Compare commits

...

4 Commits

Author SHA1 Message Date
Lennart Poettering 562ffaca26 man: extend documentation of the suspend= switch of pam_systemd_home
As suggested on #15343.

Fixes: #15343
2020-04-10 16:15:23 +02:00
Lennart Poettering 5a3033321a docs: add brief document how to convert home directories to homed 2020-04-10 15:57:29 +02:00
nerdopolis fa2cf64a91 login: Fix incorrect reporting of CanMultiSession=no on non-seat0 seats 2020-04-10 14:22:27 +02:00
Vito Caputo df91e319a9 bus: add sd_bus_message_new_method_call() helper
adds BusLocator variant called bus_message_new_method_call()
2020-04-10 11:30:05 +02:00
5 changed files with 172 additions and 3 deletions

135
docs/CONVERTING_TO_HOMED.md Normal file
View File

@ -0,0 +1,135 @@
---
title: Converting Existing Users to systemd-homed
category: Interfaces
layout: default
---
# Converting Existing Users to systemd-homed managed Users
Traditionally on most Linux distributions, regular (human) users are managed
via entries in `/etc/passwd`, `/etc/shadow`, `/etc/group` and
`/etc/gshadow`. With the advent of
[`systemd-homed`](https://www.freedesktop.org/software/systemd/man/systemd-homed.service.html)
it might be desirable to convert an existing, traditional user account to a
`systemd-homed` managed one. Below is a brief guide how to do that.
Before continuing, please read up on these basic concepts:
* [Home Directories](https://systemd.io/HOME_DIRECTORY)
* [JSON User Records](https://systemd.io/USER_RECORD)
* [JSON Group Records](https://systemd.io/GROUP_RECORD)
* [User/Group Record Lookup API via Varlink](https://systemd.io/USER_GROUP_API)
## Caveat
This is a manual process, and possibly a bit fragile. Hence, do this at your
own risk, read up beforehand, and make a backup first. You know what's at
stake: your own home directory, i.e. all your personal data.
## Step-By-Step
Here's the step-by-step guide:
0. Preparations: make sure you run a distribution that has `systemd-homed`
enabled and properly set up, including the necessary PAM and NSS
configuration updates. Make sure you have enough disk space in `/home/` for
a (temporary) second copy of your home directory. Make sure to backup your
home directory. Make sure to log out of your user account fully. Then log in
as root on the console.
1. Rename your existing home directory to something safe. Let's say your user
ID is `foobar`. Then do:
```
mv /home/foobar /home/foobar.saved
```
2. Have a look at your existing user record, as stored in `/etc/passwd` and
related files. We want to use the same data for the new record, hence it's good
looking at the old data. Use commands such as:
```
getent passwd foobar
getent shadow foobar
```
This will tell you the `/etc/passwd` and `/etc/shadow` entries for your
user. For details about the fields, see the respective man pages
[passwd(5)](http://man7.org/linux/man-pages/man5/passwd.5.html) and
[shadow(5)](http://man7.org/linux/man-pages/man5/shadow.5.html).
The fourth field in the `getent passwd foobar` output tells you the GID of
your user's main group. Depending on your distribution it's a group private
to the user, or a group shared by most local, regular users. Let's say the
GID reported is 1000, let's then query its details:
```
getent group 1000
```
This will tell you the name of that group. If the name is the same as your
user name your distribution apparently provided you with a private group for
your user. If it doesn't match (and is something like `users`) it apparently
didn't. Note that `systemd-homed` will always manage a private group for
each user under the same name, hence if your distribution is one of the
latter kind, then there's a (minor) mismatch in structure when converting.
Save the information reported by these three commands somewhere, for later
reference.
3. Now edit your `/etc/passwd` file and remove your existing record
(i.e. delete a single line, the one of your user's account, leaving all
other lines unmodified). Similar for `/etc/shadow`, `/etc/group` (in case
you have a private group for your user) and `/etc/gshadow`. Most
distributions provide you with a tool for that, that adds safe
synchronization for these changes: `vipw`, `vipw -s`, `vigr` and `vigr -s`.
4. At this point the old user account vanished, while the home directory still
exists safely under the `/home/foobar.saved` name. Let's now create a new
account with `systemd-homed`, using the same username and UID as before:
```
homectl create foobar --uid=$UID --real-name=$GECOS
```
In this command line, replace `$UID` by the UID you previously used,
i.e. the third field of the `getent passwd foobar` output above. Similar,
replace `$GECOS` by the GECOS field of your old account, i.e the fifth field
of the old output. If your distribution traditionally does not assign a
private group to regular user groups, then consider adding `--member-of=`
with the group name to get a modicum of compatibility with the status quo
ante: this way your new user account will still not have the old primary
group as new primary group, but will have it as auxiliary group.
Consider reading through the
[homectl(1)](https://www.freedesktop.org/software/systemd/man/homectl.html)
manual page at this point, maybe there are a couple of other settings you
want to set for your new account. In particular, look at `--storage=` and
`--disk-size=`, in order to change how your home directory shall be stored
(the default `luks` storage is recommended).
5. Your new user account exists now, but it has an empty home directory. Let's
now migrate your old home directory into it. For that let's mount the new
home directory temporarily and copy the data in.
```
homectl with foobar -- rsync -aHAXv --delete-during /home/foobar.saved/ .
```
This mounts the home directory of the user, and then runs the specified
`rsync` command which copies the contents of the old home directory into the
new. The new home directory is the working directory of the invoked `rsync`
process. We are invoking this command as root, hence the `rsync` runs as
root too. When the `rsync` command completes the home directory is
automatically unmounted again. Since we used `--delete-during` all files
copied are removed from the old home directory as the copy progresses. After
the command completes the old home directory should be empty. Let's remove
it hence:
```
rmdir /home/foobar.saved
```
And that's it, we are done already. You can log out now and should be able to
log in under your user account as usual, but now with `systemd-homed` managing
your home directory.

