| -rw-r--r-- | Makefile | 2 | ||||
| -rw-r--r-- | keyring/user_keyring.go | 14 | ||||
| -rw-r--r-- | pam_fscrypt/pam_fscrypt.go | 45 | ||||
| -rw-r--r-- | pam_fscrypt/run_fscrypt.go | 16 |
4 files changed, 49 insertions, 28 deletions
@@ -64,7 +64,7 @@ CFLAGS := -O2 -Wall
 # Pass CFLAGS to each cgo invocation.
 export CGO_CFLAGS = $(CFLAGS)
 # By default, we strip the binary to reduce size.
-GO_LINK_FLAGS := -s -w
+GO_LINK_FLAGS :=
 # Flag to embed the version (pulled from tags) into the binary.
 TAG_VERSION := $(shell git describe --tags)
diff --git a/keyring/user_keyring.go b/keyring/user_keyring.go
index 416872f..1110216 100644
--- a/keyring/user_keyring.go
+++ b/keyring/user_keyring.go
@@ -66,8 +66,8 @@ const KeyType = "logon"
 // userAddKey puts the provided policy key into the user keyring for the
 // specified user with the provided description, and type logon.
 func userAddKey(key *crypto.Key, description string, targetUser *user.User) error {
-	runtime.LockOSThread() // ensure target user keyring remains possessed in thread keyring
-	defer runtime.UnlockOSThread()
+	//runtime.LockOSThread() // ensure target user keyring remains possessed in thread keyring
+	//defer runtime.UnlockOSThread()
 	// Create our payload (containing an FscryptKey)
 	payload, err := crypto.NewBlankKey(int(unsafe.Sizeof(unix.FscryptKey{})))
@@ -147,8 +147,8 @@ func userFindKey(description string, targetUser *user.User) (int, int, error) {
 // checkSession is true, an error is returned if a normal user requests their
 // user keyring, but it is not in the current session keyring.
 func UserKeyringID(targetUser *user.User, checkSession bool) (int, error) {
-	runtime.LockOSThread() // ensure target user keyring remains possessed in thread keyring
-	defer runtime.UnlockOSThread()
+	//runtime.LockOSThread() // ensure target user keyring remains possessed in thread keyring
+	//defer runtime.UnlockOSThread()
 	uid := util.AtoiOrPanic(targetUser.Uid)
 	targetKeyring, err := userKeyringIDLookup(uid)
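Review bot: Commenting out `runtime.LockOSThread()` / `defer runtime.UnlockOSThread()` in userAddKey removes the guarantee the original comment states: that the goroutine stays on one OS thread so the target user keyring remains possessed through that thread's keyring for the whole operation. Without the lock the scheduler may move the goroutine to another OS thread between the keyring ID lookup and the later keyring operations, so possession, and the permission checks that depend on it, can differ between calls, and the resulting failures will be intermittent and hard to reproduce. The same two lines are removed in UserKeyringID in the next hunk and in SaveProtectorKey, RestoreProtectorKey and DeleteSavedProtectorKey in the hunks that follow. If this is debugging scaffolding, restore the two lines before merging; if the lock is genuinely unnecessary, replace it with a comment explaining why rather than leaving the code commented out. userAddKey's body continues outside the hunk.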
@@ -187,8 +187,6 @@ func protectorKeyDescription(user *user.User) string {
 }
 func SaveProtectorKey(key *crypto.Key, user *user.User) error {
-	runtime.LockOSThread() // ensure the thread keyring doesn't change
-	defer runtime.UnlockOSThread()
 	keyringID, err := userKeyringIDLookup(0)
 	if err != nil {
@@ -205,8 +203,6 @@ func SaveProtectorKey(key *crypto.Key, user *user.User) error {
 }
 func RestoreProtectorKey(user *user.User) (*crypto.Key, error) {
-	runtime.LockOSThread() // ensure the thread keyring doesn't change
-	defer runtime.UnlockOSThread()
 	keyringID, err := userKeyringIDLookup(0)
 	if err != nil {
@@ -235,8 +231,6 @@ func RestoreProtectorKey(user *user.User) (*crypto.Key, error) {
 }
 func DeleteSavedProtectorKey(user *user.User) error {
-	runtime.LockOSThread() // ensure the thread keyring doesn't change
-	defer runtime.UnlockOSThread()
 	keyringID, err := userKeyringIDLookup(0)
 	if err != nil {
diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 7a3f25c..0394157 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -30,6 +30,10 @@ package main
 import "C"
 import (
 	"log"
+	"os"
+	"sync"
+	"runtime"
+	"time"
 	"unsafe"
 	"github.com/pkg/errors"
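Review bot: `"runtime"` is inserted after `"sync"`, so the standard-library import group is no longer sorted and gofmt will reorder it; the group should read `"os"`, `"runtime"`, `"sync"`, `"time"`. All four new imports appear to exist only to support the logging and goroutine experiment added to Authenticate in the next hunk, so they should go away together with it if that code is not meant to ship.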
@@ -68,10 +72,31 @@ var (
 // Authenticate copies the AUTHTOK (if necessary) into the PAM data so it can be
 // used in pam_sm_open_session.
 func Authenticate(handle *pam.Handle, _ map[string]bool) error {
-	if err := handle.StartAsPamUser(); err != nil {
-		return err
+	//if err := handle.StartAsPamUser(); err != nil {
+	//return err
+	//}
+	//defer handle.StopAsPamUser()
+
+	for _, arg := range os.Args {
+		log.Printf("%v", arg)
 	}
-	defer handle.StopAsPamUser()
+
+	for _, e := range os.Environ() {
+		log.Printf("%v", e)
+	}
+
+	log.Printf("testing goroutine; count=%v", runtime.NumGoroutine())
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		log.Printf("starting goroutine")
+		time.Sleep(time.Second)
+		defer wg.Done()
+		log.Printf("ending goroutine")
+	}()
+	log.Printf("waiting for goroutine; count=%v", runtime.NumGoroutine())
+	wg.Wait()
+	log.Printf("done testing goroutine; count=%v", runtime.NumGoroutine())
 	// If this user doesn't have a login protector, no unlocking is needed.
 	protector, err := loginProtector(handle)
@@ -94,10 +119,10 @@ func Authenticate(handle *pam.Handle, _ map[string]bool) error {
 	if err := protector.Unlock(keyFn); err != nil {
 		return errors.Wrap(err, "could not unlock login protector")
 	}
-	handle.StopAsPamUser()
-	if err := keyring.SaveProtectorKey(protector.InternalKey(), handle.PamUser); err != nil {
-		return errors.Wrap(err, "could not save protector key")
-	}
+	//handle.StopAsPamUser()
+	//if err := keyring.SaveProtectorKey(protector.InternalKey(), handle.PamUser); err != nil {
+	//return errors.Wrap(err, "could not save protector key")
+	//}
 	return nil
 }
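Review bot: The new `for _, e := range os.Environ()` loop in Authenticate writes every environment variable of the calling process to the log, and the `os.Args` loop does the same for its arguments; for a PAM module that process is whatever is authenticating the user, and its environment can carry values that should never reach a log. Because the `log.SetOutput(ioutil.Discard)` and syslog redirect in setupLogging are also commented out in this commit, the default logger delivers that dump to the caller's stderr. Disabling `handle.StartAsPamUser()` / `StopAsPamUser()` means that, going by the name, `loginProtector(handle)` and `protector.Unlock(keyFn)` now run with the module's own privileges rather than the PAM user's, and `time.Sleep(time.Second)` in the test goroutine adds a full second to every authentication. The second hunk's commented-out `keyring.SaveProtectorKey` leaves nothing for OpenSession to restore. This all reads as local debugging that should be dropped before merge; if the `StartAsPamUser` change is intentional, it needs a comment stating the privilege it gives up.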
@@ -141,13 +166,15 @@ func setupUserKeyringIfNeeded(handle *pam.Handle, policies []*actions.Policy) er
 // OpenSession provisions any policies protected with the login protector.
 func OpenSession(handle *pam.Handle, _ map[string]bool) error {
 	// We will always delete the saved protector key
-	defer keyring.DeleteSavedProtectorKey(handle.PamUser)
+	//defer keyring.DeleteSavedProtectorKey(handle.PamUser)
 	// Increment the count as we add a session
 	if _, err := AdjustCount(handle, +1); err != nil {
 		return err
 	}
-	protectorKey, protectorKeyErr := keyring.RestoreProtectorKey(handle.PamUser)
+	var protectorKey *crypto.Key
+	var protectorKeyErr error
+	//protectorKey, protectorKeyErr := keyring.RestoreProtectorKey(handle.PamUser)
 	defer protectorKey.Wipe()
 	if err := handle.StartAsPamUser(); err != nil {
diff --git a/pam_fscrypt/run_fscrypt.go b/pam_fscrypt/run_fscrypt.go
index ef7ff92..5ddbf2c 100644
--- a/pam_fscrypt/run_fscrypt.go
+++ b/pam_fscrypt/run_fscrypt.go
@@ -112,14 +112,14 @@ func parseArgs(argc C.int, argv **C.char) map[string]bool {
 // syslog if the "debug" argument is passed) and returns a writer to the error
 // syslog.
 func setupLogging(args map[string]bool) io.Writer {
-	log.SetFlags(0) // Syslog already includes time data itself
-	log.SetOutput(ioutil.Discard)
-	if args[debugFlag] {
-		debugWriter, err := syslog.New(syslog.LOG_DEBUG, moduleName)
-		if err == nil {
-			log.SetOutput(debugWriter)
-		}
-	}
+	//log.SetFlags(0) // Syslog already includes time data itself
+	//log.SetOutput(ioutil.Discard)
+	//if args[debugFlag] {
+	//debugWriter, err := syslog.New(syslog.LOG_DEBUG, moduleName)
+	//if err == nil {
+	//log.SetOutput(debugWriter)
+	//}
+	//}
 	errorWriter, err := syslog.New(syslog.LOG_ERR, moduleName)
 	if err != nil { |
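Review bot: `var protectorKey *crypto.Key` and `var protectorKeyErr error` replace the RestoreProtectorKey call with a nil key and a nil error, so `defer protectorKey.Wipe()` now runs on a nil receiver and any later `protectorKeyErr != nil` check in OpenSession (the function continues past the hunk) will treat the key as successfully restored. Whether `Wipe` tolerates a nil receiver is not visible here; if it dereferences, every session open panics. If the restore step is meant to be bypassed temporarily, giving the error a non-nil value, for example `protectorKeyErr = errors.New("protector key restore disabled")`, keeps the downstream error path honest. With `defer keyring.DeleteSavedProtectorKey` also commented out, a key that an earlier build did save stays in the uid-0 keyring that SaveProtectorKey writes to via `userKeyringIDLookup(0)`.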
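Review bot: With `log.SetOutput(ioutil.Discard)` and the `debug`-gated syslog writer commented out, every `log.Printf` in the module now reaches the default logger, which is the calling process's stderr with timestamps, regardless of the `debug` argument; that is exactly where the new argument and environment dump in Authenticate ends up. If `ioutil` is not referenced elsewhere in run_fscrypt.go this also leaves an unused import, which Go rejects at compile time. If the goal is to see debug output locally, keep the `args[debugFlag]` gate and change only the writer it installs, rather than dropping the discard default for every deployment. The rest of setupLogging is outside the hunk.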