Merged
11 changes: 9 additions & 2 deletions README.md
@@ -536,8 +536,15 @@ after `pam_unix.so` in `/etc/pam.d/common-session` or similar, but before
which starts processes that access the user's home directory during their
session.

To make `pam_fscrypt.so` print debugging messages to the system log, add the
`debug` option. All hook types accept this option.
`pam_fscrypt.so` accepts several options:

* `debug`: print additional debug messages to the syslog. All hook types accept
this option.

* `unlock_only`: only unlock directories (at log-in); don't also lock them (at
log-out). This is only relevant for the "session" hook. Note that in
`fscrypt` v0.2.9 and earlier, unlock-only was the default behavior, and
`lock_policies` needed to be specified to enable locking.

### Allowing `fscrypt` to check your login passphrase

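Review bot: the new `unlock_only` bullet explains the pre-v0.2.10 default but never says what `lock_policies` does today, even though the accompanying `pam_fscrypt.go` change documents it as an accepted no-op kept for compatibility with existing config files. A reader who still has `lock_policies` in `/etc/pam.d/common-session` cannot tell from this README whether it is still meaningful or whether `unlock_only` takes precedence when both are given. Suggest adding a sentence to the `unlock_only` bullet along the lines of: "`lock_policies` is still accepted for compatibility but has no effect; if both are given, `unlock_only` wins." A one-line example of the resulting `session` entry (e.g. `session optional pam_fscrypt.so unlock_only`) would also make the hook-specific scope concrete.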
29 changes: 17 additions & 12 deletions pam_fscrypt/pam_fscrypt.go
@@ -55,9 +55,12 @@ const (
debugFlag = "debug"

// This option is accepted for compatibility with existing config files,
// but now we lock policies unconditionally and this option is a no-op.
// but now we lock policies by default and this option is a no-op.
lockPoliciesFlag = "lock_policies"

// Only unlock directories, don't lock them.
unlockOnlyFlag = "unlock_only"

// This option is accepted for compatibility with existing config files,
// but it no longer does anything. pam_fscrypt now drops caches if and
// only if it is needed. (Usually it is not needed anymore, as the
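Review bot: the comment on `unlockOnlyFlag` ("Only unlock directories, don't lock them.") omits the scope the README gives it, namely that it only affects the session hook; the other hook types accept the option but ignore it. Since the surrounding comments on `lockPoliciesFlag` and the drop-caches option already spell out compatibility and scope details, suggest extending this one to match, for example "Only unlock directories at session open; don't lock them at session close. Only relevant for the session hook." It would also help to note here, next to the now-no-op `lockPoliciesFlag`, that `unlock_only` takes precedence when both appear in a config line, so the precedence rule lives beside the flag definitions rather than only in `CloseSession`.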
@@ -279,19 +282,21 @@ func CloseSession(handle *pam.Handle, args map[string]bool) error {
// Don't automatically drop privileges, since we may need them to
// deprovision policies or to drop caches.

log.Print("locking policies protected with login protector")
needDropCaches, errLock := lockLoginPolicies(handle)

var errCache error
if needDropCaches {
log.Print("dropping appropriate filesystem caches at session close")
errCache = security.DropFilesystemCache()
}
if !args[unlockOnlyFlag] {
log.Print("locking policies protected with login protector")
needDropCaches, errLock := lockLoginPolicies(handle)

if errLock != nil {
return errLock
var errCache error
if needDropCaches {
log.Print("dropping appropriate filesystem caches at session close")
errCache = security.DropFilesystemCache()
}
if errLock != nil {
return errLock
}
return errCache
}
return errCache
return nil
}

// lockLoginPolicies deprovisions all policy keys that are protected by the
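Review bot: when `unlock_only` is set, `CloseSession` now silently returns `nil` without any log line, which makes it hard for an operator using the `debug` option to confirm that locking was skipped on purpose rather than not reached; suggest logging before the early exit, e.g. `log.Print("unlock_only set, not locking policies at session close")`. As a style point, the whole body of the function is now nested one level inside `if !args[unlockOnlyFlag] {`; an early `if args[unlockOnlyFlag] { ...; return nil }` at the top would keep the locking and cache-drop logic at its original indentation and reduce the diff to a few lines, which also makes it easier to see that the `errLock`-before-`errCache` return ordering is unchanged.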