| Age | Commit message (Collapse) | Author |
|---|
|
We now create the `*pb.go` files via the makefile instead of though
`go generate`.
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
Since Go 1.16 (which recently became the minimum supported Go version
for this project), the package io/ioutil is deprecated in favor of
equivalent functionality in the io and os packages. staticcheck warns
about this. Address all the warnings by switching to the non-deprecated
replacement functions.
|
|
If a session is opened for a user twice and the second doesn't have the
AUTHTOK data, pam_fscrypt prints an error message that says it failed to
unlock a protector because AUTHTOK data is missing. This is misleading
because the protector and its associated policies were already unlocked
by the first session.
To avoid this, move the check for whether the policy is provisioned or
not into policiesUsingProtector(). Also do the same for CloseSession.
|
|
Now that it's been requested by users, bring back the "unlock_only"
option, which was originally proposed as part of
https://github.com/google/fscrypt/pull/281 but was dropped in the final
version of that pull request.
Resolves https://github.com/google/fscrypt/issues/357
|
|
Support for AES_256_HCTR2 filenames encryption was added in kernel
version 6.0. The kernel doesn't yet support AES_256_HCTR2 for contents
encryption.
|
|
Follow up to #362
Protojson randomly inserts whitespace to indicate that the output is
unstable, breaking out tests. To fix this, compact the output before
comparison.
Signed-off-by: Joe Richey <joerichey@google.com>
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
Split policyIoctl into setPolicyIoctl and getPolicyIoctl. Add a
os.Sync() call to setPolicyIoctl.
Policy ioctls are not necessary durable on return. For example, on
ext4 (ref: fs/ext4/crypto.c: ext4_set_context) they are not. This may
lead to a filesystem containing fscrypt metadata (in .fscrypt), but
without the policy applied on an encrypted directory.
Example:
Snapshotting a mounted ext4 filesystem on Ceph RBD right after
setting the policy. While subject to timing, with high probability the
snapshot will not have the policy set. Calling fsync fixes this.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
|
|
cli-tests: account for protojson whitespace randomization
|
|
Annoyingly, for JSON formatting protojson randomly selects a spacing
method (one space or two spaces) depending on a hash of some sections of
the Go binary, to discourage depending on its output being stable. This
breaks some checks in the CLI tests of the contents of fscrypt.conf and
the output of 'fscrypt status'. As there doesn't appear to be a
straightforward alternative currently, for now just update the tests to
take into consideration the possible extra space.
|
|
Update https://github.com/google/fscrypt/issues/350
|
|
Upgrade dependencies to latest version
|
|
Add lustre to allowed filesystems and update documentation
|
|
|
|
github.com/golang/protobuf/proto has been deprecated in favor of
google.golang.org/protobuf/proto, so migrate to the non-deprecated one.
|
|
|
|
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
The version of 'staticcheck' (part of honnef.co/go/tools) we were
pinning is incompatible with Go 1.18, as per
https://github.com/dominikh/go-tools/issues/1165.
To allow 'make lint' to work with Go 1.18 and later, upgrade
honnef.co/go/tools to the latest version.
This requires that several other modules be upgraded too.
|
|
The latest version of 'staticcheck' warns about these.
|
|
Bump up required Go version to 1.16
|
|
Bump up the required Go version to 1.16 so that we can assume that Go
modules are enabled by default. Go 1.16 is the latest end-of-life
release, so this makes it so that we support the latest end-of-life
release (1.16), the current maintainance release (1.17), the current
release (1.18), and future releases. This the same approach we took
when we last bumped up the required Go version.
Also update the ci.yml file to test with these versions.
|
|
|
|
Metadata validation and other security improvements
|
|
pam_fscrypt should never need to do anything for system users, so detect
them early so that we can avoid wasting any resources looking for their
login protector.
|
|
If the error is anything other than ErrNotSetup, it might be helpful to
know what is going on.
|
|
Currently, fscrypt policies and protectors are world readable, as they
are created with mode 0644. While this can be nice for use cases where
users share these files, those use cases seem to be quite rare, and it's
not a great default security-wise since it exposes password hashes to
all users. While fscrypt uses a very strong password hash algorithm, it
would still be best to follow the lead of /etc/shadow and keep this
information non-world-readable.
Therefore, start creating these files with mode 0600.
Of course, if users do actually want to share these files, they have the
option of simply chmod'ing them to a less restrictive mode. An option
could also be added to make fscrypt use the old mode 0644; however, the
need for that is currently unclear.
|
|
Since fscrypt replaces metadata files rather than overwrites them (to
get atomicity), their owner will change to root if root makes a change.
That isn't too much of an issue when the files have mode 0644. However,
it will become a much bigger issue when the files have mode 0600,
especially because existing files with mode 0644 would also get changed
to have mode 0600.
