diff options
Diffstat (limited to 'cmd/fscrypt')
| -rw-r--r-- | cmd/fscrypt/commands.go | 8 | ||||
| -rw-r--r-- | cmd/fscrypt/flags.go | 21 |
2 files changed, 18 insertions, 11 deletions
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go index 43c9cb0..fd90626 100644 --- a/cmd/fscrypt/commands.go +++ b/cmd/fscrypt/commands.go @@ -119,7 +119,7 @@ func encryptAction(c *cli.Context) error { // keyring unless --skip-unlock is used. On failure, an error is returned, any // metadata creation is reverted, and the directory is unmodified. func encryptPath(path string) (err error) { - target, err := parseUserFlag() + target, err := parseUserFlag(!skipUnlockFlag.Value) if err != nil { return } @@ -274,7 +274,7 @@ func unlockAction(c *cli.Context) error { return expectedArgsErr(c, 1, false) } - target, err := parseUserFlag() + target, err := parseUserFlag(true) if err != nil { return newExitError(c, err) } @@ -357,7 +357,7 @@ func purgeAction(c *cli.Context) error { } } - target, err := parseUserFlag() + target, err := parseUserFlag(true) if err != nil { return newExitError(c, err) } @@ -507,7 +507,7 @@ func createProtectorAction(c *cli.Context) error { return expectedArgsErr(c, 1, false) } - target, err := parseUserFlag() + target, err := parseUserFlag(false) if err != nil { return newExitError(c, err) } diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go index e883a6d..af03ad2 100644 --- a/cmd/fscrypt/flags.go +++ b/cmd/fscrypt/flags.go @@ -33,6 +33,7 @@ import ( "github.com/urfave/cli" "github.com/google/fscrypt/actions" + "github.com/google/fscrypt/security" "github.com/google/fscrypt/util" ) @@ -283,17 +284,23 @@ func getPolicyFromFlag(flagValue string, target *user.User) (*actions.Policy, er // parseUserFlag returns the user specified by userFlag or the current effective // user if the flag value is missing. If the effective user is root, however, a -// user must specified in the flag. -func parseUserFlag() (*user.User, error) { +// user must specified in the flag. If checkKeyring is true, we also make sure +// there are no problems accessing the user keyring. +func parseUserFlag(checkKeyring bool) (targetUser *user.User, err error) { if userFlag.Value != "" { - return user.Lookup(userFlag.Value) + targetUser, err = user.Lookup(userFlag.Value) + } else { + if util.IsUserRoot() { + return nil, ErrSpecifyUser + } + targetUser, err = util.EffectiveUser() } - effectiveUser, err := util.EffectiveUser() if err != nil { return nil, err } - if util.IsUserRoot() { - return nil, ErrSpecifyUser + + if checkKeyring { + _, err = security.UserKeyringID(targetUser) } - return effectiveUser, nil + return targetUser, err } |