mirror of
https://github.com/systemd/systemd.git
synced 2025-01-05 13:18:06 +03:00
docs/HOME_DIRECTORY: format text
This commit is contained in:
parent
59390b1926
commit
abbfc39aaa
@ -8,24 +8,24 @@ SPDX-License-Identifier: LGPL-2.1-or-later
|
|||||||
# Home Directories
|
# Home Directories
|
||||||
|
|
||||||
[`systemd-homed.service(8)`](https://www.freedesktop.org/software/systemd/man/systemd-homed.service.html)
|
[`systemd-homed.service(8)`](https://www.freedesktop.org/software/systemd/man/systemd-homed.service.html)
|
||||||
manages home directories of regular ("human") users. Each directory it manages
|
manages home directories of regular ("human") users.
|
||||||
encapsulates both the data store and the user record of the user, so that it
|
Each directory it manages encapsulates both the data store and the user record of the user,
|
||||||
comprehensively describes the user account, and is thus naturally portable
|
so that it comprehensively describes the user account, and is thus naturally portable
|
||||||
between systems without any further, external metadata. This document describes
|
between systems without any further, external metadata.
|
||||||
the format used by these home directories, in the context of the storage
|
This document describes the format used by these home directories, in the context of the storage
|
||||||
mechanism used.
|
mechanism used.
|
||||||
|
|
||||||
## General Structure
|
## General Structure
|
||||||
|
|
||||||
Inside of the home directory a file `~/.identity` contains the JSON formatted
|
Inside of the home directory a file `~/.identity` contains the JSON formatted
|
||||||
user record of the user. It follows the format defined in
|
user record of the user.
|
||||||
[`JSON User Records`](USER_RECORD). It is recommended to bring the
|
It follows the format defined in [`JSON User Records`](USER_RECORD).
|
||||||
record into 'normalized' form (i.e. all objects should contain their fields
|
It is recommended to bring the record into 'normalized' form(i.e. all objects should contain their fields
|
||||||
sorted alphabetically by their key) before storing it there, though this is not
|
sorted alphabetically by their key) before storing it there,
|
||||||
required nor enforced. Since the user record is cryptographically signed, the
|
though this is not required nor enforced.
|
||||||
user cannot make modifications to the file on their own (at least not without
|
Since the user record is cryptographically signed, the user cannot make modifications to the file on their own
|
||||||
corrupting it, or knowing the private key used for signing the record). Note
|
(at least not without corrupting it, or knowing the private key used for signing the record).
|
||||||
that user records are stored here without their `binding`, `status` and
|
Note that user records are stored here without their `binding`, `status` and
|
||||||
`secret` sections, i.e. only with the sections included in the signature plus
|
`secret` sections, i.e. only with the sections included in the signature plus
|
||||||
the signature section itself.
|
the signature section itself.
|
||||||
|
|
||||||
@ -39,127 +39,119 @@ command line) the home directory requires no special setup besides including
|
|||||||
the user record in the `~/.identity` file.
|
the user record in the `~/.identity` file.
|
||||||
|
|
||||||
It is recommended to name home directories managed this way by
|
It is recommended to name home directories managed this way by
|
||||||
`systemd-homed.service` by the user name, suffixed with `.homedir` (example:
|
`systemd-homed.service` by the user name, suffixed with `.homedir`
|
||||||
`lennart.homedir` for a user `lennart`) but this is not enforced. When the user
|
(example: `lennart.homedir` for a user `lennart`) but this is not enforced.
|
||||||
is logged in, the directory is generally mounted to `/home/$USER` (in our
|
When the user is logged in, the directory is generally mounted to `/home/$USER`
|
||||||
example: `/home/lennart`), thus dropping the suffix while the home directory is
|
(in our example: `/home/lennart`), thus dropping the suffix while the home directory is active.
|
||||||
active. `systemd-homed` will automatically discover home directories named this
|
`systemd-homed` will automatically discover home directories named this
|
||||||
way in `/home/*.homedir` and synthesize NSS user records for them as they show
|
way in `/home/*.homedir` and synthesize NSS user records for them as they show up.
|
||||||
up.
|
|
||||||
|
|
||||||
## Storage Mechanism: `fscrypt` Directories
|
## Storage Mechanism: `fscrypt` Directories
|
||||||
|
|
||||||
This storage mechanism is mostly identical to the plain directory storage
|
This storage mechanism is mostly identical to the plain directory storage
|
||||||
mechanism, except that the home directory is encrypted using `fscrypt`. (Use
|
mechanism, except that the home directory is encrypted using `fscrypt`.
