authorEric Biggers <ebiggers@google.com>2022-10-18 10:12:02 -0700
committerEric Biggers <ebiggers3@gmail.com>2022-10-19 20:47:57 -0700
commit295c503a77f53b87305bba310e37cbdd9b516936 (patch)
treeb9a64df8dc907eb9924062994570b9f8f3118b88
parent632d66d6fddfa9fd0a279a1811ced1efc567be29 (diff)
Make pam_fscrypt.so support the unlock_only option
Now that it's been requested by users, bring back the "unlock_only" option, which was originally proposed as part of https://github.com/google/fscrypt/pull/281 but was dropped in the final version of that pull request. Resolves https://github.com/google/fscrypt/issues/357
-rw-r--r--README.md11
-rw-r--r--pam_fscrypt/pam_fscrypt.go29
2 files changed, 26 insertions, 14 deletions
diff --git a/README.md b/README.md
index efc953b..5a8b98e 100644
--- a/README.md
+++ b/README.md
@@ -536,8 +536,15 @@ after `pam_unix.so` in `/etc/pam.d/common-session` or similar, but before
which starts processes that access the user's home directory during their
session.
-To make `pam_fscrypt.so` print debugging messages to the system log, add the
-`debug` option. All hook types accept this option.
+`pam_fscrypt.so` accepts several options:
+
+* `debug`: print additional debug messages to the syslog. All hook types accept
+ this option.
+
+* `unlock_only`: only unlock directories (at log-in); don't also lock them (at
+ log-out). This is only relevant for the "session" hook. Note that in
+ `fscrypt` v0.2.9 and earlier, unlock-only was the default behavior, and
+ `lock_policies` needed to be specified to enable locking.
### Allowing `fscrypt` to check your login passphrase
diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 04ca13c..bd6b04d 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -55,9 +55,12 @@ const (
debugFlag = "debug"
// This option is accepted for compatibility with existing config files,
- // but now we lock policies unconditionally and this option is a no-op.
+ // but now we lock policies by default and this option is a no-op.
lockPoliciesFlag = "lock_policies"
+ // Only unlock directories, don't lock them.
+ unlockOnlyFlag = "unlock_only"
+
// This option is accepted for compatibility with existing config files,
// but it no longer does anything. pam_fscrypt now drops caches if and
// only if it is needed. (Usually it is not needed anymore, as the
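Review bot: The comment on `unlockOnlyFlag` does not say which hook honours the option or what it leaves behind. Going by the `lockLoginPolicies` doc comment, skipping the lock step means the policy keys protected by the login protector are not deprovisioned at session close, and that trade-off should be visible where the flag is defined. It also leaves open what happens when `lock_policies` and `unlock_only` are both present in a config line. I would write something like `// Session hook only: unlock at session open but skip locking at session close, so login-protected policy keys stay provisioned after log-out. Takes precedence over lock_policies.` The `const (` block starts and ends outside this hunk.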
@@ -279,19 +282,21 @@ func CloseSession(handle *pam.Handle, args map[string]bool) error {
// Don't automatically drop privileges, since we may need them to
// deprovision policies or to drop caches.
- log.Print("locking policies protected with login protector")
- needDropCaches, errLock := lockLoginPolicies(handle)
-
- var errCache error
- if needDropCaches {
- log.Print("dropping appropriate filesystem caches at session close")
- errCache = security.DropFilesystemCache()
- }
+ if !args[unlockOnlyFlag] {
+ log.Print("locking policies protected with login protector")
+ needDropCaches, errLock := lockLoginPolicies(handle)
- if errLock != nil {
- return errLock
+ var errCache error
+ if needDropCaches {
+ log.Print("dropping appropriate filesystem caches at session close")
+ errCache = security.DropFilesystemCache()
+ }
+ if errLock != nil {
+ return errLock
+ }
+ return errCache
}
- return errCache
+ return nil
}
// lockLoginPolicies deprovisions all policy keys that are protected by the
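Review bot: When `args[unlockOnlyFlag]` is set, CloseSession falls through to `return nil` without logging anything, so the system log cannot show that a session ended with the login-protected policies deliberately left unlocked. Adding `log.Print("unlock_only specified; not locking policies at session close")` before the final `return nil` would make that auditable. A config line carrying both `lock_policies` and `unlock_only` also resolves silently in favour of not locking, which deserves at least a log line. As a style point, inverting the test into a guard (`if args[unlockOnlyFlag] { ...; return nil }`) would keep the locking path at its original indentation and shrink the diff. The start of CloseSession's body is outside this hunk.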