mirror of
https://github.com/systemd/systemd
synced 2026-03-17 18:44:46 +01:00
Compare commits
No commits in common. "51df483846219c86e1e6c405f295a6b873084e0e" and "ffc36c276c47a9b3f21e83947090f11039628676" have entirely different histories.
51df483846
...
ffc36c276c
@ -156,24 +156,13 @@
|
||||
to 90s. A timeout of 0 waits indefinitely. </para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--echo=yes|no|masked</option></term>
|
||||
|
||||
<listitem><para>Controls whether to echo user input. Takes a boolean or the special string
|
||||
<literal>masked</literal>, the default being the latter. If enabled the typed characters are echoed
|
||||
literally, which is useful for prompting for usernames and other non-protected data. If disabled the
|
||||
typed characters are not echoed in any form, the user will not get feedback on their input. If set to
|
||||
<literal>masked</literal>, an asterisk (<literal>*</literal>) is echoed for each character
|
||||
typed. In this mode, if the user hits the tabulator key (<literal>↹</literal>), echo is turned
|
||||
off. (Alternatively, if the user hits the backspace key (<literal>⌫</literal>) while no data has
|
||||
been entered otherwise, echo is turned off, too).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--echo</option></term>
|
||||
<term><option>-e</option></term>
|
||||
|
||||
<listitem><para>Equivalent to <option>--echo=yes</option>, see above.</para></listitem>
|
||||
<listitem><para>Echo the user input instead of masking it.
|
||||
This is useful when using
|
||||
<filename>systemd-ask-password</filename> to query for
|
||||
usernames. </para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
@ -182,7 +171,7 @@
|
||||
<listitem><para>Controls whether or not to prefix the query with a
|
||||
lock and key emoji (🔐), if the TTY settings permit this. The default
|
||||
is <literal>auto</literal>, which defaults to <literal>yes</literal>,
|
||||
unless <option>--echo=yes</option> is given.</para></listitem>
|
||||
unless <option>--echo</option> is given.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
||||
@ -45,9 +45,7 @@ static int help(void) {
|
||||
" Credential name for LoadCredential=/SetCredential=\n"
|
||||
" credentials\n"
|
||||
" --timeout=SEC Timeout in seconds\n"
|
||||
" --echo=yes|no|masked\n"
|
||||
" Control whether to show password while typing (echo)\n"
|
||||
" -e --echo Equivalent to --echo=yes\n"
|
||||
" --echo Do not mask input (useful for usernames)\n"
|
||||
" --emoji=yes|no|auto\n"
|
||||
" Show a lock and key emoji\n"
|
||||
" --no-tty Ask question via agent even on TTY\n"
|
||||
@ -68,6 +66,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
enum {
|
||||
ARG_ICON = 0x100,
|
||||
ARG_TIMEOUT,
|
||||
ARG_ECHO,
|
||||
ARG_EMOJI,
|
||||
ARG_NO_TTY,
|
||||
ARG_ACCEPT_CACHED,
|
||||
@ -84,7 +83,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
{ "version", no_argument, NULL, ARG_VERSION },
|
||||
{ "icon", required_argument, NULL, ARG_ICON },
|
||||
{ "timeout", required_argument, NULL, ARG_TIMEOUT },
|
||||
{ "echo", optional_argument, NULL, 'e' },
|
||||
{ "echo", no_argument, NULL, ARG_ECHO },
|
||||
{ "emoji", required_argument, NULL, ARG_EMOJI },
|
||||
{ "no-tty", no_argument, NULL, ARG_NO_TTY },
|
||||
{ "accept-cached", no_argument, NULL, ARG_ACCEPT_CACHED },
|
||||
@ -97,14 +96,12 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
};
|
||||
|
||||
const char *emoji = NULL;
|
||||
int c, r;
|
||||
int c;
|
||||
|
||||
assert(argc >= 0);
|
||||
assert(argv);
|
||||
|
||||
/* Note the asymmetry: the long option --echo= allows an optional argument, the short option does
|
||||
* not. */
|
||||
