]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/home/homework.c
projects / thirdparty / systemd.git / blob
? search:


77afc402d383936ad89c32a03f8e6be29fb4fc8b
[thirdparty/systemd.git] / src / home / homework.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <stddef.h>
4 #include <sys/mount.h>
5
6 #include "chown-recursive.h"
7 #include "copy.h"
8 #include "fd-util.h"
9 #include "fileio.h"
10 #include "home-util.h"
11 #include "homework-cifs.h"
12 #include "homework-directory.h"
13 #include "homework-fscrypt.h"
14 #include "homework-luks.h"
15 #include "homework-mount.h"
16 #include "homework-pkcs11.h"
17 #include "homework.h"
18 #include "main-func.h"
19 #include "memory-util.h"
20 #include "missing_magic.h"
21 #include "mount-util.h"
22 #include "path-util.h"
23 #include "pkcs11-util.h"
24 #include "rm-rf.h"
25 #include "stat-util.h"
26 #include "strv.h"
27 #include "tmpfile-util.h"
28 #include "user-util.h"
29 #include "virt.h"
30
31 /* Make sure a bad password always results in a 3s delay, no matter what */
32 #define BAD_PASSWORD_DELAY_USEC (3 * USEC_PER_SEC)
33
34 int user_record_authenticate(
35 UserRecord *h,
36 UserRecord *secret,
37 char ***pkcs11_decrypted_passwords) {
38
39 bool need_password = false, need_token = false, need_pin = false, need_protected_authentication_path_permitted = false,
40 pin_locked = false, pin_incorrect = false, pin_incorrect_few_tries_left = false, pin_incorrect_one_try_left = false;
41 int r;
42
43 assert(h);
44 assert(secret);
45
46 /* Tries to authenticate a user record with the supplied secrets. i.e. checks whether at least one
47 * supplied plaintext passwords matches a hashed password field of the user record. Or if a
48 * configured PKCS#11 token is around and can unlock the record.
49 *
50 * Note that the pkcs11_decrypted_passwords parameter is both an input and and output parameter: it
51 * is a list of configured, decrypted PKCS#11 passwords. We typically have to call this function
52 * multiple times over the course of an operation (think: on login we authenticate the host user
53 * record, the record embedded in the LUKS record and the one embedded in $HOME). Hence we keep a
54 * list of passwords we already decrypted, so that we don't have to do the (slow an potentially
55 * interactive) PKCS#11 dance for the relevant token again and again. */
56
57 /* First, let's see if the supplied plain-text passwords work? */
58 r = user_record_test_secret(h, secret);
59 if (r == -ENOKEY) {
60 log_info_errno(r, "None of the supplied plaintext passwords unlocks the user record's hashed passwords.");
61 need_password = true;
62 } else if (r == -ENXIO)
63 log_debug_errno(r, "User record has no hashed passwords, plaintext passwords not tested.");
64 else if (r < 0)
65 return log_error_errno(r, "Failed to validate password of record: %m");
66 else {
67 log_info("Provided password unlocks user record.");
68 return 0;
69 }
70
71 /* Second, let's see if any of the PKCS#11 security tokens are plugged in and help us */
72 for (size_t n = 0; n < h->n_pkcs11_encrypted_key; n++) {
73 #if HAVE_P11KIT
74 _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {
75 .user_record = h,
76 .secret = secret,
77 .encrypted_key = h->pkcs11_encrypted_key + n,
78 };
79 char **pp;
80
81 /* See if any of the previously calculated passwords work */
82 STRV_FOREACH(pp, *pkcs11_decrypted_passwords) {
83 r = test_password_one(data.encrypted_key->hashed_password, *pp);
84 if (r < 0)
85 return log_error_errno(r, "Failed to check supplied PKCS#11 password: %m");
86 if (r > 0) {
87 log_info("Previously acquired PKCS#11 password unlocks user record.");
88 return 0;
89 }
90 }
91
92 r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data);
93 switch (r) {
94 case -EAGAIN:
95 need_token = true;
96 break;
97 case -ENOANO:
98 need_pin = true;
99 break;
100 case -ERFKILL:
101 need_protected_authentication_path_permitted = true;
102 break;
103 case -EOWNERDEAD:
104 pin_locked = true;
105 break;
106 case -ENOLCK:
107 pin_incorrect = true;
108 break;
109 case -ETOOMANYREFS:
110 pin_incorrect = pin_incorrect_few_tries_left = true;
111 break;
112 case -EUCLEAN:
113 pin_incorrect = pin_incorrect_few_tries_left = pin_incorrect_one_try_left = true;
114 break;
115 default:
116 if (r < 0)
117 return r;
118
119 r = test_password_one(data.encrypted_key->hashed_password, data.decrypted_password);
120 if (r < 0)
121 return log_error_errno(r, "Failed to test PKCS#11 password: %m");
122 if (r == 0)
123 return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Configured PKCS#11 security token %s does not decrypt encrypted key correctly.", data.encrypted_key->uri);
124
125 log_info("Decrypted password from PKCS#11 security token %s unlocks user record.", data.encrypted_key->uri);
126
127 r = strv_extend(pkcs11_decrypted_passwords, data.decrypted_password);
128 if (r < 0)
129 return log_oom();
130
131 return 0;
132 }
133 #else
134 need_token = true;
135 break;
136 #endif
137 }
138
139 /* Ordered by "relevance", i.e. the most "important" or "interesting" error condition is returned. */
140 if (pin_incorrect_one_try_left)
141 return -EUCLEAN;
142 if (pin_incorrect_few_tries_left)
143 return -ETOOMANYREFS;
144 if (pin_incorrect)
145 return -ENOLCK;
146 if (pin_locked)
147 return -EOWNERDEAD;
148 if (need_protected_authentication_path_permitted)
149 return -ERFKILL;
150 if (need_pin)
151 return -ENOANO;
152 if (need_token)
153 return -EBADSLT;
154 if (need_password)
155 return -ENOKEY;
156
157 /* Hmm, this means neither PCKS#11 nor classic hashed passwords were supplied, we cannot authenticate this reasonably */
158 return log_debug_errno(SYNTHETIC_ERRNO(EKEYREVOKED), "No hashed passwords and no PKCS#11 tokens defined, cannot authenticate user record.");
159 }
160
161 int home_setup_undo(HomeSetup *setup) {
162 int r = 0, q;
163
164 assert(setup);
165
166 if (setup->root_fd >= 0) {
167 if (setup->do_offline_fitrim) {
