Eric Biggers [Wed, 23 Feb 2022 20:35:04 +0000 (12:35 -0800)]
filesystem: preserve metadata file permissions on updates
Since fscrypt replaces metadata files rather than overwrites them (to
get atomicity), their owner will change to root if root makes a change.
That isn't too much of an issue when the files have mode 0644. However,
it will become a much bigger issue when the files have mode 0600,
especially because existing files with mode 0644 would also get changed
to have mode 0600.
In preparation for this, start preserving the previous owner and mode of
policy and protector files when they are updated.
Eric Biggers [Wed, 23 Feb 2022 20:35:04 +0000 (12:35 -0800)]
Make all new metadata files owned by user when needed
Since commit 4c7c6631cc5a ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf. That's good, but the same isn't true of other
files that get created at the same time:
- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file
In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.
The problem is that if the parent directories aren't trusted (owned by
another non-root user), then untrusted changes to their contents can be
made at any time, including the introduction of symlinks and so on.
While it's debatable how much of a problem this really is, given the
other validations that are done, it seems to be appropriate to validate
the parent directories too.
Therefore, this commit applies the same ownership validations to the
above four directories as are done on the metadata files themselves.
In addition, it is validated that none of these directories are symlinks
except for ".fscrypt" where this is explicitly supported.
Eric Biggers [Wed, 23 Feb 2022 20:35:04 +0000 (12:35 -0800)]
Strictly validate metadata file ownership by default
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.
There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,
* If fscrypt or pam_fscrypt is running as a non-root user, only
policies and protectors owned by the user or by root can be used.
* If fscrypt is running as root, any policy or protector can be used.
(This is to match user expectations -- starting a sudo session
should gain rights, not remove rights.)
* If pam_fscrypt is running as root, only policies and protectors
owned by root can be used. Note that this only applies when the
root user themselves has an fscrypt login protector, which is rare.
Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
Eric Biggers [Wed, 23 Feb 2022 20:35:04 +0000 (12:35 -0800)]
Make 'fscrypt setup' offer a choice of directory modes
World-writable directories are not appropriate for some systems, so
offer a choice of single-user-writable and world-writable modes, with
single-user-writable being the default. Add a new documentation section
to help users decide which one to use.
Eric Biggers [Wed, 23 Feb 2022 20:35:04 +0000 (12:35 -0800)]
filesystem: fall back to non-atomic overwrites when required
To allow users to update fscrypt metadata they own in
single-user-writable metadata directories (introduced by the next
commit), fall back to non-atomic overwrites when atomic ones can't be
done due to not having write access to the directory.
Eric Biggers [Wed, 23 Feb 2022 20:35:04 +0000 (12:35 -0800)]
filesystem: reject spoofed login protectors
If a login protector contains a UID that differs from the file owner
(and the file owner is not root), it might be a spoofed file that was
created maliciously, so make sure to consider such files to be invalid.
Eric Biggers [Wed, 23 Feb 2022 20:35:04 +0000 (12:35 -0800)]
filesystem: validate size and type of metadata files
Don't allow reading metadata files that are very large, as they can
crash the program due to the memory required. Similarly, don't allow
reading metadata files that aren't regular files, such as FIFOs, or
symlinks (which could point to a device node like /dev/zero), as that
can hang the program. Both issues were particularly problematic for
pam_fscrypt, as they could prevent users from being able to log in.
Note: these checks are arguably unneeded if we strictly check the file
ownership too, which a later commit will do. But there's no reason not
to do these basic checks too.
Eric Biggers [Wed, 23 Feb 2022 20:35:04 +0000 (12:35 -0800)]
bash_completion: fix command injection and incorrect completions
Mountpoint paths might be untrusted arbitrary strings; the fscrypt bash
completion script might need to complete to such strings.
Unfortunately, the design of bash completion places some major footguns
in the way of doing this correctly and securely:
- "compgen -W" expands anything passed to it, so the argument to -W
must be single-quoted to avoid an extra level of expansion.
- The backslashes needed to escape meta-characters in the completed
text aren't added automatically; they must be explicitly added.
Note that the completion script for 'umount' used to have these same
bugs (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179,
https://github.com/util-linux/util-linux/issues/539).
Fix these bugs in roughly the same way that 'umount' fixed them.
Eric Biggers [Wed, 23 Feb 2022 20:35:04 +0000 (12:35 -0800)]
Make the output of 'fscrypt status' unambiguous
Following the example of /proc/self/mountinfo, replace the space,
newline, tab, and backslash characters with octal escape sequences so
that the output can be parsed unambiguously.
Eric Biggers [Thu, 23 Dec 2021 04:46:16 +0000 (22:46 -0600)]
filesystem: store mountpoint in link files as a fallback
Currently, linked protectors use filesystem link files of the form
"UUID=<uuid>". These links get broken if the filesystem's UUID changes,
e.g. due to the filesystem being re-created even if the ".fscrypt"
directory is backed up and restored.