while ((c = getopt_long(argc, argv, "+he", options, NULL)) >= 0)
|
||||
while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
|
||||
|
||||
switch (c) {
|
||||
|
||||
@ -119,30 +116,14 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
break;
|
||||
|
||||
case ARG_TIMEOUT:
|
||||
r = parse_sec(optarg, &arg_timeout);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse --timeout= parameter: %s", optarg);
|
||||
|
||||
if (parse_sec(optarg, &arg_timeout) < 0)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Failed to parse --timeout parameter %s",
|
||||
optarg);
|
||||
break;
|
||||
|
||||
case 'e':
|
||||
if (!optarg) {
|
||||
/* Short option -e is used, or no argument to long option --echo= */
|
||||
case ARG_ECHO:
|
||||
arg_flags |= ASK_PASSWORD_ECHO;
|
||||
arg_flags &= ~ASK_PASSWORD_SILENT;
|
||||
} else if (isempty(optarg) || streq(optarg, "masked"))
|
||||
/* Empty argument or explicit string "masked" for default behaviour. */
|
||||
arg_flags &= ~(ASK_PASSWORD_ECHO|ASK_PASSWORD_SILENT);
|
||||
else {
|
||||
bool b;
|
||||
|
||||
r = parse_boolean_argument("--echo=", optarg, &b);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SET_FLAG(arg_flags, ASK_PASSWORD_ECHO, b);
|
||||
SET_FLAG(arg_flags, ASK_PASSWORD_SILENT, !b);
|
||||
}
|
||||
break;
|
||||
|
||||
case ARG_EMOJI:
|
||||
@ -187,12 +168,12 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
if (isempty(emoji) || streq(emoji, "auto"))
|
||||
SET_FLAG(arg_flags, ASK_PASSWORD_HIDE_EMOJI, FLAGS_SET(arg_flags, ASK_PASSWORD_ECHO));
|
||||
else {
|
||||
int r;
|
||||
bool b;
|
||||
|
||||
r = parse_boolean_argument("--emoji=", emoji, &b);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
SET_FLAG(arg_flags, ASK_PASSWORD_HIDE_EMOJI, !b);
|
||||
}
|
||||
|
||||
@ -200,14 +181,6 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
arg_message = strv_join(argv + optind, " ");
|
||||
if (!arg_message)
|
||||
return log_oom();
|
||||
} else if (FLAGS_SET(arg_flags, ASK_PASSWORD_ECHO)) {
|
||||
/* By default ask_password_auto() will query with the string "Password: ", which is not right
|
||||
* when full echo is on, since then it's unlikely a password. Let's hence default to a less
|
||||
* confusing string in that case. */
|
||||
|
||||
arg_message = strdup("Input:");
|
||||
if (!arg_message)
|
||||
return log_oom();
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
||||
@ -159,15 +159,9 @@ static void test_drop_privileges_fail(void) {
|
||||
}
|
||||
|
||||
static void test_drop_privileges(void) {
|
||||
fork_test(test_drop_privileges_fail);
|
||||
|
||||
if (have_effective_cap(CAP_NET_RAW) == 0) /* The remaining two tests only work if we have CAP_NET_RAW
|
||||
* in the first place. If we are run in some restricted
|
||||
* container environment we might not. */
|
||||
return;
|
||||
|
||||
fork_test(test_drop_privileges_keep_net_raw);
|
||||
fork_test(test_drop_privileges_dontkeep_net_raw);
|
||||
fork_test(test_drop_privileges_fail);
|
||||
}
|
||||
|
||||
static void test_have_effective_cap(void) {
|
||||
|
||||
@ -22,7 +22,7 @@
|
||||
#include "tests.h"
|
||||
|
||||
static int here = 0, here2 = 0, here3 = 0;
|
||||
static void *ignore_stdout_args[] = { &here, &here2, &here3 };
|
||||
void *ignore_stdout_args[] = {&here, &here2, &here3};
|
||||
|
||||
/* noop handlers, just check that arguments are passed correctly */
|
||||
static int ignore_stdout_func(int fd, void *arg) {
|
||||
|
||||
@ -924,8 +924,8 @@ int main(int argc, char *argv[]) {
|
||||
can_unshare = have_namespaces();
|
||||
|
||||
/* It is needed otherwise cgroup creation fails */
|
||||
if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0)
|
||||
