
[Bug] xfce4-screensaver pam not unlocking mount point #360

Open
Flawm opened this issue Aug 15, 2022 · 1 comment

Comments


Flawm commented Aug 15, 2022

I'm using Arch Linux & followed the wiki to set up fscrypt. It's great. Now, additionally I've configured a systemd hook to lock my home directory on a sleep call. It works great. Now, waking & logging back in, my mount point remains locked with no changes to the pam structure, which I thought was weird.

I'm using xfce and I noticed the lock screen has its own pam configuration it calls xfce4-screensaver in /etc/pam.d/.

I've tried setting it up to mimic the existing pam stack but to no avail, and in fact the minimal reproducible case is this, which is the bare minimum mentioned in the docs:

auth required pam_unix.so
auth optional pam_fscrypt.so debug

session required pam_unix.so
session optional pam_fscrypt.so debug

and it's unfortunately not working with this error:

Aug 15 14:45:24 super pam_fscrypt[12965]: Current privs (real, effective): uid=(1000,1000) gid=(1000,1000) groups=[998 1000]
Aug 15 14:45:24 super pam_fscrypt[12965]: Setting euid=1000 egid=1000 groups=[1000 998]
Aug 15 14:45:24 super pam_fscrypt[12965]: Authenticate(map[debug:true]) failed: setting groups: operation not permitted

Looking into it a bit, it's coming from here, which is simply calling libc here.

I'm guessing it's something to do with the xfce process running as user 1000 and perms not chaining right, but ideally this would just work ™️ like the system-login pam stack via the lightdm greeter service. I think I can (maybe?) get around it with a systemd hook, but the issue is that I need the password passed in, and this is precisely what pam is for.
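The three debug lines above already contain everything needed to classify this failure: the caller's real/effective ids, the ids the module tries to switch to, and the errno text. The following script is an added example (not fscrypt project code and not from the issue) that parses those lines and states why the call cannot succeed. It assumes the PAM caller carries no file capabilities, so only euid 0 holds CAP_SETGID; the sample log is the issue's own three lines embedded as constructed input.

```python
"""Diagnose a pam_fscrypt 'setting groups: operation not permitted' failure
from its `debug` log lines (added example, not fscrypt project code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# Sample input: the three journal lines quoted in the issue above.
SAMPLE_LOG = """\
Aug 15 14:45:24 super pam_fscrypt[12965]: Current privs (real, effective): uid=(1000,1000) gid=(1000,1000) groups=[998 1000]
Aug 15 14:45:24 super pam_fscrypt[12965]: Setting euid=1000 egid=1000 groups=[1000 998]
Aug 15 14:45:24 super pam_fscrypt[12965]: Authenticate(map[debug:true]) failed: setting groups: operation not permitted
"""

PRIVS_RE = re.compile(
    r"Current privs \(real, effective\): "
    r"uid=\((?P<ruid>\d+),(?P<euid>\d+)\) "
    r"gid=\((?P<rgid>\d+),(?P<egid>\d+)\) "
    r"groups=\[(?P<groups>[\d ]*)\]"
)
SETTING_RE = re.compile(
    r"Setting euid=(?P<euid>\d+) egid=(?P<egid>\d+) groups=\[(?P<groups>[\d ]*)\]"
)
FAILED_RE = re.compile(r"\) failed: (?P<reason>.+)$")


def _group_set(text: str) -> FrozenSet[int]:
    """'998 1000' -> frozenset({998, 1000}); order is irrelevant to setgroups."""
    return frozenset(int(g) for g in text.split())


@dataclass
class Diagnosis:
    caller_euid: Optional[int] = None
    caller_groups: FrozenSet[int] = field(default_factory=frozenset)
    target_euid: Optional[int] = None
    target_groups: FrozenSet[int] = field(default_factory=frozenset)
    reason: Optional[str] = None

    @property
    def caller_privileged(self) -> bool:
        # Assumption: the PAM caller carries no file capabilities, so only
        # euid 0 holds the CAP_SETUID/CAP_SETGID the privilege switch needs.
        return self.caller_euid == 0

    @property
    def groups_same_set(self) -> bool:
        return self.caller_groups == self.target_groups

    @property
    def verdict(self) -> str:
        if self.reason is None:
            return "no_failure"
        if self.reason.startswith("setting groups") and not self.caller_privileged:
            # setgroups(2) requires CAP_SETGID even when the new list is the
            # same set as the old one, so a PAM stack run by a user-owned
            # process (a screen locker) cannot make this call at all.
            return "unprivileged_caller"
        return "other"


def diagnose(log: str) -> Diagnosis:
    """Walk the log once and collect the caller's privileges, the requested
    privileges and the failure reason."""
    d = Diagnosis()
    for line in log.splitlines():
        m = PRIVS_RE.search(line)
        if m:
            d.caller_euid = int(m["euid"])
            d.caller_groups = _group_set(m["groups"])
            continue
        m = SETTING_RE.search(line)
        if m:
            d.target_euid = int(m["euid"])
            d.target_groups = _group_set(m["groups"])
            continue
        m = FAILED_RE.search(line)
        if m:
            d.reason = m["reason"].strip()
    return d


def explain(d: Diagnosis) -> str:
    """One-line summary for an operator reading the journal."""
    if d.verdict == "unprivileged_caller":
        same = "the same set" if d.groups_same_set else "a different set"
        return (
            f"pam_fscrypt ran with euid={d.caller_euid}; changing supplementary "
            f"groups needs CAP_SETGID, so '{d.reason}' is expected even though "
            f"the requested groups are {same} as the current ones. The same "
            "stack works under a root-run caller such as the display manager."
        )
    return f"verdict={d.verdict} reason={d.reason}"


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

The point the verdict makes is the one the reporter guessed at: the groups requested ({998, 1000}) are the same set the process already has, but setgroups(2) is gated on CAP_SETGID regardless, so a locker running as uid 1000 fails where the root-run display-manager stack succeeds.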


Flawm commented Aug 15, 2022

Here's a hacky workaround. First, add this line to the auth section:

auth optional pam_exec.so seteuid expose_authtok /bin/unlock_fscrypt_sh

Then make these two scripts:
/bin/unlock_fscrypt_sh

#!/bin/sh
# Run by pam_exec: expose_authtok delivers the login password on stdin and
# seteuid makes this script run as the user who is authenticating.
PASS="$(cat -)"

# Hand the password and the user name to the expect helper that drives fscrypt.
echo "$PASS" | /bin/unlock_fscrypt_expect "$(id -nu)"

/bin/unlock_fscrypt_expect

#!/bin/expect
# Read the password from stdin and the user name from the first argument.
set password [gets stdin]
set user [lindex $argv 0]

# Drive fscrypt's interactive unlock for the user's home directory.
spawn fscrypt unlock /home/$user --user=$user

# Pick the first protector when fscrypt asks which one to use.
expect "*Enter the number*"
send "0\r"

# Answer the login passphrase prompt with the PAM-supplied password.
expect "*Enter the login*"
send "$password\r"

# Wait for fscrypt to confirm the unlock before exiting.
expect "*is now unlocked*"
exit
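Because the helper in this workaround is handed the cleartext login password (pam_exec's `expose_authtok` writes the token to the helper's stdin, `seteuid` runs the helper as the authenticating user, and `log=` appends the helper's output to a file), the file it points at has to be trustworthy. The following audit script is an added example, not from the issue or the fscrypt project; the config line it parses is the one above, the permission rules are the checks I would apply to any such helper, and the path in the `__main__` block is whatever the parsed line names.

```python
"""Audit a pam_exec helper that is handed the login passphrase via
expose_authtok (added example, not part of the issue or the fscrypt project)."""
from __future__ import annotations

import os
import stat
from typing import List, Optional, Tuple

# The line from the workaround above.
PAM_LINE = "auth optional pam_exec.so seteuid expose_authtok /bin/unlock_fscrypt_sh"


def parse_pam_exec(line: str) -> Tuple[str, str, List[str], Optional[str]]:
    """Split a pam_exec line into (type, control, module options, helper path).
    pam_exec treats everything before the first token starting with '/'
    as its own options and the rest as the command to run."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[2] != "pam_exec.so":
        raise ValueError("not a pam_exec line")
    type_, control = tokens[0], tokens[1]
    options: List[str] = []
    helper: Optional[str] = None
    for tok in tokens[3:]:
        if tok.startswith("/"):
            helper = tok
            break
        options.append(tok)
    return type_, control, options, helper


def line_problems(line: str) -> List[str]:
    """Things to flag in the config line itself."""
    type_, _control, options, helper = parse_pam_exec(line)
    problems: List[str] = []
    if helper is None:
        problems.append("no helper command given")
    if type_ == "auth" and "expose_authtok" not in options:
        problems.append("helper will not receive the passphrase (no expose_authtok)")
    for opt in options:
        if opt.startswith("log="):
            # The helper's stdout/stderr is appended to this file; keep it root-only.
            problems.append(f"helper output is logged to {opt[4:]}; check its permissions")
    return problems


def helper_perms_ok(owner_uid: int, mode: int) -> bool:
    """A file that sees cleartext passphrases must be root-owned, not writable
    by group or others, and not setuid/setgid (seteuid already picks the user)."""
    if owner_uid != 0:
        return False
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    return True


def audit_helper(path: str) -> List[str]:
    """Inspect the helper on disk; returns an empty list when it looks sane."""
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    mode = stat.S_IMODE(st.st_mode)
    if not helper_perms_ok(st.st_uid, mode):
        problems.append(f"{path}: owner uid {st.st_uid}, mode {oct(mode)}")
    with open(path, "rb") as fh:
        if fh.read(2) != b"#!":
            problems.append(f"{path}: no interpreter line")
    return problems


if __name__ == "__main__":
    _type, _control, _options, helper = parse_pam_exec(PAM_LINE)
    print("config line:", line_problems(PAM_LINE) or "ok")
    if helper:
        print("helper file:", audit_helper(helper) or "ok")
```

Run it as root on the machine that carries the workaround; a non-empty list from either function is something to fix before relying on the stack, since the helper runs with the user's password in hand on every unlock.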
