Expected behaviour you didn't see
I expected the contents of the backing files in the user's homedir to be ciphertext, once the user had fully logged out. Instead, the contents of the files were visible in the clear.
The names of the files appear to be ciphertext, though!
Unexpected behaviour you saw
0 root@unstable-amd64:~# date
Tue Apr 30 08:38:28 PM EDT 2024
0 root@unstable-amd64:~# journalctl --since '19:41' | grep moogly
Apr 30 19:41:48 unstable-amd64 systemd-homed[803]: moogly: changing state absent → creating
Apr 30 19:41:48 unstable-amd64 systemd-homed[803]: moogly: changing state creating → inactive
Apr 30 19:42:12 unstable-amd64 systemd-homed[803]: moogly: changing state inactive → activating-for-acquire
Apr 30 19:42:12 unstable-amd64 systemd-homed[803]: moogly: changing state activating-for-acquire → inactive
Apr 30 19:42:12 unstable-amd64 systemd-homed[803]: Got notification that all sessions of user moogly ended, deactivating automatically.
Apr 30 19:42:12 unstable-amd64 systemd-homed[803]: Home moogly already deactivated, no automatic deactivation needed.
Apr 30 19:42:23 unstable-amd64 systemd-homed[803]: moogly: changing state inactive → activating-for-acquire
Apr 30 19:42:23 unstable-amd64 systemd-homework[1146]: Moving to final mount point /home/moogly completed.
Apr 30 19:42:23 unstable-amd64 systemd-homed[803]: Home moogly is signed exclusively by our key, accepting.
Apr 30 19:42:23 unstable-amd64 systemd-homed[803]: moogly: changing state activating-for-acquire → active
Apr 30 19:42:23 unstable-amd64 login[437]: pam_systemd_home(login:auth): Home for user moogly successfully acquired.
Apr 30 19:42:23 unstable-amd64 login[437]: pam_unix(login:session): session opened for user moogly(uid=60240) by moogly(uid=0)
Apr 30 19:42:23 unstable-amd64 systemd-logind[371]: New session 3 of user moogly.
Apr 30 19:42:23 unstable-amd64 (systemd)[1155]: pam_systemd_home(systemd-user:account): Home for user moogly successfully acquired.
Apr 30 19:42:23 unstable-amd64 (systemd)[1155]: pam_unix(systemd-user:session): session opened for user moogly(uid=60240) by moogly(uid=0)
Apr 30 19:42:23 unstable-amd64 systemd[1]: Started session-3.scope - Session 3 of User moogly.
Apr 30 19:42:41 unstable-amd64 login[437]: pam_systemd_home(login:session): Not deactivating home directory of moogly, as it is still used.
Apr 30 19:42:41 unstable-amd64 login[437]: pam_unix(login:session): session closed for user moogly
Apr 30 19:42:52 unstable-amd64 systemd-homed[803]: Got notification that all sessions of user moogly ended, deactivating automatically.
Apr 30 19:42:52 unstable-amd64 systemd-homed[803]: moogly: changing state active → deactivating
Apr 30 19:42:52 unstable-amd64 systemd[1]: home-moogly.mount: Deactivated successfully.
Apr 30 19:42:52 unstable-amd64 systemd-homed[803]: moogly: changing state deactivating → inactive
0 root@unstable-amd64:~# cat /home/moogly.homedir/fk15lbYrZ_LgLMkvOjbBUc0wLPIXRS31In8-9hskDAUS_wIvZH94Zw
test
0 root@unstable-amd64:~#
Steps to reproduce the problem
as the superuser, create user:
homectl create --storage=fscrypt moogly
from a terminal, log in, create a file with cleartext:
unstable-amd64 login: moogly
Password:
Linux unstable-amd64 6.7.12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.7.12-1 (2024-04-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
moogly@unstable-amd64:~$ echo test > test.txt
moogly@unstable-amd64:~$ exit
logout
wait a minute, then as the superuser, inspect the contents of the files in /home/moogly.homedir. One of them contains test\n in the clear.
According to homectl(1), --drop-caches defaults to true when --storage=fscrypt, so I would have expected the result to look the way that it does after a reboot:
0 root@unstable-amd64:~# cat /home/moogly.homedir/fk15lbYrZ_LgLMkvOjbBUc0wLPIXRS31In8-9hskDAUS_wIvZH94Zw
cat: /home/moogly.homedir/fk15lbYrZ_LgLMkvOjbBUc0wLPIXRS31In8-9hskDAUS_wIvZH94Zw: Required key not available
1 root@unstable-amd64:~#
Any word on this? I'm reluctant to set up any users with --storage=fscrypt if I am not convinced that the files will actually be opaque after full logout.
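The post-logout check that the report performs by hand (cat on each backing file, expecting "Required key not available") can be scripted so it is run against every file rather than one. The following is an added example, not code from the issue or from the systemd project. It assumes it runs as root and that the backing directory is /home/<user>.homedir as in the report; the function names and the LEAKED/LOCKED/OTHER labels are this example's own. The message it matches is glibc's strerror text for ENOKEY, which is what the kernel returns when an fscrypt-protected file is opened without its key.

```sh
#!/bin/sh
# Added example (not from the issue or from systemd): for every regular file
# under a homed fscrypt backing directory, attempt a read and classify the
# result. With the fscrypt key evicted from the kernel, open() fails with
# ENOKEY, which glibc renders as "Required key not available" (the message in
# the post-reboot transcript above). A read that succeeds means cleartext is
# exposed on disk, which is the behaviour the report describes.
# Assumptions: runs as root; backing directory is /home/<user>.homedir.

# classify_file FILE: print LEAKED, LOCKED or OTHER for one file.
classify_file() {
  f=$1
  # Read a single byte. stderr is captured into $err, the file content itself
  # goes to /dev/null. When the key is absent the open() already fails, so one
  # byte is enough to tell the two cases apart.
  if err=$(LC_ALL=C head -c 1 "$f" 2>&1 >/dev/null); then
    printf 'LEAKED %s\n' "$f"
  else
    case $err in
      *"Required key not available"*) printf 'LOCKED %s\n' "$f" ;;
      *) printf 'OTHER %s (%s)\n' "$f" "$err" ;;
    esac
  fi
}

# check_homedir_locked DIR: print one line per file; return 0 when nothing is
# readable, 1 when at least one file is readable, 2 when DIR does not exist.
# find(1) output is line based, so a file name containing a newline would be
# misreported; fscrypt's base64-style encoded names never contain one.
check_homedir_locked() {
  dir=$1
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  report=$(find "$dir" -type f | while IFS= read -r f; do classify_file "$f"; done)
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
  fi
  if printf '%s\n' "$report" | grep -q '^LEAKED '; then
    return 1
  fi
  return 0
}

# verify_after_logout USER: force the deactivation the report waits a minute
# for, then check the backing directory. "homectl deactivate" is an existing
# homectl verb; whether deactivation also evicts the fscrypt key is exactly
# what this check tells you.
verify_after_logout() {
  user=$1
  homectl deactivate "$user" || return 2
  check_homedir_locked "/home/$user.homedir"
}
```

Run `verify_after_logout moogly` as root after the user has logged out; a clean fscrypt eviction prints only LOCKED lines and exits 0, while the behaviour in the report prints LEAKED lines and exits 1. OTHER lines (for example EACCES on an odd file) are printed with the error text so they can be looked at individually instead of being counted as either outcome.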
systemd version the issue has been seen with
255.5
Used distribution
debian unstable
Linux kernel version used
6.7.12-amd64
CPU architectures issue was seen on
x86_64
Component
systemd-homed
This seems related to #20857 and #20968
Additional program output to the terminal or log subsystem illustrating the issue
No response