return log_tests_skipped("not privileged");
|
||||
if (getuid() != 0)
|
||||
return log_tests_skipped("not root");
|
||||
|
||||
r = enter_cgroup_subroot(NULL);
|
||||
if (r == -ENOMEDIUM)
|
||||
|
||||
@ -4,7 +4,6 @@
|
||||
#include <sys/statvfs.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "capability-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
#include "mount-util.h"
|
||||
@ -76,8 +75,8 @@ static void test_bind_remount_recursive(void) {
|
||||
_cleanup_free_ char *subdir = NULL;
|
||||
const char *p;
|
||||
|
||||
if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0) {
|
||||
(void) log_tests_skipped("not running privileged");
|
||||
if (geteuid() != 0) {
|
||||
(void) log_tests_skipped("not running as root");
|
||||
return;
|
||||
}
|
||||
|
||||
@ -129,8 +128,8 @@ static void test_bind_remount_recursive(void) {
|
||||
static void test_bind_remount_one(void) {
|
||||
pid_t pid;
|
||||
|
||||
if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0) {
|
||||
(void) log_tests_skipped("not running privileged");
|
||||
if (geteuid() != 0) {
|
||||
(void) log_tests_skipped("not running as root");
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
@ -15,7 +15,6 @@
|
||||
#endif
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "capability-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
#include "macro.h"
|
||||
@ -42,10 +41,6 @@
|
||||
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
|
||||
#endif
|
||||
|
||||
static bool have_seccomp_privs(void) {
|
||||
return geteuid() == 0 && have_effective_cap(CAP_SYS_ADMIN) > 0; /* If we are root but CAP_SYS_ADMIN we can't do caps (unless we also do NNP) */
|
||||
}
|
||||
|
||||
static void test_parse_syscall_and_errno(void) {
|
||||
_cleanup_free_ char *n = NULL;
|
||||
int e;
|
||||
@ -173,8 +168,8 @@ static void test_filter_sets(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -308,8 +303,8 @@ static void test_restrict_namespace(void) {
|
||||
log_notice("Seccomp not available, skipping remaining tests in %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping remaining tests in %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping remaining tests in %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -378,8 +373,8 @@ static void test_protect_sysctl(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -431,8 +426,8 @@ static void test_protect_syslog(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -473,8 +468,8 @@ static void test_restrict_address_families(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -562,8 +557,8 @@ static void test_restrict_realtime(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -609,8 +604,8 @@ static void test_memory_deny_write_execute_mmap(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
#if HAVE_VALGRIND_VALGRIND_H
|
||||
@ -679,8 +674,8 @@ static void test_memory_deny_write_execute_shmat(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
#if HAVE_VALGRIND_VALGRIND_H
|
||||
@ -744,8 +739,8 @@ static void test_restrict_archs(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -784,8 +779,8 @@ static void test_load_syscall_filter_set_raw(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -882,8 +877,8 @@ static void test_lock_personality(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -946,8 +941,8 @@ static void test_restrict_suid_sgid(void) {
|
||||
log_notice("Seccomp not available, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
if (!have_seccomp_privs()) {
|
||||
log_notice("Not privileged, skipping %s", __func__);
|
||||
if (geteuid() != 0) {
|
||||
log_notice("Not root, skipping %s", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user