1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 #pragma once
3
4 #include <inttypes.h>
5 #include <sys/types.h>
6
7 #include "sd-id128.h"
8
9 #include "json.h"
10 #include "missing_resource.h"
11 #include "time-util.h"
12
/* Put some limits on disk sizes: not less than 5M, not more than 5T. Where exactly values outside this
 * range are rejected is decided by the loader in user-record.c, not in this header. */
#define USER_DISK_SIZE_MIN (UINT64_C(5)*1024*1024)
#define USER_DISK_SIZE_MAX (UINT64_C(5)*1024*1024*1024*1024)

/* The default disk size to use when nothing else is specified, relative to free disk space (in percent) */
#define USER_DISK_SIZE_DEFAULT_PERCENT 85
19
/* Coarse classification of a user account by how its UID was allocated and what it is meant for. The
 * numeric values are spelled out so that the on-the-wire/ABI meaning of each constant is explicit. */
typedef enum UserDisposition {
        USER_INTRINSIC = 0,            /* root and nobody */
        USER_SYSTEM = 1,               /* statically allocated users for system services */
        USER_DYNAMIC = 2,              /* dynamically allocated users for system services */
        USER_REGULAR = 3,              /* regular (typically human) users */
        USER_CONTAINER = 4,            /* UID ranges allocated for container uses */
        USER_RESERVED = 5,             /* Range above 2^31 */
        _USER_DISPOSITION_MAX = 6,     /* one past the last valid disposition */
        _USER_DISPOSITION_INVALID = -1,
} UserDisposition;
30
/* How the home directory of a user is stored on disk. Note that the tag is UserHomeStorage while the
 * typedef name is UserStorage; both refer to the same enumeration. */
typedef enum UserHomeStorage {
        USER_CLASSIC = 0,          /* plain home directory without an identity file */
        USER_LUKS = 1,
        USER_DIRECTORY = 2,        /* A directory, and a .identity file in it, which USER_CLASSIC lacks */
        USER_SUBVOLUME = 3,
        USER_FSCRYPT = 4,
        USER_CIFS = 5,
        _USER_STORAGE_MAX = 6,     /* one past the last valid storage type */
        _USER_STORAGE_INVALID = -1
} UserStorage;
41
/* The various sections an identity record may have, as a bit mask. Every section occupies one of the
 * seven lowest bits, so any valid mask is covered by _USER_RECORD_MASK_MAX; UserRecordLoadFlags relies on
 * this width when it shifts the mask into its REQUIRE/ALLOW/STRIP ranges. */
typedef enum UserRecordMask {
        USER_RECORD_REGULAR     = 0x01U, /* bit 0 */
        USER_RECORD_SECRET      = 0x02U, /* bit 1 */
        USER_RECORD_PRIVILEGED  = 0x04U, /* bit 2 */
        USER_RECORD_PER_MACHINE = 0x08U, /* bit 3 */
        USER_RECORD_BINDING     = 0x10U, /* bit 4 */
        USER_RECORD_STATUS      = 0x20U, /* bit 5 */
        USER_RECORD_SIGNATURE   = 0x40U, /* bit 6 */
        _USER_RECORD_MASK_MAX   = 0x7FU  /* all seven section bits set */
} UserRecordMask;
53
typedef enum UserRecordLoadFlags {
        /* A set of flags used while loading a user record from JSON data. The flags are built from
         * UserRecordMask by shifting the (7 bit wide) section mask into three disjoint ranges:
         *
         *   bits  7..13  REQUIRE — sections that must be present
         *   bits 14..20  ALLOW   — sections that may be present
         *   bits 21..27  STRIP   — sections to drop from the loaded record
         *   bit  28      LOG, bit 29 PERMISSIVE (see the end of this enum)
         *
         * We leave the lower 7 bits free, just as a safety precaution so that we can detect borked
         * conversions between UserRecordMask and UserRecordLoadFlags: a plain UserRecordMask value passed
         * where load flags are expected selects nothing. How the loader reacts to a section that is
         * present but neither required nor allowed is decided in user-record.c, not here. */

