Difference between revisions of "Encfs"
m |
|||
Line 23: | Line 23: | ||
Another cool use of fuse is [http://shfs.sourceforge.net/ sshfs] (apt-get install sshfs) |
Another cool use of fuse is [http://shfs.sourceforge.net/ sshfs] (apt-get install sshfs) |
||
<br>For other cool stuffs, check [http://fuse.sourceforge.net/wiki/index.php/FileSystems here], among others the amazing [http://unit.aist.go.jp/itri/knoppix/http-fuse/index-en.html HTTP-FUSE-KNOPPIX] |
<br>For other cool stuffs, check [http://fuse.sourceforge.net/wiki/index.php/FileSystems here], among others the amazing [http://unit.aist.go.jp/itri/knoppix/http-fuse/index-en.html HTTP-FUSE-KNOPPIX] |
||
+ | <br>Note on [http://www.ricardis.tudelft.nl/~vincent/fusesmb/ fusesmb]: contrary to use of smbfs where users are identified as USER/DOMAIN, here ~/.smb/fusesmb.conf must use username=DOMAIN/USER notation. On big Windows networks, I've problems discovering the neighborhood, in that case it's much easier to populate ~/.smb/fusesmb.cache by yourself with lines such as /WORKGROUP/COMPUTER/SHARE |
||
==Encfs homedir== |
==Encfs homedir== |
Revision as of 12:46, 21 May 2007
Install
apt-get install encfs
You'll also need the fuse module:
apt-get install fuse-source fuse-utils cd /usr/src; tar xjf fuse.tar.bz2 cd linux; make-kpkg --us --uc --revision $REVISION --append-to-version $APPEND modules_image
Note that fuse is already present in the last kernel versions (at least 2.6.15)
Test:
- Under Debian, the user must be member of the fuse group to have the right to use fuse:
adduser phil fuse
- To load automatically the module fuse:
echo fuse >> /etc/modules
- To mount:
encfs /home/user/crypt-raw /home/user/crypt%%%First time, choose "p" for paranoia settings
- To unmount:
fusermount -u /home/user/crypt
Another cool use of fuse is sshfs (apt-get install sshfs)
For other cool stuffs, check here, among others the amazing HTTP-FUSE-KNOPPIX
Note on fusesmb: contrary to use of smbfs where users are identified as USER/DOMAIN, here ~/.smb/fusesmb.conf must use username=DOMAIN/USER notation. On big Windows networks, I've problems discovering the neighborhood, in that case it's much easier to populate ~/.smb/fusesmb.cache by yourself with lines such as /WORKGROUP/COMPUTER/SHARE
Encfs homedir
Personal script
My first attempt was a bash script:
#!/bin/bash # This scripts automatically attempts to mount # an encrypted home directory at login time # # Usage: how to setup this for e.g. user <foo> # Put this script as shell of the user foo in /etc/passwd instead of /bin/bash # Encrypted data will be under /home/.foo and mount point will be /home/foo # Don't forget to put user foo in the group "fuse": adduser foo fuse # # Requirements: # Encfs, module fuse and fuse-utils # # Copyright: # 2005, Philippe Teuwen <phil@teuwen.org> # # License: # This script is under GPL # # History: # v0.02 # Change $(whoami) to $(USER) # v0.01 # Initial version # # TODO: # Check [xkg]dm login capability # Abs paths # Test presence of progs # Test used only as login # When using several users with the same UID, only environment # variables USER and HOME tell the difference # So don't use whoami but USER echo "Welcome $USER, please type your master key :-)" # Mount the home dir /usr/bin/encfs /home/.$USER $HOME # Check if encrypted fs was mounted properly otherwise exit /bin/cat /etc/mtab|/bin/grep -q "^encfs $HOME"||exit 1 # Required to refresh the home directory cd $HOME # Finally gives a bash to the user /bin/bash # Required to exit the home dir to be able to unmount it cd / # Unmount the home dir /usr/bin/fusermount -u $HOME
PAM module
There exists an encfs PAM.
My notes for a Debian installation:
cp pam_encfs.so /lib/security /etc/pam.d/common-auth: #auth required pam_unix.so nullok_secure auth sufficient pam_encfs.so auth required pam_unix.so use_first_pass nullok_secure /etc/pam.d/common-session: session required pam_encfs.so session required pam_unix.so /etc/pam_encfs.conf: drop_permissions encfs_default fuse_default - /home/encfs - - - #To add a user with encfs homedir: adduser testuser (put him in the fuse group if you have one) mkdir -p /home/encfs/testuser /home/testuser chown testuser:testuser /home/encfs/testuser /home/testuser su testuser encfs /home/encfs/testuser /home/testuser #*use same password as your login atm* fusermount -u /home/testuser #To enable encfs homedir on existing user: sudo mkdir -p /home/encfs/phil /home/encfs/tmp sudo chmod 777 /home/encfs/tmp sudo chown phil:phil /home/encfs/phil #*use your main password on next part* encfs /home/encfs/phil /home/encfs/tmp cd /home/phil find . -xdev | cpio -pamd /home/encfs/tmp fusermount -u /home/encfs/tmp cd / sudo mv /home/phil /home/phil.BAK sudo mkdir /home/phil sudo chown phil:phil /home/phil sudo rmdir /home/encfs/tmp #*logout*
Problems:
- --idle=1 is nice but how to avoid unwanted auto umount when still logged? (pam_encfs.so should maybe keep a file/dir open)
- if drop_permissions disabled, root needs explicit write access to user's home mount point
- if drop_permissions disabled and --public disabled, HOME env var set by default to / (while it was apparently defined in pam_encfs as mount point path was correctly found)
- No directory, logging in with HOME=/
- if drop_permissions disabled and --public enabled, no problem.
