./tools/notsd-move

4 files changed, 460 insertions, 0 deletions

diff --git a/src/systemd-ask-password/Makefile b/src/systemd-ask-password/Makefile
new file mode 100644
index 0000000000..9b23b41513
--- /dev/null
+++ b/src/systemd-ask-password/Makefile
@@ -0,0 +1,33 @@
+#  -*- Mode: makefile; indent-tabs-mode: t -*-
+#
+#  This file is part of systemd.
+#
+#  Copyright 2010-2012 Lennart Poettering
+#  Copyright 2010-2012 Kay Sievers
+#  Copyright 2013 Zbigniew Jędrzejewski-Szmek
+#  Copyright 2013 David Strauss
+#  Copyright 2016 Luke Shumaker
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+#
+#  systemd is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+include $(dir $(lastword $(MAKEFILE_LIST)))/../../config.mk
+include $(topsrcdir)/build-aux/Makefile.head.mk
+
+rootbin_PROGRAMS += systemd-ask-password
+systemd_ask_password_SOURCES = \
+	src/ask-password/ask-password.c
+
+systemd_ask_password_LDADD = \
+	libsystemd-shared.la
+
+include $(topsrcdir)/build-aux/Makefile.tail.mk
diff --git a/src/systemd-ask-password/ask-password.c b/src/systemd-ask-password/ask-password.c
new file mode 100644
index 0000000000..ee29d1c558
--- /dev/null
+++ b/src/systemd-ask-password/ask-password.c
@@ -0,0 +1,188 @@
+/***
+  This file is part of systemd.
+
+  Copyright 2010 Lennart Poettering
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <errno.h>
+#include <getopt.h>
+#include <stddef.h>
+#include <unistd.h>
+
+#include "systemd-basic/def.h"
+#include "systemd-basic/log.h"
+#include "systemd-basic/macro.h"
+#include "systemd-basic/strv.h"
+#include "systemd-shared/ask-password-api.h"
+
+static const char *arg_icon = NULL;
+static const char *arg_id = NULL;
+static const char *arg_keyname = NULL;
+static char *arg_message = NULL;
+static usec_t arg_timeout = DEFAULT_TIMEOUT_USEC;
+static bool arg_multiple = false;
+static bool arg_no_output = false;
+static AskPasswordFlags arg_flags = ASK_PASSWORD_PUSH_CACHE;
+
+static void help(void) {
+        printf("%s [OPTIONS...] MESSAGE\n\n"
+               "Query the user for a system passphrase, via the TTY or an UI agent.\n\n"
+               "  -h --help           Show this help\n"
+               "     --icon=NAME      Icon name\n"
+               "     --id=ID          Query identifier (e.g. \"cryptsetup:/dev/sda5\")\n"
+               "     --keyname=NAME   Kernel key name for caching passwords (e.g. \"cryptsetup\")\n"
+               "     --timeout=SEC    Timeout in seconds\n"
+               "     --echo           Do not mask input (useful for usernames)\n"
+               "     --no-tty         Ask question via agent even on TTY\n"
+               "     --accept-cached  Accept cached passwords\n"
+               "     --multiple       List multiple passwords if available\n"
+               "     --no-output      Do not print password to standard output\n"
+               , program_invocation_short_name);
+}
+
+static int parse_argv(int argc, char *argv[]) {
+
+        enum {
+                ARG_ICON = 0x100,
+                ARG_TIMEOUT,
+                ARG_ECHO,
+                ARG_NO_TTY,
+                ARG_ACCEPT_CACHED,
+                ARG_MULTIPLE,
+                ARG_ID,
+                ARG_KEYNAME,
+                ARG_NO_OUTPUT,
+        };
+
+        static const struct option options[] = {
+                { "help",          no_argument,       NULL, 'h'               },
+                { "icon",          required_argument, NULL, ARG_ICON          },
+                { "timeout",       required_argument, NULL, ARG_TIMEOUT       },
+                { "echo",          no_argument,       NULL, ARG_ECHO          },
+                { "no-tty",        no_argument,       NULL, ARG_NO_TTY        },
+                { "accept-cached", no_argument,       NULL, ARG_ACCEPT_CACHED },
+                { "multiple",      no_argument,       NULL, ARG_MULTIPLE      },
+                { "id",            required_argument, NULL, ARG_ID            },
+                { "keyname",       required_argument, NULL, ARG_KEYNAME       },
+                { "no-output",     no_argument,       NULL, ARG_NO_OUTPUT     },
+                {}
+        };
+
+        int c;
+
+        assert(argc >= 0);
+        assert(argv);
+
+        while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
+
+                switch (c) {
+
+                case 'h':
+                        help();
+                        return 0;
+
+                case ARG_ICON:
+                        arg_icon = optarg;
+                        break;
+
+                case ARG_TIMEOUT:
+                        if (parse_sec(optarg, &arg_timeout) < 0) {
+                                log_error("Failed to parse --timeout parameter %s", optarg);
+                                return -EINVAL;
+                        }
+                        break;
+
+                case ARG_ECHO:
+                        arg_flags |= ASK_PASSWORD_ECHO;
+                        break;
+
+                case ARG_NO_TTY:
+                        arg_flags |= ASK_PASSWORD_NO_TTY;
+                        break;
+
+                case ARG_ACCEPT_CACHED:
+                        arg_flags |= ASK_PASSWORD_ACCEPT_CACHED;
+                        break;
+
+                case ARG_MULTIPLE:
+                        arg_multiple = true;
+                        break;
+
+                case ARG_ID:
+                        arg_id = optarg;
+                        break;
+
+                case ARG_KEYNAME:
+                        arg_keyname = optarg;
+                        break;
+
+                case ARG_NO_OUTPUT:
+                        arg_no_output = true;
+                        break;
+
+                case '?':
+                        return -EINVAL;
+
+                default:
+                        assert_not_reached("Unhandled option");
+                }
+
+        if (argc > optind) {
+                arg_message = strv_join(argv + optind, " ");
+                if (!arg_message)
+                        return log_oom();
+        }
+
+        return 1;
+}
+
+int main(int argc, char *argv[]) {
+        _cleanup_strv_free_erase_ char **l = NULL;
+        usec_t timeout;
+        char **p;
+        int r;
+
+        log_parse_environment();
+        log_open();
+
+        r = parse_argv(argc, argv);
+        if (r <= 0)
+                goto finish;
+
+        if (arg_timeout > 0)
+                timeout = now(CLOCK_MONOTONIC) + arg_timeout;
+        else
+                timeout = 0;
+
+        r = ask_password_auto(arg_message, arg_icon, arg_id, arg_keyname, timeout, arg_flags, &l);
+        if (r < 0) {
+                log_error_errno(r, "Failed to query password: %m");
+                goto finish;
+        }
+
+        STRV_FOREACH(p, l) {
+                if (!arg_no_output)
+                        puts(*p);
+
+                if (!arg_multiple)
+                        break;
+        }
+
+finish:
+        free(arg_message);
+
+        return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/src/systemd-ask-password/systemd-ask-password.completion.zsh b/src/systemd-ask-password/systemd-ask-password.completion.zsh
new file mode 100644
index 0000000000..fa68159256
--- /dev/null
+++ b/src/systemd-ask-password/systemd-ask-password.completion.zsh
@@ -0,0 +1,12 @@
+#compdef systemd-ask-password
+
+local curcontext="$curcontext" state lstate line
+_arguments \
+    {-h,--help}'[Show this help]' \
+    '--icon=[Icon name]:icon name:' \
+    '--timeout=[Timeout in sec]:timeout (seconds):' \
+    '--no-tty[Ask question via agent even on TTY]' \
+    '--accept-cached[Accept cached passwords]' \
+    '--multiple[List multiple passwords if available]'
+
+#vim: set ft=zsh sw=4 ts=4 et
diff --git a/src/systemd-ask-password/systemd-ask-password.xml b/src/systemd-ask-password/systemd-ask-password.xml
new file mode 100644
index 0000000000..2b6fb5a82f
--- /dev/null
+++ b/src/systemd-ask-password/systemd-ask-password.xml
@@ -0,0 +1,227 @@
+<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<!--
+  This file is part of systemd.
+
+  Copyright 2011 Lennart Poettering
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+-->
+
+<refentry id="systemd-ask-password"
+    xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>systemd-ask-password</title>
+    <productname>systemd</productname>
+
+    <authorgroup>
+      <author>
+        <contrib>Developer</contrib>
+        <firstname>Lennart</firstname>
+        <surname>Poettering</surname>
+        <email>lennart@poettering.net</email>
+      </author>
+    </authorgroup>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>systemd-ask-password</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>systemd-ask-password</refname>
+    <refpurpose>Query the user for a system password</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>systemd-ask-password <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">MESSAGE</arg></command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><command>systemd-ask-password</command> may be used to query
+    a system password or passphrase from the user, using a question
+    message specified on the command line. When run from a TTY it will
+    query a password on the TTY and print it to standard output. When
+    run with no TTY or with <option>--no-tty</option> it will query
+    the password system-wide and allow active users to respond via
+    several agents. The latter is only available to privileged
+    processes.</para>
+
+    <para>The purpose of this tool is to query system-wide passwords
+    — that is passwords not attached to a specific user account.