        /* What to require */
        USER_RECORD_REQUIRE_REGULAR = USER_RECORD_REGULAR << 7,
        USER_RECORD_REQUIRE_SECRET = USER_RECORD_SECRET << 7,
        USER_RECORD_REQUIRE_PRIVILEGED = USER_RECORD_PRIVILEGED << 7,
        USER_RECORD_REQUIRE_PER_MACHINE = USER_RECORD_PER_MACHINE << 7,
        USER_RECORD_REQUIRE_BINDING = USER_RECORD_BINDING << 7,
        USER_RECORD_REQUIRE_STATUS = USER_RECORD_STATUS << 7,
        USER_RECORD_REQUIRE_SIGNATURE = USER_RECORD_SIGNATURE << 7,

        /* What to allow (USER_RECORD_ALLOW_MASK() treats required sections as allowed as well) */
        USER_RECORD_ALLOW_REGULAR = USER_RECORD_REGULAR << 14,
        USER_RECORD_ALLOW_SECRET = USER_RECORD_SECRET << 14,
        USER_RECORD_ALLOW_PRIVILEGED = USER_RECORD_PRIVILEGED << 14,
        USER_RECORD_ALLOW_PER_MACHINE = USER_RECORD_PER_MACHINE << 14,
        USER_RECORD_ALLOW_BINDING = USER_RECORD_BINDING << 14,
        USER_RECORD_ALLOW_STATUS = USER_RECORD_STATUS << 14,
        USER_RECORD_ALLOW_SIGNATURE = USER_RECORD_SIGNATURE << 14,

        /* What to strip */
        USER_RECORD_STRIP_REGULAR = USER_RECORD_REGULAR << 21,
        USER_RECORD_STRIP_SECRET = USER_RECORD_SECRET << 21,
        USER_RECORD_STRIP_PRIVILEGED = USER_RECORD_PRIVILEGED << 21,
        USER_RECORD_STRIP_PER_MACHINE = USER_RECORD_PER_MACHINE << 21,
        USER_RECORD_STRIP_BINDING = USER_RECORD_BINDING << 21,
        USER_RECORD_STRIP_STATUS = USER_RECORD_STATUS << 21,
        USER_RECORD_STRIP_SIGNATURE = USER_RECORD_SIGNATURE << 21,

        /* Some special combinations that deserve explicit names */

        /* The regular section is mandatory, every other section is accepted and kept. */
        USER_RECORD_LOAD_FULL = USER_RECORD_REQUIRE_REGULAR |
                                USER_RECORD_ALLOW_SECRET |
                                USER_RECORD_ALLOW_PRIVILEGED |
                                USER_RECORD_ALLOW_PER_MACHINE |
                                USER_RECORD_ALLOW_BINDING |
                                USER_RECORD_ALLOW_STATUS |
                                USER_RECORD_ALLOW_SIGNATURE,

        /* Like LOAD_FULL, but the secret section is not in the ALLOW set at all, i.e. a record that carries
         * one is not accepted as-is (the name says "refuse"; the exact failure mode lives in the loader). */
        USER_RECORD_LOAD_REFUSE_SECRET = USER_RECORD_REQUIRE_REGULAR |
                                         USER_RECORD_ALLOW_PRIVILEGED |
                                         USER_RECORD_ALLOW_PER_MACHINE |
                                         USER_RECORD_ALLOW_BINDING |
                                         USER_RECORD_ALLOW_STATUS |
                                         USER_RECORD_ALLOW_SIGNATURE,

        /* Like REFUSE_SECRET, but a secret section is tolerated and dropped from the result instead. */
        USER_RECORD_LOAD_MASK_SECRET = USER_RECORD_REQUIRE_REGULAR |
                                       USER_RECORD_ALLOW_PRIVILEGED |
                                       USER_RECORD_ALLOW_PER_MACHINE |
                                       USER_RECORD_ALLOW_BINDING |
                                       USER_RECORD_ALLOW_STATUS |
                                       USER_RECORD_ALLOW_SIGNATURE |
                                       USER_RECORD_STRIP_SECRET,

        /* The inverse: the secret section is mandatory, everything else is stripped away. */
        USER_RECORD_EXTRACT_SECRET = USER_RECORD_REQUIRE_SECRET |
                                     USER_RECORD_STRIP_REGULAR |
                                     USER_RECORD_STRIP_PRIVILEGED |
                                     USER_RECORD_STRIP_PER_MACHINE |
                                     USER_RECORD_STRIP_BINDING |
                                     USER_RECORD_STRIP_STATUS |
                                     USER_RECORD_STRIP_SIGNATURE,

