gdmsetup: Don't offer autologin for ecryptfs users

Bug #284443 reported by Michael Kofler on 2008-10-16
38
This bug affects 5 people
Affects Status Importance Assigned to Milestone
ecryptfs-utils (Ubuntu)
Undecided
Dustin Kirkland 
gdm (Ubuntu)
Low
Robert Ancell

Bug Description

if autologin is enabled in gdm, the encrypted private directory is not automatically mounted

as ubiquitiy now has an autologin option, this will affect many users who later manually create an encrypted directory

from the security point of view, no auto mount for auto login this is certainly good and not a 'bug'; but it is unexpected and should be documented; also, both ecryptfs-utils and gdmsetup should explicitly warn for this case

Claudiu Vlad (claudiu-vlad) wrote :

Confirmed on Intrepid.

Dustin Kirkland  (kirkland) wrote :

The encrypted private directory should absolutely NOT be mounted on automatic, password-less logins. That would entirely defeat its purpose. In fact, auto logins should never be used on any system where you care at all about security.

I'll document this in the EncryptedPrivateDirectory wiki page, and eventually in the ecryptfs-setup-private manpage in a subsequent upstream release.

I'm not going to clutter the ecryptfs dialogs with this information. I'll leave it to the gdmsetup developers to decide whether they want to include a note.

:-Dustin

Changed in ecryptfs-utils:
assignee: nobody → kirkland
status: New → Won't Fix
Changed in gdm:
importance: Undecided → Low

I don't think it makes sense at all in gdm:

 - You do not actually "see" gdm if you have autologin enabled.
 - Once you installed your system that way, the damage is done.

IMHO it should be pointed out right at the place when the user can still do something about it to not break it: The autologin and ecryptfs options should mutually exclude themselves in the installer.

Ideally, if you create an ecryptfs with command line tools in an installed system, it would point out that it doesn't work with autologin, but that would encode gdm specific knowledge into the scripts, so we should avoid that. It could just generally tell the user about it.

But it is totally doable in the installer.

Changed in gdm:
status: New → Incomplete

Okay, per discussion with pitti in IRC, I think the proper solution
would involve:

 * changing the symlink in an un-mounted ~/Private directory to point
to a wrapper script, instead of /sbin/mount.ecryptfs_private
 * having that wrapper script:
   * first try to perform the mount
   * if the required key is not found
     * Explain the situation
     * Prompt for the password using gksu/zenity/kdesu
     * Perform the mount

This is Jaunty material, and will probably involve assistance from the
desktop folks.

:-Dustin

that's not a gdm issue

Changed in gdm:
status: Incomplete → Invalid

Confirmed for Maverick! Probably you may wish to rethink your opinion

/usr/share/gdm/autostart/LoginWindow

ecryptfs behaves absolutely in correct manner, as it as it has to interpret this action as an attempted burglary.

Not really much more to add exept that it has cost a few hours of my lifespan to settle this matter within the given opportunities to recover data and avoid reinstall - as many "fresh" users would take this option as 1st prefered choice.

Help making Ubuntu better!

Dustin Kirkland  (kirkland) wrote :

Martin,

Is there anything we can do on the desktop side, to keep people from choosing "auto login" if their system is setup for encrypted home? That's easy enough to test. Just look for ~/.ecryptfs/auto-mount.

Its a logical contradiction, mate.

If you choose to have encrypted folder, you want security.

If you want autologin, you dont give a s**t about security.

Anyways, for decrypting the folder, YOU NEED THE PASSWORD, which must be
supplied one way or another.

So think about it.

Cheers,

On Sat, Feb 5, 2011 at 5:45 PM, Dustin Kirkland
<email address hidden>wrote:

> Martin,
>
> Is there anything we can do on the desktop side, to keep people from
> choosing "auto login" if their system is setup for encrypted home?
> That's easy enough to test. Just look for ~/.ecryptfs/auto-mount.
>
> --
> You received this bug notification because you are a direct subscriber
> of the bug.
> https://bugs.launchpad.net/bugs/284443
>
> Title:
> Encrypted Private Directory is not automatically mounted when using
> gdm auto-login
>

Martin Pitt (pitti) wrote :

The installer does the right thing these days, and in comment 4 I spoke about gdm as in the login manager. But indeed you can still select ecryptfs users in gdmsetup for autologin; this should be fixed indeed. Robert, as gdmsetup is your's, do you have a couple of minutes to check for this and remove users with an ~/.ecryptfs/auto-mount from the autologin list? Thanks!

summary: - Encrypted Private Directory is not automatically mounted when using gdm
- auto-login
+ gdmsetup: Don't offer autologin for ecryptfs users
Changed in gdm (Ubuntu):
assignee: nobody → Robert Ancell (robert-ancell)
status: Invalid → Triaged
Robert Ancell (robert-ancell) wrote :

This is actually non-trivial as gdmsetup is run as an unprivileged user and so wont necessarily be able to check ~/.ecryptfs/auto-mount. Would it be OK for GDM to instead check for this and just select the logged in user (i.e. prompt for a password) instead of logging in automatically?

Robert Ancell [2011-02-08 6:34 -0000]:
> This is actually non-trivial as gdmsetup is run as an unprivileged user
> and so wont necessarily be able to check ~/.ecryptfs/auto-mount.

Ah, ok. I thought that gdmsetup would talk to the gdm-binary D-BUS
service (which runs as root), but if it's not then..

>Would it be OK for GDM to instead check for this and just select the
>logged in user (i.e. prompt for a password) instead of logging in
>automatically?

... this sounds just fine as well.

Thanks!

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)

Robert Ancell (robert-ancell) wrote :

OK, I think the solution has to be:
1. /etc/pam.d/gdm-autologin has to force a password request if the user is using an encrypted home directory
2. GDM has to detect this, and launch the greeter if this occurs (normal case is to run without launching the greeter)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm - 2.32.0-0ubuntu14

---------------
gdm (2.32.0-0ubuntu14) natty; urgency=low

  * debian/patches/24_respect_system_minuid.patch:
    - Ignore entries from ck-history that are using system UIDs (LP: #696038)
  * debian/patches/42_no_ecryptfs_autologin.patch:
    - Don't autologin ecryptfs users (LP: #284443)
 -- Robert Ancell <email address hidden> Fri, 01 Apr 2011 15:49:50 +1100

Changed in gdm (Ubuntu):
status: Triaged → Fix Released
Robert Ancell (robert-ancell) wrote :

Hmm, I tried to do this properly but GDM has beaten me.
So then I tried to make it look for the auto-mount file in the home directory and start the login process but still prompt the user but GDM wasn't having any of that either.
I've got it now checking for the file, and just ignoring the autologin entirely if the user has ecryptfs.

TomasHnyk (sup) wrote :

Robert: does this mean that bug 753707 was introduced? It seems that autologin now does not work when .ecryptfs is present in the $HOME directory of the user to be autologged in.

If I can add my two cents, that seems to be a bit unfortunate, because now gdm does not ask me for password anyway (it just wants me to select myself as the user to be logged in) so the encrypted directory is not mounted anyway and autlogin does not work either.

There is a README in my Private directory that reads as follows:

THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA.

From the graphical desktop, click on:
 "Access Your Private Data"

or

From the command line, run:
 ecryptfs-mount-private

Why don't we change it so something like this (I am not a native speaker so the English might be dubious, I am not sure if autlogin can be made into a verb) :

THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA.

This may be because you were autologged in and thus did not enter your password.

From the graphical desktop, click on:
 "Access Your Private Data"

or

From the command line, run:
 ecryptfs-mount-private

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers