aboutsummaryrefslogtreecommitdiff
path: root/cmd
diff options
context:
space:
mode:
Diffstat (limited to 'cmd')
-rw-r--r--cmd/fscrypt/commands.go8
-rw-r--r--cmd/fscrypt/errors.go9
-rw-r--r--cmd/fscrypt/flags.go21
3 files changed, 27 insertions, 11 deletions
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index 43c9cb0..fd90626 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -119,7 +119,7 @@ func encryptAction(c *cli.Context) error {
// keyring unless --skip-unlock is used. On failure, an error is returned, any
// metadata creation is reverted, and the directory is unmodified.
func encryptPath(path string) (err error) {
- target, err := parseUserFlag()
+ target, err := parseUserFlag(!skipUnlockFlag.Value)
if err != nil {
return
}
@@ -274,7 +274,7 @@ func unlockAction(c *cli.Context) error {
return expectedArgsErr(c, 1, false)
}
- target, err := parseUserFlag()
+ target, err := parseUserFlag(true)
if err != nil {
return newExitError(c, err)
}
@@ -357,7 +357,7 @@ func purgeAction(c *cli.Context) error {
}
}
- target, err := parseUserFlag()
+ target, err := parseUserFlag(true)
if err != nil {
return newExitError(c, err)
}
@@ -507,7 +507,7 @@ func createProtectorAction(c *cli.Context) error {
return expectedArgsErr(c, 1, false)
}
- target, err := parseUserFlag()
+ target, err := parseUserFlag(false)
if err != nil {
return newExitError(c, err)
}
diff --git a/cmd/fscrypt/errors.go b/cmd/fscrypt/errors.go
index 9731efc..81a6798 100644
--- a/cmd/fscrypt/errors.go
+++ b/cmd/fscrypt/errors.go
@@ -35,6 +35,7 @@ import (
"github.com/google/fscrypt/crypto"
"github.com/google/fscrypt/filesystem"
"github.com/google/fscrypt/metadata"
+ "github.com/google/fscrypt/security"
"github.com/google/fscrypt/util"
)
@@ -93,6 +94,14 @@ func getErrorSuggestions(err error) string {
needs to be enabled for this filesystem. See the
documentation on how to enable encryption on ext4
systems (and the risks of doing so).`
+ case security.ErrSessionUserKeying:
+ return `This is usually the result of a bad PAM configuration.
+ Either correct the problem in your PAM stack, enable
+ pam_keyinit.so, or run "keyctl link @u @s".`
+ case security.ErrAccessUserKeyring:
+ return fmt.Sprintf(`You can only use %s to access the user
+ keyring of another user if you are running as root.`,
+ shortDisplay(userFlag))
case actions.ErrBadConfigFile:
return `Run "sudo fscrypt setup" to recreate the file.`
case actions.ErrNoConfigFile:
diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go
index e883a6d..af03ad2 100644
--- a/cmd/fscrypt/flags.go
+++ b/cmd/fscrypt/flags.go
@@ -33,6 +33,7 @@ import (
"github.com/urfave/cli"
"github.com/google/fscrypt/actions"
+ "github.com/google/fscrypt/security"
"github.com/google/fscrypt/util"
)
@@ -283,17 +284,23 @@ func getPolicyFromFlag(flagValue string, target *user.User) (*actions.Policy, er
// parseUserFlag returns the user specified by userFlag or the current effective
// user if the flag value is missing. If the effective user is root, however, a
-// user must specified in the flag.
-func parseUserFlag() (*user.User, error) {
+// user must specified in the flag. If checkKeyring is true, we also make sure
+// there are no problems accessing the user keyring.
+func parseUserFlag(checkKeyring bool) (targetUser *user.User, err error) {
if userFlag.Value != "" {
- return user.Lookup(userFlag.Value)
+ targetUser, err = user.Lookup(userFlag.Value)
+ } else {
+ if util.IsUserRoot() {
+ return nil, ErrSpecifyUser
+ }
+ targetUser, err = util.EffectiveUser()
}
- effectiveUser, err := util.EffectiveUser()
if err != nil {
return nil, err
}
- if util.IsUserRoot() {
- return nil, ErrSpecifyUser
+
+ if checkKeyring {
+ _, err = security.UserKeyringID(targetUser)
}
- return effectiveUser, nil
+ return targetUser, err
}
generated by cgit v1.2.3 (git 2.25.1) at 2026-05-10 20:31:01 +0000