Comments (7)
Looking at the logs, everything seems normal, except that for user UID=1001, OpenSession is called twice and CloseSession is called once. This makes me think that something about your setup is causing two sessions to be opened, but only one to be closed. Are there any more logs for fscrypt? My guess would be it is related to sddm.
The second thing is that permission denied at end of the logs. I would guess it is caused by CloseSession being called without root privileges.
I'll add some more logging to try to figure this out. This is still Arch Linux with the PAM setup you described previously?
Yeah, it's still Arch Linux. I tried to log in from the console and it still looks like the pam_fscrypt module doesn't work as expected on session close.
Side question: should fscrypt search for its metadata under every filesystem such as tmpfs, debugfs and so on, which aren't relevant to it? As you can see, it can clutter the logs with denial messages.
I found some misconfiguration with the pam systemd_user module, which invoked pam_fscrypt on its own; I think that was the reason why 2 sessions were opened. Keyrings/caches are still not cleared, but the logs should be clearer. I'll post them later.
fscrypt --version
0.2.1-1-ga949b13
Encrypted directory status before login:
# fscrypt status /home/user1/
"/home/user1/" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: No
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
6682ae84e70e99b3 Yes (/) login protector for user1
Root keyring before login:
# keyctl show
Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
Encrypted directory view before login:
# ls -al /home/user1
total 12
drwxr-xr-x 2 user1 user1 4096 Sep 3 16:14 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
-rw-r--r-- 1 user1 user1 220 Sep 5 14:26 kqzCh1XWtdVwkE,KK35Atmzw5sgMJX7LstIonhmQBjF
user1 logs in:
# journalctl -f |grep fscrypt
pam_fscrypt[1188]: Authenticate()
pam_fscrypt[1188]: Setreuid(1001, 0) = <nil>
pam_fscrypt[1188]: keyringID(_uid.1001) = 173465956, <nil>
pam_fscrypt[1188]: Setreuid(0, 1001) = <nil>
pam_fscrypt[1188]: KeyctlLink(173465956, -2) = <nil>
pam_fscrypt[1188]: Setreuid(0, 0) = <nil>
pam_fscrypt[1188]: keyringID(_uid.0) = 749555953, <nil>
pam_fscrypt[1188]: KeyctlLink(749555953, -2) = <nil>
pam_fscrypt[1188]: KeyctlLink(173465956, 749555953) = <nil>
pam_fscrypt[1188]: Setting privileges to "user1"
pam_fscrypt[1188]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1188]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1188]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1188]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1188]: creating context for "user1"
pam_fscrypt[1188]: found ext4 filesystem "/" (/dev/sda5)
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/11a49a6b632db2bb"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1188]: copying AUTHTOK for use in the session open
pam_fscrypt[1188]: Setting privileges to "root"
pam_fscrypt[1188]: Setreuid(-1, 0) = <nil>
pam_fscrypt[1188]: Setregid(-1, 0) = <nil>
pam_fscrypt[1188]: Setgroups([0 1 2 3 4 6 10 19]) = <nil>
pam_fscrypt[1188]: pam func succeeded
pam_fscrypt[1188]: OpenSession()
pam_fscrypt[1188]: Session count for UID=1001 updated to 1
pam_fscrypt[1188]: KeyctlLink(173465956, 749555953) = <nil>
pam_fscrypt[1188]: Setting privileges to "user1"
pam_fscrypt[1188]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1188]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1188]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1188]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1188]: creating context for "user1"
pam_fscrypt[1188]: found ext4 filesystem "/" (/dev/sda5)
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/11a49a6b632db2bb"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1188]: got data for 949471831dcf55cf from "/"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/policies/13cb92d62226353b
Encrypted directory status after user1 login:
# fscrypt status /home/user1/
"/home/user1/" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
6682ae84e70e99b3 Yes (/) login protector for user1
root keyring after user1 login:
# keyctl show
Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
173465956 ---lswrv 1001 65534 \_ keyring: _uid.1001
462364131 --alsw-v 1001 1001 \_ logon: ext4:949471831dcf55cf
Encrypted directory view after user1 login:
# ls -al /home/user1
total 12
drwxr-xr-x 2 user1 user1 4096 Sep 3 16:14 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
-rw-r--r-- 1 user1 user1 220 Sep 5 14:26 .bash_history
user1 logout:
# journalctl -f |grep fscrypt
pam_fscrypt[1188]: CloseSession(map[debug:true lock_policies:true drop_caches:true])
pam_fscrypt[1188]: Session count for UID=1001 updated to 0
pam_fscrypt[1188]: locking polices protected with login protector
pam_fscrypt[1188]: KeyctlLink(173465956, 749555953) = <nil>
pam_fscrypt[1188]: Setting privileges to "user1"
pam_fscrypt[1188]: Setregid(-1, 1001) = <nil>
pam_fscrypt[1188]: Setgroups([1001 6 7 90 91 92 93 95 96 98]) = <nil>
pam_fscrypt[1188]: Setreuid(-1, 1001) = <nil>
pam_fscrypt[1188]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[1188]: creating context for "user1"
pam_fscrypt[1188]: found ext4 filesystem "/" (/dev/sda5)
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/11a49a6b632db2bb"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: Getting protector 6682ae84e70e99b3 from option
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/protectors/6682ae84e70e99b3"
pam_fscrypt[1188]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[1188]: found 2 descriptor(s)
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/policies/949471831dcf55cf"
pam_fscrypt[1188]: got data for 949471831dcf55cf from "/"
pam_fscrypt[1188]: successfully read metadata from "/.fscrypt/policies/13cb92d62226353b"
pam_fscrypt[1188]: got data for 13cb92d62226353b from "/"
pam_fscrypt[1188]: stat /run/user/0/.fscrypt: permission denied
pam_fscrypt[1188]: stat /run/user/0/.fscrypt/policies: permission denied
pam_fscrypt[1188]: stat /run/user/0/.fscrypt/protectors: permission denied
pam_fscrypt[1188]: stat /run/user/995/.fscrypt: permission denied
pam_fscrypt[1188]: stat /run/user/995/.fscrypt/policies: permission denied
pam_fscrypt[1188]: stat /run/user/995/.fscrypt/protectors: permission denied
pam_fscrypt[1188]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[1188]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[1188]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[1188]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[1188]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[1188]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
pam_fscrypt[1188]: stat /var/local/makepkg/build/.fscrypt: permission denied
pam_fscrypt[1188]: stat /var/local/makepkg/build/.fscrypt/policies: permission denied
pam_fscrypt[1188]: stat /var/local/makepkg/build/.fscrypt/protectors: permission denied
pam_fscrypt[1188]: keyringID(session) = -1, key has been revoked
pam_fscrypt[1188]: policy 949471831dcf55cf not provisioned
pam_fscrypt[1188]: Setting privileges to "root"
Encrypted directory status after user1 logout:
# fscrypt status /home/user1/
"/home/user1/" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: Yes
Protected with 1 protector:
PROTECTOR LINKED DESCRIPTION
6682ae84e70e99b3 Yes (/) login protector for user1
root keyring after user1 logout:
# keyctl show
Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
173465956 ---lswrv 1001 65534 \_ keyring: _uid.1001
462364131 --alsw-v 1001 1001 \_ logon: ext4:949471831dcf55cf
Encrypted directory view after user1 logout:
# ls -al /home/user1
total 12
drwxr-xr-x 2 user1 user1 4096 Sep 3 16:14 .
drwxr-xr-x 6 root root 4096 Sep 3 16:10 ..
-rw-r--r-- 1 user1 user1 225 Sep 8 12:02 .bash_history
It's clear that the encrypted directory isn't locked and the keyring isn't cleared after logout. I found this line interesting:
pam_fscrypt[1188]: keyringID(session) = -1, key has been revoked
Does the -1 value mean that nothing has actually been revoked?
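The state the report above compares before and after logout (fscrypt status, keyctl show) can be checked mechanically. The following script is an added example, not code from the fscrypt project or from this thread; it assumes only that "fscrypt status <dir>" prints an "Unlocked:" line and that "keyctl show" prints one line per key, as in the dumps above, and the sample outputs embedded in it are constructed to mirror the after-logout state shown in the thread.

```shell
#!/bin/sh
# Added example (not from fscrypt or the thread): decide whether a user's
# fscrypt policy key is really gone after logout by inspecting the output of
# "fscrypt status <dir>" and "keyctl show". Sample outputs below are constructed.

# Return 0 if "fscrypt status" output reports the directory as unlocked.
status_unlocked() {
    printf '%s\n' "$1" | grep -q '^Unlocked: Yes$'
}

# Return 0 if a "keyctl show" dump still lists the logon key for policy $2.
keyring_has_policy() {
    printf '%s\n' "$1" | grep -q "logon: ext4:$2\$"
}

# Print a verdict; return 0 only when the directory is locked AND its policy
# key is absent from the keyring hierarchy shown in "$2".
check_locked_after_logout() {
    status="$1"; keyring="$2"; policy="$3"; rc=0
    if status_unlocked "$status"; then
        echo "FAIL: directory still reports Unlocked: Yes"; rc=1
    fi
    if keyring_has_policy "$keyring" "$policy"; then
        echo "FAIL: logon key ext4:$policy still present in keyring"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: directory locked and key removed"
    return "$rc"
}

# Constructed sample: the after-logout state from the thread (still unlocked).
SAMPLE_STATUS='"/home/user1/" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: Yes'
SAMPLE_KEYRING='Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0
173465956 ---lswrv 1001 65534 \_ keyring: _uid.1001
462364131 --alsw-v 1001 1001 \_ logon: ext4:949471831dcf55cf'

# Constructed sample: what a correct logout should look like.
LOCKED_STATUS='"/home/user1/" is encrypted with fscrypt.
Policy: 949471831dcf55cf
Unlocked: No'
CLEAN_KEYRING='Session Keyring
500577725 --alswrv 0 0 keyring: _ses
749555953 --alswrv 0 65534 \_ keyring: _uid.0'

# Live use (as root, after the user has logged out):
# check_locked_after_logout "$(fscrypt status /home/user1)" "$(keyctl show)" 949471831dcf55cf
```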
The PR I just pushed should have fixed the issue. When logging out, your session keyring was going away before the key could be cleared. This isn't really a problem, as fscrypt removes the key from the user keyring anyway.
Please reopen this if my fix didn't work.