|
||||||
`--storage=fscrypt` on the `homectl` command line.) Key management is
|
(Use `--storage=fscrypt` on the `homectl` command line.)
|
||||||
implemented via extended attributes on the directory itself: for each password
|
Key management is implemented via extended attributes on the directory itself:
|
||||||
an extended attribute `trusted.fscrypt_slot0`, `trusted.fscrypt_slot1`,
|
for each password an extended attribute `trusted.fscrypt_slot0`, `trusted.fscrypt_slot1`,
|
||||||
`trusted.fscrypt_slot2`, … is maintained. Its value contains a colon-separated
|
`trusted.fscrypt_slot2`, … is maintained.
|
||||||
pair of Base64 encoded data fields. The first field contains a salt value, the
|
Its value contains a colon-separated pair of Base64 encoded data fields.
|
||||||
second field the encrypted volume key. The latter is encrypted using AES256 in
|
The first field contains a salt value, the second field the encrypted volume key.
|
||||||
counter mode, using a key derived from the password via PBKDF2-HMAC-SHA512,
|
The latter is encrypted using AES256 in counter mode, using a key derived from the password via PBKDF2-HMAC-SHA512,
|
||||||
together with the salt value. The construction is similar to what LUKS does for
|
together with the salt value.
|
||||||
`dm-crypt` encrypted volumes. Note that extended attributes are not encrypted
|
The construction is similar to what LUKS does for`dm-crypt` encrypted volumes.
|
||||||
by `fscrypt` and hence are suitable for carrying the key slots. Moreover, by
|
Note that extended attributes are not encrypted by `fscrypt` and hence are suitable for carrying the key slots.
|
||||||
using extended attributes, the slots are directly attached to the directory and
|
Moreover, by using extended attributes, the slots are directly attached to the directory and
|
||||||
an independent sidecar key database is not required.
|
an independent sidecar key database is not required.
|
||||||
|
|
||||||
## Storage Mechanism: `cifs` Home Directories
|
## Storage Mechanism: `cifs` Home Directories
|
||||||
|
|
||||||
In this storage mechanism, the home directory is mounted from a CIFS server and
|
In this storage mechanism, the home directory is mounted from a CIFS server and
|
||||||
service at login, configured inside the user record. (Use `--storage=cifs` on
|
service at login, configured inside the user record.
|
||||||
the `homectl` command line.) The local password of the user is used to log into
|
(Use `--storage=cifs` on the `homectl` command line.)
|
||||||
the CIFS service. The directory share needs to contain the user record in
|
The local password of the user is used to log into the CIFS service.
|
||||||
`~/.identity` as well. Note that this means that the user record needs to be
|
The directory share needs to contain the user record in `~/.identity` as well.
|
||||||
registered locally before it can be mounted for the first time, since CIFS
|
Note that this means that the user record needs to be registered locally before it can be mounted for the first time,
|
||||||
domain and server information needs to be known *before* the mount. Note that
|
since CIFS domain and server information needs to be known *before* the mount.
|
||||||
for all other storage mechanisms it is entirely sufficient if the directories
|
Note that for all other storage mechanisms it is entirely sufficient if the directories
|
||||||
or storage artifacts are placed at the right locations — all information to
|
or storage artifacts are placed at the right locations — all information to
|
||||||
activate them can be derived automatically from their mere availability.
|
activate them can be derived automatically from their mere availability.
|
||||||
|
|
||||||
## Storage Mechanism: `luks` Home Directories
|
## Storage Mechanism: `luks` Home Directories
|
||||||
|
|
||||||
This is the most advanced and most secure storage mechanism and consists of a
|
This is the most advanced and most secure storage mechanism and consists of a
|
||||||
Linux file system inside a LUKS2 volume inside a loopback file (or on removable
|
Linux file system inside a LUKS2 volume inside a loopback file (or on removable media).
|
||||||
media). (Use `--storage=luks` on the `homectl` command line.) Specifically:
|
(Use `--storage=luks` on the `homectl` command line.) Specifically:
|
||||||
|
|
||||||
* The image contains a GPT partition table. For now it should only contain a
|
* The image contains a GPT partition table.
|
||||||
single partition, and that partition must have the type UUID
|
For now it should only contain a single partition,
|
||||||
`773f91ef-66d4-49b5-bd83-d683bf40ad16`. Its partition label must be the
|
and that partition must have the type UUID
|
||||||
user name.
