Proposal: remove user-downloaded components when a user is deleted |
|||||||
Issue descriptionComponent on Chrome OS is optional system software downloaded on-demand by any user. A component is stored to encrypted stateful partition and is shared by all users. We locally keeps track of who is using a Component by Chrome Local Preference (https://cs.chromium.org/chromium/src/chrome/browser/component_updater/metadata_table_chromeos.h) in order to properly delete components when no longer being used and avoid deleting a component when being used. In Chrome, cryptohome is invoked when a user is deleted (https://cs.chromium.org/chromium/src/chrome/browser/chromeos/login/users/chrome_user_manager_impl.cc?type=cs&g=0&l=1381) via dbus RemoveAsync method to remove the cryptohome of a user. Cryptohome itself automatically removes user account when disk space is low (https://cs.corp.google.com/chromeos_public/src/platform2/cryptohome/homedirs.cc?l=105). Problem: components should also be removed properly when accounts are deleted. Proposal: - Add an API in cryptohome - DoesUserExist which takes a sanitized username and return if it exists or not. - In metadata_table_chromeos.c, switch to call GetSanitizedUsername dbus method call of cryptohome to get hased username. - Chrome calls DoesUserExist at starting for each santized username that uses a component. If it returns 'not exist', we try to delete the component. Alternate proposal: - add an API in CrOSComponentManager - UnloadForUser which takes a sanitized username. - figure out all places (cryptohome, Chrome, etc.) that deletes account and call this API at the same time. This approach is less maintenable since we have to enforce all places that delete account to delete components as well. And it's possible that the account was removed during an active session, then component is still mounted and could not be deleted immediately (the preferred proposal cleans up component during system boot). Design doc: https://docs.google.com/document/d/1KCJiqK3G9b5W3t25W6vzfqCOK5KOPY2G8bPCcpBlH6U/
,
May 25 2018
Please make sure you're talking to people in the cryptohome OWNERS file to get their opinions. I'd also recommend writing a brief design doc to gather feedback.
,
May 25 2018
At first sight I think it might be problematic if we have a way to tell whether users exist. Not sure we want to expose that kind of tracking to Chrome.
,
May 25 2018
#3: I'm not sure about that. As I understand it, Chrome already knows which users have logged in before and not been explicitly removed so it can display them on the login screen (IIRC it stores the list in Local State). I think the request here is to be able to check users have cryptohomes, which is presumably a subset of what Chrome already knows.
,
May 25 2018
That makes sense, I was confused when I read the API because Chrome clearly knows what users are on the system. Which I guess means the API probably needs to be refined.
,
May 25 2018
+hashimoto, +gwendal who are cryptohome owners. Sorry for the confusion. Yes, this API is to check whether a user's cryptohome exists (because it could be deleted by cryptohome and Chrome does not know it). I'm writing a doc now and will send for further review.
,
May 30 2018
Sorry for the delay. Here is the design doc (proposal): https://docs.google.com/document/d/1KCJiqK3G9b5W3t25W6vzfqCOK5KOPY2G8bPCcpBlH6U/
,
May 30 2018
,
Jun 4 2018
,
Jun 4 2018
,
Aug 3
This bug has an owner, thus, it's been triaged. Changing status to "assigned". |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by xiaochu@chromium.org
, May 23 2018