lastpass / lastpass-cli

LastPass command line interface tool
GNU General Public License v2.0

Unable to add the group to a shared folder #464

Open majid021 opened 5 years ago

majid021 commented 5 years ago

Hi, I am not able to add the group to a shared folder via lpass cli, getting the following error:

Error: Unable to encrypt sharing key with pubkey (-1)

But able to add it via UI.

Can you please help us in fixing the issue?

command used: lpass share useradd shared-folder group_name

majid021 commented 5 years ago

Hi, any update on when the above issue will be fixed?

dimic00l commented 5 years ago

Anything on this?? I desperately need this fix in order to add group permissions to shared folders. Can someone tell me how to get this?? (I need to script more than 100 folders... otherwise this needs to be done via the UI!! :-| )

rsyring commented 5 years ago

Looks like it's possible. Documented here: https://github.com/lastpass/lastpass-cli/issues/305#issuecomment-305245788

It would probably help to add this as an example in the manpage.

dimic00l commented 5 years ago

Maybe I'm missing something, but #305 is about adding entries to shared folders; I don't have any issues with that. What I need to do now is add group permissions to all my (100+) shared folders, using:

lpass share useradd shared-folder group_name

When adding 1 user it works, but the above gives me: Error: Unable to encrypt sharing key with pubkey (-1)

Thanks!

duffpop commented 5 years ago

@rsyring Any chance you could shed light on your comment? Can't seem to figure out group additions to a Shared Folder

rsyring commented 5 years ago

@dimic00l sorry, I misunderstood what you were trying to do.

@duffpop did you look at the example in the comment I linked to? The example command is right there, adjust as needed.

duffpop commented 5 years ago

I'm trying to do the same as @dimic00l actually, essentially: lpass share useradd shared-folder group_name

I can't quite make that out in your linked post, but that is probably my idiocy.

MeOnGitHub123 commented 5 years ago

Hi there,

I guess most comments on GitHub are not clear about Groups vs SharedFolders, but here @dimic00l explained it correctly:

Just to make clear what we need:

What we expect: anything similar to $lpass share useradd <shared-folder> <group_name>

What we tried (as far as I got from the above comments, and I tried on my own): @rsyring, I also don't get your reference to #305. It's not dealing with Groups!? As it's not clear to both of us, may I ask you to show @duffpop and me the magic trick? Next beers on us ;)

as you mentioned to adjust the command on our own:

$lpass share useradd <Shared Folder> <SharedFolder>\<GroupNameInLastPassGUI>
Error: Unable to encrypt sharing key with pubkey (-1)

$ lpass add <SharedFolder> <Group>
Usage: lpass add [--sync=auto|now|no] [--non-interactive] [--color=auto|never|always] {--username|--password|--url|--notes|--field=FIELD|--note-type=NOTETYPE} NAME

$ lpass share useradd <SharedFolder> <Group> 
Usage: lpass share useradd [--read-only=[true|false] --hidden=[true|false] --admin=[true|false] SHARE USERNAME

last command is from #120

Like @dimic00l, I also checked #467, which won't fix our issue.

Any help is still appreciated.

duffpop commented 5 years ago

I have a tiny update on this: when trying the above, $lpass share useradd <shared-folder> <group_name>, I also get the pubkey encryption error. Out of curiosity, I made a new group with the same members and tried the above format again, and it worked right away. I know it's not an ideal workaround, as if you have a lot of nested groups with the original group you'll need to re-add your new group to them, but it worked for my scenario.

I am curious as to why the encryption error is occurring though, as I wouldn't want this happening again to my new group.

rsyring commented 5 years ago

@MeOnGitHub123 and @duffpop: sorry for the confusion. It was not clear to me until just now that the issue here was about adding Groups to a shared folder, not entries. My comment and references to #305 do not apply. Sorry I can't take you up on that beer offer. :)

MeOnGitHub123 commented 5 years ago

@duffpop tested again and can confirm your findings!

TL;DR: in my case it seems to be related to special characters in the Group name (underscore in my case), which is easily solved by quoting it: "". Btw, same for Shared-Folders ;)

It seems not to matter who created the groups: for me it works both for self-created groups and for groups created by another admin. In case you have any special characters, you should put your group name in "

Furthermore, it seems not to matter whether the Shared-Folder has been created via the GUI or via lpass. I could add my Groups in both cases.

e.g. your Group is called: Team_A. ->

#general syntax:
$lpass share useradd <shared-folder> <group_name>

#syntax with special char in group name:
$lpass share useradd <Shared-Folder> "Team_A"

jonathanlking commented 5 years ago

Hey, looks like I'm late to the party! :smiley_cat:

I believe that the issue is caused by missing "sharing" (public) keys for members in the group. If a sharing key is missing then the CLI application just quits - specifically at endpoints-share.c:135 the call of cipher_rsa_encrypt fails when share_user->sharing_key contains a null key (i.e. length 0).

The (Chrome) browser extension handles missing keys differently though. We can monitor the network requests by following this guide and under "Inspect views" you'll want to click on "background.html". When sharing with a group through the GUI, the share.php endpoint will be called to get the group details - in the network Preview tab values for cgid, pubkey, uid and username will be listed. Note that some of the pubkey values will be "" for groups that fail to be added via the CLI.

In the headers of the successful POST (also to share.php) which adds the group, it looks like sharedkeys are only provided for members that have a sharing key. Users are partitioned by those with and without sharing keys - the request appears to have the following structure:

add: 1
give: 0 -- Not sure what this is for
id: <Group Id?>
lpversion: <version>
method: cr -- Create?
name: <Shared folder name>
notify: 0 -- Boolean (0/1) on whether to send email notification?
sharename: -- Left empty, not sure what it's for
update: 1 -- Not sure
xmlr: 1 -- Boolean (0/1) on whether response type is XML?

-- Users with sharing keys
canadminister[i]
cgid[i]
give[i]
readonly[i]
sharekey[i]
uid[i]

-- Users without sharing keys
msfcanadminister[i]
msfcgid[i]
msfgive[i]
msfreadonly[i]
msfuser[i] -- Appears to be the same as 'uid'

I think the next step is to look through the browser extension code and work out exactly what's happening, and update the CLI to behave the same.
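
The partitioning described in the comment above, as an added example that is not lastpass-cli code and not part of the original thread: members with an empty pubkey are routed to the msf* fields instead of aborting the whole request. The names `struct member`, `add_field` and `build_share_fields` are hypothetical, zero-based indices are an assumption, the `name[i]=value` lines are for display rather than the wire encoding, and `sharekey[i]` (the RSA-encrypted share key) is left out.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified group member as listed by share.php (not lpass's struct). */
struct member {
    const char *uid;
    const char *cgid;
    const char *pubkey;   /* hex string; "" when the member has no sharing key */
};
struct split { int with_key; int without_key; };

/* Append "name[idx]=value\n" to buf without writing past cap; 0 on success. */
static int add_field(char *buf, size_t cap, const char *name, int idx, const char *value)
{
    size_t used = strlen(buf);
    int n = snprintf(buf + used, cap - used, "%s[%d]=%s\n", name, idx, value);
    return (n < 0 || (size_t)n >= cap - used) ? -1 : 0;
}

/* Partition members rather than failing on the first empty key. Keyed members
 * get uid/cgid; keyless members get the msfuser/msfcgid fields seen in the
 * request. Returns the two counts, or {-1,-1} if buf is too small. */
struct split build_share_fields(const struct member *m, size_t n, char *buf, size_t cap)
{
    struct split s = {0, 0};
    const struct split err = {-1, -1};
    if (cap == 0) return err;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int keyed = m[i].pubkey && m[i].pubkey[0] != '\0';
        int idx = keyed ? s.with_key : s.without_key;   /* each list has its own index */
        if (add_field(buf, cap, keyed ? "uid" : "msfuser", idx, m[i].uid) ||
            add_field(buf, cap, keyed ? "cgid" : "msfcgid", idx, m[i].cgid))
            return err;
        if (keyed) s.with_key++; else s.without_key++;
    }
    return s;
}

/* Constructed sample: two members with a sharing key, one without. */
static const struct member SAMPLE[] = {
    {"1001", "77", "30820122"}, {"1002", "77", ""}, {"1003", "77", "30820123"},
};

int main(void)
{
    char buf[256];
    struct split s = build_share_fields(SAMPLE, 3, buf, sizeof buf);
    return printf("keyed=%d keyless=%d\n%s", s.with_key, s.without_key, buf) < 0;
}
```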

duffpop commented 5 years ago

@jonathanlking thanks for the thorough response, I look forward to your PR being merged!

FloraMina commented 4 years ago

Hi, We are facing this issue that prevents us from going live as users don't have any access to shared folders, and adding faulty groups manually on more than 300 folders is not considered. Is this PR expected to be merged soon ? Kind regards.