nor classic hashed passwords were supplied, we cannot authenticate this reasonably */ | |
158 | return log_debug_errno(SYNTHETIC_ERRNO(EKEYREVOKED), "No hashed passwords and no PKCS#11 tokens defined, cannot authenticate user record."); | |
159 | } | |
160 | ||
161 | int home_setup_undo(HomeSetup *setup) { | |
162 | int r = 0, q; | |
163 | ||
164 | assert(setup); | |
165 | ||
166 | setup->root_fd = safe_close(setup->root_fd); | |
167 | ||
168 | if (setup->undo_mount) { | |
169 | q = umount_verbose("/run/systemd/user-home-mount"); | |
170 | if (q < 0) | |
171 | r = q; | |
172 | } | |
173 | ||
174 | if (setup->undo_dm && setup->crypt_device && setup->dm_name) { | |
175 | q = crypt_deactivate(setup->crypt_device, setup->dm_name); | |
176 | if (q < 0) | |
177 | r = q; | |
178 | } | |
179 | ||
180 | setup->undo_mount = false; | |
181 | setup->undo_dm = false; | |
182 | ||
183 | setup->dm_name = mfree(setup->dm_name); | |
184 | setup->dm_node = mfree(setup->dm_node); | |
185 | ||
186 | setup->loop = loop_device_unref(setup->loop); | |
187 | crypt_free(setup->crypt_device); | |
188 | setup->crypt_device = NULL; | |
189 | ||
190 | explicit_bzero_safe(setup->volume_key, setup->volume_key_size); | |
191 | setup->volume_key = mfree(setup->volume_key); | |
192 | setup->volume_key_size = 0; | |
193 | ||
194 | return r; | |
195 | } | |
196 | ||
197 | int home_prepare( | |
198 | UserRecord *h, | |
199 | bool already_activated, | |
200 | char ***pkcs11_decrypted_passwords, | |
201 | HomeSetup *setup, | |
202 | UserRecord **ret_header_home) { | |
203 | ||
204 | int r; | |
205 | ||
206 | assert(h); | |
207 | assert(setup); | |
208 | assert(!setup->loop); | |
209 | assert(!setup->crypt_device); | |
210 | assert(setup->root_fd < 0); | |
211 | assert(!setup->undo_dm); | |
212 | assert(!setup->undo_mount); | |
213 | ||
214 | /* Makes a home directory accessible (through the root_fd file descriptor, not by path!). */ | |
215 | ||
216 | switch (user_record_storage(h)) { | |
217 | ||
218 | case USER_LUKS: | |
219 | return home_prepare_luks(h, already_activated, NULL, pkcs11_decrypted_passwords, setup, ret_header_home); | |
220 | ||
221 | case USER_SUBVOLUME: | |
222 | case USER_DIRECTORY: | |
223 | r = home_prepare_directory(h, already_activated, setup); | |
224 | break; | |
225 | ||
226 | case USER_FSCRYPT: | |
227 | r = home_prepare_fscrypt(h, already_activated, pkcs11_decrypted_passwords, setup); | |
228 | break; | |
229 | ||
230 | case USER_CIFS: | |
231 | r = home_prepare_cifs(h, already_activated, setup); | |
232 | break; | |
233 | ||
234 | default: | |
235 | return log_error_errno(SYNTHETIC_ERRNO(ENOLINK), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
236 | } | |
237 | ||
238 | if (r < 0) | |
239 | return r; | |
240 | ||
241 | if (ret_header_home) | |
242 | *ret_header_home = NULL; | |
243 | ||
244 | return r; | |
245 | } | |
246 | ||
247 | int home_sync_and_statfs(int root_fd, struct statfs *ret) { | |
248 | assert(root_fd >= 0); | |
249 | ||
250 | /* Let's sync this to disk, so that the disk space reported by fstatfs() below is accurate (for file | |
251 | * systems such as btrfs where this is determined lazily). */ | |
252 | ||
253 | if (syncfs(root_fd) < 0) | |
254 | return log_error_errno(errno, "Failed to synchronize file system: %m"); | |
255 | ||
256 | if (ret) | |
257 | if (fstatfs(root_fd, ret) < 0) | |
258 | return log_error_errno(errno, "Failed to statfs() file system: %m"); | |
259 | ||
260 | log_info("Synchronized disk."); | |
261 | ||
262 | return 0; | |
263 | } | |
264 | ||
265 | static int read_identity_file(int root_fd, JsonVariant **ret) { | |
266 | _cleanup_(fclosep) FILE *identity_file = NULL; | |
267 | _cleanup_close_ int identity_fd = -1; | |
268 | unsigned line, column; | |
269 | int r; | |
270 | ||
271 | assert(root_fd >= 0); | |
272 | assert(ret); | |
273 | ||
274 | identity_fd = openat(root_fd, ".identity", O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK); | |
275 | if (identity_fd < 0) | |
276 | return log_error_errno(errno, "Failed to open .identity file in home directory: %m"); | |
277 | ||
278 | r = fd_verify_regular(identity_fd); | |
279 | if (r < 0) | |
280 | return log_error_errno(r, "Embedded identity file is not a regular file, refusing: %m"); | |
281 | ||
4fa744a3 | 282 | identity_file = take_fdopen(&identity_fd, "r"); |
70a5db58 LP |
283 | if (!identity_file) |
284 | return log_oom(); | |
285 | ||
70a5db58 LP |
286 | r = json_parse_file(identity_file, ".identity", JSON_PARSE_SENSITIVE, ret, &line, &column); |
287 | if (r < 0) | |
288 | return log_error_errno(r, "[.identity:%u:%u] Failed to parse JSON data: %m", line, column); | |
289 | ||
290 | log_info("Read embedded .identity file."); | |
291 | ||
292 | return 0; | |
293 | } | |
294 | ||
295 | static int write_identity_file(int root_fd, JsonVariant *v, uid_t uid) { | |
296 | _cleanup_(json_variant_unrefp) JsonVariant *normalized = NULL; | |
297 | _cleanup_(fclosep) FILE *identity_file = NULL; | |
298 | _cleanup_close_ int identity_fd = -1; | |
299 | _cleanup_free_ char *fn = NULL; | |
300 | int r; | |
301 | ||
302 | assert(root_fd >= 0); | |
303 | assert(v); | |
304 | ||
305 | normalized = json_variant_ref(v); | |
306 | ||
307 | r = json_variant_normalize(&normalized); | |
308 | if (r < 0) | |
309 | log_warning_errno(r, "Failed to normalize user record, ignoring: %m"); | |
310 | ||
311 | r = tempfn_random(".identity", NULL, &fn); | |
312 | if (r < 0) | |
313 | return r; | |
314 | ||
315 | identity_fd = openat(root_fd, fn, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600); | |
316 | if (identity_fd < 0) | |
317 | return log_error_errno(errno, "Failed to create .identity file in home directory: %m"); | |
318 | ||
4fa744a3 | 319 | identity_file = take_fdopen(&identity_fd, "w"); |
70a5db58 LP |
320 | if (!identity_file) { |
321 | r = log_oom(); | |
322 | goto fail; | |
323 | } | |
324 | ||
70a5db58 LP |
325 | json_variant_dump(normalized, JSON_FORMAT_PRETTY, identity_file, NULL); |
326 | ||
327 | r = fflush_and_check(identity_file); | |