        /* Only the sections that are covered by a signature: regular, privileged, per-machine. */
        USER_RECORD_LOAD_SIGNABLE = USER_RECORD_REQUIRE_REGULAR |
                                    USER_RECORD_ALLOW_PRIVILEGED |
                                    USER_RECORD_ALLOW_PER_MACHINE,

        /* LOAD_SIGNABLE plus explicit stripping of everything that is not signable. */
        USER_RECORD_EXTRACT_SIGNABLE = USER_RECORD_LOAD_SIGNABLE |
                                       USER_RECORD_STRIP_SECRET |
                                       USER_RECORD_STRIP_BINDING |
                                       USER_RECORD_STRIP_STATUS |
                                       USER_RECORD_STRIP_SIGNATURE,

        /* The signable sections plus the signature itself, i.e. what can be embedded elsewhere. */
        USER_RECORD_LOAD_EMBEDDED = USER_RECORD_REQUIRE_REGULAR |
                                    USER_RECORD_ALLOW_PRIVILEGED |
                                    USER_RECORD_ALLOW_PER_MACHINE |
                                    USER_RECORD_ALLOW_SIGNATURE,

        /* LOAD_EMBEDDED plus explicit stripping of secret, binding and status. */
        USER_RECORD_EXTRACT_EMBEDDED = USER_RECORD_LOAD_EMBEDDED |
                                       USER_RECORD_STRIP_SECRET |
                                       USER_RECORD_STRIP_BINDING |
                                       USER_RECORD_STRIP_STATUS,

        /* Whether to log about loader errors beyond LOG_DEBUG (mapped to JSON_LOG by
         * USER_RECORD_LOAD_FLAGS_TO_JSON_DISPATCH_FLAGS()) */
        USER_RECORD_LOG = 1U << 28,

        /* Whether to ignore errors and load what we can (mapped to JSON_PERMISSIVE) */
        USER_RECORD_PERMISSIVE = 1U << 29,
} UserRecordLoadFlags;
144
/* Turn a section mask into the REQUIRE range (bits 7..13) of UserRecordLoadFlags. A mask with bits outside
 * _USER_RECORD_MASK_MAX would spill into the ALLOW range, hence the assertion. */
static inline UserRecordLoadFlags USER_RECORD_REQUIRE(UserRecordMask m) {
        unsigned shifted;

        assert((m & ~_USER_RECORD_MASK_MAX) == 0);

        shifted = (unsigned) m << 7;
        return (UserRecordLoadFlags) shifted;
}
149
/* Turn a section mask into the ALLOW range (bits 14..20) of UserRecordLoadFlags. Bits outside
 * _USER_RECORD_MASK_MAX would spill into the STRIP range, hence the assertion. */
static inline UserRecordLoadFlags USER_RECORD_ALLOW(UserRecordMask m) {
        unsigned shifted;

        assert((m & ~_USER_RECORD_MASK_MAX) == 0);

        shifted = (unsigned) m << 14;
        return (UserRecordLoadFlags) shifted;
}
154
/* Turn a section mask into the STRIP range (bits 21..27) of UserRecordLoadFlags. Bits outside
 * _USER_RECORD_MASK_MAX would collide with USER_RECORD_LOG/USER_RECORD_PERMISSIVE, hence the assertion. */
static inline UserRecordLoadFlags USER_RECORD_STRIP(UserRecordMask m) {
        unsigned shifted;

        assert((m & ~_USER_RECORD_MASK_MAX) == 0);

        shifted = (unsigned) m << 21;
        return (UserRecordLoadFlags) shifted;
}
159
/* Extract the REQUIRE range (bits 7..13) of the load flags as a plain section mask. */
static inline UserRecordMask USER_RECORD_REQUIRE_MASK(UserRecordLoadFlags f) {
        unsigned required = (unsigned) f >> 7;

        return (UserRecordMask) (required & _USER_RECORD_MASK_MAX);
}
163
/* Extract the ALLOW range (bits 14..20) of the load flags as a section mask. Whatever is required is
 * implicitly allowed as well, so the REQUIRE mask is folded in. */
static inline UserRecordMask USER_RECORD_ALLOW_MASK(UserRecordLoadFlags f) {
        unsigned allowed = ((unsigned) f >> 14) & _USER_RECORD_MASK_MAX;