168 q = run_fitrim(setup->root_fd);
169 if (q < 0)
170 r = q;
171 }
172
173 setup->root_fd = safe_close(setup->root_fd);
174 }
175
176 if (setup->undo_mount) {
177 q = umount_verbose("/run/systemd/user-home-mount");
178 if (q < 0)
179 r = q;
180 }
181
182 if (setup->undo_dm && setup->crypt_device && setup->dm_name) {
183 q = crypt_deactivate(setup->crypt_device, setup->dm_name);
184 if (q < 0)
185 r = q;
186 }
187
188 if (setup->image_fd >= 0) {
189 if (setup->do_offline_fallocate) {
190 q = run_fallocate(setup->image_fd, NULL);
191 if (q < 0)
192 r = q;
193 }
194
195 setup->image_fd = safe_close(setup->image_fd);
196 }
197
198 setup->undo_mount = false;
199 setup->undo_dm = false;
200 setup->do_offline_fitrim = false;
201 setup->do_offline_fallocate = false;
202
203 setup->dm_name = mfree(setup->dm_name);
204 setup->dm_node = mfree(setup->dm_node);
205
206 setup->loop = loop_device_unref(setup->loop);
207 crypt_free(setup->crypt_device);
208 setup->crypt_device = NULL;
209
210 explicit_bzero_safe(setup->volume_key, setup->volume_key_size);
211 setup->volume_key = mfree(setup->volume_key);
212 setup->volume_key_size = 0;
213
214 return r;
215 }
216
217 int home_prepare(
218 UserRecord *h,
219 bool already_activated,
220 char ***pkcs11_decrypted_passwords,
221 HomeSetup *setup,
222 UserRecord **ret_header_home) {
223
224 int r;
225
226 assert(h);
227 assert(setup);
228 assert(!setup->loop);
229 assert(!setup->crypt_device);
230 assert(setup->root_fd < 0);
231 assert(!setup->undo_dm);
232 assert(!setup->undo_mount);
233
234 /* Makes a home directory accessible (through the root_fd file descriptor, not by path!). */
235
236 switch (user_record_storage(h)) {
237
238 case USER_LUKS:
239 return home_prepare_luks(h, already_activated, NULL, pkcs11_decrypted_passwords, setup, ret_header_home);
240
241 case USER_SUBVOLUME:
242 case USER_DIRECTORY:
243 r = home_prepare_directory(h, already_activated, setup);
244 break;
245
246 case USER_FSCRYPT:
247 r = home_prepare_fscrypt(h, already_activated, pkcs11_decrypted_passwords, setup);
248 break;
249
250 case USER_CIFS:
251 r = home_prepare_cifs(h, already_activated, setup);
252 break;
253
254 default:
255 return log_error_errno(SYNTHETIC_ERRNO(ENOLINK), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
256 }
257
258 if (r < 0)
259 return r;
260
261 if (ret_header_home)
262 *ret_header_home = NULL;
263
264 return r;
265 }
266
267 int home_sync_and_statfs(int root_fd, struct statfs *ret) {
268 assert(root_fd >= 0);
269
270 /* Let's sync this to disk, so that the disk space reported by fstatfs() below is accurate (for file
271 * systems such as btrfs where this is determined lazily). */
272
273 if (syncfs(root_fd) < 0)
274 return log_error_errno(errno, "Failed to synchronize file system: %m");
275
276 if (ret)
277 if (fstatfs(root_fd, ret) < 0)
278 return log_error_errno(errno, "Failed to statfs() file system: %m");
279
280 log_info("Synchronized disk.");
281
282 return 0;
283 }
284
285 static int read_identity_file(int root_fd, JsonVariant **ret) {
286 _cleanup_(fclosep) FILE *identity_file = NULL;
287 _cleanup_close_ int identity_fd = -1;
288 unsigned line, column;
289 int r;
290
291 assert(root_fd >= 0);
292 assert(ret);
293
294 identity_fd = openat(root_fd, ".identity", O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK);
295 if (identity_fd < 0)
296 return log_error_errno(errno, "Failed to open .identity file in home directory: %m");
297
298 r = fd_verify_regular(identity_fd);
299 if (r < 0)
300 return log_error_errno(r, "Embedded identity file is not a regular file, refusing: %m");
301
302 identity_file = take_fdopen(&identity_fd, "r");
303 if (!identity_file)
304 return log_oom();
305
306 r = json_parse_file(identity_file, ".identity", JSON_PARSE_SENSITIVE, ret, &line, &column);
307 if (r < 0)
308 return log_error_errno(r, "[.identity:%u:%u] Failed to parse JSON data: %m", line, column);
309
310 log_info("Read embedded .identity file.");
311
312 return 0;
313 }
314
315 static int write_identity_file(int root_fd, JsonVariant *v, uid_t uid) {
316 _cleanup_(json_variant_unrefp) JsonVariant *normalized = NULL;
317 _cleanup_(fclosep) FILE *identity_file = NULL;
318 _cleanup_close_ int identity_fd = -1;
319 _cleanup_free_ char *fn = NULL;
320 int r;
321
322 assert(root_fd >= 0);
323 assert(v);
324
325 normalized = json_variant_ref(v);
326
327 r = json_variant_normalize(&normalized);
328 if (r < 0)
329 log_warning_errno(r, "Failed to normalize user record, ignoring: %m");
330
331 r = tempfn_random(".identity", NULL, &fn);
332 if (r < 0)
333 return r;
334
335 identity_fd = openat(root_fd, fn, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
336 if (identity_fd < 0)
337 return log_error_errno(errno, "Failed to create .identity file in home directory: %m");
338
339 identity_file = take_fdopen(&identity_fd, "w");
340 if (!identity_file) {
341 r = log_oom();
342 goto fail;
343 }
344
345 json_variant_dump(normalized, JSON_FORMAT_PRETTY, identity_file, NULL);
346
347 r = fflush_and_check(identity_file);
348 if (r < 0) {
349 log_error_errno(r, "Failed to write .identity file: %m");
350 goto fail;
351 }
352
353 if (fchown(fileno(identity_file), uid, uid) < 0) {
354 log_error_errno(r, "Failed to change ownership of identity file: %m");
355 goto fail;
356 }
357
358 if (renameat(root_fd, fn, root_fd, ".identity") < 0) {
359 r = log_error_errno(errno, "Failed to move identity file into place: %m");
360 goto fail;
361 }
362
363 log_info("Wrote embedded .identity file.");
364
365 return 0;
366
367 fail:
368 (void) unlinkat(root_fd, fn, 0);
369 return r;
370 }
371
372 int home_load_embedded_identity(
373 UserRecord *h,
374 int root_fd,
375 UserRecord *header_home,
376 UserReconcileMode mode,
377 char ***pkcs11_decrypted_passwords,
378 UserRecord **ret_embedded_home,
379 UserRecord **ret_new_home) {
380