328 | if (r < 0) { | |
329 | log_error_errno(r, "Failed to write .identity file: %m"); | |
330 | goto fail; | |
331 | } | |
332 | ||
333 | if (fchown(fileno(identity_file), uid, uid) < 0) { | |
334 | log_error_errno(r, "Failed to change ownership of identity file: %m"); | |
335 | goto fail; | |
336 | } | |
337 | ||
338 | if (renameat(root_fd, fn, root_fd, ".identity") < 0) { | |
339 | r = log_error_errno(errno, "Failed to move identity file into place: %m"); | |
340 | goto fail; | |
341 | } | |
342 | ||
343 | log_info("Wrote embedded .identity file."); | |
344 | ||
345 | return 0; | |
346 | ||
347 | fail: | |
348 | (void) unlinkat(root_fd, fn, 0); | |
349 | return r; | |
350 | } | |
351 | ||
352 | int home_load_embedded_identity( | |
353 | UserRecord *h, | |
354 | int root_fd, | |
355 | UserRecord *header_home, | |
356 | UserReconcileMode mode, | |
357 | char ***pkcs11_decrypted_passwords, | |
358 | UserRecord **ret_embedded_home, | |
359 | UserRecord **ret_new_home) { | |
360 | ||
361 | _cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *intermediate_home = NULL, *new_home = NULL; | |
362 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
363 | int r; | |
364 | ||
365 | assert(h); | |
366 | assert(root_fd >= 0); | |
367 | ||
368 | r = read_identity_file(root_fd, &v); | |
369 | if (r < 0) | |
370 | return r; | |
371 | ||
372 | embedded_home = user_record_new(); | |
373 | if (!embedded_home) | |
374 | return log_oom(); | |
375 | ||
376 | r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED); | |
377 | if (r < 0) | |
378 | return r; | |
379 | ||
380 | if (!user_record_compatible(h, embedded_home)) | |
80ace4f2 | 381 | return log_error_errno(SYNTHETIC_ERRNO(EREMCHG), "Embedded home record not compatible with host record, refusing."); |
70a5db58 LP |
382 | |
383 | /* Insist that credentials the user supplies also unlocks any embedded records. */ | |
384 | r = user_record_authenticate(embedded_home, h, pkcs11_decrypted_passwords); | |
385 | if (r < 0) | |
386 | return r; | |
387 | ||
388 | /* At this point we have three records to deal with: | |
389 | * | |
390 | * · The record we got passed from the host | |
391 | * · The record included in the LUKS header (only if LUKS is used) | |
392 | * · The record in the home directory itself (~.identity) | |
393 | * | |
394 | * Now we have to reconcile all three, and let the newest one win. */ | |
395 | ||
396 | if (header_home) { | |
397 | /* Note we relax the requirements here. Instead of insisting that the host record is strictly | |
398 | * newer, let's also be OK if its equally new. If it is, we'll however insist that the | |
399 | * embedded record must be newer, so that we update at least one of the two. */ | |
400 | ||
401 | r = user_record_reconcile(h, header_home, mode == USER_RECONCILE_REQUIRE_NEWER ? USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL : mode, &intermediate_home); | |
402 | if (r == -EREMCHG) /* this was supposed to be checked earlier already, but let's check this again */ | |
403 | return log_error_errno(r, "Identity stored on host and in header don't match, refusing."); | |
404 | if (r == -ESTALE) | |
405 | return log_error_errno(r, "Embedded identity record is newer than supplied record, refusing."); | |
406 | if (r < 0) | |
407 | return log_error_errno(r, "Failed to reconcile host and header identities: %m"); | |
408 | if (r == USER_RECONCILE_EMBEDDED_WON) | |
409 | log_info("Reconciling header user identity completed (header version was newer)."); | |
410 | else if (r == USER_RECONCILE_HOST_WON) { | |
411 | log_info("Reconciling header user identity completed (host version was newer)."); | |
412 | ||
413 | if (mode == USER_RECONCILE_REQUIRE_NEWER) /* Host version is newer than the header | |
414 | * version, hence we'll update | |
415 | * something. This means we can relax the | |
416 | * requirements on the embedded | |
417 | * identity. */ | |
418 | mode = USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL; | |
419 | } else { | |
420 | assert(r == USER_RECONCILE_IDENTICAL); | |
421 | log_info("Reconciling user identities completed (host and header version were identical)."); | |
422 | } | |
423 | ||
424 | h = intermediate_home; | |
425 | } | |
426 | ||
427 | r = user_record_reconcile(h, embedded_home, mode, &new_home); | |
428 | if (r == -EREMCHG) | |
429 | return log_error_errno(r, "Identity stored on host and in home don't match, refusing."); | |
430 | if (r == -ESTALE) | |
431 | return log_error_errno(r, "Embedded identity record is equally new or newer than supplied record, refusing."); | |
432 | if (r < 0) | |
433 | return log_error_errno(r, "Failed to reconcile host and embedded identities: %m"); | |
434 | if (r == USER_RECONCILE_EMBEDDED_WON) | |
435 | log_info("Reconciling embedded user identity completed (embedded version was newer)."); | |
436 | else if (r == USER_RECONCILE_HOST_WON) | |
437 | log_info("Reconciling embedded user identity completed (host version was newer)."); | |
438 | else { | |
439 | assert(r == USER_RECONCILE_IDENTICAL); | |
440 | log_info("Reconciling embedded user identity completed (host and embedded version were identical)."); | |
441 | } | |
442 | ||
443 | if (ret_embedded_home) | |
444 | *ret_embedded_home = TAKE_PTR(embedded_home); | |
445 | ||
446 | if (ret_new_home) | |
447 | *ret_new_home = TAKE_PTR(new_home); | |
448 | ||
449 | return 0; | |
450 | } | |
451 | ||
452 | int home_store_embedded_identity(UserRecord *h, int root_fd, uid_t uid, UserRecord *old_home) { | |
453 | _cleanup_(user_record_unrefp) UserRecord *embedded = NULL; | |
454 | int r; | |
455 | ||
456 | assert(h); | |
457 | assert(root_fd >= 0); | |
458 | assert(uid_is_valid(uid)); | |
459 | ||
460 | r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &embedded); | |
461 | if (r < 0) | |
462 | return log_error_errno(r, "Failed to determine new embedded record: %m"); | |
463 | ||
464 | if (old_home && user_record_equal(old_home, embedded)) { | |
465 | log_debug("Not updating embedded home record."); | |
466 | return 0; | |
467 | } | |
468 | ||
