
pam_fscrypt auth module crashes login process #42

Closed
ghost opened this issue Aug 25, 2017 · 8 comments

ghost commented Aug 25, 2017

After adding the pam_fscrypt module to the PAM auth config, it crashes the login process after the password is provided:

systemd[1]: Started Getty on tty2.
systemd-coredump[14940]: Process 1777 (login) of user 0 dumped core.

Stack trace of thread 1777:
#0  0x000064ee5d0edc64 n/a (pam_fscrypt.so)
#1  0x000064ee5d0d5f4b n/a (pam_fscrypt.so)
#2  0x000064ee5d0c2180 n/a (pam_fscrypt.so)
#3  0x000064ee5d0e8d7e n/a (pam_fscrypt.so)
#4  0x000064ee5d0ea082 n/a (pam_fscrypt.so)

my pam system-login:

#%PAM-1.0

auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       required   pam_unix.so          try_first_pass
auth       optional   pam_permit.so
auth       required   pam_env.so
auth       optional   pam_fscrypt.so
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_keyinit.so       force revoke
session    optional   pam_fscrypt.so       drop_caches lock_policies debug
session    optional   pam_loginuid.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session    optional   pam_systemd.so
session    required   pam_env.so

my pam system-auth:

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass sha512 shadow
password  optional  pam_permit.so
password  optional  pam_fscrypt.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

I didn't set up any passwords or protectors yet. I only ran fscrypt setup.

System: Archlinux
Kernel: 4.12.8

@josephlr
Member

@fancytenseletters can you run fscrypt encrypt with the --verbose flag? You are correct in that the pam module is not necessary for encrypting a directory with the login passphrase.

It also appears that the pam module is not being loaded. Did sudo make install install it alongside your other pam modules? If it is installed, can you check the syslog (/var/log/syslog on my system) for any entries about fscrypt?

Also, for the PAM configuration, I'm not sure what the correct setup will be for arch. Try removing any entries in system-login and only put the entries in system-auth as described here (except with the debug option used for all three).

@josephlr
Member

I'm going to try out fscrypt on a fresh arch installation. After that, I'll update the docs with some arch specific stuff. Right now the docs are really only useful for Ubuntu and Ubuntu-based distributions.

@ghost
Author

ghost commented Aug 25, 2017

pam_fscrypt is correctly installed under /usr/lib/security, which is the Archlinux directory for pam modules.

There are no other messages in syslog. I'm reproducing it by switching to a new VT, and it crashes instantly after providing the password. I tried disabling every pam auth module except pam_unix and pam_fscrypt, with the same result.

I can add only the session pam_fscrypt module and successfully log in. It shows messages in the journal, so I assume it's working (albeit it doesn't do anything, as the auth module is missing).

Here's my build recipe; you can try it on Archlinux by executing makepkg -sr in the same directory as this file (just remove the .txt, which I added only to satisfy the GitHub upload):
PKGBUILD.txt

Archlinux AUR package is here (it's for older fscrypt version but you can see comments with updated version which is what I'm using above): https://aur.archlinux.org/packages/fscrypt-git/

BTW: don't hesitate to close https://github.com/google/fscrypt/pull/43/files and fix this readme typo yourself if those googlebot concerns are serious.

@josephlr
Member

@ebiggers (package maintainer) Any thoughts on this? Does Arch's pam system do anything funky compared to Ubuntu's?

@ghost
Author

ghost commented Aug 26, 2017

I tried to log in with the sddm display manager, and it provides more verbose output:

fscrypt.txt

Especially those lines:

localhost sddm[629]: panic: runtime error: invalid memory address or nil pointer dereference
localhost sddm[629]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x65f02dd660b3]
localhost sddm[629]: goroutine 17 [running, locked to thread]:
localhost sddm[629]: main.parseArgs(0x0, 0x0, 0x0)
localhost sddm[629]:         /build/fscrypt-git/src/go/src/github.com/google/fscrypt/pam_fscrypt/run_fscrypt.go:85 +0x53
localhost sddm[629]: main.RunPamFunc(0x65f02dfef5e8, 0x7b6fcdff610, 0x0, 0x0, 0x0)
localhost sddm[629]:         /build/fscrypt-git/src/go/src/github.com/google/fscrypt/pam_fscrypt/run_fscrypt.go:66 +0x3f
localhost sddm[629]: main.pam_sm_authenticate(0x7b6fcdff610, 0x0, 0x0, 0xc400000008)
localhost sddm[629]:         /build/fscrypt-git/src/go/src/github.com/google/fscrypt/pam_fscrypt/pam_fscrypt.go:256 +0x4b
localhost sddm[629]: main._cgoexpwrap_6fa6346da506_pam_sm_authenticate(0x7b6fcdff610, 0x0, 0x0, 0x0)
localhost sddm[629]:         github.com/google/fscrypt/pam_fscrypt/_obj/_cgo_gotypes.go:62 +0x47

@josephlr josephlr added the bug label Aug 29, 2017
@ghost
Author

ghost commented Aug 30, 2017

I've found that adding the debug option to the pam_fscrypt auth module allows a successful log in. (It didn't occur to me before that each module has its own debug option, sorry.) Here's the new log:
fscrypt-user.log.txt

995 is the UID for the sddm user, 1001 is the UID for the login user.

Notable errors:

pam_fscrypt[1047]: system error: could not find user keyring
pam_fscrypt[1901]: open /run/fscrypt/995.count: permission denied

@josephlr
Member

Ya, it looks like two issues.

  • Improper argument processing when there are zero arguments.
  • Assumption that a user keyring is always visible.

These are currently being fixed in the 'keyrings' branch.
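Added illustration (not part of this thread and not fscrypt's own code): a pure-Go sketch of the two guards the bullets above call for, written against hypothetical `parseModuleArgs` and `runPamHook` functions that stand in for the module's real entry-point wrapper. PAM hands every `pam_sm_*` function an `argc`/`argv` pair taken from the config line; for a line such as `auth optional pam_fscrypt.so` that is zero arguments, which is the case the sddm trace shows crashing. The numeric PAM return codes are the ones Linux-PAM defines; the option names are the ones used in the config above, and `errKeyringUnavailable` is a constructed sentinel standing in for the "could not find user keyring" condition. The point the example makes: a Go panic that escapes a cgo-exported function aborts the whole host process (login, sddm), and PAM's `optional` control flag cannot soften that because the process is already gone, so each hook must recover internally and map failure to a PAM status.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PAM return codes with the numeric values Linux-PAM assigns them in
// security/_pam_types.h.
const (
	pamSuccess   = 0
	pamSystemErr = 4
	pamIgnore    = 25
)

// Options is the parsed form of the arguments on a PAM config line, e.g.
// "session optional pam_fscrypt.so drop_caches lock_policies debug".
type Options struct {
	Debug        bool
	DropCaches   bool
	LockPolicies bool
}

// errKeyringUnavailable is a constructed stand-in for "could not find user
// keyring": the hook should treat it as "nothing to do", not as a fatal error.
var errKeyringUnavailable = errors.New("user keyring not visible to this process")

// parseModuleArgs converts PAM's argv into Options. With argc == 0, argv may
// be a null pointer, which reaches Go as a nil slice; indexing it without a
// length check is the nil dereference seen in the sddm log, so the empty
// case is handled first and returns defaults.
func parseModuleArgs(argv []string) (Options, error) {
	var opts Options
	if len(argv) == 0 {
		return opts, nil
	}
	for _, arg := range argv {
		switch strings.TrimSpace(arg) {
		case "debug":
			opts.Debug = true
		case "drop_caches":
			opts.DropCaches = true
		case "lock_policies":
			opts.LockPolicies = true
		case "":
			continue
		default:
			return opts, fmt.Errorf("unknown pam_fscrypt option %q", arg)
		}
	}
	return opts, nil
}

// runPamHook is the wrapper shape every pam_sm_* entry point needs: it parses
// the arguments, runs the hook body, and converts both errors and panics into
// a PAM status, so a module bug degrades to PAM_IGNORE instead of killing the
// login process. In a real module the messages would go to syslog.
func runPamHook(name string, argv []string, fn func(Options) error) (code int) {
	defer func() {
		if r := recover(); r != nil {
			fmt.Printf("pam_fscrypt: %s: internal error: %v\n", name, r)
			code = pamIgnore
		}
	}()
	opts, err := parseModuleArgs(argv)
	if err != nil {
		fmt.Printf("pam_fscrypt: %s: %v\n", name, err)
		return pamIgnore
	}
	err = fn(opts)
	switch {
	case err == nil:
		return pamSuccess
	case errors.Is(err, errKeyringUnavailable):
		if opts.Debug {
			fmt.Printf("pam_fscrypt: %s: %v (ignoring)\n", name, err)
		}
		return pamIgnore
	default:
		if opts.Debug {
			fmt.Printf("pam_fscrypt: %s: %v\n", name, err)
		}
		return pamSystemErr
	}
}

func main() {
	sessionLine := []string{"drop_caches", "lock_policies", "debug"} // from the config above
	noKeyring := func(Options) error { return errKeyringUnavailable }
	buggy := func(Options) error { var m map[string]int; m["x"] = 1; return nil } // panics on purpose

	fmt.Println("auth line, zero args     ->", runPamHook("pam_sm_authenticate", nil, noKeyring))
	fmt.Println("session line, with args  ->", runPamHook("pam_sm_open_session", sessionLine, noKeyring))
	fmt.Println("hook body that panics    ->", runPamHook("pam_sm_authenticate", nil, buggy))
}
```

Both the zero-argument line and the panicking hook body come back as PAM_IGNORE (25) rather than a core dump, which is the behaviour an `optional` module line is expected to have.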

@ghost
Author

ghost commented Aug 30, 2017

Just one more log when trying to log in as root:
fscrypt-root.log.txt

pam_fscrypt[990]: resource deadlock avoided: system error: could not link keyring
pam_fscrypt[990]: resource deadlock avoided: system error: could not link keyring
pam_fscrypt[1120]: resource deadlock avoided: system error: could not link keyring
pam_fscrypt[1150]: resource deadlock avoided: system error: could not link keyring
pam_fscrypt[1150]: resource deadlock avoided: system error: could not link keyring
pam_fscrypt[1162]: resource deadlock avoided: system error: could not link keyring

It seems to me that fscrypt always links the user keyring to root; in that case it tries to link the root keyring to itself.
