Closed fira959 closed 1 month ago
ebiggers
commented
1 month ago This is a known issue with v1 encryption policies which are obsolete but are still used by systemd-homed. This was all already fixed in this project (fscrypt) years ago by upgrading to v2, but we have no control over what systemd-homed does. Please direct your feedback to the systemd developers at https://github.com/systemd/systemd/issues/18280.
fira959
commented
1 month ago Thanks for the heads up.
Is there any known workaround to cache the keys for specific files that a service running as root may want to access?
ebiggers
commented
1 month ago IIRC, workarounds that people used to use for this issue include holding the files open in another process, or adding the keys to root's user keyring (may or may not work depending on the distro). I don't want to waste time thinking about this more, though, as I already fixed this 5 years ago. Please go bother the systemd people instead -- thanks :-)
For several years I have occasionally noticed strange errors when I tried accessing my encrypted home files as root and I seem to have figured out how to reproduce this now:
Reproduction:
Additional observations:
sudo -ito get a root shell and then accesses /home/UserA/test the files are always accessible. The issue only occurs when a shell is started directly as root.The home directory in question is created by systemd-homed, but I noticed the issue before migrating to homed a few years back as well. Not sure if it is related.
Kernel version 6.9 fscrypt version v0.3.5