469 | /* The identity has changed, let's update it in the image */ | |
470 | r = write_identity_file(root_fd, embedded->json, h->uid); | |
471 | if (r < 0) | |
472 | return r; | |
473 | ||
474 | return 1; | |
475 | } | |
476 | ||
477 | static const char *file_system_type_fd(int fd) { | |
478 | struct statfs sfs; | |
479 | ||
480 | assert(fd >= 0); | |
481 | ||
482 | if (fstatfs(fd, &sfs) < 0) { | |
483 | log_debug_errno(errno, "Failed to statfs(): %m"); | |
484 | return NULL; | |
485 | } | |
486 | ||
487 | if (is_fs_type(&sfs, XFS_SB_MAGIC)) | |
488 | return "xfs"; | |
489 | if (is_fs_type(&sfs, EXT4_SUPER_MAGIC)) | |
490 | return "ext4"; | |
491 | if (is_fs_type(&sfs, BTRFS_SUPER_MAGIC)) | |
492 | return "btrfs"; | |
493 | ||
494 | return NULL; | |
495 | } | |
496 | ||
497 | int home_extend_embedded_identity(UserRecord *h, UserRecord *used, HomeSetup *setup) { | |
498 | int r; | |
499 | ||
500 | assert(h); | |
501 | assert(used); | |
502 | assert(setup); | |
503 | ||
504 | r = user_record_add_binding( | |
505 | h, | |
506 | user_record_storage(used), | |
507 | user_record_image_path(used), | |
508 | setup->found_partition_uuid, | |
509 | setup->found_luks_uuid, | |
510 | setup->found_fs_uuid, | |
511 | setup->crypt_device ? crypt_get_cipher(setup->crypt_device) : NULL, | |
512 | setup->crypt_device ? crypt_get_cipher_mode(setup->crypt_device) : NULL, | |
513 | setup->crypt_device ? luks_volume_key_size_convert(setup->crypt_device) : UINT64_MAX, | |
514 | file_system_type_fd(setup->root_fd), | |
515 | user_record_home_directory(used), | |
516 | used->uid, | |
517 | (gid_t) used->uid); | |
518 | if (r < 0) | |
519 | return log_error_errno(r, "Failed to update binding in record: %m"); | |
520 | ||
521 | return 0; | |
522 | } | |
523 | ||
524 | static int chown_recursive_directory(int root_fd, uid_t uid) { | |
525 | int r; | |
526 | ||
527 | assert(root_fd >= 0); | |
528 | assert(uid_is_valid(uid)); | |
529 | ||
530 | r = fd_chown_recursive(root_fd, uid, (gid_t) uid, 0777); | |
531 | if (r < 0) | |
532 | return log_error_errno(r, "Failed to change ownership of files and directories: %m"); | |
533 | if (r == 0) | |
534 | log_info("Recursive changing of ownership not necessary, skipped."); | |
535 | else | |
536 | log_info("Recursive changing of ownership completed."); | |
537 | ||
538 | return 0; | |
539 | } | |
540 | ||
541 | int home_refresh( | |
542 | UserRecord *h, | |
543 | HomeSetup *setup, | |
544 | UserRecord *header_home, | |
545 | char ***pkcs11_decrypted_passwords, | |
546 | struct statfs *ret_statfs, | |
547 | UserRecord **ret_new_home) { | |
548 | ||
549 | _cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *new_home = NULL; | |
550 | int r; | |
551 | ||
552 | assert(h); | |
553 | assert(setup); | |
554 | assert(ret_new_home); | |
555 | ||
556 | /* When activating a home directory, does the identity work: loads the identity from the $HOME | |
557 | * directory, reconciles it with our idea, chown()s everything. */ | |
558 | ||
559 | r = home_load_embedded_identity(h, setup->root_fd, header_home, USER_RECONCILE_ANY, pkcs11_decrypted_passwords, &embedded_home, &new_home); | |
560 | if (r < 0) | |
561 | return r; | |
562 | ||
563 | r = home_store_header_identity_luks(new_home, setup, header_home); | |
564 | if (r < 0) | |
565 | return r; | |
566 | ||
567 | r = home_store_embedded_identity(new_home, setup->root_fd, h->uid, embedded_home); | |
568 | if (r < 0) | |
569 | return r; | |
570 | ||
571 | r = chown_recursive_directory(setup->root_fd, h->uid); | |
572 | if (r < 0) | |
573 | return r; | |
574 | ||
575 | r = home_sync_and_statfs(setup->root_fd, ret_statfs); | |
576 | if (r < 0) | |
577 | return r; | |
578 | ||
579 | *ret_new_home = TAKE_PTR(new_home); | |
580 | return 0; | |
581 | } | |
582 | ||
583 | static int home_activate(UserRecord *h, UserRecord **ret_home) { | |
584 | _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL; | |
585 | _cleanup_(user_record_unrefp) UserRecord *new_home = NULL; | |
586 | int r; | |
587 | ||
588 | assert(h); | |
589 | ||
590 | if (!h->user_name) | |
591 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing."); | |
592 | if (!uid_is_valid(h->uid)) | |
593 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing."); | |
594 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
595 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Activating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
596 | ||
597 | r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords); | |
598 | if (r < 0) | |
599 | return r; | |
600 | ||
601 | r = user_record_test_home_directory_and_warn(h); | |
602 | if (r < 0) | |
603 | return r; | |
604 | if (r == USER_TEST_MOUNTED) | |
605 | return log_error_errno(SYNTHETIC_ERRNO(EALREADY), "Home directory %s is already mounted, refusing.", user_record_home_directory(h)); | |
606 | ||
607 | r = user_record_test_image_path_and_warn(h); | |
608 | if (r < 0) | |
609 | return r; | |
610 | if (r == USER_TEST_ABSENT) | |
611 | return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Image path %s is missing, refusing.", user_record_image_path(h)); | |
612 | ||
613 | switch (user_record_storage(h)) { | |
614 | ||
615 | case USER_LUKS: | |
616 | r = home_activate_luks(h, &pkcs11_decrypted_passwords, &new_home); | |
617 | if (r < 0) | |
618 | return r; | |
619 | ||
620 | break; | |
621 | ||
622 | case USER_SUBVOLUME: | |
623 | case USER_DIRECTORY: | |
624 | case USER_FSCRYPT: | |
625 | r = home_activate_directory(h, &pkcs11_decrypted_passwords, &new_home); | |
626 | if (r < 0) | |
627 | return r; | |
628 | ||
629 | break; | |
630 | ||
631 | case USER_CIFS: | |
632 | r = home_activate_cifs(h, &pkcs11_decrypted_passwords, &new_home); | |
633 | if (r < 0) | |
634 | return r; | |
635 | ||
636 | break; | |
637 | ||
638 | default: | |
639 | assert_not_reached("unexpected type"); | |
640 | } | |
641 | ||
642 | /* Note that the returned object might either be a reference to an updated version of the existing | |
643 | * home object, or a reference to a newly allocated home object. The caller has to be able to deal | |