381 _cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *intermediate_home = NULL, *new_home = NULL;
382 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
383 int r;
384
385 assert(h);
386 assert(root_fd >= 0);
387
388 r = read_identity_file(root_fd, &v);
389 if (r < 0)
390 return r;
391
392 embedded_home = user_record_new();
393 if (!embedded_home)
394 return log_oom();
395
396 r = user_record_load(embedded_home, v, USER_RECORD_LOAD_EMBEDDED);
397 if (r < 0)
398 return r;
399
400 if (!user_record_compatible(h, embedded_home))
401 return log_error_errno(SYNTHETIC_ERRNO(EREMCHG), "Embedded home record not compatible with host record, refusing.");
402
403 /* Insist that credentials the user supplies also unlocks any embedded records. */
404 r = user_record_authenticate(embedded_home, h, pkcs11_decrypted_passwords);
405 if (r < 0)
406 return r;
407
408 /* At this point we have three records to deal with:
409 *
410 * · The record we got passed from the host
411 * · The record included in the LUKS header (only if LUKS is used)
412 * · The record in the home directory itself (~.identity)
413 *
414 * Now we have to reconcile all three, and let the newest one win. */
415
416 if (header_home) {
417 /* Note we relax the requirements here. Instead of insisting that the host record is strictly
418 * newer, let's also be OK if its equally new. If it is, we'll however insist that the
419 * embedded record must be newer, so that we update at least one of the two. */
420
421 r = user_record_reconcile(h, header_home, mode == USER_RECONCILE_REQUIRE_NEWER ? USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL : mode, &intermediate_home);
422 if (r == -EREMCHG) /* this was supposed to be checked earlier already, but let's check this again */
423 return log_error_errno(r, "Identity stored on host and in header don't match, refusing.");
424 if (r == -ESTALE)
425 return log_error_errno(r, "Embedded identity record is newer than supplied record, refusing.");
426 if (r < 0)
427 return log_error_errno(r, "Failed to reconcile host and header identities: %m");
428 if (r == USER_RECONCILE_EMBEDDED_WON)
429 log_info("Reconciling header user identity completed (header version was newer).");
430 else if (r == USER_RECONCILE_HOST_WON) {
431 log_info("Reconciling header user identity completed (host version was newer).");
432
433 if (mode == USER_RECONCILE_REQUIRE_NEWER) /* Host version is newer than the header
434 * version, hence we'll update
435 * something. This means we can relax the
436 * requirements on the embedded
437 * identity. */
438 mode = USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL;
439 } else {
440 assert(r == USER_RECONCILE_IDENTICAL);
441 log_info("Reconciling user identities completed (host and header version were identical).");
442 }
443
444 h = intermediate_home;
445 }
446
447 r = user_record_reconcile(h, embedded_home, mode, &new_home);
448 if (r == -EREMCHG)
449 return log_error_errno(r, "Identity stored on host and in home don't match, refusing.");
450 if (r == -ESTALE)
451 return log_error_errno(r, "Embedded identity record is equally new or newer than supplied record, refusing.");
452 if (r < 0)
453 return log_error_errno(r, "Failed to reconcile host and embedded identities: %m");
454 if (r == USER_RECONCILE_EMBEDDED_WON)
455 log_info("Reconciling embedded user identity completed (embedded version was newer).");
456 else if (r == USER_RECONCILE_HOST_WON)
457 log_info("Reconciling embedded user identity completed (host version was newer).");
458 else {
459 assert(r == USER_RECONCILE_IDENTICAL);
460 log_info("Reconciling embedded user identity completed (host and embedded version were identical).");
461 }
462
463 if (ret_embedded_home)
464 *ret_embedded_home = TAKE_PTR(embedded_home);
465
466 if (ret_new_home)
467 *ret_new_home = TAKE_PTR(new_home);
468
469 return 0;
470 }
471
472 int home_store_embedded_identity(UserRecord *h, int root_fd, uid_t uid, UserRecord *old_home) {
473 _cleanup_(user_record_unrefp) UserRecord *embedded = NULL;
474 int r;
475
476 assert(h);
477 assert(root_fd >= 0);
478 assert(uid_is_valid(uid));
479
480 r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &embedded);
481 if (r < 0)
482 return log_error_errno(r, "Failed to determine new embedded record: %m");
483
484 if (old_home && user_record_equal(old_home, embedded)) {
485 log_debug("Not updating embedded home record.");
486 return 0;
487 }
488
489 /* The identity has changed, let's update it in the image */
490 r = write_identity_file(root_fd, embedded->json, h->uid);
491 if (r < 0)
492 return r;
493
494 return 1;
495 }
496
497 static const char *file_system_type_fd(int fd) {
498 struct statfs sfs;
499
500 assert(fd >= 0);
501
502 if (fstatfs(fd, &sfs) < 0) {
503 log_debug_errno(errno, "Failed to statfs(): %m");
504 return NULL;
505 }
506
507 if (is_fs_type(&sfs, XFS_SB_MAGIC))
508 return "xfs";
509 if (is_fs_type(&sfs, EXT4_SUPER_MAGIC))
510 return "ext4";
511 if (is_fs_type(&sfs, BTRFS_SUPER_MAGIC))
512 return "btrfs";
513
514 return NULL;
515 }
516
517 int home_extend_embedded_identity(UserRecord *h, UserRecord *used, HomeSetup *setup) {
518 int r;
519
520 assert(h);
521 assert(used);
522 assert(setup);
523
524 r = user_record_add_binding(
525 h,
526 user_record_storage(used),
527 user_record_image_path(used),
528 setup->found_partition_uuid,
529 setup->found_luks_uuid,
530 setup->found_fs_uuid,
531 setup->crypt_device ? crypt_get_cipher(setup->crypt_device) : NULL,
532 setup->crypt_device ? crypt_get_cipher_mode(setup->crypt_device) : NULL,
533 setup->crypt_device ? luks_volume_key_size_convert(setup->crypt_device) : UINT64_MAX,
534 file_system_type_fd(setup->root_fd),
535 user_record_home_directory(used),
536 used->uid,
537 (gid_t) used->uid);
538 if (r < 0)
539 return log_error_errno(r, "Failed to update binding in record: %m");
540
541 return 0;
542 }
543
544 static int chown_recursive_directory(int root_fd, uid_t uid) {
545 int r;
546
