tty-ask-password-agent.c revision 99f710dde855f7ecb699ddac6ad77923c1f6bc85
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd.
Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <stdbool.h>
#include <errno.h>
#include <string.h>
#include <stddef.h>
#include <poll.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/signalfd.h>
#include <fcntl.h>
#include "util.h"
#include "mkdir.h"
#include "path-util.h"
#include "conf-parser.h"
#include "utmp-wtmp.h"
#include "socket-util.h"
#include "ask-password-api.h"
#include "strv.h"
#include "build.h"
#include "def.h"
#include "process-util.h"
#include "terminal-util.h"
/* Mode of operation; defaults to ACTION_QUERY.
 * NOTE(review): the enumerator list is missing from this listing. ACTION_LIST,
 * ACTION_QUERY, ACTION_WATCH and ACTION_WALL are the values referenced elsewhere
 * in the file; presumably they are selected by --list/--query/--watch/--wall. */
static enum {
} arg_action = ACTION_QUERY;
/* Set by the ARG_PLYMOUTH option: the query goes through ask_password_plymouth()
 * instead of the TTY branch. */
static bool arg_plymouth = false;
/* Set by the ARG_CONSOLE option: a tty fd is obtained before prompting, and
 * setsid() is called during startup. */
static bool arg_console = false;
/* Ask for one or more passphrases through Plymouth and hand them back in
 * *_passphrases.
 *
 * Parameters, as far as this listing shows their use:
 *   message       - passed to the call that builds the request packet (the call
 *                   name is not visible)
 *   flag_file     - optional; when set, extra setup runs first
 *   accept_cached - when true, the first attempt may be answered from cached
 *                   passwords; after a type-5 reply it is cleared and a normal
 *                   request follows
 *   _passphrases  - out parameter, assigned only on the success path
 *
 * Returns 0 on success or a negative errno-style code: -ETIME once the deadline
 * has passed or the wait returned 0, -ENOENT when no password was obtained
 * because no UI was shown, -EIO for an unknown packet, -ENOMEM / log_oom() on
 * allocation failure.
 *
 * NOTE(review): the declarations of fd, notify, buffer, size, packet and until,
 * and most of the calls whose results are tested below, are missing from this
 * listing. The comments describe only what is visible. */
static int ask_password_plymouth(
const char *message,
const char *flag_file,
bool accept_cached,
char ***_passphrases) {
ssize_t k;
int r, n;
/* Number of reply bytes collected so far. */
size_t p = 0;
enum {
};
if (flag_file) {
/* NOTE(review): the assignments to notify and r are not visible; both
 * failures are reported as -errno. */
if (notify < 0)
return -errno;
if (r < 0)
return -errno;
}
if (fd < 0)
return -errno;
if (r < 0)
if (accept_cached) {
n = 1;
message, &n) < 0)
if (!packet)
return log_oom();
if (r < 0)
return r;
for (;;) {
int sleep_for = -1, j;
/* A non-zero until is a deadline on CLOCK_MONOTONIC. */
if (until > 0) {
usec_t y;
y = now(CLOCK_MONOTONIC);
if (y > until)
return -ETIME;
}
return -errno;
/* j is presumably the result of the wait call (not visible): negative is
 * an error, zero means nothing arrived in time. */
if (j < 0) {
continue;
return -errno;
} else if (j == 0)
return -ETIME;
continue;
/* NOTE(review): the statement guarded by k <= 0 is missing from this listing;
 * as printed, p += k would be its body. Confirm against the full source that
 * a failed or empty read returns before p is advanced. */
if (k <= 0)
p += k;
if (p < 1)
continue;
/* Reply type 5: no answer was produced. */
if (buffer[0] == 5) {
if (accept_cached) {
/* Hmm, first try with cached
* passwords failed, so let's retry
* with a normal password request */
return -ENOMEM;
if (r < 0)
return r;
/* Start over with an empty receive count and caching disabled. */
accept_cached = false;
p = 0;
continue;
}
/* No password, because UI not shown */
return -ENOENT;
char **l;
/* One or more answers */
/* At least 5 bytes are needed before the reply is looked at further. This
 * also keeps p-5 below from wrapping, since p is a size_t. */
if (p < 5)
continue;
/* NOTE(review): the condition for this -EIO is not visible. Presumably it
 * checks the peer-declared size against the receive buffer - confirm, since
 * size then decides when the reply counts as complete. */
return -EIO;
if (p-5 < size)
continue;
if (!l)
return -ENOMEM;
/* NOTE(review): l presumably holds plaintext passphrases; the caller becomes
 * responsible for it from here - confirm who frees and wipes it. */
*_passphrases = l;
break;
} else
/* Unknown packet */
return -EIO;
}
return 0;
}
/* NOTE(review): the signature of this function is missing from the listing.
