
Lock folder after logout #196

Closed
maklor78 opened this issue Feb 2, 2020 · 4 comments


@maklor78

maklor78 commented Feb 2, 2020

With the newest features in kernel 5.4 I wanted to use fscrypt with the new unprivileged lock feature to have the home directory of a user locked after logout.

I used the instructions in the Arch wiki to have the home directory automatically unlocked during login:
https://wiki.archlinux.org/index.php/Fscrypt#Auto-unlocking_directories

However, I still have to figure out how to lock the folder after logout.

Running `sudo -u myuser fscrypt lock /home/myuser --user=myuser` (as root) works fine, but having `fscrypt lock` in .bash_logout results in errors about files still being open.
So how do I let pam handle this? Is this already supported in fscrypt?

I don't know if this is related, but the only error message from fscrypt I could find in my logs is this:

```
pam_fscrypt[787]: OpenSession(map[drop_caches:true lock_policies:true]) failed: unlocking protector 4b86a936757c4793: AUTHTOK data missing: No module specific data is present
```

However, this is generated during login, and the unlocking works fine.

Here is my fscrypt.conf:

```json
{
  "source": "custom_passphrase",
  "hash_costs": {
    "time": "61",
    "memory": "88263",
    "parallelism": "16"
  },
  "compatibility": "",
  "options": {
    "padding": "32",
    "contents": "AES_256_XTS",
    "filenames": "AES_256_CTS",
    "policy_version": "2"
  },
  "use_fs_keyring_for_v1_policies": false
}
```
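Added example, not code from the issue or from the fscrypt project: a POSIX shell helper that does what a .bash_logout hook would need before calling `fscrypt lock`, namely find out which processes still hold files open under the home directory, by scanning /proc/*/fd. The "files still open" error in the post above is exactly the case where `open_files_under` prints something. `lock_when_idle` takes the lock command as an optional second parameter (a hypothetical convenience so the logic can be exercised with a stub); with the default it runs `fscrypt lock DIR`. Run it as the user whose files you care about, or as root to see other users' processes too.

```sh
#!/bin/sh
# Added example (not from the issue or the fscrypt project): find which
# processes still hold files open under a directory before locking it.
# `fscrypt lock` reports open files as an error, so a logout hook needs
# to know who is still holding the directory busy.

# Print "PID COMM PATH" for every open fd that resolves to a path under $1.
# readlink on another user's /proc/<pid>/fd/* is denied without root, so
# those processes are skipped silently; run as root for a complete list.
open_files_under() {
    dir=${1%/}
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            "$dir"/*)
                pid=${fd#/proc/}
                pid=${pid%%/*}
                comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
                printf '%s %s %s\n' "$pid" "$comm" "$target"
                ;;
        esac
    done
}

# Lock $1 using the command in $2 (default: "fscrypt lock"), but only when
# nothing under it is still open. Returns 0 if the lock command ran,
# 1 if the directory is still busy (the offenders are listed on stderr).
lock_when_idle() {
    dir=$1
    lock_cmd=${2:-"fscrypt lock"}
    busy=$(open_files_under "$dir")
    if [ -n "$busy" ]; then
        printf 'not locking %s, still open:\n%s\n' "$dir" "$busy" >&2
        return 1
    fi
    # Word splitting on $lock_cmd is intended: "fscrypt lock" -> two words.
    $lock_cmd "$dir"
}

# Usage: sh lock_when_idle.sh /home/myuser
if [ $# -gt 0 ]; then
    lock_when_idle "$1"
fi
```

Dropping this into .bash_logout does not by itself fix the ordering problem the thread is about (the PAM session and the user's service manager may still be alive when the shell exits), but it tells you which process is the culprit instead of leaving only fscrypt's generic error.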

@ebiggers
Collaborator

ebiggers commented Feb 2, 2020

The short answer is that following the directions on the Wiki is already supposed to result in directories being automatically locked after logout, but it doesn't work reliably due to systemd/systemd#8598, and possibly due to an additional ordering issue as well. We might be able to solve this by implementing #95.

@maklor78
Author

maklor78 commented Feb 8, 2020

I found a workaround based on what is described in systemd/systemd#8598 that seems to work as long as no systemd-user services are used.

After removing /etc/pam.d/systemd-user, the folders are locked immediately after logout.
So far nothing seems to be broken because of this.

@josephlr
Member

@maklor78 thanks for reporting this. This is further justification for implementing #95. I'm going to close this bug in favor of that one.

@mikunimaru

mikunimaru commented Nov 19, 2023

There is a slightly more elegant solution.

```ini
# /etc/systemd/system/fscryptLockSample@.service
# Template unit: the instance name (%i) is the numeric UID of the user.

[Unit]
Description="fscrypt lock sample"
# Stop together with the user's service manager, which is stopped once
# the last session of UID %i has ended (unless lingering is enabled).
PartOf=user@%i.service

[Service]
Type=simple
Slice=user-%i.slice
# ExecStart exits immediately; RemainAfterExit keeps the unit "active"
# so that ExecStop runs when user@%i.service goes down.
RemainAfterExit=yes
SyslogIdentifier=fscryptLockSample
ExecStart=/usr/bin/true
# Runs as root (no User=); map the UID back to a login name and lock the
# home directory as that user. systemd substitutes %i before sh runs.
ExecStop=/usr/bin/sh -c "/usr/bin/sudo -u $(id -nu %i) /usr/bin/fscrypt lock /home/$(id -nu %i)"

[Install]
WantedBy=user@%i.service
```

After that, just enable it for the user whose folder you want locked after logout:

```sh
sudo systemctl enable fscryptLockSample@1000
```

4 participants