fscrypt.git/pam_fscrypt/run_fscrypt.go, branch v0.3.4 Go tool for managing Linux filesystem encryption Stop using deprecated package io/ioutil 2022-12-04T22:07:39+00:00 Eric Biggers ebiggers@google.com 2022-12-04T21:27:43+00:00 02875cef9010633b6689cfd1e2ceec9107b756b4 Since Go 1.16 (which recently became the minimum supported Go version for this project), the package io/ioutil is deprecated in favor of equivalent functionality in the io and os packages. staticcheck warns about this. Address all the warnings by switching to the non-deprecated replacement functions. 
Since Go 1.16 (which recently became the minimum supported Go version
for this project), the package io/ioutil is deprecated in favor of
equivalent functionality in the io and os packages.  staticcheck warns
about this.  Address all the warnings by switching to the non-deprecated
replacement functions.
pam_fscrypt: filter out irrelevant policies earlier 2022-12-04T21:05:00+00:00 Eric Biggers ebiggers@google.com 2022-12-03T06:13:01+00:00 5373b314473b08f13372ab55b551738307a85fbd If a session is opened for a user twice and the second doesn't have the AUTHTOK data, pam_fscrypt prints an error message that says it failed to unlock a protector because AUTHTOK data is missing. This is misleading because the protector and its associated policies were already unlocked by the first session. To avoid this, move the check for whether the policy is provisioned or not into policiesUsingProtector(). Also do the same for CloseSession. 
If a session is opened for a user twice and the second doesn't have the
AUTHTOK data, pam_fscrypt prints an error message that says it failed to
unlock a protector because AUTHTOK data is missing.  This is misleading
because the protector and its associated policies were already unlocked
by the first session.

To avoid this, move the check for whether the policy is provisioned or
not into policiesUsingProtector().  Also do the same for CloseSession.
pam_fscrypt: ignore system users 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 97700817e737eabf45033cdb4a42fa5c6e74f877 pam_fscrypt should never need to do anything for system users, so detect them early so that we can avoid wasting any resources looking for their login protector. 
pam_fscrypt should never need to do anything for system users, so detect
them early so that we can avoid wasting any resources looking for their
login protector.
pam_fscrypt: log errors getting protector in policiesUsingProtector() 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 9871a39409222a80b4c4c22cbaab17bae84f1712 If the error is anything other than ErrNotSetup, it might be helpful to know what is going on. 
If the error is anything other than ErrNotSetup, it might be helpful to
know what is going on.
Strictly validate metadata file ownership by default 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 74e870b7bd1585b4b509da47e0e75db66336e576 The metadata validation checks introduced by the previous commits are good, but to reduce the attack surface it would be much better to avoid reading and parsing files owned by other users in the first place. There are some possible use cases for users sharing fscrypt metadata files, but I think that for the vast majority of users it is unneeded and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt) not process policies or protectors owned by other users by default. Specifically, * If fscrypt or pam_fscrypt is running as a non-root user, only policies and protectors owned by the user or by root can be used. * If fscrypt is running as root, any policy or protector can be used. (This is to match user expectations -- starting a sudo session should gain rights, not remove rights.) * If pam_fscrypt is running as root, only policies and protectors owned by root can be used. Note that this only applies when the root user themselves has an fscrypt login protector, which is rare. Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which allows restoring the old behavior for anyone who really needs it. 
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
cmd/fscrypt: add FSCRYPT_ROOT_MNT environmental variable 2020-05-09T21:04:47+00:00 Eric Biggers ebiggers@google.com 2020-05-09T21:04:47+00:00 8ff53630f1cc90ae23835e9571f9096e211dce67 Allow overriding the mountpoint where login protectors are stored by setting the FSCRYPT_ROOT_MNT environmental variable. The CLI tests need this to avoid touching the real "/". 
Allow overriding the mountpoint where login protectors are stored by
setting the FSCRYPT_ROOT_MNT environmental variable.  The CLI tests need
this to avoid touching the real "/".
Fix various typos and grammatical errors (#141) 2019-09-09T02:46:59+00:00 ebiggers ebiggers@google.com 2019-09-09T02:46:59+00:00 6445dad7d66fa6a1867090fcd9602c98863649f6 These were found by a combination of manual review and a custom script that checks for common errors. Also removed an outdated sentence from the comment for setupBefore(). 
These were found by a combination of manual review and a custom script
that checks for common errors.

Also removed an outdated sentence from the comment for setupBefore().
 Improve debug and error output for pam_fscrypt 2018-08-23T18:00:34+00:00 Joe Richey joerichey@google.com joerichey@google.com 2018-08-22T12:28:21+00:00 11b09739cbcb25e6602267efe3d48eb063233f5a 






vet: eliminate unnecessary shadowing
2018-02-12T07:56:49+00:00

Joseph Richey
joerichey94@gmail.com

2018-02-12T07:56:49+00:00

69630f37fcebe894b15872148bd8b2496806b60c

Running "go vet -shadow ./..." finds all places where a variable might
be incorrectly or unnecessarily shadowed. This fixes some of them.





Running "go vet -shadow ./..." finds all places where a variable might
be incorrectly or unnecessarily shadowed. This fixes some of them.







pam_fscrypt: PAM module no longer crashes on panic
2017-09-01T07:47:34+00:00

Joseph Richey
joerichey94@gmail.com

2017-09-01T07:47:34+00:00

3432f5757293dda39b9fa936a717160cd788ab68

Now the offending panic will just be logged and the module will fail.
This is important as to not crash the login process.





Now the offending panic will just be logged and the module will fail.
This is important as to not crash the login process.