authorEric Biggers <ebiggers@google.com>2021-12-21 20:38:03 -0600
committerEric Biggers <ebiggers@google.com>2021-12-21 21:55:01 -0600
commitb7399903540c95e89f0ee427fed1de07301fbd93 (patch)
tree2aa1240435ff91f25b0f05923e80cb8b299ef337 /pam_fscrypt
parentce477ef12ac46c4df0152d43dae5d6e58772b120 (diff)
pam_fscrypt: warn user if OLDAUTHTOK not given in chauthtok
If someone runs 'passwd USER' as root, the user is assigned a new login passphrase without their fscrypt login protector being updated. Detect this case and show a warning message using pam_info(). Fixes https://github.com/google/fscrypt/issues/273
Diffstat (limited to 'pam_fscrypt')
-rw-r--r--pam_fscrypt/pam_fscrypt.go12
1 files changed, 12 insertions, 0 deletions
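diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 2e31af9..963d9a5 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -29,6 +29,7 @@ package main
 */
 import "C"
 import (
+ "fmt"
 "log"
 "unsafe"
@@ -300,6 +301,14 @@ func lockLoginPolicies(handle *pam.Handle) (bool, error) {
 return needDropCaches, nil
 }
+var noOldAuthTokMessage string = `
+pam_fscrypt: cannot update login protector for '%s' because old passphrase
+was not given. This is expected when changing a user's passphrase as root.
+You'll need to manually update the protector's passphrase using:
+
+ fscrypt metadata change-passphrase --protector=%s:%s
+`
+
 // Chauthtok rewraps the login protector when the passphrase changes.
 func Chauthtok(handle *pam.Handle, _ map[string]bool) error {
 if err := handle.StartAsPamUser(); err != nil {
@@ -322,6 +331,9 @@ func Chauthtok(handle *pam.Handle, _ map[string]bool) error {
 }
 authtok, err := handle.GetItem(pam.Oldauthtok)
 if err != nil {
+ handle.InfoMessage(fmt.Sprintf(noOldAuthTokMessage,
+ handle.PamUser.Username,
+ protector.Context.Mount.Path, protector.Descriptor()))
 return nil, errors.Wrap(err, "could not get OLDAUTHTOK")
 }
 return crypto.NewKeyFromCString(authtok)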
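Review bot: The warning at the added InfoMessage call is printed for every error from handle.GetItem(pam.Oldauthtok), yet its text asserts the old passphrase "was not given"; if GetItem can also fail when pam_get_item itself errors rather than when the item is simply absent, the user is told to run change-passphrase while the protector may still be intact. Either restrict the message to the absent-item case if the pam wrapper can distinguish it, or add a comment above the call such as `// Any GetItem failure is reported as a missing OLDAUTHTOK; a pam_get_item error also lands here.`. If InfoMessage reports failure, its result is discarded on that line; check it or mark the discard as deliberate, e.g. `// best-effort notice; the wrapped error below is what the caller acts on`. In the earlier hunk, `var noOldAuthTokMessage string = ...` would read better as `const noOldAuthTokMessage = ...` with a doc line noting that its %s verbs are, in order, the username, the protector's mount path and the protector descriptor. The enclosing function starts and ends outside the hunk.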