diff options
| author | Eric Biggers <ebiggers@google.com> | 2021-12-21 20:38:03 -0600 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2021-12-21 21:55:01 -0600 |
| commit | b7399903540c95e89f0ee427fed1de07301fbd93 (patch) | |
| tree | 2aa1240435ff91f25b0f05923e80cb8b299ef337 | |
| parent | ce477ef12ac46c4df0152d43dae5d6e58772b120 (diff) | |
pam_fscrypt: warn user if OLDAUTHTOK not given in chauthtok
If someone runs 'passwd USER' as root, the user is assigned a new login
passphrase without their fscrypt login protector being updated. Detect
this case and show a warning message using pam_info().
Fixes https://github.com/google/fscrypt/issues/273
| -rw-r--r-- | pam/pam.c | 5 | ||||
| -rw-r--r-- | pam/pam.go | 7 | ||||
| -rw-r--r-- | pam/pam.h | 3 | ||||
| -rw-r--r-- | pam_fscrypt/pam_fscrypt.go | 12 |
4 files changed, 27 insertions, 0 deletions
@@ -20,6 +20,7 @@ #include "pam.h" #include <security/pam_appl.h> +#include <security/pam_ext.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -107,3 +108,7 @@ void freeSecret(pam_handle_t* pamh, char* data, int error_status) { munlock(data, size); free(data); } + +void infoMessage(pam_handle_t* pamh, const char* message) { + pam_info(pamh, "%s", message); +} @@ -166,6 +166,13 @@ func (h *Handle) err() error { return errors.New(s) } +// InfoMessage sends a message to the application using pam_info(). +func (h *Handle) InfoMessage(message string) { + cMessage := C.CString(message) + defer C.free(unsafe.Pointer(cMessage)) + C.infoMessage(h.handle, cMessage) +} + // Transaction represents a wrapped pam_handle_t type created with pam_start // form an application. type Transaction Handle @@ -41,4 +41,7 @@ void *copyIntoSecret(void *data); // CleaupFunc that Zeros wipes a C string and unlocks and frees its memory. void freeSecret(pam_handle_t *pamh, char *data, int error_status); +// Sends a message to the application using pam_info(). +void infoMessage(pam_handle_t *pamh, const char *message); + #endif // FSCRYPT_PAM_H diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go index 2e31af9..963d9a5 100644 --- a/pam_fscrypt/pam_fscrypt.go +++ b/pam_fscrypt/pam_fscrypt.go @@ -29,6 +29,7 @@ package main */ import "C" import ( + "fmt" "log" "unsafe" @@ -300,6 +301,14 @@ func lockLoginPolicies(handle *pam.Handle) (bool, error) { return needDropCaches, nil } +var noOldAuthTokMessage string = ` +pam_fscrypt: cannot update login protector for '%s' because old passphrase +was not given. This is expected when changing a user's passphrase as root. +You'll need to manually update the protector's passphrase using: + + fscrypt metadata change-passphrase --protector=%s:%s +` + // Chauthtok rewraps the login protector when the passphrase changes. func Chauthtok(handle *pam.Handle, _ map[string]bool) error { if err := handle.StartAsPamUser(); err != nil { @@ -322,6 +331,9 @@ func Chauthtok(handle *pam.Handle, _ map[string]bool) error { } authtok, err := handle.GetItem(pam.Oldauthtok) if err != nil { + handle.InfoMessage(fmt.Sprintf(noOldAuthTokMessage, + handle.PamUser.Username, + protector.Context.Mount.Path, protector.Descriptor())) return nil, errors.Wrap(err, "could not get OLDAUTHTOK") } return crypto.NewKeyFromCString(authtok) |