cc @edolstra @grahamc @ttuegel @globin

Ping.

I admit I don't totally understand what this does, but if it's upstream-recommended and it fixes ecryptfs, then I'm all for it! 😄

We're not in a great place as this is a regression in 17.09. When we get this approved I think we should keep it in master for at least 2 weeks before cherry-picking it in 17.09 to make sure there are no side-effect to the pam change. The saving grace is this probably affects very few people…

Any updates?

Debian and Ubuntu only have it in a few PAM configs:

$ grep keyinit /etc/pam.d/ -R
/etc/pam.d/runuser:session		optional	pam_keyinit.so revoke
/etc/pam.d/runuser-l:session		optional	pam_keyinit.so force revoke
/etc/pam.d/sshd:session    optional     pam_keyinit.so force revoke

This can also be done with our NixOS PAM module.

Can somebody test that this is enough to make ecryptfs work?

@fpletz, well I'm biased but I've been running with it since I opened the PR & it's worked for me..

Okay. I'll try to give this a spin soon. We'll also have to find out why our ecryptfs test doesn't catch this.

I vaguely recall trying to extend the test to cover the failing usecases but it went nowhere (and now don't recall much of the subtleties). Mostly I think it had to do with mounting encrypted directories at other times than login.

(I've rebased this on fresh master)

@fpletz, shall we merge this?

Looks like this fixes other issues: #32279 (comment)

So @eternaleye, based on #32279 (comment), you don't think we should merge it?

I would like to see this merged, bcachefs with it's own encryption is very alluring.

@obadz Sorry I took so long to reply - that is correct, I think this should not be merged.

The issue is that this exposes shared, mutable, security-relevant state (the keyring) to all PAM sessions.

In addition, the issue with ecryptfs and bcachefs was fixed upstream; as a result, the next release of systemd (v238) will make this workaround superfluous.

This should be fixed now by #37647 and 361bd59...2d2ab94 which upgraded systemd to 238.

My comment on the bottom of #32279 may be relevant here.

Could one of you please try a recent 18.03 beta release with the systemd bump #36918? It's supposed to also fix this issue.

@fpletz That's what I did. See #32279
Unfortunately, for some strange reason the same problem exists. Have there been any other changes since #36918 that I should attempt a new try with?

Thanks! There was a bump to systemd to use the stable tree but I haven't checked if fixes for this issue went in there.

I'll try again with that commit to make sure it's just not user error, we'll see if this is still the case.

@fpletz
I can confirm that the same problem is occurring. It is having trouble requesting the key, and then can't allocate memory. I tested on a staging-18.03 USB drive.

I am still experiencing #27574 after the systemd-238 update.