644 | * with both, and consider the old object out-of-date. */ | |
645 | if (user_record_equal(h, new_home)) { | |
646 | *ret_home = NULL; | |
647 | return 0; /* no identity change */ | |
648 | } | |
649 | ||
650 | *ret_home = TAKE_PTR(new_home); | |
651 | return 1; /* identity updated */ | |
652 | } | |
653 | ||
654 | static int home_deactivate(UserRecord *h, bool force) { | |
655 | bool done = false; | |
656 | int r; | |
657 | ||
658 | assert(h); | |
659 | ||
660 | if (!h->user_name) | |
661 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing."); | |
662 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
663 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Deactivating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
664 | ||
665 | r = user_record_test_home_directory_and_warn(h); | |
666 | if (r < 0) | |
667 | return r; | |
668 | if (r == USER_TEST_MOUNTED) { | |
669 | if (umount2(user_record_home_directory(h), UMOUNT_NOFOLLOW | (force ? MNT_FORCE|MNT_DETACH : 0)) < 0) | |
670 | return log_error_errno(errno, "Failed to unmount %s: %m", user_record_home_directory(h)); | |
671 | ||
672 | log_info("Unmounting completed."); | |
673 | done = true; | |
674 | } else | |
675 | log_info("Directory %s is already unmounted.", user_record_home_directory(h)); | |
676 | ||
677 | if (user_record_storage(h) == USER_LUKS) { | |
678 | r = home_deactivate_luks(h); | |
679 | if (r < 0) | |
680 | return r; | |
681 | if (r > 0) | |
682 | done = true; | |
683 | } | |
684 | ||
685 | if (!done) | |
686 | return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home is not active."); | |
687 | ||
688 | log_info("Everything completed."); | |
689 | return 0; | |
690 | } | |
691 | ||
692 | static int copy_skel(int root_fd, const char *skel) { | |
693 | int r; | |
694 | ||
695 | assert(root_fd >= 0); | |
696 | ||
697 | r = copy_tree_at(AT_FDCWD, skel, root_fd, ".", UID_INVALID, GID_INVALID, COPY_MERGE|COPY_REPLACE); | |
698 | if (r == -ENOENT) { | |
699 | log_info("Skeleton directory %s missing, ignoring.", skel); | |
700 | return 0; | |
701 | } | |
702 | if (r < 0) | |
703 | return log_error_errno(r, "Failed to copy in %s: %m", skel); | |
704 | ||
705 | log_info("Copying in %s completed.", skel); | |
706 | return 0; | |
707 | } | |
708 | ||
709 | static int change_access_mode(int root_fd, mode_t m) { | |
710 | assert(root_fd >= 0); | |
711 | ||
712 | if (fchmod(root_fd, m) < 0) | |
713 | return log_error_errno(errno, "Failed to change access mode of top-level directory: %m"); | |
714 | ||
715 | log_info("Changed top-level directory access mode to 0%o.", m); | |
716 | return 0; | |
717 | } | |
718 | ||
719 | int home_populate(UserRecord *h, int dir_fd) { | |
720 | int r; | |
721 | ||
722 | assert(h); | |
723 | assert(dir_fd >= 0); | |
724 | ||
725 | r = copy_skel(dir_fd, user_record_skeleton_directory(h)); | |
726 | if (r < 0) | |
727 | return r; | |
728 | ||
729 | r = home_store_embedded_identity(h, dir_fd, h->uid, NULL); | |
730 | if (r < 0) | |
731 | return r; | |
732 | ||
733 | r = chown_recursive_directory(dir_fd, h->uid); | |
734 | if (r < 0) | |
735 | return r; | |
736 | ||
737 | r = change_access_mode(dir_fd, user_record_access_mode(h)); | |
738 | if (r < 0) | |
739 | return r; | |
740 | ||
741 | return 0; | |
742 | } | |
743 | ||
744 | static int user_record_compile_effective_passwords( | |
745 | UserRecord *h, | |
746 | char ***ret_effective_passwords, | |
747 | char ***ret_pkcs11_decrypted_passwords) { | |
748 | ||
749 | _cleanup_(strv_free_erasep) char **effective = NULL, **pkcs11_passwords = NULL; | |
750 | size_t n; | |
751 | char **i; | |
752 | int r; | |
753 | ||
754 | assert(h); | |
755 | ||
756 | /* We insist on at least one classic hashed password to be defined in addition to any PKCS#11 one, as | |
757 | * a safe fallback, but also to simplify the password changing algorithm: there we require providing | |
758 | * the old literal password only (and do not care for the old PKCS#11 token) */ | |
759 | ||
760 | if (strv_isempty(h->hashed_password)) | |
761 | return log_error_errno(EINVAL, "User record has no hashed passwords, refusing."); | |
762 | ||
763 | /* Generates the list of plaintext passwords to propagate to LUKS/fscrypt devices, and checks whether | |
764 | * we have a plaintext password for each hashed one. If we are missing one we'll fail, since we | |
765 | * couldn't sync fscrypt/LUKS to the login account properly. */ | |
766 | ||
767 | STRV_FOREACH(i, h->hashed_password) { | |
768 | bool found = false; | |
769 | char **j; | |
770 | ||
771 | log_debug("Looking for plaintext password for: %s", *i); | |
772 | ||
773 | /* Let's scan all provided plaintext passwords */ | |
774 | STRV_FOREACH(j, h->password) { | |
775 | r = test_password_one(*i, *j); | |
776 | if (r < 0) | |
777 | return log_error_errno(r, "Failed to test plain text password: %m"); | |
778 | if (r > 0) { | |
779 | if (ret_effective_passwords) { | |
780 | r = strv_extend(&effective, *j); | |
781 | if (r < 0) | |
782 | return log_oom(); | |
783 | } | |
784 | ||
785 | log_debug("Found literal plaintext password."); | |
786 | found = true; | |
787 | break; | |
788 | } | |
789 | } | |
790 | ||
791 | if (!found) | |
792 | return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), "Missing plaintext password for defined hashed password"); | |
793 | } | |
794 | ||
795 | for (n = 0; n < h->n_pkcs11_encrypted_key; n++) { | |
796 | #if HAVE_P11KIT | |
797 | _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = { | |
798 | .user_record = h, | |
799 | .secret = h, | |
800 | .encrypted_key = h->pkcs11_encrypted_key + n, | |
801 | }; | |
802 | ||
803 | r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data); | |
804 | if (r == -EAGAIN) | |
805 | return -EBADSLT; | |
806 | if (r < 0) | |
807 | return r; | |
808 | ||
809 | r = test_password_one(data.encrypted_key->hashed_password, data.decrypted_password); | |
810 | if (r < 0) | |
811 | return log_error_errno(r, "Failed to test PKCS#11 password: %m"); | |
812 | if (r == 0) | |