 * show_passwords() calls parse_password(p, &wall), so this is presumably that
 * body - confirm.
 *
 * Visible behaviour: a ConfigTableItem table is declared and a parse call's
 * result is checked; a request without socket_name is rejected with -EBADMSG;
 * arg_action then selects between listing, building a wall message, and
 * querying a password to build a reply packet whose first byte is '+'.
 * Returns 0 or a negative errno-style code. */
unsigned pid = 0;
bool accept_cached = false, echo = false;
const ConfigTableItem items[] = {
{}
};
int r;
NULL,
true, false, true, NULL);
if (r < 0)
return r;
/* A request that names no reply socket is treated as malformed. */
if (!socket_name) {
return -EBADMSG;
}
/* NOTE(review): the conditions for these two early returns are not visible. */
return 0;
return 0;
if (arg_action == ACTION_LIST)
else if (arg_action == ACTION_WALL) {
char *_wall;
/* The wall text embeds a quoted string and the PID held in pid; the other
 * arguments of the formatting call are not visible. */
"%s%sPassword entry required for \'%s\' (PID %u).\r\n"
"Please enter password with the systemd-tty-ask-password-agent tool!",
pid) < 0)
return log_oom();
} else {
union sockaddr_union sa = {};
size_t packet_length = 0;
arg_action == ACTION_WATCH);
if (arg_action == ACTION_QUERY)
return 0;
}
if (arg_plymouth) {
if (r >= 0) {
char **p;
packet_length = 1;
if (!packet)
r = -ENOMEM;
else {
/* Reply layout as far as visible: '+' in byte 0, then each passphrase copied
 * including its terminating NUL (stpcpy() returns the NUL position, + 1
 * steps past it). The loop over p is not visible.
 * NOTE(review): packet holds plaintext passphrases. No erase of packet or of
 * the passphrase list is visible before they go out of scope - confirm in the
 * full source, and prefer a wipe the compiler cannot drop (e.g.
 * explicit_bzero()) over a plain memset(). */
char *d = packet + 1;
d = stpcpy(d, *p) + 1;
packet[0] = '+';
}
}
} else {
int tty_fd = -1;
/* With arg_console set, a tty fd is obtained first; a negative value is
 * returned to the caller as the error. */
if (arg_console) {
if (tty_fd < 0)
return tty_fd;
}
if (arg_console) {
}
if (r >= 0) {
if (!packet)
r = -ENOMEM;
else {
/* Same '+' marker as in the Plymouth branch; the copy of the password into
 * packet is not visible here, and the same wipe-before-release concern
 * applies. */
packet[0] = '+';
}
}
}
/* If the query went away, that's OK */
return 0;
if (r < 0)
return log_error_errno(r, "Failed to query password: %m");
if (socket_fd < 0)
if (r < 0) {
return r;
}
}
return 0;
}
/* Set up a FIFO for the controlling tty of this process and return an fd for
 * it. Returns the fd on success, or a negative errno-style code when the tty
 * device number cannot be determined, when allocation fails, or when the open
 * fails.
 *
 * NOTE(review): the declaration of devnr, the line that builds the path p and
 * the open call are missing from this listing. */
static int wall_tty_block(void) {
_cleanup_free_ char *p = NULL;
int fd, r;
r = get_ctty_devnr(0, &devnr);
if (r < 0)
return r;
return -ENOMEM;
/* Owner-only modes: 0700 for the parent directories, 0600 for the FIFO.
 * The return values of both calls are ignored, so a failure here is noticed
 * only if the open that follows fails.
 * NOTE(review): mkfifo() fails with EEXIST and leaves a pre-existing node of
 * any type in place - confirm that the directory holding p is writable only by
 * the owner, so the node opened below is the one this code expects. */
mkdir_parents_label(p, 0700);
mkfifo(p, 0600);
if (fd < 0)
return -errno;
return fd;
}
/* NOTE(review): the signature of this function is missing from the listing, as
 * are the declaration of st and the calls whose results are tested.
