<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--seize=</option></term>
+
+ <listitem><para>Takes a boolean argument. When used with <command>create</command> or
+ <command>register</command>, controls whether to strip cryptographic signatures from the provided
+ JSON user records, which has the effect of signing them with the local signing key
+ (<filename>local.public</filename>) instead. If this switch is set to true, added user records
+ hence become locally managed (and thus can be modified locally), while if it is set to false the user
+ records remain managed and owned by its origin (and thus cannot be modified locally). This switch
+ defaults to true for <command>create</command> and false for <command>register</command>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v258"/></listitem>
+ </varlistentry>
+
<xi:include href="user-system-options.xml" xpointer="host" />
<xi:include href="user-system-options.xml" xpointer="machine" />
static Hashmap *arg_blob_files = NULL;
static char *arg_key_name = NULL;
static bool arg_dry_run = false;
+static bool arg_seize = true;
STATIC_DESTRUCTOR_REGISTER(arg_identity_extra, sd_json_variant_unrefp);
STATIC_DESTRUCTOR_REGISTER(arg_identity_extra_this_machine, sd_json_variant_unrefp);
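Review bot: `arg_seize` is a plain `bool` initialised to `true`, so code reading it cannot tell "option not given" from an explicit `--seize=yes`, yet the man page text added in this commit promises a default of false for `register`. How `register` arrives at that default is not visible on this page. If nothing else overrides it, registered records would have their origin signature stripped and be re-signed locally, which is the opposite of the documented ownership model. Consider an `int` tristate, `static int arg_seize = -1;`, resolved per verb, or at least a comment on the declaration stating which verb this default applies to and where the other one is set.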
USER_RECORD_ALLOW_PER_MACHINE|
USER_RECORD_STRIP_BINDING|
USER_RECORD_STRIP_STATUS|
- USER_RECORD_STRIP_SIGNATURE|
+ (arg_seize ? USER_RECORD_STRIP_SIGNATURE : USER_RECORD_ALLOW_SIGNATURE) |
USER_RECORD_LOG|
USER_RECORD_PERMISSIVE);
if (r < 0)
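Review bot: With `--seize=no` the flag line selects `USER_RECORD_ALLOW_SIGNATURE`, which by its name permits a signature rather than requiring one, while `USER_RECORD_PERMISSIVE` stays set. A record carrying no signature, or one from a key the local system does not trust, therefore appears to pass this load step. Where it is later verified or rejected is not shown here, because the call begins above the hunk and its error handling continues below it. Please add a comment above the conditional naming that place, for example `/* --seize=no: keep the origin's signature untouched; it is not verified here, see <where it is checked> */`. If nothing downstream rejects an unsigned record in this mode, that case should fail explicitly instead of producing a record that is neither origin-signed nor locally seized.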
" --prompt-new-user firstboot: Query user interactively for user\n"
" to create\n"
" --key-name=NAME Key name when adding a signing key\n"
+ " --seize=no Do not strip existing signatures of user record\n"
+ " when creating\n"
"\n%4$sGeneral User Record Properties:%5$s\n"
" -c --real-name=REALNAME Real name for user\n"
" --realm=REALM Realm to create user in\n"
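Review bot: The added help entry shows only the negative form `--seize=no` and says "when creating", but the parser added in this commit accepts any boolean and the man page describes the switch for both `create` and `register`. The neighbouring entries use a placeholder for the argument (`--key-name=NAME`), so the same form would be consistent here: `--seize=BOOL` with text such as `Whether to strip existing signatures of user records` / `on create/register`. Since this switch decides whether a record ends up locally signed and modifiable, the one-line help should not suggest it is relevant to `create` alone.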
ARG_DEV_SHM_LIMIT,
ARG_DEFAULT_AREA,
ARG_KEY_NAME,
+ ARG_SEIZE,
};
static const struct option options[] = {
{ "dev-shm-limit", required_argument, NULL, ARG_DEV_SHM_LIMIT },
{ "default-area", required_argument, NULL, ARG_DEFAULT_AREA },
{ "key-name", required_argument, NULL, ARG_KEY_NAME },
+ { "seize", required_argument, NULL, ARG_SEIZE },
{}
};
break;
+ case ARG_SEIZE:
+ r = parse_boolean_argument("--seize=", optarg, &arg_seize);
+ if (r < 0)
+ return r;
+ break;
+
case '?':
return -EINVAL;