- Don't know how to solve that
- specific fuse options added only if generic fuse_default declared
- patch:
--- pam_encfs.c.orig :50:29.000000000 +0200 +++ pam_encfs.c:34:46.000000000 +0200 @@ -427,11 +427,11 @@ arg_pos += buildCmd(arg,arg_pos,path); arg_pos += buildCmd(arg,arg_pos,targetpath); - if (strlen(default_fuse_options) > 0) { - if (strlen(fuse_options) > 0) { + if (strlen(default_fuse_options) > 0 && strlen(fuse_options) > 0) { strcat(fuse_options,","); } - strcat(fuse_options,default_fuse_options); + strcat(fuse_options,default_fuse_options); + if (strlen(fuse_options) > 0) { arg_pos += buildCmd(arg,arg_pos,"--"); arg_pos += buildCmd(arg,arg_pos,"-o"); arg_pos += buildCmd(arg,arg_pos,fuse_options);
- if fuse_default or encfs_default empty, garbage produced on call to encfs or fuse
- patch:
@@ -235,13 +235,12 @@ continue; } if (strcmp("encfs_default",username) == 0) { - - if (!strcmp("-",path) == 0) + if (parsed == 2 && !strcmp("-",path) == 0) strcpy(default_encfs_options,path); continue; } if (strcmp("fuse_default",username) == 0) { - if (!strcmp("-",path) == 0) + if (parsed == 2 && !strcmp("-",path) == 0) strcpy(default_fuse_options,path); continue; }
- multiple options not supported for encfs_default
- patch:
@@ -253,6 +252,7 @@ if (strcmp("-",fuse_options) == 0) strcpy(fuse_options,""); + searchAndReplace(default_encfs_options); searchAndReplace(encfs_options); if ((strcmp(user,username) == 0) || (strcmp("-",username) == 0)) {
- On some circumstances, fusermount fails while it shouldn't:
testphil@mercure:~$ mount [...] encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil) encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil) testphil@mercure:~$ logout fusermount: entry for /home/testphil not found in /etc/mtab phil@mercure:~$ mount [...] encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil) encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil) phil@mercure:~$ sudo su testphil -c "fusermount -u /home/testphil" * and here it works with exactly the same command*
- /etc/pam_encfs.conf is not the best place
- /usr/share/doc/libpam0g/Debian-PAM-~MiniPolicy.gz tells to have /lib/security/encfs.conf which is awful
- but libpam-modules has e.g. /etc/security/pam_env.conf so we will have /etc/security/pam_encfs.conf
- I should ask Sam Hartman <hartmans at ...> about this incoherence
- patch:
@@ -81,7 +81,7 @@ #define USERNAME_MAX 127 #define PATH_MAX 256 #define BUFSIZE ((USERNAME_MAX +1) + ((PATH_MAX+1) * 2)) -#define CONFIGFILE "/etc/pam_encfs.conf" +#define CONFIGFILE "/etc/security/pam_encfs.conf" static void _pam_log ( int err, const char *format, ... ); static char default_encfs_options[USERNAME_MAX];
- It looks like the argument allow_root given to fuse is transformed into allow_other when displayed by mount
Problems linked to the absence of locking support:
- encfs or fuse doesn't allow locking, cf similar problem with samba
- Not sure which operation fails, flock() or open with O_EXCL flag.
- with KDE: could not read network connection list /home/.../.DCOPserver_machine__0
- Indeed dcopserver refuses to start (error in locking .ICEauthority)
- Solution: add to ~/.bashrc (or ~/.bash_profile if ~/.bash_profile does not include ~/.bashrc)
- export XAUTHORITY=/tmp/.Xauthority-$USER
- export ICEAUTHORITY=/tmp/.ICEauthority-$USER
- with unison: error (error message is not adequate...)
Fatal error: Warning: the archives are locked.
If no other instance of unison is running, the locks should be removed.
Please delete lock files as appropriate and try again.- Create a soft link from ~/.unison to an dir out of the encfs
- with courier-imap: this doesn't work if Maildir is on encfs
- For read-only IMAP, create a soft link from e.g. /home/user_noencfs/Maildir out of the encfs to ~/Maildir (so your mails will remain encrypted!) and tell to courier-imap that your homedir is the /home/user_noencfs
- For read-write, this is not possible
Problems with tiger
I get a very similar problem as this guy: I always get the following msg
--CONFIG-- [con010c] Filesystem 'fuse' used by 'encfs' is not recognised as a local filesystem
and no way to get rid of it via /etc/tiger (except skipping all "system" tests) so I had also to add to /usr/lib/tiger/systems/Linux/2/gen_mounts a line with
[ "$2" = "encfs" ] && LOCAL=0
but I know next Debian upgrade will silently restore the original (or new) version :-(