pam_fscrypt: make "lock_policies" the default behavior

All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook.  The
Debian/Ubuntu pam-config-framework config file has it too.

Make locking the default behavior, since this is what everyone wants.

Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.

(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful.  So for
simplicity, leave it out for now.)

diff --git a/README.md b/README.md
index 4a59535dcab4c96e6cde1bda320e1f2a46af15dd..97caed27c1f0c36cbff4a4bb3778c00c85436eac 100644 (file)
--- a/README.md
+++ b/README.md
@@ -415,12 +415,12 @@ auth        optional    pam_fscrypt.so
 after `pam_unix.so` in `/etc/pam.d/common-auth` or similar, and to add the
 line:
 ```
-session     optional    pam_fscrypt.so lock_policies
+session     optional    pam_fscrypt.so
 ```
-after `pam_unix.so` in `/etc/pam.d/common-session` or similar. The
-`lock_policies` option locks the directories protected with the user's login
-passphrase when the last session ends.  All the types also support the `debug`
-option which prints additional debug information to the syslog.
+after `pam_unix.so` in `/etc/pam.d/common-session` or similar.
+
+To make `pam_fscrypt.so` print debugging messages to the system log, add the
+`debug` option.  All hook types accept this option.
 
 ### Allowing `fscrypt` to check your login passphrase
 

diff --git a/pam_fscrypt/config b/pam_fscrypt/config
index d2fbf68185e174fb7150b5563058744c092056ea..f83dab2d6a5e4f90b1a0349df07de07eb5258cd9 100644 (file)
--- a/pam_fscrypt/config
+++ b/pam_fscrypt/config
@@ -7,7 +7,7 @@ Auth-Final:
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session-Final:
-       optional        PAM_INSTALL_PATH lock_policies
+       optional        PAM_INSTALL_PATH
 Password-Type: Additional
 Password-Final:
        optional        PAM_INSTALL_PATH

diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 195ba43ca5388b3b363c38edb568cce7870c64f0..2e31af93ef8deed16d39dd33aee5a882cc0b15a3 100644 (file)
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -47,7 +47,10 @@ const (
        authtokLabel = "fscrypt_authtok"
        // These flags are used to toggle behavior of the PAM module.
        debugFlag = "debug"
-       lockFlag  = "lock_policies"
+
+       // This option is accepted for compatibility with existing config files,
+       // but now we lock policies unconditionally and this option is a no-op.
+       lockPoliciesFlag = "lock_policies"
 
        // This option is accepted for compatibility with existing config files,
        // but it no longer does anything.  pam_fscrypt now drops caches if and
@@ -218,19 +221,21 @@ func CloseSession(handle *pam.Handle, args map[string]bool) error {
                return err
        }
 
+       if args[lockPoliciesFlag] {
+               log.Print("ignoring deprecated 'lock_policies' option (now the default)")
+       }
+
        if args[dropCachesFlag] {
                log.Print("ignoring deprecated 'drop_caches' option (now auto-detected)")
        }
 
-       needDropCaches := false
-       var errLock, errCache error
        // Don't automatically drop privileges, since we may need them to
        // deprovision policies or to drop caches.
-       if args[lockFlag] {
-               log.Print("locking polices protected with login protector")
-               needDropCaches, errLock = lockLoginPolicies(handle)
-       }
 
+       log.Print("locking policies protected with login protector")
+       needDropCaches, errLock := lockLoginPolicies(handle)
+
+       var errCache error
        if needDropCaches {
                log.Print("dropping appropriate filesystem caches at session close")
                errCache = security.DropFilesystemCache()