From b7399903540c95e89f0ee427fed1de07301fbd93 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Tue, 21 Dec 2021 20:38:03 -0600
Subject: pam_fscrypt: warn user if OLDAUTHTOK not given in chauthtok

If someone runs 'passwd USER' as root, the user is assigned a new login passphrase without their fscrypt login protector being updated. Detect this case and show a warning message using pam_info().

Fixes https://github.com/google/fscrypt/issues/273
---
 pam_fscrypt/pam_fscrypt.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'pam_fscrypt/pam_fscrypt.go')
diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 2e31af9..963d9a5 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -29,6 +29,7 @@ package main
 */
 import "C"
 import (
+ "fmt"
 "log"
 "unsafe"
 
@@ -300,6 +301,14 @@ func lockLoginPolicies(handle *pam.Handle) (bool, error) {
 return needDropCaches, nil
 }
 
+var noOldAuthTokMessage string = `
+pam_fscrypt: cannot update login protector for '%s' because old passphrase
+was not given. This is expected when changing a user's passphrase as root.
+You'll need to manually update the protector's passphrase using:
+
+ fscrypt metadata change-passphrase --protector=%s:%s
+`
+
 // Chauthtok rewraps the login protector when the passphrase changes.
 func Chauthtok(handle *pam.Handle, _ map[string]bool) error {
 if err := handle.StartAsPamUser(); err != nil {
@@ -322,6 +331,9 @@ func Chauthtok(handle *pam.Handle, _ map[string]bool) error {
 }
 authtok, err := handle.GetItem(pam.Oldauthtok)
 if err != nil {
+ handle.InfoMessage(fmt.Sprintf(noOldAuthTokMessage,
+ handle.PamUser.Username,
+ protector.Context.Mount.Path, protector.Descriptor()))
 return nil, errors.Wrap(err, "could not get OLDAUTHTOK")
 }
 return crypto.NewKeyFromCString(authtok)
-- 
cgit v1.2.3
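Review bot: `noOldAuthTokMessage` is initialised from a raw string literal, so `var noOldAuthTokMessage string = ...` is both redundantly typed and needlessly mutable; `const noOldAuthTokMessage = ` followed by the same backquoted literal says what is meant and keeps the format string from being reassigned at runtime. The variable also has no doc comment, and because its three `%s` verbs must stay in the order the `fmt.Sprintf` call in Chauthtok supplies them, I would add `// noOldAuthTokMessage is shown via pam_info when chauthtok has no OLDAUTHTOK (e.g. root running passwd); its verbs are username, mount path, protector descriptor, in that order.` Since the commit description says the login protector is left un-updated in this case, it presumably remains unlockable with the previous passphrase until the user runs the quoted command, which is worth stating in that comment so the urgency of the warning is clear to the next maintainer.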
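Review bot: The new `handle.InfoMessage(...)` call fires on any error from `handle.GetItem(pam.Oldauthtok)`, yet the message asserts one specific cause (the old passphrase was not given); if GetItem can fail for other reasons the user is told something false, so either the absent-item case should be distinguished before showing it or the wording softened to "could not obtain the old passphrase". The return value of `handle.InfoMessage` is discarded — if it returns an error, it should at least be logged with the `log` package the file already imports, otherwise a failed delivery of this warning is silent. The enclosing closure (the one returning `nil, errors.Wrap(...)`) begins before this hunk, so where `protector` is bound is not visible here.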