813 | return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Decrypted password from token is not correct, refusing."); | |
814 | ||
815 | if (ret_effective_passwords) { | |
816 | r = strv_extend(&effective, data.decrypted_password); | |
817 | if (r < 0) | |
818 | return log_oom(); | |
819 | } | |
820 | ||
821 | if (ret_pkcs11_decrypted_passwords) { | |
822 | r = strv_extend(&pkcs11_passwords, data.decrypted_password); | |
823 | if (r < 0) | |
824 | return log_oom(); | |
825 | } | |
826 | #else | |
827 | return -EBADSLT; | |
828 | #endif | |
829 | } | |
830 | ||
831 | if (ret_effective_passwords) | |
832 | *ret_effective_passwords = TAKE_PTR(effective); | |
833 | if (ret_pkcs11_decrypted_passwords) | |
834 | *ret_pkcs11_decrypted_passwords = TAKE_PTR(pkcs11_passwords); | |
835 | ||
836 | return 0; | |
837 | } | |
838 | ||
839 | static int home_create(UserRecord *h, UserRecord **ret_home) { | |
840 | _cleanup_(strv_free_erasep) char **effective_passwords = NULL, **pkcs11_decrypted_passwords = NULL; | |
841 | _cleanup_(user_record_unrefp) UserRecord *new_home = NULL; | |
842 | int r; | |
843 | ||
844 | assert(h); | |
845 | ||
846 | if (!h->user_name) | |
847 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks name, refusing."); | |
848 | if (!uid_is_valid(h->uid)) | |
849 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing."); | |
850 | ||
851 | r = user_record_compile_effective_passwords(h, &effective_passwords, &pkcs11_decrypted_passwords); | |
852 | if (r < 0) | |
853 | return r; | |
854 | ||
855 | r = user_record_test_home_directory_and_warn(h); | |
856 | if (r < 0) | |
857 | return r; | |
858 | if (r != USER_TEST_ABSENT) | |
859 | return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Home directory %s already exists, refusing.", user_record_home_directory(h)); | |
860 | ||
861 | /* When the user didn't specify the storage type to use, fix it to be LUKS -- unless we run in a | |
862 | * container where loopback devices and LUKS/DM are not available. Note that we typically default to | |
863 | * the assumption of "classic" storage for most operations. However, if we create a new home, then | |
864 | * let's user LUKS if nothing is specified. */ | |
865 | if (h->storage < 0) { | |
866 | UserStorage new_storage; | |
867 | ||
868 | r = detect_container(); | |
869 | if (r < 0) | |
870 | return log_error_errno(r, "Failed to determine whether we are in a container: %m"); | |
871 | if (r > 0) { | |
872 | new_storage = USER_DIRECTORY; | |
873 | ||
874 | r = path_is_fs_type("/home", BTRFS_SUPER_MAGIC); | |
875 | if (r < 0) | |
876 | log_debug_errno(r, "Failed to determine file system of /home, ignoring: %m"); | |
877 | ||
878 | new_storage = r > 0 ? USER_SUBVOLUME : USER_DIRECTORY; | |
879 | } else | |
880 | new_storage = USER_LUKS; | |
881 | ||
882 | r = user_record_add_binding( | |
883 | h, | |
884 | new_storage, | |
885 | NULL, | |
886 | SD_ID128_NULL, | |
887 | SD_ID128_NULL, | |
888 | SD_ID128_NULL, | |
889 | NULL, | |
890 | NULL, | |
891 | UINT64_MAX, | |
892 | NULL, | |
893 | NULL, | |
894 | UID_INVALID, | |
895 | GID_INVALID); | |
896 | if (r < 0) | |
897 | return log_error_errno(r, "Failed to change storage type to LUKS: %m"); | |
898 | ||
899 | if (!h->image_path_auto) { | |
900 | h->image_path_auto = strjoin("/home/", user_record_user_name_and_realm(h), new_storage == USER_LUKS ? ".home" : ".homedir"); | |
901 | if (!h->image_path_auto) | |
902 | return log_oom(); | |
903 | } | |
904 | } | |
905 | ||
906 | r = user_record_test_image_path_and_warn(h); | |
907 | if (r < 0) | |
908 | return r; | |
909 | if (!IN_SET(r, USER_TEST_ABSENT, USER_TEST_UNDEFINED, USER_TEST_MAYBE)) | |
910 | return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Image path %s already exists, refusing.", user_record_image_path(h)); | |
911 | ||
912 | switch (user_record_storage(h)) { | |
913 | ||
914 | case USER_LUKS: | |
915 | r = home_create_luks(h, pkcs11_decrypted_passwords, effective_passwords, &new_home); | |
916 | break; | |
917 | ||
918 | case USER_DIRECTORY: | |
919 | case USER_SUBVOLUME: | |
920 | r = home_create_directory_or_subvolume(h, &new_home); | |
921 | break; | |
922 | ||
923 | case USER_FSCRYPT: | |
924 | r = home_create_fscrypt(h, effective_passwords, &new_home); | |
925 | break; | |
926 | ||
927 | case USER_CIFS: | |
928 | r = home_create_cifs(h, &new_home); | |
929 | break; | |
930 | ||
931 | default: | |
932 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), | |
933 | "Creating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
934 | } | |
935 | if (r < 0) | |
936 | return r; | |
937 | ||
938 | if (user_record_equal(h, new_home)) { | |
939 | *ret_home = NULL; | |
940 | return 0; | |
941 | } | |
942 | ||
943 | *ret_home = TAKE_PTR(new_home); | |
944 | return 1; | |
945 | } | |
946 | ||
947 | static int home_remove(UserRecord *h) { | |
948 | bool deleted = false; | |
949 | const char *ip, *hd; | |
950 | int r; | |
951 | ||
952 | assert(h); | |
953 | ||
954 | if (!h->user_name) | |
955 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing."); | |
956 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
957 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Removing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
958 | ||
959 | hd = user_record_home_directory(h); | |
960 | ||
961 | r = user_record_test_home_directory_and_warn(h); | |
962 | if (r < 0) | |
963 | return r; | |
964 | if (r == USER_TEST_MOUNTED) | |
965 | return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Directory %s is still mounted, refusing.", hd); | |
966 | ||
967 | assert(hd); | |
968 | ||
969 | r = user_record_test_image_path_and_warn(h); | |
970 | if (r < 0) | |
971 | return r; | |
972 | ||
973 | ip = user_record_image_path(h); | |
974 | ||
975 | switch (user_record_storage(h)) { | |
976 | ||
977 | case USER_LUKS: { | |
978 | struct stat st; | |
979 | ||
980 | assert(ip); | |
981 | ||
982 | if (stat(ip, &st) < 0) { | |
983 | if (errno != -ENOENT) | |
80ace4f2 | 984 | return log_error_errno(errno, "Failed to stat() %s: %m", ip); |
