]>
Commit | Line | Data |
---|---|---|
7ddca96d | 1 | # NOTE: |
2 | # our .zprofile is expensive, so we keep track of what has been run already, | |
3 | # and only set up what is necessary. additionally, we want to ensure that our | |
4 | # environment is set up as early as possible, so we also source .zprofile in | |
5 | # .zshenv for new non-login shells. | |
6 | # | |
7 | # these issues are handled by using these methods: | |
8 | # * the parent shell that starts the user's session after logging in to some | |
9 | # graphical environments may not be a login shell—due to misconfiguration | |
10 | # or otherwise—which means .zprofile is not ran and the environment is not | |
11 | # properly configured for any child processes. | |
12 | # * some desktop environments/graphical terminal emulators will start new | |
13 | # terminal windows with login shells, which runs .zprofile every time and | |
14 | # leads to noticably slow startup times. | |
15 | # * switching users without wiping the environment will result in paths and | |
16 | # variables intended for the old user being used for the new user. while | |
17 | # this may be considered an edge-case that should not be supported, there | |
18 | # are legitimate reasons to want to do this, and in any case the shell | |
19 | # should not choke or cause unexpected problems should it happen anyway. | |
20 | ||
e4677c6b | 21 | ### cleanup |
22 | # XXX: only call after relevant vars have been set up, defined early so that | |
23 | # below code can utilize it after they do so | |
24 | function _sev_zcleanup { | |
25 | ## gpg forwarding | |
26 | if [[ -d $_sev_gpg_forward_dir && ( -z $1 || $1 == 'gpg-forward' ) ]] { | |
27 | # clean up forward dirs if its session is dead or we ask for it | |
fed9e7dc | 28 | find $_sev_gpg_forward_dir -mindepth 1 -maxdepth 1 -type d | |
e4677c6b | 29 | while {read -r x} { |
30 | # NOTE: the only way we can get here is if we have not been | |
31 | # forwarded before, if the user asks for it, or during | |
32 | # logout. if our own pid already has a dir, it is most likely | |
33 | # stale, the user wants it removed, or something is very | |
34 | # broken—in all 3 of these cases the best choice is remove it. | |
35 | p=$(basename $x) | |
36 | if {[[ -v _sev_gpg_forward_clean || $$ == $p ]] || | |
37 | ! kill -0 $p 2>/dev/null} { | |
38 | find $x -mindepth 1 -maxdepth 1 | while {read -r y} { | |
39 | # XXX: real dirs will stop unlink, consider it a feature | |
40 | unlink $y | |
41 | } | |
42 | # don't force in case something important is still there | |
43 | rmdir $x | |
44 | } | |
45 | } | |
46 | # reset GNUPGHOME if we removed our own dir | |
47 | if [[ $GNUPGHOME =~ '/.ssh_forward/\d+/*$' && ! -e $GNUPGHOME ]] { | |
48 | x=$GNUPGHOME | |
49 | [[ -o GLOB_ASSIGN ]]; y=$? | |
50 | setopt GLOB_ASSIGN | |
51 | GNUPGHOME=$GNUPGHOME/../..(:a) | |
52 | (( y != 0 )) && unsetopt GLOB_ASSIGN | |
53 | } | |
54 | } | |
55 | ||
56 | ## tmp | |
57 | # NOTE: _sev_tmp is not unset so session dirs will not be recreated | |
58 | # NOTE: XDG dirs that use our tmp are not unset here, they are in zlogout | |
59 | if [[ -d $_sev_tmp && ( -z $1 || $1 == 'tmp' ) ]] { | |
60 | # clean up tmp dirs if its session is dead or we ask for it | |
fed9e7dc | 61 | find $_sev_tmp -mindepth 1 -maxdepth 1 -name '.session.*' -type d | |
e4677c6b | 62 | while {read -r x} { |
63 | # NOTE: same rationale as above | |
64 | p=${$(basename $x)#.session.} | |
65 | if {[[ -v _sev_tmp_clean || $$ == $p ]] || | |
66 | ! kill -0 $p 2>/dev/null} { | |
67 | rm -rf $x | |
68 | } | |
69 | } | |
70 | } | |
71 | ||
72 | unset x p y | |
73 | } | |
74 | ||
c7e3e126 | 75 | ### lang |
e4677c6b | 76 | export CHARSET=${CHARSET:-UTF-8} |
77 | export LANG=${LANG:-en_US.UTF-8} | |
78 | export LC_CTYPE=${LC_TYPE:-$LANG} | |
79 | ||
c7e3e126 | 80 | ### path |
7ddca96d | 81 | # NOTE: we utilize the fact that unique arrays keep the first occurrence and |
82 | # remove any further occurences to capture elements from the old PATH | |
83 | # that we did not anticipate and shift them to the front, since they are | |
84 | # probably important to the system | |
85 | if [[ ! -v _sev_setup_path || -o login ]] { | |
7ddca96d | 86 | typeset -U path fpath |
87 | # add as many generic paths as possible to keep the order we want | |
88 | # NOTE: /usr/{local,pkg,games} are unix/bsdisms | |
fed9e7dc | 89 | # XXX: PREFIX not validated, non-posix but Termux uses it |
7ddca96d | 90 | syspath=("$path[@]") |
fed9e7dc | 91 | path=({~,~/.local,{$PREFIX,}{,/opt,/usr{,/local,pkg}}}/sbin |
92 | {~,~/.local,{$PREFIX,}{,/opt,/usr{,/local,pkg}}}/bin | |
93 | /usr/{X11R{7,6}/bin,games}) | |
c7e3e126 | 94 | ((len=$#path)) |
7ddca96d | 95 | path=("$path[@]" "$syspath[@]") |
96 | # remove nonexistent and duplicate paths | |
97 | for (( i = 1; i <= $#path; i++ )) { | |
98 | if [[ ! -e $path[$i] ]] { | |
99 | path[$i]=() | |
c7e3e126 | 100 | ((i <= len)) && ((len--)) |
7ddca96d | 101 | ((i--)) |
102 | continue | |
103 | } | |
7ddca96d | 104 | } |
c7e3e126 | 105 | # shift valid system paths to the front if there are any left |
106 | ((len > 0 && len < $#path)) && path=("${(@)path[len + 1, -1]}" "${(@)path[1, len]}") | |
107 | unset syspath len i j | |
7ddca96d | 108 | # include our zsh dir in fpath. unlike above, we always prefer our paths |
109 | fpath=(${ZDOTDIR:-~/.zsh}/functions/{*,Completions/*}(N) "$fpath[@]") | |
110 | # FPATH is not exported by default | |
111 | export FPATH | |
112 | typeset +U path fpath | |
113 | export _sev_setup_path= | |
114 | } | |
115 | ||
e4677c6b | 116 | ### tmp |
117 | # NOTE: specs say that POSIX tmp and XDG runtime directories should exist | |
118 | # until the last session is logged out (POSIX can exist for longer). | |
119 | # since we can't reliably keep track of sessions in a cross-platform | |
120 | # manner, the current implementation should use a separate directory per | |
121 | # toplevel session (i.e. SHLVL=1). this should placate most applications, | |
122 | # though it is not expressly spec compliant. | |
123 | if [[ ! -v _sev_tmp ]] { | |
124 | _sev_tmp=~/tmp | |
125 | # create personal tmp dir | |
c7e3e126 | 126 | t=${TMPDIR:-${TEMP:-${TMP:-/tmp}}}/.home-$LOGNAME |
e4677c6b | 127 | [[ ! -e $t ]] && mkdir -m700 $t 2>/dev/null |
c7e3e126 | 128 | if [[ ! -d $t ]] { |
129 | [[ -o interactive ]] && | |
e4677c6b | 130 | print -P "%F{red}!!! Can't create tmpdir $t%f" |
