fscrypt.git/pam, branch v0.2.4 Go tool for managing Linux filesystem encryption Ensure setting user privileges is reversible 2018-08-23T18:00:34+00:00 Joe Richey joerichey@google.com joerichey@google.com 2018-08-22T12:17:32+00:00 3022c1603d968c22f147b4a2c49c4637dd1be91b This change makes sure after dropping then elevating privileges for a process, the euid, guid, and groups are all the same as they were originally. This significantly simplifies the privilege logic. This fixes CVE-2018-6558, which allowed an unprivleged user to gain membership in the root group (gid 0) due to the groups not being properly reset in the process. 
This change makes sure after dropping then elevating privileges for a
process, the euid, guid, and groups are all the same as they were
originally. This significantly simplifies the privilege logic.

This fixes CVE-2018-6558, which allowed an unprivleged user to gain
membership in the root group (gid 0) due to the groups not being
properly reset in the process.
Merge pull request #97 from ebiggers/privileges_fix 2018-04-19T18:14:12+00:00 Joseph Richey joerichey@google.com 2018-04-19T18:14:12+00:00 3e32282af2f62829c711593a670e5d893df45196 security: drop and regain privileges in all threads 
security: drop and regain privileges in all threads
 security: drop and regain privileges in all threads 2018-03-25T17:22:39+00:00 Eric Biggers ebiggers@google.com 2018-03-25T17:13:26+00:00 aa88bf4527cced6e3e16ca3e5ae07076cc8217f0 After enabling pam_fscrypt for "session" and creating a directory protected with a login protector, I was no longer able to log in as that user. The problem is that the Go runtime is creating threads after pam_fscrypt drops privileges, but pam_fscrypt is not re-acquiring privileges on those threads because the Go wrappers for setreuid(), setregid(), and setgroups() in the "sys/unix" package are using the raw syscalls which operate on the calling thread only. This violates glibc's assumption that all threads have the same uids and gids, causing it to abort() the process when a later module in the PAM stack (pam_mail in my case) tries to drop privileges using the glibc functions. Fix it by dropping and regaining privileges using the glibc functions rather than the "sys/unix" functions. This also avoids any possibility that privileges could be changed in a thread other than the "main" one for pam_fscrypt, since the Go runtime does not guarantee which OS-level thread runs what. It would be nice to also exit all Go worker threads before returning from pam_fscrypt, but the Go runtime doesn't seem to support that. 
After enabling pam_fscrypt for "session" and creating a directory
protected with a login protector, I was no longer able to log in as that
user.  The problem is that the Go runtime is creating threads after
pam_fscrypt drops privileges, but pam_fscrypt is not re-acquiring
privileges on those threads because the Go wrappers for setreuid(),
setregid(), and setgroups() in the "sys/unix" package are using the raw
syscalls which operate on the calling thread only.

This violates glibc's assumption that all threads have the same uids and
gids, causing it to abort() the process when a later module in the PAM
stack (pam_mail in my case) tries to drop privileges using the glibc
functions.

Fix it by dropping and regaining privileges using the glibc functions
rather than the "sys/unix" functions.

This also avoids any possibility that privileges could be changed in a
thread other than the "main" one for pam_fscrypt, since the Go runtime
does not guarantee which OS-level thread runs what.

It would be nice to also exit all Go worker threads before returning
from pam_fscrypt, but the Go runtime doesn't seem to support that.
pam: return error when PAM info item is unset 2018-03-25T06:50:36+00:00 Eric Biggers ebiggers@google.com 2018-03-25T06:21:29+00:00 81942ab75c02e720970d6af069e8b8cf3ef847bb pam_fscrypt is crashing with a segfault in copyIntoSecret() when using Ctrl-C to interrupt a 'sudo' prompt. It is dereferencing a NULL pointer that is supposed point to the PAM_AUTHTOK item. The problem is that the Go code assumes pam_get_item() returns a non-success status if the item is unset, when actually it sets the data pointer to NULL and returns PAM_SUCCESS. Fix it by making pam.Handle.GetItem() return an error in that case. 
pam_fscrypt is crashing with a segfault in copyIntoSecret() when using
Ctrl-C to interrupt a 'sudo' prompt.  It is dereferencing a NULL pointer
that is supposed point to the PAM_AUTHTOK item.  The problem is that the
Go code assumes pam_get_item() returns a non-success status if the item
is unset, when actually it sets the data pointer to NULL and returns
PAM_SUCCESS.

Fix it by making pam.Handle.GetItem() return an error in that case.
vet: eliminate unnecessary shadowing 2018-02-12T07:56:49+00:00 Joseph Richey joerichey94@gmail.com 2018-02-12T07:56:49+00:00 69630f37fcebe894b15872148bd8b2496806b60c Running "go vet -shadow ./..." finds all places where a variable might be incorrectly or unnecessarily shadowed. This fixes some of them. 
Running "go vet -shadow ./..." finds all places where a variable might
be incorrectly or unnecessarily shadowed. This fixes some of them.
test: all packages should have tests 2018-02-12T04:19:36+00:00 Joseph Richey joerichey94@gmail.com 2018-02-12T04:19:36+00:00 de002a9585d9fe06422db01629ff117f0150630f The tests added in this change are trivial, but they make sure that every package has a non-zero number of tests. This is important for eventually increasing test coverage. 
The tests added in this change are trivial, but they make sure that
every package has a non-zero number of tests. This is important for
eventually increasing test coverage.
security: Add check option to UserKeyringID 2017-09-29T09:52:56+00:00 Joseph Richey joerichey94@gmail.com 2017-09-29T09:52:56+00:00 4d9372795e7b53d105f69790c1d9deadbff85458 






security: Change user keyring lookup algorithm
2017-09-01T07:53:07+00:00

Joseph Richey
joerichey94@gmail.com

2017-09-01T07:53:07+00:00

1ce72a7367967152948dbe332ea8d9834f194c27

Now instead of spawning a seperate thread we alternate between changing
the euid and ruid to both find the keyring and link it to the process
keyring. Note that we also ensure that the user keyring is linked into
the root keyring whenever possible.





Now instead of spawning a seperate thread we alternate between changing
the euid and ruid to both find the keyring and link it to the process
keyring. Note that we also ensure that the user keyring is linked into
the root keyring whenever possible.







security: No more permenant privilege dropping
2017-09-01T07:50:42+00:00

Joseph Richey
joerichey94@gmail.com

2017-09-01T07:50:42+00:00

d5f64c1ecd8f13f01681d0a18b8f3174ff9bd225

This was creating an issue becasuse fully dropping privileges required
spawning a goroutine and using rutime.DropOSThread().





This was creating an issue becasuse fully dropping privileges required
spawning a goroutine and using rutime.DropOSThread().







pam: Handle holds data for calling and PAM users
2017-08-31T00:55:30+00:00

Joe Richey
joerichey@google.com

2017-08-31T00:55:30+00:00

70efc397db81f3ad170e54114f3ad0a97f2ed7d0

The functions are now changed to (Start|Stop)AsPamUser to indicate that
they handle privilege modification and keyring setup.





The functions are now changed to (Start|Stop)AsPamUser to indicate that
they handle privilege modification and keyring setup.