]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/ask-password-api.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #9274 from poettering/comment-header-cleanup
[thirdparty/systemd.git] / src / shared / ask-password-api.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <errno.h>
4 #include <fcntl.h>
5 #include <inttypes.h>
6 #include <limits.h>
7 #include <poll.h>
8 #include <signal.h>
9 #include <stdbool.h>
10 #include <stddef.h>
11 #include <stdint.h>
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include <string.h>
15 #include <sys/inotify.h>
16 #include <sys/signalfd.h>
17 #include <sys/socket.h>
18 #include <sys/stat.h>
19 #include <sys/time.h>
20 #include <sys/uio.h>
21 #include <sys/un.h>
22 #include <termios.h>
23 #include <unistd.h>
24
25 #include "alloc-util.h"
26 #include "ask-password-api.h"
27 #include "fd-util.h"
28 #include "fileio.h"
29 #include "format-util.h"
30 #include "io-util.h"
31 #include "log.h"
32 #include "macro.h"
33 #include "missing.h"
34 #include "mkdir.h"
35 #include "process-util.h"
36 #include "random-util.h"
37 #include "signal-util.h"
38 #include "socket-util.h"
39 #include "string-util.h"
40 #include "strv.h"
41 #include "terminal-util.h"
42 #include "time-util.h"
43 #include "umask-util.h"
44 #include "utf8.h"
45 #include "util.h"
46
47 #define KEYRING_TIMEOUT_USEC ((5 * USEC_PER_MINUTE) / 2)
48
49 static int lookup_key(const char *keyname, key_serial_t *ret) {
50 key_serial_t serial;
51
52 assert(keyname);
53 assert(ret);
54
55 serial = request_key("user", keyname, NULL, 0);
56 if (serial == -1)
57 return negative_errno();
58
59 *ret = serial;
60 return 0;
61 }
62
63 static int retrieve_key(key_serial_t serial, char ***ret) {
64 _cleanup_free_ char *p = NULL;
65 long m = 100, n;
66 char **l;
67
68 assert(ret);
69
70 for (;;) {
71 p = new(char, m);
72 if (!p)
73 return -ENOMEM;
74
75 n = keyctl(KEYCTL_READ, (unsigned long) serial, (unsigned long) p, (unsigned long) m, 0);
76 if (n < 0)
77 return -errno;
78
79 if (n < m)
80 break;
81
82 explicit_bzero(p, n);
83 free(p);
84 m *= 2;
85 }
86
87 l = strv_parse_nulstr(p, n);
88 if (!l)
89 return -ENOMEM;
90
91 explicit_bzero(p, n);
92
93 *ret = l;
94 return 0;
95 }
96
97 static int add_to_keyring(const char *keyname, AskPasswordFlags flags, char **passwords) {
98 _cleanup_strv_free_erase_ char **l = NULL;
99 _cleanup_free_ char *p = NULL;
100 key_serial_t serial;
101 size_t n;
102 int r;
103
104 assert(keyname);
105 assert(passwords);
106
107 if (!(flags & ASK_PASSWORD_PUSH_CACHE))
108 return 0;
109
110 r = lookup_key(keyname, &serial);
111 if (r >= 0) {
112 r = retrieve_key(serial, &l);
113 if (r < 0)
114 return r;
115 } else if (r != -ENOKEY)
116 return r;
117
118 r = strv_extend_strv(&l, passwords, true);
119 if (r <= 0)
120 return r;
121
122 r = strv_make_nulstr(l, &p, &n);
123 if (r < 0)
124 return r;
125
126 serial = add_key("user", keyname, p, n, KEY_SPEC_USER_KEYRING);
127 explicit_bzero(p, n);
128 if (serial == -1)
129 return -errno;
130
131 if (keyctl(KEYCTL_SET_TIMEOUT,
132 (unsigned long) serial,
133 (unsigned long) DIV_ROUND_UP(KEYRING_TIMEOUT_USEC, USEC_PER_SEC), 0, 0) < 0)
134 log_debug_errno(errno, "Failed to adjust timeout: %m");
135
136 log_debug("Added key to keyring as %" PRIi32 ".", serial);
137
138 return 1;
139 }
140
141 static int add_to_keyring_and_log(const char *keyname, AskPasswordFlags flags, char **passwords) {
142 int r;
143
144 assert(keyname);
145 assert(passwords);
146
147 r = add_to_keyring(keyname, flags, passwords);
148 if (r < 0)
149 return log_debug_errno(r, "Failed to add password to keyring: %m");
150
151 return 0;
152 }
153
154 int ask_password_keyring(const char *keyname, AskPasswordFlags flags, char ***ret) {
155
156 key_serial_t serial;
157 int r;
158
159 assert(keyname);
160 assert(ret);
161
162 if (!(flags & ASK_PASSWORD_ACCEPT_CACHED))
163 return -EUNATCH;
164
165 r = lookup_key(keyname, &serial);
166 if (r == -ENOSYS) /* when retrieving the distinction doesn't matter */
167 return -ENOKEY;
168 if (r < 0)
169 return r;
170
171 return retrieve_key(serial, ret);
172 }
173
174 static void backspace_chars(int ttyfd, size_t p) {
175
176 if (ttyfd < 0)
177 return;
178
179 while (p > 0) {
180 p--;
181
182 loop_write(ttyfd, "\b \b", 3, false);
183 }
184 }
185
186 static void backspace_string(int ttyfd, const char *str) {
187 size_t m;
188
189 assert(str);
190
191 if (ttyfd < 0)
192 return;
193
194 /* Backspaces through enough characters to entirely undo printing of the specified string. */
195
196 m = utf8_n_codepoints(str);
197 if (m == (size_t) -1)
198 m = strlen(str); /* Not a valid UTF-8 string? If so, let's backspace the number of bytes output. Most
199 * likely this happened because we are not in an UTF-8 locale, and in that case that
200 * is the correct thing to do. And even if it's not, terminals tend to stop
201 * backspacing at the leftmost column, hence backspacing too much should be mostly
202 * OK. */
203
204 backspace_chars(ttyfd, m);
205 }
206
207 int ask_password_tty(
208 int ttyfd,
209 const char *message,
210 const char *keyname,
211 usec_t until,
212 AskPasswordFlags flags,
213 const char *flag_file,
214 char **ret) {
215
216 enum {
217 POLL_TTY,
218 POLL_INOTIFY,
219 _POLL_MAX,
220 };
221
222 bool reset_tty = false, dirty = false, use_color = false;
223 _cleanup_close_ int cttyfd = -1, notify = -1;
224 struct termios old_termios, new_termios;
225 char passphrase[LINE_MAX + 1] = {}, *x;
226 struct pollfd pollfd[_POLL_MAX];
227 size_t p = 0, codepoint = 0;
228 int r;
229
230 assert(ret);
231
232 if (flags & ASK_PASSWORD_NO_TTY)
233 return -EUNATCH;
234
235 if (!message)
236 message = "Password:";
237
238 if (flag_file) {
239 notify = inotify_init1(IN_CLOEXEC|IN_NONBLOCK);
240 if (notify < 0)
241 return -errno;
242
243 if (inotify_add_watch(notify, flag_file, IN_ATTRIB /* for the link count */) < 0)