547 assert(root_fd >= 0);
548 assert(uid_is_valid(uid));
549
550 r = fd_chown_recursive(root_fd, uid, (gid_t) uid, 0777);
551 if (r < 0)
552 return log_error_errno(r, "Failed to change ownership of files and directories: %m");
553 if (r == 0)
554 log_info("Recursive changing of ownership not necessary, skipped.");
555 else
556 log_info("Recursive changing of ownership completed.");
557
558 return 0;
559 }
560
561 int home_refresh(
562 UserRecord *h,
563 HomeSetup *setup,
564 UserRecord *header_home,
565 char ***pkcs11_decrypted_passwords,
566 struct statfs *ret_statfs,
567 UserRecord **ret_new_home) {
568
569 _cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *new_home = NULL;
570 int r;
571
572 assert(h);
573 assert(setup);
574 assert(ret_new_home);
575
576 /* When activating a home directory, does the identity work: loads the identity from the $HOME
577 * directory, reconciles it with our idea, chown()s everything. */
578
579 r = home_load_embedded_identity(h, setup->root_fd, header_home, USER_RECONCILE_ANY, pkcs11_decrypted_passwords, &embedded_home, &new_home);
580 if (r < 0)
581 return r;
582
583 r = home_store_header_identity_luks(new_home, setup, header_home);
584 if (r < 0)
585 return r;
586
587 r = home_store_embedded_identity(new_home, setup->root_fd, h->uid, embedded_home);
588 if (r < 0)
589 return r;
590
591 r = chown_recursive_directory(setup->root_fd, h->uid);
592 if (r < 0)
593 return r;
594
595 r = home_sync_and_statfs(setup->root_fd, ret_statfs);
596 if (r < 0)
597 return r;
598
599 *ret_new_home = TAKE_PTR(new_home);
600 return 0;
601 }
602
603 static int home_activate(UserRecord *h, UserRecord **ret_home) {
604 _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL;
605 _cleanup_(user_record_unrefp) UserRecord *new_home = NULL;
606 int r;
607
608 assert(h);
609
610 if (!h->user_name)
611 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing.");
612 if (!uid_is_valid(h->uid))
613 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing.");
614 if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS))
615 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Activating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
616
617 r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords);
618 if (r < 0)
619 return r;
620
621 r = user_record_test_home_directory_and_warn(h);
622 if (r < 0)
623 return r;
624 if (r == USER_TEST_MOUNTED)
625 return log_error_errno(SYNTHETIC_ERRNO(EALREADY), "Home directory %s is already mounted, refusing.", user_record_home_directory(h));
626
627 r = user_record_test_image_path_and_warn(h);
628 if (r < 0)
629 return r;
630 if (r == USER_TEST_ABSENT)
631 return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Image path %s is missing, refusing.", user_record_image_path(h));
632
633 switch (user_record_storage(h)) {
634
635 case USER_LUKS:
636 r = home_activate_luks(h, &pkcs11_decrypted_passwords, &new_home);
637 if (r < 0)
638 return r;
639
640 break;
641
642 case USER_SUBVOLUME:
643 case USER_DIRECTORY:
644 case USER_FSCRYPT:
645 r = home_activate_directory(h, &pkcs11_decrypted_passwords, &new_home);
646 if (r < 0)
647 return r;
648
649 break;
650
651 case USER_CIFS:
652 r = home_activate_cifs(h, &pkcs11_decrypted_passwords, &new_home);
653 if (r < 0)
654 return r;
655
656 break;
657
658 default:
659 assert_not_reached("unexpected type");
660 }
661
662 /* Note that the returned object might either be a reference to an updated version of the existing
663 * home object, or a reference to a newly allocated home object. The caller has to be able to deal
664 * with both, and consider the old object out-of-date. */
665 if (user_record_equal(h, new_home)) {
666 *ret_home = NULL;
667 return 0; /* no identity change */
668 }
669
670 *ret_home = TAKE_PTR(new_home);
671 return 1; /* identity updated */
672 }
673
674 static int home_deactivate(UserRecord *h, bool force) {
675 bool done = false;
676 int r;
677
678 assert(h);
679
680 if (!h->user_name)
681 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing.");
682 if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS))
683 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Deactivating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
684
685 r = user_record_test_home_directory_and_warn(h);
686 if (r < 0)
687 return r;
688 if (r == USER_TEST_MOUNTED) {
689 if (user_record_storage(h) == USER_LUKS) {
690 r = home_trim_luks(h);
691 if (r < 0)
692 return r;
693 }
694
695 if (umount2(user_record_home_directory(h), UMOUNT_NOFOLLOW | (force ? MNT_FORCE|MNT_DETACH : 0)) < 0)
696 return log_error_errno(errno, "Failed to unmount %s: %m", user_record_home_directory(h));
697
698 log_info("Unmounting completed.");
699 done = true;
700 } else
701 log_info("Directory %s is already unmounted.", user_record_home_directory(h));
702
703 if (user_record_storage(h) == USER_LUKS) {
704 r = home_deactivate_luks(h);
705 if (r < 0)
706 return r;
707 if (r > 0)
708 done = true;
709 }
710
711 if (!done)
712 return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home is not active.");
713
714 log_info("Everything completed.");
715 return 0;
716 }
717
718 static int copy_skel(int root_fd, const char *skel) {
719 int r;
720
721 assert(root_fd >= 0);
722
723 r = copy_tree_at(AT_FDCWD, skel, root_fd, ".", UID_INVALID, GID_INVALID, COPY_MERGE|COPY_REPLACE);
724 if (r == -ENOENT) {
725 log_info("Skeleton directory %s missing, ignoring.", skel);
726 return 0;
727 }
728 if (r < 0)
729 return log_error_errno(r, "Failed to copy in %s: %m", skel);
730
731 log_info("Copying in %s completed.", skel);
732 return 0;
733 }
734
735 static int change_access_mode(int root_fd, mode_t m) {
736 assert(root_fd >= 0);
737
738 if (fchmod(root_fd, m) < 0)
739 return log_error_errno(errno, "Failed to change access mode of top-level directory: %m");
740
741 log_info("Changed top-level directory access mode to 0%o.", m);
742 return 0;
