google / fscrypt

Go tool for managing Linux filesystem encryption
Apache License 2.0

Compile without libpam? #232

Open BlueMax opened 4 years ago

BlueMax commented 4 years ago

Is it possible to compile fscrypt without libpam for systems that do not support it?

ebiggers commented 4 years ago

The following should do it:

make bin/fscrypt

That builds just the fscrypt binary, not the PAM module pam_fscrypt.so. See https://github.com/google/fscrypt/blob/master/README.md#building-and-installing

BlueMax commented 4 years ago

True, but I'm compiling a static binary and it always holds all the libpam data and it looks like it tries to make use of it at startup indeed (the error is due to missing /etc/passwd).

[ERROR] fscrypt setup: user: lookup userid 0: no such file or directory

That's my compile command (cross-compile environment is set up):

GO_FLAGS=-buildmode=exe GOARCH=arm64 CGO_ENABLED=1 make LDFLAGS="-static -ldl -laudit -lcap-ng" CFLAGS="-O2 -g0 -s -static -pipe -pthread -Wp,-I/home/user/sysroot-aarch64/usr/include -Wl,-L/home/user/sysroot-aarch64/usr/lib" CGO_CFLAGS="--sysroot /home/user/sysroot-aarch64" CGO_LDFLAGS="--sysroot /home/user/sysroot-aarch64"

josephlr commented 4 years ago

So I think the issue here is that you just don't want to use user login passwords at all. @BlueMax is that right?

In that case, we should have a way to compile the fscrypt binary without any PAM support whatsoever. We could do this with a nopam build constraint. That way:

BlueMax commented 4 years ago

Yes, a new make target nopam would be great that doesn't link libpam at all. The target system doesn't provide pam at all. Actually it's an Android device (and fscrypt is on musl, not bionic). The current workaround is to create a dummy /etc/passwd file and it will pass the error above. Not sure if it has any more side effects.

blubbafett commented 1 year ago

@BlueMax did you get this running on the Android device? Looking to build binaries for both 32-bit and 64-bit ARM to run on newer Android devices, but no luck so far making a static build, unfortunately.

@josephlr any updates on the flag to compile fscrypt without PAM, ref. what you mentioned a few posts above?

badhhui commented 1 year ago

I also encountered this error when I copied the generated executable to qemu's linux kernel using static compilation, how should I solve it?

BlueMax commented 1 year ago

> did you get this running on the Android device?

I could compile and run it but I haven't checked for actual functionality. It needs a dummy/existing /etc/passwd file if I reckon correctly (error: cannot look up userids).

I used the compile line below. The make bin/fscrypt might be the trick. Can't remember anymore.

GO_FLAGS=-buildmode=exe GOARCH=arm64 CGO_ENABLED=1 make bin/fscrypt LDFLAGS="-static -ldl -laudit -lcap-ng" CFLAGS="-O2 -g0 -s -static -pipe -pthread -Wp,-I/home/user/android/sysroot-aarch64/usr/include -Wl,-L/home/user/android/sysroot-aarch64/usr/lib" CGO_CFLAGS="--sysroot /home/user/android/sysroot-aarch64" CGO_LDFLAGS="--sysroot /home/user/android/sysroot-aarch64"