mirror of
https://github.com/systemd/systemd.git
synced 2025-01-10 06:48:09 -08:00
pid1: complete per-user credentials support (#35536)
Fixes: #33887 #33796 #33318
This commit is contained in:
commit
2232038187
4
TODO
4
TODO
@ -446,10 +446,6 @@ Features:
|
|||||||
* credentials: add a flag to the scoped credentials that if set require PK
|
* credentials: add a flag to the scoped credentials that if set require PK
|
||||||
reauthentication when unlocking a secret.
|
reauthentication when unlocking a secret.
|
||||||
|
|
||||||
* teach systemd --user to properly load credentials off disk, with
|
|
||||||
/etc/credstore equivalent and similar. Make sure that $CREDENTIALS_DIRECTORY=
|
|
||||||
actually works too when run with user privs.
|
|
||||||
|
|
||||||
* extend the smbios11 logic for passing credentials so that instead of passing
|
* extend the smbios11 logic for passing credentials so that instead of passing
|
||||||
the credential data literally it can also just reference an AF_VSOCK CID/port
|
the credential data literally it can also just reference an AF_VSOCK CID/port
|
||||||
to read them from. This way the data doesn't remain in the SMBIOS blob during
|
to read them from. This way the data doesn't remain in the SMBIOS blob during
|
||||||
|
@ -3468,37 +3468,43 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
|
|||||||
<term><varname>LoadCredentialEncrypted=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term>
|
<term><varname>LoadCredentialEncrypted=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term>
|
||||||
|
|
||||||
<listitem><para>Pass a credential to the unit. Credentials are limited-size binary or textual objects
|
<listitem><para>Pass a credential to the unit. Credentials are limited-size binary or textual objects
|
||||||
that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
|
that may be passed to unit processes. They are primarily intended for passing cryptographic keys
|
||||||
public and private) or certificates, user account information or identity information from host to
|
(both public and private) or certificates, user account information or identity information from host
|
||||||
services. The data is accessible from the unit's processes via the file system, at a read-only
|
to services, but can be freely used to pass any kind of limited-size information to a service. The
|
||||||
location that (if possible and permitted) is backed by non-swappable memory. The data is only
|
data is accessible from the unit's processes via the file system, at a read-only location that (if
|
||||||
accessible to the user associated with the unit, via the
|
possible and permitted) is backed by non-swappable memory. The data is only accessible to the user
|
||||||
<varname>User=</varname>/<varname>DynamicUser=</varname> settings (as well as the superuser). When
|
associated with the unit, via the <varname>User=</varname>/<varname>DynamicUser=</varname> settings
|
||||||
available, the location of credentials is exported as the <varname>$CREDENTIALS_DIRECTORY</varname>
|
(as well as the superuser). When available, the location of credentials is exported as the
|
||||||
environment variable to the unit's processes.</para>
|
<varname>$CREDENTIALS_DIRECTORY</varname> environment variable to the unit's processes.</para>
|
||||||
|
|
||||||
<para>The <varname>LoadCredential=</varname> setting takes a textual ID to use as name for a
|
<para>The <varname>LoadCredential=</varname> setting takes a textual ID to use as name for a
|
||||||
credential plus a file system path, separated by a colon. The ID must be a short ASCII string
|
credential plus a file system path, separated by a colon. The ID must be a short ASCII string
|
||||||
suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
|
suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
|
||||||
