authorebiggers <ebiggers@google.com>2020-01-22 18:28:23 -0800
committerGitHub <noreply@github.com>2020-01-22 18:28:23 -0800
commit059482129c5fdafebc582887a4ae4ef80988b708 (patch)
tree8ec373c41a677ff6949148b56f4aeaafe22791a6 /pam
parent80654f23ebfd552277ed217a2c5e1d0bb1374189 (diff)
parentfe2939cc7e50f4c6025253efdf7380c04fac9ae1 (diff)
Merge pull request #148 from ebiggers/fscrypt-key-mgmt-improvements
Filesystem keyring and v2 encryption policy support
Diffstat (limited to 'pam')
-rw-r--r--pam/pam.go19
1 files changed, 12 insertions, 7 deletions
diff --git a/pam/pam.go b/pam/pam.go
index c48dd13..54a60e2 100644
--- a/pam/pam.go
+++ b/pam/pam.go
@@ -127,26 +127,31 @@ func (h *Handle) GetItem(i Item) (unsafe.Pointer, error) {
return data, nil
}
-// StartAsPamUser sets the effective privileges to that of the PAM user, and
-// configures the PAM user's keyrings to be properly linked.
+// StartAsPamUser sets the effective privileges to that of the PAM user.
func (h *Handle) StartAsPamUser() error {
- if _, err := security.UserKeyringID(h.PamUser, true); err != nil {
- log.Printf("Setting up keyrings in PAM: %v", err)
- }
userPrivs, err := security.UserPrivileges(h.PamUser)
if err != nil {
return err
}
- if h.origPrivs, err = security.ProcessPrivileges(); err != nil {
+ origPrivs, err := security.ProcessPrivileges()
+ if err != nil {
+ return err
+ }
+ if err = security.SetProcessPrivileges(userPrivs); err != nil {
return err
}
- return security.SetProcessPrivileges(userPrivs)
+ h.origPrivs = origPrivs
+ return nil
}
// StopAsPamUser restores the original privileges that were running the
// PAM module (this is usually root).
func (h *Handle) StopAsPamUser() error {
+ if h.origPrivs == nil {
+ return nil
+ }
err := security.SetProcessPrivileges(h.origPrivs)
+ h.origPrivs = nil
if err != nil {
log.Print(err)
}
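Review bot: In StartAsPamUser the error branch after `security.SetProcessPrivileges(userPrivs)` returns without trying to put the saved `origPrivs` back, and since `h.origPrivs` is only assigned on success, a later StopAsPamUser is then a no-op. If SetProcessPrivileges applies uid, gid and groups in separate steps (its body is not visible here, so this needs confirming), a failure midway would leave the PAM process with mixed credentials and nothing to undo them. I would make a best-effort restore in that branch and log its failure, as sketched below. Relatedly, in StopAsPamUser `h.origPrivs = nil` runs before the error check, so a failed restore cannot be retried and a second call reports nil; that function's body continues past the end of the hunk.

```go
	if err = security.SetProcessPrivileges(userPrivs); err != nil {
		// Best effort: put back any ids that were already switched.
		if restoreErr := security.SetProcessPrivileges(origPrivs); restoreErr != nil {
			log.Printf("restoring privileges after failed switch: %v", restoreErr)
		}
		return err
	}
	// … unchanged: h.origPrivs = origPrivs; return nil …
```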