build(deps): bump github/codeql-action from 1.0.22 to 1.0.23

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.22 to 1.0.23. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](5581e08a65...a627e9fa50) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #21421 from poettering/homed-recovery-pw
2026-04-07 07:34:50 +02:00 · 2021-11-18 01:17:19 +03:00 · 2021-11-17 21:55:31 +01:00 · 2021-11-17 17:47:48 +00:00 · 2021-11-17 17:45:21 +01:00 · 2021-11-17 17:42:12 +01:00
4 changed files with 109 additions and 4 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -38,14 +38,14 @@ jobs:
      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

    - name: Initialize CodeQL
-      uses: github/codeql-action/init@5581e08a65fc3811c3ac78939dd59e7a8adbf003
+      uses: github/codeql-action/init@a627e9fa504113bfa8e90a9b429b157a38b1cdbd
      with:
        languages: ${{ matrix.language }}

    - run: sudo -E .github/workflows/unit_tests.sh SETUP

    - name: Autobuild
-      uses: github/codeql-action/autobuild@5581e08a65fc3811c3ac78939dd59e7a8adbf003
+      uses: github/codeql-action/autobuild@a627e9fa504113bfa8e90a9b429b157a38b1cdbd

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5581e08a65fc3811c3ac78939dd59e7a8adbf003
+      uses: github/codeql-action/analyze@a627e9fa504113bfa8e90a9b429b157a38b1cdbd
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@ -255,6 +255,63 @@ static int acquire_existing_password(
        return 1;
 }

+static int acquire_recovery_key(
+                const char *user_name,
+                UserRecord *hr,
+                AskPasswordFlags flags) {
+
+        _cleanup_(strv_free_erasep) char **recovery_key = NULL;
+        _cleanup_free_ char *question = NULL;
+        char *e;
+        int r;
+
+        assert(user_name);
+        assert(hr);
+
+        e = getenv("RECOVERY_KEY");
+        if (e) {
+                /* People really shouldn't use environment variables for passing secrets. We support this
+                 * only for testing purposes, and do not document the behaviour, so that people won't
+                 * actually use this outside of testing. */
+
+                r = user_record_set_password(hr, STRV_MAKE(e), true); /* recovery keys are stored in the record exactly like regular passwords! */
+                if (r < 0)
+                        return log_error_errno(r, "Failed to store recovery key: %m");
+
+                assert_se(unsetenv_erase("RECOVERY_KEY") >= 0);
+                return 1;
+        }
+
+        /* If this is not our own user, then don't use the password cache */
+        if (is_this_me(user_name) <= 0)
+                SET_FLAG(flags, ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE, false);
+
+        if (asprintf(&question, "Please enter recovery key for user %s:", user_name) < 0)
+                return log_oom();
+
+        r = ask_password_auto(question,
+                              /* icon= */ "user-home",
+                              NULL,
+                              /* key_name= */ "home-recovery-key",
+                              /* credential_name= */ "home.recovery-key",
+                              USEC_INFINITY,
+                              flags,
+                              &recovery_key);
+        if (r == -EUNATCH) { /* EUNATCH is returned if no recovery key was found and asking interactively was
+                              * disabled via the flags. Not an error for us. */
+                log_debug_errno(r, "No recovery keys acquired.");
+                return 0;
+        }
+        if (r < 0)
+                return log_error_errno(r, "Failed to acquire recovery keys: %m");
+
+        r = user_record_set_password(hr, recovery_key, true);
+        if (r < 0)
+                return log_error_errno(r, "Failed to store recovery keys: %m");
+
+        return 1;
+}
+
 static int acquire_token_pin(
                const char *user_name,
                UserRecord *hr,
@ -343,6 +400,20 @@ static int handle_generic_user_record_error(
                if (r < 0)
                        return r;