is absolute it is opened as regular file and the credential data is read from it. If the absolute
|
is absolute it is opened as regular file and the credential data is read from it. If the absolute
|
||||||
path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made
|
path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made
|
||||||
to it (only once at unit start-up) and the credential data read from the connection, providing an
|
to it (once at process invocation) and the credential data read from the connection, providing an
|
||||||
easy IPC integration point for dynamically transferring credentials from other services.</para>
|
easy IPC integration point for dynamically transferring credentials from other services.</para>
|
||||||
|
|
||||||
<para>If the specified path is not absolute and itself qualifies as valid credential identifier it is
|
<para>If the specified path is not absolute and itself qualifies as valid credential identifier it is
|
||||||
attempted to find a credential that the service manager itself received under the specified name —
|
attempted to find a credential that the service manager itself received under the specified name —
|
||||||
which may be used to propagate credentials from an invoking environment (e.g. a container manager
|
which may be used to propagate credentials from an invoking environment (e.g. a container manager
|
||||||
that invoked the service manager) into a service. If no matching system credential is found, the
|
that invoked the service manager) into a service. If no matching passed credential is found, the
|
||||||
directories <filename>/etc/credstore/</filename>, <filename>/run/credstore/</filename> and
|
system service manager will search the directories <filename>/etc/credstore/</filename>,
|
||||||
<filename>/usr/lib/credstore/</filename> are searched for files under the credential's name — which
|
<filename>/run/credstore/</filename> and <filename>/usr/lib/credstore/</filename> for files under the
|
||||||
hence are recommended locations for credential data on disk. If
|
credential's name — which hence are recommended locations for credential data on disk. If
|
||||||
<varname>LoadCredentialEncrypted=</varname> is used <filename>/run/credstore.encrypted/</filename>,
|
<varname>LoadCredentialEncrypted=</varname> is used <filename>/run/credstore.encrypted/</filename>,
|
||||||
<filename>/etc/credstore.encrypted/</filename>, and
|
<filename>/etc/credstore.encrypted/</filename>, and
|
||||||
<filename>/usr/lib/credstore.encrypted/</filename> are searched as well.</para>
|
<filename>/usr/lib/credstore.encrypted/</filename> are searched as well. The per-user service manager
|
||||||
|
will search <filename>$XDG_CONFIG_HOME/credstore/</filename>,
|
||||||
|
<filename>$XDG_RUNTIME_DIR/credstore/</filename>, <filename>$HOME/.local/lib/credstore/</filename>
|
||||||
|
(and the counterparts ending with <filename>…/credstore.encrypted/</filename>) instead. The
|
||||||
|
<citerefentry><refentrytitle>systemd-path</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool
|
||||||
|
may be used to query the precise credential store search path.</para>
|
||||||
|
|
||||||
<para>If the file system path is omitted it is chosen identical to the credential name, i.e. this is
|
<para>If the file system path is omitted it is chosen identical to the credential name, i.e. this is
|
||||||
a terse way to declare credentials to inherit from the service manager into a service. This option
|
a terse way to declare credentials to inherit from the service manager or credstore directories into
|
||||||
may be used multiple times, each time defining an additional credential to pass to the unit.</para>
|
a service. This option may be used multiple times, each time defining an additional credential to
|
||||||
|
pass to the unit.</para>
|
||||||
|
|
||||||