743 }
744
745 int home_populate(UserRecord *h, int dir_fd) {
746 int r;
747
748 assert(h);
749 assert(dir_fd >= 0);
750
751 r = copy_skel(dir_fd, user_record_skeleton_directory(h));
752 if (r < 0)
753 return r;
754
755 r = home_store_embedded_identity(h, dir_fd, h->uid, NULL);
756 if (r < 0)
757 return r;
758
759 r = chown_recursive_directory(dir_fd, h->uid);
760 if (r < 0)
761 return r;
762
763 r = change_access_mode(dir_fd, user_record_access_mode(h));
764 if (r < 0)
765 return r;
766
767 return 0;
768 }
769
770 static int user_record_compile_effective_passwords(
771 UserRecord *h,
772 char ***ret_effective_passwords,
773 char ***ret_pkcs11_decrypted_passwords) {
774
775 _cleanup_(strv_free_erasep) char **effective = NULL, **pkcs11_passwords = NULL;
776 size_t n;
777 char **i;
778 int r;
779
780 assert(h);
781
782 /* We insist on at least one classic hashed password to be defined in addition to any PKCS#11 one, as
783 * a safe fallback, but also to simplify the password changing algorithm: there we require providing
784 * the old literal password only (and do not care for the old PKCS#11 token) */
785
786 if (strv_isempty(h->hashed_password))
787 return log_error_errno(EINVAL, "User record has no hashed passwords, refusing.");
788
789 /* Generates the list of plaintext passwords to propagate to LUKS/fscrypt devices, and checks whether
790 * we have a plaintext password for each hashed one. If we are missing one we'll fail, since we
791 * couldn't sync fscrypt/LUKS to the login account properly. */
792
793 STRV_FOREACH(i, h->hashed_password) {
794 bool found = false;
795 char **j;
796
797 log_debug("Looking for plaintext password for: %s", *i);
798
799 /* Let's scan all provided plaintext passwords */
800 STRV_FOREACH(j, h->password) {
801 r = test_password_one(*i, *j);
802 if (r < 0)
803 return log_error_errno(r, "Failed to test plain text password: %m");
804 if (r > 0) {
805 if (ret_effective_passwords) {
806 r = strv_extend(&effective, *j);
807 if (r < 0)
808 return log_oom();
809 }
810
811 log_debug("Found literal plaintext password.");
812 found = true;
813 break;
814 }
815 }
816
817 if (!found)
818 return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), "Missing plaintext password for defined hashed password");
819 }
820
821 for (n = 0; n < h->n_pkcs11_encrypted_key; n++) {
822 #if HAVE_P11KIT
823 _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {
824 .user_record = h,
825 .secret = h,
826 .encrypted_key = h->pkcs11_encrypted_key + n,
827 };
828
829 r = pkcs11_find_token(data.encrypted_key->uri, pkcs11_callback, &data);
830 if (r == -EAGAIN)
831 return -EBADSLT;
832 if (r < 0)
833 return r;
834
835 r = test_password_one(data.encrypted_key->hashed_password, data.decrypted_password);
836 if (r < 0)
837 return log_error_errno(r, "Failed to test PKCS#11 password: %m");
838 if (r == 0)
839 return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Decrypted password from token is not correct, refusing.");
840
841 if (ret_effective_passwords) {
842 r = strv_extend(&effective, data.decrypted_password);
843 if (r < 0)
844 return log_oom();
845 }
846
847 if (ret_pkcs11_decrypted_passwords) {
848 r = strv_extend(&pkcs11_passwords, data.decrypted_password);
849 if (r < 0)
850 return log_oom();
851 }
852 #else
853 return -EBADSLT;
854 #endif
855 }
856
857 if (ret_effective_passwords)
858 *ret_effective_passwords = TAKE_PTR(effective);
859 if (ret_pkcs11_decrypted_passwords)
860 *ret_pkcs11_decrypted_passwords = TAKE_PTR(pkcs11_passwords);
861
862 return 0;
863 }
864
865 static int home_create(UserRecord *h, UserRecord **ret_home) {
866 _cleanup_(strv_free_erasep) char **effective_passwords = NULL, **pkcs11_decrypted_passwords = NULL;
867 _cleanup_(user_record_unrefp) UserRecord *new_home = NULL;
868 int r;
869
870 assert(h);
871
872 if (!h->user_name)
873 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks name, refusing.");
874 if (!uid_is_valid(h->uid))
875 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing.");
876
877 r = user_record_compile_effective_passwords(h, &effective_passwords, &pkcs11_decrypted_passwords);
878 if (r < 0)
879 return r;
880
881 r = user_record_test_home_directory_and_warn(h);
882 if (r < 0)
883 return r;
884 if (r != USER_TEST_ABSENT)
885 return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Home directory %s already exists, refusing.", user_record_home_directory(h));
886
887 /* When the user didn't specify the storage type to use, fix it to be LUKS -- unless we run in a
888 * container where loopback devices and LUKS/DM are not available. Note that we typically default to
889 * the assumption of "classic" storage for most operations. However, if we create a new home, then
890 * let's user LUKS if nothing is specified. */
891 if (h->storage < 0) {
892 UserStorage new_storage;
893
894 r = detect_container();
895 if (r < 0)
896 return log_error_errno(r, "Failed to determine whether we are in a container: %m");
897 if (r > 0) {
898 new_storage = USER_DIRECTORY;
899
900 r = path_is_fs_type("/home", BTRFS_SUPER_MAGIC);
901 if (r < 0)
902 log_debug_errno(r, "Failed to determine file system of /home, ignoring: %m");
903
904 new_storage = r > 0 ? USER_SUBVOLUME : USER_DIRECTORY;
905 } else
906 new_storage = USER_LUKS;
907
908 r = user_record_add_binding(
909 h,
910 new_storage,
911 NULL,
912 SD_ID128_NULL,
913 SD_ID128_NULL,
914 SD_ID128_NULL,
915 NULL,
916 NULL,
917 UINT64_MAX,
918 NULL,
919 NULL,
920 UID_INVALID,
921 GID_INVALID);
922 if (r < 0)
923 return log_error_errno(r, "Failed to change storage type to LUKS: %m");
924
925 if (!h->image_path_auto) {
926 h->image_path_auto = strjoin("/home/", user_record_user_name_and_realm(h), new_storage == USER_LUKS ? ".home" : ".homedir");
927 if (!h->image_path_auto)
928 return log_oom();
929 }
930 }
931
932 r = user_record_test_image_path_and_warn(h);
933 if (r < 0)
934 return r;
