New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
implement fscrypt for PAM #101604
implement fscrypt for PAM #101604
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution. Only had a brief look at this would like you to take a moment to reformat the changes in this PR.
You seem to be mixing tabs and spaces whereas we are (mostly) only using spaces in this repository. Usually these settings can be automatically applied by your editor (so you can keep on pressing TAB but still emit the correct number of spaces) by telling your to read editorconfig
files. There are a lot of plugins available for most of the common editors: https://editorconfig.org/#download
Furthermore you can probably squash all of the changes into one commit that follows our commit style guide.
In your case this is likely something like this:
nixos/security/pam: support fscrypt
This PR adds support for doing XYZ using fscrypt in combination with PAM. This is desireable because reasons ….
This PR enables fscrypt pam module from fscrypt package. It allows the end users to use their passphrase to unlock encrypted directories on supported filesystems while logging in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@NeoTheFox I would like to add some changes to this Pull Request (already tested). Alternateively I can comment here about them. If you prefer the former could you please grant me access to your repo? You need to check the box in the pull request that says “Allow edits from maintainers.”
The box was checked! I'm ok with any changes as long as fscrypt gets implemented |
I continue not to have rights. Could you please allow access to contributors in your fork so that I try to commit in NeoTheFox:master? |
@kamentomov “Allow edits from maintainers.” won't work for you because you need commit access to Nixpkgs. I'd probably be better to suggest changes via the GH UI or link to your commit / post a patch so that @NeoTheFox could cherry-pick/apply it. But in any case I'm not sure if this PR can get merged anytime soon (I'd recommend to find/ping some more appropriate reviewers).
|
@primeos Thanks for commenting. This looked so dead.
I pushed to @NeoTheFox's repo and that worked. @NeoTheFox thanks for graning me access.
Could you please help us with this? I don't know who is qualified to review this.
Stragely the package is not experimental in other OSes. Nevertheless,
The currently used approach to enable
Moving to specific modules is a larger task so shouldn't we fit to the current approach until there is a volunteer to do a refactoring? |
I also think that this is not disruptive/overreaching. Since fscrypt-experimental exists in the repos and provides the required PAM module not having a way to enable it without resorting to hacks seems incomplete to me. After all this only adds a few lines of text to the config just to enable the functionality that's already there. |
In general I'd try to ping the users that contributed the most (or recently) to the file you're changing (listed here or via I can try to review and help with the
Yeah, the name is pretty non-standard (this is my mistake because IIRC I packaged it pretty early and at that time there where some rough edges and I didn't want anyone to accidentally loose their data without knowing the risks).
Ok, I'll have a closer look at it.
This PR would of course only have to "move" the fscrypt part into a specific module (if that's possible without much effort). But maybe it's also fine in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the delay...
I added a few style nitpicks/improvements but overall the diff LGTM (though unfortunately I also realized how unfamiliar I'm with PAM and our NixOS module for it).
Edit: https://github.com/google/fscrypt/releases/tag/v0.3.0 is also relevant now.
@@ -207,6 +207,14 @@ let | |||
''; | |||
}; | |||
|
|||
enableFscrypt = mkOption { | |||
default = config.security.pam.enableFscrypt; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It isn't clear to me why we need two options for this (e.g. config.security.pam.enableOTPW
does the same but I don't immediately see an obvious reason for it / understand that part of the module).
Update: After looking at this a bit closer it seems like this part (pamOpts
function, etc.) does the actual work to set/apply the config per PAM program/service and config.security.pam.enableFscrypt
is used as a convenience option to easily enable it for all programs/services - in that case it might make sense to have both but security.pam.services.<name>.enableFscrypt
is basically only useful to disable/blacklist it for some PAM programs/services or for "whitelisting" but then pkgs.fscrypt-experimental
won't be installed (though it shouldn't be required anyway, only for the setup?)).
Update2: E.g. for eCryptfs only security.pam.enableEcryptfs
is used, not the second per program/service option.
(And I'm also not sure if the NixOS approach of setting this for every PAM program/service by default makes that much sense - e.g. in the Arch Wiki it's only set for system-login
and passwd
: https://wiki.archlinux.org/index.php/Fscrypt#PAM_module)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update3: It seems to me like the best approach to implement this would be default = false
and set security.pam.services.$name.enableFscrypt = config.security.pam.enableFscrypt
(the actual implementation would be a bit different) for the relevant services. But I'm not sure how realistic that approach currently is for NixOS.
description = '' | ||
Unlocks fscrypt-encrypted filesystems on login via PAM | ||
''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
description = '' | |
Unlocks fscrypt-encrypted filesystems on login via PAM | |
''; | |
description = '' | |
Unlocks fscrypt-encrypted filesystems on login via PAM. | |
''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should also link to e.g. https://github.com/google/fscrypt/blob/master/README.md via the description?
${optionalString cfg.pamMount | ||
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} | ||
${optionalString cfg.enableFscrypt | ||
"auth optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
${optionalString cfg.pamMount | |
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} | |
${optionalString cfg.enableFscrypt | |
"auth optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"} | |
${optionalString cfg.enableFscrypt | |
"auth optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"} | |
${optionalString cfg.pamMount | |
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} |
Nitpick but let's keep the order consistent with above.
@@ -622,6 +637,8 @@ in | |||
|
|||
security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module"; | |||
|
|||
security.pam.enableFscrypt = mkEnableOption "fscrypt filesystem encryption PAM module"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
security.pam.enableFscrypt = mkEnableOption "fscrypt filesystem encryption PAM module"; | |
security.pam.enableFscrypt = mkEnableOption "the fscrypt filesystem encryption PAM module"; |
@@ -851,6 +868,7 @@ in | |||
++ optional config.services.sssd.enable pkgs.sssd | |||
++ optionals config.krb5.enable [pam_krb5 pam_ccreds] | |||
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] | |||
++ optionals config.security.pam.enableFscrypt [pkgs.fscrypt-experimental] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
++ optionals config.security.pam.enableFscrypt [pkgs.fscrypt-experimental] | |
++ optionals config.security.pam.enableFscrypt [ pkgs.fscrypt-experimental ] |
@@ -886,6 +904,7 @@ in | |||
vlock = {}; | |||
xlock = {}; | |||
xscreensaver = {}; | |||
fscrypt = {}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is that part actually required / what is the use-case here?
Update: https://github.com/google/fscrypt#allowing-fscrypt-to-check-your-login-passphrase explains it and we seem to have a restrictive /etc/pam.d/other
. But I'm starting to get the feeling that our NixOS module for PAM could need a rewrite and uses a bit of a lazy approach (setting options of every PAM module/service instead of only the ones that need it).
@@ -886,6 +904,7 @@ in | |||
vlock = {}; | |||
xlock = {}; | |||
xscreensaver = {}; | |||
fscrypt = {}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fscrypt = {}; | |
fscrypt.text = "auth required pam_unix.so"; |
Maybe this would be better (https://github.com/google/fscrypt#allowing-fscrypt-to-check-your-login-passphrase)?
@NeoTheFox Do you want to continue working on this? I'd like to see this merged and could take this over. |
@lorenz feel free to take over, it's been a long time and I don't have a system to test it on anymore |
I marked this as stale due to inactivity. → More info |
Still important. Any updates on this? |
This has been superseded by #199587 which has since been merged and is available as of 22.11 as |
Adresses #92352
Tested on a running NixOS 20.90