cmd/fscrypt: Add explanations for keyring failures

Now the user is persented with help when they try to access a keyring that isn't theirs or try to use fscrypt without a user keyring linked into the session keyring.
google · Sep 1, 2017 · 0dfbbf6 · 0dfbbf6
1 parent 079ee25
commit 0dfbbf6
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/cmd/fscrypt/errors.go b/cmd/fscrypt/errors.go
@@ -35,6 +35,7 @@ import (
 	"github.com/google/fscrypt/crypto"
 	"github.com/google/fscrypt/filesystem"
 	"github.com/google/fscrypt/metadata"
+	"github.com/google/fscrypt/security"
 	"github.com/google/fscrypt/util"
 )
 
@@ -93,6 +94,14 @@ func getErrorSuggestions(err error) string {
 			needs to be enabled for this filesystem. See the
 			documentation on how to enable encryption on ext4
 			systems (and the risks of doing so).`
+	case security.ErrSessionUserKeying:
+		return `This is usually the result of a bad PAM configuration.
+			Either correct the problem in your PAM stack, enable
+			pam_keyinit.so, or run "keyctl link @u @s".`
+	case security.ErrAccessUserKeyring:
+		return fmt.Sprintf(`You can only use %s to access the user
+			keyring of another user if you are running as root.`,
+			shortDisplay(userFlag))
 	case actions.ErrBadConfigFile:
 		return `Run "sudo fscrypt setup" to recreate the file.`
 	case actions.ErrNoConfigFile: