FS#54670 - [systemd] Systemd breaks eCryptfs

Attached to Project: Arch Linux
Opened by slack3r (slack3r) - Monday, 03 July 2017, 08:28 GMT
Last edited by Christian Hesse (eworm) - Thursday, 06 July 2017, 07:30 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 6
Private No

Details

Description:
Systemd 233-6 breaks usage of ecryptfs-utils.

Additional info:
* packages version:
systemd 233-6
ecryptfs-utils 111-2


Steps to reproduce:
- follow https://wiki.archlinux.org/index.php/ECryptfs#With_configuration_files;
- try to mount 'secret' directory with 'mount.ecryptfs_private secret';
in dmesg you'll get an error like this or similar:
'Could not find key with description:[...] Could not find valid key in user session keyring for sig specified in mount option'.


Solution:
- roll back to version 232-8.


Closed by  Christian Hesse (eworm)
Thursday, 06 July 2017, 07:30 GMT
Reason for closing:  Fixed
Additional comments about closing:  systemd 233.75-2
Comment by John (graysky) - Tuesday, 04 July 2017, 13:03 GMT
Since I am using ecryptfs in a linux container, the error is a little different but the result is the same:

% ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [ed8e04bcbf11a9e2] into the user session keyring
mount: No such file or directory

Versions that work: systemd libsystemd systemd-sysvcompat 232-8
Versions that do not work: 233-6 233-7 and 233.75-1
Comment by Mark Conway Wirt (mcw) - Tuesday, 04 July 2017, 17:02 GMT
Like John (graysky), I can confirm the same behaviour. ecryptfs-mount-private stopped working, and a rollback to 232-8 restored my ability to mount my encrypted home directory.
Comment by Christian Hesse (eworm) - Tuesday, 04 July 2017, 20:45 GMT
Possibly we need something like this on top:
https://github.com/eworm-de/systemd/commit/b1d4ff7708b13623ee84002c89e483bfe1c9532f

Can you rebuild systemd with this patch applied and test again?
Comment by Christian Hesse (eworm) - Tuesday, 04 July 2017, 21:03 GMT
Or just install these packages, which have the required changes:
https://pkgbuild.com/~eworm/systemd/

(Had to add more changes, commit is https://github.com/eworm-de/systemd/commit/fbef069b2799db1c5ce461e450e7bc3ef3acf069)
Comment by slack3r (slack3r) - Wednesday, 05 July 2017, 07:15 GMT
@Christian Hesse (eworm)

Nope, does not work for me:

[2017-07-05 08:47] [ALPM] upgraded libsystemd (232-8 -> 233.75-1.1)
[2017-07-05 08:47] [ALPM] upgraded systemd (232-8 -> 233.75-1.1)
[2017-07-05 08:47] [ALPM] upgraded systemd-sysvcompat (232-8 -> 233.75-1.1)
[2017-07-05 08:47] [ALPM] transaction completed

Reboot.

Then:

$ mount.ecryptfs_private <my_directory>
mount: No such file or directory

$ dmesg | tail
[ 156.756992] Could not find key with description: [*****]
[ 156.756996] process_request_key_err: No key
[ 156.756998] Could not find valid key in user session keyring for sig specified in mount option: [*****]
[ 156.757000] One or more global auth toks could not properly register; rc = [-2]
[ 156.757002] Error parsing options; rc = [-2]

$ keyctl list @u
1 key in keyring:
86706593: --alswrv 1000 1000 user: *********

Comment by Christian Hesse (eworm) - Wednesday, 05 July 2017, 07:23 GMT
*sigh*

Wondering why the error messages are about user session keyring but you list the user keyring? ("@u" vs. "@us")
Comment by slack3r (slack3r) - Wednesday, 05 July 2017, 07:52 GMT
@Christian Hesse (eworm)

Sorry, my mistake.

Again:

$ ecryptfs-add-passphrase
Passphrase:
Inserted auth tok with sig [676****4f] into the user session keyring

$ mount.ecryptfs_private <my_directory>
mount: No such file or directory

$ dmesg | tail
[ 262.267818] Key type trusted registered
[ 262.288751] Key type encrypted registered
[ 262.305998] Could not find key with description: [676****4f]
[ 262.305999] process_request_key_err: No key
[ 262.305999] Could not find valid key in user session keyring for sig specified in mount option: [676****4f]
[ 262.306000] One or more global auth toks could not properly register; rc = [-2]
[ 262.306000] Error parsing options; rc = [-2]

# user default session keyring:
$ keyctl list @us
1 key in keyring:
424010271: --alswrv 1000 65534 keyring: _uid.1000
Comment by Christian Hesse (eworm) - Thursday, 06 July 2017, 07:24 GMT
I reverted the keyring stuff in systemd 233.75-2. This should fix eCryptfs as well.
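
Added example (not part of the original report, and not code from systemd or ecryptfs-utils): a small Python triage helper that correlates the three outputs quoted in the comments above, namely the ecryptfs-add-passphrase message, the dmesg errors and a `keyctl list` listing, to tell a key that was never added apart from one that was added but is not where the kernel looks. The function names, the classification labels and the sample signature are assumptions made for this illustration.

```python
import re

# Constructed sample transcript modelled on the outputs quoted in this report;
# the signature 0123456789abcdef is made up.
ADD_OUTPUT = "Inserted auth tok with sig [0123456789abcdef] into the user session keyring\n"
DMESG = """\
[ 262.305998] Could not find key with description: [0123456789abcdef]
[ 262.305999] process_request_key_err: No key
[ 262.305999] Could not find valid key in user session keyring for sig specified in mount option: [0123456789abcdef]
[ 262.306000] One or more global auth toks could not properly register; rc = [-2]
[ 262.306000] Error parsing options; rc = [-2]
"""
KEYCTL_US = """\
1 key in keyring:
424010271: --alswrv 1000 65534 keyring: _uid.1000
"""

INSERTED = re.compile(r"Inserted auth tok with sig \[([0-9a-f]+)\]")
NOT_FOUND = re.compile(r"Could not find key with description:\s*\[([0-9a-f]+)\]")
# id: perms uid gid type: description
KEY_LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\w+):\s+(.*)$")


def parse_keyctl_list(text):
    """Return (type, description) pairs from `keyctl list` output."""
    entries = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            entries.append((m.group(5), m.group(6).strip()))
    return entries


def triage(add_output, dmesg, keyctl_list):
    """Classify each signature the kernel reported as not found (labels are hypothetical)."""
    inserted = set(INSERTED.findall(add_output))
    listed = parse_keyctl_list(keyctl_list)
    results = {}
    for sig in NOT_FOUND.findall(dmesg):
        if ("user", sig) in listed:
            # Key is in the listed keyring, yet the mount's lookup did not reach it.
            results[sig] = "listed-but-not-found"
        elif sig in inserted:
            # Userspace reported success, but the listed keyring does not hold the key.
            results[sig] = "inserted-but-not-listed"
        else:
            results[sig] = "never-inserted"
    return results
```

With the constructed sample, `triage(ADD_OUTPUT, DMESG, KEYCTL_US)` reports `inserted-but-not-listed`, the pattern in the last transcript above: the passphrase was accepted, so the failure lies in which keyring the mount can see rather than in the key material.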
