kwallet-pam >= 5.18.4 and ecryptfs homes

Albert Astals Cid aacid at kde.org
Sun May 3 23:02:37 BST 2020


Remember to CC me, I'm not subscribed to the list

Sadly, a fix I made for Plasma 5.18.4 so that kwallet-pam reads/stores the salt file inside the encrypted home dir (if there is one) means that if you had used kwallet-pam < 5.18.4 and now use kwallet-pam, the salt file is not found and your kwallet is not auto-opened on login as you wanted.

SOLUTION 1:
 * Read the salt file in the "authenticate" step (the encrypted home, if there is one, is still not mounted) and keep it in memory
 * Read the file again in the "open_session" step (the encrypted home, if there is one, is now mounted); if there is no salt file, write it with what we have in memory


Problem A) The "old" file is still there outside the unencrypted home, which is not optimal

Problem B) This doesn't help people who have already updated to 5.18.4, since those will have a new salt file already in place



Potential solution to A) Keep the file descriptor of the "salt file from the authenticate step" and, if we find we have to use that file, delete or empty it through that fd
This assumes that fds to "now non-existent paths, because a folder was mounted over them" are still valid/usable


Potential solution to B) If opening the wallet failed and there was a different salt file in the authenticate step, try to use the contents of the old salt file to open the wallet; if that succeeds, show a long dialog with instructions on what they should do (I would rather not overwrite salt files, just in case)


SOLUTION 2:
 * Ignore it and hope people will read my blog https://tsdgeos.blogspot.com/2020/05/kwallet-pam-5184-and-ecryptfs-homes.html 





The problem with SOLUTION 1 is that it adds lots of code to a relatively "sensitive" piece of code like a PAM module for what is a one-time thing.
The problem with SOLUTION 2 is that it's not a solution :D


Opinions?


Cheers,
  Albert

Remember to CC me, I'm not subscribed to the list
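The two-step salt handling of SOLUTION 1, together with the "keep the fd" idea for Problem A, as an added example that is not part of the mail above and not kwallet-pam's own code. It uses plain POSIX calls and leaves the PAM entry points out; in a real module the in-memory salt and the fd would be carried from pam_sm_authenticate to pam_sm_open_session with pam_set_data(). The salt size (56 bytes), the file name and the sample salt are assumptions for the example, and the ecryptfs mount is simulated by renaming the directory that holds the old salt away and creating an empty one at the same path, which has the same effect on the held fd as a mount does on Linux: the path now resolves elsewhere, but the fd still refers to the old inode, so the old file can be emptied through it.

```c
/* Added example (not kwallet-pam code): SOLUTION 1 salt handling plus the
 * held-fd idea for Problem A, with plain POSIX calls. PAM glue omitted; a real
 * module would pass `mem` and `fd` between steps with pam_set_data(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#define SALT_LEN 56 /* assumed salt size for this example */

/* authenticate step: read the salt at `path` into `buf` and keep an fd to it.
 * Returns the fd (>= 0), or -1 if there is no complete salt file there. */
int salt_read_keep_fd(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (read(fd, buf, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return fd;
}

/* open_session step: if `path` has no salt file, create it from the copy kept
 * in memory. O_EXCL guarantees an existing salt file is never overwritten.
 * Returns 1 if written, 0 if a file was already there, -1 on error. */
int salt_write_if_missing(const char *path, const unsigned char *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return errno == EEXIST ? 0 : -1;
    ssize_t n = write(fd, buf, len);
    close(fd);
    if (n != (ssize_t)len) {
        unlink(path);
        return -1;
    }
    return 1;
}

/* Problem A: after the mount the old salt's path resolves into the new home,
 * but the fd opened before the mount still refers to the old inode. */
int salt_wipe_via_fd(int fd)
{
    if (ftruncate(fd, 0) < 0)
        return -1;
    return fsync(fd);
}

/* Stand-alone run. The mount is simulated by renaming the directory with the
 * old salt away and creating an empty one at the same path. Returns 0 on
 * success, or the number of the step that failed. */
int simulate_migration(void)
{
    char root[] = "/tmp/kwpam-XXXXXX", home[64], old[64], salt[96];
    unsigned char seed[SALT_LEN], mem[SALT_LEN], back[SALT_LEN];
    struct stat st;
    if (!mkdtemp(root)) return 1;
    snprintf(home, sizeof home, "%s/home", root);
    snprintf(old, sizeof old, "%s/home.unmounted", root);
    snprintf(salt, sizeof salt, "%s/kdewallet.salt", home); /* constructed name */
    memset(seed, 0xA5, SALT_LEN);                           /* constructed salt */
    /* pre-5.18.4 layout: salt file in the plain (not yet mounted) home */
    if (mkdir(home, 0700) < 0 || salt_write_if_missing(salt, seed, SALT_LEN) != 1) return 2;
    int fd = salt_read_keep_fd(salt, mem, SALT_LEN);        /* authenticate step */
    if (fd < 0) return 3;
    if (rename(home, old) < 0 || mkdir(home, 0700) < 0) return 4;   /* "mount" */
    if (salt_write_if_missing(salt, mem, SALT_LEN) != 1) return 5;  /* open_session */
    if (salt_write_if_missing(salt, mem, SALT_LEN) != 0) return 6;  /* never clobbers */
    if (salt_wipe_via_fd(fd) < 0 || fstat(fd, &st) < 0 || st.st_size != 0) return 7;
    close(fd);                                              /* old inode is empty */
    fd = open(salt, O_RDONLY);                              /* new home has the salt */
    if (fd < 0 || read(fd, back, SALT_LEN) != SALT_LEN || memcmp(back, seed, SALT_LEN)) return 8;
    close(fd);
    unlink(salt); rmdir(home);                              /* tidy up scratch tree */
    snprintf(salt, sizeof salt, "%s/kdewallet.salt", old);
    unlink(salt); rmdir(old); rmdir(root);
    return 0;
}

int main(void)
{
    int rc = simulate_migration();
    printf("simulate_migration -> %d (0 = ok)\n", rc);
    return rc;
}
```

Two details worth keeping if this were turned into module code: the O_EXCL create is what makes the open_session step safe to repeat (a second login with the salt already in the encrypted home returns 0 and touches nothing, which is also why it does nothing for the Problem B case where a new salt already exists), and the wipe goes through ftruncate() on the held fd rather than unlink() on the path, because after the mount the path no longer names the old file.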



