KWallet-Service Setup introduced

2026-03-29 12:39:36 +02:00
parent 0067c7ebfd
commit 670f21526c
7 changed files with 176 additions and 4 deletions
@@ -0,0 +1,109 @@
 #!/usr/bin/env sh
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
 # Kwallet Setup to Secure Directory
 #
 # Kwallet will be used for storing passwords for most KDE- Applications, like for Nextcloud- Client, Talk app and many more.
 # Usually Kwallet will ask for a password to have good security in your encrypted file, but this will make Logon non Interactive and is annoying for the user.
 # Or, even worse, the first time you logon, the wallet will be created with your current password. But when it changes on the Domain, after new logon you will be asked
 # and you must enter the OLD password, breaking all apps, that are needing password if the old password was lost. This is a very bad situation.
 # Instead we will check to have the Passwords opened without a seperate password set, but to have them encrypted at a secure place by the domain-encryption.
 #
 # Basically, this script checks, if the Walletfile can be used without password and if it is located in the encrypted directory for security.
 # Otherwise it will setup a the Walletfile into the encrypted Data-Directory and make it useable.
 #
 echo "Setup KWallet Password- Service."
 #Check for root
 if [ "$EUID" -ne 0 ]; then
    echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
    exit 1
 fi
 #Check Token
 if [ "${DAVTOKEN_USER}." == "." ]; then
    echo "Error: Script cannot be executed standalone and needs a prereserved Environment. Quit."
    exit 1
 fi
 #Local Vars
 #SYNCCMD="$BASECMD --userid ${DAVTOKEN_USER} --apppassword ${DAVTOKEN_PASS} --localdirpath ${CLIENT_DATA_DST} --remotedirpath ${CLIENT_DATA_SRC} --serverurl https://${SERVERFQDN_NC}"
 #SYNCCMD_HIDDENPW=$( echo "${SYNCCMD/${DAVTOKEN_PASS}/***HIDDEN***}" )
 WALLETNAME="kdewallet"
 WALLETFILE="${WALLETNAME}.kwl"
 WALLETPATH="${DECRYPTEDDATADIR}/kwallet"
 WALLETPATH_CFG="$SUDO_HOME/.local/share/kwalletd"
 # At the start of this script, the local wallet-directory should be empty and the encrpted directory should be mount to that path
 # if thats not the case, will will move the files an configure them
 # Stop the daemon anyway if running
 WALLET_PID=$( pgrep -u $USER kwalletd6 )
 if [[ ! -z ${WALLET_PID} ]]; then
  kill ${WALLET_PID} && sleep 0.5
  if [[ $? -ne 0 ]]; then
    echo "Kwallet Service could not be stopped, please check why."
    exit 1
  fi
 fi
 #Check for existing legacy wallets: should be empty. Otherwise: move them.
 umount ${WALLETPATH_CFG} >/dev/null 2>&1
 PATTERN=(${WALLETPATH_CFG}/*.kwl)
 if [ -f ${PATTERN[0]} ]; then
  mv ${WALLETPATH_CFG}/*.* ${WALLETPATH}
  if [[ $? -ne 0 ]]; then
    echo "Legacy wallets could not be moved, please do that manually:"
    echo "Move ${WALLETPATH_CFG}/*.kwl to ${WALLETPATH}"
    exit 1
  fi
 else
  echo "Found no legacy Files in ${WALLETPATH_CFG}, no migration needed."
 fi
 #Always restore configuration with defaults
 cp -f kwalletrc $HOME/.config/
 #Bind mount secure folder to wallet directory
 echo "Mounting secure ${WALLETPATH} to wallet-directory ${WALLETPATH_CFG}"
 mount --bind ${WALLETPATH} ${WALLETPATH_CFG}
 if [[ $? -ne 0 ]]; then
  echo "Error bind mounting secure Files to Wallet. Please check what went wrong."
  exit 1
 fi
 PATTERN=(${WALLETPATH_CFG}/${WALLETNAME}.kwl)
 if [ ! -f ${PATTERN[0]} ]; then
  echo "Wallet ${WALLETNAME} was not found, setting it up from scratch."
  cp kdewallet.* ${WALLETPATH}
  if [[ $? -ne 0 ]]; then
    echo "Error: Copy of files for Wallet ${WALLETNAME} failed."
    exit 1
  fi
 fi
 #Restart the service
 su -c 'nohup kwalletd6 >/dev/null 2>&1 &' $SUDO_USER
 sleep 1
 #Check if kwalletd is enabled now
 su -c "$(dirname $0)/qbus_wallet_exec.sh reconfigure" $SUDO_USER
 QB_RESULT=$( su -c "$(dirname $0)/qbus_wallet_exec.sh isEnabled 2>/dev/null || true" $SUDO_USER )
 if [[ "$QB_RESULT" != "true" ]]; then
  echo "Error checking if kWallet service is activated. Cannot continue. Return of Check was:"
  echo "$QB_RESULT"
  exit 1
 fi
 #It should be possible to open the wallet without having to enter the password now.
 echo "Checking if Wallet can be opened by the user. The Program should not ask for a password, maybe for confirmation to access the wallet which is ok."
 echo "Please check to NOT have any Password asked now - if so, open kwalletmanager and change the password for wallet ${WALLETNAME} to nothing (by entering nothing when asked for new password)!"