|
`773f91ef-66d4-49b5-bd83-d683bf40ad16`.
|
||||||
|
Its partition label must be the user name.
|
||||||
|
|
||||||
* This partition must contain a LUKS2 volume, whose label must be the user
|
* This partition must contain a LUKS2 volume, whose label must be the user name.
|
||||||
name. The LUKS2 volume must contain a LUKS2 token field of type
|
The LUKS2 volume must contain a LUKS2 token field of type `systemd-homed`.
|
||||||
`systemd-homed`. The JSON data of this token must have a `record` field,
|
The JSON data of this token must have a `record` field, containing a string with base64-encoded data.
|
||||||
containing a string with base64-encoded data. This data is the JSON user
|
This data is the JSON user record, in the same serialization as in `~/.identity`, though encrypted.
|
||||||
record, in the same serialization as in `~/.identity`, though encrypted. The
|
The JSON data of this token must also have an `iv` field, which contains a
|
||||||
JSON data of this token must also have an `iv` field, which contains a
|
base64-encoded binary initialization vector for the encryption.
|
||||||
base64-encoded binary initialization vector for the encryption. The
|
The encryption used is the same as the LUKS2 volume itself uses, unlocked by the
|
||||||
encryption used is the same as the LUKS2 volume itself uses, unlocked by the
|
|
||||||
same volume key, but based on its own IV.
|
same volume key, but based on its own IV.
|
||||||
|
|
||||||
* Inside of this LUKS2 volume must be a Linux file system, one of `ext4`,
|
* Inside of this LUKS2 volume must be a Linux file system, one of `ext4`, `btrfs` and `xfs`.
|
||||||
`btrfs` and `xfs`. The file system label must be the user name.
|
The file system label must be the user name.
|
||||||
|
|
||||||
* This file system should contain a single directory named after the user. This
|
* This file system should contain a single directory named after the user.
|
||||||
directory will become the home directory of the user when activated. It
|
This directory will become the home directory of the user when activated.
|
||||||
contains a second copy of the user record in the `~/.identity` file, like in
|
It contains a second copy of the user record in the `~/.identity` file, like in the other storage mechanisms.
|
||||||
the other storage mechanisms.
|
|
||||||
|
|
||||||
The image file should reside in a directory `/home/` on the system,
|
The image file should reside in a directory `/home/` on the system,
|
||||||
named after the user, suffixed with `.home`. When activated, the container home
|
named after the user, suffixed with `.home`.
|
||||||
directory is mounted to the same path, though with the `.home` suffix dropped —
|
When activated, the container home directory is mounted to the same path,
|
||||||
unless a different mount point is defined in the user record. (e.g.: the
|
though with the `.home` suffix dropped — unless a different mount point is defined in the user record.
|
||||||
loopback file `/home/waldo.home` is mounted to `/home/waldo` while activated.)
|
(e.g.: the loopback file `/home/waldo.home` is mounted to `/home/waldo` while activated.)
|
||||||
When the image is stored on removable media (such as a USB stick), the image
|
When the image is stored on removable media (such as a USB stick), the image
|
||||||
file can be directly `dd`'ed onto it; the format is unchanged. The GPT envelope
|
file can be directly `dd`'ed onto it; the format is unchanged.
|
||||||
should ensure the image is properly recognizable as a home directory both when
|
The GPT envelope should ensure the image is properly recognizable as a home directory both when
|
||||||
used in a loopback file and on a removable USB stick. (Note that when mounting
|
used in a loopback file and on a removable USB stick.
|
||||||
a home directory from a USB stick, it too defaults to a directory in `/home/`,
|
(Note that when mounting a home directory from a USB stick, it too defaults to a directory in `/home/`,
|
||||||
named after the username, with no further suffix.)
|
named after the username, with no further suffix.)
|
||||||
|
|
||||||
Rationale for the GPT partition table envelope: this way the image is nicely
|
Rationale for the GPT partition table envelope:
|
||||||
discoverable and recognizable already by partition managers as a home
|
this way the image is nicely discoverable and recognizable already by partition managers as a home directory.
|
||||||
directory. Moreover, when copied onto a USB stick the GPT envelope makes sure
|
Moreover, when copied onto a USB stick the GPT envelope makes sure
|
||||||
the stick is properly recognizable as a portable home directory
|
the stick is properly recognizable as a portable home directory medium.
|
||||||
medium. (Moreover, it allows embedding additional partitions later on, for
|
(Moreover, it allows embedding additional partitions later on, for
|
||||||
example on a multi-purpose USB stick that contains both a home
|
example on a multi-purpose USB stick that contains both a home directory and a generic storage volume.)
|
||||||
directory and a generic storage volume.)
|
|
||||||
|
|
||||||
Rationale for including the encrypted user record in the LUKS2 header:
|
Rationale for including the encrypted user record in the LUKS2 header:
|
||||||
Linux kernel file system implementations are generally not robust towards
|
Linux kernel file system implementations are generally not robust towards
|
||||||
maliciously formatted file systems; there's a good chance that file system
|
maliciously formatted file systems; there's a good chance that file system
|
||||||
images can be used as attack vectors, exploiting the kernel. Thus it is
|
images can be used as attack vectors, exploiting the kernel.
|
||||||
necessary to validate the home directory image *before* mounting it and
|
Thus it is necessary to validate the home directory image *before* mounting it and establishing a minimal level of trust.
|
||||||
establishing a minimal level of trust. Since the user record data is
|
Since the user record data is cryptographically signed and user records not signed with a recognized private
|
||||||
cryptographically signed and user records not signed with a recognized private
|
key are not accepted, a minimal level of trust between the system and the homedirectory image is established.
|
||||||
key are not accepted, a minimal level of trust between the system and the home
|
|
||||||
directory image is established.
|
|
||||||
|
|
||||||
Rationale for storing the home directory one level below to root directory of
|
Rationale for storing the home directory one level below to root directory of
|
||||||
the contained file system: this way special directories such as `lost+found/`
|
the contained file system:
|
||||||
do not show up in the user's home directory.
|
this way special directories such as `lost+found/` do not show up in the user's home directory.
|
||||||
|
|
||||||
## Algorithm
|
## Algorithm
|
||||||
|
|
||||||
Regardless of the storage mechanism used, an activated home directory
|
Regardless of the storage mechanism used, an activated home directory
|
||||||
necessarily involves a mount point to be established. In case of the
|
necessarily involves a mount point to be established.
|
||||||
directory-based storage mechanisms (`directory`, `subvolume` and `fscrypt`)
|
In case of the directory-based storage mechanisms (`directory`, `subvolume` and `fscrypt`) this is a bind mount.
|
||||||
this is a bind mount. In case of `cifs` this is a CIFS network mount, and in
|
In case of `cifs` this is a CIFS network mount, and in case of the LUKS2 backend a regular block device mount of the file system
|
||||||
case of the LUKS2 backend a regular block device mount of the file system
|
contained in the LUKS2 image.
|
||||||
contained in the LUKS2 image. By requiring a mount for all cases (even for
|
By requiring a mount for all cases (even for those that already are a directory),
|
||||||
those that already are a directory), a clear logic is defined to distinguish
|
a clear logic is defined to distinguish active and inactive home directories,
|
||||||
active and inactive home directories, so that the directories become
|
so that the directories become inaccessible under their regular path the instant they are deactivated.
|
||||||
inaccessible under their regular path the instant they are
|
Moreover, the `nosuid`, `nodev` and `noexec` flags configured in the user record are applied when the bind mount is established.
|
||||||
deactivated. Moreover, the `nosuid`, `nodev` and `noexec` flags configured in
|
|
||||||
the user record are applied when the bind mount is established.
|
|
||||||
|
|
||||||
During activation, the user records retained on the host, the user record
|
During activation, the user records retained on the host, the user record
|
||||||
stored in the LUKS2 header (in case of the LUKS2 storage mechanism) and the
|
stored in the LUKS2 header (in case of the LUKS2 storage mechanism) and the
|
||||||
user record stored inside the home directory in `~/.identity` are
|
user record stored inside the home directory in `~/.identity` are compared.
|
||||||
compared. Activation is only permitted if they match the same user and are
|
Activation is only permitted if they match the same user and are signed by a recognized key.
|
||||||
signed by a recognized key. When the three instances differ in `lastChangeUSec`
|
When the three instances differ in `lastChangeUSec` field, the newest record wins, and is propagated to the other two locations.
|
||||||
field, the newest record wins, and is propagated to the other two locations.
|
|
||||||
|
|
||||||
During activation, the file system checker (`fsck`) appropriate for the
|
During activation, the file system checker (`fsck`) appropriate for the
|
||||||
selected file system is automatically invoked, ensuring the file system is in a
|
selected file system is automatically invoked, ensuring the file system is in a
|
||||||
|
Loading…
Reference in New Issue
Block a user