authorEric Biggers <ebiggers@google.com>2019-12-15 19:31:39 -0800
committerEric Biggers <ebiggers@google.com>2020-01-05 10:02:13 -0800
commit0829eb74863bd279ae012779e52040ecc7f7178e (patch)
tree6f43409dc24be3e7e0aa66fb4ed53b668125972f /cmd/fscrypt/flags.go
parent9003a0331a112e8901fae8279f4897a825ee8069 (diff)
cmd/fscrypt: adjust user and keyring validation and preparation
Don't force the user to provide a --user argument when running fscrypt as root if they're doing something where the TargetUser isn't actually needed, such as provisioning/deprovisioning a v1 encryption policy to/from the filesystem keyring, or creating a non-login protector. Also don't set up the user keyring (or check for it being set up) if it won't actually be used. Finally, if we'll be provisioning/deprovisioning a v1 encryption policy to/from the filesystem keyring, make sure the command is running as root, since the kernel requires this.
Diffstat (limited to 'cmd/fscrypt/flags.go')
-rw-r--r--cmd/fscrypt/flags.go23
1 files changed, 4 insertions, 19 deletions
diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go
index 2eea8de..361732c 100644
--- a/cmd/fscrypt/flags.go
+++ b/cmd/fscrypt/flags.go
@@ -33,7 +33,6 @@ import (
"github.com/urfave/cli"
"github.com/google/fscrypt/actions"
- "github.com/google/fscrypt/keyring"
"github.com/google/fscrypt/util"
)
@@ -283,24 +282,10 @@ func getPolicyFromFlag(flagValue string, targetUser *user.User) (*actions.Policy
}
// parseUserFlag returns the user specified by userFlag or the current effective
-// user if the flag value is missing. If the effective user is root, however, a
-// user must specified in the flag. If checkKeyring is true, we also make sure
-// there are no problems accessing the user keyring.
-func parseUserFlag(checkKeyring bool) (targetUser *user.User, err error) {
+// user if the flag value is missing.
+func parseUserFlag() (targetUser *user.User, err error) {
if userFlag.Value != "" {
- targetUser, err = user.Lookup(userFlag.Value)
- } else {
- if util.IsUserRoot() {
- return nil, ErrSpecifyUser
- }
- targetUser, err = util.EffectiveUser()
+ return user.Lookup(userFlag.Value)
}
- if err != nil {
- return nil, err
- }
-
- if checkKeyring {
- _, err = keyring.UserKeyringID(targetUser, true)
- }
- return targetUser, err
+ return util.EffectiveUser()
}
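Review bot: With the `util.IsUserRoot()` branch removed, `parseUserFlag()` now returns root as the target user when fscrypt runs as root without `--user`, and the shortened doc comment does not say so. The `ErrSpecifyUser` guard and the `keyring.UserKeyringID(targetUser, true)` check are no longer enforced in this one place, so every caller that needs a non-root target user or a usable user keyring has to validate that itself. Those call sites are outside this file's diff, so presumably they are updated elsewhere in the commit. I would add to the comment `// When run as root without --user this returns root; callers that need a specific target user or its keyring must check that themselves.` so that a later caller does not assume the old validation still happens here.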