 *
 * Visible contract: returns true on every path where a check cannot be
 * completed or the pipe cannot be opened, and false only when opening the pipe
 * succeeds. */
int fd, r;
_cleanup_free_ char *p = NULL;
if (!path_is_absolute(path))
if (r < 0)
return true;
return true;
/* We use named pipes to ensure that wall messages suggesting
* password entry are not printed over password prompts
* already shown. We use the fact here that opening a pipe in
* non-blocking mode for write-only will succeed only if
* there's some writer behind it. Using pipes has the
* advantage that the block will automatically go away if the
* process dies. */
/* The pipe name is built from the device numbers in st.st_rdev, not from the
 * text of path, so path never becomes part of a file name under /run/systemd. */
if (asprintf(&p, "/run/systemd/ask-password-block/%u:%u", major(st.st_rdev), minor(st.st_rdev)) < 0)
return true;
if (fd < 0)
return true;
/* What, we managed to open the pipe? Then this tty is filtered. */
safe_close(fd);
return false;
}
/* Walk /run/systemd/ask-password and pass entries to parse_password().
 * Returns 0 when every entry was handled, otherwise the first negative result
 * from parse_password(); a later failure does not replace an earlier one.
 * A directory that cannot be opened yields 0 or -errno.
 *
 * NOTE(review): the declarations of d, p and wall, the directory loop header
 * and the entry filters are missing from this listing. */
static int show_passwords(void) {
int r = 0;
d = opendir("/run/systemd/ask-password");
if (!d) {
/* NOTE(review): the condition that selects the 0 return is not visible. */
return 0;
return -errno;
}
int q;
/* We only support /dev on tmpfs, hence we can rely on
* d_type to be reliable */
/* NOTE(review): the three filter conditions that skip an entry are not
 * visible. */
continue;
continue;
continue;
if (!p)
return log_oom();
q = parse_password(p, &wall);
/* Remember only the first failure and keep going with the other entries. */
if (q < 0 && r == 0)
r = q;
/* NOTE(review): the statement guarded by wall is missing from this listing. */
if (wall)
}
return r;
}
/* Loop that calls show_passwords() again and again. Returns 0 once the loop is
 * left, or -errno when setting up notify or signal_fd fails or when the wait
 * inside the loop fails.
 *
 * NOTE(review): the enum members, the setup of notify and signal_fd and the
 * wait call are missing from this listing. */
static int watch_passwords(void) {
enum {
};
int r;
if (notify < 0)
return -errno;
return -errno;
if (signal_fd < 0)
return -errno;
for (;;) {
r = show_passwords();
/* A failed pass is logged only; the loop goes on. */
if (r < 0)
log_error_errno(r, "Failed to show password: %m");
continue;
return -errno;
}
break;
}
return 0;
}
/* Print the usage text to stdout.
 * NOTE(review): the end of the printf() call is missing from this listing.
 * Option parsing also handles ARG_CONSOLE, but no line for it is visible in the
 * help text here. */
static void help(void) {
printf("%s [OPTIONS...]\n\n"
"Process system password requests.\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
" --list Show pending password requests\n"
" --query Process pending password requests\n"
" --watch Continuously process password requests\n"
" --wall Continuously forward password requests to wall\n"
" --plymouth Ask question with Plymouth instead of on TTY\n"
}
/* NOTE(review): the signature, the option table and the getopt loop header are
 * missing from this listing; this is presumably the command-line parser.
 *
 * Visible return convention: 0 after the help or version case, -EINVAL on a
 * usage error, 1 otherwise. The caller jumps to its finish label when the
 * result is <= 0, so 1 presumably means "go on" - confirm. */
enum {
/* Long-only options start at 0x100, above any single-character option. */
ARG_LIST = 0x100,
};
{}
};
int c;
switch (c) {
case 'h':
help();
return 0;
case ARG_VERSION:
return 0;
/* NOTE(review): the statements in the next four cases are not visible. */
case ARG_LIST:
break;
case ARG_QUERY:
break;
case ARG_WATCH:
break;
case ARG_WALL:
break;
case ARG_PLYMOUTH:
arg_plymouth = true;
break;
case ARG_CONSOLE:
arg_console = true;
break;
case '?':
return -EINVAL;
default:
assert_not_reached("Unhandled option");
}
/* NOTE(review): the condition for this -EINVAL is not visible. */
return -EINVAL;
}
return 1;
}
/* NOTE(review): the signature is missing from this listing; presumably this is
 * the program entry point. It opens logging, sets the umask, stops early when
 * the call assigning r yields <= 0, then runs either watch_passwords() or
 * show_passwords() and maps a negative result to EXIT_FAILURE. */
int r;
log_open();
/* Files and directories this process creates get no group/other write
 * permission. */
umask(0022);
if (r <= 0)
goto finish;
if (arg_console) {
setsid();
}
/* NOTE(review): the condition that selects watch_passwords() and the finish
 * label are not visible. */
r = watch_passwords();
else
r = show_passwords();
if (r < 0)
log_error_errno(r, "Error: %m");
return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}