        return (UserRecordMask) (allowed | USER_RECORD_REQUIRE_MASK(f));
}
167
/* Extract the STRIP range (bits 21..27) of the load flags as a plain section mask. */
static inline UserRecordMask USER_RECORD_STRIP_MASK(UserRecordLoadFlags f) {
        unsigned stripped = (unsigned) f >> 21;

        return (UserRecordMask) (stripped & _USER_RECORD_MASK_MAX);
}
171
/* Translate the two loader behaviour flags (USER_RECORD_LOG, USER_RECORD_PERMISSIVE) into their
 * JsonDispatchFlags counterparts. The REQUIRE/ALLOW/STRIP ranges are not forwarded to the JSON layer. */
static inline JsonDispatchFlags USER_RECORD_LOAD_FLAGS_TO_JSON_DISPATCH_FLAGS(UserRecordLoadFlags flags) {
        JsonDispatchFlags dispatch = 0;

        if (FLAGS_SET(flags, USER_RECORD_LOG))
                dispatch |= JSON_LOG;
        if (FLAGS_SET(flags, USER_RECORD_PERMISSIVE))
                dispatch |= JSON_PERMISSIVE;

        return dispatch;
}
176
/* One PKCS#11-protected unlock credential of a user record: a passphrase encrypted to a token's key, plus
 * the URI of that key. Ownership of the pointers is with the enclosing UserRecord (see
 * UserRecord.pkcs11_encrypted_key / n_pkcs11_encrypted_key). */
typedef struct Pkcs11EncryptedKey {
        /* The encrypted passphrase, which can be decrypted with the private key indicated below */
        void *data;
        size_t size;

        /* Where to find the private key to decrypt the encrypted passphrase above (a PKCS#11 URI) */
        char *uri;

        /* What to test the decrypted passphrase against to allow access (classic UNIX password hash). Note
         * that the decrypted passphrase is also used for unlocking LUKS and fscrypt, and if the account is
         * backed by LUKS or fscrypt the hashed password is only an additional layer of authentication, not
         * the only one. */
        char *hashed_password;
} Pkcs11EncryptedKey;
191
/* In-memory form of a JSON user record. Everything below the first three fields mirrors a JSON field; which
 * UserRecordMask section (regular, secret, privileged, ...) a given field belongs to is decided by the
 * loader in user-record.c and is not visible from this header. Pointer members are presumably owned by
 * the record and released by user_record_unref() — confirm against user-record.c. */
typedef struct UserRecord {
        /* The following three fields are not part of the JSON record */
        unsigned n_ref;         /* reference count, see user_record_ref()/user_record_unref() */
        UserRecordMask mask;    /* which sections this record currently carries */
        bool incomplete; /* incomplete due to security restrictions. */

        /* Identity */
        char *user_name;
        char *realm;
        char *user_name_and_realm_auto; /* the user_name field concatenated with '@' and the realm, if the latter is defined */
        char *real_name;
        char *email_address;
        char *password_hint;
        char *icon_name;
        char *location;

        UserDisposition disposition;
        uint64_t last_change_usec;
        uint64_t last_password_change_usec;

        /* Login session environment and resource limits */
        char *shell;
        mode_t umask;
        char **environment;
        char *time_zone;
        char *preferred_language;
        int nice_level;
        struct rlimit *rlimits[_RLIMIT_MAX]; /* indexed by RLIMIT_*, NULL where unset */

        /* Tri-state ints (negative presumably meaning "unset") are used throughout this struct for
         * booleans that may be absent from the JSON record — TODO confirm the convention in user-record.c */
        int locked; /* prohibit activation in general */
        uint64_t not_before_usec; /* prohibit activation before this unix time */
        uint64_t not_after_usec; /* prohibit activation after this unix time */

        /* Home directory storage */
        UserStorage storage;
        uint64_t disk_size; /* absolute size in bytes, see USER_DISK_SIZE_MIN/MAX */
        uint64_t disk_size_relative; /* Disk size, relative to the free bytes of the medium, normalized to UINT32_MAX = 100% */
        char *skeleton_directory;
        mode_t access_mode;

        /* Per-user cgroup resource limits */
        uint64_t tasks_max;
        uint64_t memory_high;
        uint64_t memory_max;
        uint64_t cpu_weight;
        uint64_t io_weight;