+    Examples include: unlocking encrypted hard disks when they are
+    plugged in or at boot, entering an SSL certificate passphrase for
+    web and VPN servers.</para>
+
+    <para>Existing agents are:
+    <itemizedlist>
+
+      <listitem><para>A boot-time password agent asking the user for
+      passwords using Plymouth</para></listitem>
+
+      <listitem><para>A boot-time password agent querying the user
+      directly on the console</para></listitem>
+
+      <listitem><para>An agent requesting password input via a
+      <citerefentry
+      project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      message</para></listitem>
+
+      <listitem><para>A command line agent which can be started
+      temporarily to process queued password
+      requests</para></listitem>
+
+      <listitem><para>A TTY agent that is temporarily spawned during
+      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      invocations</para></listitem>
+    </itemizedlist></para>
+
+    <para>Additional password agents may be implemented according to
+    the <ulink
+    url="http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">systemd
+    Password Agent Specification</ulink>.</para>
+
+    <para>If a password is queried on a TTY, the user may press TAB to
+    hide the asterisks normally shown for each character typed.
+    Pressing Backspace as first key achieves the same effect.</para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>Options</title>
+
+    <para>The following options are understood:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><option>--icon=</option></term>
+
+        <listitem><para>Specify an icon name alongside the password
+        query, which may be used in all agents supporting graphical
+        display. The icon name should follow the <ulink
+        url="http://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html">XDG
+        Icon Naming Specification</ulink>.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--id=</option></term>
+        <listitem><para>Specify an identifier for this password
+        query. This identifier is freely choosable and allows
+        recognition of queries by involved agents. It should include
+        the subsystem doing the query and the specific object the
+        query is done for. Example:
+        <literal>--id=cryptsetup:/dev/sda5</literal>.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--keyname=</option></term>
+        <listitem><para>Configure a kernel keyring key name to use as
+        cache for the password. If set, then the tool will try to push
+        any collected passwords into the kernel keyring of the root
+        user, as a key of the specified name. If combined with
+        <option>--accept-cached</option>, it will also try to retrieve
+        such cached passwords from the key in the kernel keyring
+        instead of querying the user right away. By using this option,
+        the kernel keyring may be used as effective cache to avoid
+        repeatedly asking users for passwords, if there are multiple
+        objects that may be unlocked with the same password. The
+        cached key will have a timeout of 2.5min set, after which it
+        will be purged from the kernel keyring. Note that it is
+        possible to cache multiple passwords under the same keyname,
+        in which case they will be stored as NUL-separated list of
+        passwords. Use
+        <citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        to access the cached key via the kernel keyring
+        directly. Example: <literal>--keyname=cryptsetup</literal></para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--timeout=</option></term>
+
+        <listitem><para>Specify the query timeout in seconds. Defaults
+        to 90s. A timeout of 0 waits indefinitely. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--echo</option></term>
+
+        <listitem><para>Echo the user input instead of masking it.
+        This is useful when using
+        <filename>systemd-ask-password</filename> to query for
+        usernames. </para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--no-tty</option></term>
+
+        <listitem><para>Never ask for password on current TTY even if
+        one is available. Always use agent system.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--accept-cached</option></term>
+
+        <listitem><para>If passed, accept cached passwords, i.e.
+        passwords previously entered.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--multiple</option></term>
+
+        <listitem><para>When used in conjunction with
+        <option>--accept-cached</option> accept multiple passwords.
+        This will output one password per line.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--no-output</option></term>
+
+	<listitem><para>Do not print passwords to standard output.
+	This is useful if you want to store a password in kernel
+	keyring with <option>--keyname</option> but do not want it
+	to show up on screen or in logs.</para></listitem>
+      </varlistentry>
+
+      <xi:include href="standard-options.xml" xpointer="help" />
+    </variablelist>
+
+  </refsect1>
+
+  <refsect1>
+    <title>Exit status</title>
+
+    <para>On success, 0 is returned, a non-zero failure code
+    otherwise.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+    <para>
+      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry project='die-net'><refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry project='die-net'><refentrytitle>plymouth</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry project='man-pages'><refentrytitle>wall</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>