From 19c13e861996c3503be5b0dc5a2cecfe186b1744 Mon Sep 17 00:00:00 2001 From: Joseph Richey Date: Thu, 24 Aug 2017 00:29:54 -0700 Subject: [PATCH] Updated documentation for PAM module help --- CONTRIBUTING.md | 4 ++-- README.md | 9 ++++----- pam_fscrypt/pam_fscrypt.go | 4 ++-- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6b7be43..357661c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -22,8 +22,8 @@ Any bugs or problems found in fscrypt should be reported though the reporting an issue, be sure to give as much information about the problem as possible. If reporting an issue around the fscrypt command-line tool, post the relevant output from fscrypt, running with the `--verbose` flag. For the -pam_fscrypt module, use the `debug` flag with the module and post the relevant -parts of the syslog (at ``). +pam_fscrypt module, use the `debug` option with the module and post the relevant +parts of the syslog (usually at `/var/log/syslog`). ## Code reviews diff --git a/README.md b/README.md index 342fe66..2214dad 100644 --- a/README.md +++ b/README.md @@ -568,12 +568,11 @@ fscrypt metadata change-passphrase --protector=/:ID #### Directories using my login passphrase are not automatically unlocking. Either the PAM module is not installed correctly, or your login passphrase -changed and things got out of sync. +changed and things got out of sync. Another reason that these directories might +not unlock is if your session starts without password authentication. The most +common case of this is public-key ssh login. -#### I can still see files or filenames after running `fscrypt purge MOUNTPOINT` - -You need to unmount `MOUNTPOINT` to clear the necessary caches. See -`fscrypt purge --help` for more information +To trigger a password authentication event, run `su $(whoami) -c exit`. #### Getting "encryption not enabled" on an ext4 filesystem. diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go index 2eecd3a..21bc779 100644 --- a/pam_fscrypt/pam_fscrypt.go +++ b/pam_fscrypt/pam_fscrypt.go @@ -78,7 +78,7 @@ func OpenSession(handle *pam.Handle, _ map[string]bool) error { // We will always clear the the AUTHTOK data defer handle.ClearData(authtokLabel) // Increment the count as we add a session - if _, err := AdjustCount(handle, 1); err != nil { + if _, err := AdjustCount(handle, +1); err != nil { return err } @@ -150,6 +150,7 @@ func OpenSession(handle *pam.Handle, _ map[string]bool) error { func CloseSession(handle *pam.Handle, args map[string]bool) error { // Only do stuff on session close when we are the last session if count, err := AdjustCount(handle, -1); err != nil || count != 0 { + log.Printf("count is %d and we are not locking", count) return err } @@ -275,7 +276,6 @@ func pam_sm_close_session(pamh unsafe.Pointer, flags, argc C.int, argv **C.char) func pam_sm_chauthtok(pamh unsafe.Pointer, flags, argc C.int, argv **C.char) C.int { // Only do rewrapping if we have both AUTHTOKs and a login protector. if pam.Flag(flags)&pam.PrelimCheck != 0 { - log.Print("no preliminary checks need to run") return C.PAM_SUCCESS } -- 2.39.5