c7e3e126 | 131 | # fallback bare directories |
e4677c6b | 132 | [[ -h $_sev_tmp ]] && unlink $_sev_tmp 2>/dev/null |
133 | [[ ! -e $_sev_tmp ]] && mkdir -m700 $_sev_tmp 2>/dev/null | |
c7e3e126 | 134 | } |
e4677c6b | 135 | # link home tmp for convenience if there isn't anything meaningful there |
136 | [[ -h $_sev_tmp || ! -e $_sev_tmp ]] && ln -sfn $t $_sev_tmp 2>/dev/null | |
137 | export _sev_tmp=$(realpath $_sev_tmp) | |
138 | # ensure dir is clean | |
139 | _sev_zcleanup tmp | |
c7e3e126 | 140 | # finally create our subdir for this session |
e4677c6b | 141 | h=$_sev_tmp/.session.$$ |
142 | mkdir -m700 $h 2>/dev/null | |
143 | export TMPDIR=$h TEMP=$h TMP=$h | |
c7e3e126 | 144 | unset t h |
c7e3e126 | 145 | } |
146 | ||
147 | ### xdg | |
7ddca96d | 148 | if [[ ! -v _sev_setup_xdg ]] { |
149 | # merge with any existing dirs and remove duplicates using unique arrays | |
c7e3e126 | 150 | # NOTE: include and then remove CONFIG_HOME and DATA_HOME to ensure they |
151 | # are not present in the array if it was added before we got to it | |
7ddca96d | 152 | typeset -UT XDG_CONFIG_DIRS xdg_config_dirs |
2ec9d552 | 153 | export XDG_CONFIG_HOME=~/etc |
e4677c6b | 154 | mkdir $XDG_CONFIG_HOME 2>/dev/null |
2ec9d552 | 155 | xdg_config_dirs=($XDG_CONFIG_HOME ~/.config |
7ddca96d | 156 | {/opt,/usr/local,/usr/pkg,}/etc/xdg |
157 | "${XDG_CONFIG_DIRS:+${xdg_config_dirs[@]}}") | |
158 | export XDG_CONFIG_DIRS=${XDG_CONFIG_DIRS#$XDG_CONFIG_HOME} | |
2ec9d552 | 159 | |
160 | typeset -UT XDG_DATA_DIRS xdg_data_dirs | |
161 | export XDG_DATA_HOME=~/share | |
e4677c6b | 162 | mkdir $XDG_DATA_HOME 2>/dev/null |
2ec9d552 | 163 | xdg_data_dirs=($XDG_DATA_HOME ~/.local/share |
7ddca96d | 164 | /{opt,usr/local,usr/pkg,usr}/share |
165 | "${XDG_DATA_DIRS:+${xdg_data_dirs[@]}}") | |
166 | export XDG_DATA_DIRS=${XDG_DATA_DIRS#$XDG_DATA_HOME} | |
2ec9d552 | 167 | |
e4677c6b | 168 | mkdir ~/var 2>/dev/null |
2ec9d552 | 169 | export XDG_STATE_HOME=~/var/lib |
e4677c6b | 170 | mkdir $XDG_STATE_HOME 2>/dev/null |
171 | ||
172 | if [[ -v _sev_tmp ]] { | |
173 | export XDG_CACHE_HOME=$_sev_tmp/.xdg.cache | |
174 | mkdir $XDG_CACHE_HOME 2>/dev/null | |
2ec9d552 | 175 | |
e4677c6b | 176 | export XDG_RUNTIME_DIR=$TMPDIR/.xdg.runtime |
177 | # same as in tmpdir creation, ensure it doesn't exist | |
178 | if [[ -h $XDG_RUNTIME_DIR ]]; then | |
179 | unlink $XDG_RUNTIME_DIR 2>/dev/null | |
180 | elif [[ -e $XDG_RUNTIME_DIR ]]; then | |
181 | rm -rf $XDG_RUNTIME_DIR 2>/dev/null | |
c7e3e126 | 182 | fi |
e4677c6b | 183 | mkdir -m700 $XDG_RUNTIME_DIR 2>/dev/null |
184 | } | |
2ec9d552 | 185 | |
7ddca96d | 186 | # source user dirs after other vars |
187 | [[ -e $XDG_CONFIG_HOME/user-dirs.dirs ]] && | |
188 | emulate sh -c "source $XDG_CONFIG_HOME/user-dirs.dirs" | |
189 | export _sev_setup_xdg= | |
b133dc92 | 190 | } |
7ddca96d | 191 | |
e4677c6b | 192 | ### dbus |
193 | if [[ ! -v DBUS_SESSION_BUS_ADDRESS && -v commands[dbus-launch] ]] { | |
194 | eval $(dbus-launch) | |
195 | export DBUS_SESSION_BUS_ADDRESS DBUS_SESSION_BUS_PID | |
196 | } | |
197 | ||
198 | ### gpg home | |
199 | if [[ ! -v GNUPGHOME ]] { | |
200 | export GNUPGHOME=~/etc/gnupg | |
