shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-02 01:18:14 +03:00
Code

pid1: complete per-user credentials support (#35536)

Browse Source 
Fixes: #33887 #33796 #33318
This commit is contained in:
Lennart Poettering 2024-12-20 22:12:08 +01:00 committed by GitHub
commit 2232038187
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 262 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
TODO
View File

@ -446,10 +446,6 @@ Features:
* credentials: add a flag to the scoped credentials that if set require PK
reauthentication when unlocking a secret.
* teach systemd --user to properly load credentials off disk, with
/etc/credstore equivalent and similar. Make sure that $CREDENTIALS_DIRECTORY=
actually works too when run with user privs.
* extend the smbios11 logic for passing credentials so that instead of passing
the credential data literally it can also just reference an AF_VSOCK CID/port
to read them from. This way the data doesn't remain in the SMBIOS blob during

38
man/systemd.exec.xml
View File

@ -3468,37 +3468,43 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
<term><varname>LoadCredentialEncrypted=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term>
<listitem><para>Pass a credential to the unit. Credentials are limited-size binary or textual objects
that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
public and private) or certificates, user account information or identity information from host to
services. The data is accessible from the unit's processes via the file system, at a read-only
location that (if possible and permitted) is backed by non-swappable memory. The data is only
accessible to the user associated with the unit, via the
<varname>User=</varname>/<varname>DynamicUser=</varname> settings (as well as the superuser). When
available, the location of credentials is exported as the <varname>$CREDENTIALS_DIRECTORY</varname>
environment variable to the unit's processes.</para>
that may be passed to unit processes. They are primarily intended for passing cryptographic keys
(both public and private) or certificates, user account information or identity information from host
to services, but can be freely used to pass any kind of limited-size information to a service. The
data is accessible from the unit's processes via the file system, at a read-only location that (if
possible and permitted) is backed by non-swappable memory. The data is only accessible to the user
associated with the unit, via the <varname>User=</varname>/<varname>DynamicUser=</varname> settings
(as well as the superuser). When available, the location of credentials is exported as the
<varname>$CREDENTIALS_DIRECTORY</varname> environment variable to the unit's processes.</para>
<para>The <varname>LoadCredential=</varname> setting takes a textual ID to use as name for a
credential plus a file system path, separated by a colon. The ID must be a short ASCII string
suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
is absolute it is opened as regular file and the credential data is read from it. If the absolute
path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made
to it (only once at unit start-up) and the credential data read from the connection, providing an
to it (once at process invocation) and the credential data read from the connection, providing an
easy IPC integration point for dynamically transferring credentials from other services.</para>
<para>If the specified path is not absolute and itself qualifies as valid credential identifier it is
attempted to find a credential that the service manager itself received under the specified name —
which may be used to propagate credentials from an invoking environment (e.g. a container manager
that invoked the service manager) into a service. If no matching system credential is found, the
directories <filename>/etc/credstore/</filename>, <filename>/run/credstore/</filename> and
<filename>/usr/lib/credstore/</filename> are searched for files under the credential's name — which
hence are recommended locations for credential data on disk. If
that invoked the service manager) into a service. If no matching passed credential is found, the
system service manager will search the directories <filename>/etc/credstore/</filename>,
<filename>/run/credstore/</filename> and <filename>/usr/lib/credstore/</filename> for files under the
credential's name — which hence are recommended locations for credential data on disk. If
<varname>LoadCredentialEncrypted=</varname> is used <filename>/run/credstore.encrypted/</filename>,
<filename>/etc/credstore.encrypted/</filename>, and
<filename>/usr/lib/credstore.encrypted/</filename> are searched as well.</para>
<filename>/usr/lib/credstore.encrypted/</filename> are searched as well. The per-user service manager
will search <filename>$XDG_CONFIG_HOME/credstore/</filename>,
<filename>$XDG_RUNTIME_DIR/credstore/</filename>, <filename>$HOME/.local/lib/credstore/</filename>
(and the counterparts ending with <filename>…/credstore.encrypted/</filename>) instead. The
<citerefentry><refentrytitle>systemd-path</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool
may be used to query the precise credential store search path.</para>
<para>If the file system path is omitted it is chosen identical to the credential name, i.e. this is
a terse way to declare credentials to inherit from the service manager into a service. This option
may be used multiple times, each time defining an additional credential to pass to the unit.</para>
a terse way to declare credentials to inherit from the service manager or credstore directories into
a service. This option may be used multiple times, each time defining an additional credential to
pass to the unit.</para>
<para>Note that if the path is not specified or a valid credential identifier is given, i.e.
in the above two cases, a missing credential is not considered fatal.</para>