<para>Note that if the path is not specified or a valid credential identifier is given, i.e.
|
<para>Note that if the path is not specified or a valid credential identifier is given, i.e.
|
||||||
in the above two cases, a missing credential is not considered fatal.</para>
|
in the above two cases, a missing credential is not considered fatal.</para>
|
||||||
|
@ -117,10 +117,9 @@ int exec_context_put_load_credential(ExecContext *c, const char *id, const char
|
|||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
r = hashmap_ensure_put(&c->load_credentials, &exec_load_credential_hash_ops, lc->id, lc);
|
r = hashmap_ensure_put(&c->load_credentials, &exec_load_credential_hash_ops, lc->id, lc);
|
||||||
if (r < 0) {
|
assert(r != -EEXIST);
|
||||||
assert(r != -EEXIST);
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
|
||||||
|
|
||||||
TAKE_PTR(lc);
|
TAKE_PTR(lc);
|
||||||
}
|
}
|
||||||
@ -167,10 +166,9 @@ int exec_context_put_set_credential(
|
|||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
r = hashmap_ensure_put(&c->set_credentials, &exec_set_credential_hash_ops, sc->id, sc);
|
r = hashmap_ensure_put(&c->set_credentials, &exec_set_credential_hash_ops, sc->id, sc);
|
||||||
if (r < 0) {
|
assert(r != -EEXIST);
|
||||||
assert(r != -EEXIST);
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
|
||||||
|
|
||||||
TAKE_PTR(sc);
|
TAKE_PTR(sc);
|
||||||
}
|
}
|
||||||
@ -193,19 +191,22 @@ int exec_context_put_import_credential(ExecContext *c, const char *glob, const c
|
|||||||
|
|
||||||
*ic = (ExecImportCredential) {
|
*ic = (ExecImportCredential) {
|
||||||
.glob = strdup(glob),
|
.glob = strdup(glob),
|
||||||
.rename = rename ? strdup(rename) : NULL,
|
|
||||||
};
|
};
|
||||||
if (!ic->glob || (rename && !ic->rename))
|
if (!ic->glob)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
if (rename) {
|
||||||
|
ic->rename = strdup(rename);
|
||||||
|
if (!ic->rename)
|
||||||
|
return -ENOMEM;
|
||||||
|
}
|
||||||
|
|
||||||
if (ordered_set_contains(c->import_credentials, ic))
|
if (ordered_set_contains(c->import_credentials, ic))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
r = ordered_set_ensure_put(&c->import_credentials, &exec_import_credential_hash_ops, ic);
|
r = ordered_set_ensure_put(&c->import_credentials, &exec_import_credential_hash_ops, ic);
|
||||||
if (r < 0) {
|
assert(r != -EEXIST);
|
||||||
assert(r != -EEXIST);
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
|
||||||
|
|
||||||
TAKE_PTR(ic);
|
TAKE_PTR(ic);
|
||||||
|
|
||||||
@ -383,30 +384,46 @@ typedef enum CredentialSearchPath {
|
|||||||
_CREDENTIAL_SEARCH_PATH_INVALID = -EINVAL,
|
_CREDENTIAL_SEARCH_PATH_INVALID = -EINVAL,
|
||||||
} CredentialSearchPath;
|
} CredentialSearchPath;
|
||||||
|
|
||||||
static char** credential_search_path(const ExecParameters *params, CredentialSearchPath path) {
|
static int credential_search_path(const ExecParameters *params, CredentialSearchPath path, char ***ret) {
|
||||||
_cleanup_strv_free_ char **l = NULL;
|
_cleanup_strv_free_ char **l = NULL;
|
||||||
|
int r;
|
||||||
|
|
||||||
assert(params);
|
assert(params);
|
||||||
assert(path >= 0 && path < _CREDENTIAL_SEARCH_PATH_MAX);
|
assert(path >= 0 && path < _CREDENTIAL_SEARCH_PATH_MAX);
|
||||||
|
assert(ret);
|
||||||
|
|
||||||
/* Assemble a search path to find credentials in. For non-encrypted credentials, We'll look in
|
/* Assemble a search path to find credentials in. For non-encrypted credentials, We'll look in
|
||||||
* /etc/credstore/ (and similar directories in /usr/lib/ + /run/). If we're looking for encrypted
|
* /etc/credstore/ (and similar directories in /usr/lib/ + /run/). If we're looking for encrypted
|
||||||
* credentials, we'll look in /etc/credstore.encrypted/ (and similar dirs). */
|
* credentials, we'll look in /etc/credstore.encrypted/ (and similar dirs). */
|
