pam_fscrypt: eliminate unnecessary options and improve documentation #281
Conversation
There was a problem hiding this comment.
This looks really good. Thanks for simplifying things!
One question, if we're already changing the functionality of the PAM module, do we even need an unlock_only flag? Personally, I don't really see the need for such a flag. Looking at #25 I didn't gave a rationale for why we shouldn't always relock a directory.
I think originally we were considering the case where two users shared a directory and it was protected by both their login passphrases. But I don't think that should be an issue now. With V2 policies, both users can provision and deprovision the same fscrypt key without any issues.
So unless there's a compelling reason to keep the old functionality, I say we just get rid of it.
I intended the It's unlikely though, and v2 encryption policies made things work better. So I think you're right that for simplicity we just shouldn't add the option, unless someone asks for it. |
Configuring whether pam_fscrypt drops caches or not isn't really something the user should have to do, and it's also irrelevant for v2 encryption policies (the default on newer systems). It's better to have pam_fscrypt automatically decide whether it needs to drop caches or not. Do this by making pam_fscrypt check whether any encryption policy keys are being removed from a user keyring (rather than from a filesystem keyring). If so, it drops caches; otherwise it doesn't. This supersedes the "drop_caches" option, which won't do anything anymore.
All pam_fscrypt configuration guides that I'm aware of say to use the "lock_policies" option for the pam_fscrypt.so session hook. The Debian/Ubuntu pam-config-framework config file has it too. Make locking the default behavior, since this is what everyone wants. Existing configuration files that contain the "lock_policies" option will continue to work, but that option won't do anything anymore. (We could add an option "unlock_only" to restore the old default behavior, but it's not clear that it would be useful. So for simplicity, leave it out for now.)
There are several mentions of pam_fscrypt handling unlocking directories. Make sure to mention locking alongside this.
Make some more corrections: - pam-config-framework isn't actually Ubuntu-specific but actually applies to Debian and any Debian derivative. - The pam-config-framework file is indeed installed by `make install`, just not into the correct location. - On Debian (and Debian derivatives), the PAM configuration isn't actually part of the 'fscrypt' package but rather 'libpam-fscrypt'. - Clarify where to add the pam_fscrypt.so session hook.
|
Updated to not add the |
|
Hello, I'm sorry if I'm late but I got bitten by the new behaviour only now that I upgraded to the latest Ubuntu LTS release. My use case is quite simple, I'm using fscrypt on a machine that's partially headless and now that every directory gets locked after I logout from my SSH session I can't use screen/tmux for long running processes, nor I can run VMs. Is having back the option to not lock everything at logout still possible, or is there any alternative to prevent locking when screen/tmux are running? Thanks. |
pam_fscryptdecide automatically whether dropping caches is needed, so that the "drop_caches" option is no longer needed.pam_fscryptlock directories by default, so that the "lock_policies" option is no longer needed. As there is a chance that a small number of users might want the previous default behavior of unlock-only, add an option "unlock_only" to get that behavior.pam_fscrypt.