From a225d8bac3a7a71aebd430e73627e558248703f7 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka <mhlavink@fedoraproject.org>
Date: May 04 2009 17:24:51 +0000
Subject: updated to 75, restrict mount.ecryptfs_private to members of ecryptfs group

    only

---

diff --git a/.cvsignore b/.cvsignore
index a3c0658..35620f5 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-ecryptfs-utils_73.orig.tar.gz
+ecryptfs-utils_75.orig.tar.gz
diff --git a/ecryptfs-utils-74-build.patch b/ecryptfs-utils-74-build.patch
new file mode 100644
index 0000000..29dac61
--- /dev/null
+++ b/ecryptfs-utils-74-build.patch
@@ -0,0 +1,44 @@
+diff -up ecryptfs-utils-74/src/libecryptfs/Makefile.am.486139 ecryptfs-utils-74/src/libecryptfs/Makefile.am
+--- ecryptfs-utils-74/src/libecryptfs/Makefile.am.486139	2009-04-20 11:03:03.000000000 +0200
++++ ecryptfs-utils-74/src/libecryptfs/Makefile.am	2009-04-23 17:03:16.178703120 +0200
+@@ -2,6 +2,8 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefil
+ 
+ lib_LTLIBRARIES = libecryptfs.la
+ 
++noinst_LIBRARIES = libecryptfs.a
++
+ pkgconfig_DATA = libecryptfs.pc
+ 
+ libecryptfs_la_SOURCES = \
+@@ -20,10 +22,13 @@ libecryptfs_la_SOURCES = \
+ 	ecryptfs-stat.c \
+ 	$(top_srcdir)/src/key_mod/ecryptfs_key_mod_passphrase.c
+ 
++libecryptfs_a_SOURCES = $(libecryptfs_la_SOURCES)
++
+ libecryptfs_la_LDFLAGS = \
+ 	-version-info @LIBECRYPTFS_LT_CURRENT@:@LIBECRYPTFS_LT_REVISION@:@LIBECRYPTFS_LT_AGE@ \
+ 	-no-undefined
+ libecryptfs_la_CFLAGS = $(AM_CFLAGS) $(CRYPTO_CFLAGS) $(KEYUTILS_CFLAGS)
++libecryptfs_a_CFLAGS = $(libecryptfs_la_CFLAGS)
+ libecryptfs_la_LIBADD = $(CRYPTO_LIBS) $(KEYUTILS_LIBS)
+ 
+ splint:
+diff -up ecryptfs-utils-74/src/utils/Makefile.am.486139 ecryptfs-utils-74/src/utils/Makefile.am
+--- ecryptfs-utils-74/src/utils/Makefile.am.486139	2009-04-20 11:03:03.000000000 +0200
++++ ecryptfs-utils-74/src/utils/Makefile.am	2009-04-23 17:12:38.297756365 +0200
+@@ -35,12 +35,12 @@ mount_ecryptfs_CFLAGS = $(AM_CFLAGS) $(K
+ mount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(KEYUTILS_LIBS) $(LIBGCRYPT_LIBS)
+ umount_ecryptfs_SOURCES = umount.ecryptfs.c
+ umount_ecryptfs_CFLAGS = $(AM_CFLAGS) $(KEYUTILS_CFLAGS)
+-umount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
++umount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.a $(KEYUTILS_LIBS) $(CRYPTO_LIBS)
+ ecryptfs_manager_SOURCES = manager.c io.c io.h gen_key.c
+ ecryptfs_manager_CFLAGS = $(AM_CFLAGS) $(KEYUTILS_CFLAGS) $(LIBGCRYPT_CFLAGS)
+ ecryptfs_manager_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(KEYUTILS_LIBS) $(LIBGCRYPT_LIBS)
+ ecryptfs_wrap_passphrase_SOURCES = ecryptfs_wrap_passphrase.c
+-ecryptfs_wrap_passphrase_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
++ecryptfs_wrap_passphrase_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la 
+ ecryptfs_unwrap_passphrase_SOURCES = ecryptfs_unwrap_passphrase.c
+ ecryptfs_unwrap_passphrase_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
+ ecryptfs_insert_wrapped_passphrase_into_keyring_SOURCES = ecryptfs_insert_wrapped_passphrase_into_keyring.c
diff --git a/ecryptfs-utils-74-group.patch b/ecryptfs-utils-74-group.patch
new file mode 100644
index 0000000..e7e159f
--- /dev/null
+++ b/ecryptfs-utils-74-group.patch
@@ -0,0 +1,64 @@
+diff -up ecryptfs-utils-74/doc/manpage/ecryptfs-mount-private.1.group ecryptfs-utils-74/doc/manpage/ecryptfs-mount-private.1
+--- ecryptfs-utils-74/doc/manpage/ecryptfs-mount-private.1.group	2009-03-05 22:17:36.000000000 +0100
++++ ecryptfs-utils-74/doc/manpage/ecryptfs-mount-private.1	2009-05-04 13:14:54.861539319 +0200
+@@ -6,7 +6,7 @@ ecryptfs-mount-private \- interactive eC
+ \fBecryptfs-mount-private\fP
+ 
+ .SH DESCRIPTION
