fscrypt.git/pam_fscrypt/run_fscrypt.go, branch v0.3.3 Go tool for managing Linux filesystem encryption pam_fscrypt: ignore system users 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 97700817e737eabf45033cdb4a42fa5c6e74f877 pam_fscrypt should never need to do anything for system users, so detect them early so that we can avoid wasting any resources looking for their login protector. 
pam_fscrypt should never need to do anything for system users, so detect
them early so that we can avoid wasting any resources looking for their
login protector.
pam_fscrypt: log errors getting protector in policiesUsingProtector() 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 9871a39409222a80b4c4c22cbaab17bae84f1712 If the error is anything other than ErrNotSetup, it might be helpful to know what is going on. 
If the error is anything other than ErrNotSetup, it might be helpful to
know what is going on.
Strictly validate metadata file ownership by default 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 74e870b7bd1585b4b509da47e0e75db66336e576 The metadata validation checks introduced by the previous commits are good, but to reduce the attack surface it would be much better to avoid reading and parsing files owned by other users in the first place. There are some possible use cases for users sharing fscrypt metadata files, but I think that for the vast majority of users it is unneeded and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt) not process policies or protectors owned by other users by default. Specifically, * If fscrypt or pam_fscrypt is running as a non-root user, only policies and protectors owned by the user or by root can be used. * If fscrypt is running as root, any policy or protector can be used. (This is to match user expectations -- starting a sudo session should gain rights, not remove rights.) * If pam_fscrypt is running as root, only policies and protectors owned by root can be used. Note that this only applies when the root user themselves has an fscrypt login protector, which is rare. Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which allows restoring the old behavior for anyone who really needs it. 
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
cmd/fscrypt: add FSCRYPT_ROOT_MNT environmental variable 2020-05-09T21:04:47+00:00 Eric Biggers ebiggers@google.com 2020-05-09T21:04:47+00:00 8ff53630f1cc90ae23835e9571f9096e211dce67 Allow overriding the mountpoint where login protectors are stored by setting the FSCRYPT_ROOT_MNT environmental variable. The CLI tests need this to avoid touching the real "/". 
Allow overriding the mountpoint where login protectors are stored by
setting the FSCRYPT_ROOT_MNT environmental variable.  The CLI tests need
this to avoid touching the real "/".
Fix various typos and grammatical errors (#141) 2019-09-09T02:46:59+00:00 ebiggers ebiggers@google.com 2019-09-09T02:46:59+00:00 6445dad7d66fa6a1867090fcd9602c98863649f6 These were found by a combination of manual review and a custom script that checks for common errors. Also removed an outdated sentence from the comment for setupBefore(). 
These were found by a combination of manual review and a custom script
that checks for common errors.

Also removed an outdated sentence from the comment for setupBefore().
 Improve debug and error output for pam_fscrypt 2018-08-23T18:00:34+00:00 Joe Richey joerichey@google.com joerichey@google.com 2018-08-22T12:28:21+00:00 11b09739cbcb25e6602267efe3d48eb063233f5a 






vet: eliminate unnecessary shadowing
2018-02-12T07:56:49+00:00

Joseph Richey
joerichey94@gmail.com

2018-02-12T07:56:49+00:00

69630f37fcebe894b15872148bd8b2496806b60c

Running "go vet -shadow ./..." finds all places where a variable might
be incorrectly or unnecessarily shadowed. This fixes some of them.





Running "go vet -shadow ./..." finds all places where a variable might
be incorrectly or unnecessarily shadowed. This fixes some of them.







pam_fscrypt: PAM module no longer crashes on panic
2017-09-01T07:47:34+00:00

Joseph Richey
joerichey94@gmail.com

2017-09-01T07:47:34+00:00

3432f5757293dda39b9fa936a717160cd788ab68

Now the offending panic will just be logged and the module will fail.
This is important as to not crash the login process.





Now the offending panic will just be logged and the module will fail.
This is important as to not crash the login process.







pam_fscrypt: Added logging and use of new pam API
2017-08-31T01:03:09+00:00

Joe Richey
joerichey@google.com

2017-08-31T01:03:09+00:00

5814155d0c0247d501f7479f760a676185cd4b6d












pam_fscrypt: Handle empty arguments list
2017-08-30T04:37:01+00:00

Joseph Richey
joerichey94@gmail.com

2017-08-30T04:37:01+00:00

83d4b499c505d3f5841fc0b0f8f29509622e870b