201 | if [[ -d ~/.gnupg ]] { | |
202 | mv ~/.gnupg ~/etc/gnupg | |
203 | } | |
204 | } | |
205 | ||
206 | ### gpg agent + forwarding | |
7ddca96d | 207 | # NOTE: while ssh manages its auth sock in its protocol when ForwardSsh is |
208 | # enabled, GPG must be forwarded manually over Unix socket. to support | |
209 | # this, we forward the restricted gpg-agent extra socket to the remote | |
210 | # host with a RemoteForward rule in ~/.ssh/config that uses the | |
211 | # _GNUPG_SOCK_* env vars. to avoid conflicts with other ssh sessions | |
212 | # where the same user is connecting to the same host from different | |
213 | # machines, gpg in each environment should utilize its own forwarded | |
214 | # socket, rather than replace the sockets in GNUPGHOME which will be | |
215 | # overridden on the next connection. previously, you could provide a path | |
216 | # to the agent socket in GPG_AGENT_INFO, but that was deprecated in GPG | |
c7e3e126 | 217 | # v2.1. instead, we must clone GNUPGHOME with links and replace the agent |
218 | # sockets there with the forwarded one. | |
7ddca96d | 219 | # NOTE: since Unix sockets are not supported under Windows, this will not work |
c7e3e126 | 220 | # under msys, cygwin, mingw, etc., but may work under wsl2. |
7ddca96d | 221 | # HACK: without SendEnv, which is disabled by default in most sshd configs, |
222 | # there is no foolproof way to prevent race conditions via filename | |
223 | # collisions or to pass the desired forward path to the remote host | |
224 | # environment. we just have to guess the path we choose is good on the | |
225 | # desination, and assume the newest matching socket is the correct one | |
226 | # after connecting. in theory, we could occlude the ssh binary on PATH | |
227 | # with an alias or script that would allow us to communicate with the | |
228 | # remote host before opening a shell, so that we can have the host | |
229 | # communicate back to the client where it wants a socket created or ask | |
230 | # the host if the path the client wants to use is writable. however, this | |
231 | # would open up too many edge cases where it wouldn't work or be clunky | |
232 | # (e.g. asking for password twice) to make it worth it. | |
e4677c6b | 233 | function _gpg_socketpath { |
234 | # dirs are percent-encoded: https://stackoverflow.com/a/64312099 | |
235 | echo ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}} | |
236 | } | |
237 | if [[ ! -v _sev_setup_gpg_forward && -v commands[gpg] ]] { | |
238 | export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward | |
239 | export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM | |
240 | export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT | |
241 | export _sev_gpg_forward_dir=${GNUPGHOME:-~/.gnupg}/.ssh_forward | |
242 | _sev_zcleanup gpg-forward | |
7ddca96d | 243 | |
e4677c6b | 244 | # find our forwarded socket |
245 | s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1])) | |
246 | if [[ -n $s && -v SSH_CLIENT ]] { | |
247 | # create new forward dir | |
248 | export _sev_setup_gpg_forward= | |
249 | h=$_sev_gpg_forward_dir/$$ | |
250 | mkdir -pm700 $h | |
251 | # XXX: is it safe to link scdaemon socket? can its name be changed? | |
