diff options
author | Lennart Poettering <lennart@poettering.net> | 2019-07-04 18:35:39 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2020-01-28 22:36:07 +0100 |
commit | 70a5db5822c8056b53d9a4a9273ad12cb5f87a92 (patch) | |
tree | 809814f6ff623eec673b1ef4efbc4252a635a84f /src/home/homework-cifs.c | |
parent | mkosi: add fdisk-devel, openssl-devel, libpwquality-devel, p11kit-devel and e... (diff) | |
download | systemd-70a5db5822c8056b53d9a4a9273ad12cb5f87a92.tar.xz systemd-70a5db5822c8056b53d9a4a9273ad12cb5f87a92.zip |
home: add new systemd-homed service that can manage LUKS homes
Fixes more or less: https://bugs.freedesktop.org/show_bug.cgi?id=67474
Diffstat (limited to 'src/home/homework-cifs.c')
-rw-r--r-- | src/home/homework-cifs.c | 215 |
1 files changed, 215 insertions, 0 deletions
diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c new file mode 100644 index 0000000000..f67e279eee --- /dev/null +++ b/src/home/homework-cifs.c @@ -0,0 +1,215 @@ +/* SPDX-License-Identifier: LGPL-2.1+ */ + +#include "dirent-util.h" +#include "fd-util.h" +#include "fileio.h" +#include "format-util.h" +#include "fs-util.h" +#include "homework-cifs.h" +#include "homework-mount.h" +#include "mount-util.h" +#include "process-util.h" +#include "strv.h" +#include "tmpfile-util.h" + +int home_prepare_cifs( + UserRecord *h, + bool already_activated, + HomeSetup *setup) { + + char **pw; + int r; + + assert(h); + assert(setup); + assert(user_record_storage(h) == USER_CIFS); + + if (already_activated) + setup->root_fd = open(user_record_home_directory(h), O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); + else { + bool mounted = false; + + r = home_unshare_and_mount(NULL, NULL, false); + if (r < 0) + return r; + + STRV_FOREACH(pw, h->password) { + _cleanup_(unlink_and_freep) char *p = NULL; + _cleanup_free_ char *options = NULL; + _cleanup_(fclosep) FILE *f = NULL; + pid_t mount_pid; + int exit_status; + + r = fopen_temporary(NULL, &f, &p); + if (r < 0) + return log_error_errno(r, "Failed to create temporary credentials file: %m"); + + fprintf(f, + "username=%s\n" + "password=%s\n", + user_record_cifs_user_name(h), + *pw); + + if (h->cifs_domain) + fprintf(f, "domain=%s\n", h->cifs_domain); + + r = fflush_and_check(f); + if (r < 0) + return log_error_errno(r, "Failed to write temporary credentials file: %m"); + + f = safe_fclose(f); + + if (asprintf(&options, "credentials=%s,uid=" UID_FMT ",forceuid,gid=" UID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o", + p, h->uid, h->uid, h->access_mode, h->access_mode) < 0) + return log_oom(); + + r = safe_fork("(mount)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_STDOUT_TO_STDERR, &mount_pid); + if (r < 0) + return r; + if (r == 0) { + /* Child */ + execl("/bin/mount", "/bin/mount", "-n", "-t", "cifs", + h->cifs_service, "/run/systemd/user-home-mount", + "-o", options, NULL); + + log_error_errno(errno, "Failed to execute fsck: %m"); + _exit(EXIT_FAILURE); + } + + exit_status = wait_for_terminate_and_check("mount", mount_pid, WAIT_LOG_ABNORMAL|WAIT_LOG_NON_ZERO_EXIT_STATUS); + if (exit_status < 0) + return exit_status; + if (exit_status != EXIT_SUCCESS) + return -EPROTO; + + mounted = true; + break; + } + + if (!mounted) + return log_error_errno(ENOKEY, "Failed to mount home directory with supplied password."); + + setup->root_fd = open("/run/systemd/user-home-mount", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); + } + if (setup->root_fd < 0) + return log_error_errno(r, "Failed to open home directory: %m"); + + return 0; +} + +int home_activate_cifs( + UserRecord *h, + char ***pkcs11_decrypted_passwords, + UserRecord **ret_home) { + + _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; + _cleanup_(user_record_unrefp) UserRecord *new_home = NULL; + const char *hdo, *hd; + int r; + + assert(h); + assert(user_record_storage(h) == USER_CIFS); + assert(ret_home); + + if (!h->cifs_service) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks CIFS service, refusing."); + + assert_se(hdo = user_record_home_directory(h)); + hd = strdupa(hdo); /* copy the string out, since it might change later in the home record object */ + + r = home_prepare_cifs(h, false, &setup); + if (r < 0) + return r; + + r = home_refresh(h, &setup, NULL, pkcs11_decrypted_passwords, NULL, &new_home); + if (r < 0) + return r; + + setup.root_fd = safe_close(setup.root_fd); + + r = home_move_mount(NULL, hd); + if (r < 0) + return r; + + setup.undo_mount = false; + + log_info("Everything completed."); + + *ret_home = TAKE_PTR(new_home); + return 1; +} + +int home_create_cifs(UserRecord *h, UserRecord **ret_home) { + _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT; + _cleanup_(user_record_unrefp) UserRecord *new_home = NULL; + _cleanup_(closedirp) DIR *d = NULL; + int r, copy; + + assert(h); + assert(user_record_storage(h) == USER_CIFS); + assert(ret_home); + + if (!h->cifs_service) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "User record lacks CIFS service, refusing."); + + if (access("/sbin/mount.cifs", F_OK) < 0) { + if (errno == ENOENT) + return log_error_errno(SYNTHETIC_ERRNO(ENOLINK), "/sbin/mount.cifs is missing."); + + return log_error_errno(errno, "Unable to detect whether /sbin/mount.cifs exists: %m"); + } + + r = home_prepare_cifs(h, false, &setup); + if (r < 0) + return r; + + copy = fcntl(setup.root_fd, F_DUPFD_CLOEXEC, 3); + if (copy < 0) + return -errno; + + d = fdopendir(copy); + if (!d) { + safe_close(copy); + return -errno; + } + + errno = 0; + if (readdir_no_dot(d)) + return log_error_errno(SYNTHETIC_ERRNO(ENOTEMPTY), "Selected CIFS directory not empty, refusing."); + if (errno != 0) + return log_error_errno(errno, "Failed to detect if CIFS directory is empty: %m"); + + r = home_populate(h, setup.root_fd); + if (r < 0) + return r; + + r = home_sync_and_statfs(setup.root_fd, NULL); + if (r < 0) + return r; + + r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET, &new_home); + if (r < 0) + return log_error_errno(r, "Failed to clone record: %m"); + + r = user_record_add_binding( + new_home, + USER_CIFS, + NULL, + SD_ID128_NULL, + SD_ID128_NULL, + SD_ID128_NULL, + NULL, + NULL, + UINT64_MAX, + NULL, + NULL, + h->uid, + (gid_t) h->uid); + if (r < 0) + return log_error_errno(r, "Failed to add binding to record: %m"); + + log_info("Everything completed."); + + *ret_home = TAKE_PTR(new_home); + return 0; +} |