96
src/core/exec-credential.c
View File

@ -117,10 +117,9 @@ int exec_context_put_load_credential(ExecContext *c, const char *id, const char
return -ENOMEM;
r = hashmap_ensure_put(&c->load_credentials, &exec_load_credential_hash_ops, lc->id, lc);
if (r < 0) {
assert(r != -EEXIST);
if (r < 0)
return r;
}
TAKE_PTR(lc);
}
@ -167,10 +166,9 @@ int exec_context_put_set_credential(
return -ENOMEM;
r = hashmap_ensure_put(&c->set_credentials, &exec_set_credential_hash_ops, sc->id, sc);
if (r < 0) {
assert(r != -EEXIST);
if (r < 0)
return r;
}
TAKE_PTR(sc);
}
@ -193,19 +191,22 @@ int exec_context_put_import_credential(ExecContext *c, const char *glob, const c
*ic = (ExecImportCredential) {
.glob = strdup(glob),
.rename = rename ? strdup(rename) : NULL,
};
if (!ic->glob || (rename && !ic->rename))
if (!ic->glob)
return -ENOMEM;
if (rename) {
ic->rename = strdup(rename);
if (!ic->rename)
return -ENOMEM;
}
if (ordered_set_contains(c->import_credentials, ic))
return 0;
r = ordered_set_ensure_put(&c->import_credentials, &exec_import_credential_hash_ops, ic);
if (r < 0) {
assert(r != -EEXIST);
if (r < 0)
return r;
}
TAKE_PTR(ic);
@ -383,30 +384,46 @@ typedef enum CredentialSearchPath {
_CREDENTIAL_SEARCH_PATH_INVALID = -EINVAL,
} CredentialSearchPath;
static char** credential_search_path(const ExecParameters *params, CredentialSearchPath path) {
static int credential_search_path(const ExecParameters *params, CredentialSearchPath path, char ***ret) {
_cleanup_strv_free_ char **l = NULL;
int r;
assert(params);
assert(path >= 0 && path < _CREDENTIAL_SEARCH_PATH_MAX);
assert(ret);
/* Assemble a search path to find credentials in. For non-encrypted credentials, We'll look in
* /etc/credstore/ (and similar directories in /usr/lib/ + /run/). If we're looking for encrypted
* credentials, we'll look in /etc/credstore.encrypted/ (and similar dirs). */
if (IN_SET(path, CREDENTIAL_SEARCH_PATH_ENCRYPTED, CREDENTIAL_SEARCH_PATH_ALL)) {
if (strv_extend(&l, params->received_encrypted_credentials_directory) < 0)
return NULL;
r = strv_extend(&l, params->received_encrypted_credentials_directory);
if (r < 0)
return r;
if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore.encrypted"), /* filter_duplicates= */ true) < 0)
return NULL;
_cleanup_strv_free_ char **add = NULL;
r = credential_store_path_encrypted(params->runtime_scope, &add);
if (r < 0)
return r;
r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ false);
if (r < 0)
return r;
}
if (IN_SET(path, CREDENTIAL_SEARCH_PATH_TRUSTED, CREDENTIAL_SEARCH_PATH_ALL)) {
if (strv_extend(&l, params->received_credentials_directory) < 0)
return NULL;
r = strv_extend(&l, params->received_credentials_directory);
if (r < 0)
return r;
if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore"), /* filter_duplicates= */ true) < 0)
return NULL;
_cleanup_strv_free_ char **add = NULL;
r = credential_store_path(params->runtime_scope, &add);
if (r < 0)
return r;
r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ false);
if (r < 0)
return r;
}
if (DEBUG_LOGGING) {
@ -414,7 +431,8 @@ static char** credential_search_path(const ExecParameters *params, CredentialSea
log_debug("Credential search path is: %s", strempty(t));
}
return TAKE_PTR(l);
*ret = TAKE_PTR(l);
return 0;
}
struct load_cred_args {
@ -445,6 +463,10 @@ static int maybe_decrypt_and_write_credential(
assert(data || size == 0);
if (args->encrypted) {
switch (args->params->runtime_scope) {
case RUNTIME_SCOPE_SYSTEM:
/* In system mode talk directly to the TPM */
r = decrypt_credential_and_warn(
id,
now(CLOCK_REALTIME),
@ -454,6 +476,25 @@ static int maybe_decrypt_and_write_credential(
&IOVEC_MAKE(data, size),
CREDENTIAL_ANY_SCOPE,
&plaintext);
break;
case RUNTIME_SCOPE_USER:
/* In per user mode we'll not have access to the machine secret, nor to the TPM (most
* likely), hence go via the IPC service instead. Do this if we are run in root's
* per-user invocation too, to minimize differences and because isolating this logic
* into a separate process is generally a good thing anyway. */
r = ipc_decrypt_credential(
id,
now(CLOCK_REALTIME),
getuid(),
&IOVEC_MAKE(data, size),
/* flags= */ 0, /* only allow user creds in user scope */
&plaintext);
break;
default:
assert_not_reached();
}
if (r < 0)
return r;
@ -611,9 +652,9 @@ static int load_credential(
* directory we received ourselves. We don't support the AF_UNIX stuff in this mode, since we
* are operating on a credential store, i.e. this is guaranteed to be regular files. */
search_path = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL);
if (!search_path)
return -ENOMEM;
r = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL, &search_path);
if (r < 0)
return r;
missing_ok = true;
} else
@ -797,9 +838,9 @@ static int acquire_credentials(
ORDERED_SET_FOREACH(ic, context->import_credentials) {
_cleanup_free_ char **search_path = NULL;
search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED);
if (!search_path)
return -ENOMEM;
r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED, &search_path);
if (r < 0)
return r;
args.encrypted = false;
@ -811,9 +852,10 @@ static int acquire_credentials(
return r;
search_path = strv_free(search_path);
search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED);
if (!search_path)
return -ENOMEM;
r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED, &search_path);
if (r < 0)
return r;
args.encrypted = true;

