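#!/usr/bin/env bash
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# KWallet setup into the encrypted data directory
#
# KWallet stores the passwords of most KDE applications (Nextcloud client, Talk app, ...).
# By default KWallet protects the wallet file with its own password: that makes logon
# interactive and annoys the user. Worse, on first logon the wallet is created with the
# user's current (domain) password; once that password changes on the domain, the next
# logon asks for the OLD password, and if that is lost every application that needs a
# stored password breaks.
# Instead the wallet is kept without a separate password, but stored in the encrypted
# data directory (protected by the domain encryption) and bind-mounted into the place
# where kwalletd expects it.
#
# The script checks that the wallet file can be used without a password and that it is
# located in the encrypted directory; otherwise it sets the wallet up there from the
# shipped template and makes it usable.
#
# Environment expected from the caller (only partially validated here):
#   DAVTOKEN_USER     marker that the prepared environment is present
#   SUDO_USER         the desktop user this runs for (set by sudo)
#   SUDO_HOME         that user's home directory
#   DECRYPTEDDATADIR  the unlocked encrypted data directory
#
# The script uses bash constructs ([[ ]], ==), so it is declared as bash. Under a plain
# POSIX sh $EUID is unset and the former root check silently passed, which is why the
# check below uses id -u instead.
echo "Setup KWallet Password- Service."
# Check for root. Everything below (mount, chown, su) needs it.
if [ "$(id -u)" -ne 0 ]; then
  echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo." >&2
  exit 1
fi
# Check token: DAVTOKEN_USER is set by the calling environment, never by this script.
if [ -z "${DAVTOKEN_USER:-}" ]; then
  echo "Error: Script cannot be executed standalone and needs a prereserved Environment. Quit." >&2
  exit 1
fi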
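# Local Vars
# (The former commented-out SYNCCMD lines were dropped: they placed DAVTOKEN_PASS on a
# command line, which is visible to every local user via ps. If that sync is revived,
# hand the secret over via environment or stdin instead.)
#
# Abort early when the caller-provided locations are missing. With them empty the
# cleanup steps below would otherwise hit paths directly under / ("/kwallet",
# "/.local/share/kwalletd").
: "${SUDO_USER:?Error: SUDO_USER is not set, run this script via sudo.}"
: "${SUDO_HOME:?Error: SUDO_HOME is not provided by the calling environment.}"
: "${DECRYPTEDDATADIR:?Error: DECRYPTEDDATADIR is not provided by the calling environment.}"
readonly WALLETNAME="kdewallet"
readonly WALLETFILE="${WALLETNAME}.kwl"
# Where the wallet really lives (inside the encrypted data directory) ...
readonly WALLETPATH="${DECRYPTEDDATADIR}/kwallet"
# ... and where kwalletd looks for it; the former is bind-mounted onto the latter below.
readonly WALLETPATH_CFG="${SUDO_HOME}/.local/share/kwalletd"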
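# Stop the wallet stack of the user before the bind mount is changed below, so that no
# process keeps the wallet directory busy. As before, a kwalletd6 that is not running is
# treated as an error: the setup only makes sense inside a running session.

# stop_user_process NAME
# Sends SIGTERM to every process of $SUDO_USER matching NAME and waits up to ~5 s for
# them to disappear instead of sleeping a fixed time.
# Returns 0 once none are left (also when there was nothing to stop), 1 on timeout.
stop_user_process() {
  _name=$1
  _pids=$(pgrep -u "$SUDO_USER" "$_name") || return 0
  echo "Stopping ${_name} with PID $(printf '%s' "$_pids" | tr '\n' ' ')"
  # A process that exits between pgrep and kill makes kill fail; the loop below decides.
  # shellcheck disable=SC2086 -- newline-separated PID list, word splitting is intended
  kill $_pids 2>/dev/null
  _tries=0
  while pgrep -u "$SUDO_USER" "$_name" >/dev/null 2>&1; do
    _tries=$((_tries + 1))
    if [ "$_tries" -ge 50 ]; then
      return 1
    fi
    sleep 0.1
  done
  return 0
}

if ! wallet_pid=$(pgrep -u "$SUDO_USER" kwalletd6); then
  echo "Service kwalletd6 not found to be stopped. Please check why." >&2
  exit 1
fi
# The manager and ksecretd use the daemon; stop them before the daemon itself.
for _svc in kwalletmanager5 ksecretd; do
  if ! stop_user_process "$_svc"; then
    echo "Service could not be stopped, please check why." >&2
    exit 1
  fi
done
if ! stop_user_process kwalletd6; then
  echo "Kwallet Service could not be stopped, please check why." >&2
  exit 1
fi
echo "Service kwalletd6 (${wallet_pid}) was stopped too."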
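# Setup the wallet directory inside the encrypted data directory.
# Verify that the encrypted directory is actually present first: a bare mkdir -p would
# otherwise silently create a plain-text "kwallet" tree under a not (yet) mounted path,
# defeating the whole point of keeping the wallet encrypted.
if [ ! -d "${DECRYPTEDDATADIR:-}" ]; then
  echo "Error: encrypted data directory '${DECRYPTEDDATADIR:-}' is not available. Quit." >&2
  exit 1
fi
# Refuse a symlink here: root removes, chowns and later bind-mounts this path.
if [ -L "$WALLETPATH" ]; then
  echo "Error: ${WALLETPATH} is a symbolic link, refusing to use it." >&2
  exit 1
fi
mkdir -p -- "$WALLETPATH"
# The template wallet files live next to this script (the qbus helper used further
# below is located the same way), so the copy does not depend on the caller's cwd.
template_dir=$(dirname -- "$0")
# Check if the wallet is already set up in the encrypted dir; if not, copy our empty default wallet to it.
if [ ! -f "${WALLETPATH}/${WALLETFILE}" ]; then
  echo "Wallet ${WALLETNAME} was not found, setting it up from scratch."
  rm -f -- "${WALLETPATH:?}"/*
  if ! cp -- "${template_dir}/${WALLETNAME}".* "${WALLETPATH}/"; then
    echo "Error: Copy of files for Wallet ${WALLETNAME} failed." >&2
    exit 1
  fi
else
  echo "Will use existing encrypted Wallet in ${WALLETPATH}/${WALLETFILE}"
fi
# Only the user may access the wallet; "user:" sets the group to the user's login group
# instead of assuming a group with the same name exists. X keeps directories traversable.
chown -R -- "${SUDO_USER}:" "$WALLETPATH"
chmod -R u=rwX,og-rwx -- "$WALLETPATH"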
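# The following steps act as root on paths inside the user's home. The user can place
# symlinks there, so every target is checked to be a real directory that resolves inside
# the home and is owned by the user before root unmounts or mounts anything on it.
# Writes into the home are done as the user, not as root, so a planted symlink can only
# reach files the user may write anyway. (A check-then-act window remains for the mount
# itself; it is narrowed, not eliminated.)
user_uid=$(id -u "$SUDO_USER") || exit 1
home_real=$(realpath -e -- "${SUDO_HOME:?}") || exit 1

# assert_user_dir PATH
# Exits unless PATH is an existing directory, not a symlink itself, resolves to a
# location below the user's home and is owned by the user.
assert_user_dir() {
  _dir=$1
  _real=$(realpath -e -- "$_dir" 2>/dev/null) || _real=""
  case $_real in
    "$home_real"/*) ;;
    *)
      echo "Error: ${_dir} is missing or does not resolve inside ${SUDO_HOME}. Refusing to touch it as root." >&2
      exit 1
      ;;
  esac
  if [ -L "$_dir" ] || [ ! -d "$_dir" ]; then
    echo "Error: ${_dir} must be a real directory (not a symbolic link). Refusing to touch it as root." >&2
    exit 1
  fi
  if [ "$(stat -c %u -- "$_dir")" != "$user_uid" ]; then
    echo "Error: ${_dir} is not owned by ${SUDO_USER}. Refusing to touch it as root." >&2
    exit 1
  fi
}

# Unmount (also stacked) earlier bind mounts to have free vision to the real directory.
# mountpoint replaces the former substring grep over /etc/mtab, which also matched
# unrelated mounts whose path merely contained ${WALLETPATH_CFG}.
assert_user_dir "$WALLETPATH_CFG"
while mountpoint -q "$WALLETPATH_CFG"; do
  echo "Umount of Wallet-Config ${WALLETPATH_CFG}"
  if ! umount "$WALLETPATH_CFG"; then
    echo "Error in unmount. Please check." >&2
    exit 1
  fi
done
# The underlying directory is visible only now; verify that one as well.
assert_user_dir "$WALLETPATH_CFG"
# With every new start of KDE the files are recreated in ${WALLETPATH_CFG} containing no
# passwords but encrypted with the current user password. We cannot use that wallet, so drop it.
su -s /bin/sh -c 'rm -f -- "$1"/*.*' "$SUDO_USER" sh "$WALLETPATH_CFG"
# Always restore the configuration with the shipped default. The destination is the
# user's config dir (SUDO_HOME, like the wallet dir above); under sudo $HOME is normally
# root's home, which the former cp+chown targeted. Written as the user with umask 077
# (u=rw,og-rwx), so no chown is needed and a symlink at the destination cannot redirect
# a root write elsewhere.
config_dir="${SUDO_HOME}/.config"
assert_user_dir "$config_dir"
if ! su -s /bin/sh -c 'umask 077 && rm -f -- "$1" && cat > "$1"' "$SUDO_USER" sh "${config_dir}/kwalletrc" < "$(dirname -- "$0")/kwalletrc"; then
  echo "Error: could not write ${config_dir}/kwalletrc." >&2
  exit 1
fi
# Bind mount the secure folder onto the wallet directory
echo "Mounting secure ${WALLETPATH} to wallet-directory ${WALLETPATH_CFG}"
if ! mount --bind "$WALLETPATH" "$WALLETPATH_CFG"; then
  echo "Error bind mounting secure Files to Wallet. Please check what went wrong." >&2
  exit 1
fi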
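# run_wallet_helper ARGS...
# Runs the sibling qbus_wallet_exec.sh as the desktop user. The script path and the
# arguments are handed over positionally instead of being spliced into a shell command
# string, so paths with spaces or shell metacharacters are not re-parsed.
helper_script="$(dirname -- "$0")/qbus_wallet_exec.sh"
run_wallet_helper() {
  su -s /bin/sh -c 'exec "$@"' "$SUDO_USER" sh "$helper_script" "$@"
}

# Restart the service for the user, detached from this script.
# NOTE(review): the daemon inherits this root-side environment; whatever the user's
# session bus needs is expected from the calling environment and is not verified here.
su -s /bin/sh -c 'nohup kwalletd6 >/dev/null 2>&1 &' "$SUDO_USER"
sleep 1
# Check if kwalletd is enabled now. A failing helper is mapped to an empty result on
# purpose and reported below together with whatever it printed.
QB_RESULT=$(run_wallet_helper isEnabled 2>/dev/null || true)
if [ "$QB_RESULT" != "true" ]; then
  echo "Error checking if kWallet service is activated. Cannot continue. Return of Check was:" >&2
  echo "$QB_RESULT" >&2
  exit 1
fi
# It should be possible to open the wallet without having to enter the password now.
echo "Checking if Wallet can be opened by the user. The Program should not ask for a password, maybe for confirmation to access the wallet which is ok."
echo "Please check to NOT have any Password asked now - if so, open kwalletmanager and change the password for wallet ${WALLETNAME} to nothing (by entering nothing when asked for new password)!"
readonly WALLETAPPID="sys_config_wallet_script"
if ! QB_RESULT=$(run_wallet_helper open "$WALLETNAME" 0 "$WALLETAPPID"); then
  echo "Some Error opening Wallet ${WALLETNAME}. Please check." >&2
  exit 1
fi
echo "Sucessfully opened Wallet ${WALLETNAME} with ID ${QB_RESULT}."
exit 0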