To prevent links from being broken (in most cases), start storing the
mountpoint path in the link files too, in the form
"UUID=<uuid>\nPATH=<path>\n". When following a link, try the UUID
first, and if it doesn't work try the PATH. While it's possible that
the path changed too, for login protectors (the usual use case of linked
protectors) this won't be an issue as the path will always be "/".
An alternative solution would be to fall back to scanning all
filesystems for the needed protector descriptor. I decided not to do
that, since relying on a global scan doesn't seem to be a good design.
It wouldn't scale to large numbers of filesystems, it could cross
security boundaries, and it would make it possible for adding a new
filesystem to break fscrypt on existing filesystems. And if a global
scan was an acceptable way to find protectors during normal use, then
there would be no need for link files in the first place.
Note: this change is backwards compatible (i.e., fscrypt will continue
to recognize old link files) but not forwards-compatible (i.e., previous
versions of fscrypt won't recognize new link files).
Eric Biggers [Wed, 22 Dec 2021 02:38:03 +0000 (20:38 -0600)]
pam_fscrypt: warn user if OLDAUTHTOK not given in chauthtok
If someone runs 'passwd USER' as root, the user is assigned a new login
passphrase without their fscrypt login protector being updated. Detect
this case and show a warning message using pam_info().
Forbid 'fscrypt setup' on filesystems that aren't expected to support
encryption (other than the root filesystem), and skip looking for
fscrypt metadata directories on such filesystems. This has two
benefits. First, it avoids the printing of annoying warnings like:
pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied
pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied
pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied
pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied
pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied
pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied
Second, it avoids long delays or side effects on some filesystems.
To do this, introduce an allowlist of filesystem types that fscrypt will
recognize. I wanted to avoid doing this, since this list will need to
be updated in the future, but I don't see a better solution.
Eric Biggers [Mon, 20 Dec 2021 03:19:25 +0000 (21:19 -0600)]
Set owner of login protectors to correct user
When the root user creates a login protector for a non-root user, make
sure to chown() the protector file to make it owned by the user.
Without this, the protector cannot be updated by the user, which causes
it to get out of sync if the user changes their login passphrase.
Eric Biggers [Mon, 20 Dec 2021 03:20:54 +0000 (21:20 -0600)]
pam: avoid compiler warning in copyIntoSecret()
gcc 11 enabled -Wmaybe-uninitialized by default. It causes a
false-positive warning in copyIntoSecret() because gcc doesn't
understand that mlock() is special and doesn't read from the memory.
Eric Biggers [Tue, 14 Sep 2021 21:12:39 +0000 (14:12 -0700)]
Adjust recovery passphrase generation
As per the feedback at https://github.com/google/fscrypt/issues/115
where users didn't understand that the recovery passphrase is important,
restore the original behavior where recovery passphrase generation
happens automatically without a prompt. This applies to the case where
'fscrypt encrypt' is using a login protector on a non-root filesystem.
However, leave the --no-recovery option so that the recovery passphrase
can still be disabled if the user really wants to. Also, clarify the
information provided about the recovery passphrase.
In Linux 5.15, the no-key name format is changing again; see
https://git.kernel.org/linus/ba47b515f5940603. isPossibleNoKeyName()
sometimes doesn't recognize the new no-key names. Update it accordingly
to recognize all possible no-key names.
Note: isPossibleNoKeyName() is only used as a heuristic to check whether
a v1-encrypted directory is incompletely locked or not. Therefore, it's
not too important whether it works. However, this change is needed for
cli-tests/t_v1_policy to pass.
Eric Biggers [Tue, 14 Sep 2021 21:27:59 +0000 (14:27 -0700)]
cli-tests/common.sh: remove argument count checks
These confuse the latest version of shellcheck into thinking that
functions which take no arguments actually take arguments, which
triggers a bunch of warnings like "Use func "$@" if function's $1 should
mean script's $1", which causes 'make lint' to fail. These checks
aren't too useful, so just remove them.
Eric Biggers [Mon, 13 Sep 2021 19:40:14 +0000 (12:40 -0700)]
README: remove note about stability
A lot of people are already using fscrypt, so in practice we haven't
been breaking backwards compatibility and aren't going to. Just remove
the scary-sounding "Note about stability".
Eric Biggers [Mon, 13 Sep 2021 19:40:14 +0000 (12:40 -0700)]
README: remove note about planned commands
These would still be nice to add. However, the mention of them in the
README is misleading because people reading it might come away with the
impression that there is currently no way to back up fscrypt metadata or
to recover directories -- which isn't true. (The fscrypt metadata is
just a directory which can be backed up like any other directory. And
'fscrypt encrypt' already offers to generate a recovery passphrase when
the directory and protector are on different filesystems.)
Just remove this note; it doesn't really add any value.
Eric Biggers [Sun, 27 Jun 2021 20:13:10 +0000 (13:13 -0700)]
cmd/fscrypt: fix detection of GRUB installation
Fix the GRUB detection logic to take into account that
MOUNTPOINT/boot/grub might not be on the same filesystem as MOUNTPOINT,
due to MOUNTPOINT/boot being another mountpoint. The warning is only
appropriate when GRUB is installed on the same filesystem that
encryption is going to be enabled on.