244 return -errno;
245 }
246
247 /* If the caller didn't specify a TTY, then use the controlling tty, if we can. */
248 if (ttyfd < 0)
249 ttyfd = cttyfd = open("/dev/tty", O_RDWR|O_NOCTTY|O_CLOEXEC);
250
251 if (ttyfd >= 0) {
252 if (tcgetattr(ttyfd, &old_termios) < 0)
253 return -errno;
254
255 if (flags & ASK_PASSWORD_CONSOLE_COLOR)
256 use_color = dev_console_colors_enabled();
257 else
258 use_color = colors_enabled();
259
260 if (use_color)
261 (void) loop_write(ttyfd, ANSI_HIGHLIGHT, STRLEN(ANSI_HIGHLIGHT), false);
262
263 (void) loop_write(ttyfd, message, strlen(message), false);
264 (void) loop_write(ttyfd, " ", 1, false);
265
266 if (use_color)
267 (void) loop_write(ttyfd, ANSI_NORMAL, STRLEN(ANSI_NORMAL), false);
268
269 new_termios = old_termios;
270 new_termios.c_lflag &= ~(ICANON|ECHO);
271 new_termios.c_cc[VMIN] = 1;
272 new_termios.c_cc[VTIME] = 0;
273
274 if (tcsetattr(ttyfd, TCSADRAIN, &new_termios) < 0) {
275 r = -errno;
276 goto finish;
277 }
278
279 reset_tty = true;
280 }
281
282 pollfd[POLL_TTY] = (struct pollfd) {
283 .fd = ttyfd >= 0 ? ttyfd : STDIN_FILENO,
284 .events = POLLIN,
285 };
286 pollfd[POLL_INOTIFY] = (struct pollfd) {
287 .fd = notify,
288 .events = POLLIN,
289 };
290
291 for (;;) {
292 int sleep_for = -1, k;
293 ssize_t n;
294 char c;
295
296 if (until > 0) {
297 usec_t y;
298
299 y = now(CLOCK_MONOTONIC);
300
301 if (y > until) {
302 r = -ETIME;
303 goto finish;
304 }
305
306 sleep_for = (int) DIV_ROUND_UP(until - y, USEC_PER_MSEC);
307 }
308
309 if (flag_file)
310 if (access(flag_file, F_OK) < 0) {
311 r = -errno;
312 goto finish;
313 }
314
315 k = poll(pollfd, notify >= 0 ? 2 : 1, sleep_for);
316 if (k < 0) {
317 if (errno == EINTR)
318 continue;
319
320 r = -errno;
321 goto finish;
322 } else if (k == 0) {
323 r = -ETIME;
324 goto finish;
325 }
326
327 if (notify >= 0 && pollfd[POLL_INOTIFY].revents != 0)
328 (void) flush_fd(notify);
329
330 if (pollfd[POLL_TTY].revents == 0)
331 continue;
332
333 n = read(ttyfd >= 0 ? ttyfd : STDIN_FILENO, &c, 1);
334 if (n < 0) {
335 if (IN_SET(errno, EINTR, EAGAIN))
336 continue;
337
338 r = -errno;
339 goto finish;
340
341 }
342
343 /* We treat EOF, newline and NUL byte all as valid end markers */
344 if (n == 0 || c == '\n' || c == 0)
345 break;
346
347 if (c == 21) { /* C-u */
348
349 if (!(flags & ASK_PASSWORD_SILENT))
350 backspace_string(ttyfd, passphrase);
351
352 explicit_bzero(passphrase, sizeof(passphrase));
353 p = codepoint = 0;
354
355 } else if (IN_SET(c, '\b', 127)) {
356
357 if (p > 0) {
358 size_t q;
359
360 if (!(flags & ASK_PASSWORD_SILENT))
361 backspace_chars(ttyfd, 1);
362
363 /* Remove a full UTF-8 codepoint from the end. For that, figure out where the last one
364 * begins */
365 q = 0;
366 for (;;) {
367 size_t z;
368
369 z = utf8_encoded_valid_unichar(passphrase + q);
370 if (z == 0) {
371 q = (size_t) -1; /* Invalid UTF8! */
372 break;
373 }
374
375 if (q + z >= p) /* This one brings us over the edge */
376 break;
377
378 q += z;
379 }
380
381 p = codepoint = q == (size_t) -1 ? p - 1 : q;
382 explicit_bzero(passphrase + p, sizeof(passphrase) - p);
383
384 } else if (!dirty && !(flags & ASK_PASSWORD_SILENT)) {
385
386 flags |= ASK_PASSWORD_SILENT;
387
388 /* There are two ways to enter silent mode. Either by pressing backspace as first key
389 * (and only as first key), or ... */
390
391 if (ttyfd >= 0)
392 (void) loop_write(ttyfd, "(no echo) ", 10, false);
393
394 } else if (ttyfd >= 0)
395 (void) loop_write(ttyfd, "\a", 1, false);
396
397 } else if (c == '\t' && !(flags & ASK_PASSWORD_SILENT)) {
398
399 backspace_string(ttyfd, passphrase);
400 flags |= ASK_PASSWORD_SILENT;
401
402 /* ... or by pressing TAB at any time. */
403
404 if (ttyfd >= 0)
405 (void) loop_write(ttyfd, "(no echo) ", 10, false);
406
407 } else if (p >= sizeof(passphrase)-1) {
408
409 /* Reached the size limit */
410 if (ttyfd >= 0)
411 (void) loop_write(ttyfd, "\a", 1, false);
412
413 } else {
414 passphrase[p++] = c;
415
416 if (!(flags & ASK_PASSWORD_SILENT) && ttyfd >= 0) {
417 /* Check if we got a complete UTF-8 character now. If so, let's output one '*'. */
418 n = utf8_encoded_valid_unichar(passphrase + codepoint);
419 if (n >= 0) {
420 codepoint = p;
421 (void) loop_write(ttyfd, (flags & ASK_PASSWORD_ECHO) ? &c : "*", 1, false);
422 }
423 }
424
425 dirty = true;
426 }
427
428 /* Let's forget this char, just to not keep needlessly copies of key material around */
429 c = 'x';
430 }
431
432 x = strndup(passphrase, p);
433 explicit_bzero(passphrase, sizeof(passphrase));
434 if (!x) {
435 r = -ENOMEM;
436 goto finish;
437 }
438
439 if (keyname)
440 (void) add_to_keyring_and_log(keyname, flags, STRV_MAKE(x));
441
442 *ret = x;
443 r = 0;
444
445 finish:
446 if (ttyfd >= 0 && reset_tty) {
447 (void) loop_write(ttyfd, "\n", 1, false);
448 (void) tcsetattr(ttyfd, TCSADRAIN, &old_termios);
449 }
450
451 return r;
452 }
453
454 static int create_socket(char **name) {
455 union sockaddr_union sa = {
456 .un.sun_family = AF_UNIX,
457 };
458 _cleanup_close_ int fd = -1;
459 static const int one = 1;
460 char *c;
461 int r;
462
463 assert(name);
464
465 fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
466 if (fd < 0)
467 return -errno;
468
469 snprintf(sa.un.sun_path, sizeof(sa.un.sun_path)-1, "/run/systemd/ask-password/sck.%" PRIx64, random_u64());
470
471 RUN_WITH_UMASK(0177) {
472 if (bind(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0)
473 return -errno;
474 }
475
476 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
477 return -errno;
478
479 c = strdup(sa.un.sun_path);
480 if (!c)
481 return -ENOMEM;
482
483 *name = c;
484
485 r = fd;
486 fd = -1;
487
488 return r;
489 }
490
491 int ask_password_agent(
492 const char *message,
493 const char *icon,
494 const char *id,
495 const char *keyname,
496 usec_t until,