935 if (!IN_SET(r, USER_TEST_ABSENT, USER_TEST_UNDEFINED, USER_TEST_MAYBE))
936 return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Image path %s already exists, refusing.", user_record_image_path(h));
937
938 switch (user_record_storage(h)) {
939
940 case USER_LUKS:
941 r = home_create_luks(h, pkcs11_decrypted_passwords, effective_passwords, &new_home);
942 break;
943
944 case USER_DIRECTORY:
945 case USER_SUBVOLUME:
946 r = home_create_directory_or_subvolume(h, &new_home);
947 break;
948
949 case USER_FSCRYPT:
950 r = home_create_fscrypt(h, effective_passwords, &new_home);
951 break;
952
953 case USER_CIFS:
954 r = home_create_cifs(h, &new_home);
955 break;
956
957 default:
958 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY),
959 "Creating home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
960 }
961 if (r < 0)
962 return r;
963
964 if (user_record_equal(h, new_home)) {
965 *ret_home = NULL;
966 return 0;
967 }
968
969 *ret_home = TAKE_PTR(new_home);
970 return 1;
971 }
972
973 static int home_remove(UserRecord *h) {
974 bool deleted = false;
975 const char *ip, *hd;
976 int r;
977
978 assert(h);
979
980 if (!h->user_name)
981 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing.");
982 if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS))
983 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Removing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
984
985 hd = user_record_home_directory(h);
986
987 r = user_record_test_home_directory_and_warn(h);
988 if (r < 0)
989 return r;
990 if (r == USER_TEST_MOUNTED)
991 return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Directory %s is still mounted, refusing.", hd);
992
993 assert(hd);
994
995 r = user_record_test_image_path_and_warn(h);
996 if (r < 0)
997 return r;
998
999 ip = user_record_image_path(h);
1000
1001 switch (user_record_storage(h)) {
1002
1003 case USER_LUKS: {
1004 struct stat st;
1005
1006 assert(ip);
1007
1008 if (stat(ip, &st) < 0) {
1009 if (errno != -ENOENT)
1010 return log_error_errno(errno, "Failed to stat() %s: %m", ip);
1011
1012 } else {
1013 if (S_ISREG(st.st_mode)) {
1014 if (unlink(ip) < 0) {
1015 if (errno != ENOENT)
1016 return log_error_errno(errno, "Failed to remove %s: %m", ip);
1017 } else
1018 deleted = true;
1019
1020 } else if (S_ISBLK(st.st_mode))
1021 log_info("Not removing file system on block device %s.", ip);
1022 else
1023 return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK), "Image file %s is neither block device, nor regular, refusing removal.", ip);
1024 }
1025
1026 break;
1027 }
1028
1029 case USER_SUBVOLUME:
1030 case USER_DIRECTORY:
1031 case USER_FSCRYPT:
1032 assert(ip);
1033
1034 r = rm_rf(ip, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME);
1035 if (r < 0) {
1036 if (r != -ENOENT)
1037 return log_warning_errno(r, "Failed to remove %s: %m", ip);
1038 } else
1039 deleted = true;
1040
1041 /* If the image path and the home directory are the same invalidate the home directory, so
1042 * that we don't remove it anymore */
1043 if (path_equal(ip, hd))
1044 hd = NULL;
1045
1046 break;
1047
1048 case USER_CIFS:
1049 /* Nothing else to do here: we won't remove remote stuff. */
1050 log_info("Not removing home directory on remote server.");
1051 break;
1052
1053 default:
1054 assert_not_reached("unknown storage type");
1055 }
1056
1057 if (hd) {
1058 if (rmdir(hd) < 0) {
1059 if (errno != ENOENT)
1060 return log_error_errno(errno, "Failed to remove %s, ignoring: %m", hd);
1061 } else
1062 deleted = true;
1063 }
1064
1065 if (deleted)
1066 log_info("Everything completed.");
1067 else
1068 return log_notice_errno(SYNTHETIC_ERRNO(EALREADY),
1069 "Nothing to remove.");
1070
1071 return 0;
1072 }
1073
1074 static int home_validate_update(UserRecord *h, HomeSetup *setup) {
1075 bool has_mount = false;
1076 int r;
1077
1078 assert(h);
1079 assert(setup);
1080
1081 if (!h->user_name)
1082 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks user name, refusing.");
1083 if (!uid_is_valid(h->uid))
1084 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks UID, refusing.");
1085 if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT, USER_CIFS))
1086 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Processing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
1087
1088 r = user_record_test_home_directory_and_warn(h);
1089 if (r < 0)
1090 return r;
1091
1092 has_mount = r == USER_TEST_MOUNTED;
1093
1094 r = user_record_test_image_path_and_warn(h);
1095 if (r < 0)
1096 return r;
1097 if (r == USER_TEST_ABSENT)
1098 return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Image path %s does not exist", user_record_image_path(h));
1099
1100 switch (user_record_storage(h)) {
1101
1102 case USER_DIRECTORY:
1103 case USER_SUBVOLUME:
1104 case USER_FSCRYPT:
1105 case USER_CIFS:
1106 break;
1107
1108 case USER_LUKS: {
1109 r = home_validate_update_luks(h, setup);
1110 if (r < 0)
1111 return r;
1112 if ((r > 0) != has_mount)
1113 return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Home mount incompletely set up.");
1114
1115 break;
1116 }
1117
1118 default:
1119 assert_not_reached("unexpected storage type");
1120 }
1121
1122 return has_mount; /* return true if the home record is already active */
1123 }
1124
1125 static int home_update(UserRecord *h, UserRecord **ret) {
1126 _cleanup_(user_record_unrefp) UserRecord *new_home = NULL, *header_home = NULL, *embedded_home = NULL;
1127 _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL;
1128 _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT;
1129 bool already_activated = false;
1130 int r;
1131
1132 assert(h);
1133 assert(ret);
1134
1135 r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords);
1136 if (r < 0)
1137 return r;
1138
1139 r = home_validate_update(h, &setup);
1140 if (r < 0)
1141 return r;
1142
1143 already_activated = r > 0;
1144
1145 r = home_prepare(h, already_activated, &pkcs11_decrypted_passwords, &setup, &header_home);