16
src/libsystemd/sd-path/path-lookup.h
View File

@ -84,3 +84,19 @@ static inline char** generator_binary_paths(RuntimeScope runtime_scope) {
static inline char** env_generator_binary_paths(RuntimeScope runtime_scope) {
return generator_binary_paths_internal(runtime_scope, true);
}
static inline int credential_store_path(RuntimeScope runtime_scope, char ***ret) {
return sd_path_lookup_strv(
runtime_scope == RUNTIME_SCOPE_SYSTEM ?
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE : SD_PATH_USER_SEARCH_CREDENTIAL_STORE,
/* suffix= */ NULL,
ret);
}
static inline int credential_store_path_encrypted(RuntimeScope runtime_scope, char ***ret) {
return sd_path_lookup_strv(
runtime_scope == RUNTIME_SCOPE_SYSTEM ?
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED : SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
/* suffix= */ NULL,
ret);
}

84
src/libsystemd/sd-path/sd-path.c
View File

@ -36,7 +36,12 @@ static int from_environment(const char *envname, const char *fallback, const cha
return -ENXIO;
}
static int from_home_dir(const char *envname, const char *suffix, char **buffer, const char **ret) {
static int from_home_dir(
const char *envname,
const char *suffix,
char **buffer,
const char **ret) {
_cleanup_free_ char *h = NULL;
int r;
@ -350,6 +355,30 @@ static int get_path(uint64_t type, char **buffer, const char **ret) {
case SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR:
*ret = USER_ENV_GENERATOR_DIR;
return 0;
case SD_PATH_SYSTEM_CREDENTIAL_STORE:
*ret = "/etc/credstore";
return 0;
case SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED:
*ret = "/etc/credstore.encrypted";
return 0;
case SD_PATH_USER_CREDENTIAL_STORE:
r = xdg_user_config_dir("credstore", buffer);
if (r < 0)
return r;
*ret = *buffer;
return 0;
case SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED:
r = xdg_user_config_dir("credstore.encrypted", buffer);
if (r < 0)
return r;
*ret = *buffer;
return 0;
}
return -EOPNOTSUPP;
@ -366,12 +395,12 @@ static int get_path_alloc(uint64_t type, const char *suffix, char **ret) {
if (r < 0)
return r;
if (suffix) {
if (!isempty(suffix)) {
char *suffixed = path_join(p, suffix);
if (!suffixed)
return -ENOMEM;
path_simplify(suffixed);
path_simplify_full(suffixed, PATH_SIMPLIFY_KEEP_TRAILING_SLASH);
free_and_replace(buffer, suffixed);
} else if (!buffer) {
@ -601,8 +630,55 @@ static int get_search(uint64_t type, char ***ret) {
case SD_PATH_SYSTEMD_SEARCH_NETWORK:
return strv_from_nulstr(ret, NETWORK_DIRS_NULSTR);
case SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE:
case SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED: {
const char *suffix =
type == SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED ? "credstore.encrypted" : "credstore";
_cleanup_strv_free_ char **l = NULL;
FOREACH_STRING(d, CONF_PATHS("")) {
char *j = path_join(d, suffix);
if (!j)
return -ENOMEM;
r = strv_consume(&l, TAKE_PTR(j));
if (r < 0)
return r;
}
*ret = TAKE_PTR(l);
return 0;
}
case SD_PATH_USER_SEARCH_CREDENTIAL_STORE:
case SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED: {
const char *suffix =
type == SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED ? "credstore.encrypted" : "credstore";
static const uint64_t dirs[] = {
SD_PATH_USER_CONFIGURATION,
SD_PATH_USER_RUNTIME,
SD_PATH_USER_LIBRARY_PRIVATE,
};
_cleanup_strv_free_ char **l = NULL;
FOREACH_ELEMENT(d, dirs) {
_cleanup_free_ char *p = NULL;
r = sd_path_lookup(*d, suffix, &p);
if (r == -ENXIO)
continue;
if (r < 0)
return r;
r = strv_consume(&l, TAKE_PTR(p));