497 AskPasswordFlags flags,
498 char ***ret) {
499
500 enum {
501 FD_SOCKET,
502 FD_SIGNAL,
503 _FD_MAX
504 };
505
506 _cleanup_close_ int socket_fd = -1, signal_fd = -1, fd = -1;
507 char temp[] = "/run/systemd/ask-password/tmp.XXXXXX";
508 char final[sizeof(temp)] = "";
509 _cleanup_free_ char *socket_name = NULL;
510 _cleanup_strv_free_ char **l = NULL;
511 _cleanup_fclose_ FILE *f = NULL;
512 struct pollfd pollfd[_FD_MAX];
513 sigset_t mask, oldmask;
514 int r;
515
516 assert(ret);
517
518 if (flags & ASK_PASSWORD_NO_AGENT)
519 return -EUNATCH;
520
521 assert_se(sigemptyset(&mask) >= 0);
522 assert_se(sigset_add_many(&mask, SIGINT, SIGTERM, -1) >= 0);
523 assert_se(sigprocmask(SIG_BLOCK, &mask, &oldmask) >= 0);
524
525 (void) mkdir_p_label("/run/systemd/ask-password", 0755);
526
527 fd = mkostemp_safe(temp);
528 if (fd < 0) {
529 r = fd;
530 goto finish;
531 }
532
533 (void) fchmod(fd, 0644);
534
535 f = fdopen(fd, "w");
536 if (!f) {
537 r = -errno;
538 goto finish;
539 }
540
541 fd = -1;
542
543 signal_fd = signalfd(-1, &mask, SFD_NONBLOCK|SFD_CLOEXEC);
544 if (signal_fd < 0) {
545 r = -errno;
546 goto finish;
547 }
548
549 socket_fd = create_socket(&socket_name);
550 if (socket_fd < 0) {
551 r = socket_fd;
552 goto finish;
553 }
554
555 fprintf(f,
556 "[Ask]\n"
557 "PID="PID_FMT"\n"
558 "Socket=%s\n"
559 "AcceptCached=%i\n"
560 "Echo=%i\n"
561 "NotAfter="USEC_FMT"\n",
562 getpid_cached(),
563 socket_name,
564 (flags & ASK_PASSWORD_ACCEPT_CACHED) ? 1 : 0,
565 (flags & ASK_PASSWORD_ECHO) ? 1 : 0,
566 until);
567
568 if (message)
569 fprintf(f, "Message=%s\n", message);
570
571 if (icon)
572 fprintf(f, "Icon=%s\n", icon);
573
574 if (id)
575 fprintf(f, "Id=%s\n", id);
576
577 r = fflush_and_check(f);
578 if (r < 0)
579 goto finish;
580
581 memcpy(final, temp, sizeof(temp));
582
583 final[sizeof(final)-11] = 'a';
584 final[sizeof(final)-10] = 's';
585 final[sizeof(final)-9] = 'k';
586
587 if (rename(temp, final) < 0) {
588 r = -errno;
589 goto finish;
590 }
591
592 zero(pollfd);
593 pollfd[FD_SOCKET].fd = socket_fd;
594 pollfd[FD_SOCKET].events = POLLIN;
595 pollfd[FD_SIGNAL].fd = signal_fd;
596 pollfd[FD_SIGNAL].events = POLLIN;
597
598 for (;;) {
599 char passphrase[LINE_MAX+1];
600 struct msghdr msghdr;
601 struct iovec iovec;
602 struct ucred *ucred;
603 union {
604 struct cmsghdr cmsghdr;
605 uint8_t buf[CMSG_SPACE(sizeof(struct ucred))];
606 } control;
607 ssize_t n;
608 int k;
609 usec_t t;
610
611 t = now(CLOCK_MONOTONIC);
612
613 if (until > 0 && until <= t) {
614 r = -ETIME;
615 goto finish;
616 }
617
618 k = poll(pollfd, _FD_MAX, until > 0 ? (int) ((until-t)/USEC_PER_MSEC) : -1);
619 if (k < 0) {
620 if (errno == EINTR)
621 continue;
622
623 r = -errno;
624 goto finish;
625 }
626
627 if (k <= 0) {
628 r = -ETIME;
629 goto finish;
630 }
631
632 if (pollfd[FD_SIGNAL].revents & POLLIN) {
633 r = -EINTR;
634 goto finish;
635 }
636
637 if (pollfd[FD_SOCKET].revents != POLLIN) {
