shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-19 22:50:17 +03:00
Code

creds: permit interactive polkit auth when encrypting/decrypting through IPC

Browse Source
This commit is contained in:
Mike Yuan 2025-01-22 18:25:17 +01:00 committed by Yu Watanabe
parent f3ba767d6c
commit 0dc1716854
5 changed files with 30 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
man/systemd-creds.xml
View File

@ -177,6 +177,7 @@
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="no-ask-password" />
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>

4
shell-completion/bash/systemd-creds
View File

@ -41,7 +41,7 @@ _systemd_creds() {
local verb comps mode i
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
local -A OPTS=(
[STANDALONE]='-h --help --version --no-pager --no-legend
[STANDALONE]='-h --help --version --no-pager --no-legend --no-ask-password
-H -T --system --user -p --pretty --allow-null'
[ARG]='--tpm2-device
--tpm2-device-key
@ -77,6 +77,7 @@ _systemd_creds() {
--version
--no-pager
--no-legend
--no-ask-password
--uid
--with-key
-H
@ -94,6 +95,7 @@ _systemd_creds() {
--version
--no-pager
--no-legend
--no-ask-password
--uid
--tpm2-device
--tpm2-pcrs

23
src/creds/creds.c
View File

@ -65,6 +65,7 @@ static bool arg_quiet = false;
static bool arg_varlink = false;
static uid_t arg_uid = UID_INVALID;
static bool arg_allow_null = false;
static bool arg_ask_password = true;
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_signature, freep);
@ -586,16 +587,18 @@ static int verb_encrypt(int argc, char **argv, void *userdata) {
if (arg_not_after != USEC_INFINITY && arg_not_after < timestamp)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential is invalidated before it is valid.");
if (geteuid() != 0)
if (geteuid() != 0) {
(void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
r = ipc_encrypt_credential(
name,
timestamp,
arg_not_after,
arg_uid,
&plaintext,
/* flags= */ 0,
arg_ask_password ? CREDENTIAL_IPC_ALLOW_INTERACTIVE : 0,
&output);
else
} else
r = encrypt_credential_and_warn(
arg_with_key,
name,
@ -690,15 +693,17 @@ static int verb_decrypt(int argc, char **argv, void *userdata) {
timestamp = arg_timestamp != USEC_INFINITY ? arg_timestamp : now(CLOCK_REALTIME);
if (geteuid() != 0)
if (geteuid() != 0) {
(void) polkit_agent_open_if_enabled(BUS_TRANSPORT_LOCAL, arg_ask_password);
r = ipc_decrypt_credential(
name,
timestamp,
arg_uid,
&input,
/* flags= */ 0,
arg_ask_password ? CREDENTIAL_IPC_ALLOW_INTERACTIVE : 0,
&plaintext);
else
} else
r = decrypt_credential_and_warn(
name,
timestamp,
@ -832,6 +837,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_USER,
ARG_UID,
ARG_ALLOW_NULL,
ARG_NO_ASK_PASSWORD,
};
static const struct option options[] = {
@ -857,6 +863,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "user", no_argument, NULL, ARG_USER },
{ "uid", required_argument, NULL, ARG_UID },
{ "allow-null", no_argument, NULL, ARG_ALLOW_NULL },
{ "no-ask-password", no_argument, NULL, ARG_NO_ASK_PASSWORD },
{}
};
@ -1052,6 +1059,10 @@ static int parse_argv(int argc, char *argv[]) {
arg_allow_null = true;
break;
case ARG_NO_ASK_PASSWORD:
arg_ask_password = false;
break;
case 'q':
arg_quiet = true;
break;

6
src/shared/creds-util.c
View File

@ -1572,7 +1572,8 @@ int ipc_encrypt_credential(const char *name, usec_t timestamp, usec_t not_after,
SD_JSON_BUILD_PAIR_CONDITION(timestamp != USEC_INFINITY, "timestamp", SD_JSON_BUILD_UNSIGNED(timestamp)),
SD_JSON_BUILD_PAIR_CONDITION(not_after != USEC_INFINITY, "notAfter", SD_JSON_BUILD_UNSIGNED(not_after)),
SD_JSON_BUILD_PAIR_CONDITION(!FLAGS_SET(flags, CREDENTIAL_ANY_SCOPE), "scope", SD_JSON_BUILD_STRING(uid_is_valid(uid) ? "user" : "system")),
SD_JSON_BUILD_PAIR_CONDITION(uid_is_valid(uid), "uid", SD_JSON_BUILD_UNSIGNED(uid)));
SD_JSON_BUILD_PAIR_CONDITION(uid_is_valid(uid), "uid", SD_JSON_BUILD_UNSIGNED(uid)),
SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", FLAGS_SET(flags, CREDENTIAL_IPC_ALLOW_INTERACTIVE)));
if (r < 0)
return log_error_errno(r, "Failed to call Encrypt() varlink call.");
if (!isempty(error_id)) {
@ -1629,7 +1630,8 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp,
SD_JSON_BUILD_PAIR("blob", SD_JSON_BUILD_VARIANT(jinput)),
SD_JSON_BUILD_PAIR_CONDITION(validate_timestamp != USEC_INFINITY, "timestamp", SD_JSON_BUILD_UNSIGNED(validate_timestamp)),
SD_JSON_BUILD_PAIR_CONDITION(!FLAGS_SET(flags, CREDENTIAL_ANY_SCOPE), "scope", SD_JSON_BUILD_STRING(uid_is_valid(uid) ? "user" : "system")),
SD_JSON_BUILD_PAIR_CONDITION(uid_is_valid(uid), "uid", SD_JSON_BUILD_UNSIGNED(uid)));
SD_JSON_BUILD_PAIR_CONDITION(uid_is_valid(uid), "uid", SD_JSON_BUILD_UNSIGNED(uid)),
SD_JSON_BUILD_PAIR_BOOLEAN("allowInteractiveAuthentication", FLAGS_SET(flags, CREDENTIAL_IPC_ALLOW_INTERACTIVE)));
if (r < 0)
return log_error_errno(r, "Failed to call Decrypt() varlink call.");
if (!isempty(error_id)) {

7
src/shared/creds-util.h
View File

@ -58,8 +58,11 @@ int get_credential_host_secret(CredentialSecretFlags flags, struct iovec *ret);
int get_credential_user_password(const char *username, char **ret_password, bool *ret_is_hashed);
typedef enum CredentialFlags {
CREDENTIAL_ALLOW_NULL = 1 << 0, /* allow decryption of NULL key, even if TPM is around */
CREDENTIAL_ANY_SCOPE = 1 << 1, /* allow decryption of both system and user credentials */
CREDENTIAL_ALLOW_NULL = 1 << 0, /* allow decryption of NULL key, even if TPM is around */
CREDENTIAL_ANY_SCOPE = 1 << 1, /* allow decryption of both system and user credentials */
/* Only used by ipc_{encrypt,decrypt}_credential */
CREDENTIAL_IPC_ALLOW_INTERACTIVE = 1 << 2,
} CredentialFlags;
/* The four modes we support: keyed only by on-disk key, only by TPM2 HMAC key, and by the combination of