1 /* SPDX-License-Identifier: LGPL-2.1+ */
10 #include "missing_resource.h"
11 #include "time-util.h"
/* Limits on home disk sizes: no smaller than 5 MiB, no larger than 5 TiB.
 * Expressed as shifts (5 * 2^20 and 5 * 2^40); both values fit comfortably in uint64_t. */
#define USER_DISK_SIZE_MIN (UINT64_C(5) << 20)
#define USER_DISK_SIZE_MAX (UINT64_C(5) << 40)

/* When no explicit size is given, this share of the free space on the backing medium is used. */
#define USER_DISK_SIZE_DEFAULT_PERCENT 85
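/* Classifies a user by how its UID range was allocated and whom it is for. The "_MAX" and
 * "_INVALID" entries follow the usual systemd enum convention (count, and an out-of-band -1). */
typedef enum UserDisposition {
        USER_INTRINSIC,   /* root and nobody */
        USER_SYSTEM,      /* statically allocated users for system services */
        USER_DYNAMIC,     /* dynamically allocated users for system services */
        USER_REGULAR,     /* regular (typically human) users */
        USER_CONTAINER,   /* UID ranges allocated for container uses */
        USER_RESERVED,    /* Range above 2^31 */
        _USER_DISPOSITION_MAX,
        _USER_DISPOSITION_INVALID = -1,
} UserDisposition;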
/* Kind of backing storage behind a user's home directory.
 * NOTE(review): this excerpt shows only two enumerators. USER_CLASSIC is referred to by the comment
 * below but is not defined here, and neither the remaining storage kinds nor the closing
 * "UserStorage" typedef name (used by user_record_storage() and user_storage_to_string() further
 * down) are visible — confirm against the full header. */
typedef enum UserHomeStorage {
        USER_DIRECTORY,   /* A directory, and a .identity file in it, which USER_CLASSIC lacks */
        _USER_STORAGE_INVALID = -1
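/* The various sections an identity record may have, as a bit mask. The same seven bits are reused
 * by UserRecordLoadFlags, shifted into its "require", "allow" and "strip" windows, so the set of
 * sections must stay within _USER_RECORD_MASK_MAX. */
typedef enum UserRecordMask {
        USER_RECORD_REGULAR     = 1U << 0,
        USER_RECORD_SECRET      = 1U << 1,
        USER_RECORD_PRIVILEGED  = 1U << 2,
        USER_RECORD_PER_MACHINE = 1U << 3,
        USER_RECORD_BINDING     = 1U << 4,
        USER_RECORD_STATUS      = 1U << 5,
        USER_RECORD_SIGNATURE   = 1U << 6,
        _USER_RECORD_MASK_MAX   = (1U << 7)-1  /* all seven section bits set */
} UserRecordMask;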
typedef enum UserRecordLoadFlags {
        /* A set of flags used while loading a user record from JSON data. The lower 7 bits (0..6, the
         * width of _USER_RECORD_MASK_MAX) are deliberately left unused, as a safety precaution: a
         * UserRecordMask accidentally passed where UserRecordLoadFlags is expected (or vice versa) then
         * ends up with bits that neither side defines. The three 7-bit windows below are the section
         * mask shifted by 7, 14 and 21; USER_RECORD_REQUIRE()/ALLOW()/STRIP() build them and the
         * matching *_MASK() helpers take them apart again. */

        /* Sections that must be present: bits 7..13 */
        USER_RECORD_REQUIRE_REGULAR     = USER_RECORD_REGULAR << 7,
        USER_RECORD_REQUIRE_SECRET      = USER_RECORD_SECRET << 7,
        USER_RECORD_REQUIRE_PRIVILEGED  = USER_RECORD_PRIVILEGED << 7,
        USER_RECORD_REQUIRE_PER_MACHINE = USER_RECORD_PER_MACHINE << 7,
        USER_RECORD_REQUIRE_BINDING     = USER_RECORD_BINDING << 7,
        USER_RECORD_REQUIRE_STATUS      = USER_RECORD_STATUS << 7,
        USER_RECORD_REQUIRE_SIGNATURE   = USER_RECORD_SIGNATURE << 7,

        /* Sections that may be present: bits 14..20. USER_RECORD_ALLOW_MASK() also counts every
         * required section as allowed, so a REQUIRE_* bit never needs the matching ALLOW_* bit. */
        USER_RECORD_ALLOW_REGULAR       = USER_RECORD_REGULAR << 14,
        USER_RECORD_ALLOW_SECRET        = USER_RECORD_SECRET << 14,
        USER_RECORD_ALLOW_PRIVILEGED    = USER_RECORD_PRIVILEGED << 14,
        USER_RECORD_ALLOW_PER_MACHINE   = USER_RECORD_PER_MACHINE << 14,
        USER_RECORD_ALLOW_BINDING       = USER_RECORD_BINDING << 14,
        USER_RECORD_ALLOW_STATUS        = USER_RECORD_STATUS << 14,
        USER_RECORD_ALLOW_SIGNATURE     = USER_RECORD_SIGNATURE << 14,

        /* Sections to drop from the loaded record: bits 21..27. Several combinations below strip a
         * section without also allowing it (e.g. LOAD_MASK_SECRET), so presumably a stripped section
         * is tolerated on input regardless of the allow window — the loader in user-record.c decides. */
        USER_RECORD_STRIP_REGULAR       = USER_RECORD_REGULAR << 21,
        USER_RECORD_STRIP_SECRET        = USER_RECORD_SECRET << 21,
        USER_RECORD_STRIP_PRIVILEGED    = USER_RECORD_PRIVILEGED << 21,
        USER_RECORD_STRIP_PER_MACHINE   = USER_RECORD_PER_MACHINE << 21,
        USER_RECORD_STRIP_BINDING       = USER_RECORD_BINDING << 21,
        USER_RECORD_STRIP_STATUS        = USER_RECORD_STATUS << 21,
        USER_RECORD_STRIP_SIGNATURE     = USER_RECORD_SIGNATURE << 21,

        /* Some special combinations that deserve explicit names */

        /* Regular section mandatory, every other section (secret material included) accepted. */
        USER_RECORD_LOAD_FULL = USER_RECORD_REQUIRE_REGULAR |
                                USER_RECORD_ALLOW_SECRET |
                                USER_RECORD_ALLOW_PRIVILEGED |
                                USER_RECORD_ALLOW_PER_MACHINE |
                                USER_RECORD_ALLOW_BINDING |
                                USER_RECORD_ALLOW_STATUS |
                                USER_RECORD_ALLOW_SIGNATURE,

        /* LOAD_FULL minus ALLOW_SECRET: the secret section is neither required nor allowed. */
        USER_RECORD_LOAD_REFUSE_SECRET = USER_RECORD_REQUIRE_REGULAR |
                                         USER_RECORD_ALLOW_PRIVILEGED |
                                         USER_RECORD_ALLOW_PER_MACHINE |
                                         USER_RECORD_ALLOW_BINDING |
                                         USER_RECORD_ALLOW_STATUS |
                                         USER_RECORD_ALLOW_SIGNATURE,

        /* LOAD_REFUSE_SECRET plus STRIP_SECRET: differs from it only in that the secret section is
         * removed from the result rather than (presumably) causing the load to fail. */
        USER_RECORD_LOAD_MASK_SECRET = USER_RECORD_REQUIRE_REGULAR |
                                       USER_RECORD_ALLOW_PRIVILEGED |
                                       USER_RECORD_ALLOW_PER_MACHINE |
                                       USER_RECORD_ALLOW_BINDING |
                                       USER_RECORD_ALLOW_STATUS |
                                       USER_RECORD_ALLOW_SIGNATURE |
                                       USER_RECORD_STRIP_SECRET,

        /* The mirror image: keep only the secret section, drop all six others. */
        USER_RECORD_EXTRACT_SECRET = USER_RECORD_REQUIRE_SECRET |
                                     USER_RECORD_STRIP_REGULAR |
                                     USER_RECORD_STRIP_PRIVILEGED |
                                     USER_RECORD_STRIP_PER_MACHINE |
                                     USER_RECORD_STRIP_BINDING |
                                     USER_RECORD_STRIP_STATUS |
                                     USER_RECORD_STRIP_SIGNATURE,

        /* Regular, privileged and per-machine sections only — presumably the part of a record that a
         * signature covers. */
        USER_RECORD_LOAD_SIGNABLE = USER_RECORD_REQUIRE_REGULAR |
                                    USER_RECORD_ALLOW_PRIVILEGED |
                                    USER_RECORD_ALLOW_PER_MACHINE,

        /* LOAD_SIGNABLE with the non-signable sections (secret, binding, status, signature) dropped. */
        USER_RECORD_EXTRACT_SIGNABLE = USER_RECORD_LOAD_SIGNABLE |
                                       USER_RECORD_STRIP_SECRET |
                                       USER_RECORD_STRIP_BINDING |
                                       USER_RECORD_STRIP_STATUS |
                                       USER_RECORD_STRIP_SIGNATURE,

        /* Like LOAD_SIGNABLE but the signature section itself is also accepted. */
        USER_RECORD_LOAD_EMBEDDED = USER_RECORD_REQUIRE_REGULAR |
                                    USER_RECORD_ALLOW_PRIVILEGED |
                                    USER_RECORD_ALLOW_PER_MACHINE |
                                    USER_RECORD_ALLOW_SIGNATURE,

        /* LOAD_EMBEDDED with secret, binding and status dropped; unlike EXTRACT_SIGNABLE the signature
         * is kept. */
        USER_RECORD_EXTRACT_EMBEDDED = USER_RECORD_LOAD_EMBEDDED |
                                       USER_RECORD_STRIP_SECRET |
                                       USER_RECORD_STRIP_BINDING |
                                       USER_RECORD_STRIP_STATUS,

        /* The two flags below sit above the strip window (bit 27 is the last section bit), so the
         * *_MASK() helpers, which mask with _USER_RECORD_MASK_MAX, never leak them into a section mask. */

        /* Whether to log about loader errors beyond LOG_DEBUG */
        USER_RECORD_LOG = 1U << 28,

        /* Whether to ignore errors and load what we can */
        USER_RECORD_PERMISSIVE = 1U << 29,
} UserRecordLoadFlags;
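/* Turns a section mask into "these sections must be present" load flags (bits 7..13). The shift
 * mirrors the USER_RECORD_REQUIRE_* enumerators (USER_RECORD_* << 7) and is the inverse of
 * USER_RECORD_REQUIRE_MASK().
 *
 * The assert rejects masks with bits outside _USER_RECORD_MASK_MAX; such bits would otherwise be
 * shifted into the allow window or beyond and silently change what the loader accepts. If assert is
 * compiled out, nothing else checks this, so only pass masks built from UserRecordMask values. */
static inline UserRecordLoadFlags USER_RECORD_REQUIRE(UserRecordMask m) {
        assert((m & ~_USER_RECORD_MASK_MAX) == 0);
        return (UserRecordLoadFlags) ((unsigned) m << 7);
}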
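/* Turns a section mask into "these sections may be present" load flags (bits 14..20). The shift
 * mirrors the USER_RECORD_ALLOW_* enumerators (USER_RECORD_* << 14); note that USER_RECORD_ALLOW_MASK()
 * folds the require window in as well, so this is not its exact inverse.
 *
 * The assert rejects masks with bits outside _USER_RECORD_MASK_MAX, which would land in the strip
 * window. If assert is compiled out, nothing else checks this. */
static inline UserRecordLoadFlags USER_RECORD_ALLOW(UserRecordMask m) {
        assert((m & ~_USER_RECORD_MASK_MAX) == 0);
        return (UserRecordLoadFlags) ((unsigned) m << 14);
}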
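/* Turns a section mask into "drop these sections after loading" flags (bits 21..27). The shift
 * mirrors the USER_RECORD_STRIP_* enumerators (USER_RECORD_* << 21) and is the inverse of
 * USER_RECORD_STRIP_MASK().
 *
 * The assert rejects masks with bits outside _USER_RECORD_MASK_MAX; bit 7 of such a mask would
 * collide with USER_RECORD_LOG. If assert is compiled out, nothing else checks this. */
static inline UserRecordLoadFlags USER_RECORD_STRIP(UserRecordMask m) {
        assert((m & ~_USER_RECORD_MASK_MAX) == 0);
        return (UserRecordLoadFlags) ((unsigned) m << 21);
}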
/* Extracts the "require" window (bits 7..13) of load flags as a section mask; the inverse of
 * USER_RECORD_REQUIRE(). Everything above the window (the allow and strip windows, USER_RECORD_LOG,
 * USER_RECORD_PERMISSIVE) is masked off. */
static inline UserRecordMask USER_RECORD_REQUIRE_MASK(UserRecordLoadFlags f) {
        unsigned window = (unsigned) f >> 7;

        return (UserRecordMask) (window & _USER_RECORD_MASK_MAX);
}
/* Extracts the set of sections the loader accepts: the "allow" window (bits 14..20) plus every
 * section from the "require" window, since a section that must be present is necessarily allowed
 * to be present. Higher bits (USER_RECORD_LOG, USER_RECORD_PERMISSIVE) are masked off. */
static inline UserRecordMask USER_RECORD_ALLOW_MASK(UserRecordLoadFlags f) {
        unsigned explicitly_allowed = ((unsigned) f >> 14) & _USER_RECORD_MASK_MAX;
        unsigned required = USER_RECORD_REQUIRE_MASK(f);

        return (UserRecordMask) (explicitly_allowed | required);
}
/* Extracts the "strip" window (bits 21..27) of load flags as a section mask; the inverse of
 * USER_RECORD_STRIP(). USER_RECORD_LOG (bit 28) would become bit 7 after the shift and is removed by
 * the mask, as is USER_RECORD_PERMISSIVE. */
static inline UserRecordMask USER_RECORD_STRIP_MASK(UserRecordLoadFlags f) {
        unsigned window = (unsigned) f >> 21;

        return (UserRecordMask) (window & _USER_RECORD_MASK_MAX);
}
/* Maps the two loader-behaviour bits of UserRecordLoadFlags onto the corresponding JSON dispatch
 * flags: USER_RECORD_LOG -> JSON_LOG, USER_RECORD_PERMISSIVE -> JSON_PERMISSIVE. The section windows
 * are not forwarded; they are interpreted by the record loader itself, not by the JSON dispatcher. */
static inline JsonDispatchFlags USER_RECORD_LOAD_FLAGS_TO_JSON_DISPATCH_FLAGS(UserRecordLoadFlags flags) {
        JsonDispatchFlags ret = 0;

        if (FLAGS_SET(flags, USER_RECORD_LOG))
                ret |= JSON_LOG;
        if (FLAGS_SET(flags, USER_RECORD_PERMISSIVE))
                ret |= JSON_PERMISSIVE;

        return ret;
}
/* One PKCS#11-protected credential of a user record: a passphrase that a hardware token's private
 * key can decrypt, together with the UNIX-style hash the decrypted passphrase is verified against.
 * NOTE(review): only hashed_password is visible in this excerpt; the fields holding the encrypted
 * passphrase and the private-key location that the comments below describe are not shown here. */
typedef struct Pkcs11EncryptedKey {
        /* The encrypted passphrase, which can be decrypted with the private key indicated below */

        /* Where to find the private key to decrypt the encrypted passphrase above */

        /* What to test the decrypted passphrase against to allow access (classic UNIX password hash). Note
         * that the decrypted passphrase is also used for unlocking LUKS and fscrypt, and if the account is
         * backed by LUKS or fscrypt the hashed password is only an additional layer of authentication, not
         * the primary one. */
        char *hashed_password;
} Pkcs11EncryptedKey;
/* In-memory form of a JSON user record, filled by user_record_load() and reference counted through
 * user_record_ref()/user_record_unref(). Many fields have a user_record_*() accessor below that
 * presumably resolves the effective value (explicit setting vs. *_auto fallback) — use those rather
 * than reading the raw field where one exists.
 * NOTE(review): this excerpt omits a number of fields (gaps in the listing) as well as the closing
 * "} UserRecord;" of the typedef that the prototypes further down rely on. */
typedef struct UserRecord {
        /* The following three fields are not part of the JSON record */
        bool incomplete; /* the record was loaded with some sections withheld due to security restrictions. */
        char *user_name_and_realm_auto; /* the user_name field concatenated with '@' and the realm, if the latter is defined */

        UserDisposition disposition;
        uint64_t last_change_usec;
        uint64_t last_password_change_usec;

        char *preferred_language;

        /* One entry per resource limit, indexed by the RLIMIT_* id up to _RLIMIT_MAX; presumably NULL
         * means "not set" — confirm in user-record.c. */
        struct rlimit *rlimits[_RLIMIT_MAX];

        /* Activation gating; see user_record_test_blocked(). Several of the int fields in this struct are
         * ints rather than bools, presumably tri-state with a negative value for "unset" — confirm. */
        int locked; /* prohibit activation in general */
        uint64_t not_before_usec; /* prohibit activation before this unix time */
        uint64_t not_after_usec; /* prohibit activation after this unix time */

        uint64_t disk_size_relative; /* Disk size, relative to the free bytes of the medium, normalized to UINT32_MAX = 100% */
        char *skeleton_directory;

        uint64_t memory_high;

        /* Credentials: a list of classic UNIX password hashes and a list of SSH public keys. */
        char **hashed_password;
        char **ssh_authorized_keys;

        char *cifs_user_name;

        char *image_path_auto; /* when none is configured explicitly, this is where we place the implicit image */
        char *home_directory;
        char *home_directory_auto; /* when none is set explicitly, this is where we place the implicit home directory */

        char *file_system_type;
        sd_id128_t partition_uuid;
        sd_id128_t luks_uuid;
        sd_id128_t file_system_uuid;

        /* LUKS parameters; the user_record_luks_*() accessors below return the effective values. */
        int luks_offline_discard;
        char *luks_cipher_mode;
        uint64_t luks_volume_key_size;
        char *luks_pbkdf_hash_algorithm;
        char *luks_pbkdf_type;
        uint64_t luks_pbkdf_time_cost_usec;
        uint64_t luks_pbkdf_memory_cost;
        uint64_t luks_pbkdf_parallel_threads;

        uint64_t disk_ceiling;

        /* Authentication bookkeeping and the rate limit derived from it (user_record_ratelimit_next_try()). */
        uint64_t good_authentication_counter;
        uint64_t bad_authentication_counter;
        uint64_t last_good_authentication_usec;
        uint64_t last_bad_authentication_usec;

        uint64_t ratelimit_begin_usec;
        uint64_t ratelimit_count;
        uint64_t ratelimit_interval_usec;
        uint64_t ratelimit_burst;

        int enforce_password_policy;

        uint64_t stop_delay_usec; /* How long to leave systemd --user around on log-out */
        int kill_processes; /* Whether to kill user processes forcibly on log-out */

        /* The following exist mostly so that we can cover the full /etc/shadow set of fields */
        uint64_t password_change_min_usec; /* maps to .sp_min */
        uint64_t password_change_max_usec; /* maps to .sp_max */
        uint64_t password_change_warn_usec; /* maps to .sp_warn */
        uint64_t password_change_inactive_usec; /* maps to .sp_inact */
        int password_change_now; /* Require a password change immediately on next login (.sp_lstchg = 0) */

        /* PKCS#11 token binding: token URIs, and n_pkcs11_encrypted_key entries of per-token encrypted
         * passphrases (see Pkcs11EncryptedKey). */
        char **pkcs11_token_uri;
        Pkcs11EncryptedKey *pkcs11_encrypted_key;
        size_t n_pkcs11_encrypted_key;
        int pkcs11_protected_authentication_path_permitted;
/* Lifecycle. user_record_unref() pairs with DEFINE_TRIVIAL_CLEANUP_FUNC below so records can be
 * held in _cleanup_ variables. */
UserRecord *user_record_new(void);
UserRecord *user_record_ref(UserRecord *h);
UserRecord *user_record_unref(UserRecord *h);

DEFINE_TRIVIAL_CLEANUP_FUNC(UserRecord *, user_record_unref);

/* Populates h from the JSON variant v. The flags select which record sections are required, allowed
 * or stripped (UserRecordLoadFlags) and whether loading logs errors / is permissive; choose the
 * narrowest combination the caller needs (e.g. USER_RECORD_LOAD_REFUSE_SECRET where secret material
 * must not be accepted). user_record_build() takes the JSON-building varargs instead of a variant. */
int user_record_load(UserRecord *h, JsonVariant *v, UserRecordLoadFlags flags);
int user_record_build(UserRecord **ret, ...);

/* Effective-value accessors. Several presumably combine an explicit field with its *_auto fallback
 * or a default (confirm in user-record.c); returned strings are owned by the record. */
const char *user_record_user_name_and_realm(UserRecord *h);
UserStorage user_record_storage(UserRecord *h);
const char *user_record_file_system_type(UserRecord *h);
const char *user_record_skeleton_directory(UserRecord *h);
mode_t user_record_access_mode(UserRecord *h);
const char *user_record_home_directory(UserRecord *h);
const char *user_record_image_path(UserRecord *h);
unsigned long user_record_mount_flags(UserRecord *h);
const char *user_record_cifs_user_name(UserRecord *h);
const char *user_record_shell(UserRecord *h);
const char *user_record_real_name(UserRecord *h);
bool user_record_luks_discard(UserRecord *h);
bool user_record_luks_offline_discard(UserRecord *h);
const char *user_record_luks_cipher(UserRecord *h);
const char *user_record_luks_cipher_mode(UserRecord *h);
uint64_t user_record_luks_volume_key_size(UserRecord *h);
const char *user_record_luks_pbkdf_type(UserRecord *h);
usec_t user_record_luks_pbkdf_time_cost_usec(UserRecord *h);
uint64_t user_record_luks_pbkdf_memory_cost(UserRecord *h);
uint64_t user_record_luks_pbkdf_parallel_threads(UserRecord *h);
const char *user_record_luks_pbkdf_hash_algorithm(UserRecord *h);
gid_t user_record_gid(UserRecord *h);
UserDisposition user_record_disposition(UserRecord *h);
int user_record_removable(UserRecord *h);
usec_t user_record_ratelimit_interval_usec(UserRecord *h);
uint64_t user_record_ratelimit_burst(UserRecord *h);
bool user_record_can_authenticate(UserRecord *h);

/* Comparisons between two records. */
bool user_record_equal(UserRecord *a, UserRecord *b);
bool user_record_compatible(UserRecord *a, UserRecord *b);
int user_record_compare_last_change(UserRecord *a, UserRecord *b);

/* Authentication rate limiting, derived from the ratelimit_* and *_authentication_* fields. */
usec_t user_record_ratelimit_next_try(UserRecord *h);

/* Re-loads h's JSON under different load flags into *ret (e.g. to strip sections), and compares two
 * records restricted to the sections selected by mask. */
int user_record_clone(UserRecord *h, UserRecordLoadFlags flags, UserRecord **ret);
int user_record_masked_equal(UserRecord *a, UserRecord *b, UserRecordMask mask);

/* Policy checks: whether activation is currently blocked (locked/not_before/not_after) and whether
 * the /etc/shadow-style password aging fields demand a password change. */
int user_record_test_blocked(UserRecord *h);
int user_record_test_password_change_required(UserRecord *h);

/* The following six are used by group-record.c, that's why we export them here */
int json_dispatch_realm(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata);
int json_dispatch_user_group_list(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata);
int json_dispatch_user_disposition(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata);

int per_machine_id_match(JsonVariant *ids, JsonDispatchFlags flags);
int per_machine_hostname_match(JsonVariant *hns, JsonDispatchFlags flags);
int user_group_record_mangle(JsonVariant *v, UserRecordLoadFlags load_flags, JsonVariant **ret_variant, UserRecordMask *ret_mask);

/* Enum <-> string conversions; the *_from_string() variants presumably return the _INVALID value for
 * unknown input, as the systemd string-table convention does — confirm. */
const char *user_storage_to_string(UserStorage t) _const_;
UserStorage user_storage_from_string(const char *s) _pure_;

const char *user_disposition_to_string(UserDisposition t) _const_;
UserDisposition user_disposition_from_string(const char *s) _pure_;