638 r = -EIO;
639 goto finish;
640 }
641
642 zero(iovec);
643 iovec.iov_base = passphrase;
644 iovec.iov_len = sizeof(passphrase);
645
646 zero(control);
647 zero(msghdr);
648 msghdr.msg_iov = &iovec;
649 msghdr.msg_iovlen = 1;
650 msghdr.msg_control = &control;
651 msghdr.msg_controllen = sizeof(control);
652
653 n = recvmsg(socket_fd, &msghdr, 0);
654 if (n < 0) {
655 if (IN_SET(errno, EAGAIN, EINTR))
656 continue;
657
658 r = -errno;
659 goto finish;
660 }
661
662 cmsg_close_all(&msghdr);
663
664 if (n <= 0) {
665 log_debug("Message too short");
666 continue;
667 }
668
669 if (msghdr.msg_controllen < CMSG_LEN(sizeof(struct ucred)) ||
670 control.cmsghdr.cmsg_level != SOL_SOCKET ||
671 control.cmsghdr.cmsg_type != SCM_CREDENTIALS ||
672 control.cmsghdr.cmsg_len != CMSG_LEN(sizeof(struct ucred))) {
673 log_debug("Received message without credentials. Ignoring.");
674 continue;
675 }
676
677 ucred = (struct ucred*) CMSG_DATA(&control.cmsghdr);
678 if (ucred->uid != 0) {
679 log_debug("Got request from unprivileged user. Ignoring.");
680 continue;
681 }
682
683 if (passphrase[0] == '+') {
684 /* An empty message refers to the empty password */
685 if (n == 1)
686 l = strv_new("", NULL);
687 else
688 l = strv_parse_nulstr(passphrase+1, n-1);
689 explicit_bzero(passphrase, n);
690 if (!l) {
691 r = -ENOMEM;
692 goto finish;
693 }
694
695 if (strv_isempty(l)) {
696 l = strv_free(l);
697 log_debug("Invalid packet");
698 continue;
699 }
700
701 break;
702 }
703
704 if (passphrase[0] == '-') {
705 r = -ECANCELED;
706 goto finish;
707 }
708
709 log_debug("Invalid packet");
710 }
711
712 if (keyname)
713 (void) add_to_keyring_and_log(keyname, flags, l);
714
715 *ret = TAKE_PTR(l);
716 r = 0;
717
718 finish:
719 if (socket_name)
720 (void) unlink(socket_name);
721
722 (void) unlink(temp);
723
724 if (final[0])
725 (void) unlink(final);
726
727 assert_se(sigprocmask(SIG_SETMASK, &oldmask, NULL) == 0);
728 return r;
729 }
730
731 int ask_password_auto(
732 const char *message,
733 const char *icon,
734 const char *id,
735 const char *keyname,
736 usec_t until,
737 AskPasswordFlags flags,
738 char ***ret) {
739
740 int r;
741
742 assert(ret);
743
744 if ((flags & ASK_PASSWORD_ACCEPT_CACHED) && keyname) {
745 r = ask_password_keyring(keyname, flags, ret);
746 if (r != -ENOKEY)
747 return r;
748 }
749
750 if (!(flags & ASK_PASSWORD_NO_TTY) && isatty(STDIN_FILENO)) {
751 char *s = NULL, **l = NULL;
752
753 r = ask_password_tty(-1, message, keyname, until, flags, NULL, &s);
754 if (r < 0)
755 return r;
756
757 r = strv_push(&l, s);
758 if (r < 0) {
759 string_erase(s);
760 free(s);
761 return -ENOMEM;
762 }
763
764 *ret = l;
765 return 0;
766 }
767
768 if (!(flags & ASK_PASSWORD_NO_AGENT))
769 return ask_password_agent(message, icon, id, keyname, until, flags, ret);
770
771 return -EUNATCH;
772 }
Unnamed repository; edit this file 'description' to name the repository.