if (r < 0)
return r;
}
*ret = TAKE_PTR(l);
return 0;
}}
return -EOPNOTSUPP;
}
@ -637,7 +713,7 @@ _public_ int sd_path_lookup_strv(uint64_t type, const char *suffix, char ***ret)
if (!path_extend(i, suffix))
return -ENOMEM;
path_simplify(*i);
path_simplify_full(*i, PATH_SIMPLIFY_KEEP_TRAILING_SLASH);
}
*ret = TAKE_PTR(l);

57
src/path/path.c
View File

@ -14,6 +14,7 @@
#include "main-func.h"
#include "pager.h"
#include "pretty-print.h"
#include "sort-util.h"
#include "string-util.h"
static const char *arg_suffix = NULL;
@ -101,27 +102,50 @@ static const char* const path_table[_SD_PATH_MAX] = {
[SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR] = "systemd-user-environment-generator",
[SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR] = "systemd-search-system-environment-generator",
[SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR] = "systemd-search-user-environment-generator",
[SD_PATH_SYSTEM_CREDENTIAL_STORE] = "system-credential-store",
[SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE] = "system-search-credential-store",
[SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED] = "system-credential-store-encrypted",
[SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED] = "system-search-credential-store-encrypted",
[SD_PATH_USER_CREDENTIAL_STORE] = "user-credential-store",
[SD_PATH_USER_SEARCH_CREDENTIAL_STORE] = "user-search-credential-store",
[SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED] = "user-credential-store-encrypted",
[SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED] = "user-search-credential-store-encrypted",
};
static int order_cmp(const size_t *a, const size_t *b) {
assert(*a < ELEMENTSOF(path_table));
assert(*b < ELEMENTSOF(path_table));
return strcmp(path_table[*a], path_table[*b]);
}
static int list_paths(void) {
int r = 0;
int ret = 0, r;
pager_open(arg_pager_flags);
for (size_t i = 0; i < ELEMENTSOF(path_table); i++) {
_cleanup_free_ char *p = NULL;
int q;
size_t order[ELEMENTSOF(path_table)];
q = sd_path_lookup(i, arg_suffix, &p);
if (q < 0) {
log_full_errno(q == -ENXIO ? LOG_DEBUG : LOG_ERR,
q, "Failed to query %s: %m", path_table[i]);
if (q != -ENXIO)
RET_GATHER(r, q);
for (size_t i = 0; i < ELEMENTSOF(order); i++)
order[i] = i;
typesafe_qsort(order, ELEMENTSOF(order), order_cmp);
for (size_t i = 0; i < ELEMENTSOF(order); i++) {
size_t j = order[i];
const char *t = ASSERT_PTR(path_table[j]);
_cleanup_free_ char *p = NULL;
r = sd_path_lookup(j, arg_suffix, &p);
if (r < 0) {
log_full_errno(r == -ENXIO ? LOG_DEBUG : LOG_ERR, r, "Failed to query %s, proceeding: %m", t);
if (r != -ENXIO)
RET_GATHER(ret, r);
continue;
}
printf("%s%s:%s %s\n", ansi_highlight(), path_table[i], ansi_normal(), p);
printf("%s%s:%s %s\n", ansi_highlight(), t, ansi_normal(), p);
}
return r;
@ -154,14 +178,16 @@ static int help(void) {
if (r < 0)
return log_oom();
printf("%s [OPTIONS...] [NAME...]\n\n"
"Show system and user paths.\n\n"
printf("%s [OPTIONS...] [NAME...]\n"
"\n%sShow system and user paths.%s\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
" --suffix=SUFFIX Suffix to append to paths\n"
" --no-pager Do not pipe output into a pager\n"
"\nSee the %s for details.\n",
program_invocation_short_name,
ansi_highlight(),
ansi_normal(),
link);
return 0;
@ -224,10 +250,11 @@ static int run(int argc, char* argv[]) {
if (r <= 0)
return r;
if (argc > optind)
if (argc > optind) {
r = 0;
for (int i = optind; i < argc; i++)
RET_GATHER(r, print_path(argv[i]));
else
} else
r = list_paths();
return r;

