<feed xmlns='http://www.w3.org/2005/Atom'>
<title>fscrypt.git/pam_fscrypt/config, branch v0.3.4</title>
<subtitle>Go tool for managing Linux filesystem encryption
</subtitle>
<link rel='alternate' type='text/html' href='https://git.hodgden.net/cgit.cgi/fscrypt.git/'/>
<entry>
<title>pam_fscrypt: make "lock_policies" the default behavior</title>
<updated>2021-03-08T23:20:08+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2021-03-08T23:20:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.hodgden.net/cgit.cgi/fscrypt.git/commit/?id=b7e898f01bcae17174fcd928599d0d933655db9b'/>
<id>b7e898f01bcae17174fcd928599d0d933655db9b</id>
<content type='text'>
All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook.  The
Debian/Ubuntu pam-config-framework config file has it too.

Make locking the default behavior, since this is what everyone wants.

Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.

(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful.  So for
simplicity, leave it out for now.)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook.  The
Debian/Ubuntu pam-config-framework config file has it too.

Make locking the default behavior, since this is what everyone wants.

Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.

(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful.  So for
simplicity, leave it out for now.)
</pre>
</div>
</content>
</entry>
<entry>
<title>pam_fscrypt: decide cache dropping behavior automatically</title>
<updated>2021-03-08T23:20:08+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2021-03-08T23:20:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.hodgden.net/cgit.cgi/fscrypt.git/commit/?id=28e4999ebd9221a71488d715d9f1182b494216d8'/>
<id>28e4999ebd9221a71488d715d9f1182b494216d8</id>
<content type='text'>
Configuring whether pam_fscrypt drops caches or not isn't really
something the user should have to do, and it's also irrelevant for v2
encryption policies (the default on newer systems).  It's better to have
pam_fscrypt automatically decide whether it needs to drop caches or not.

Do this by making pam_fscrypt check whether any encryption policy keys
are being removed from a user keyring (rather than from a filesystem
keyring).  If so, it drops caches; otherwise it doesn't.  This
supersedes the "drop_caches" option, which won't do anything anymore.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Configuring whether pam_fscrypt drops caches or not isn't really
something the user should have to do, and it's also irrelevant for v2
encryption policies (the default on newer systems).  It's better to have
pam_fscrypt automatically decide whether it needs to drop caches or not.

Do this by making pam_fscrypt check whether any encryption policy keys
are being removed from a user keyring (rather than from a filesystem
keyring).  If so, it drops caches; otherwise it doesn't.  This
supersedes the "drop_caches" option, which won't do anything anymore.
</pre>
</div>
</content>
</entry>
<entry>
<title>pam_fscrypt/config: prioritise over other session modules</title>
<updated>2021-03-03T18:06:13+00:00</updated>
<author>
<name>Robert McQueen</name>
<email>rob@endlessos.org</email>
</author>
<published>2021-03-03T11:34:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.hodgden.net/cgit.cgi/fscrypt.git/commit/?id=90a96e4473ae7bcf61a97f25fc67a9a953187f56'/>
<id>90a96e4473ae7bcf61a97f25fc67a9a953187f56</id>
<content type='text'>
Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.

Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as https://github.com/google/fscrypt/issues/270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.

After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (e.g. pam_mount
at 128) but before those which seem unlikely to work without a home
directory (e.g. pam_ssh at 64).
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.

Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as https://github.com/google/fscrypt/issues/270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.

After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (e.g. pam_mount
at 128) but before those which seem unlikely to work without a home
directory (e.g. pam_ssh at 64).
</pre>
</div>
</content>
</entry>
<entry>
<title>Install pam modules/configs to the right location</title>
<updated>2019-01-20T03:27:30+00:00</updated>
<author>
<name>Joe Richey</name>
<email>joerichey@google.com</email>
</author>
<published>2019-01-20T03:27:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.hodgden.net/cgit.cgi/fscrypt.git/commit/?id=ae476d1f2354de43d656d0d3767c2a31017e5985'/>
<id>ae476d1f2354de43d656d0d3767c2a31017e5985</id>
<content type='text'>
Per the FHS, manually installed programs should go under /usr/local.
This change also makes it easier to change the global installation
prefix. For example, package managers should set PREFIX=/usr.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Per the FHS, manually installed programs should go under /usr/local.
This change also makes it easier to change the global installation
prefix. For example, package managers should set PREFIX=/usr.
</pre>
</div>
</content>
</entry>
<entry>
<title>pam_fscrypt: lock all PAM policies w/ flag</title>
<updated>2017-08-22T22:41:18+00:00</updated>
<author>
<name>Joe Richey</name>
<email>joerichey@google.com</email>
</author>
<published>2017-08-22T22:41:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.hodgden.net/cgit.cgi/fscrypt.git/commit/?id=ef5cc07774674c66b5dbeb7c655a26ac6371e378'/>
<id>ef5cc07774674c66b5dbeb7c655a26ac6371e378</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>pam_fscrypt: The actual PAM module and config</title>
<updated>2017-08-22T18:51:31+00:00</updated>
<author>
<name>Joe Richey</name>
<email>joerichey@google.com</email>
</author>
<published>2017-07-19T22:41:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.hodgden.net/cgit.cgi/fscrypt.git/commit/?id=d117249a29af31a51ae56f64943635cbc0104cea'/>
<id>d117249a29af31a51ae56f64943635cbc0104cea</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
</feed>