1146 if (r < 0)
1147 return r;
1148
1149 r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_REQUIRE_NEWER, &pkcs11_decrypted_passwords, &embedded_home, &new_home);
1150 if (r < 0)
1151 return r;
1152
1153 r = home_store_header_identity_luks(new_home, &setup, header_home);
1154 if (r < 0)
1155 return r;
1156
1157 r = home_store_embedded_identity(new_home, setup.root_fd, h->uid, embedded_home);
1158 if (r < 0)
1159 return r;
1160
1161 r = home_extend_embedded_identity(new_home, h, &setup);
1162 if (r < 0)
1163 return r;
1164
1165 r = home_sync_and_statfs(setup.root_fd, NULL);
1166 if (r < 0)
1167 return r;
1168
1169 r = home_setup_undo(&setup);
1170 if (r < 0)
1171 return r;
1172
1173 log_info("Everything completed.");
1174
1175 *ret = TAKE_PTR(new_home);
1176 return 0;
1177 }
1178
1179 static int home_resize(UserRecord *h, UserRecord **ret) {
1180 _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT;
1181 _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL;
1182 bool already_activated = false;
1183 int r;
1184
1185 assert(h);
1186 assert(ret);
1187
1188 if (h->disk_size == UINT64_MAX)
1189 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No target size specified, refusing.");
1190
1191 r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords);
1192 if (r < 0)
1193 return r;
1194
1195 r = home_validate_update(h, &setup);
1196 if (r < 0)
1197 return r;
1198
1199 already_activated = r > 0;
1200
1201 switch (user_record_storage(h)) {
1202
1203 case USER_LUKS:
1204 return home_resize_luks(h, already_activated, &pkcs11_decrypted_passwords, &setup, ret);
1205
1206 case USER_DIRECTORY:
1207 case USER_SUBVOLUME:
1208 case USER_FSCRYPT:
1209 return home_resize_directory(h, already_activated, &pkcs11_decrypted_passwords, &setup, ret);
1210
1211 default:
1212 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Resizing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
1213 }
1214 }
1215
1216 static int home_passwd(UserRecord *h, UserRecord **ret_home) {
1217 _cleanup_(user_record_unrefp) UserRecord *header_home = NULL, *embedded_home = NULL, *new_home = NULL;
1218 _cleanup_(strv_free_erasep) char **effective_passwords = NULL, **pkcs11_decrypted_passwords = NULL;
1219 _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT;
1220 bool already_activated = false;
1221 int r;
1222
1223 assert(h);
1224 assert(ret_home);
1225
1226 if (!IN_SET(user_record_storage(h), USER_LUKS, USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT))
1227 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Changing password of home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
1228
1229 r = user_record_compile_effective_passwords(h, &effective_passwords, &pkcs11_decrypted_passwords);
1230 if (r < 0)
1231 return r;
1232
1233 r = home_validate_update(h, &setup);
1234 if (r < 0)
1235 return r;
1236
1237 already_activated = r > 0;
1238
1239 r = home_prepare(h, already_activated, &pkcs11_decrypted_passwords, &setup, &header_home);
1240 if (r < 0)
1241 return r;
1242
1243 r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL, &pkcs11_decrypted_passwords, &embedded_home, &new_home);
1244 if (r < 0)
1245 return r;
1246
1247 switch (user_record_storage(h)) {
1248
1249 case USER_LUKS:
1250 r = home_passwd_luks(h, &setup, pkcs11_decrypted_passwords, effective_passwords);
1251 if (r < 0)
1252 return r;
1253 break;
1254
1255 case USER_FSCRYPT:
1256 r = home_passwd_fscrypt(h, &setup, pkcs11_decrypted_passwords, effective_passwords);
1257 if (r < 0)
1258 return r;
1259 break;
1260
1261 default:
1262 break;
1263 }
1264
1265 r = home_store_header_identity_luks(new_home, &setup, header_home);
1266 if (r < 0)
1267 return r;
1268
1269 r = home_store_embedded_identity(new_home, setup.root_fd, h->uid, embedded_home);
1270 if (r < 0)
1271 return r;
1272
1273 r = home_extend_embedded_identity(new_home, h, &setup);
1274 if (r < 0)
1275 return r;
1276
1277 r = home_sync_and_statfs(setup.root_fd, NULL);
1278 if (r < 0)
1279 return r;
1280
1281 r = home_setup_undo(&setup);
1282 if (r < 0)
1283 return r;
1284
1285 log_info("Everything completed.");
1286
1287 *ret_home = TAKE_PTR(new_home);
1288 return 1;
1289 }
1290
1291 static int home_inspect(UserRecord *h, UserRecord **ret_home) {
1292 _cleanup_(user_record_unrefp) UserRecord *header_home = NULL, *new_home = NULL;
1293 _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT;
1294 _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL;
1295 bool already_activated = false;
1296 int r;
1297
1298 assert(h);
1299 assert(ret_home);
1300
1301 r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords);
1302 if (r < 0)
1303 return r;
1304
1305 r = home_validate_update(h, &setup);
1306 if (r < 0)
1307 return r;
1308
1309 already_activated = r > 0;
1310
1311 r = home_prepare(h, already_activated, &pkcs11_decrypted_passwords, &setup, &header_home);
1312 if (r < 0)
1313 return r;
1314
1315 r = home_load_embedded_identity(h, setup.root_fd, header_home, USER_RECONCILE_ANY, &pkcs11_decrypted_passwords, NULL, &new_home);
1316 if (r < 0)
1317 return r;
1318
1319 r = home_extend_embedded_identity(new_home, h, &setup);
1320 if (r < 0)
1321 return r;
1322
1323 r = home_setup_undo(&setup);
1324 if (r < 0)
1325 return r;
1326
1327 log_info("Everything completed.");
1328
1329 *ret_home = TAKE_PTR(new_home);
1330 return 1;
1331 }
1332
1333 static int home_lock(UserRecord *h) {
1334 int r;
1335
1336 assert(h);
1337
1338 if (!h->user_name)
1339 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing.");
1340 if (user_record_storage(h) != USER_LUKS)
1341 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Locking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
1342
1343 r = user_record_test_home_directory_and_warn(h);
1344 if (r < 0)
1345 return r;
1346 if (r != USER_TEST_MOUNTED)
1347 return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home directory of %s is not mounted, can't lock.", h->user_name);
