From 61464729e79d4b27a878718a92e4e3b70f7ad317 Mon Sep 17 00:00:00 2001
From: ebiggers
Date: Tue, 24 Sep 2019 04:04:02 -0700
Subject: cmd/fscrypt: make 'fscrypt setup' create /.fscrypt (#149)

Make the global setup command also create the metadata directory at /.fscrypt, since that's where login protectors are placed, even when the actual encrypted directories are on a different filesystem. Resolves https://github.com/google/fscrypt/issues/129
---
 cmd/fscrypt/commands.go | 48 ++++++++++++++++++++++++++++++------------------
 cmd/fscrypt/setup.go | 2 --
 2 files changed, 30 insertions(+), 20 deletions(-)
(limited to 'cmd')
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index f70ba46..d71b427 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -41,38 +41,50 @@ var Setup = cli.Command{
 ArgsUsage: fmt.Sprintf("[%s]", mountpointArg),
 Usage: "perform global setup or filesystem setup",
 Description: fmt.Sprintf(`This command creates fscrypt's global config
- file or enables fscrypt on a filesystem.
-
- (1) When used without %[1]s, create the parameters in %[2]s.
- This is primarily used to configure the passphrase hashing
- parameters to the appropriate hardness (as determined by %[3]s).
- Being root is required to write the config file.
-
- (2) When used with %[1]s, enable fscrypt on %[1]s. This involves
- creating the necessary folders on the filesystem which will hold
- the metadata structures. Begin root may be required to create
- these folders.`, mountpointArg, actions.ConfigFileLocation,
+ file and/or prepares a filesystem for use with fscrypt.
+
+ (1) When used without %[1]s, this command creates the global
+ config file %[2]s and the fscrypt metadata directory for the
+ root filesystem (i.e. /.fscrypt). This requires root privileges.
+ The passphrase hashing parameters in %[2]s are automatically set
+ to an appropriate hardness, as determined by %[3]s. The root
+ filesystem's metadata directory is created even if the root
+ filesystem doesn't support encryption itself, since it's where
+ login passphrase protectors are stored.
+
+ (2) When used with %[1]s, this command creates the fscrypt
+ metadata directory for the filesystem mounted at %[1]s. This
+ allows fscrypt to be used on that filesystem, provided that any
+ kernel and filesystem-specific prerequisites are also met (see
+ the README). This may require root privileges.`,
+ mountpointArg, actions.ConfigFileLocation,
 shortDisplay(timeTargetFlag)),
 Flags: []cli.Flag{timeTargetFlag, legacyFlag, forceFlag},
 Action: setupAction,
 }
 
 func setupAction(c *cli.Context) error {
- var err error
 switch c.NArg() {
 case 0:
 // Case (1) - global setup
- err = createGlobalConfig(c.App.Writer, actions.ConfigFileLocation)
+ if err := createGlobalConfig(c.App.Writer, actions.ConfigFileLocation); err != nil {
+ return newExitError(c, err)
+ }
+ if err := setupFilesystem(c.App.Writer, "/"); err != nil {
+ if errors.Cause(err) != filesystem.ErrAlreadySetup {
+ return newExitError(c, err)
+ }
+ fmt.Fprintf(c.App.Writer,
+ "Skipping creating /.fscrypt because it already exists.\n")
+ }
 case 1:
 // Case (2) - filesystem setup
- err = setupFilesystem(c.App.Writer, c.Args().Get(0))
+ if err := setupFilesystem(c.App.Writer, c.Args().Get(0)); err != nil {
+ return newExitError(c, err)
+ }
 default:
 return expectedArgsErr(c, 1, true)
 }
-
- if err != nil {
- return newExitError(c, err)
- }
 return nil
 }
 
diff --git a/cmd/fscrypt/setup.go b/cmd/fscrypt/setup.go
index f2fff96..2bb15ef 100644
--- a/cmd/fscrypt/setup.go
+++ b/cmd/fscrypt/setup.go
@@ -72,7 +72,5 @@ func setupFilesystem(w io.Writer, path string) error {
 }
 
 fmt.Fprintf(w, "Metadata directories created at %q.\n", ctx.Mount.BaseDir())
- fmt.Fprintf(w, "Filesystem %q (%s) ready for use with %s encryption.\n",
- ctx.Mount.Path, ctx.Mount.Device, ctx.Mount.Filesystem)
 return nil
 }
-- 
cgit v1.2.3
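Review bot: The `filesystem.ErrAlreadySetup` branch in case 0 of `setupAction` accepts whatever already sits at /.fscrypt and only prints a skip message; nothing visible in this hunk checks that the existing directory is owned by root or has the expected mode, even though the new help text says this is where login passphrase protectors are stored. `setupFilesystem` is defined in setup.go and may validate this, which cannot be confirmed from here. If it does not, I would at least document the assumption above the branch, e.g. `// An existing /.fscrypt is trusted as-is; its owner and mode are not re-checked here.`, and consider failing rather than skipping when the owner is not root. Separately, `createGlobalConfig` runs first and any error from it returns before `setupFilesystem` is reached, so if it fails on an existing config file (not visible here), a host with a config but no /.fscrypt never gets the directory.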