eCryptfs

Encrypted Home mount regression when eCryptfs is built as a module

Bug #1024476 reported by Tyler Hicks
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
eCryptfs
Fix Released
High
Tyler Hicks

Bug Description

ecryptfs-utils-99 is affected by this regression.

The privilege dropping changes contributed in bug #1020904 caused a regression when eCryptfs is built as a kernel module and the module is not loaded when the Encrypted Home user first logs in.

When the user logs in, their home directory will not be properly mounted. This error message will be found in the auth.log:

pam_ecryptfs: Can't check if kernel supports ecryptfs

pam_ecryptfs attempts to load the eCryptfs kernel module and errors out because that fails. The module load is attempted after the privileges have been dropped, so this will always fail.

Workaround:

Add ecryptfs to the list of modules to be autoloaded at boot. /etc/modules is the appropriate file to modify in Ubuntu.

See original description
Revision history for this message
Tyler Hicks (tyhicks) wrote :

I tried to simply remove the ecryptfs_get_version() call from pam_sm_authenticate() but that resulted in a strange race condition where the module was loaded, the mount was performed, but filenames were not decrypted.

I believe removing the ecryptfs_get_version() call is the correct fix, but more investigation is needed to understand/correct the race condition.

description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote :

There's no race condition, just some crusty logic in the code.

1) pam_ecryptfs adds the fnek to the kernel keyring if the kernel supports filename encryption. The eCryptfs module need to be loaded to check for filename encryption support. If it can't be loaded (because appropriate privileges are not available, in this case), then the fnek is not added to the kernel keyring.

2) mount.ecryptfs_private constructs a ecryptfs_fnek_sig= mount option if the Private.sig file contains two sigs and the fnek is already loaded into the kernel keyring. The Private.sig file does contain two sigs in this case, but the fnek was not loaded by pam_ecryptfs so the mount is done without filename encryption enabled.

After talking with Dustin, we can drop the filename encryption kernel support check in pam_ecryptfs and always add the fnek to the kernel keyring nowadays. It has been years since the kernel didn't support filename encryption.

Tyler Hicks (tyhicks)
description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Fix was committed as revno 713

Changed in ecryptfs:
status: Triaged → Fix Committed
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Released in ecryptfs-utils-100

Changed in ecryptfs:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.