||||||
|
|
||||||
if (IN_SET(path, CREDENTIAL_SEARCH_PATH_ENCRYPTED, CREDENTIAL_SEARCH_PATH_ALL)) {
|
if (IN_SET(path, CREDENTIAL_SEARCH_PATH_ENCRYPTED, CREDENTIAL_SEARCH_PATH_ALL)) {
|
||||||
if (strv_extend(&l, params->received_encrypted_credentials_directory) < 0)
|
r = strv_extend(&l, params->received_encrypted_credentials_directory);
|
||||||
return NULL;
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore.encrypted"), /* filter_duplicates= */ true) < 0)
|
_cleanup_strv_free_ char **add = NULL;
|
||||||
return NULL;
|
r = credential_store_path_encrypted(params->runtime_scope, &add);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ false);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (IN_SET(path, CREDENTIAL_SEARCH_PATH_TRUSTED, CREDENTIAL_SEARCH_PATH_ALL)) {
|
if (IN_SET(path, CREDENTIAL_SEARCH_PATH_TRUSTED, CREDENTIAL_SEARCH_PATH_ALL)) {
|
||||||
if (strv_extend(&l, params->received_credentials_directory) < 0)
|
r = strv_extend(&l, params->received_credentials_directory);
|
||||||
return NULL;
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore"), /* filter_duplicates= */ true) < 0)
|
_cleanup_strv_free_ char **add = NULL;
|
||||||
return NULL;
|
r = credential_store_path(params->runtime_scope, &add);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ false);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (DEBUG_LOGGING) {
|
if (DEBUG_LOGGING) {
|
||||||
@ -414,7 +431,8 @@ static char** credential_search_path(const ExecParameters *params, CredentialSea
|
|||||||
log_debug("Credential search path is: %s", strempty(t));
|
log_debug("Credential search path is: %s", strempty(t));
|
||||||
}
|
}
|
||||||
|
|
||||||
return TAKE_PTR(l);
|
*ret = TAKE_PTR(l);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
struct load_cred_args {
|
struct load_cred_args {
|
||||||
@ -445,15 +463,38 @@ static int maybe_decrypt_and_write_credential(
|
|||||||
assert(data || size == 0);
|
assert(data || size == 0);
|
||||||
|
|
||||||
if (args->encrypted) {
|
if (args->encrypted) {
|
||||||
r = decrypt_credential_and_warn(
|
switch (args->params->runtime_scope) {
|
||||||
id,
|
|
||||||
now(CLOCK_REALTIME),
|
case RUNTIME_SCOPE_SYSTEM:
|
||||||
/* tpm2_device= */ NULL,
|
/* In system mode talk directly to the TPM */
|
||||||
/* tpm2_signature_path= */ NULL,
|
r = decrypt_credential_and_warn(
|
||||||
getuid(),
|
id,
|
||||||
&IOVEC_MAKE(data, size),
|
now(CLOCK_REALTIME),
|
||||||
CREDENTIAL_ANY_SCOPE,
|
/* tpm2_device= */ NULL,
|
||||||
&plaintext);
|
/* tpm2_signature_path= */ NULL,
|
||||||
|
getuid(),
|
||||||
|
&IOVEC_MAKE(data, size),
|
||||||
|
CREDENTIAL_ANY_SCOPE,
|
||||||
|
&plaintext);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case RUNTIME_SCOPE_USER:
|
||||||
|
/* In per user mode we'll not have access to the machine secret, nor to the TPM (most
|
||||||
|
* likely), hence go via the IPC service instead. Do this if we are run in root's
|
||||||
|
* per-user invocation too, to minimize differences and because isolating this logic
|
||||||
|
* into a separate process is generally a good thing anyway. */
|
||||||
|
r = ipc_decrypt_credential(
|
||||||
|
id,
|
||||||
|
now(CLOCK_REALTIME),
|
||||||
|
getuid(),
|
||||||
|
&IOVEC_MAKE(data, size),
|
||||||
|
/* flags= */ 0, /* only allow user creds in user scope */
|
||||||
|
&plaintext);
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
assert_not_reached();
|
||||||
|
}
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
@ -611,9 +652,9 @@ static int load_credential(
|
|||||||
* directory we received ourselves. We don't support the AF_UNIX stuff in this mode, since we
|
* directory we received ourselves. We don't support the AF_UNIX stuff in this mode, since we
|
||||||
* are operating on a credential store, i.e. this is guaranteed to be regular files. */
|
* are operating on a credential store, i.e. this is guaranteed to be regular files. */
|
||||||
|
|
||||||
search_path = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL);
|
r = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL, &search_path);
|
||||||
if (!search_path)
|
if (r < 0)
|
||||||
return -ENOMEM;
|
return r;
|
||||||
|
|
||||||
missing_ok = true;
|
missing_ok = true;
|
||||||
} else
|
} else
|
||||||
@ -797,9 +838,9 @@ static int acquire_credentials(
|
|||||||
ORDERED_SET_FOREACH(ic, context->import_credentials) {
|
ORDERED_SET_FOREACH(ic, context->import_credentials) {
|
||||||
_cleanup_free_ char **search_path = NULL;
|
_cleanup_free_ char **search_path = NULL;
|
||||||
|
|
||||||
search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED);
|
r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED, &search_path);
|
||||||
if (!search_path)
|
if (r < 0)
|
||||||
return -ENOMEM;
|
return r;
|
||||||
|
|
||||||
args.encrypted = false;
|
args.encrypted = false;
|
||||||
|
|
||||||
@ -811,9 +852,10 @@ static int acquire_credentials(
|
|||||||
return r;
|
return r;
|
||||||
|
|
||||||
search_path = strv_free(search_path);
|
search_path = strv_free(search_path);
|
||||||
search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED);
|
|
||||||
if (!search_path)
|
r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED, &search_path);
|
||||||
return -ENOMEM;
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
args.encrypted = true;
|
args.encrypted = true;
|
||||||
|
|
||||||
|
@ -84,3 +84,19 @@ static inline char** generator_binary_paths(RuntimeScope runtime_scope) {
|
|||||||
static inline char** env_generator_binary_paths(RuntimeScope runtime_scope) {
|
static inline char** env_generator_binary_paths(RuntimeScope runtime_scope) {
|
||||||
return generator_binary_paths_internal(runtime_scope, true);
|
return generator_binary_paths_internal(runtime_scope, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline int credential_store_path(RuntimeScope runtime_scope, char ***ret) {
|
||||||
|
return sd_path_lookup_strv(
|
||||||
|
runtime_scope == RUNTIME_SCOPE_SYSTEM ?
|
||||||
|
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE : SD_PATH_USER_SEARCH_CREDENTIAL_STORE,
|
||||||
|
/* suffix= */ NULL,
|
||||||
|
ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int credential_store_path_encrypted(RuntimeScope runtime_scope, char ***ret) {
|
||||||
|
return sd_path_lookup_strv(
|
||||||
|
runtime_scope == RUNTIME_SCOPE_SYSTEM ?
|
||||||
|
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED : SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
|
||||||
|
/* suffix= */ NULL,
|
||||||
|
ret);
|
||||||
|
}
|
||||||
|
@ -36,7 +36,12 @@ static int from_environment(const char *envname, const char *fallback, const cha
|
|||||||
return -ENXIO;
|
return -ENXIO;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int from_home_dir(const char *envname, const char *suffix, char **buffer, const char **ret) {
|
static int from_home_dir(
|
||||||
|
const char *envname,
|
||||||
|
const char *suffix,
|
||||||
|
char **buffer,
|
||||||
|
const char **ret) {
|
||||||
|
|
||||||
_cleanup_free_ char *h = NULL;
|
_cleanup_free_ char *h = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
@ -350,6 +355,30 @@ static int get_path(uint64_t type, char **buffer, const char **ret) {
|
|||||||
case SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR:
|
case SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR:
|
||||||
*ret = USER_ENV_GENERATOR_DIR;
|
*ret = USER_ENV_GENERATOR_DIR;
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
case SD_PATH_SYSTEM_CREDENTIAL_STORE:
|
||||||
|
*ret = "/etc/credstore";
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
case SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED:
|
||||||
|
*ret = "/etc/credstore.encrypted";
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
