Comments (16)
This may be the bug I'm fixing with #97. It was causing glibc to silently abort() the login process later in the PAM stack, so the login prompt would just appear again. It may have started appearing after 5d71e1d switched Argon2 implementations from C to Go, because that may have started making the Go runtime leave extra threads around.
from fscrypt.
Sure, I'll post the links here when I've reproduced it in a VM 👍
from fscrypt.
@sebadoom Thanks for reporting this! For the life of me I cannot figure out how you're hitting this on bd2ca31 but not on 141265f. It looks like the only stuff that was changed between those versions has nothing to do with the pam modules.
I really want to get a system where this is breaking. You mentioned ArchLinux and GDE, anything else installed relating to login or PAM?
from fscrypt.
Nope, fairly standard ArchLinux installation: GDM + Gnome, all up-to-date, no external repos (all standard), standard PAM (except for fscrypt). If you are willing to wait for a bit, I think I can prepare a VM image with Arch to see if I can repro it there.
from fscrypt.
If you could, that would be amazing. I think I'm also going to finally set up ArchLinux myself (it sounds fun).
from fscrypt.
Unfortunately, I did a complete clean Arch install in a VM and I haven't been able to reproduce this. It does happen on my main system though. I did not install revision 141265f first in the VM before installing HEAD, I just went straight to HEAD. I'm guessing there is some sort of incompatibility between the metadata stored in the disk between versions. I did notice the protoc version was bumped, could that be the cause? I will now try to do a full reinstall but first go through the revision that is working on my main system before updating to HEAD and report back.
from fscrypt.
Nope, cannot reproduce this on a VM. I'm out of ideas. There's something definitely odd about my system: I am not hitting #77 but I am hitting this. And in the VM I posted in #77 I am hitting that bug but not this one!
from fscrypt.
@sebadoom Thanks for helping out in looking into this. I checked out the metadata compatibility issue. All metadata for fscrypt are just binary protobufs, so an incompatibility there would be a serious bug.
I did a quick check, and HEAD can read metadata created by v0.2.2 and 141265f, so that's (unfortunately) not it. I have a theory that upgrades while a user is logged in might trigger this in some way. I think hacking on your VM in #77 might be enlightening.
from fscrypt.
I've been trying to trigger this in the VM by performing updates while logged in with the user whose home is encrypted and unlocked by pam_fscrypt.so to no avail. If you want me to run more tests, let me know.
from fscrypt.
I would suggest checking if pam_keyinit.so is called in /etc/pam.d/systemd-user
I put full details in an Ubuntu bug here, but the short version is that without this the session keyring is not linked to the user keyring and thus the key is not used even if it exists in the user keyring.
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1754270
Though this is arch you mentioned it being broken on your main system but not a fresh install. So perhaps the PAM config on your main system was different and/or not updated to a newer config style at some point.
If that's not the issue please ignore the noise!
from fscrypt.
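The check suggested in the comment above, as an added example that is not part of the original thread or of fscrypt: a shell function that reports whether a PAM service's session stack reaches pam_keyinit.so, following include, substack and @include lines. The service names and sample files are constructed for the demonstration; on a real system the directory defaults to /etc/pam.d.

```shell
#!/bin/sh
# Added example, not fscrypt code: does a PAM service's "session" stack reach
# MODULE, following include/substack/@include? Line continuations are ignored.
# usage: pam_session_has MODULE SERVICE [PAM_DIR]   (exit status 0 = found)
pam_session_has() {
    local module="$1" service="$2" dir="${3:-/etc/pam.d}" seen="${4:-}"
    local type control rest target
    [ -r "$dir/$service" ] || return 1
    case " $seen " in *" $service "*) return 1 ;; esac   # include-loop guard
    seen="$seen $service"
    while read -r type control rest; do
        type="${type#-}"                 # "-session": quiet if module is missing
        case "$type" in
            @include)                    # Debian/Ubuntu form, pulls in every type
                pam_session_has "$module" "$control" "$dir" "$seen" && return 0
                continue ;;
            session) ;;
            *) continue ;;               # comments, blanks, auth/account/password
        esac
        case "$control" in
            '['*']') ;;                  # one-word control: [default=ignore]
            '['*) rest="${rest#*]}" ;;   # multi-word: [success=ok default=ignore]
        esac
        target=$(printf '%s\n' "$rest" | awk '{print $1}')
        case "$control" in
            include|substack)
                pam_session_has "$module" "$target" "$dir" "$seen" && return 0 ;;
            *) [ "${target##*/}" = "$module" ] && return 0 ;;
        esac
    done < "$dir/$service"
    return 1
}

# Constructed sample configs (hypothetical service names, not from any distro).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed: nothing here sets up a session keyring' \
    'session required pam_limits.so' \
    'session include base-session' > "$demo_dir/svc-missing"
printf '%s\n' 'session [success=ok default=ignore] pam_env.so' \
    'session optional pam_fscrypt.so' > "$demo_dir/base-session"
printf '%s\n' 'session include keyring-session' \
    'session include base-session' > "$demo_dir/svc-ok"
printf '%s\n' '-session optional /usr/lib/security/pam_keyinit.so force revoke' \
    > "$demo_dir/keyring-session"
for svc in svc-missing svc-ok; do
    if pam_session_has pam_keyinit.so "$svc" "$demo_dir"; then echo "$svc: found"
    else echo "$svc: pam_keyinit.so not in session stack"; fi
done
```

To run the check from the comment on a live system, call `pam_session_has pam_keyinit.so systemd-user` and compare the result between the working and the failing machine.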
> I would suggest checking if pam_keyinit.so is called in /etc/pam.d/systemd-user

It should by default on Arch. https://git.archlinux.org/svntogit/packages.git/plain/trunk/systemd-user.pam?h=packages/systemd
from fscrypt.
> Though this is arch you mentioned it being broken on your main system but not a fresh install. So perhaps the PAM config on your main system was different and/or not updated to a newer config style at some point.

I did compare the main PAM files from both systems and they matched. There must be some other difference but I haven't been able to find it.
from fscrypt.
Chiming in to say that this affects my Arch system as well. After downgrading, I tried upgrading again with no user logged in and policies locked, it made no difference.
@sebadoom - I noted that your PAM config is different from mine, as I just put pam_fscrypt.so in system-auth. Is there a reason to put stuff in system-login?
from fscrypt.
Using version v0.2.3-8-g3e32282 now and everything seems to be in order.
from fscrypt.
I can confirm revision 3e32282 appears to fix the problem. Great catch @ebiggers.
from fscrypt.
Closing as v0.2.4 contains this fix and will shortly be picked up by Ubuntu/Debian/AUR.
Thanks again @ebiggers and @sebadoom
from fscrypt.