Date: Tue, 20 Aug 2024 21:23:23 +0200
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: Gleb Popov <arrowd@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: a zfs thank you :)
Message-ID: <20240820192323.OaLjIO5I@steffen%sdaoden.eu>
In-Reply-To: <CALH631=RDwEcLCPTWNttYrq6F=_UeuSyMYFnGPBA3FOwryj%2B7g@mail.gmail.com>
References: <ZqpSHAPDcSlikhnC@int21h> <d8c5a0b1-6162-4b7a-8bbe-4fea2dd4ee4c@rlwinm.de> <20240819190714.mtYVCmQC@steffen%sdaoden.eu> <CALH631=RDwEcLCPTWNttYrq6F=_UeuSyMYFnGPBA3FOwryj%2B7g@mail.gmail.com>

Gleb Popov wrote in
 <CALH631=RDwEcLCPTWNttYrq6F=_UeuSyMYFnGPBA3FOwryj+7g@mail.gmail.com>:
|On Tue, Aug 20, 2024 at 12:18 AM Steffen Nurpmeso <steffen@sdaoden.eu> \
|wrote:
|> Jan Bramkamp wrote in
|>  <d8c5a0b1-6162-4b7a-8bbe-4fea2dd4ee4c@rlwinm.de>:
|>|On 31.07.24 17:02, void wrote:
...
|>|> [.] when adduser was invoked, I was given the option to
|>|> encrypt the homedir. This is a great feature for my context [2].
|>|>
|>|> It doesn't automount on boot but I think this is more of a feature
|>|> rather than a bug. One can have a different password to the GELI \
|>|> one used
|>|> to boot up the whole system.
|>|>
|>|> I have not tested yet whether one can have the user, once logged in,
|>|> mount
|>|> their homedir with doas(1). Right now, I mount the homedir like so:
|>|>
|>|> zfs load-key -a (prompts for password)
|>|> zfs mount -a
|>|>
|>|> as root.
...
|>|> Can anyone suggest any better ideas please?
|>
|>|There is the pam_zfs_key.so PAM session module that should do exactly
|>|what you're looking for if your users login with a password. It should
...
|> To suggest a screen locker for "warm" security.
|> Ie here this is (on Linux, in /root/bin/zzz.sh upon lid close etc)
...
|>   for p in $(pgrep X); do
...
|>     act "DISPLAY=:$disp $SUPER -u $uid slock </dev/null \
|>       >/dev/null 2>&1 &"
|>   done
...
|> Unfortunately there is no other easy way i know to lock all
|> X sessions otherwise.
|>
|> This is the problem i have with "encrypted home directories" per
|> se, i do not use that, but have several encfs directories, like,
...
|> [.]all these are unmounted upon LID close etc. (Unless some
|> process uses any directory within as CWD/pwd(1), then not. Force
|> unmounting does not work.)
|>
|> Ie that is all pretty uncomfortable (it is even more complicated
|> in practice), but like this data i care of a bit more is not [.]
|> Anyhow. To remark that PAM sessions can easily be bypassed by any
|> shell script (script </dev/null >/dev/null 2>&1 &), and, i looked
|> at the ZFS PAM module in particular a few years ago, it did not
...
|> It would be cool if the PAM implementations i know (Open and
|> Linux) would consider adding a dedicated session reaper, with all
|> session related modules stopping doing lots of dances, but instead
|> relying on some generic PAM library support mechanism.
|> Sounds a bit like a sophisticated and relevant Google Summer of
|> Code or something project.
|
|It feels like you're reimplementing ConsoleKit. I'm not sure if it can
|react to lid closing out of the box, but it manages sessions and
|locks/unlocks them depending on circumstances.

I .. do not know consolekit, but it does not look as if i want it:

  $ prt-get info consolekit|grep Dep
  Dependencies: dbus,gobject-introspection,linux-pam,xorg-libx11

(Funnily i do have the dependencies installed, gobject stuff for
harfbuzz for mupdf, DBUS for iwd (wireless) and bluez.)

No, but i am happy that no one wants to start introducing systemd
into FreeBSD, i think it can do something like this.
PAM sessions are broken unless anybody plays nice for sure, and
with dedicated reapers that could be overcome.

For my LID close things, there is software which allows paranoia,
gpg-agent for example supports

  SIGHUP This signal flushes all cached passphrases

Unfortunately i failed to upstream the same for ssh-agent, thus
i have to workaround it (or patch forever). And unfortunately
encfs does not support auto-unmount on SIGHUP, also. So it cannot
be as easy as

  pkill -HUP ssh-agent
  pkill -HUP encfs
  ...

called by root on LID close or so if one wants to increase "warm
security" (i think this warm / cold terminology is from PHK).
And that there is no general way that offers automatic screen
locking for all X and console sessions on LID close, requiring
password entry for unlocking, that is really strange.
Maybe ConsoleKit can do that more easily, and portably so.
(But i keep on using the simple shell script loop, as the shell
script is anyway running on LID close.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)