[Bug] xfce4-screensaver pam not unlocking mount point
Flawm opened this issue · comments
I'm using arch linux & followed the wiki to set up fscrypt. It's great. Now, additionally I've configured a systemd hook to lock my home directory on a sleep call. It works great. Now, waking & logging back in, my mount point remains locked with no changes to the pam structure, which I thought was weird.
I'm using xfce and I noticed the lock screen has its own pam configuration it calls xfce4-screensaver in /etc/pam.d/
I've tried setting it up to mimic the existing pam-stack but to no avail, and in fact the minimal reproducible case is this, which is the bare minimum as mentioned in the docs:
auth required pam_unix.so
auth optional pam_fscrypt.so debug
session required pam_unix.so
session optional pam_fscrypt.so debug
and it's unfortunately not working with this error:
Aug 15 14:45:24 super pam_fscrypt[12965]: Current privs (real, effective): uid=(1000,1000) gid=(1000,1000) groups=[998 1000]
Aug 15 14:45:24 super pam_fscrypt[12965]: Setting euid=1000 egid=1000 groups=[1000 998]
Aug 15 14:45:24 super pam_fscrypt[12965]: Authenticate(map[debug:true]) failed: setting groups: operation not permitted
Looking into it a bit, it's coming from here, which is simply calling libc here.
I'm guessing it's something to do with the xfce process running as user 1000 and perms not chaining right, but ideally this would just work ™️ like the system-login pam stack via the light-dm greeter service. I think I can (maybe?) get around it with a systemd hook, but the issue is that I need the password passed in, and this is precisely what pam is for.
Here's a hacky workaround. First add this line to the auth section:
auth optional pam_exec.so seteuid expose_authtok /bin/unlock_fscrypt_sh
Then make these two scripts:
/bin/unlock_fscrypt_sh
#!/bin/sh
# pam_exec (expose_authtok) hands the password on stdin; read it once.
PASS="$(cat -)"
# Feed it to the expect driver together with the name of the user logging in.
echo "$PASS" | /bin/unlock_fscrypt_expect "$(id -nu)"
/bin/unlock_fscrypt_expect
#!/bin/expect
# Password arrives on stdin from the sh wrapper; user name as the first argument.
set password [gets stdin]
set user [lindex $argv 0]
# Drive fscrypt's interactive prompts for the user's home directory.
spawn fscrypt unlock /home/$user --user=$user
# Choose the first protector (index 0) when asked which one to use.
expect "*Enter the number*"
send "0\r"
# Supply the login passphrase.
expect "*Enter the login*"
send "$password\r"
# Wait for confirmation before returning to pam_exec.
expect "*is now unlocked*"
exit