1348
1349 r = home_lock_luks(h);
1350 if (r < 0)
1351 return r;
1352
1353 log_info("Everything completed.");
1354 return 1;
1355 }
1356
1357 static int home_unlock(UserRecord *h) {
1358 _cleanup_(strv_free_erasep) char **pkcs11_decrypted_passwords = NULL;
1359 int r;
1360
1361 assert(h);
1362
1363 if (!h->user_name)
1364 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record incomplete, refusing.");
1365 if (user_record_storage(h) != USER_LUKS)
1366 return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Unlocking home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
1367
1368 /* Note that we don't check if $HOME is actually mounted, since we want to avoid disk accesses on
1369 * that mount until we have resumed the device. */
1370
1371 r = user_record_authenticate(h, h, &pkcs11_decrypted_passwords);
1372 if (r < 0)
1373 return r;
1374
1375 r = home_unlock_luks(h, &pkcs11_decrypted_passwords);
1376 if (r < 0)
1377 return r;
1378
1379 log_info("Everything completed.");
1380 return 1;
1381 }
1382
1383 static int run(int argc, char *argv[]) {
1384 _cleanup_(user_record_unrefp) UserRecord *home = NULL, *new_home = NULL;
1385 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
1386 _cleanup_(fclosep) FILE *opened_file = NULL;
1387 unsigned line = 0, column = 0;
1388 const char *json_path = NULL;
1389 FILE *json_file;
1390 usec_t start;
1391 int r;
1392
1393 start = now(CLOCK_MONOTONIC);
1394
1395 log_setup_service();
1396
1397 umask(0022);
1398
1399 if (argc < 2 || argc > 3)
1400 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program takes one or two arguments.");
1401
1402 if (argc > 2) {
1403 json_path = argv[2];
1404
1405 opened_file = fopen(json_path, "re");
1406 if (!opened_file)
1407 return log_error_errno(errno, "Failed to open %s: %m", json_path);
1408
1409 json_file = opened_file;
1410 } else {
1411 json_path = "<stdin>";
1412 json_file = stdin;
1413 }
1414
1415 r = json_parse_file(json_file, json_path, JSON_PARSE_SENSITIVE, &v, &line, &column);
1416 if (r < 0)
1417 return log_error_errno(r, "[%s:%u:%u] Failed to parse JSON data: %m", json_path, line, column);
1418
1419 home = user_record_new();
1420 if (!home)
1421 return log_oom();
1422
1423 r = user_record_load(home, v, USER_RECORD_LOAD_FULL|USER_RECORD_LOG);
1424 if (r < 0)
1425 return r;
1426
1427 /* Well known return values of these operations, that systemd-homed knows and converts to proper D-Bus errors:
1428 *
1429 * EMSGSIZE → file systems of this type cannot be shrunk
1430 * ETXTBSY → file systems of this type can only be shrunk offline
1431 * ERANGE → file system size too small
1432 * ENOLINK → system does not support selected storage backend
1433 * EPROTONOSUPPORT → system does not support selected file system
1434 * ENOTTY → operation not support on this storage
1435 * ESOCKTNOSUPPORT → operation not support on this file system
1436 * ENOKEY → password incorrect (or not sufficient, or not supplied)
1437 * EBADSLT → similar, but PKCS#11 device is defined and might be able to provide password, if it was plugged in which it is not
1438 * ENOANO → suitable PKCS#11 device found, but PIN is missing to unlock it
1439 * ERFKILL → suitable PKCS#11 device found, but OK to ask for on-device interactive authentication not given
1440 * EOWNERDEAD → suitable PKCS#11 device found, but its PIN is locked
1441 * ENOLCK → suitable PKCS#11 device found, but PIN incorrect
1442 * ETOOMANYREFS → suitable PKCS#11 device found, but PIN incorrect, and only few tries left
1443 * EUCLEAN → suitable PKCS#11 device found, but PIN incorrect, and only one try left
1444 * EBUSY → file system is currently active
1445 * ENOEXEC → file system is currently not active
1446 * ENOSPC → not enough disk space for operation
1447 */
1448
1449 if (streq(argv[1], "activate"))
1450 r = home_activate(home, &new_home);
1451 else if (streq(argv[1], "deactivate"))
1452 r = home_deactivate(home, false);
1453 else if (streq(argv[1], "deactivate-force"))
1454 r = home_deactivate(home, true);
1455 else if (streq(argv[1], "create"))
1456 r = home_create(home, &new_home);
1457 else if (streq(argv[1], "remove"))
1458 r = home_remove(home);
1459 else if (streq(argv[1], "update"))
1460 r = home_update(home, &new_home);
1461 else if (streq(argv[1], "resize"))
1462 r = home_resize(home, &new_home);
1463 else if (streq(argv[1], "passwd"))
1464 r = home_passwd(home, &new_home);
1465 else if (streq(argv[1], "inspect"))
1466 r = home_inspect(home, &new_home);
1467 else if (streq(argv[1], "lock"))
1468 r = home_lock(home);
1469 else if (streq(argv[1], "unlock"))
1470 r = home_unlock(home);
1471 else
1472 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown verb '%s'.", argv[1]);
1473 if (r == -ENOKEY && !strv_isempty(home->password)) { /* There were passwords specified but they were incorrect */
1474 usec_t end, n, d;
1475
1476 /* Make sure bad password replies always take at least 3s, and if longer multiples of 3s, so
1477 * that it's not clear how long we actually needed for our calculations. */
1478 n = now(CLOCK_MONOTONIC);
1479 assert(n >= start);
1480
1481 d = usec_sub_unsigned(n, start);
1482 if (d > BAD_PASSWORD_DELAY_USEC)
1483 end = start + DIV_ROUND_UP(d, BAD_PASSWORD_DELAY_USEC) * BAD_PASSWORD_DELAY_USEC;
1484 else
1485 end = start + BAD_PASSWORD_DELAY_USEC;
1486
1487 if (n < end)
1488 (void) usleep(usec_sub_unsigned(end, n));
1489 }
1490 if (r < 0)
1491 return r;
1492
1493 /* We always pass the new record back, regardless if it changed or not. This allows our caller to
1494 * prepare a fresh record, send to us, and only if it works use it without having to keep a local
1495 * copy. */
1496 if (new_home)
1497 json_variant_dump(new_home->json, JSON_FORMAT_NEWLINE, stdout, NULL);
1498
1499 return 0;
1500 }
1501
1502 DEFINE_MAIN_FUNCTION(run);
Unnamed repository; edit this file 'description' to name the repository.