1 files changed, 30 insertions, 8 deletions

diff --git a/cmd/fscrypt/protector.go b/cmd/fscrypt/protector.go
index 32ba4ab..186ca7a 100644
--- a/cmd/fscrypt/protector.go
+++ b/cmd/fscrypt/protector.go
@@ -21,11 +21,14 @@
 package main
 
 import (
+	"fmt"
 	"log"
+	"os/user"
 
 	"github.com/google/fscrypt/actions"
 	"github.com/google/fscrypt/filesystem"
 	"github.com/google/fscrypt/metadata"
+	"github.com/google/fscrypt/util"
 )
 
 // createProtector makes a new protector on either ctx.Mount or if the requested
@@ -36,6 +39,19 @@ func createProtectorFromContext(ctx *actions.Context) (*actions.Protector, error
 		return nil, err
 	}
 	log.Printf("using source: %s", ctx.Config.Source.String())
+	if ctx.Config.Source == metadata.SourceType_pam_passphrase {
+		if userFlag.Value == "" && util.IsUserRoot() {
+			return nil, ErrSpecifyUser
+		}
+		if !quietFlag.Value {
+			fmt.Print(`
+IMPORTANT: Before continuing, ensure you have properly set up your system for
+           login protectors.  See
+           https://github.com/google/fscrypt#setting-up-for-login-protectors
+
+`)
+		}
+	}
 
 	name, err := promptForName(ctx)
 	if err != nil {
@@ -45,18 +61,24 @@ func createProtectorFromContext(ctx *actions.Context) (*actions.Protector, error
 
 	// We only want to create new login protectors on the root filesystem.
 	// So we make a new context if necessary.
-	if ctx.Config.Source == metadata.SourceType_pam_passphrase && ctx.Mount.Path != "/" {
-		log.Printf("creating login protector on %q instead of %q", "/", ctx.Mount.Path)
+	if ctx.Config.Source == metadata.SourceType_pam_passphrase &&
+		ctx.Mount.Path != actions.LoginProtectorMountpoint {
+		log.Printf("creating login protector on %q instead of %q",
+			actions.LoginProtectorMountpoint, ctx.Mount.Path)
 		if ctx, err = modifiedContext(ctx); err != nil {
 			return nil, err
 		}
 	}
 
-	return actions.CreateProtector(ctx, name, createKeyFn)
+	var owner *user.User
+	if ctx.Config.Source == metadata.SourceType_pam_passphrase && util.IsUserRoot() {
+		owner = ctx.TargetUser
+	}
+	return actions.CreateProtector(ctx, name, createKeyFn, owner)
 }
 
 // selectExistingProtector returns a locked Protector which corresponds to an
-// options in the non-empty slice of options. Prompts for user input are used to
+// option in the non-empty slice of options. Prompts for user input are used to
 // get the keys and select the option.
 func selectExistingProtector(ctx *actions.Context, options []*actions.ProtectorOption) (*actions.Protector, error) {
 	idx, err := promptForProtector(options)
@@ -78,7 +100,7 @@ func expandedProtectorOptions(ctx *actions.Context) ([]*actions.ProtectorOption,
 	}
 
 	// Do nothing different if we are at the root, or cannot load the root.
-	if ctx.Mount.Path == "/" {
+	if ctx.Mount.Path == actions.LoginProtectorMountpoint {
 		return options, nil
 	}
 	if ctx, err = modifiedContext(ctx); err != nil {
@@ -111,10 +133,10 @@ func expandedProtectorOptions(ctx *actions.Context) ([]*actions.ProtectorOption,
 	return options, nil
 }
 
-// modifiedContext returns a copy of ctx with the mountpoint replaced by that of
-// the root filesystem.
+// modifiedContext returns a copy of ctx with the mountpoint replaced by
+// LoginProtectorMountpoint.
 func modifiedContext(ctx *actions.Context) (*actions.Context, error) {
-	mnt, err := filesystem.GetMount("/")
+	mnt, err := filesystem.GetMount(actions.LoginProtectorMountpoint)
 	if err != nil {
 		return nil, err
 	}