diff options
| author | Eric Biggers <ebiggers@google.com> | 2021-03-08 15:20:08 -0800 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2021-03-08 15:20:08 -0800 |
| commit | b7e898f01bcae17174fcd928599d0d933655db9b (patch) | |
| tree | a53f09298957ead959a360cb1af0ba9460e8ce9e /pam_fscrypt | |
| parent | 28e4999ebd9221a71488d715d9f1182b494216d8 (diff) | |
pam_fscrypt: make "lock_policies" the default behavior
All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook. The
Debian/Ubuntu pam-config-framework config file has it too.
Make locking the default behavior, since this is what everyone wants.
Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.
(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful. So for
simplicity, leave it out for now.)
Diffstat (limited to 'pam_fscrypt')
| -rw-r--r-- | pam_fscrypt/config | 2 | ||||
| -rw-r--r-- | pam_fscrypt/pam_fscrypt.go | 19 |
2 files changed, 13 insertions, 8 deletions
diff --git a/pam_fscrypt/config b/pam_fscrypt/config index d2fbf68..f83dab2 100644 --- a/pam_fscrypt/config +++ b/pam_fscrypt/config @@ -7,7 +7,7 @@ Auth-Final: Session-Type: Additional Session-Interactive-Only: yes Session-Final: - optional PAM_INSTALL_PATH lock_policies + optional PAM_INSTALL_PATH Password-Type: Additional Password-Final: optional PAM_INSTALL_PATH diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go index 195ba43..2e31af9 100644 --- a/pam_fscrypt/pam_fscrypt.go +++ b/pam_fscrypt/pam_fscrypt.go @@ -47,7 +47,10 @@ const ( authtokLabel = "fscrypt_authtok" // These flags are used to toggle behavior of the PAM module. debugFlag = "debug" - lockFlag = "lock_policies" + + // This option is accepted for compatibility with existing config files, + // but now we lock policies unconditionally and this option is a no-op. + lockPoliciesFlag = "lock_policies" // This option is accepted for compatibility with existing config files, // but it no longer does anything. pam_fscrypt now drops caches if and @@ -218,19 +221,21 @@ func CloseSession(handle *pam.Handle, args map[string]bool) error { return err } + if args[lockPoliciesFlag] { + log.Print("ignoring deprecated 'lock_policies' option (now the default)") + } + if args[dropCachesFlag] { log.Print("ignoring deprecated 'drop_caches' option (now auto-detected)") } - needDropCaches := false - var errLock, errCache error // Don't automatically drop privileges, since we may need them to // deprovision policies or to drop caches. - if args[lockFlag] { - log.Print("locking polices protected with login protector") - needDropCaches, errLock = lockLoginPolicies(handle) - } + log.Print("locking policies protected with login protector") + needDropCaches, errLock := lockLoginPolicies(handle) + + var errCache error if needDropCaches { log.Print("dropping appropriate filesystem caches at session close") errCache = security.DropFilesystemCache() |