Eric Biggers [Thu, 10 Jun 2021 04:21:22 +0000 (21:21 -0700)]
README: improve troubleshooting tips for unlocked encrypted files
Rename the troubleshooting section "Can't log in with ssh even when
user's encrypted home directory is unlocked" to the more general "Some
processes can't access unlocked encrypted files", and rewrite it to
provide clearer directions for how to fix the problem by upgrading
encrypted directories to policy version 2.
Also add a related section "Users can access other users' unlocked
encrypted files" which covers the reverse "issue", i.e. people expecting
some processes to *not* be able to access unlocked encrypted files.
Joe Richey [Mon, 24 May 2021 10:42:01 +0000 (03:42 -0700)]
Run the Garbage Collector in the timing loop
Running `crypto.PassphraseHash` in a loop allocates a lot of memory.
Golang is not always prudent about collecting the garbage from previous
runs, resulting in a OOM error on memory-pressured systems.
With a `maxMemoryBytes` of 128 MiB, this change reduces the maximum
resident memory for `fscrypt setup` to 141 MiB (was perviously 405 MiB)
Eric Biggers [Thu, 6 May 2021 05:09:26 +0000 (22:09 -0700)]
Specify -buildmode=c-shared after GO_FLAGS rather than before
When building pam_fscrypt.so, specify -buildmode=c-shared after
$(GO_FLAGS) so that it overrides any user-specified buildmode.
This is needed to allow -buildmode=pie to be specified in GO_FLAGS if
the packager wants to build fscrypt as a position-independent executable
(e.g. following https://wiki.archlinux.org/title/Go_package_guidelines).
Previously, trying to do this caused pam_fscrypt.so to be incorrectly
built as an executable rather than as a shared library.
Eric Biggers [Mon, 8 Mar 2021 23:20:08 +0000 (15:20 -0800)]
pam_fscrypt: make "lock_policies" the default behavior
All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook. The
Debian/Ubuntu pam-config-framework config file has it too.
Make locking the default behavior, since this is what everyone wants.
Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.
(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful. So for
simplicity, leave it out for now.)
Configuring whether pam_fscrypt drops caches or not isn't really
something the user should have to do, and it's also irrelevant for v2
encryption policies (the default on newer systems). It's better to have
pam_fscrypt automatically decide whether it needs to drop caches or not.
Do this by making pam_fscrypt check whether any encryption policy keys
are being removed from a user keyring (rather than from a filesystem
keyring). If so, it drops caches; otherwise it doesn't. This
supersedes the "drop_caches" option, which won't do anything anymore.
Robert McQueen [Wed, 3 Mar 2021 11:34:55 +0000 (11:34 +0000)]
pam_fscrypt/config: prioritise over other session modules
Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.
Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as https://github.com/google/fscrypt/issues/270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.
After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (eg pam_mount
at 128) but before those which seem unlikely to work without a home
directory (eg pam_ssh at 64).
Eric Biggers [Sat, 21 Nov 2020 23:29:26 +0000 (15:29 -0800)]
Switch from Travis CI to GitHub Actions
travis-ci.org is being shut down, so switch to GitHub Actions.
It should be mostly equivalent, but I did drop functionality in a couple
cases:
- Publishing release binaries. I don't think providing Linux binaries
is useful, since people build their own anyway. So I left this out.
- Build and testing on ppc64le. GitHub Actions only natively supports
x86. I tried uraimo/run-on-arch-action, which uses Docker and QEMU
user-mode emulation, but the fscrypt tests can't be run because
QEMU user-mode emulation doesn't support all the needed system calls.
Eric Biggers [Sun, 8 Nov 2020 04:30:51 +0000 (20:30 -0800)]
cmd/fscrypt: fix race condition in getPassphraseKey()
Set the terminal to raw mode *before* printing the prompt.
Otherwise the user (or the automated test) might enter the
passphrase before the terminal gets put into raw mode.
This is needed for some of the CLI tests to pass reliably in Travis CI.
Eric Biggers [Sat, 7 Nov 2020 22:20:45 +0000 (14:20 -0800)]
cmd/fscrypt: fix isDirUnlockedHeuristic() on latest kernels
On an "incompletely locked" directory, isDirUnlockedHeuristic() is
supposed to return true, but on Linux v5.10-rc1 and later it returns
false since now creating a subdirectory fails rather than succeeds.
This change was intentional, so make isDirUnlockedHeuristic() apply a
second heuristic too: also return true if any filenames in the directory
don't appear to be valid no-key names.
This fixes cli-tests/t_v1_encrypt on Linux v5.10-rc1 and later.
Eric Biggers [Fri, 7 Aug 2020 23:37:05 +0000 (16:37 -0700)]
README.md: recommend 'sudo make install PREFIX=/usr' on Ubuntu (#244)
Ubuntu's PAM configuration framework only recognizes files in /usr, not
/usr/local. So for installs from source, unfortunately we have to
recommend installing to /usr, despite this not being conventional.