From a225d8bac3a7a71aebd430e73627e558248703f7 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: May 04 2009 17:24:51 +0000
Subject: updated to 75, restrict mount.ecryptfs_private to members of ecryptfs group only
---
diff --git a/.cvsignore b/.cvsignore
index a3c0658..35620f5 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-ecryptfs-utils_73.orig.tar.gz
+ecryptfs-utils_75.orig.tar.gz
diff --git a/ecryptfs-utils-74-build.patch b/ecryptfs-utils-74-build.patch
new file mode 100644
index 0000000..29dac61
--- /dev/null
+++ b/ecryptfs-utils-74-build.patch
@@ -0,0 +1,44 @@
+diff -up ecryptfs-utils-74/src/libecryptfs/Makefile.am.486139 ecryptfs-utils-74/src/libecryptfs/Makefile.am
+--- ecryptfs-utils-74/src/libecryptfs/Makefile.am.486139 2009-04-20 11:03:03.000000000 +0200
++++ ecryptfs-utils-74/src/libecryptfs/Makefile.am 2009-04-23 17:03:16.178703120 +0200
+@@ -2,6 +2,8 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefil
+ 
+ lib_LTLIBRARIES = libecryptfs.la
+ 
++noinst_LIBRARIES = libecryptfs.a
++
+ pkgconfig_DATA = libecryptfs.pc
+ 
+ libecryptfs_la_SOURCES = \
+@@ -20,10 +22,13 @@ libecryptfs_la_SOURCES = \
+ ecryptfs-stat.c \
+ $(top_srcdir)/src/key_mod/ecryptfs_key_mod_passphrase.c
+ 
++libecryptfs_a_SOURCES = $(libecryptfs_la_SOURCES)
++
+ libecryptfs_la_LDFLAGS = \
+ -version-info @LIBECRYPTFS_LT_CURRENT@:@LIBECRYPTFS_LT_REVISION@:@LIBECRYPTFS_LT_AGE@ \
+ -no-undefined
+ libecryptfs_la_CFLAGS = $(AM_CFLAGS) $(CRYPTO_CFLAGS) $(KEYUTILS_CFLAGS)
++libecryptfs_a_CFLAGS = $(libecryptfs_la_CFLAGS)
+ libecryptfs_la_LIBADD = $(CRYPTO_LIBS) $(KEYUTILS_LIBS)
+ 
+ splint:
+diff -up ecryptfs-utils-74/src/utils/Makefile.am.486139 ecryptfs-utils-74/src/utils/Makefile.am
+--- ecryptfs-utils-74/src/utils/Makefile.am.486139 2009-04-20 11:03:03.000000000 +0200
++++ ecryptfs-utils-74/src/utils/Makefile.am 2009-04-23 17:12:38.297756365 +0200
+@@ -35,12 +35,12 @@ mount_ecryptfs_CFLAGS = $(AM_CFLAGS) $(K
+ mount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(KEYUTILS_LIBS) $(LIBGCRYPT_LIBS)
+ umount_ecryptfs_SOURCES = umount.ecryptfs.c
+ umount_ecryptfs_CFLAGS = $(AM_CFLAGS) $(KEYUTILS_CFLAGS)
+-umount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
++umount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.a $(KEYUTILS_LIBS) $(CRYPTO_LIBS)
+ ecryptfs_manager_SOURCES = manager.c io.c io.h gen_key.c
+ ecryptfs_manager_CFLAGS = $(AM_CFLAGS) $(KEYUTILS_CFLAGS) $(LIBGCRYPT_CFLAGS)
+ ecryptfs_manager_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(KEYUTILS_LIBS) $(LIBGCRYPT_LIBS)
+ ecryptfs_wrap_passphrase_SOURCES = ecryptfs_wrap_passphrase.c
+-ecryptfs_wrap_passphrase_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
++ecryptfs_wrap_passphrase_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
+ ecryptfs_unwrap_passphrase_SOURCES = ecryptfs_unwrap_passphrase.c
+ ecryptfs_unwrap_passphrase_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
+ ecryptfs_insert_wrapped_passphrase_into_keyring_SOURCES = ecryptfs_insert_wrapped_passphrase_into_keyring.c
diff --git a/ecryptfs-utils-74-group.patch b/ecryptfs-utils-74-group.patch
new file mode 100644
index 0000000..e7e159f
--- /dev/null
+++ b/ecryptfs-utils-74-group.patch
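Review bot: The `ecryptfs_wrap_passphrase_LDADD` pair near the end of the src/utils/Makefile.am hunk removes and re-adds a line whose visible content is identical, so it is either a whitespace-only change or an editing leftover; dropping it keeps the patch down to the one real change, linking umount.ecryptfs against the new static libecryptfs.a. That static archive is built from `$(libecryptfs_la_SOURCES)` but carries no LIBADD of its own, which is why the link line has to repeat `$(KEYUTILS_LIBS) $(CRYPTO_LIBS)`; a short comment above `noinst_LIBRARIES = libecryptfs.a` stating that the archive exists only for umount.ecryptfs and must mirror the libtool library's dependencies would make that coupling explicit. The motivation for static linking is not recorded in the patch or the spec beyond "fix wrong Makefile"; presumably it is to keep /sbin/umount.ecryptfs usable while the shared library is moved back under %{_libdir} in this same commit, and if so that is worth one sentence in the patch header.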
@@ -0,0 +1,64 @@
+diff -up ecryptfs-utils-74/doc/manpage/ecryptfs-mount-private.1.group ecryptfs-utils-74/doc/manpage/ecryptfs-mount-private.1
+--- ecryptfs-utils-74/doc/manpage/ecryptfs-mount-private.1.group 2009-03-05 22:17:36.000000000 +0100
++++ ecryptfs-utils-74/doc/manpage/ecryptfs-mount-private.1 2009-05-04 13:14:54.861539319 +0200
+@@ -6,7 +6,7 @@ ecryptfs-mount-private \- interactive eC
+ \fBecryptfs-mount-private\fP
+ 
+ .SH DESCRIPTION
+-\fBecryptfs-mount-private\fP is a wrapper script for the \fBmount.ecryptfs_private\fP utility that will interactively prompt for the user's login password, if necessary.
++\fBecryptfs-mount-private\fP is a wrapper script for the \fBmount.ecryptfs_private\fP utility that will interactively prompt for the user's login password, if necessary. You need to be a member of \fBecryptfs\fB group to use this.
+ 
+ .SH FILES
+ \fI~/.Private\fP - underlying directory containing encrypted data
+diff -up ecryptfs-utils-74/doc/manpage/ecryptfs-setup-private.1.group ecryptfs-utils-74/doc/manpage/ecryptfs-setup-private.1
+--- ecryptfs-utils-74/doc/manpage/ecryptfs-setup-private.1.group 2009-03-18 22:59:07.000000000 +0100
++++ ecryptfs-utils-74/doc/manpage/ecryptfs-setup-private.1 2009-05-04 13:14:54.861539319 +0200
+@@ -43,7 +43,7 @@ Setup this user such that the encrypted
+ 
+ 
+ .SH DESCRIPTION
+-\fBecryptfs-setup-private\fP is a program that sets up a private cryptographic mountpoint for a non-root user.
++\fBecryptfs-setup-private\fP is a program that sets up a private cryptographic mountpoint for a non-root user, who is a member of \fBecryptfs\fP group.
+ 
+ Be sure to properly escape your parameters according to your shell's special character nuances, and also surround the parameters by double quotes, if necessary. Any of the parameters may be:
+ 
+diff -up ecryptfs-utils-74/doc/manpage/mount.ecryptfs.8.group ecryptfs-utils-74/doc/manpage/mount.ecryptfs.8
+diff -up ecryptfs-utils-74/doc/manpage/mount.ecryptfs_private.1.group ecryptfs-utils-74/doc/manpage/mount.ecryptfs_private.1
+--- ecryptfs-utils-74/doc/manpage/mount.ecryptfs_private.1.group 2009-03-05 22:17:36.000000000 +0100
++++ ecryptfs-utils-74/doc/manpage/mount.ecryptfs_private.1 2009-05-04 13:20:07.673112485 +0200
+@@ -8,7 +8,7 @@ mount.ecryptfs_private \- eCryptfs priva
+ \fBNOTE:\fP This program will \fBnot\fP dynamically load the relevant keys. For this reason, it is recommended that users use \fBecryptfs-mount-private\fP(1) instead!
+ 
+ .SH DESCRIPTION
+-\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users to cryptographically mount a private directory, ~/Private.
++\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users, who are members of \fBecryptfs\fP group, to cryptographically mount a private directory, ~/Private.
+ 
+ If, and only if:
+ - the private mount passphrase is in their kernel keyring, and
+diff -up ecryptfs-utils-74/doc/manpage/umount.ecryptfs_private.1.group ecryptfs-utils-74/doc/manpage/umount.ecryptfs_private.1
+--- ecryptfs-utils-74/doc/manpage/umount.ecryptfs_private.1.group 2009-03-05 22:17:36.000000000 +0100
++++ ecryptfs-utils-74/doc/manpage/umount.ecryptfs_private.1 2009-05-04 13:14:54.862538533 +0200
+@@ -14,7 +14,7 @@ Options available for the \fBumount.ecry
+ Force the unmount, ignoring the value of the mount counter in \fI/tmp/ecryptfs-USERNAME-Private\fP
+ 
+ .SH DESCRIPTION
+-\fBumount.ecryptfs_private\fP is a mount helper utility for non-root users to unmount a cryptographically mounted private directory, ~/Private.
++\fBumount.ecryptfs_private\fP is a mount helper utility for non-root users, who ares members of \fBecryptfs\fP group, to unmount a cryptographically mounted private directory, ~/Private.
+ 
+ If, and only if:
+ - the private mount passphrase is in their kernel keyring, and
+diff -up ecryptfs-utils-74/src/utils/ecryptfs-setup-private.group ecryptfs-utils-74/src/utils/ecryptfs-setup-private
+--- ecryptfs-utils-74/src/utils/ecryptfs-setup-private.group 2009-03-24 20:32:52.000000000 +0100
++++ ecryptfs-utils-74/src/utils/ecryptfs-setup-private 2009-05-04 13:14:54.862538533 +0200
+@@ -188,6 +188,11 @@ else
+ id "$USER" >/dev/null || error "User [$USER] does not exist"
+ fi
+ 
++# Check if user is member of ecryptfs group
++if ! groups "$USER" | sed -e 's| |\n|g' | grep -n 'ecryptfs$'; then
++ error "User needs to be a member of ecryptfs group"
++fi
++
+ # Obtain the user's home directory
+ HOME=`getent passwd "$USER" | awk -F: '{print $6}'`
+ if [ ! -d "$HOME" ]; then
diff --git a/ecryptfs-utils-75-werror.patch b/ecryptfs-utils-75-werror.patch
new file mode 100644
index 0000000..b779408
--- /dev/null
+++ b/ecryptfs-utils-75-werror.patch
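Review bot: The membership test added to ecryptfs-setup-private, `grep -n 'ecryptfs$'`, prints the matching line to stdout on success and also accepts any group whose name merely ends in "ecryptfs"; an exact and quiet match is `if ! id -Gn "$USER" | tr ' ' '\n' | grep -qx 'ecryptfs'; then`, which also avoids the GNU-sed-only `\n` in the sed replacement and the `user : group...` prefix some `groups` implementations print. This script-side check is only a courtesy; the actual enforcement is the 4750 root:ecryptfs mode the spec puts on mount.ecryptfs_private, so the error text could tell the user that mounting will be refused rather than merely that membership is required. In the man-page hunks, `\fBecryptfs\fB group` in ecryptfs-mount-private.1 should close the bold with `\fP`, and umount.ecryptfs_private.1 reads "who ares members" where "who are members" is meant.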
@@ -0,0 +1,30 @@
+diff -up ecryptfs-utils-75/src/libecryptfs/key_management.c.werror ecryptfs-utils-75/src/libecryptfs/key_management.c
+--- ecryptfs-utils-75/src/libecryptfs/key_management.c.werror 2009-05-01 00:53:13.000000000 +0200
++++ ecryptfs-utils-75/src/libecryptfs/key_management.c 2009-05-04 17:49:49.940220924 +0200
+@@ -18,6 +18,7 @@
+ * 02111-1307, USA.
+ */
+ 
++#include "config.h"
+ #include
+ #ifdef ENABLE_NSS
+ #include
+@@ -39,7 +40,6 @@
+ #include
+ #include
+ #include
+-#include "config.h"
+ #include "../include/ecryptfs.h"
+ 
+ #ifndef ENOKEY
+diff -up ecryptfs-utils-75/src/utils/ecryptfs_unwrap_passphrase.c.werror ecryptfs-utils-75/src/utils/ecryptfs_unwrap_passphrase.c
+--- ecryptfs-utils-75/src/utils/ecryptfs_unwrap_passphrase.c.werror 2009-05-04 17:50:33.587240171 +0200
++++ ecryptfs-utils-75/src/utils/ecryptfs_unwrap_passphrase.c 2009-05-04 17:50:33.615345763 +0200
+@@ -42,7 +42,6 @@ int main(int argc, char *argv[])
+ char *wrapping_passphrase;
+ char salt[ECRYPTFS_SALT_SIZE];
+ char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
+- struct passwd *pwd;
+ int rc = 0;
+ 
+ if (argc == 1) {
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index c2e1b73..e1265ea 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -2,19 +2,29 @@ %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 Name: ecryptfs-utils
-Version: 73
+Version: 75
 Release: 1%{?dist}
 Summary: The eCryptfs mount helper and support libraries
 Group: System Environment/Base
 License: GPLv2+
 URL: https://launchpad.net/ecryptfs
-Source0: http://launchpad.net/ecryptfs/trunk/%{version}/+download/ecryptfs-utils_%{version}.orig.tar.gz
-Source1: http://bazaar.launchpad.net/%7Eecryptfs/ecryptfs/ecryptfs-utils/annotate/head%3A/src/desktop/ecryptfs-mount-private.desktop
+Source0: http://launchpad.net/ecryptfs/trunk/%{version}/+download/%{name}_%{version}.orig.tar.gz
+
+#fix wrong Makefile for umount.ecryptfs
+Patch2: ecryptfs-utils-74-build.patch
+
+#restrict suid mount.ecryptfs_private to ecryptfs group only
+#required for ecryptfs-utils <=75
+Patch3: ecryptfs-utils-74-group.patch
+
+#allow building with -Werror
+#required for ecryptfs-utils <= 75
+Patch4: ecryptfs-utils-75-werror.patch
+
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires: keyutils
 BuildRequires: libgcrypt-devel keyutils-libs-devel openssl-devel pam-devel
-BuildRequires: trousers-devel python python-devel nss-devel desktop-file-utils
-Conflicts: kernel < 2.6.19
+BuildRequires: trousers-devel nss-devel desktop-file-utils
 %description
 eCryptfs is a stacked cryptographic filesystem that ships in Linux
@@ -28,6 +38,7 @@ Install ecryptfs-utils if you would like to mount eCryptfs.
 Summary: The eCryptfs userspace development package
 Group: System Environment/Base
 Requires: keyutils-libs-devel %{name} = %{version}-%{release}
+Requires: pkgconfig
 %description devel
 Userspace development files for eCryptfs.
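Review bot: The preamble gains three Patch tags but no `Requires(pre): shadow-utils`, although the %pre scriptlet added later in this commit (the %prep/%build/%install hunk) calls groupadd; without that tag rpm does not guarantee groupadd is available when the scriptlet runs. Add `Requires(pre): shadow-utils` next to `Requires: keyutils`. The `#required for ecryptfs-utils <=75` remarks are helpful; a similar one-liner explaining why `python python-devel` leave this BuildRequires line (they reappear under %package python in the next hunk) would make that move look deliberate rather than accidental.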
@@ -36,6 +47,7 @@ Userspace development files for eCryptfs.
 Summary: Python bindings for the eCryptfs utils
 Group: System Environment/Base
 Requires: ecryptfs-utils %{name} = %{version}-%{release}
+BuildRequires: python python-devel swig >= 1.3.31
 %description python
 The ecryptfs-utils-python package contains a module that permits
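Review bot: `BuildRequires: python python-devel swig >= 1.3.31` is placed under `%package python`; rpm treats BuildRequires as package-global wherever they appear, so this works, but readers expect every build dependency in the main preamble, and the python ones were just removed from there in the previous hunk. Either move the line back to the top-level BuildRequires block or leave a comment such as `# build-time deps for the python bindings (swig >= 1.3.31 needed)` here so the placement is recognised as intentional.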
@@ -44,23 +56,41 @@ the interface supplied by the ecryptfs-utils library.
 %prep
 %setup -q
+%patch2 -p1 -b .build
+%patch3 -p1 -b .group
+%patch4 -p1 -b .werror
 %build
-%configure --disable-rpath --enable-tspi --enable-nss
+export CFLAGS="$RPM_OPT_FLAGS -ggdb -O2 -Werror"
+%configure --disable-rpath --enable-tspi --enable-nss --enable-static
+make clean
 #disable rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+
+#remove -Werror flag for swig temporarily (swig is nasty #496613)
+sed -i 's|-Werror||' src/libecryptfs-swig/Makefile
 make %{?_smp_mflags}
 %install
 rm -rf $RPM_BUILD_ROOT
 make install DESTDIR=$RPM_BUILD_ROOT
-rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
+find $RPM_BUILD_ROOT%{_libdir}/ -name '*.a' | xargs rm -f
 find $RPM_BUILD_ROOT%{_libdir}/ -name '*.la' | xargs rm -f
-mv $RPM_BUILD_ROOT/%{_libdir}/libecryptfs.so* $RPM_BUILD_ROOT/%{_lib}
 rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}
-install -D -m 644 doc/ecryptfs-mount-private.txt $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.txt
-desktop-file-install --dir=${RPM_BUILD_ROOT}%{_datadir}/%{name} %{SOURCE1}
+#install files Makefile forgot install
+printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop
+printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-setup-private.desktop
+desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.desktop
+desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-setup-private.desktop
+touch -r src/desktop/ecryptfs-mount-private.desktop \
+ $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.desktop
+touch -r src/desktop/ecryptfs-setup-private.desktop \
+ $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.desktop
+rm -f $RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-record-passphrase
+
+%pre
+groupadd -r -f ecryptfs
 %post -p /sbin/ldconfig
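Review bot: The second `touch -r` in %install is a copy-paste slip: it takes the timestamp from `src/desktop/ecryptfs-setup-private.desktop` but applies it to `ecryptfs-mount-private.desktop` again, so the installed ecryptfs-setup-private.desktop never receives its source mtime; the target should read `$RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-setup-private.desktop`. The new `%pre` runs `groupadd -r -f ecryptfs` as the only statement, so any groupadd failure (a policy hook, a missing tool, a read-only /etc) aborts the whole package install; the usual idiom is `getent group ecryptfs >/dev/null || groupadd -r ecryptfs` followed by `exit 0`, which also documents that an administrator-created group is acceptable. The `find ... -name '*.a' | xargs rm -f` line discards the static libecryptfs.a that `--enable-static` now produces, which looks intended since the archive Patch2 links into umount.ecryptfs is noinst and consumed at build time, but a one-line comment saying so would stop a later reader from "fixing" it.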
@@ -74,10 +104,10 @@ rm -rf $RPM_BUILD_ROOT
 %doc README COPYING AUTHORS NEWS THANKS
 %doc doc/ecryptfs-faq.html doc/ecryptfs-pam-doc.txt
 %doc doc/ecryptfs-pkcs11-helper-doc.txt
-%attr(4755,root,root) /sbin/mount.ecryptfs
-%attr(4755,root,root) /sbin/umount.ecryptfs
-%attr(4755,root,root) /sbin/mount.ecryptfs_private
-%attr(4755,root,root) /sbin/umount.ecryptfs_private
+/sbin/mount.ecryptfs
+/sbin/umount.ecryptfs
+%attr(4750,root,ecryptfs) /sbin/mount.ecryptfs_private
+/sbin/umount.ecryptfs_private
 %{_bindir}/ecryptfs-manager
 %{_bindir}/ecryptfs-insert-wrapped-passphrase-into-keyring
 %{_bindir}/ecryptfs-rewrap-passphrase
@@ -92,13 +122,15 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/ecryptfs-umount-private
 %{_bindir}/ecryptfs-stat
 %{_bindir}/ecryptfsd
-/%{_lib}/libecryptfs.so.0.0.0
-/%{_lib}/libecryptfs.so.0
+%{_bindir}/ecryptfs-dot-private
 %{_libdir}/ecryptfs
+%{_libdir}/libecryptfs.so.0
+%{_libdir}/libecryptfs.so.0.0.0
 /%{_lib}/security/pam_ecryptfs.so
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/ecryptfs-mount-private.txt
 %{_datadir}/%{name}/ecryptfs-mount-private.desktop
+%{_datadir}/%{name}/ecryptfs-setup-private.desktop
 %{_mandir}/man1/ecryptfs-add-passphrase.1.gz
 %{_mandir}/man1/ecryptfs-generate-tpm-key.1.gz
 %{_mandir}/man1/ecryptfs-insert-wrapped-passphrase-into-keyring.1.gz
@@ -119,7 +151,7 @@ rm -rf $RPM_BUILD_ROOT
 %files devel
 %defattr(-,root,root,-)
-/%{_lib}/libecryptfs.so
+%{_libdir}/libecryptfs.so
 %{_libdir}/pkgconfig/libecryptfs.pc
 %{_includedir}/ecryptfs.h
@@ -135,6 +167,13 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/ecryptfs-utils/_libecryptfs.so
 %changelog
+* Mon May 04 2009 Michal Hlavinka 75-1
+- updated to 75
+- restrict mount.ecryptfs_private to ecryptfs group members only
+
+* Thu Apr 23 2009 Michal Hlavinka 74-1
+- updated to 74
+
 * Sat Mar 21 2009 Michal Hlavinka 73-1
 - updated to 73
 - move libs from /usr/lib to /lib (#486139)
diff --git a/sources b/sources
index 38fb41a..44a52e3 100644
--- a/sources
+++ b/sources
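Review bot: In the first %files hunk, `/sbin/umount.ecryptfs_private` loses its setuid bit entirely while mount.ecryptfs_private becomes 4750 root:ecryptfs; the man page patched in this same commit still describes umount.ecryptfs_private as a helper for non-root users, so unless that path is a symlink to mount.ecryptfs_private (in which case the attr on the target governs and this is fine) group members will no longer be able to unmount ~/Private. Please state which case applies, e.g. `# umount.ecryptfs_private is a symlink to mount.ecryptfs_private; its mode is set there`, or give it the same `%attr(4750,root,ecryptfs)`. Dropping setuid from /sbin/mount.ecryptfs and /sbin/umount.ecryptfs reduces the setuid surface and is reasonable for helpers normally invoked through mount(8)/umount(8), which already run privileged; the 75-1 changelog currently mentions only the mount.ecryptfs_private restriction and should list this change too. The later hunks move libecryptfs from /%{_lib} back to %{_libdir}, reversing the 73-1 entry "move libs from /usr/lib to /lib (#486139)"; a changelog line saying why that is safe now (presumably because umount.ecryptfs is linked statically by Patch2) would keep the history coherent.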
@@ -1 +1 @@
-8e651749b9d75ee9a4d4894483022857 ecryptfs-utils_73.orig.tar.gz
+2c4e8be38d1ea8cadd9f870f15430f07 ecryptfs-utils_75.orig.tar.gz