.github/workflows/codeql-analysis.yml

@@ -38,14 +38,14 @@ jobs:
       uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@a627e9fa504113bfa8e90a9b429b157a38b1cdbd
+      uses: github/codeql-action/init@5581e08a65fc3811c3ac78939dd59e7a8adbf003
       with:
         languages: ${{ matrix.language }}
 
     - run: sudo -E .github/workflows/unit_tests.sh SETUP
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@a627e9fa504113bfa8e90a9b429b157a38b1cdbd
+      uses: github/codeql-action/autobuild@5581e08a65fc3811c3ac78939dd59e7a8adbf003
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@a627e9fa504113bfa8e90a9b429b157a38b1cdbd
+      uses: github/codeql-action/analyze@5581e08a65fc3811c3ac78939dd59e7a8adbf003

src/home/homectl.c

@@ -255,63 +255,6 @@ static int acquire_existing_password(
         return 1;
 }
 
-static int acquire_recovery_key(
-                const char *user_name,
-                UserRecord *hr,
-                AskPasswordFlags flags) {
-
-        _cleanup_(strv_free_erasep) char **recovery_key = NULL;
-        _cleanup_free_ char *question = NULL;
-        char *e;
-        int r;
-
-        assert(user_name);
-        assert(hr);
-
-        e = getenv("RECOVERY_KEY");
-        if (e) {
-                /* People really shouldn't use environment variables for passing secrets. We support this
-                 * only for testing purposes, and do not document the behaviour, so that people won't
-                 * actually use this outside of testing. */
-
-                r = user_record_set_password(hr, STRV_MAKE(e), true); /* recovery keys are stored in the record exactly like regular passwords! */
-                if (r < 0)
-                        return log_error_errno(r, "Failed to store recovery key: %m");
-
-                assert_se(unsetenv_erase("RECOVERY_KEY") >= 0);
-                return 1;
-        }
-
-        /* If this is not our own user, then don't use the password cache */
-        if (is_this_me(user_name) <= 0)
-                SET_FLAG(flags, ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE, false);
-
-        if (asprintf(&question, "Please enter recovery key for user %s:", user_name) < 0)
-                return log_oom();
-
-        r = ask_password_auto(question,
-                              /* icon= */ "user-home",
-                              NULL,
-                              /* key_name= */ "home-recovery-key",
-                              /* credential_name= */ "home.recovery-key",
-                              USEC_INFINITY,
-                              flags,
-                              &recovery_key);
-        if (r == -EUNATCH) { /* EUNATCH is returned if no recovery key was found and asking interactively was
-                              * disabled via the flags. Not an error for us. */
-                log_debug_errno(r, "No recovery keys acquired.");
-                return 0;
-        }
-        if (r < 0)
-                return log_error_errno(r, "Failed to acquire recovery keys: %m");
-
-        r = user_record_set_password(hr, recovery_key, true);
-        if (r < 0)
-                return log_error_errno(r, "Failed to store recovery keys: %m");
-
-        return 1;
-}
-
 static int acquire_token_pin(
                 const char *user_name,
                 UserRecord *hr,
@@ -400,20 +343,6 @@ static int handle_generic_user_record_error(
                 if (r < 0)
                         return r;
 
-        } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_RECOVERY_KEY)) {
-
-                if (!strv_isempty(hr->password))
-                        log_notice("Recovery key incorrect or not sufficient, please try again.");
-
-                /* Don't consume cache entries or credentials here, we already tried that unsuccessfully. But
-                 * let's push what we acquire here into the cache */
-                r = acquire_recovery_key(
-                                user_name,
-                                hr,
-                                ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_NO_CREDENTIAL);
-                if (r < 0)
-                        return r;
-
         } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) {
 
                 if (strv_isempty(hr->password))
@@ -540,13 +469,6 @@ static int acquire_passed_secrets(const char *user_name, UserRecord **ret) {
         if (r < 0)
                 return r;
 
-        r = acquire_recovery_key(
-                        user_name,
-                        secret,
-                        ASK_PASSWORD_ACCEPT_CACHED | ASK_PASSWORD_NO_TTY | ASK_PASSWORD_NO_AGENT);
-        if (r < 0)
-                return r;
-
         *ret = TAKE_PTR(secret);
         return 0;
 }

src/home/pam_systemd_home.c

@@ -324,33 +324,6 @@ static int handle_generic_user_record_error(
                         return PAM_SERVICE_ERR;
                 }
 
-        } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_RECOVERY_KEY)) {
-                _cleanup_(erase_and_freep) char *newp = NULL;
-
-                assert(secret);
-
-                /* Hmm, homed asks for recovery key (because no regular password is defined maybe)? Provide it. */
-
-                if (strv_isempty(secret->password))
-                        r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Recovery key: ");
-                else {
-                        (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Password/recovery key incorrect or not sufficient for authentication of user %s.", user_name);
-                        r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, reenter recovery key: ");
-                }
-                if (r != PAM_SUCCESS)
-                        return PAM_CONV_ERR; /* no logging here */
-
-                if (isempty(newp)) {
-                        pam_syslog(handle, LOG_DEBUG, "Recovery key request aborted.");
-                        return PAM_AUTHTOK_ERR;
-                }
-
-                r = user_record_set_password(secret, STRV_MAKE(newp), true);
-                if (r < 0) {
-                        pam_syslog(handle, LOG_ERR, "Failed to store recovery key: %s", strerror_safe(r));
-                        return PAM_SERVICE_ERR;
-                }
-
         } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) {
                 _cleanup_(erase_and_freep) char *newp = NULL;
 

src/shared/hwdb-util.c

@@ -639,7 +639,7 @@ int hwdb_update(const char *root, const char *hwdb_bin_dir, bool strict, bool co
         if (!hwdb_bin)
                 return -ENOMEM;
 
-        (void) mkdir_parents_label(hwdb_bin, 0755);
+        mkdir_parents_label(hwdb_bin, 0755);
         err = trie_store(trie, hwdb_bin, compat);
         if (err < 0)
                 return log_error_errno(err, "Failed to write database %s: %m", hwdb_bin);