        /* Mount options for the home directory, see user_record_mount_flags() */
        bool nosuid;
        bool nodev;
        bool noexec;

        /* Credentials. hashed_password holds classic UNIX password hashes; password and pkcs11_pin hold
         * unhashed secrets and must be handled accordingly (which section they are loaded from, and when
         * they are stripped, is decided by the loader and the USER_RECORD_*_SECRET flags). */
        char **hashed_password;
        char **ssh_authorized_keys;
        char **password;
        char **pkcs11_pin;

        /* CIFS backing (USER_CIFS storage) */
        char *cifs_domain;
        char *cifs_user_name;
        char *cifs_service;

        /* Paths */
        char *image_path;
        char *image_path_auto; /* when none is configured explicitly, this is where we place the implicit image */
        char *home_directory;
        char *home_directory_auto; /* when none is set explicitly, this is where we place the implicit home directory */

        uid_t uid;
        gid_t gid;

        char **member_of; /* groups this user is a member of */

        /* File system / LUKS backing parameters (USER_LUKS storage) */
        char *file_system_type;
        sd_id128_t partition_uuid;
        sd_id128_t luks_uuid;
        sd_id128_t file_system_uuid;

        int luks_discard;
        int luks_offline_discard;
        char *luks_cipher;
        char *luks_cipher_mode;
        uint64_t luks_volume_key_size;
        char *luks_pbkdf_hash_algorithm;
        char *luks_pbkdf_type;
        uint64_t luks_pbkdf_time_cost_usec;
        uint64_t luks_pbkdf_memory_cost;
        uint64_t luks_pbkdf_parallel_threads;

        /* Disk usage status */
        uint64_t disk_usage;
        uint64_t disk_free;
        uint64_t disk_ceiling;
        uint64_t disk_floor;

        char *state;
        char *service;
        int signed_locally;

        /* Authentication bookkeeping */
        uint64_t good_authentication_counter;
        uint64_t bad_authentication_counter;
        uint64_t last_good_authentication_usec;
        uint64_t last_bad_authentication_usec;

        /* Authentication rate limiting; presumably consumed by user_record_ratelimit_next_try() */
        uint64_t ratelimit_begin_usec;
        uint64_t ratelimit_count;
        uint64_t ratelimit_interval_usec;
        uint64_t ratelimit_burst;

        int removable;
        int enforce_password_policy;
        int auto_login;

        uint64_t stop_delay_usec; /* How long to leave systemd --user around on log-out */
        int kill_processes; /* Whether to kill user processes forcibly on log-out */

        /* The following exist mostly so that we can cover the full /etc/shadow set of fields */
        uint64_t password_change_min_usec; /* maps to .sp_min */
        uint64_t password_change_max_usec; /* maps to .sp_max */
        uint64_t password_change_warn_usec; /* maps to .sp_warn */
        uint64_t password_change_inactive_usec; /* maps to .sp_inact */
        int password_change_now; /* Require a password change immediately on next login (.sp_lstchg = 0) */

        /* PKCS#11 token based authentication */
        char **pkcs11_token_uri;
        Pkcs11EncryptedKey *pkcs11_encrypted_key; /* array of n_pkcs11_encrypted_key entries */
        size_t n_pkcs11_encrypted_key;
        int pkcs11_protected_authentication_path_permitted;

        /* The JSON variant this record was built from/serializes to */
        JsonVariant *json;
} UserRecord;
314
/* Lifecycle: records are reference counted via n_ref. user_record_unref() presumably returns NULL so that
 * it can be used as `h = user_record_unref(h);` — the common systemd convention, confirm in user-record.c. */
UserRecord* user_record_new(void);
UserRecord* user_record_ref(UserRecord *h);
UserRecord* user_record_unref(UserRecord *h);

/* Defines user_record_unrefp() for use with _cleanup_(...) */
DEFINE_TRIVIAL_CLEANUP_FUNC(UserRecord*, user_record_unref);

/* Populate a record from JSON. The flags select which sections must/may be present and which are stripped
 * (see UserRecordLoadFlags); callers that must never keep secrets in memory pass one of the
 * *_REFUSE_SECRET/*_MASK_SECRET combinations. user_record_build() builds a record from a varargs
 * JSON description (see json.h for the argument encoding). */
int user_record_load(UserRecord *h, JsonVariant *v, UserRecordLoadFlags flags);
int user_record_build(UserRecord **ret, ...);