252 | for x (S.scdaemon gpg.conf gpg-agent.conf sshcontrol | |
253 | pubring.kbx trustdb.gpg private-keys-v1.d crls.d) { | |
254 | ln -s ${GNUPGHOME:-~/.gnupg}/$x $h | |
7ddca96d | 255 | } |
e4677c6b | 256 | export GNUPGHOME=$h |
257 | unset h | |
258 | for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do | |
259 | x=$(_gpg_socketpath ${x/#agent-*socket:}) | |
260 | if [[ ! -v orig ]] { | |
261 | # move forwarded socket to first valid agent socket path | |
262 | # XXX: if tmp is on different filesystem this may not work | |
263 | mv $s $x | |
264 | orig=$x | |
265 | } else { | |
266 | # make links to forwarded socket for any others | |
267 | ln -s $orig $x | |
268 | } | |
269 | done | |
270 | unset x orig | |
271 | } | |
272 | unset s | |
7ddca96d | 273 | |
e4677c6b | 274 | # what we will forward if we start a new ssh connection |
275 | # NOTE: do this after setting up GNUPGHOME to pick up new socket path; | |
276 | # if already connected over SSH, extra should be the remote one | |
277 | export _GNUPG_SOCK_SRC=$(_gpg_socketpath \ | |
278 | $(gpgconf --list-dirs agent-extra-socket)) | |
279 | } elif [[ ! -v _sev_setup_gpg_forward ]] { | |
280 | # required for RemoteForward to not error out if the vars are unset | |
281 | [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent | |
282 | [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent | |
283 | } | |
7ddca96d | 284 | |
e4677c6b | 285 | ### gpg agent |
286 | if [[ -v commands[gpg-connect-agent] && ( ! -v _sev_setup_gpgagent || | |
287 | ( -v _sev_first_display && -z $_sev_first_display ) ) ]] { | |
288 | # avoid printing if we have already set up tty before | |
289 | [[ ! -v _sev_setup_gpgagent && -o interactive ]] && p=true || p=false | |
290 | if {$p} { | |
291 | print -nP '%F{blue}>>>%f GPG: ' | |
292 | if [[ -v _sev_setup_gpg_forward ]] { | |
293 | a=agent | |
294 | print -nP '%F{yellow}Forwarded%f ' | |
295 | } else { a=Agent } | |
296 | print -nP '%F{green}' | |
7ddca96d | 297 | } |
e4677c6b | 298 | gpg-connect-agent /bye >/dev/null 2>&1 |
299 | if [[ $? -ne 0 ]] { | |
300 | $p && print -P '%F{red}$a communication error' | |
301 | } else { | |
302 | if [[ ${+GPG_TTY} -eq 0 && -o interactive ]] | |
7ddca96d | 303 | export GPG_TTY=$(tty) |
e4677c6b | 304 | if [[ ( -v DISPLAY || -v WAYLAND_DISPLAY ) && |
305 | ${PINENTRY_USER_DATA/USE_TTY=0} == $PINENTRY_USER_DATA ]] | |
306 | export PINENTRY_USER_DATA=USE_TTY=$(( | |
307 | ${+DISPLAY} + ${+WAYLAND_DISPLAY} == 0)) | |
308 | # XXX: don't know if gpg-agent supports comments after directives | |
309 | # XXX: path could have # | |
310 | sed -Ei 's#^([[:space:]]*pinentry-program[[:space:]]).*$#\1'${commands[pinentry]:-/dev/null}'#' \ | |
311 | ${GNUPGHOME:-~/.gnupg}/gpg-agent.conf | |
312 | # XXX: could probably check for changes before doing this to save perf | |
313 | gpg-connect-agent RELOADAGENT UPDATESTARTUPTTY /bye >/dev/null 2>&1 | |
314 | $p && gpg-connect-agent /subst /serverpid \ | |
315 | "/echo $a pid \${get serverpid} on $GPG_TTY" /bye | |
316 | export _sev_setup_gpgagent= | |
7ddca96d | 317 | } |
e4677c6b | 318 | $p && print -nP '%f' |
319 | unset p a | |
320 | } | |
7ddca96d | 321 | |
e4677c6b | 322 | ### ssh agent |
323 | if [[ ! -v _sev_setup_ssh ]] { | |
7ddca96d | 324 | # NOTE: preferred order of agents to check: okcagent, gnupg, openssh |
325 | # first block takes care of okcagent and openssh, second gnupg | |
e4677c6b | 326 | # XXX: doesn't actually check if ssh is enabled in gpg |
7ddca96d | 327 | [[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}' |
328 | if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] || | |
329 | ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] { | |
330 | okc=${commands[okc-ssh-agent]:+okc-} | |
e4677c6b | 331 | t=${_sev_tmp:-${TMPDIR:-${TEMP:-${TMP:-/tmp}}}} |
332 | e=$t/${okc}ssh-agent-exports | |
7ddca96d | 333 | typeset sock= |
334 | typeset -i pid= | |
e4677c6b | 335 | if [[ -f $e ]] { |
336 | IFS=$'\0' read -r sock pid <$e | |
7ddca96d | 337 | } |
338 | if [[ -S $sock && $pid > 0 ]] && kill -0 $pid; then | |
339 | [[ -o interactive ]] && print -P "Reusing agent PID $pid%f" | |
340 | export SSH_AUTH_SOCK=$sock | |
341 | export SSH_AGENT_PID=$pid | |
342 | else | |
e4677c6b | 343 | e='TMPDIR=$t ${okc}ssh-agent' |
7ddca96d | 344 | # TODO: ensure ssh-agent path looks legit to avoid unsafe eval? |
345 | # XXX: doesn't appear to be any other way to handle redirection. | |
346 | # because eval needs to write to current scope environment | |
347 | # subshells can't be used to capture output and print. | |
348 | if [[ -o interactive ]] { | |
e4677c6b | 349 | eval $(eval $=e) |
7ddca96d | 350 | print -nP '%f' |
351 | } else { | |
e4677c6b | 352 | eval $(eval $=e) >/dev/null 2>&1 |
7ddca96d | 353 | } |
e4677c6b | 354 | echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$e |
7ddca96d | 355 | fi |
e4677c6b | 356 | unset okc t e sock pid |
7ddca96d | 357 | } elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] { |
e4677c6b | 358 | # since gpg should have been started above, just export and notify |
7ddca96d | 359 | if [[ -o interactive ]] { |
e4677c6b | 360 | if [[ -v _sev_setup_gpg_forward ]] { |
361 | echo 'Forwarded GPG agent' | |
7ddca96d | 362 | } else { |
363 | gpg-connect-agent /subst /serverpid \ | |
e4677c6b | 364 | '/echo GPG agent pid ${get serverpid}' /bye |
7ddca96d | 365 | } |
366 | print -nP '%f' | |
367 | } | |
e4677c6b | 368 | export SSH_AUTH_SOCK=$(_gpg_socketpath \ |
7ddca96d | 369 | $(gpgconf --list-dirs agent-ssh-socket)) |
370 | } elif [[ -v SSH_AUTH_SOCK ]] { | |
371 | [[ -o interactive ]] && print -P 'Preconfigured agent%f' | |
372 | } else { | |
373 | [[ -o interactive ]] && print -P '%F{red}No agent available%f' | |
374 | } | |
375 | ||
e4677c6b | 376 | export _sev_setup_ssh= |
7ddca96d | 377 | } |
e4677c6b | 378 | unfunction _gpg_socketpath |
7ddca96d | 379 | |
e4677c6b | 380 | ### perl local lib |
381 | [[ -v commands[perl] && -d $XDG_DATA_HOME/perl5/lib/perl5 && | |
382 | ! -v PERL_LOCAL_LIB_ROOT ]] && | |
383 | eval $(perl -I$XDG_DATA_HOME/perl5/lib/perl5 \ | |
c7e3e126 | 384 | -Mlocal::lib=$XDG_DATA_HOME/perl5 2>/dev/null) |
7ddca96d | 385 | |
e4677c6b | 386 | |
c7e3e126 | 387 | ### load site-specific |
81c3957e | 388 | if [[ -f ~/.zprofile.local ]] { source ~/.zprofile.local } |
389 | ||
7ddca96d | 390 | # vim: et sts=4 sw=4 ts=8 tw=79 |