site  contact  subhomenews

Fscrypt broken in user spot

September 12, 2021 — BarryK

I have posted about being unable to get Chromium and Chrome to run as user spot:

https://bkhome.org/news/202109/cannot-run-chromium-browser-as-user-spot.html

It turns out that there is a fundamental problem in EasyOS. If a person entered a password at the very first bootup, Easy creates encrypted folders in the ext4 working-partition. So, if anyone steals your usb-stick or hard drive, they won't be able to access the files in those folders.

The encryption mechanism works on a per-folder basis, and the init script in the initrd will unlock those folders when the correct password is entered at bootup. It works great, however, falls apart if login as a non-root user...

I have a utility, 'keyctl', from the 'keyutils' package. I have today compiled that in OE and added it to the package list, so it will be in future releases of EasyOS. It is for managing the kernel keys. I know hardly anything about this topic, but let's explore...

# keyctl show
Session Keyring
1025593870 --alswrv 0 65534 keyring: _uid_ses.0
668976992 --alswrv 0 65534 \_ keyring: _uid.0
291187953 --alsw-v 0 0 \_ logon: ext4:6db5ac6afa4a5041
# ls -a /root/spot
. .cache .didiwiki Downloads .local spot.png
.. .config .DirIcon .history README.txt .Xauthority

That highlighted entry looks like the encryption of the ext4 filesystem. OK, now let's login as spot:

# su -l spot
# keyctl show
Session Keyring
766538552 --alswrv 502 65534 keyring: _uid_ses.502
676258719 --alswrv 502 65534 \_ keyring: _uid.502
# pwd
/root/spot
# echo 'abc' > testfile1
-sh: testfile1: Required key not available
# ls
6rW37WId+lKMnweIIvtagzdl6yDbnlwV oqjFdCBsfmOhji42Vcl25rPB11d8rQhm
8njV2L9wUPwq00z9kbB9h5gewrv31HGY README.txt
adx4yf4hAOVnM2cVKKvWawXQLPXCBMOz spot.png
cTXh+5oKTshqUql5A30nVWaCWTLObsx2 UCUPdY5gOs0rEYI,6tpi9Ap,n7nh4ppB
Downloads Y09MYYqmfJzqU7sPrUbUDnuZV55Dctsp
E3lquNhL1RiXxPvFoSUWSW87Q77hnI8A yCXJJnoom8XbLB65uNAZ,anhMcUHIV+W
k9ve6dS0fixgrADNHU,eS9YMXJpljvCt
#

Now isn't that interesting!

It seems that the ext4 filesystem key is not available when logged into spot.

Note that "ls" does list some files and one folder correctly. The others are encrypted.

So, the big question, how do I activate that "ext4:6db5ac6afa4a5041" key when logged in as spot?

I haven't solved this yet, as don't know much about kernel keys, how they work and how to manage.

EDIT:
Progress! Was reading the 'e4crypt' man page:

https://man7.org/linux/man-pages/man8/e4crypt.8.html

 e4crypt add_key [-vq] [-S salt ] [-k keyring ] [ -p pad ] [ path
       ... ]
              Prompts the user for a passphrase and inserts it into the
              specified keyring.  If no keyring is specified, e4crypt
              will use the session keyring if it exists or the user
              session keyring if it does not.

'e4crypt' is a utility in the 'e2fsprogs' package. It is compiled statically and used in the initrd to create the encrypted folders. What turned on the lights for me is this: "e4crypt will use the session keyring if it exists or the user session keyring if it does not".

"user session" is the root user. The 'keyctl' utility has names for these: "@s" and "@us". The session keyring should be available if I login later on as spot. Let's find out...

# keyctl link @s @us
# su -l spot
# pwd
/root/spot# keyctl show
Session Keyring
766538552 --alswrv 502 65534 keyring: _uid_ses.502
676258719 --alswrv 502 65534 \_ keyring: _uid.502
# echo 'abc' > testfile1
-sh: testfile1: Required key not available
# whoami
spot
# ls -a
. .cache .didiwiki Downloads .local spot.png
.. .config .DirIcon .history README.txt .Xauthority
#

The improvement is that the folders are now unencrypted, but still cannot write a file.

EDIT 2021-09-12:
Ignore that "keyctl link @s @us", I was just learning, don't think that does anything.

Have got fscrypt to work in spot, see next blog post:

https://bkhome.org/news/202109/fscrypt-now-works-in-user-spot.html       

Tags: easy