site  contact  subhomenews

Fscrypt now works in user spot

September 12, 2021 — BarryK

Continuing from yesterday:

Analysed it a bit more. In the 'init' script in the initrd, /proc is getting mounted like this:

mount -o hidepid=1 -t proc none /proc #20210407

That "hidepid=1" is a security feature, which seemed like a good idea at the time. I think a repercussion is, when login as spot, it won't see all of root's /proc.

To get around this, I have created a new group, in /etc/group:


Then I changed the mounting of /proc in the 'init' script:

mount -o hidepid=1,gid=118 -t proc none /proc #20210407 20210912

...this disables the "hidepid=1" for any users belonging to group "fscryptgrp".

I now have fscrypt working, but had to do a few more things... writing it down here, as just got it working, and want to record exactly what I did! Here we go...

As root, did this:

# keyctl show
Session Keyring
5898855 --alswrv 0 65534 keyring: _uid_ses.0
382717390 --alswrv 0 65534 \_ keyring: _uid.0
448736447 --alsw-v 0 0 \_ logon: ext4:6db5ac6afa4a5042
# keyctl setperm 448736447 0x3f3f3f3f
# keyctl chgrp 448736447 118

...I don't know if changing the permissions to "0x3f3f3f3f", which means everything enabled, is necessary.

Now login as spot:

# su -l spot
# cat /proc/keys
02547b7e I--Q--- 1 perm 1f3f0000 502 65534 keyring _uid_ses.502: 1
1abf2cbf I--Q--- 1 perm 3f3f3f3f 0 118 logon ext4:6db5ac6afa4a5042: 72
341d39dd I--Q--- 2 perm 1f3f0000 502 65534 keyring _uid.502: empty
# keyctl link 0x1abf2cbf @us
# ls -a
. .cache .didiwiki Downloads .local spot.png .Xauthority
.. .config .DirIcon .history README.txt
# echo 'abc' > testfile1
# cat testfile1


Tags: easy