70a5db58 LP |
985 | |
986 | } else { | |
987 | if (S_ISREG(st.st_mode)) { | |
988 | if (unlink(ip) < 0) { | |
989 | if (errno != ENOENT) | |
990 | return log_error_errno(errno, "Failed to remove %s: %m", ip); | |
991 | } else | |
992 | deleted = true; | |
993 | ||
994 | } else if (S_ISBLK(st.st_mode)) | |
995 | log_info("Not removing file system on block device %s.", ip); | |
996 | else | |
997 | return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK), "Image file %s is neither block device, nor regular, refusing removal.", ip); | |
998 | } | |
999 | ||
1000 | break; | |
1001 | } | |
1002 | ||
1003 | case USER_SUBVOLUME: | |
1004 | case USER_DIRECTORY: | |
1005 | case USER_FSCRYPT: | |
1006 | assert(ip); | |
1007 | ||
1008 | r = rm_rf(ip, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME); | |
1009 | if (r < 0) { | |
1010 | if (r != -ENOENT) | |
1011 | return log_warning_errno(r, "Failed to remove %s: %m", ip); | |
1012 | } else | |
1013 | deleted = true; | |
1014 | ||
1015 | /* If the image path and the home directory are the same invalidate the home directory, so | |
1016 | * that we don't remove it anymore */ | |
1017 | if (path_equal(ip, hd)) | |
1018 | hd = NULL; | |
1019 | ||
1020 | break; | |
1021 | ||
1022 | case USER_CIFS: | |
1023 | /* Nothing else to do here: we won't remove remote stuff. */ | |
1024 | log_info("Not removing home directory on remote server."); | |
1025 | break; | |
1026 | ||
1027 | default: | |
1028 | assert_not_reached("unknown storage type"); | |
1029 | } | |
1030 | ||
1031 | if (hd) { | |
1032 | if (rmdir(hd) < 0) { | |
1033 | if (errno != ENOENT) | |
1034 | return log_error_errno(errno, "Failed to remove %s, ignoring: %m", hd); | |
1035 | } else | |
1036 | deleted = true; | |
1037 | } | |
1038 | ||
1039 | if (deleted) | |
1040 | log_info("Everything completed."); | |
1041 | else { | |
1042 | log_notice("Nothing to remove."); | |
1043 | return -EALREADY; | |
1044 | } | |
1045 | ||
1046 | return 0; | |
1047 | } | |
1048 | ||
1049 | static int home_validate_update(UserRecord *h, HomeSetup *setup) { | |
1050 | bool has_mount = false; | |
1051 | int r; | |
1052 | ||
1053 | assert(h); | |
1054 | assert(setup); | |
1055 | ||
1056 | if (!h->user_name) | |
1057 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing."); | |
1058 | if (!uid_is_valid(h->uid)) | |
1059 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing."); | |
1060 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS)) | |
1061 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1062 | ||
1063 | r = user_record_test_home_directory_and_warn(h); | |
1064 | if (r < 0) | |
1065 | return r; | |
1066 | ||
1067 | has_mount = r == USER_TEST_MOUNTED; | |
1068 | ||
1069 | r = user_record_test_image_path_and_warn(h); | |
1070 | if (r < 0) | |
1071 | return r; | |
1072 | if (r == USER_TEST_ABSENT) | |
1073 | return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Image path %s does not exist", user_record_image_path(h)); | |
1074 | ||
1075 | switch (user_record_storage(h)) { | |
1076 | ||
1077 | case USER_DIRECTORY: | |
1078 | case USER_SUBVOLUME: | |
1079 | case USER_FSCRYPT: | |
1080 | case USER_CIFS: | |
1081 | break; | |
1082 | ||
1083 | case USER_LUKS: { | |
1084 | r = home_validate_update_luks(h, setup); | |
1085 | if (r < 0) | |
1086 | return r; | |
1087 | if ((r > 0) != has_mount) | |
1088 | return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Home mount incompletely set up."); | |
1089 | ||
1090 | break; | |
1091 | } | |
1092 | ||
1093 | default: | |
1094 | assert_not_reached("unexpected storage type"); | |
1095 | } | |
1096 | ||
1097 | return has_mount; /* return true if the home record is already active */ | |
1098 | } | |
1099 | ||
1100 | static int home_update(UserRecord *h, UserRecord **ret) { | |
1101 | _cleanup_(user_record_unrefp) UserRecord *new_home = NULL, *header_home = NULL, *embedded_home = NULL; | |
1102 | _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL; | |
1103 | _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; | |
1104 | bool already_activated = false; | |
1105 | int r; | |
1106 | ||
1107 | assert(h); | |
1108 | assert(ret); | |
1109 | ||
1110 | r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords); | |
1111 | if (r < 0) | |
1112 | return r; | |
1113 | ||
1114 | r = home_validate_update(h, &setup); | |
1115 | if (r < 0) | |
1116 | return r; | |
1117 | ||
1118 | already_activated = r > 0; | |
1119 | ||
1120 | r = home_prepare(h, already_activated, &pkcs11_decrypted_passwords, &setup, &header_home); | |
1121 | if (r < 0) | |
1122 | return r; | |
1123 | ||
1124 | r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_REQUIRE_NEWER, &pkcs11_decrypted_passwords, &embedded_home, &new_home); | |
1125 | if (r < 0) | |
1126 | return r; | |
1127 | ||
1128 | r = home_store_header_identity_luks(new_home, &setup, header_home); | |
1129 | if (r < 0) | |
1130 | return r; | |
1131 | ||
1132 | r = home_store_embedded_identity(new_home, setup.root_fd, h->uid, embedded_home); | |
1133 | if (r < 0) | |
1134 | return r; | |
1135 | ||
1136 | r = home_extend_embedded_identity(new_home, h, &setup); | |
1137 | if (r < 0) | |
1138 | return r; | |
1139 | ||
1140 | r = home_sync_and_statfs(setup.root_fd, NULL); | |
1141 | if (r < 0) | |
1142 | return r; | |
1143 | ||
1144 | r = home_setup_undo(&setup); | |
1145 | if (r < 0) | |
1146 | return r; | |
1147 | ||
1148 | log_info("Everything completed."); | |
1149 | ||
1150 | *ret = TAKE_PTR(new_home); | |
1151 | return 0; | |
1152 | } | |
1153 | ||
1154 | static int home_resize(UserRecord *h, UserRecord **ret) { | |
1155 | _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; | |
1156 | _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL; | |
1157 | bool already_activated = false; | |
1158 | int r; | |
1159 | ||
1160 | assert(h); | |
1161 | assert(ret); | |
1162 | ||
1163 | if (h->disk_size == UINT64_MAX) | |
1164 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No target size specified, refusing."); | |
1165 | ||