10
src/systemd/sd-path.h
View File

@ -120,6 +120,16 @@ enum {
SD_PATH_USER_STATE_PRIVATE,
/* credential store */
SD_PATH_SYSTEM_CREDENTIAL_STORE,
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE,
SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED,
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
SD_PATH_USER_CREDENTIAL_STORE,
SD_PATH_USER_SEARCH_CREDENTIAL_STORE,
SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED,
SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
_SD_PATH_MAX
};

4
src/test/test-execute.c
View File

@ -1398,6 +1398,10 @@ static void run_tests(RuntimeScope scope, char **patterns) {
ASSERT_NOT_NULL(unit_paths = strjoin(PRIVATE_UNIT_DIR, ":", user_runtime_unit_dir));
ASSERT_OK(setenv_unit_path(unit_paths));
/* Write credential for test-execute-load-credential to the fake runtime dir, too */
_cleanup_free_ char *j = ASSERT_PTR(path_join(runtime_dir, "credstore/test-execute.load-credential"));
ASSERT_OK(write_string_file(j, "foo", WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755));
r = manager_new(scope, MANAGER_TEST_RUN_BASIC, &m);
if (manager_errno_skip_test(r))
return (void) log_tests_skipped_errno(r, "manager_new");

8
test/units/TEST-54-CREDS.sh
View File

@ -490,7 +490,7 @@ cmp /tmp/vlcredsdata /tmp/vlcredsdata2
rm /tmp/vlcredsdata /tmp/vlcredsdata2
clean_usertest() {
rm -f /tmp/usertest.data /tmp/usertest.data
rm -f /tmp/usertest.data /tmp/usertest.data /tmp/brummbaer.data
}
trap clean_usertest EXIT
@ -520,6 +520,12 @@ XDG_RUNTIME_DIR=/run/user/0 systemd-run --pipe --user --unit=waldi.service -p Lo
# Test mount unit with credential
test_mount_with_credential
# Fully unpriv operation
dd if=/dev/urandom of=/tmp/brummbaer.data bs=4096 count=1
run0 -u testuser --pipe mkdir -p /home/testuser/.config/credstore.encrypted
run0 -u testuser --pipe systemd-creds encrypt --user --name=brummbaer - /home/testuser/.config/credstore.encrypted/brummbaer < /tmp/brummbaer.data
run0 -u testuser --pipe systemd-run --user --pipe -p ImportCredential=brummbaer systemd-creds cat brummbaer | cmp /tmp/brummbaer.data
systemd-analyze log-level info
touch /testok