In preparation for this, start preserving the previous owner and mode of
policy and protector files when they are updated.
|
|
Since commit 4c7c6631cc5a ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf. That's good, but the same isn't true of other
files that get created at the same time:
- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file
In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.
|
|
A previous commit extended file ownership validation to policy and
protector files (by default -- there's an opt-out in /etc/fscrypt.conf).
However, that didn't apply to the parent directories:
MOUNTPOINT
MOUNTPOINT/.fscrypt
MOUNTPOINT/.fscrypt/policies
MOUNTPOINT/.fscrypt/protectors
The problem is that if the parent directories aren't trusted (owned by
another non-root user), then untrusted changes to their contents can be
made at any time, including the introduction of symlinks and so on.
While it's debatable how much of a problem this really is, given the
other validations that are done, it seems to be appropriate to validate
the parent directories too.
Therefore, this commit applies the same ownership validations to the
above four directories as are done on the metadata files themselves.
In addition, it is validated that none of these directories are symlinks
except for ".fscrypt" where this is explicitly supported.
|
|
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.
There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,
* If fscrypt or pam_fscrypt is running as a non-root user, only
policies and protectors owned by the user or by root can be used.
* If fscrypt is running as root, any policy or protector can be used.
(This is to match user expectations -- starting a sudo session
should gain rights, not remove rights.)
* If pam_fscrypt is running as root, only policies and protectors
owned by root can be used. Note that this only applies when the
root user themselves has an fscrypt login protector, which is rare.
Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
|
|
World-writable directories are not appropriate for some systems, so
offer a choice of single-user-writable and world-writable modes, with
single-user-writable being the default. Add a new documentation section
to help users decide which one to use.
|
|
To allow users to update fscrypt metadata they own in
single-user-writable metadata directories (introduced by the next
commit), fall back to non-atomic overwrites when atomic ones can't be
done due to not having write access to the directory.
|
|
If a login protector contains a UID that differs from the file owner
(and the file owner is not root), it might be a spoofed file that was
created maliciously, so make sure to consider such files to be invalid.
|
|
Don't allow reading metadata files that are very large, as they can
crash the program due to the memory required. Similarly, don't allow
reading metadata files that aren't regular files, such as FIFOs, or
symlinks (which could point to a device node like /dev/zero), as that
can hang the program. Both issues were particularly problematic for
pam_fscrypt, as they could prevent users from being able to log in.
Note: these checks are arguably unneeded if we strictly check the file
ownership too, which a later commit will do. But there's no reason not
to do these basic checks too.
|
|
Mountpoint paths might be untrusted arbitrary strings; the fscrypt bash
completion script might need to complete to such strings.
Unfortunately, the design of bash completion places some major footguns
in the way of doing this correctly and securely:
- "compgen -W" expands anything passed to it, so the argument to -W
must be single-quoted to avoid an extra level of expansion.
- The backslashes needed to escape meta-characters in the completed
text aren't added automatically; they must be explicitly added.
Note that the completion script for 'umount' used to have these same
bugs (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179,
https://github.com/util-linux/util-linux/issues/539).
Fix these bugs in roughly the same way that 'umount' fixed them.
|
|
Following the example of /proc/self/mountinfo, replace the space,
newline, tab, and backslash characters with octal escape sequences so
that the output can be parsed unambiguously.
|
|
CONTRIBUTING: update maintainers list
|
|
|
|
|
|
|
|
Allow the root directory to be a btrfs filesystem
|
|
This is needed to allow creating protector links to btrfs filesystems.
Update https://github.com/google/fscrypt/issues/339
|
|
This is needed to make FindMount() work on btrfs filesystems.
Update https://github.com/google/fscrypt/issues/339
|
|
Restore the canonicalizePath() function from before commit
f2eb79fb5fb10275c014b55c13e28ff02d3b70a8, since it's needed again.
Update https://github.com/google/fscrypt/issues/339
|
|
Add back the mountsByPath map, which indexes all Mounts by mountpoint.
This is needed again.
To avoid confusion, also rename two local variables named mountsByPath.
mountsByPath won't contain nil entries, so also make AllFilesystems()
use it instead of mountsByDevice. This shouldn't change its behavior.
Update https://github.com/google/fscrypt/issues/339
|
|
cli-tests: fix broken test
|
|
I'm not sure how this passed the GitHub checks.
|
|
filesystem: store mountpoint in link files as a fallback
|
|
cmd/fscrypt: don't load protector in remove-protector-from-policy
|
|
Make remove-protector-from-policy work even if the protector cannot be
loaded (for example, due to having been deleted already).
Fixes https://github.com/google/fscrypt/issues/258
Fixes https://github.com/google/fscrypt/issues/272
|