1166 | r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords); | |
1167 | if (r < 0) | |
1168 | return r; | |
1169 | ||
1170 | r = home_validate_update(h, &setup); | |
1171 | if (r < 0) | |
1172 | return r; | |
1173 | ||
1174 | already_activated = r > 0; | |
1175 | ||
1176 | switch (user_record_storage(h)) { | |
1177 | ||
1178 | case USER_LUKS: | |
1179 | return home_resize_luks(h, already_activated, &pkcs11_decrypted_passwords, &setup, ret); | |
1180 | ||
1181 | case USER_DIRECTORY: | |
1182 | case USER_SUBVOLUME: | |
1183 | case USER_FSCRYPT: | |
1184 | return home_resize_directory(h, already_activated, &pkcs11_decrypted_passwords, &setup, ret); | |
1185 | ||
1186 | default: | |
1187 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Resizing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1188 | } | |
1189 | } | |
1190 | ||
1191 | static int home_passwd(UserRecord *h, UserRecord **ret_home) { | |
1192 | _cleanup_(user_record_unrefp) UserRecord *header_home = NULL, *embedded_home = NULL, *new_home = NULL; | |
1193 | _cleanup_(strv_free_erasep) char **effective_passwords = NULL, **pkcs11_decrypted_passwords = NULL; | |
1194 | _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; | |
1195 | bool already_activated = false; | |
1196 | int r; | |
1197 | ||
1198 | assert(h); | |
1199 | assert(ret_home); | |
1200 | ||
1201 | if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT)) | |
1202 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Changing password of home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1203 | ||
1204 | r = user_record_compile_effective_passwords(h, &effective_passwords, &pkcs11_decrypted_passwords); | |
1205 | if (r < 0) | |
1206 | return r; | |
1207 | ||
1208 | r = home_validate_update(h, &setup); | |
1209 | if (r < 0) | |
1210 | return r; | |
1211 | ||
1212 | already_activated = r > 0; | |
1213 | ||
1214 | r = home_prepare(h, already_activated, &pkcs11_decrypted_passwords, &setup, &header_home); | |
1215 | if (r < 0) | |
1216 | return r; | |
1217 | ||
1218 | r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL, &pkcs11_decrypted_passwords, &embedded_home, &new_home); | |
1219 | if (r < 0) | |
1220 | return r; | |
1221 | ||
1222 | switch (user_record_storage(h)) { | |
1223 | ||
1224 | case USER_LUKS: | |
1225 | r = home_passwd_luks(h, &setup, pkcs11_decrypted_passwords, effective_passwords); | |
1226 | if (r < 0) | |
1227 | return r; | |
1228 | break; | |
1229 | ||
1230 | case USER_FSCRYPT: | |
1231 | r = home_passwd_fscrypt(h, &setup, pkcs11_decrypted_passwords, effective_passwords); | |
1232 | if (r < 0) | |
1233 | return r; | |
1234 | break; | |
1235 | ||
1236 | default: | |
1237 | break; | |
1238 | } | |
1239 | ||
1240 | r = home_store_header_identity_luks(new_home, &setup, header_home); | |
1241 | if (r < 0) | |
1242 | return r; | |
1243 | ||
1244 | r = home_store_embedded_identity(new_home, setup.root_fd, h->uid, embedded_home); | |
1245 | if (r < 0) | |
1246 | return r; | |
1247 | ||
1248 | r = home_extend_embedded_identity(new_home, h, &setup); | |
1249 | if (r < 0) | |
1250 | return r; | |
1251 | ||
1252 | r = home_sync_and_statfs(setup.root_fd, NULL); | |
1253 | if (r < 0) | |
1254 | return r; | |
1255 | ||
1256 | r = home_setup_undo(&setup); | |
1257 | if (r < 0) | |
1258 | return r; | |
1259 | ||
1260 | log_info("Everything completed."); | |
1261 | ||
1262 | *ret_home = TAKE_PTR(new_home); | |
1263 | return 1; | |
1264 | } | |
1265 | ||
1266 | static int home_inspect(UserRecord *h, UserRecord **ret_home) { | |
1267 | _cleanup_(user_record_unrefp) UserRecord *header_home = NULL, *new_home = NULL; | |
1268 | _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; | |
1269 | _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL; | |
1270 | bool already_activated = false; | |
1271 | int r; | |
1272 | ||
1273 | assert(h); | |
1274 | assert(ret_home); | |
1275 | ||
1276 | r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords); | |
1277 | if (r < 0) | |
1278 | return r; | |
1279 | ||
1280 | r = home_validate_update(h, &setup); | |
1281 | if (r < 0) | |
1282 | return r; | |
1283 | ||
1284 | already_activated = r > 0; | |
1285 | ||
1286 | r = home_prepare(h, already_activated, &pkcs11_decrypted_passwords, &setup, &header_home); | |
1287 | if (r < 0) | |
1288 | return r; | |
1289 | ||
1290 | r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_ANY, &pkcs11_decrypted_passwords, NULL, &new_home); | |
1291 | if (r < 0) | |
1292 | return r; | |
1293 | ||
1294 | r = home_extend_embedded_identity(new_home, h, &setup); | |
1295 | if (r < 0) | |
1296 | return r; | |
1297 | ||
1298 | r = home_setup_undo(&setup); | |
1299 | if (r < 0) | |
1300 | return r; | |
1301 | ||
1302 | log_info("Everything completed."); | |
1303 | ||
1304 | *ret_home = TAKE_PTR(new_home); | |
1305 | return 1; | |
1306 | } | |
1307 | ||
1308 | static int home_lock(UserRecord *h) { | |
1309 | int r; | |
1310 | ||
1311 | assert(h); | |
1312 | ||
1313 | if (!h->user_name) | |
1314 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing."); | |
1315 | if (user_record_storage(h) != USER_LUKS) | |
1316 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Locking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1317 | ||
1318 | r = user_record_test_home_directory_and_warn(h); | |
1319 | if (r < 0) | |
1320 | return r; | |
1321 | if (r != USER_TEST_MOUNTED) | |
1322 | return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home directory of %s is not mounted, can't lock.", h->user_name); | |
1323 | ||
1324 | r = home_lock_luks(h); | |
1325 | if (r < 0) | |
1326 | return r; | |
1327 | ||
1328 | log_info("Everything completed."); | |
1329 | return 1; | |
1330 | } | |
1331 | ||
1332 | static int home_unlock(UserRecord *h) { | |
1333 | _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL; | |
1334 | int r; | |
1335 | ||
1336 | assert(h); | |
1337 | ||
1338 | if (!h->user_name) | |
1339 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing."); | |
1340 | if (user_record_storage(h) != USER_LUKS) | |
