The team behind systemd wants you to adopt a new way of managing home directories. Calling it a “new way” is putting it lightly: this is a real paradigm shift for Linux. Here’s everything you need to know about systemd-homed, which is likely coming to a Linux distro near you.
No Stranger to Controversy
When systemd was introduced in 2010, the Linux community split into three camps. Some thought it was an improvement, others thought it was a flawed design that didn’t adhere to the Unix philosophy, and some didn’t care one way or the other.

Songs advocating violence toward Lennart Poettering, systemd’s lead developer, were posted on YouTube, and websites appeared trying to coerce Linux users into boycotting systemd. His co-developer, Kay Sievers, also received criticism and abuse, but Poettering certainly bore the brunt of it.
Yet, within eight months, Fedora was using systemd. Within a few years Arch, Manjaro, Debian, and Ubuntu had all moved to it as well (Debian and Ubuntu in their 2015 releases, Debian 8 and Ubuntu 15.04). Of course, the glory of open source is that if you don’t like something, you can fork the source code and do your own thing with it. New distributions, like Devuan, a fork of Debian, were created solely to avoid using systemd.
Your $HOME Directory
In the Linux directory structure, everything that belongs to you as a user lives under the “/home” directory. Your data files, images, music, and entire personal directory tree are stored within one directory there, named after your user account.

The settings for your applications are stored in your home folder in hidden “dot directories.” If the first character of a file or directory name is a period (.), it’s hidden. (Newer applications follow the XDG base directory convention and keep their settings under the hidden “~/.config” directory instead.) Because these settings are stored locally rather than in a central registry, and because a backup of your home directory includes these hidden files and folders, all your settings get backed up too.

When you restore a backup and fire up an application like LibreOffice or Thunderbird, it looks for its hidden directory, and there it finds your document preferences, toolbar settings, and any other customizations. Thunderbird finds your email account information and your email. You don’t have to go through the pain of slowly setting up each application again.
You can use ls with the -a (all) option to see hidden files and directories. A plain ls shows only the regular files and directories; ls -a lists the hidden ones too (along with the “.” and “..” entries, which ls -A leaves out).
Because it’s the most precious part of an installation, it’s common for “/home” to be mounted on its own partition or on a separate drive. This way, if something catastrophic happens to the operating system or the partition it’s on, you can reinstall your Linux distribution, or switch to a new one, and then just remount your existing home partition on “/home.” Note that a separate partition protects availability, not confidentiality: unless it’s encrypted, anyone who can read the disk can read your data.
Data About You
Your home directory doesn’t just store your data; it also stores information about you, including some attributes of your digital identity. For example, your “.ssh” directory holds “known_hosts,” a record of the remote machines you’ve connected to, any SSH keys you’ve generated (the private keys are among the most sensitive files you own), and, if you accept logins, the “authorized_keys” file that decides which keys may log in as you.

Other system attributes, such as your account username, password hash, and unique user ID, are stored elsewhere, in files like “/etc/passwd” and “/etc/shadow.” The first is world-readable; the second, which holds the password hashes, can only be read with root privileges.

Each line of “/etc/passwd” describes one account as seven colon-separated fields: the username, a password placeholder (an “x” means the real hash is in “/etc/shadow”), the UID, the primary GID, the GECOS field, the home directory, and the login shell.
The systemd-homed Changes
The intent of the systemd-homed changes is to provide a fully portable home directory with both your data and your Linux digital identity stored within it. Your UID and all other identification and authentication data are kept in a JSON user record that travels with the home directory instead of living in system-wide files.

Because all the eggs are in one basket, the home directory is encrypted. It’s decrypted automatically whenever you log in and locked again whenever you log out. The preferred method is a Linux Unified Key Setup (LUKS) volume, but other storage backends are available, such as fscrypt. Note that the LUKS volume is unlocked with your account password, so the strength of that password is all that protects the data at rest: a weak login password is a weak disk-encryption passphrase.

With the LUKS backend, each person’s home is an image file, “/home/$USER.home,” that’s attached to a loopback device and mounted at “/home/$USER” when the account is activated, similar to the way a snap application is mounted. This is so the directory tree within the home directory appears as a seamless part of the directory tree of the operating system. (“$USER” is replaced by the person’s account name; the directory-based backends keep their data in “/home/$USER.homedir” instead.)
What Are the Benefits?
Because your home directory becomes a secure encapsulation of all your data, you could even have your home directory on a removable device. For example, you could use a USB drive to move it between your work and home machines, or any other
This is what Poettering meant by “a fully portable home directory.” He said even if you don’t want to move your home directory around on a portable device, this will make upgrades and migrations easier and increase security.
It removes what he calls “sidecar databases,” the scattered files that each hold a snippet of important information about you and that Poettering thinks should be kept together. The “/etc/passwd” and “/etc/shadow” files contain authentication information and hashed passwords, but they also hold unrelated details like your default shell and the General Electric Comprehensive Operating Supervisor (GECOS) field, which stores your full name and contact information.

Poettering said this metadata should be rationalized and stored in meaningful groups within the JSON record of each person in their home directory.
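To make the “sidecar database” point concrete, here is an added example (written for this article, not code from the systemd project) that parses constructed “/etc/passwd” lines and folds each human account into a record using the field names of systemd’s JSON user record format (userName, realName, uid, gid, homeDirectory, shell). The sample lines, the account names, and the UID 1000 cut-off for human accounts are assumptions; a real homed record carries many more fields.

```python
import json

# Constructed sample of /etc/passwd lines (not taken from any real system).
# Fields: name:password:UID:GID:GECOS:home:shell. An "x" in the password
# field means the hash lives in /etc/shadow, which only root can read.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
mary:x:1001:1001:Mary Example,Room 12,555-0100,:/home/mary:/bin/zsh
"""

HUMAN_UID_MIN = 1000  # below this are system accounts, which homed does not manage


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts, one per account."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name,
            "hash_in_shadow": pw == "x",
            "uid": int(uid),
            "gid": int(gid),
            "gecos": gecos,
            "home": home,
            "shell": shell,
        })
    return entries


def is_human_account(entry):
    """homed only manages human users; system accounts keep the classic scheme."""
    return entry["uid"] >= HUMAN_UID_MIN


def to_user_record(entry):
    """Fold one passwd entry into a dict using the field names of systemd's
    JSON user record format. This is an illustrative sketch, not homed's own
    converter. Secrets such as password hashes belong in a record's separate
    "privileged" section, never in the world-readable part, so none are
    copied here."""
    if not is_human_account(entry):
        raise ValueError(f"{entry['name']}: UID {entry['uid']} is a system account")
    real_name = entry["gecos"].split(",")[0]  # GECOS: full name, room, phones, ...
    return {
        "userName": entry["name"],
        "realName": real_name,
        "uid": entry["uid"],
        "gid": entry["gid"],
        "homeDirectory": entry["home"],
        "shell": entry["shell"],
    }


def human_user_records(text):
    """One record per human account found in passwd-format text."""
    return [to_user_record(e) for e in parse_passwd(text) if is_human_account(e)]


if __name__ == "__main__":
    print(json.dumps(human_user_records(PASSWD_SAMPLE), indent=2))
```

Running it prints two records, for alice and mary; root and daemon are skipped because their UIDs put them outside the range homed manages.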
Managing Your New $HOME
The systemd-homed service is controlled through the new homectl command-line tool.

There are options to create users and home directories (homectl create) and to set storage limits for each user (--disk-size=). You can also set the password (homectl passwd), lock someone out of their account (--locked=yes), or delete an account completely (homectl remove). Users can be inspected (homectl inspect), and their JSON user records can also be read in full.

Time zones (--timezone=) and other location-based information can also be set for each user. You can specify the default shell (--shell=), and even set environment variables (--setenv=) so they’re in a certain state whenever someone logs in.
If you look in the “/home” directory, you see the systemd-homed managed entries alongside any classic ones: a LUKS-backed home appears as an image file with “.home” appended to the username, a directory-backed one as a directory with “.homedir” appended, and the active home itself is mounted at “/home/username.”

Remember, “/home/username” is just a mount point: it’s only populated while the account is activated, and the encrypted data actually lives in the image file.
Limitations and Issues
systemd-homed is only for use on the user accounts of humans. It can’t handle user accounts with a UID below 1,000, so root, daemon, bin, and the other system accounts can’t be administered using the new scheme. There’s always going to be a need for the standard ways of administering users, so systemd-homed isn’t a global solution.
There’s a catch-22 to be aware of. As we mentioned previously, a person’s home directory is decrypted when they log in. But if someone is connecting over SSH, the server normally checks the keys in “~/.ssh/authorized_keys,” and that file sits inside the still-encrypted home directory. The keys have to be checked before the login can succeed, and the login has to succeed before the keys become readable.

The systemd-homed developers recognized this, and the way around it is to keep the public keys outside the home directory: the JSON user record has an sshAuthorizedKeys field, and sshd can be pointed at it with an AuthorizedKeysCommand that runs userdbctl ssh-authorized-keys. A remaining wrinkle is that a successful key-based login still doesn’t hand the system the password needed to unlock a LUKS home, so in practice the first login still involves a password prompt.
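The following is an added example, not code from systemd, that models the two lookup paths sshd could take for a homed user: reading “~/.ssh/authorized_keys” from the home (which fails while the volume is locked) versus reading the sshAuthorizedKeys field of the user record, which lives outside the encrypted volume. The user record, the key string, and the activation bookkeeping are constructed stand-ins; the real mechanism is the userdb service, not these dictionaries.

```python
# Constructed data for illustration. The key is a placeholder, not a real key.
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal alice@laptop"

# Stripped-down user record of the kind homed keeps outside the encrypted
# volume; only the public, non-privileged part is modelled.
USER_RECORDS = {
    "alice": {
        "userName": "alice",
        "homeDirectory": "/home/alice",
        "storage": "luks",
        "sshAuthorizedKeys": [KEY],  # readable without unlocking the home
    },
}

# Homes that are currently activated (LUKS volume unlocked and mounted).
ACTIVATED_HOMES = set()

# What ~/.ssh/authorized_keys contains once the home is mounted.
HOME_SSH_FILES = {
    "/home/alice/.ssh/authorized_keys": KEY + "\n",
}


class HomeNotActivated(Exception):
    pass


def activate_home(user):
    """Model the home being unlocked and mounted (login or homectl activate)."""
    ACTIVATED_HOMES.add(user)


def keys_from_home_dir(user):
    """The classic path: read ~/.ssh/authorized_keys. For an encrypted home
    that has not been unlocked yet this cannot work, which is the catch-22."""
    record = USER_RECORDS[user]
    if user not in ACTIVATED_HOMES:
        raise HomeNotActivated(f"{record['homeDirectory']} is still encrypted")
    path = record["homeDirectory"] + "/.ssh/authorized_keys"
    return HOME_SSH_FILES[path].splitlines()


def keys_from_user_record(user):
    """The homed-style path: take the keys from the user record, which is
    stored outside the encrypted volume, so sshd can check them before the
    home is activated. An unknown user yields no keys, so sshd rejects."""
    record = USER_RECORDS.get(user)
    if record is None:
        return []
    return list(record.get("sshAuthorizedKeys", []))


def authorized_keys_command(user):
    """Stand-in for an AuthorizedKeysCommand helper: sshd expects the
    authorized keys on stdout, one per line."""
    return "\n".join(keys_from_user_record(user))


if __name__ == "__main__":
    try:
        keys_from_home_dir("alice")
    except HomeNotActivated as err:
        print("classic lookup failed:", err)
    print("record lookup:", authorized_keys_command("alice"))
    activate_home("alice")
    print("classic lookup after activation:", keys_from_home_dir("alice"))
```

The point of the model is the ordering: the record-based lookup succeeds before activation, the file-based one only after it, which is why the public keys have to live in the record rather than in the home.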
Let’s say someone transports their home directory to a new machine. If the UID is already in use there by someone else, they’ll be assigned a new UID automatically, and all of their files will have to have their ownership reassigned to the new UID.

Currently, this is handled by a recursive, automatic application of chown -R. This will probably be handled differently in the future when a more elegant scheme is developed. The heavy-handed approach changes everything under the directory, without regard for files that were created there by daemons or processes running as other users.
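As an added example (not systemd’s own migration code), here is a UID reassignment that avoids the two sharp edges of a blanket chown -R: it inspects entries with lstat so a symlink inside the home is never followed to something outside it, and it only selects files owned by the old UID, leaving anything a daemon or another user created alone. The demo builds a constructed home tree in a temporary directory, using the current user as the “old” UID since changing ownership to another UID needs root.

```python
import os
import tempfile


def plan_uid_migration(home, old_uid):
    """List every path under `home` whose owner is old_uid. Symlinks are
    inspected with lstat and never followed, and files owned by anyone else
    are skipped, unlike a blanket `chown -R`."""
    selected = []
    if os.lstat(home).st_uid == old_uid:
        selected.append(home)
    for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_uid == old_uid:  # lstat: the entry itself, not a target
                selected.append(path)
    return selected


def apply_uid_migration(paths, new_uid):
    """Reassign ownership without dereferencing symlinks; the group (-1) is
    left unchanged. Needs CAP_CHOWN unless new_uid is the caller's own UID.
    Returns the number of entries changed."""
    for path in paths:
        os.lchown(path, new_uid, -1)
    return len(paths)


def demo():
    """Build a constructed home tree in a temp dir and plan its migration.
    Returns the paths involved so the result can be checked."""
    outside = tempfile.mkdtemp(prefix="outside-")
    outside_secret = os.path.join(outside, "secret")
    with open(outside_secret, "w") as f:
        f.write("not part of the home\n")
    home = tempfile.mkdtemp(prefix="home-")
    os.makedirs(os.path.join(home, ".ssh"))
    key_path = os.path.join(home, ".ssh", "id_ed25519")
    with open(key_path, "w") as f:
        f.write("constructed placeholder, not a real key\n")
    link_path = os.path.join(home, "escape")
    os.symlink(outside, link_path)  # a link that points outside the home
    uid = os.getuid()
    return {
        "home": home,
        "key_path": key_path,
        "link_path": link_path,
        "outside_secret": outside_secret,
        "uid": uid,
        "plan": plan_uid_migration(home, uid),
    }


if __name__ == "__main__":
    result = demo()
    for path in result["plan"]:
        print("would chown:", path)
    print("untouched:", result["outside_secret"])
```

The symlink entry itself is in the plan (it belongs to the user), but the file it points to is not, which is the difference between lchown on a walked tree and a chown -R that someone has talked into following links.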
When Is This Happening?
systemd-homed first shipped in systemd 245, released in March 2020. To check which version you have, run systemctl --version and look at the number on the first line of its output.

A new-enough systemd doesn’t mean the homectl command is present, though. Ubuntu 20.04, for example, ships systemd 245 but builds it without homed, so it uses a traditional /home directory and has no homectl.
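An added helper (written for this article, not a systemd tool) that turns the check above into something scriptable: it parses the release number from systemctl --version output, compares it with 245, and separately reports whether homectl is on the PATH, since the second doesn’t follow from the first. The sample version strings are constructed.

```python
import re
import shutil
import subprocess

HOMED_MIN_VERSION = 245  # systemd-homed first shipped in systemd v245 (March 2020)


def systemd_major_version(text):
    """Pull the release number out of `systemctl --version` output, whose
    first line looks like "systemd 245 (245.4-4ubuntu3.22)". Returns None
    when the text is not from systemctl."""
    m = re.match(r"systemd (\d+)", text)
    return int(m.group(1)) if m else None


def homed_available_in(text):
    """True if the release described by `text` is new enough to contain homed.
    Necessary, not sufficient: the distribution also has to build homed and
    ship homectl, which many do not."""
    v = systemd_major_version(text)
    return v is not None and v >= HOMED_MIN_VERSION


def check_running_system():
    """Report on the machine this runs on; None if it does not run systemd."""
    if shutil.which("systemctl") is None:
        return None
    out = subprocess.run(["systemctl", "--version"],
                         capture_output=True, text=True).stdout
    return {
        "version": systemd_major_version(out),
        "new_enough": homed_available_in(out),
        "homectl_installed": shutil.which("homectl") is not None,
    }


if __name__ == "__main__":
    print(check_running_system() or "not a systemd system")
```

On Ubuntu 20.04 this reports a new-enough version with homectl_installed set to False, which is exactly the situation described above.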
Of course, it’s up to the individual distributions to decide when they’ll include and support systemd-homed.
So, there’s no need for anyone to go into full-on pitchforks and burning torches mode. Because the standard methods for managing users and home directories will remain, we’ll all still have choices.