| -rw-r--r-- | README.md | 10 | ||||
| -rw-r--r-- | pam_fscrypt/config | 2 | ||||
| -rw-r--r-- | pam_fscrypt/pam_fscrypt.go | 19 |
3 files changed, 18 insertions, 13 deletions
@@ -415,12 +415,12 @@ auth optional pam_fscrypt.so
 after `pam_unix.so` in `/etc/pam.d/common-auth` or similar, and to add the line:
 ```
-session optional pam_fscrypt.so lock_policies
+session optional pam_fscrypt.so
 ```
-after `pam_unix.so` in `/etc/pam.d/common-session` or similar. The
-`lock_policies` option locks the directories protected with the user's login
-passphrase when the last session ends. All the types also support the `debug`
-option which prints additional debug information to the syslog.
+after `pam_unix.so` in `/etc/pam.d/common-session` or similar.
+
+To make `pam_fscrypt.so` print debugging messages to the system log, add the
+`debug` option. All hook types accept this option.
 
 ### Allowing `fscrypt` to check your login passphrase
diff --git a/pam_fscrypt/config b/pam_fscrypt/config
index d2fbf68..f83dab2 100644
--- a/pam_fscrypt/config
+++ b/pam_fscrypt/config
@@ -7,7 +7,7 @@ Auth-Final:
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session-Final:
-	optional PAM_INSTALL_PATH lock_policies
+	optional PAM_INSTALL_PATH
 Password-Type: Additional
 Password-Final:
 	optional PAM_INSTALL_PATH
diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 195ba43..2e31af9 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -47,7 +47,10 @@ const (
 	authtokLabel = "fscrypt_authtok"
 	// These flags are used to toggle behavior of the PAM module.
 	debugFlag = "debug"
-	lockFlag = "lock_policies"
+
+	// This option is accepted for compatibility with existing config files,
+	// but now we lock policies unconditionally and this option is a no-op.
+	lockPoliciesFlag = "lock_policies"
 
 	// This option is accepted for compatibility with existing config files,
 	// but it no longer does anything. pam_fscrypt now drops caches if and 
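Review bot: The new comment on `lockPoliciesFlag` says the option is now a no-op but not where the unconditional locking happens, so a maintainer reading the const block has to grep for the behaviour; since it lives in CloseSession (the next hunk of this file), the comment could point there and use the standard marker, e.g. `// Deprecated: policies protected by the login protector are now always locked in CloseSession; the option is accepted only so existing config lines keep parsing.` The `const (` block this hunk edits starts and ends outside the hunk.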
@@ -218,19 +221,21 @@ func CloseSession(handle *pam.Handle, args map[string]bool) error {
 		return err
 	}
 
+	if args[lockPoliciesFlag] {
+		log.Print("ignoring deprecated 'lock_policies' option (now the default)")
+	}
+
 	if args[dropCachesFlag] {
 		log.Print("ignoring deprecated 'drop_caches' option (now auto-detected)")
 	}
 
-	needDropCaches := false
-	var errLock, errCache error
 	// Don't automatically drop privileges, since we may need them to
 	// deprovision policies or to drop caches.
-	if args[lockFlag] {
-		log.Print("locking polices protected with login protector")
-		needDropCaches, errLock = lockLoginPolicies(handle)
-	}
+	log.Print("locking policies protected with login protector")
+	needDropCaches, errLock := lockLoginPolicies(handle)
+
+	var errCache error
 
 	if needDropCaches {
 		log.Print("dropping appropriate filesystem caches at session close")
 		errCache = security.DropFilesystemCache() |
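Review bot: The deprecation notice added at the top of the hunk and the now-unconditional `log.Print("locking policies protected with login protector")` below it are emitted on every session close — the notice for anyone whose config still carries `lock_policies`, and the locking message presumably also for accounts that have no fscrypt login protector at all — so they will repeat in syslog for the life of the install. Consider emitting both only when the module's `debug` flag is set, or at least logging the locking message only once lockLoginPolicies has found something to lock, if that function does not already log that itself. It would also help to record above the lock call the assumption this path depends on, e.g. `// Assumes the caller has already established this is the user's last session; locking earlier would remove keys from under still-running sessions.`, since CloseSession starts outside the hunk and that check is not visible here. The handling of errLock and errCache continues past the end of the hunk.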