 WALLETAPPID="sys_config_wallet_script"
 QB_RESULT=$( su -c "$(dirname $0)/qbus_wallet_exec.sh open ${WALLETNAME} 0 $WALLETAPPID" $SUDO_USER )
 if [[ $? -ne 0 ]]; then
  echo "Some Error opening Wallet ${WALLETNAME}. Please check."
  exit 1
 fi
 echo "Sucessfully opened Wallet ${WALLETNAME} with ID ${QB_RESULT}."
 exit 0
@@ -0,0 +1 @@
 )¦ň˙8®÷báćSˇăĎđ[Ú‘±†ćúOÍI.´éöV~Ě�PŤ|^Ű8ÜYOÇ4źÄ˝–<Ł
@@ -0,0 +1,15 @@
 [Wallet]
 Close When Idle=true
 Close on Screensaver=false
 Default Wallet=kdewallet
 Enabled=true
 First Use=false
 Idle Timeout=10
 Launch Manager=true
 Leave Manager Open=true
 Leave Open=false
 Prompt on Open=true
 Use One Wallet=true
 [org.freedesktop.secrets]
 apiEnabled=true
@@ -0,0 +1,43 @@
 #!/usr/bin/env bash
 # SPDX-FileCopyrightText: Daniel Pätzold
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
 # Resets the KDE- Wallet
 #
 set -euo pipefail
 #First, check if qdbus and kwallet is working via dbus
 QB_CMD="qdbus-qt6"
 if ! command -v ${QB_CMD} >/dev/null 2>&1; then
  QB_CMD="qdbus"
  if ! command -v ${QB_CMD} >/dev/null 2>&1; then
    echo "qdbus-qt6 or qdbus not found; cannot create KWallet via DBus. Install Qt DBus tools."
    exit 1
  fi
 fi
 # Determine kwallet DBus service name (kwalletd6 on Plasma with KF6, else kwalletd5)
 QB_SERVICE="org.kde.kwalletd"
 if ( ${QB_CMD} "$QB_SERVICE" | grep -q "/modules/kwalletd6" ); then
  QB_PATH="/modules/kwalletd6"
 elif ( qdbus-qt6 "$QB_SERVICE" | grep -q "/modules/kwalletd5" ); then
  QB_PATH="/modules/kwalletd5"
 else
  # Try calling directly — system may expose the service as org.kde.KWallet
  QB_SERVICE="org.kde.KWallet"
  QB_PATH=$( ${QB_CMD} "$QB_SERVICE" | grep -q "/modules/kwalletd" )
 fi
 #Now, run the command
 ${QB_CMD} "$QB_SERVICE" "$QB_PATH" $@
 exit $?
 #Check if kwalletd is enabled
 ${QB_CMD} "$QB_SERVICE" "$QB_PATH" reconfigure
 QB_RESULT=$( ${QB_CMD} "$QB_SERVICE" "$QB_PATH" isEnabled 2>/dev/null || true)
 if [[ "$QB_RESULT" != "true" ]]; then
  echo "Error checking if kWallet service is activated. Cannot continue. Return of Check was:"
  echo "$QB_RESULT"
  exit 1
 fi
@@ -72,11 +72,13 @@ elog_add "Check the matching client rule:"
 elog_add_command_subshell "/usr/bin/sudo -n -l -l ${SYSCONFIGPATH}/system_setup/sync_client_software.sh"
 if [[ $RETNO -ne 0 ]]; then
    elog_add "Error was no $RETNO"
-    elog_add "No matching IPA rule found for this user, so the user is not allowed to install software, skipping this."
+    elog_add "No matching IPA sudo rule found for the setup- script of this user, so the user is not allowed to run software setup."
-    elog_add "If you want to change: Please check the sudo rules in ipa and your group membership."
+    elog_add "This will not work, because necessary steps cannot be executed."
    elog_add "Please check the sudo rules in ipa and your group membership to make this work."
    elog_add "Hint: the rule must contain the !authenticate and setenv option to work."
    elog_add "A matching sudo rule could look like this: "'^'${SYSCONFIGPATH////'\/'}'\/system_setup\/sync_client_software\.sh.*$'
-    elog_add "Skipping SW Install."
+    elog_add "Skipping SW setup."
    echo "Press any key to continue" && read -n 1 -s -r && exit 1
 else
    # Check, if the rule is with Option !authenticate
    if [[ $RETTXT != *"!authenticate"* ]]; then
@@ -88,7 +90,7 @@ else
        # Rule seems to be ok, executing script
        elog_add "Matching Sudo rule found."
        elog_add ""
-        elog_add "Running client software install..."
+        elog_add "Running client software sync..."
        elog_add_command "/usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install $1"
        #ERRTXT=$( { /usr/bin/sudo -n --preserve-env ${SYSCONFIGPATH}/system_setup/sync_client_software.sh install > >(tee -a ${LOGFILE}); } 2>&1 )
        #ERR=$?
@@ -71,6 +71,8 @@ if [ -f "${CLIENT_SOFTWARE_DST}/install.sh" ]; then
    chmod u+x "${CLIENT_SOFTWARE_DST}/install.sh"
 fi
 echo "Sucessfully synced."
 #Run Software setup
 echo "Running Setup of Software"
 if [ $1 == "install" ]; then
    ${CLIENT_SOFTWARE_DST}/install.sh $2
    if [ $? -ne 0 ]; then
		`@@ -0,0 +1 @@`
							`)¦ň˙8®÷báćSˇăĎđ[Ú‘±†ćúOÍI.´éöV~Ě�PŤ\|^Ű8ÜYOÇ4źÄ˝–<Ł`