Fscrypt now works in user spot
Continuing from yesterday:
https://bkhome.org/news/202109/fscrypt-broken-in-user-spot.html
Analysed it a bit more. In the 'init' script in the initrd, /proc is getting mounted like this:
mount -o hidepid=1 -t proc none /proc #20210407
That "hidepid=1" is a security feature, which seemed like a good idea
at the time. I think a repercussion is that, when logged in as spot, it
won't see all of root's /proc.
To get around this, I have created a new group, in /etc/group:
fscryptgrp::118:root,spot
Then I changed the mounting of /proc in the 'init' script:
mount -o hidepid=1,gid=118 -t proc none /proc #20210407 20210912
...this disables "hidepid=1" for any user belonging to group "fscryptgrp" (the gid= option of proc names a group whose members are exempt from hidepid).
I now have fscrypt working, but had to do a few more things. I am
writing it down here, as I have just got it working and want to record
exactly what I did! Here we go...
As root, did this:
# keyctl show
Session Keyring
5898855 --alswrv 0 65534 keyring: _uid_ses.0
382717390 --alswrv 0 65534 \_ keyring: _uid.0
448736447 --alsw-v 0 0 \_ logon: ext4:6db5ac6afa4a5042
# keyctl setperm 448736447 0x3f3f3f3f
# keyctl chgrp 448736447 118
...I don't know if changing the permissions to "0x3f3f3f3f", which means everything enabled, is necessary.
Now login as spot:
# su -l spot
# cat /proc/keys
02547b7e I--Q--- 1 perm 1f3f0000 502 65534 keyring _uid_ses.502: 1
1abf2cbf I--Q--- 1 perm 3f3f3f3f 0 118 logon ext4:6db5ac6afa4a5042: 72
341d39dd I--Q--- 2 perm 1f3f0000 502 65534 keyring _uid.502: empty
# keyctl link 0x1abf2cbf @us
# ls -a
. .cache .didiwiki Downloads .local spot.png .Xauthority
.. .config .DirIcon .history README.txt
# echo 'abc' > testfile1
# cat testfile1
abc
...yay!
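The script below is an added example, not code from the post, that packages the steps above: find the ext4 logon key in /proc/keys, build a keyctl permission mask, set the key's group, remount /proc with gid=, and then (as spot) link the key. The one deliberate difference is the mask: instead of 0x3f3f3f3f, which grants every permission to possessor, user, group and "other" alike (so any user on the box could link and use the key), it gives group 118 only view, search and link, and "other" nothing. The group id 118 and the key description ext4:6db5ac6afa4a5042 are taken from the post; the three /proc/keys lines are embedded so the lookup can be exercised without a real keyring. The remount line is my equivalent, for a running system, of the mount line in the init script.

```shell
#!/bin/sh
# Added example (not from the original post). Key permission bits as per
# keyctl(1): view=1 read=2 write=4 search=8 link=16 setattr=32, all=63.
# A key's 32-bit mask is four such bytes, most significant first:
# possessor, user, group, other.

perm_byte() {
    # $1 is a '+'-separated list of permission names, or "none"; prints decimal
    b=0
    for p in $(printf '%s\n' "$1" | tr '+' ' '); do
        case "$p" in
            none)    ;;
            view)    b=$((b | 1)) ;;
            read)    b=$((b | 2)) ;;
            write)   b=$((b | 4)) ;;
            search)  b=$((b | 8)) ;;
            link)    b=$((b | 16)) ;;
            setattr) b=$((b | 32)) ;;
            all)     b=63 ;;
            *) echo "perm_byte: unknown permission '$p'" >&2; return 1 ;;
        esac
    done
    echo "$b"
}

key_perm_mask() {
    # usage: key_perm_mask <possessor> <user> <group> <other>
    # e.g. key_perm_mask all all view+search+link none  ->  0x3f3f1900
    pos=$(perm_byte "$1") || return 1
    usr=$(perm_byte "$2") || return 1
    grp=$(perm_byte "$3") || return 1
    oth=$(perm_byte "$4") || return 1
    printf '0x%02x%02x%02x%02x\n' "$pos" "$usr" "$grp" "$oth"
}

logon_key_id() {
    # Reads /proc/keys on stdin, prints the serial (as 0x...) of the logon
    # key whose description is $1. Columns: serial flags usage timeout
    # perms uid gid type description ...
    awk -v want="$1" '$8 == "logon" && $9 == (want ":") { print "0x" $1; exit }'
}

# The /proc/keys lines from the post, embedded as sample input.
SAMPLE_PROC_KEYS='02547b7e I--Q--- 1 perm 1f3f0000 502 65534 keyring _uid_ses.502: 1
1abf2cbf I--Q--- 1 perm 3f3f3f3f 0 118 logon ext4:6db5ac6afa4a5042: 72
341d39dd I--Q--- 2 perm 1f3f0000 502 65534 keyring _uid.502: empty'

# Privileged steps, to be run as root. Not called from this script's
# top level; invoke it yourself once the printed mask looks right.
grant_key_to_group() {
    # usage: grant_key_to_group <key description> <gid>
    key=$(logon_key_id "$1" < /proc/keys)
    [ -n "$key" ] || { echo "no logon key '$1' in /proc/keys" >&2; return 1; }
    mask=$(key_perm_mask all all view+search+link none) || return 1
    keyctl setperm "$key" "$mask" &&
    keyctl chgrp "$key" "$2" &&
    mount -o remount,hidepid=1,gid="$2" /proc
    # then, logged in as spot:  keyctl link "$key" @us
}

key_perm_mask all all view+search+link none
printf '%s\n' "$SAMPLE_PROC_KEYS" | logon_key_id ext4:6db5ac6afa4a5042
```

Running it prints 0x3f3f1900 and 0x1abf2cbf. After `keyctl chgrp` the group byte is what spot's processes are checked against, so search (needed for ext4's request_key lookup) and link (needed for `keyctl link`) are the two bits that matter; view only makes the key visible to `keyctl show`.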
Tags: easy