PAM/eCryptfs now able to mount ecryptfs'd home directories on login

9 years ago · e5d4624420
parent b452bd40e1
commit e5d4624420
4 changed files with 65 additions and 14 deletions
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -131,6 +131,7 @@
  notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
  np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
  nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
+  obadz = "obadz <dav-nixos@odav.org>";
  ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
  offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
  olcai = "Erik Timan <dev@timan.info>";
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -211,7 +211,9 @@ let
          ${optionalString cfg.usbAuth
              "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
          ${optionalString cfg.unixAuth
-              "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
+              "auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
+          ${optionalString config.security.pam.enableEcryptfs
+              "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
          ${optionalString cfg.otpwAuth
              "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
          ${optionalString cfg.oathAuth
@ -223,9 +225,11 @@ let
            auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
            auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
          ''}
-          auth required   pam_deny.so
+          ${optionalString (! config.security.pam.enableEcryptfs) "auth required pam_deny.so"}

          # Password management.
+          ${optionalString config.security.pam.enableEcryptfs
+              "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
          password requisite pam_unix.so nullok sha512
          ${optionalString config.users.ldap.enable
              "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
@ -245,6 +249,8 @@ let
              "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"}
          ${optionalString cfg.updateWtmp
              "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
+          ${optionalString config.security.pam.enableEcryptfs
+              "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
          ${optionalString config.users.ldap.enable
              "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
          ${optionalString config.krb5.enable
@ -357,6 +363,13 @@ in
      '';
    };

+    security.pam.enableEcryptfs = mkOption {
+      default = false;
+      description = ''
+        Enable eCryptfs PAM module (mounting ecryptfs home directory on login).
+      '';
+    };
+
    users.motd = mkOption {
      default = null;
      example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
@ -377,7 +390,11 @@ in
      ++ optional config.users.ldap.enable pam_ldap
      ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
      ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
-      ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ];
+      ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]
+      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
+
+    security.setuidPrograms =
+        optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];

    environment.etc =
      mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@ -95,15 +95,23 @@ in

        auth     required       pam_succeed_if.so uid >= 1000 quiet
        auth     optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
-        auth     sufficient     pam_unix.so nullok likeauth
-        auth     required       pam_deny.so
+        auth     ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
+        ${optionalString config.security.pam.enableEcryptfs
+          "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
+
+        ${optionalString (! config.security.pam.enableEcryptfs)
+          "auth     required       pam_deny.so"}

        account  sufficient     pam_unix.so

        password requisite      pam_unix.so nullok sha512
+        ${optionalString config.security.pam.enableEcryptfs
+          "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}

        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
        session  required       pam_unix.so
+        ${optionalString config.security.pam.enableEcryptfs
+          "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
        session  required       pam_loginuid.so
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
        session  optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
@ -115,15 +123,22 @@ in

        auth     required       pam_succeed_if.so uid >= 1000 quiet
        auth     optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so
-        auth     sufficient     pam_unix.so nullok likeauth
-        auth     required       pam_deny.so 
+        auth     ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth
+        ${optionalString config.security.pam.enableEcryptfs
+          "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
+        ${optionalString (! config.security.pam.enableEcryptfs)
+          "auth     required       pam_deny.so"}

        account  sufficient     pam_unix.so
        
        password requisite      pam_unix.so nullok sha512
+        ${optionalString config.security.pam.enableEcryptfs
+          "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}

        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
        session  required       pam_unix.so
+        ${optionalString config.security.pam.enableEcryptfs
+          "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
        session  required       pam_loginuid.so
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
        session  optional       ${gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start
--- a/pkgs/tools/security/ecryptfs/default.nix
+++ b/pkgs/tools/security/ecryptfs/default.nix
@ -1,5 +1,5 @@
-{ stdenv, fetchurl, pkgconfig, perl, keyutils, nss, nspr, python, pam
-, intltool, makeWrapper, coreutils, gettext, cryptsetup, lvm2, rsync, which }:
+{ stdenv, fetchurl, pkgconfig, perl, utillinux, keyutils, nss, nspr, python, pam
+, intltool, makeWrapper, coreutils, bash, gettext, cryptsetup, lvm2, rsync, which }:

 stdenv.mkDerivation {
  name = "ecryptfs-104";
@ -9,16 +9,33 @@ stdenv.mkDerivation {
    sha256 = "0f3lzpjw97vcdqzzgii03j3knd6pgwn1y0lpaaf46iidaiv0282a";
  };

+  #TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir;
+  preConfigure = ''
+    FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"
+    for file in $FILES; do
+      substituteInPlace "$file" \
+        --replace /sbin/mount.ecryptfs_private /var/setuid-wrappers/mount.ecryptfs_private \
+        --replace /sbin/umount.ecryptfs_private /var/setuid-wrappers/umount.ecryptfs_private \
+        --replace /sbin/mount.ecryptfs $out/sbin/mount.ecryptfs \
+        --replace /sbin/umount.ecryptfs $out/sbin/umount.ecryptfs \
+        --replace /usr/bin/ecryptfs-rewrite-file $out/bin/ecryptfs-rewrite-file \
+        --replace /usr/bin/ecryptfs-mount-private $out/bin/ecryptfs-mount-private \
+        --replace /usr/bin/ecryptfs-setup-private $out/bin/ecryptfs-setup-private \
+        --replace /sbin/cryptsetup ${cryptsetup}/sbin/cryptsetup \
+        --replace /sbin/dmsetup ${lvm2}/sbin/dmsetup \
+        --replace /bin/mount ${utillinux}/bin/mount \
+        --replace /bin/umount ${utillinux}/bin/umount \
+        --replace /sbin/unix_chkpwd /var/setuid-wrappers/unix_chkpwd \
+        --replace /bin/bash ${bash}/bin/bash
+    done
+  '';
+
  buildInputs = [ pkgconfig perl nss nspr python pam intltool makeWrapper ];
  propagatedBuildInputs = [ coreutils gettext cryptsetup lvm2 rsync keyutils which ];

  postInstall = ''
-    FILES="$(grep -r '/bin/sh' $out/bin | sed 's,:.*,,' | uniq)"
+    FILES="$(grep -r '/bin/sh' $out/bin -l)"
    for file in $FILES; do
-      sed -i $file -e "s,\(/sbin/u\?mount.ecryptfs\(_private\)\?\),$out\1," \
-        -e "s,\(/sbin/cryptsetup\),${cryptsetup}\1," \
-        -e "s,\(/sbin/dmsetup\),${lvm2}\1," \
-        -e 's,/sbin/\(unix_chkpwd\),\1,'
      wrapProgram $file \
        --prefix PATH ":" "${coreutils}/bin" \
        --prefix PATH ":" "${gettext}/bin" \
@ -32,6 +49,7 @@ stdenv.mkDerivation {
  meta = with stdenv.lib; {
    description = "Enterprise-class stacked cryptographic filesystem";
    license = licenses.gpl2Plus;
+    maintainers = [ lib.maintainers.obadz ];
    platforms = platforms.linux;
  };
 }