case SD_PATH_USER_CREDENTIAL_STORE:
|
||||||
|
r = xdg_user_config_dir("credstore", buffer);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
*ret = *buffer;
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
case SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED:
|
||||||
|
r = xdg_user_config_dir("credstore.encrypted", buffer);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
*ret = *buffer;
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
@ -366,12 +395,12 @@ static int get_path_alloc(uint64_t type, const char *suffix, char **ret) {
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
if (suffix) {
|
if (!isempty(suffix)) {
|
||||||
char *suffixed = path_join(p, suffix);
|
char *suffixed = path_join(p, suffix);
|
||||||
if (!suffixed)
|
if (!suffixed)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
path_simplify(suffixed);
|
path_simplify_full(suffixed, PATH_SIMPLIFY_KEEP_TRAILING_SLASH);
|
||||||
|
|
||||||
free_and_replace(buffer, suffixed);
|
free_and_replace(buffer, suffixed);
|
||||||
} else if (!buffer) {
|
} else if (!buffer) {
|
||||||
@ -601,8 +630,55 @@ static int get_search(uint64_t type, char ***ret) {
|
|||||||
case SD_PATH_SYSTEMD_SEARCH_NETWORK:
|
case SD_PATH_SYSTEMD_SEARCH_NETWORK:
|
||||||
return strv_from_nulstr(ret, NETWORK_DIRS_NULSTR);
|
return strv_from_nulstr(ret, NETWORK_DIRS_NULSTR);
|
||||||
|
|
||||||
|
case SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE:
|
||||||
|
case SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED: {
|
||||||
|
const char *suffix =
|
||||||
|
type == SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED ? "credstore.encrypted" : "credstore";
|
||||||
|
|
||||||
|
_cleanup_strv_free_ char **l = NULL;
|
||||||
|
FOREACH_STRING(d, CONF_PATHS("")) {
|
||||||
|
char *j = path_join(d, suffix);
|
||||||
|
if (!j)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
r = strv_consume(&l, TAKE_PTR(j));
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
|
*ret = TAKE_PTR(l);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
case SD_PATH_USER_SEARCH_CREDENTIAL_STORE:
|
||||||
|
case SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED: {
|
||||||
|
const char *suffix =
|
||||||
|
type == SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED ? "credstore.encrypted" : "credstore";
|
||||||
|
|
||||||
|
static const uint64_t dirs[] = {
|
||||||
|
SD_PATH_USER_CONFIGURATION,
|
||||||
|
SD_PATH_USER_RUNTIME,
|
||||||
|
SD_PATH_USER_LIBRARY_PRIVATE,
|
||||||
|
};
|
||||||
|
|
||||||
|
_cleanup_strv_free_ char **l = NULL;
|
||||||
|
FOREACH_ELEMENT(d, dirs) {
|
||||||
|
_cleanup_free_ char *p = NULL;
|
||||||
|
r = sd_path_lookup(*d, suffix, &p);
|
||||||
|
if (r == -ENXIO)
|
||||||
|
continue;
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
r = strv_consume(&l, TAKE_PTR(p));
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
|
*ret = TAKE_PTR(l);
|
||||||
|
return 0;
|
||||||
|
}}
|
||||||
|
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -637,7 +713,7 @@ _public_ int sd_path_lookup_strv(uint64_t type, const char *suffix, char ***ret)
|
|||||||
if (!path_extend(i, suffix))
|
if (!path_extend(i, suffix))
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
path_simplify(*i);
|
path_simplify_full(*i, PATH_SIMPLIFY_KEEP_TRAILING_SLASH);
|
||||||
}
|
}
|
||||||
|
|
||||||
*ret = TAKE_PTR(l);
|
*ret = TAKE_PTR(l);
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
#include "main-func.h"
|
#include "main-func.h"
|
||||||
#include "pager.h"
|
#include "pager.h"
|
||||||
#include "pretty-print.h"
|
#include "pretty-print.h"
|
||||||
|
#include "sort-util.h"
|
||||||
#include "string-util.h"
|
#include "string-util.h"
|
||||||
|
|
||||||
static const char *arg_suffix = NULL;
|
static const char *arg_suffix = NULL;
|
||||||
@ -101,27 +102,50 @@ static const char* const path_table[_SD_PATH_MAX] = {
|
|||||||
[SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR] = "systemd-user-environment-generator",
|
[SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR] = "systemd-user-environment-generator",
|
||||||
[SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR] = "systemd-search-system-environment-generator",
|
[SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR] = "systemd-search-system-environment-generator",
|
||||||
[SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR] = "systemd-search-user-environment-generator",
|
[SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR] = "systemd-search-user-environment-generator",
|
||||||
|
|
||||||
|
[SD_PATH_SYSTEM_CREDENTIAL_STORE] = "system-credential-store",
|
||||||
|
[SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE] = "system-search-credential-store",
|
||||||
|
[SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED] = "system-credential-store-encrypted",
|
||||||
|
[SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED] = "system-search-credential-store-encrypted",
|
||||||
|
[SD_PATH_USER_CREDENTIAL_STORE] = "user-credential-store",
|
||||||
|
[SD_PATH_USER_SEARCH_CREDENTIAL_STORE] = "user-search-credential-store",
|
||||||
|
[SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED] = "user-credential-store-encrypted",
|
||||||
|
[SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED] = "user-search-credential-store-encrypted",
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static int order_cmp(const size_t *a, const size_t *b) {
|
||||||
|
assert(*a < ELEMENTSOF(path_table));
|
||||||
|
assert(*b < ELEMENTSOF(path_table));
|
||||||
|
return strcmp(path_table[*a], path_table[*b]);
|
||||||
|
}
|
||||||
|
|
||||||
static int list_paths(void) {
|
static int list_paths(void) {
|
||||||
int r = 0;
|
int ret = 0, r;
|
||||||
|
|
||||||
pager_open(arg_pager_flags);
|
pager_open(arg_pager_flags);
|
||||||
|
|
||||||
for (size_t i = 0; i < ELEMENTSOF(path_table); i++) {
|
size_t order[ELEMENTSOF(path_table)];
|
||||||
_cleanup_free_ char *p = NULL;
|
|
||||||
int q;
|
|
||||||
|
|
||||||
q = sd_path_lookup(i, arg_suffix, &p);
|
for (size_t i = 0; i < ELEMENTSOF(order); i++)
|
||||||
if (q < 0) {
|
order[i] = i;
|
||||||
log_full_errno(q == -ENXIO ? LOG_DEBUG : LOG_ERR,
|
|
||||||
q, "Failed to query %s: %m", path_table[i]);
|
typesafe_qsort(order, ELEMENTSOF(order), order_cmp);
|
||||||
if (q != -ENXIO)
|
|
||||||
RET_GATHER(r, q);
|
for (size_t i = 0; i < ELEMENTSOF(order); i++) {
|
||||||
|
size_t j = order[i];
|
||||||
|
const char *t = ASSERT_PTR(path_table[j]);
|
||||||
|
|
||||||
|
_cleanup_free_ char *p = NULL;
|
||||||
|
r = sd_path_lookup(j, arg_suffix, &p);
|
||||||
|
if (r < 0) {
|
||||||
|
log_full_errno(r == -ENXIO ? LOG_DEBUG : LOG_ERR, r, "Failed to query %s, proceeding: %m", t);
|
||||||
|
if (r != -ENXIO)
|
||||||
|
RET_GATHER(ret, r);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
printf("%s%s:%s %s\n", ansi_highlight(), path_table[i], ansi_normal(), p);
|
printf("%s%s:%s %s\n", ansi_highlight(), t, ansi_normal(), p);
|
||||||
}
|
}
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
@ -154,14 +178,16 @@ static int help(void) {
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
printf("%s [OPTIONS...] [NAME...]\n\n"
|
printf("%s [OPTIONS...] [NAME...]\n"
|
||||||
"Show system and user paths.\n\n"
|
"\n%sShow system and user paths.%s\n\n"
|
||||||
" -h --help Show this help\n"
|
" -h --help Show this help\n"
|
||||||
" --version Show package version\n"
|
" --version Show package version\n"
|
||||||
" --suffix=SUFFIX Suffix to append to paths\n"
|
" --suffix=SUFFIX Suffix to append to paths\n"
|
||||||
" --no-pager Do not pipe output into a pager\n"
|
" --no-pager Do not pipe output into a pager\n"
|
||||||
"\nSee the %s for details.\n",
|
"\nSee the %s for details.\n",
|
||||||
program_invocation_short_name,
|
program_invocation_short_name,
|
||||||
|
ansi_highlight(),
|
||||||
|
ansi_normal(),
|
||||||
link);
|
link);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
@ -224,10 +250,11 @@ static int run(int argc, char* argv[]) {
|
|||||||
if (r <= 0)
|
if (r <= 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
if (argc > optind)
|
if (argc > optind) {
|
||||||
|
r = 0;
|
||||||
for (int i = optind; i < argc; i++)
|
for (int i = optind; i < argc; i++)
|
||||||
RET_GATHER(r, print_path(argv[i]));
|
RET_GATHER(r, print_path(argv[i]));
|
||||||
else
|
} else
|
||||||
r = list_paths();
|
r = list_paths();
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
|
@ -120,6 +120,16 @@ enum {
|
|||||||
|
|
||||||
SD_PATH_USER_STATE_PRIVATE,
|
SD_PATH_USER_STATE_PRIVATE,
|
||||||
|
|
||||||
|
/* credential store */
|
||||||
|
SD_PATH_SYSTEM_CREDENTIAL_STORE,
|
||||||
|
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE,
|
||||||
|
SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED,
|
||||||
|
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
|
||||||
|
SD_PATH_USER_CREDENTIAL_STORE,
|
||||||
|
SD_PATH_USER_SEARCH_CREDENTIAL_STORE,
|
||||||
|
SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED,
|
||||||
|
SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
|
||||||
|
|
||||||
_SD_PATH_MAX
|
_SD_PATH_MAX
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1398,6 +1398,10 @@ static void run_tests(RuntimeScope scope, char **patterns) {
|
|||||||
ASSERT_NOT_NULL(unit_paths = strjoin(PRIVATE_UNIT_DIR, ":", user_runtime_unit_dir));
|
ASSERT_NOT_NULL(unit_paths = strjoin(PRIVATE_UNIT_DIR, ":", user_runtime_unit_dir));
|
||||||
ASSERT_OK(setenv_unit_path(unit_paths));
|
ASSERT_OK(setenv_unit_path(unit_paths));
|
||||||
|
|
||||||
|
/* Write credential for test-execute-load-credential to the fake runtime dir, too */
|
||||||
|
_cleanup_free_ char *j = ASSERT_PTR(path_join(runtime_dir, "credstore/test-execute.load-credential"));
|
||||||
|
ASSERT_OK(write_string_file(j, "foo", WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755));
|
||||||
|
|
||||||
r = manager_new(scope, MANAGER_TEST_RUN_BASIC, &m);
|
r = manager_new(scope, MANAGER_TEST_RUN_BASIC, &m);
|
||||||
if (manager_errno_skip_test(r))
|
if (manager_errno_skip_test(r))
|
||||||
return (void) log_tests_skipped_errno(r, "manager_new");
|
return (void) log_tests_skipped_errno(r, "manager_new");
|
||||||
|
@ -490,7 +490,7 @@ cmp /tmp/vlcredsdata /tmp/vlcredsdata2
|
|||||||
rm /tmp/vlcredsdata /tmp/vlcredsdata2
|
rm /tmp/vlcredsdata /tmp/vlcredsdata2
|
||||||
|
|
||||||
clean_usertest() {
|
clean_usertest() {
|
||||||
rm -f /tmp/usertest.data /tmp/usertest.data
|
rm -f /tmp/usertest.data /tmp/usertest.data /tmp/brummbaer.data
|
||||||
}
|
}
|
||||||
|
|
||||||
trap clean_usertest EXIT
|
trap clean_usertest EXIT
|
||||||
@ -520,6 +520,12 @@ XDG_RUNTIME_DIR=/run/user/0 systemd-run --pipe --user --unit=waldi.service -p Lo
|
|||||||
# Test mount unit with credential
|
# Test mount unit with credential
|
||||||
test_mount_with_credential
|
test_mount_with_credential
|
||||||
|
|
||||||
|
# Fully unpriv operation
|
||||||
|
dd if=/dev/urandom of=/tmp/brummbaer.data bs=4096 count=1
|
||||||
|
run0 -u testuser --pipe mkdir -p /home/testuser/.config/credstore.encrypted
|
||||||
|
run0 -u testuser --pipe systemd-creds encrypt --user --name=brummbaer - /home/testuser/.config/credstore.encrypted/brummbaer < /tmp/brummbaer.data
|
||||||
|
run0 -u testuser --pipe systemd-run --user --pipe -p ImportCredential=brummbaer systemd-creds cat brummbaer | cmp /tmp/brummbaer.data
|
||||||
|
|
||||||
systemd-analyze log-level info
|
systemd-analyze log-level info
|
||||||
|
|
||||||
touch /testok
|
touch /testok
|
||||||
|
Loading…
Reference in New Issue
Block a user