+        } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_RECOVERY_KEY)) {
+
+                if (!strv_isempty(hr->password))
+                        log_notice("Recovery key incorrect or not sufficient, please try again.");
+
+                /* Don't consume cache entries or credentials here, we already tried that unsuccessfully. But
+                 * let's push what we acquire here into the cache */
+                r = acquire_recovery_key(
+                                user_name,
+                                hr,
+                                ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_NO_CREDENTIAL);
+                if (r < 0)
+                        return r;
+
        } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) {

                if (strv_isempty(hr->password))
@ -469,6 +540,13 @@ static int acquire_passed_secrets(const char *user_name, UserRecord **ret) {
        if (r < 0)
                return r;

+        r = acquire_recovery_key(
+                        user_name,
+                        secret,
+                        ASK_PASSWORD_ACCEPT_CACHED | ASK_PASSWORD_NO_TTY | ASK_PASSWORD_NO_AGENT);
+        if (r < 0)
+                return r;
+
        *ret = TAKE_PTR(secret);
        return 0;
 }
--- a/src/home/pam_systemd_home.c
+++ b/src/home/pam_systemd_home.c
@ -324,6 +324,33 @@ static int handle_generic_user_record_error(
                        return PAM_SERVICE_ERR;
                }

+        } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_RECOVERY_KEY)) {
+                _cleanup_(erase_and_freep) char *newp = NULL;
+
+                assert(secret);
+
+                /* Hmm, homed asks for recovery key (because no regular password is defined maybe)? Provide it. */
+
+                if (strv_isempty(secret->password))
+                        r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Recovery key: ");
+                else {
+                        (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Password/recovery key incorrect or not sufficient for authentication of user %s.", user_name);
+                        r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, reenter recovery key: ");
+                }
+                if (r != PAM_SUCCESS)
+                        return PAM_CONV_ERR; /* no logging here */
+
+                if (isempty(newp)) {
+                        pam_syslog(handle, LOG_DEBUG, "Recovery key request aborted.");
+                        return PAM_AUTHTOK_ERR;
+                }
+
+                r = user_record_set_password(secret, STRV_MAKE(newp), true);
+                if (r < 0) {
+                        pam_syslog(handle, LOG_ERR, "Failed to store recovery key: %s", strerror_safe(r));
+                        return PAM_SERVICE_ERR;
+                }
+
        } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) {
                _cleanup_(erase_and_freep) char *newp = NULL;

--- a/src/shared/hwdb-util.c
+++ b/src/shared/hwdb-util.c
@ -639,7 +639,7 @@ int hwdb_update(const char *root, const char *hwdb_bin_dir, bool strict, bool co
        if (!hwdb_bin)
                return -ENOMEM;

-        mkdir_parents_label(hwdb_bin, 0755);
+        (void) mkdir_parents_label(hwdb_bin, 0755);
        err = trie_store(trie, hwdb_bin, compat);
        if (err < 0)
                return log_error_errno(err, "Failed to write database %s: %m", hwdb_bin);
Author	SHA1	Message	Date
dependabot[bot]	d59d6cc154	build(deps): bump github/codeql-action from 1.0.22 to 1.0.23 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1.0.22 to 1.0.23. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](`5581e08a65...a627e9fa50`) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2021-11-18 01:17:19 +03:00
Lennart Poettering	fe60b860a6	Merge pull request #21421 from poettering/homed-recovery-pw homed: handle password changing for accounts that have recovery keys correctly	2021-11-17 21:55:31 +01:00
Luca Boccassi	b52b5763e7	hwdb: voidify call to mkdir_parents_label CID#1466060	2021-11-17 17:47:48 +00:00
Lennart Poettering	edde3a35b4	pam_systemd_home: prompt user for recovery key if homed asks for it For accoutns that have no passwords but only a recovery key homed might ask explicitly for that. Honour the request and ask the user for it.	2021-11-17 17:45:21 +01:00
Lennart Poettering	c7b6051f16	homectl: if homed asks for the recovery key to be supplied, query the user for it Fixes: #21103	2021-11-17 17:42:12 +01:00