Fixed failures in PAM module #56
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Now the offending panic will just be logged and the module will fail. This is important as to not crash the login process.
This was creating an issue becasuse fully dropping privileges required spawning a goroutine and using rutime.DropOSThread().
Now instead of spawning a seperate thread we alternate between changing the euid and ruid to both find the keyring and link it to the process keyring. Note that we also ensure that the user keyring is linked into the root keyring whenever possible.
Chaning the --user flag to (optionally) check for a proper keyring setup allows us to fail early in cases where we need a working keyring.
Now the user is persented with help when they try to access a keyring that isn't theirs or try to use fscrypt without a user keyring linked into the session keyring.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR stops certain functionality from failing in the PAM module. This is mainly done by changing how we lookup the user keyring. We no longer user goroutines, which were part of the problem.
The PAM functions are now (mostly) insulated against panics making them crash. This fixes #53