From d0ac36dcea341ff000aca983dd80e7bef9fc30ec Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sun, 15 Dec 2019 19:31:39 -0800 Subject: pam_fscrypt: update to handle filesystem keyring FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY require root for v1 policy keys, so update the PAM module to re-acquire root privileges while provisioning/deprovisioning policies that need this. Also, only set up the user keyring if it will actually be used. --- pam/pam.go | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'pam/pam.go') diff --git a/pam/pam.go b/pam/pam.go index ece6bda..54a60e2 100644 --- a/pam/pam.go +++ b/pam/pam.go @@ -34,7 +34,6 @@ import ( "os/user" "unsafe" - "github.com/google/fscrypt/keyring" "github.com/google/fscrypt/security" ) @@ -128,26 +127,31 @@ func (h *Handle) GetItem(i Item) (unsafe.Pointer, error) { return data, nil } -// StartAsPamUser sets the effective privileges to that of the PAM user, and -// configures the PAM user's keyrings to be properly linked. +// StartAsPamUser sets the effective privileges to that of the PAM user. func (h *Handle) StartAsPamUser() error { - if _, err := keyring.UserKeyringID(h.PamUser, true); err != nil { - log.Printf("Setting up keyrings in PAM: %v", err) - } userPrivs, err := security.UserPrivileges(h.PamUser) if err != nil { return err } - if h.origPrivs, err = security.ProcessPrivileges(); err != nil { + origPrivs, err := security.ProcessPrivileges() + if err != nil { + return err + } + if err = security.SetProcessPrivileges(userPrivs); err != nil { return err } - return security.SetProcessPrivileges(userPrivs) + h.origPrivs = origPrivs + return nil } // StopAsPamUser restores the original privileges that were running the // PAM module (this is usually root). func (h *Handle) StopAsPamUser() error { + if h.origPrivs == nil { + return nil + } err := security.SetProcessPrivileges(h.origPrivs) + h.origPrivs = nil if err != nil { log.Print(err) } -- cgit v1.2.3