/* Accessors. Each is named after the field it reads; where a record leaves a field unset they presumably
 * fall back to a default or the *_auto field, which is why callers should use these rather than the raw
 * struct members — confirm in user-record.c. Returned strings are borrowed from the record. */
const char *user_record_user_name_and_realm(UserRecord *h);
UserStorage user_record_storage(UserRecord *h);
const char *user_record_file_system_type(UserRecord *h);
const char *user_record_skeleton_directory(UserRecord *h);
mode_t user_record_access_mode(UserRecord *h);
const char *user_record_home_directory(UserRecord *h);
const char *user_record_image_path(UserRecord *h);
unsigned long user_record_mount_flags(UserRecord *h);
const char *user_record_cifs_user_name(UserRecord *h);
const char *user_record_shell(UserRecord *h);
const char *user_record_real_name(UserRecord *h);
bool user_record_luks_discard(UserRecord *h);
bool user_record_luks_offline_discard(UserRecord *h);
const char *user_record_luks_cipher(UserRecord *h);
const char *user_record_luks_cipher_mode(UserRecord *h);
uint64_t user_record_luks_volume_key_size(UserRecord *h);
const char* user_record_luks_pbkdf_type(UserRecord *h);
usec_t user_record_luks_pbkdf_time_cost_usec(UserRecord *h);
uint64_t user_record_luks_pbkdf_memory_cost(UserRecord *h);
uint64_t user_record_luks_pbkdf_parallel_threads(UserRecord *h);
const char *user_record_luks_pbkdf_hash_algorithm(UserRecord *h);
gid_t user_record_gid(UserRecord *h);
UserDisposition user_record_disposition(UserRecord *h);
int user_record_removable(UserRecord *h);
usec_t user_record_ratelimit_interval_usec(UserRecord *h);
uint64_t user_record_ratelimit_burst(UserRecord *h);
bool user_record_can_authenticate(UserRecord *h);

/* Comparison helpers. user_record_compatible() presumably checks that two records describe the same
 * identity, user_record_compare_last_change() orders by last_change_usec — confirm in user-record.c. */
bool user_record_equal(UserRecord *a, UserRecord *b);
bool user_record_compatible(UserRecord *a, UserRecord *b);
int user_record_compare_last_change(UserRecord *a, UserRecord *b);

/* When the next authentication attempt is permitted given the ratelimit_* fields */
usec_t user_record_ratelimit_next_try(UserRecord *h);

/* Re-load the record's JSON under different load flags, e.g. to strip the secret section before handing
 * the record to a less privileged consumer. user_record_masked_equal() compares only the sections in mask. */
int user_record_clone(UserRecord *h, UserRecordLoadFlags flags, UserRecord **ret);
int user_record_masked_equal(UserRecord *a, UserRecord *b, UserRecordMask mask);

/* Policy checks derived from locked/not_before_usec/not_after_usec and the password_change_* fields.
 * Return values are ints; whether a failure is reported as a negative errno or a positive status is not
 * visible here — check user-record.c before treating the result as a boolean. */
int user_record_test_blocked(UserRecord *h);
int user_record_test_password_change_required(UserRecord *h);

/* The following six are used by group-record.c, that's why we export them here */
int json_dispatch_realm(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata);
int json_dispatch_user_group_list(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata);
int json_dispatch_user_disposition(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata);

int per_machine_id_match(JsonVariant *ids, JsonDispatchFlags flags);
int per_machine_hostname_match(JsonVariant *hns, JsonDispatchFlags flags);
/* Apply the REQUIRE/ALLOW/STRIP policy in load_flags to a raw JSON record, returning the resulting variant
 * and the mask of sections it still contains. Shared by user and group record loading. */
int user_group_record_mangle(JsonVariant *v, UserRecordLoadFlags load_flags, JsonVariant **ret_variant, UserRecordMask *ret_mask);

/* String <-> enum conversion; the *_from_string() variants return the *_INVALID value on unknown input */
const char* user_storage_to_string(UserStorage t) _const_;
UserStorage user_storage_from_string(const char *s) _pure_;

const char* user_disposition_to_string(UserDisposition t) _const_;
UserDisposition user_disposition_from_string(const char *s) _pure_;