diff options
Diffstat (limited to 'cmd')
| -rw-r--r-- | cmd/fscrypt/commands.go | 8 | ||||
| -rw-r--r-- | cmd/fscrypt/errors.go | 3 | ||||
| -rw-r--r-- | cmd/fscrypt/flags.go | 10 |
3 files changed, 15 insertions, 6 deletions
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go index 0bf0a4c..41009b0 100644 --- a/cmd/fscrypt/commands.go +++ b/cmd/fscrypt/commands.go @@ -232,7 +232,7 @@ func encryptPath(path string) (err error) { defer func() { policy.Lock() if err != nil { - policy.Deprovision() + policy.Deprovision(false) policy.Revert() } }() @@ -248,7 +248,7 @@ func encryptPath(path string) (err error) { return } if skipUnlockFlag.Value { - defer policy.Deprovision() + defer policy.Deprovision(false) } } if err = policy.Apply(path); os.IsPermission(errors.Cause(err)) { @@ -426,7 +426,7 @@ var Lock = cli.Command{ recoverable by an attacker who compromises system memory. To be fully safe, you must reboot with a power cycle.`, directoryArg, shortDisplay(dropCachesFlag)), - Flags: []cli.Flag{dropCachesFlag, userFlag}, + Flags: []cli.Flag{dropCachesFlag, userFlag, allUsersFlag}, Action: lockAction, } @@ -465,7 +465,7 @@ func lockAction(c *cli.Context) error { return newExitError(c, ErrDropCachesPerm) } - if err = policy.Deprovision(); err != nil { + if err = policy.Deprovision(allUsersFlag.Value); err != nil { return newExitError(c, err) } diff --git a/cmd/fscrypt/errors.go b/cmd/fscrypt/errors.go index ba9ec7a..5239155 100644 --- a/cmd/fscrypt/errors.go +++ b/cmd/fscrypt/errors.go @@ -103,7 +103,8 @@ func getErrorSuggestions(err error) string { re-running 'fscrypt lock'.` case keyring.ErrKeyAddedByOtherUsers: return `Directory couldn't be fully locked because other user(s) - have unlocked it.` + have unlocked it. If you want to force the directory to + be locked, use 'sudo fscrypt lock --all-users DIR'.` case keyring.ErrSessionUserKeying: return `This is usually the result of a bad PAM configuration. Either correct the problem in your PAM stack, enable diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go index a22ec05..b7933c9 100644 --- a/cmd/fscrypt/flags.go +++ b/cmd/fscrypt/flags.go @@ -116,7 +116,7 @@ var ( allFlags = []prettyFlag{helpFlag, versionFlag, verboseFlag, quietFlag, forceFlag, legacyFlag, skipUnlockFlag, timeTargetFlag, sourceFlag, nameFlag, keyFileFlag, protectorFlag, - unlockWithFlag, policyFlag} + unlockWithFlag, policyFlag, allUsersFlag} // universalFlags contains flags that should be on every command universalFlags = []cli.Flag{verboseFlag, quietFlag, helpFlag} ) @@ -170,6 +170,14 @@ var ( privileges.`, Default: true, } + allUsersFlag = &boolFlag{ + Name: "all-users", + Usage: `Lock the directory no matter which user(s) have unlocked + it. Requires root privileges. This flag is only + necessary if the directory was unlocked by a user + different from the one you're locking it as. This flag + is only implemented for v2 encryption policies.`, + } ) // Option flags: used to specify options instead of being prompted for them |