
`fscrypt unlock </dev/null` hangs indefinitely

Open jyn514 opened this issue 6 months ago • 1 comments

Steps to reproduce:

  1. Create a directory managed by fscrypt
  2. Run `fscrypt unlock DIR </dev/null`

I expect that this exits with an error, because it's never going to get a password (ideally it would say that it's unable to read stdin). Instead, it loops forever until canceled:

```
Enter login passphrase for jyn: Incorrect Passphrase
Enter login passphrase for jyn: Incorrect Passphrase
Enter login passphrase for jyn: Incorrect Passphrase
Enter login passphrase for jyn: Incorrect Passphrase
...
```

This bit me originally because I put `fscrypt unlock` in `/etc/ssh/sshrc`, so it completely locked me out of my machine until I was able to get physical access to it.

jyn514, May 31 '25 22:05

There are two bugs here:

  1. `unwrapProtectorKey` should have a limit on the number of passphrase attempts (maybe 3 is reasonable, to match sudo?): https://github.com/google/fscrypt/blob/5980fd92efebb449adf2b2826da9ac761b1c68b3/actions/callback.go#L83-L106
  2. `passphraseReader.Read` should notice that it is not getting any input from stdin and return an error: https://github.com/google/fscrypt/blob/5980fd92efebb449adf2b2826da9ac761b1c68b3/cmd/fscrypt/keys.go#L59-L84

jyn514, May 31 '25 23:05
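The two fixes proposed in the comment above, sketched as an added example that is not fscrypt's code or a patch from the project: a prompt loop that caps attempts and treats end-of-input as a hard error instead of a wrong passphrase. The names `unlock`, `readPassphrase`, `maxAttempts`, the `check` callback and the error values are hypothetical, and reading from a plain `io.Reader` (rather than a terminal with echo disabled) is an assumption made so the example runs offline.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Assumption: a limit of 3, matching the sudo-style limit suggested in the issue.
const maxAttempts = 3

var (
	ErrNoInput         = errors.New("unable to read passphrase: stdin is closed or empty")
	ErrTooManyAttempts = errors.New("too many incorrect passphrase attempts")
)

// readPassphrase reads one line. EOF with no bytes read means no passphrase
// can ever arrive (e.g. stdin is /dev/null), so it is reported as an error
// rather than returned as an empty, "incorrect" passphrase.
func readPassphrase(r *bufio.Reader) (string, error) {
	line, err := r.ReadString('\n')
	if err == io.EOF && line == "" {
		return "", ErrNoInput
	}
	if err != nil && err != io.EOF {
		return "", err
	}
	return strings.TrimRight(line, "\r\n"), nil
}

// unlock prompts at most maxAttempts times and returns the attempt number it
// stopped on. check is a hypothetical stand-in for the real key unwrapping.
func unlock(in io.Reader, check func(string) bool) (int, error) {
	r := bufio.NewReader(in)
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		pass, err := readPassphrase(r)
		if err != nil {
			return attempt, err // stop immediately: retrying cannot succeed
		}
		if check(pass) {
			return attempt, nil
		}
	}
	return maxAttempts, ErrTooManyAttempts
}

func main() {
	check := func(p string) bool { return p == "correct horse" } // constructed secret
	_, err := unlock(strings.NewReader(""), check)                // simulates </dev/null
	fmt.Println("empty stdin:", err)
}
```

With either guard in place, a non-interactive caller such as a login hook gets a prompt failure and a non-zero exit instead of an endless loop.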