1341 | return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Unlocking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h))); | |
1342 | ||
1343 | /* Note that we don't check if $HOME is actually mounted, since we want to avoid disk accesses on | |
1344 | * that mount until we have resumed the device. */ | |
1345 | ||
1346 | r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords); | |
1347 | if (r < 0) | |
1348 | return r; | |
1349 | ||
1350 | r = home_unlock_luks(h, &pkcs11_decrypted_passwords); | |
1351 | if (r < 0) | |
1352 | return r; | |
1353 | ||
1354 | log_info("Everything completed."); | |
1355 | return 1; | |
1356 | } | |
1357 | ||
1358 | static int run(int argc, char *argv[]) { | |
1359 | _cleanup_(user_record_unrefp) UserRecord *home = NULL, *new_home = NULL; | |
1360 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
1361 | _cleanup_(fclosep) FILE *opened_file = NULL; | |
1362 | unsigned line = 0, column = 0; | |
1363 | const char *json_path = NULL; | |
1364 | FILE *json_file; | |
1365 | usec_t start; | |
1366 | int r; | |
1367 | ||
1368 | start = now(CLOCK_MONOTONIC); | |
1369 | ||
1370 | log_setup_service(); | |
1371 | ||
1372 | umask(0022); | |
1373 | ||
1374 | if (argc < 2 || argc > 3) | |
1375 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program takes one or two arguments."); | |
1376 | ||
1377 | if (argc > 2) { | |
1378 | json_path = argv[2]; | |
1379 | ||
1380 | opened_file = fopen(json_path, "re"); | |
1381 | if (!opened_file) | |
1382 | return log_error_errno(errno, "Failed to open %s: %m", json_path); | |
1383 | ||
1384 | json_file = opened_file; | |
1385 | } else { | |
1386 | json_path = "<stdin>"; | |
1387 | json_file = stdin; | |
1388 | } | |
1389 | ||
1390 | r = json_parse_file(json_file, json_path, JSON_PARSE_SENSITIVE, &v, &line, &column); | |
1391 | if (r < 0) | |
1392 | return log_error_errno(r, "[%s:%u:%u] Failed to parse JSON data: %m", json_path, line, column); | |
1393 | ||
1394 | home = user_record_new(); | |
1395 | if (!home) | |
1396 | return log_oom(); | |
1397 | ||
1398 | r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG); | |
1399 | if (r < 0) | |
1400 | return r; | |
1401 | ||
1402 | /* Well known return values of these operations, that systemd-homed knows and converts to proper D-Bus errors: | |
1403 | * | |
1404 | * EMSGSIZE → file systems of this type cannnot be shrinked | |
1405 | * ETXTBSY → file systems of this type can only be shrinked offline | |
1406 | * ERANGE → file system size too small | |
1407 | * ENOLINK → system does not support selected storage backend | |
1408 | * EPROTONOSUPPORT → system does not support selected file system | |
1409 | * ENOTTY → operation not support on this storage | |
1410 | * ESOCKTNOSUPPORT → operation not support on this file system | |
1411 | * ENOKEY → password incorrect (or not sufficient, or not supplied) | |
1412 | * EBADSLT → similar, but PKCS#11 device is defined and might be able to provide password, if it was plugged in which it is not | |
1413 | * ENOANO → suitable PKCS#11 device found, but PIN is missing to unlock it | |
1414 | * ERFKILL → suitable PKCS#11 device found, but OK to ask for on-device interactive authentication not given | |
1415 | * EOWNERDEAD → suitable PKCS#11 device found, but its PIN is locked | |
1416 | * ENOLCK → suitable PKCS#11 device found, but PIN incorrect | |
1417 | * ETOOMANYREFS → suitable PKCS#11 device found, but PIN incorrect, and only few tries left | |
1418 | * EUCLEAN → suitable PKCS#11 device found, but PIN incorrect, and only one try left | |
1419 | * EBUSY → file system is currently active | |
1420 | * ENOEXEC → file system is currently not active | |
1421 | * ENOSPC → not enough disk space for operation | |
1422 | */ | |
1423 | ||
1424 | if (streq(argv[1], "activate")) | |
1425 | r = home_activate(home, &new_home); | |
1426 | else if (streq(argv[1], "deactivate")) | |
1427 | r = home_deactivate(home, false); | |
1428 | else if (streq(argv[1], "deactivate-force")) | |
1429 | r = home_deactivate(home, true); | |
1430 | else if (streq(argv[1], "create")) | |
1431 | r = home_create(home, &new_home); | |
1432 | else if (streq(argv[1], "remove")) | |
1433 | r = home_remove(home); | |
1434 | else if (streq(argv[1], "update")) | |
1435 | r = home_update(home, &new_home); | |
1436 | else if (streq(argv[1], "resize")) | |
1437 | r = home_resize(home, &new_home); | |
1438 | else if (streq(argv[1], "passwd")) | |
1439 | r = home_passwd(home, &new_home); | |
1440 | else if (streq(argv[1], "inspect")) | |
1441 | r = home_inspect(home, &new_home); | |
1442 | else if (streq(argv[1], "lock")) | |
1443 | r = home_lock(home); | |
1444 | else if (streq(argv[1], "unlock")) | |
1445 | r = home_unlock(home); | |
1446 | else | |
1447 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb '%s'.", argv[1]); | |
1448 | if (r == -ENOKEY && !strv_isempty(home->password)) { /* There were passwords specified but they were incorrect */ | |
1449 | usec_t end, n, d; | |
1450 | ||
1451 | /* Make sure bad password replies always take at least 3s, and if longer multiples of 3s, so | |
1452 | * that it's not clear how long we actually needed for our calculations. */ | |
1453 | n = now(CLOCK_MONOTONIC); | |
1454 | assert(n >= start); | |
1455 | ||
1456 | d = usec_sub_unsigned(n, start); | |
1457 | if (d > BAD_PASSWORD_DELAY_USEC) | |
1458 | end = start + DIV_ROUND_UP(d, BAD_PASSWORD_DELAY_USEC) * BAD_PASSWORD_DELAY_USEC; | |
1459 | else | |
1460 | end = start + BAD_PASSWORD_DELAY_USEC; | |
1461 | ||
1462 | if (n < end) | |
1463 | (void) usleep(usec_sub_unsigned(end, n)); | |
1464 | } | |
1465 | if (r < 0) | |
1466 | return r; | |
1467 | ||
1468 | /* We always pass the new record back, regardless if it changed or not. This allows our caller to | |
1469 | * prepare a fresh record, send to us, and only if it works use it without having to keep a local | |
1470 | * copy. */ | |
1471 | if (new_home) | |
1472 | json_variant_dump(new_home->json, JSON_FORMAT_NEWLINE, stdout, NULL); | |
1473 | ||
1474 | return 0; | |
1475 | } | |
1476 | ||
1477 | DEFINE_MAIN_FUNCTION(run); |