diff --git a/man/systemd-ask-password.xml b/man/systemd-ask-password.xml
index 91bc6f7366..fc005abed6 100644
--- a/man/systemd-ask-password.xml
+++ b/man/systemd-ask-password.xml
@@ -30,26 +30,22 @@
Description
- systemd-ask-password may be used to query
- a system password or passphrase from the user, using a question
- message specified on the command line. When run from a TTY it will
- query a password on the TTY and print it to standard output. When
- run with no TTY or with it will use the
- system-wide query mechanism, which allows active users to respond via
- several agents, listed below.
+ systemd-ask-password may be used to query a password or passphrase interactively
+ from the user, using a question prompt specified on the command line. When run from a TTY it will query a
+ password on the TTY and print it to standard output. When run with no TTY or with
+ it will use a system-wide or per-user agent-based query mechanism, which allows
+ active users to respond via several agents, listed below.
- The purpose of this tool is to query system-wide passwords
- — that is passwords not attached to a specific user account.
- Examples include: unlocking encrypted hard disks when they are
- plugged in or at boot, entering an SSL certificate passphrase for
- web and VPN servers.
+ The purpose of this tool is to query system-wide or per-user passwords — the former includes
+ passwords possibly not associated to a specific user account. Examples include: unlocking encrypted hard
+ disks when they are plugged in or at boot, entering an SSL certificate passphrase for web and VPN
+ servers.
- Existing agents are:
+ Existing system-level agents are:
- A boot-time password agent asking the user for
- passwords using
- plymouth8,
+ A boot-time password agent asking the user for passwords using plymouth8,
A boot-time password agent querying the user
@@ -77,17 +73,15 @@
all the agents listed above (except for the last one), run as privileged
system services. The last one also needs elevated privileges, so
should be run through
- sudo8
+ run01
or similar.
- Additional password agents may be implemented according to
- the systemd Password Agent
- Specification.
+ Additional password agents may be implemented according to the systemd Password Agent Specification.If a password is queried on a TTY, the user may press TAB to
hide the asterisks normally shown for each character typed.
Pressing Backspace as first key achieves the same effect.
-
@@ -241,6 +235,17 @@
+
+
+
+
+ Controls whether to query the system-wide or the per-user password agents. By default
+ if invoked privileged the system-wide agents are queried, otherwise the per-user ones. These options
+ allow to override this automatic behaviour.
+
+
+
+
diff --git a/src/ask-password/ask-password.c b/src/ask-password/ask-password.c
index b2c8ef7003..59eb7acddd 100644
--- a/src/ask-password/ask-password.c
+++ b/src/ask-password/ask-password.c
@@ -38,7 +38,7 @@ static int help(void) {
return log_oom();
printf("%1$s [OPTIONS...] MESSAGE\n\n"
- "%3$sQuery the user for a system passphrase, via the TTY or a UI agent.%4$s\n\n"
+ "%3$sQuery the user for a passphrase, via the TTY or a UI agent.%4$s\n\n"
" -h --help Show this help\n"
" --icon=NAME Icon name\n"
" --id=ID Query identifier (e.g. \"cryptsetup:/dev/sda5\")\n"
@@ -58,6 +58,8 @@ static int help(void) {
" --no-output Do not print password to standard output\n"
" -n Do not suffix password written to standard output with\n"
" newline\n"
+ " --user Ask only our own user's agents\n"
+ " --system Ask agents of the system and of all users\n"
"\nSee the %2$s for details.\n",
program_invocation_short_name,
link,
@@ -81,6 +83,8 @@ static int parse_argv(int argc, char *argv[]) {
ARG_NO_OUTPUT,
ARG_VERSION,
ARG_CREDENTIAL,
+ ARG_USER,
+ ARG_SYSTEM,
};
static const struct option options[] = {
@@ -97,6 +101,8 @@ static int parse_argv(int argc, char *argv[]) {
{ "keyname", required_argument, NULL, ARG_KEYNAME },
{ "no-output", no_argument, NULL, ARG_NO_OUTPUT },
{ "credential", required_argument, NULL, ARG_CREDENTIAL },
+ { "user", no_argument, NULL, ARG_USER },
+ { "system", no_argument, NULL, ARG_SYSTEM },
{}
};
@@ -183,6 +189,14 @@ static int parse_argv(int argc, char *argv[]) {
arg_credential_name = optarg;
break;
+ case ARG_USER:
+ arg_flags |= ASK_PASSWORD_USER;
+ break;
+
+ case ARG_SYSTEM:
+ arg_flags &= ~ASK_PASSWORD_USER;
+ break;
+
case 'n':
arg_newline = false;
break;
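Review bot: The new `case ARG_USER:` / `case ARG_SYSTEM:` arms give no hint that the bit they touch is already populated when parse_argv() runs: the run() hunk further down seeds ASK_PASSWORD_USER from `geteuid() != 0` before calling parse_argv(), so these options are overrides of that default, and because each arm only sets or clears the same flag, the last of `--user`/`--system` on the command line wins silently with no conflict diagnostic. That matches the man page text in this commit ("allow to override this automatic behaviour"), but a reader of parse_argv() alone cannot see it; a comment above `case ARG_USER:` such as `/* Both override the geteuid()-based default that run() seeds before parse_argv(); the last one given wins. */` would make both facts explicit. parse_argv() starts and ends outside this hunk.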
@@ -228,6 +242,9 @@ static int run(int argc, char *argv[]) {
log_setup();
+ /* Unprivileged? Then imply ASK_PASSWORD_USER by default */
+ SET_FLAG(arg_flags, ASK_PASSWORD_USER, geteuid() != 0);
+
r = parse_argv(argc, argv);
if (r <= 0)
return r;