From 5c853fd7317d337ab7dc3b9bfe533a22eb713e1f Mon Sep 17 00:00:00 2001
From: "Joe Richey joerichey@google.com"
Date: Wed, 19 Jul 2017 15:42:31 -0700
Subject: Updated documentation and build system for PAM

---
 CONTRIBUTING.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'CONTRIBUTING.md')

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 1470fa4..7272b10 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -30,9 +30,10 @@ these commands when writing your code.
 ### Building and Testing
 
-As mentioned in `README.md`, running `make` will build the fscrypt executable.
-Running `make go` will build each package and run the tests, but just running
-`make go` with nothing else will skip the integration tests.
+As mentioned in `README.md`, running `make` will build the fscrypt executable
+and the PAM module `pam_fscrypt.so`. Running `make go` will build each package
+and run the tests, but just running `make go` with nothing else will skip the
+integration tests.
 
 To run the integration tests, you will need a filesystem that supports
 encryption. If you already have some empty filesystem at `/foo/bar`, just run:
-- 
cgit v1.3

From b15792b8d7c197d84970415fd2525c51aee3996c Mon Sep 17 00:00:00 2001
From: "Joe Richey joerichey@google.com"
Date: Wed, 23 Aug 2017 12:29:10 -0700
Subject: Added some documentation and improved security API

---
 CONTRIBUTING.md     | 10 ++++++++++
 README.md           |  4 ++--
 pam/pam.go          | 24 ++++++++++++++++++------
 security/keyring.go | 12 ++++++++++--
 4 files changed, 40 insertions(+), 10 deletions(-)

(limited to 'CONTRIBUTING.md')

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 7272b10..6b7be43 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -15,6 +15,16 @@ You generally only need to submit a CLA once, so if you've already submitted one
 (even if it was for a different project), you probably don't need to do it
 again.
 
+## Reporting an Issue
+
+Any bugs or problems found in fscrypt should be reported though the
+[Github Issue Tracker](https://github.com/google/fscrypt/issues/new). When
+reporting an issue, be sure to give as much information about the problem as
+possible. If reporting an issue around the fscrypt command-line tool, post the
+relevant output from fscrypt, running with the `--verbose` flag. For the
+pam_fscrypt module, use the `debug` flag with the module and post the relevant
+parts of the syslog (at ``).
+
 ## Code reviews
 
 All submissions, including submissions by project members, require review. We
diff --git a/README.md b/README.md
index 4355239..cb1a1e3 100644
--- a/README.md
+++ b/README.md
@@ -545,8 +545,8 @@ file for more information about singing the CLA and submitting a pull request.
 ## Troubleshooting
 
 In general, if you are encountering issues with fscrypt,
-[open an issue](https://github.com/google/fscrypt/issues/new). We will try our
-best to help.
+[open an issue](https://github.com/google/fscrypt/issues/new), following the
+guidelines in `CONTRIBUTING.md`. We will try our best to help.
 
 #### I changed my login passphrase, now all my directories are inaccessible
 
diff --git a/pam/pam.go b/pam/pam.go
index 804171d..3049efb 100644
--- a/pam/pam.go
+++ b/pam/pam.go
@@ -32,12 +32,15 @@ import (
 	"errors"
 	"fmt"
 	"unsafe"
+
+	"github.com/google/fscrypt/security"
 )
 
 // Handle wraps the C pam_handle_t type. This is used from within modules.
 type Handle struct {
 	handle *C.pam_handle_t
 	status C.int
+	privs  *security.Privileges
 }
 
 // NewHandle creates a Handle from a raw pointer.
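Review bot: The new `privs *security.Privileges` field on Handle is undocumented, and the Handle doc comment does not say that a Handle now carries privilege state that a later call is expected to restore. Add a field comment such as `// privs holds the privileges saved by DropThreadPrivileges so that RaiseThreadPrivileges can put them back; nil until privileges have been dropped.` Naming the pairing on the struct helps every PAM entry point that receives a Handle remember to raise before returning.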
@@ -105,19 +108,28 @@ func (h *Handle) GetItem(i Item) (unsafe.Pointer, error) {
 	return data, h.err()
 }
 
-// GetIDs retrieves the UID and GID of the corresponding PAM_USER.
-func (h *Handle) GetIDs() (uid int, gid int, err error) {
+// DropThreadPrivileges sets the effective privileges to that of the PAM user
+func (h *Handle) DropThreadPrivileges() error {
 	var pamUsername *C.char
+	var err error
+
 	h.status = C.pam_get_user(h.handle, &pamUsername, nil)
 	if err = h.err(); err != nil {
-		return 0, 0, err
+		return err
 	}
-
 	pwnam := C.getpwnam(pamUsername)
 	if pwnam == nil {
-		return 0, 0, fmt.Errorf("unknown user %q", C.GoString(pamUsername))
+		return fmt.Errorf("unknown user %q", C.GoString(pamUsername))
 	}
-	return int(pwnam.pw_uid), int(pwnam.pw_gid), nil
+
+	h.privs, err = security.DropThreadPrivileges(int(pwnam.pw_uid), int(pwnam.pw_gid))
+	return err
+}
+
+// RaiseThreadPrivileges restores the original privileges that were running the
+// PAM module (this is usually root).
+func (h *Handle) RaiseThreadPrivileges() error {
+	return security.RaiseThreadPrivileges(h.privs)
 }
 
 func (h *Handle) err() error {
diff --git a/security/keyring.go b/security/keyring.go
index f75b189..28225b0 100644
--- a/security/keyring.go
+++ b/security/keyring.go
@@ -151,11 +151,19 @@ func getUserKeyringID() (int, error) {
 func keyringLink(keyID int, keyringID int) error {
 	_, err := unix.KeyctlInt(unix.KEYCTL_LINK, keyID, keyringID, 0, 0)
 	log.Printf("KeyctlLink(%d, %d) = %v", keyID, keyringID, err)
-	return errors.Wrap(ErrKeyringLink, err.Error())
+
+	if err != nil {
+		return errors.Wrap(ErrKeyringLink, err.Error())
+	}
+	return err
 }
 
 func keyringUnlink(keyID int, keyringID int) error {
 	_, err := unix.KeyctlInt(unix.KEYCTL_UNLINK, keyID, keyringID, 0, 0)
 	log.Printf("KeyctlUnlink(%d, %d) = %v", keyID, keyringID, err)
-	return errors.Wrap(ErrKeyringUnlink, err.Error())
+
+	if err != nil {
+		return errors.Wrap(ErrKeyringUnlink, err.Error())
+	}
+	return err
 }
-- 
cgit v1.3
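Review bot: DropThreadPrivileges overwrites `h.privs` unconditionally at `h.privs, err = security.DropThreadPrivileges(...)`, so a second drop before a raise replaces the saved original (usually root) privileges with the already-lowered ones, and RaiseThreadPrivileges then silently leaves the module running as the user. Refuse a repeated drop, and have RaiseThreadPrivileges clear `h.privs` once it has restored them so a stale pointer cannot be re-raised later (pam.go already imports `errors`). Separately, the names suggest security.DropThreadPrivileges changes the calling OS thread only; that package is not in this diff, but if it does not pin the goroutine with runtime.LockOSThread for the whole drop/raise window, Go may reschedule the goroutine onto a thread that still holds the original privileges — worth confirming and stating in the doc comment. The DropThreadPrivileges doc comment should also say it must be paired with RaiseThreadPrivileges.
```go
func (h *Handle) DropThreadPrivileges() error {
	if h.privs != nil {
		return errors.New("thread privileges already dropped")
	}
	// … unchanged: pam_get_user/getpwnam lookup and the security.DropThreadPrivileges call …
}

// RaiseThreadPrivileges restores the original privileges that were running the
// PAM module (this is usually root). It is a no-op if nothing was dropped.
func (h *Handle) RaiseThreadPrivileges() error {
	if h.privs == nil {
		return nil
	}
	if err := security.RaiseThreadPrivileges(h.privs); err != nil {
		return err
	}
	h.privs = nil
	return nil
}
```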
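Review bot: In both keyringLink and keyringUnlink the final `return err` is reached only when `err` is nil, so it should be `return nil`; as written the reader has to re-derive from the preceding branch that no error escapes here. The blank line inserted between the `log.Printf` and the `if err != nil` check also separates the check from the call it guards, which nothing else in these two functions does. Note too that `errors.Wrap(ErrKeyringLink, err.Error())` keeps the sentinel as the cause and carries the errno only as text, so callers cannot match on EACCES/EPERM (keyring permission problems) versus other errnos; that is presumably the project's convention, but a one-line comment on why the sentinel rather than the syscall error is wrapped would stop someone from flipping the argument order later.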
From 19c13e861996c3503be5b0dc5a2cecfe186b1744 Mon Sep 17 00:00:00 2001
From: Joseph Richey
Date: Thu, 24 Aug 2017 00:29:54 -0700
Subject: Updated documentation for PAM module help

---
 CONTRIBUTING.md            | 4 ++--
 README.md                  | 9 ++++-----
 pam_fscrypt/pam_fscrypt.go | 4 ++--
 3 files changed, 8 insertions(+), 9 deletions(-)

(limited to 'CONTRIBUTING.md')

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6b7be43..357661c 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -22,8 +22,8 @@ Any bugs or problems found in fscrypt should be reported though the
 reporting an issue, be sure to give as much information about the problem as
 possible. If reporting an issue around the fscrypt command-line tool, post the
 relevant output from fscrypt, running with the `--verbose` flag. For the
-pam_fscrypt module, use the `debug` flag with the module and post the relevant
-parts of the syslog (at ``).
+pam_fscrypt module, use the `debug` option with the module and post the relevant
+parts of the syslog (usually at `/var/log/syslog`).
 
 ## Code reviews
diff --git a/README.md b/README.md
index 342fe66..2214dad 100644
--- a/README.md
+++ b/README.md
@@ -568,12 +568,11 @@ fscrypt metadata change-passphrase --protector=/:ID
 #### Directories using my login passphrase are not automatically unlocking.
 
 Either the PAM module is not installed correctly, or your login passphrase
-changed and things got out of sync.
+changed and things got out of sync. Another reason that these directories might
+not unlock is if your session starts without password authentication. The most
+common case of this is public-key ssh login.
 
-#### I can still see files or filenames after running `fscrypt purge MOUNTPOINT`
-
-You need to unmount `MOUNTPOINT` to clear the necessary caches. See
-`fscrypt purge --help` for more information
+To trigger a password authentication event, run `su $(whoami) -c exit`.
 
 #### Getting "encryption not enabled" on an ext4 filesystem.
 
diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 2eecd3a..21bc779 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -78,7 +78,7 @@ func OpenSession(handle *pam.Handle, _ map[string]bool) error {
 	// We will always clear the the AUTHTOK data
 	defer handle.ClearData(authtokLabel)
 	// Increment the count as we add a session
-	if _, err := AdjustCount(handle, 1); err != nil {
+	if _, err := AdjustCount(handle, +1); err != nil {
 		return err
 	}
 
@@ -150,6 +150,7 @@ func OpenSession(handle *pam.Handle, _ map[string]bool) error {
 func CloseSession(handle *pam.Handle, args map[string]bool) error {
 	// Only do stuff on session close when we are the last session
 	if count, err := AdjustCount(handle, -1); err != nil || count != 0 {
+		log.Printf("count is %d and we are not locking", count)
 		return err
 	}
 
@@ -275,7 +276,6 @@ func pam_sm_close_session(pamh unsafe.Pointer, flags, argc C.int, argv **C.char)
 func pam_sm_chauthtok(pamh unsafe.Pointer, flags, argc C.int, argv **C.char) C.int {
 	// Only do rewrapping if we have both AUTHTOKs and a login protector.
 	if pam.Flag(flags)&pam.PrelimCheck != 0 {
-		log.Print("no preliminary checks need to run")
 		return C.PAM_SUCCESS
 	}
 
-- 
cgit v1.3
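Review bot: The new `log.Printf("count is %d and we are not locking", count)` in CloseSession also fires when AdjustCount returns an error, in which case `count` is whatever came back alongside the error (most likely zero), so the log claims the count is 0 — the one value that should trigger locking — while the real reason is the failed count read that `return err` then reports. Split the two cases so the error path just returns the error and only the still-open-sessions path logs the count. On that error path the directories are presumably left unlocked, since the comment says locking only happens once this check passes; that is a fail-open choice and deserves an explicit comment so nobody mistakes it for an oversight. CloseSession's body continues past the hunk.
```go
func CloseSession(handle *pam.Handle, args map[string]bool) error {
	// Only do stuff on session close when we are the last session.
	count, err := AdjustCount(handle, -1)
	if err != nil {
		// NOTE: failing here leaves the user's keys loaded (fails open).
		return err
	}
	if count != 0 {
		log.Printf("%d session(s) still open; not locking", count)
		return nil
	}
	// … unchanged: locking of the user's directories …
```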