fscrypt.git/cmd, branch v0.3.6 Go tool for managing Linux filesystem encryption Fix non-constant format string passed to errors.Wrapf() 2025-02-17T22:47:54+00:00 Eric Biggers ebiggers@google.com 2025-02-17T22:41:29+00:00 57a749b308a07e26452a794533b4854d70212499 Do not pass a path as the format string argument to errors.Wrapf(), as this causes it to be misinterpreted as a format string, causing an unexpected message if the path contains something like '%s'. Instead use errors.Wrap(). This was diagnosed by Go 1.24. Fixes https://github.com/google/fscrypt/issues/422 
Do not pass a path as the format string argument to errors.Wrapf(), as
this causes it to be misinterpreted as a format string, causing an
unexpected message if the path contains something like '%s'.  Instead
use errors.Wrap().  This was diagnosed by Go 1.24.

Fixes https://github.com/google/fscrypt/issues/422
Document stdin behaviour for getting raw key 2024-12-03T17:54:35+00:00 Petteri Räty github@petteriraty.eu 2024-12-03T12:11:03+00:00 094d62bfc76262da865a305783e9bb809af7998d Document the logic described in makeRawKey. 
Document the logic described in makeRawKey.
Provide better error message when given a locked regular file 2023-12-12T03:33:48+00:00 Eric Biggers ebiggers@google.com 2023-12-09T22:36:03+00:00 a6c5029cd114cd27cc59024e968feb4765e5323d Since opening an encrypted regular file that is locked fails with ENOKEY, getting the encryption policy of such a file is not possible. As a result, 'fscrypt status' and 'fscrypt lock' fail on such files. Provide a better error message that tries to explain what is going on. Resolves https://github.com/google/fscrypt/issues/393 
Since opening an encrypted regular file that is locked fails with
ENOKEY, getting the encryption policy of such a file is not possible.
As a result, 'fscrypt status' and 'fscrypt lock' fail on such files.
Provide a better error message that tries to explain what is going on.

Resolves https://github.com/google/fscrypt/issues/393
README.md, errors.go: CephFS now supports fscrypt 2023-11-03T05:05:07+00:00 Eric Biggers ebiggers@google.com 2023-11-03T05:05:04+00:00 6c5fc571ba7b851e7b36b054fd428bf6ad779dcc 






Re-run 'make format' with latest version of gofmt
2023-09-09T18:30:45+00:00

Eric Biggers
ebiggers@google.com

2023-09-09T18:30:45+00:00

e663a3ee2287be77dcd44631b29147a1eddcb4f0












Stop using deprecated package io/ioutil
2022-12-04T22:07:39+00:00

Eric Biggers
ebiggers@google.com

2022-12-04T21:27:43+00:00

02875cef9010633b6689cfd1e2ceec9107b756b4

Since Go 1.16 (which recently became the minimum supported Go version
for this project), the package io/ioutil is deprecated in favor of
equivalent functionality in the io and os packages.  staticcheck warns
about this.  Address all the warnings by switching to the non-deprecated
replacement functions.





Since Go 1.16 (which recently became the minimum supported Go version
for this project), the package io/ioutil is deprecated in favor of
equivalent functionality in the io and os packages.  staticcheck warns
about this.  Address all the warnings by switching to the non-deprecated
replacement functions.







Remove unnecessary uses of fmt.Sprintf()
2022-04-08T23:25:01+00:00

Eric Biggers
ebiggers@google.com

2022-04-08T23:15:22+00:00

1f4543a97a862c4caf17eb69e0a21eb2ebb7de18

The latest version of 'staticcheck' warns about these.





The latest version of 'staticcheck' warns about these.







Make all new metadata files owned by user when needed
2022-02-23T20:35:04+00:00

Eric Biggers
ebiggers@google.com

2022-02-23T20:35:04+00:00

d4ce0b892cbe68db9f90f4015342e6a9069b079c

Since commit 4c7c6631cc5a ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf.  That's good, but the same isn't true of other
files that get created at the same time:

- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file

In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.





Since commit 4c7c6631cc5a ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf.  That's good, but the same isn't true of other
files that get created at the same time:

- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file

In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.







Extend ownership validation to entire directory structure
2022-02-23T20:35:04+00:00

Eric Biggers
ebiggers@google.com

2022-02-23T20:35:04+00:00

85a747493ff368a72f511619ecd391016ecb933c

A previous commit extended file ownership validation to policy and
protector files (by default -- there's an opt-out in /etc/fscrypt.conf).

However, that didn't apply to the parent directories:

	MOUNTPOINT
	MOUNTPOINT/.fscrypt
	MOUNTPOINT/.fscrypt/policies
	MOUNTPOINT/.fscrypt/protectors

The problem is that if the parent directories aren't trusted (owned by
another non-root user), then untrusted changes to their contents can be
made at any time, including the introduction of symlinks and so on.

While it's debatable how much of a problem this really is, given the
other validations that are done, it seems to be appropriate to validate
the parent directories too.

Therefore, this commit applies the same ownership validations to the
above four directories as are done on the metadata files themselves.

In addition, it is validated that none of these directories are symlinks
except for ".fscrypt" where this is explicitly supported.





A previous commit extended file ownership validation to policy and
protector files (by default -- there's an opt-out in /etc/fscrypt.conf).

However, that didn't apply to the parent directories:

	MOUNTPOINT
	MOUNTPOINT/.fscrypt
	MOUNTPOINT/.fscrypt/policies
	MOUNTPOINT/.fscrypt/protectors

The problem is that if the parent directories aren't trusted (owned by
another non-root user), then untrusted changes to their contents can be
made at any time, including the introduction of symlinks and so on.

While it's debatable how much of a problem this really is, given the
other validations that are done, it seems to be appropriate to validate
the parent directories too.

Therefore, this commit applies the same ownership validations to the
above four directories as are done on the metadata files themselves.

In addition, it is validated that none of these directories are symlinks
except for ".fscrypt" where this is explicitly supported.







Strictly validate metadata file ownership by default
2022-02-23T20:35:04+00:00

Eric Biggers
ebiggers@google.com

2022-02-23T20:35:04+00:00

74e870b7bd1585b4b509da47e0e75db66336e576

The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.





The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.