View File

@ -51,8 +51,29 @@
coming back from suspend. It is recommended to set this parameter for all PAM applications that have coming back from suspend. It is recommended to set this parameter for all PAM applications that have
support for automatically re-authenticating via PAM on system resume. If multiple sessions of the support for automatically re-authenticating via PAM on system resume. If multiple sessions of the
same user are open in parallel the user's home directory will be left unsuspended on system suspend same user are open in parallel the user's home directory will be left unsuspended on system suspend
as long as at least one of the sessions does not set this parameter. Defaults to as long as at least one of the sessions does not set this parameter to on. Defaults to
off.</para></listitem> off.</para>
<para>Note that TTY logins generally do not support re-authentication on system resume.
Re-authentication on system resume is primarily a concept implementable in graphical environments, in
the form of lock screens brought up automatically when the system goes to sleep. This means that if a
user concurrently uses graphical login sessions that implement the required re-authentication
mechanism and console logins that do not, the home directory is not locked during suspend, due to the
logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the
fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY
sessions will appear hung until the user logs in on another virtual terminal (regardless if via
another TTY session or graphically) which will resume the home directory and unblock the original TTY
session. (Do note that lack of screen locking on TTY sessions means even though the TTY session
appears hung, keypresses can still be queued into it, and the existing screen contents be read
without re-authentication; this limitation is unrelated to the home directory management
<command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para>
<para>Turning this option on by default is highly recommended for all sessions, but only if the
service managing these sessions correctly implements the aforementioned re-authentication. Note that
the re-authentication must take place from a component runing outside of the user's context, so that
it does not require access to the user's home directory for operation. Traditionally, most desktop
environments do not implement screen locking this way, and need to be updated
accordingly.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>

View File

@ -561,7 +561,8 @@ bool seat_is_seat0(Seat *s) {
bool seat_can_multi_session(Seat *s) { bool seat_can_multi_session(Seat *s) {
assert(s); assert(s);
return seat_has_vts(s); /* multiple sessions are supported on all seats now */
return true;
} }
bool seat_can_tty(Seat *s) { bool seat_can_tty(Seat *s) {

View File

@ -1538,3 +1538,14 @@ int bus_match_signal_async(
return sd_bus_match_signal_async(bus, ret, locator->destination, locator->path, locator->interface, member, callback, install_callback, userdata); return sd_bus_match_signal_async(bus, ret, locator->destination, locator->path, locator->interface, member, callback, install_callback, userdata);
} }
int bus_message_new_method_call(
sd_bus *bus,
sd_bus_message **m,
const BusLocator *locator,
const char *member) {
assert(locator);
return sd_bus_message_new_method_call(bus, m, locator->destination, locator->path, locator->interface, member);
}

View File

@ -198,3 +198,4 @@ int bus_get_property_strv(sd_bus *bus, const BusLocator *locator, const char *me
int bus_set_property(sd_bus *bus, const BusLocator *locator, const char *member, sd_bus_error *error, const char *type, ...); int bus_set_property(sd_bus *bus, const BusLocator *locator, const char *member, sd_bus_error *error, const char *type, ...);
int bus_match_signal(sd_bus *bus, sd_bus_slot **ret, const BusLocator *locator, const char *member, sd_bus_message_handler_t callback, void *userdata); int bus_match_signal(sd_bus *bus, sd_bus_slot **ret, const BusLocator *locator, const char *member, sd_bus_message_handler_t callback, void *userdata);
int bus_match_signal_async(sd_bus *bus, sd_bus_slot **ret, const BusLocator *locator, const char *member, sd_bus_message_handler_t callback, sd_bus_message_handler_t install_callback, void *userdata); int bus_match_signal_async(sd_bus *bus, sd_bus_slot **ret, const BusLocator *locator, const char *member, sd_bus_message_handler_t callback, sd_bus_message_handler_t install_callback, void *userdata);
int bus_message_new_method_call(sd_bus *bus, sd_bus_message **m, const BusLocator *locator, const char *member);