
Comments (7)

josephlr avatar josephlr commented on May 4, 2024

Looking at the logs, everything seems normal, except that for user UID=1001, OpenSession is called twice and CloseSession is called once. This makes me think that something about your setup is causing two sessions to be opened, but only one to be closed. Are there any more logs for fscrypt? My guess would be it is related to sddm.

The second thing is the permission denied at the end of the logs. I would guess it is caused by CloseSession being called without root privileges.

I'll add some more logging to try to figure this out. This is still Arch Linux with the PAM setup you described previously?

from fscrypt.
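The imbalance josephlr spots above (two OpenSession calls, one CloseSession for the same UID) is easy to miss by eye in a long journal. The following parser is an added example, not code from the fscrypt project: it reads pam_fscrypt journal lines in the format shown in this thread, attributes each "Session count for UID=... updated to N" line to the OpenSession()/CloseSession() call that preceded it in the same PID, and reports UIDs whose sessions never balance. It also collects the "stat ...: permission denied" paths so they can be reviewed separately. The sample log is constructed to mirror the pattern described in the comment.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the pam_fscrypt debug lines posted in this
# thread: two OpenSession calls for UID 1001 (from two PIDs) but only one
# CloseSession, plus one of the "permission denied" stat lines.
SAMPLE_JOURNAL = """\
pam_fscrypt[1188]: Authenticate()
pam_fscrypt[1188]: OpenSession()
pam_fscrypt[1188]: Session count for UID=1001 updated to 1
pam_fscrypt[1203]: OpenSession()
pam_fscrypt[1203]: Session count for UID=1001 updated to 2
pam_fscrypt[1188]: CloseSession(map[debug:true lock_policies:true drop_caches:true])
pam_fscrypt[1188]: Session count for UID=1001 updated to 1
pam_fscrypt[1188]: stat /run/user/0/.fscrypt: permission denied
pam_fscrypt[1188]: Setting privileges to "root"
"""

LINE_RE = re.compile(r"pam_fscrypt\[(\d+)\]: (.*)$")
COUNT_RE = re.compile(r"Session count for UID=(\d+) updated to (\d+)$")


def parse_sessions(lines):
    """Return (per-UID session stats, list of paths that failed with EACCES).

    pam_fscrypt logs OpenSession()/CloseSession() without a UID; the UID only
    appears on the following "Session count" line, so the pending operation is
    remembered per PID and attributed when that line arrives.
    """
    pending = {}  # pid -> "opens" | "closes"
    stats = defaultdict(lambda: {"opens": 0, "closes": 0, "final_count": None})
    denied = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pam_fscrypt line
        pid, msg = m.group(1), m.group(2)
        if msg.startswith("OpenSession("):
            pending[pid] = "opens"
        elif msg.startswith("CloseSession("):
            pending[pid] = "closes"
        elif msg.startswith("Session count for UID="):
            c = COUNT_RE.match(msg)
            if c is None:
                continue
            uid, count = c.group(1), int(c.group(2))
            op = pending.pop(pid, None)
            if op is not None:
                stats[uid][op] += 1
            stats[uid]["final_count"] = count
        elif msg.startswith("stat ") and msg.endswith(": permission denied"):
            denied.append(msg[len("stat "):-len(": permission denied")])
    return dict(stats), denied


def unbalanced_uids(lines):
    """UIDs whose OpenSession/CloseSession calls do not pair up, or whose
    last recorded session count is not zero (keys would stay provisioned)."""
    stats, _ = parse_sessions(lines)
    return sorted(
        uid for uid, s in stats.items()
        if s["opens"] != s["closes"] or s["final_count"] != 0
    )


if __name__ == "__main__":
    stats, denied = parse_sessions(SAMPLE_JOURNAL.splitlines())
    for uid, s in stats.items():
        print(f"UID={uid}: opens={s['opens']} closes={s['closes']} "
              f"final_count={s['final_count']}")
    print("unbalanced:", unbalanced_uids(SAMPLE_JOURNAL.splitlines()))
    print("permission denied on:", denied)
```

On a real system the input would be `journalctl | grep pam_fscrypt`; a non-empty result from `unbalanced_uids` is the signal to look for a second PAM stack (a display manager or user-session module) that opens a session it never closes, as turned out to be the case later in this thread.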

 avatar commented on May 4, 2024

Yeah, it's still Arch Linux. I tried to log in with the console and it still looks like the pam_fscrypt module doesn't work as expected on session close.

Side question: should fscrypt search for its metadata under every filesystem, such as tmpfs, debugfs and so on, which aren't relevant to it? As you can see, it can clutter the logs with denial messages.


 avatar commented on May 4, 2024

I found some misconfiguration with the pam systemd_user module, which invoked pam_fscrypt on its own; I think that was the reason why 2 sessions were opened. Keyrings/caches are still not cleared, but the logs should be clearer. I will post them later.


 avatar commented on May 4, 2024
fscrypt --version
0.2.1-1-ga949b13

Encrypted directory status before login:

# fscrypt status /home/user1/
"/home/user1/" is encrypted with fscrypt.

Policy:   949471831dcf55cf
Unlocked: No

Protected with 1 protector:
PROTECTOR         LINKED   DESCRIPTION
6682ae84e70e99b3  Yes (/)  login protector for user1

Root keyring before login:

# keyctl show
Session Keyring
 500577725 --alswrv      0     0  keyring: _ses
 749555953 --alswrv      0 65534   \_ keyring: _uid.0

Encrypted directory view before login:

# ls -al /home/user1
total 12
drwxr-xr-x 2 user1 user1 4096 Sep  3 16:14 .
drwxr-xr-x 6 root  root  4096 Sep  3 16:10 ..
-rw-r--r-- 1 user1 user1  220 Sep  5 14:26 kqzCh1XWtdVwkE,KK35Atmzw5sgMJX7LstIonhmQBjF

user1 logs in:

# journalctl -f |grep fscrypt
pam_fscrypt[1188]: Authenticate()
pam_fscrypt[1188]: Setreuid(1001, 0) = <nil>
pam_fscrypt[1188]: keyringID(_uid.1001) = 173465956, <nil>
pam_fscrypt[1188]: Setreuid(0, 1001) = <nil>
pam_fscrypt[1188]: KeyctlLink(173465956, -2) = <nil>
pam_fscrypt[1188]: Setreuid(0, 0) = <nil>
pam_fscrypt[1188]: keyringID(_uid.0) = 749555953, <nil>
pam_fscrypt[1188]: KeyctlLink(749555953, -2) = <nil>
pam_fscrypt[1188]: KeyctlLink(173465956, 749555953) = <nil>
pam_fscrypt[1188]: Setting privileges to "user1"
pam_fscrypt[1188]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1188]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1188]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1188]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1188]: creating context for "user1"
pam_fscrypt[1188]: found ext4 filesystem "/" (/dev/sda5)
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/11a49a6b632db2bb"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1188]: copying AUTHTOK for use in the session open
pam_fscrypt[1188]: Setting privileges to "root"
pam_fscrypt[1188]: Setreuid(-1, 0) = <nil>
pam_fscrypt[1188]: Setregid(-1, 0) = <nil>
pam_fscrypt[1188]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[1188]: pam func succeeded
pam_fscrypt[1188]: OpenSession()
pam_fscrypt[1188]: Session count for UID=1001 updated to 1
pam_fscrypt[1188]: KeyctlLink(173465956, 749555953) = <nil>
pam_fscrypt[1188]: Setting privileges to "user1"
pam_fscrypt[1188]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1188]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1188]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1188]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1188]: creating context for "user1"
pam_fscrypt[1188]: found ext4 filesystem "/" (/dev/sda5)
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/11a49a6b632db2bb"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1188]: got data for 949471831dcf55cf from "/"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/policies/13cb92d62226353b

Encrypted directory status after user1 login:

# fscrypt status /home/user1/
"/home/user1/" is encrypted with fscrypt.

Policy:   949471831dcf55cf
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED   DESCRIPTION
6682ae84e70e99b3  Yes (/)  login protector for user1

root keyring after user1 login:

# keyctl show
Session Keyring
 500577725 --alswrv      0     0  keyring: _ses
 749555953 --alswrv      0 65534   \_ keyring: _uid.0
 173465956 ---lswrv   1001 65534       \_ keyring: _uid.1001
 462364131 --alsw-v   1001  1001           \_ logon: ext4:949471831dcf55cf

Encrypted directory view after user1 login:

# ls -al /home/user1
total 12
drwxr-xr-x 2 user1 user1 4096 Sep  3 16:14 .
drwxr-xr-x 6 root  root  4096 Sep  3 16:10 ..
-rw-r--r-- 1 user1 user1  220 Sep  5 14:26 .bash_history

user1 logout:

# journalctl -f |grep fscrypt
pam_fscrypt[1188]: CloseSession(map[debug:true lock_policies:true drop_caches:true])
pam_fscrypt[1188]: Session count for UID=1001 updated to 0
pam_fscrypt[1188]: locking polices protected with login protector
pam_fscrypt[1188]: KeyctlLink(173465956, 749555953) = <nil>
pam_fscrypt[1188]: Setting privileges to "user1"
pam_fscrypt[1188]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1188]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1188]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1188]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1188]: creating context for "user1"
pam_fscrypt[1188]: found ext4 filesystem "/" (/dev/sda5)
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/11a49a6b632db2bb"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1188]: got data for 949471831dcf55cf from "/"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/policies/13cb92d62226353b"
pam_fscrypt[1188]: got data for 13cb92d62226353b from "/"
pam_fscrypt[1188]: stat /run/user/0/.fscrypt: permission denied
pam_fscrypt[1188]: stat /run/user/0/.fscrypt/policies: permission denied
pam_fscrypt[1188]: stat /run/user/0/.fscrypt/protectors: permission denied
pam_fscrypt[1188]: stat /run/user/995/.fscrypt: permission denied
pam_fscrypt[1188]: stat /run/user/995/.fscrypt/policies: permission denied
pam_fscrypt[1188]: stat /run/user/995/.fscrypt/protectors: permission denied
pam_fscrypt[1188]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[1188]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[1188]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[1188]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[1188]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[1188]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
pam_fscrypt[1188]: stat /var/local/makepkg/build/.fscrypt: permission denied
pam_fscrypt[1188]: stat /var/local/makepkg/build/.fscrypt/policies: permission denied
pam_fscrypt[1188]: stat /var/local/makepkg/build/.fscrypt/protectors: permission denied
pam_fscrypt[1188]: keyringID(session) = -1, key has been revoked
pam_fscrypt[1188]: policy 949471831dcf55cf not provisioned
pam_fscrypt[1188]: Setting privileges to "root"

Encrypted directory status after user1 logout:

# fscrypt status /home/user1/
"/home/user1/" is encrypted with fscrypt.

Policy:   949471831dcf55cf
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED   DESCRIPTION
6682ae84e70e99b3  Yes (/)  login protector for user1

root keyring after user1 logout:

# keyctl show
Session Keyring
 500577725 --alswrv      0     0  keyring: _ses
 749555953 --alswrv      0 65534   \_ keyring: _uid.0
 173465956 ---lswrv   1001 65534       \_ keyring: _uid.1001
 462364131 --alsw-v   1001  1001           \_ logon: ext4:949471831dcf55cf

Encrypted directory view after user1 logout:

# ls -al /home/user1
total 12
drwxr-xr-x 2 user1 user1 4096 Sep  3 16:14 .
drwxr-xr-x 6 root  root  4096 Sep  3 16:10 ..
-rw-r--r-- 1 user1 user1  225 Sep  8 12:02 .bash_history

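The before/after snapshots above make the failure visible: after logout the `logon: ext4:949471831dcf55cf` key is still linked under `_uid.1001` and `fscrypt status` still reports `Unlocked: Yes`. The following is an added example, not fscrypt project code, that turns that manual comparison into a check: it parses `keyctl show` output into a tree (using the `\_` marker column for nesting), finds which keyring holds the logon key for a given policy, reads the `Unlocked:` line of `fscrypt status`, and lists what is still provisioned after logout. The sample inputs are constructed copies of the outputs posted in this thread.

```python
import re

# Constructed samples, shaped like the `keyctl show` output in this thread.
KEYCTL_BEFORE_LOGIN = r"""Session Keyring
 500577725 --alswrv      0     0  keyring: _ses
 749555953 --alswrv      0 65534   \_ keyring: _uid.0
"""

KEYCTL_AFTER_LOGOUT = r"""Session Keyring
 500577725 --alswrv      0     0  keyring: _ses
 749555953 --alswrv      0 65534   \_ keyring: _uid.0
 173465956 ---lswrv   1001 65534       \_ keyring: _uid.1001
 462364131 --alsw-v   1001  1001           \_ logon: ext4:949471831dcf55cf
"""

# Constructed samples, shaped like `fscrypt status /home/user1/` output.
STATUS_BEFORE_LOGIN = "Policy:   949471831dcf55cf\nUnlocked: No\n"
STATUS_AFTER_LOGOUT = "Policy:   949471831dcf55cf\nUnlocked: Yes\n"

# serial, permissions, uid, gid, then the (possibly indented) description
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\d+\s+\d+\s+(.*)$")


def parse_keyctl_show(text):
    """Return a list of (serial, key_type, description, parent_keyring).

    Nesting depth is taken from the column of the "\\_" marker; a line without
    the marker is the root keyring. A stack of enclosing keyrings resolves
    each key's parent.
    """
    entries = []
    stack = []  # (marker_column, keyring description)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Session Keyring" header or blank line
        serial, rest = int(m.group(1)), m.group(2)
        marker = line.find("\\_")
        body = rest if marker < 0 else line[marker + 2:].strip()
        key_type, _, desc = body.partition(": ")
        while stack and stack[-1][0] >= marker:
            stack.pop()
        parent = stack[-1][1] if stack else None
        entries.append((serial, key_type, desc, parent))
        if key_type == "keyring":
            stack.append((marker, desc))
    return entries


def policy_key_holders(keyctl_text, policy):
    """Keyrings that still hold the ext4 logon key for `policy`."""
    return [parent for _, key_type, desc, parent in parse_keyctl_show(keyctl_text)
            if key_type == "logon" and desc == f"ext4:{policy}"]


def status_unlocked(status_text):
    """True if `fscrypt status` reports the directory as unlocked."""
    for line in status_text.splitlines():
        if line.startswith("Unlocked:"):
            return line.split(":", 1)[1].strip() == "Yes"
    raise ValueError("no 'Unlocked:' line in fscrypt status output")


def audit_logout(keyctl_text, status_text, uid, policy):
    """Findings that should be empty once the user's session has closed."""
    findings = []
    holders = policy_key_holders(keyctl_text, policy)
    if f"_uid.{uid}" in holders:
        findings.append(f"logon key ext4:{policy} still linked in _uid.{uid}")
    if status_unlocked(status_text):
        findings.append(f"policy {policy} still reported as Unlocked")
    return findings


if __name__ == "__main__":
    for label, keyctl, status in [("before login", KEYCTL_BEFORE_LOGIN, STATUS_BEFORE_LOGIN),
                                  ("after logout", KEYCTL_AFTER_LOGOUT, STATUS_AFTER_LOGOUT)]:
        print(label, audit_logout(keyctl, status, 1001, "949471831dcf55cf"))
```

Run as root with the live outputs of `keyctl show` and `fscrypt status <dir>` after the user has logged out; any finding means the home directory's contents are still readable by anyone who can reach the keyring, which is exactly the state the listings above show.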

 avatar commented on May 4, 2024

It's clear that the encrypted directory isn't locked and the keyring isn't cleared after logout. I found this line interesting:
pam_fscrypt[1188]: keyringID(session) = -1, key has been revoked
Does the -1 value mean that nothing has actually been revoked?


josephlr avatar josephlr commented on May 4, 2024

The PR I just pushed should have fixed the issue. When logging out, your session keyring was going away before the key could be cleared. This isn't really a problem, as fscrypt removes the key from the user keyring anyway.


josephlr avatar josephlr commented on May 4, 2024

Please reopen this if my fix didn't work.
