Check if unencrypted swap is zram. If it is zram check whether a writeback to
disk is configured.
Unencrypted zramswap not written to disk is accepted.
ToDo (as for other unencrypted swap): check if the writeback happens on an
already encrypted disk/partition.
If there is no free loop device, the call of loopsetup -f will create one and return it. For this it needs privilege escalation.
It doesn't need those, if there is already an used device, but that cannot be guaranteed.
Closes#436
* KDF support for argon2 memory intensive algorithm
following many requests, here is support for argon2 KDF to be switched
on using --kdftype argon2 (--kdf iterations --kdfmem memory)
effective memory required is 2^memory KiB, defaults to 18 (262 MiB)
number of iterations are still specified as --kdf argument
requires the argon2 reference C implementation from P-H-C
also requires tomb-kdb-pbkdf2-gensalt in extras/kdf-keys
example usage:
tomb forge -k argon.key --kdf 10 --kdftype argon2
* manual updates for argon2
* small improvements to loopback setup and --sudo
* support reading hostname from file
also tolerate not finding the hostname (fill localhost)
address #428
* cleanup and support sup,sud,pkexec
now supporting also pkexec (polkit daemon), suckless' sup and
sud.dyne.org
pkexec is autodetected when polkit is running
manpage documents the --sudo flag which overrides any autodetection
Depending script invokation, behavior is not exactly similar.
Assuming that if SUDO_USER is set, the _sudo invokation can be dropped (EUID=0).
In the other case, user has created file, owner is already good, don't call chown.
Preparation:
$ tomb dig foo.tomb -s 10
Method 1:
$ sudo tomb forge foo.tomb.key -v
Method 2:
$ tomb forge foo.tomb.key -v
... ask user password to gain superuser privileges
...
Sorry, user <username> is not allowed to execute '/bin/chown <uid>:<gid> foo.tomb.key' as root on <hostname>.
Signed-off-by: Matthieu Crapet <mcrapet@gmail.com>
Depending script invokation, behavior is not exactly similar.
Assuming that if SUDO_USER is set, the _sudo invokation can be dropped (EUID=0).
In the other case, user has created file, owner is already good, don't call chown.
Method 1:
$ sudo tomb dig foo.tomb -s 10 -v
Method 2:
$ tomb dig foo.tomb -s 10 -v
... ask user password to gain superuser privileges
...
Sorry, user <username> is not allowed to execute '/bin/chown <uid>:<gid> foo.tomb' as root on <hostname>.
Signed-off-by: Matthieu Crapet <mcrapet@gmail.com>
http://zsh.sourceforge.net/Doc/Release/Files.html
TMPPREFIX defaults to /tmp/zsh (for zsh shell)
Note: --tmp command line switch is not documented?
Signed-off-by: Matthieu Crapet <mcrapet@gmail.com>
check works both for empty ("") and non-existing vars and is a fix
for regression #398 to work on older Zsh versions. It is normalized
through all tomb's code.
simplified function calls for tracking of loop mount by using global
variables whose scope is limited to execution, most computation is now
included in the `is_valid_tomb` function.
fixes bug mentioned in issue #333 that made tomb append space to a
tomb file before checking for correct password, leading to file
corruption in case the wrong password is inserted 3 times.
also changes to priority order of invokation and some code cleanups and
indentations. Invokation order is now:
- WAYLAND? pinentry-gnome3
- X11?
1. pinentry-x11 (distro specific wrapper)
2. pinentry-gtk2 (legacy, removable)
3. pinentry-gnome3
4. pinentry-qt5
5. pinentry-qt4
- NO DISPLAY? pinentry-curses
Change the mapper path using a hash of the tomb file path,
making it unique and reproducible to check if tomb is in use.
Check happens inside the new render_mapper() function which is
executed right after the key file opening.