authorEric Biggers <ebiggers@google.com>2021-12-20 09:54:40 -0600
committerGitHub <noreply@github.com>2021-12-20 09:54:40 -0600
commit1014b61a6a054b5c82b2be82e13d8ce28befba45 (patch)
tree64b4b8e368b8c32dc6869871812dd34b58eacc98 /cli-tests/t_encrypt_login.sh
parent8d89ece7371d95a91cf66de5f30120dde3aed385 (diff)
parent4c7c6631cc5a27cc6b4431f5ad3805a2d624c5f5 (diff)
Merge pull request #331 from ebiggers/login-protector-perms
Set owner of login protectors to correct user
Diffstat (limited to 'cli-tests/t_encrypt_login.sh')
-rwxr-xr-xcli-tests/t_encrypt_login.sh11
1 files changed, 10 insertions, 1 deletions
diff --git a/cli-tests/t_encrypt_login.sh b/cli-tests/t_encrypt_login.sh
index 652d860..e03122d 100755
--- a/cli-tests/t_encrypt_login.sh
+++ b/cli-tests/t_encrypt_login.sh
@@ -27,13 +27,18 @@ show_status()
fi
}
+get_login_protector()
+{
+ fscrypt status "$dir" | awk '/login protector/{print $1}'
+}
+
begin "Encrypt with login protector"
chown "$TEST_USER" "$dir"
_user_do "echo TEST_USER_PASS | fscrypt encrypt --quiet --source=pam_passphrase '$dir'"
show_status true
recovery_passphrase=$(grep -E '^ +[a-z]{20}$' "$dir/fscrypt_recovery_readme.txt" | sed 's/^ +//')
recovery_protector=$(fscrypt status "$dir" | awk '/Recovery passphrase/{print $1}')
-login_protector=$(fscrypt status "$dir" | awk '/login protector/{print $1}')
+login_protector=$(get_login_protector)
_print_header "=> Lock, then unlock with login passphrase"
_user_do "fscrypt lock '$dir'"
# FIXME: should we be able to use $MNT:$login_protector here?
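Review bot: get_login_protector() is added without a comment and reads the global `$dir` instead of taking an argument, so the directory it inspects depends on whatever the caller last set. A header line such as `# Print the first field of the "login protector" line of "fscrypt status $dir"; prints nothing if there is no such line.` would make that contract visible. The pipeline's exit status is awk's, so unless the harness enables pipefail (not visible in this hunk) a failing `fscrypt status` gives an empty string rather than an error, and a caller that builds a path from the result should check for that.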
@@ -57,6 +62,10 @@ show_status true
begin "Encrypt with login protector as root"
echo TEST_USER_PASS | fscrypt encrypt --quiet --source=pam_passphrase --user="$TEST_USER" "$dir"
show_status true
+# The newly-created login protector should be owned by the user, not root.
+login_protector=$(get_login_protector)
+owner=$(stat -c "%U:%G" "$MNT_ROOT/.fscrypt/protectors/$login_protector")
+echo -e "\nProtector is owned by $owner"
begin "Encrypt with login protector with --no-recovery"
chown "$TEST_USER" "$dir"
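Review bot: The ownership check added after `show_status true` trusts `$login_protector` to be non-empty. If get_login_protector printed nothing, the stat path collapses to the `protectors/` directory and the echoed line reports the directory's owner, not the protector file's. A guard before the stat, for example `[ -n "$login_protector" ] || { echo "no login protector found"; exit 1; }`, would make that case fail explicitly. Because the test exists to show that a protector created by root is not left owned by root, printing the mode as well (`stat -c "%U:%G %a"`) would let a permission regression show up in the same line. The check only prints the owner, so it presumably relies on an expected-output comparison that is not visible here.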