picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/home/homework.h
Lennart Poettering c8f145adbb homed: don't insist on authentication against host-copy user record 
homed maintains two or three copies of the user's identity record per
home directory: one on the host, one inside the LUKS header, and one
embedded in the home directory.

Previously we'd insist that if a user logs in they have to authenticate
against all three, as a safety feature. This broke logging into
unfixated records however, since in that case the host version is
synthetic and thus does not carry any authentication data.

Let's hence losen the strictness here: accept authentication against
host records that carry no auth data. This should be safe as we know
after all that the second/third record will catch invalid accesses.

Fixes: #15178
2020-05-21 23:39:30 +02:00

62 lines
2.1 KiB
C
Raw Blame History

/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once
#include <linux/fs.h>
#include <sys/vfs.h>
#include "sd-id128.h"
#include "loop-util.h"
#include "user-record.h"
#include "user-record-util.h"
typedef struct HomeSetup {
char *dm_name;
char *dm_node;
LoopDevice *loop;
struct crypt_device *crypt_device;
int root_fd;
int image_fd;
sd_id128_t found_partition_uuid;
sd_id128_t found_luks_uuid;
sd_id128_t found_fs_uuid;
uint8_t fscrypt_key_descriptor[FS_KEY_DESCRIPTOR_SIZE];
void *volume_key;
size_t volume_key_size;
bool undo_dm;
bool undo_mount;
bool do_offline_fitrim;
bool do_offline_fallocate;
uint64_t partition_offset;
uint64_t partition_size;
} HomeSetup;
#define HOME_SETUP_INIT \
{ \
.root_fd = -1, \
.image_fd = -1, \
.partition_offset = UINT64_MAX, \
.partition_size = UINT64_MAX, \
}
int home_setup_undo(HomeSetup *setup);
int home_prepare(UserRecord *h, bool already_activated, char ***pkcs11_decrypted_passwords, HomeSetup *setup, UserRecord **ret_header_home);
int home_refresh(UserRecord *h, HomeSetup *setup, UserRecord *header_home, char ***pkcs11_decrypted_passwords, struct statfs *ret_statfs, UserRecord **ret_new_home);
int home_populate(UserRecord *h, int dir_fd);
int home_load_embedded_identity(UserRecord *h, int root_fd, UserRecord *header_home, UserReconcileMode mode, char ***pkcs11_decrypted_passwords, UserRecord **ret_embedded_home, UserRecord **ret_new_home);
int home_store_embedded_identity(UserRecord *h, int root_fd, uid_t uid, UserRecord *old_home);
int home_extend_embedded_identity(UserRecord *h, UserRecord *used, HomeSetup *setup);
int user_record_authenticate(UserRecord *h, UserRecord *secret, char ***pkcs11_decrypted_passwords, bool strict_verify);
int home_sync_and_statfs(int root_fd, struct statfs *ret);
Reference in a new issue View git blame Copy permalink