debops-padlock unusable with encfs > 1.9

[timitos]

A problem with the dependency tinyxml2 of encfs >1.9 makes debops-padlock unusable on stretch for the moment.

Errors that appear with encfs > 1.9: 2016-12-16 20:59:43,610 ERROR [default] Failed to load config file /tmp/ks_lij9g9 2016-12-16 20:59:43,610 ERROR [default] Found config file /tmp/ks_lij9g9, but failed to load - exiting

Related issues: https://github.com/vgough/encfs/issues/253 https://github.com/leethomason/tinyxml2/issues/514

[drybjed]

@timitos, do you know if there's a related Debian Bug about this? I don't see any related bugs on the encfs Debian bug page, perhaps it would be useful to report it?

[antofthy]

Okay as the file is /tmp/ks_lij9g9 it means you are probably using the "Key Storage" wrapper around "encyptfs" that I developed to secure "encryptfs" keys and config files separate to the "encryptfs" data.

This broke because encryptfs swicthed to the use of tinyxml library, such that it can nolonger read from a named pipe (device). I have updated that script to use a plain test file (with heavy comment as to why!) Arrrggghhhhh...

If you download the updated version of the "ks" script at... http://www.ict.griffith.edu.au/anthony/software/#ks and the associated "encrypt" script http://www.ict.griffith.edu.au/anthony/software/#encrypt

These versions also understands the use of password helper environment variables SSH_ASKPASS and TTY_ASKPASS that lest you specify programs for secure password sourcing. As well as quite a few other incremental changes made since first released.

Anthony Thyssen

[johbo]

Did look into this issue, going to try a solution, since we'd like to use the padlock mechanism.

It seems to me that there are two good options available when looking from the debops perspective:

1. Create a patch for EncFS, so that it reads the configuration data into memory and then uses XMLDocument->Parse() instead of XMLDocument->Load(). This way the issue with tinyxml2 would be avoided.
2. Change debops-padlock so that we write the configuration data into a file and then start the encfs command.

Trying to adjust EncFS has the nice property, that we could keep using a named pipe for the configuration. That means not worrying about a potential security impact by using a regular file instead of a named pipe.

[drybjed]

I think that updating EncFS to support piping is the way to go in the long run, but this means that the Debian/Ubuntu packages won't be updated until the next release, when changes from upstream make their way into the distribution sources. So perhaps doing both things at once, so that debops-padlock can work in the meantime could be the best solution?

[johbo]

Started a tweak to encfs in this PR: https://github.com/vgough/encfs/pull/319

[antofthy]

That is now in the encfs code. And is waiting for the next release of encfs (next one after encfs v1.9.1) TinyXML the source of the problem, has refused to update, removing its unwarranted use of fseek() (to find the length of the XML file for pre-allocation) dispite an alternative (getdelim()) being commonly available.