+-\fBecryptfs-mount-private\fP is a wrapper script for the \fBmount.ecryptfs_private\fP utility that will interactively prompt for the user's login password, if necessary.
++\fBecryptfs-mount-private\fP is a wrapper script for the \fBmount.ecryptfs_private\fP utility that will interactively prompt for the user's login password, if necessary. You need to be a member of \fBecryptfs\fB group to use this.
+ 
+ .SH FILES
+ \fI~/.Private\fP - underlying directory containing encrypted data
+diff -up ecryptfs-utils-74/doc/manpage/ecryptfs-setup-private.1.group ecryptfs-utils-74/doc/manpage/ecryptfs-setup-private.1
+--- ecryptfs-utils-74/doc/manpage/ecryptfs-setup-private.1.group	2009-03-18 22:59:07.000000000 +0100
++++ ecryptfs-utils-74/doc/manpage/ecryptfs-setup-private.1	2009-05-04 13:14:54.861539319 +0200
+@@ -43,7 +43,7 @@ Setup this user such that the encrypted 
+ 
+ 
+ .SH DESCRIPTION
+-\fBecryptfs-setup-private\fP is a program that sets up a private cryptographic mountpoint for a non-root user.
++\fBecryptfs-setup-private\fP is a program that sets up a private cryptographic mountpoint for a non-root user, who is a member of \fBecryptfs\fP group.
+ 
+ Be sure to properly escape your parameters according to your shell's special character nuances, and also surround the parameters by double quotes, if necessary. Any of the parameters may be:
+ 
+diff -up ecryptfs-utils-74/doc/manpage/mount.ecryptfs.8.group ecryptfs-utils-74/doc/manpage/mount.ecryptfs.8
+diff -up ecryptfs-utils-74/doc/manpage/mount.ecryptfs_private.1.group ecryptfs-utils-74/doc/manpage/mount.ecryptfs_private.1
+--- ecryptfs-utils-74/doc/manpage/mount.ecryptfs_private.1.group	2009-03-05 22:17:36.000000000 +0100
++++ ecryptfs-utils-74/doc/manpage/mount.ecryptfs_private.1	2009-05-04 13:20:07.673112485 +0200
+@@ -8,7 +8,7 @@ mount.ecryptfs_private \- eCryptfs priva
+ \fBNOTE:\fP This program will \fBnot\fP dynamically load the relevant keys.  For this reason, it is recommended that users use \fBecryptfs-mount-private\fP(1) instead!
+ 
+ .SH DESCRIPTION
+-\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users to cryptographically mount a private directory, ~/Private.
++\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users, who are members of \fBecryptfs\fP group, to cryptographically mount a private directory, ~/Private.
+ 
+ If, and only if:
+   - the private mount passphrase is in their kernel keyring, and
+diff -up ecryptfs-utils-74/doc/manpage/umount.ecryptfs_private.1.group ecryptfs-utils-74/doc/manpage/umount.ecryptfs_private.1
+--- ecryptfs-utils-74/doc/manpage/umount.ecryptfs_private.1.group	2009-03-05 22:17:36.000000000 +0100
++++ ecryptfs-utils-74/doc/manpage/umount.ecryptfs_private.1	2009-05-04 13:14:54.862538533 +0200
+@@ -14,7 +14,7 @@ Options available for the \fBumount.ecry
+ Force the unmount, ignoring the value of the mount counter in \fI/tmp/ecryptfs-USERNAME-Private\fP
+ 
+ .SH DESCRIPTION
+-\fBumount.ecryptfs_private\fP is a mount helper utility for non-root users to unmount a cryptographically mounted private directory, ~/Private.
++\fBumount.ecryptfs_private\fP is a mount helper utility for non-root users, who ares members of \fBecryptfs\fP group, to unmount a cryptographically mounted private directory, ~/Private.
+ 
+ If, and only if:
+   - the private mount passphrase is in their kernel keyring, and
+diff -up ecryptfs-utils-74/src/utils/ecryptfs-setup-private.group ecryptfs-utils-74/src/utils/ecryptfs-setup-private
+--- ecryptfs-utils-74/src/utils/ecryptfs-setup-private.group	2009-03-24 20:32:52.000000000 +0100
++++ ecryptfs-utils-74/src/utils/ecryptfs-setup-private	2009-05-04 13:14:54.862538533 +0200
+@@ -188,6 +188,11 @@ else
+ 	id "$USER" >/dev/null || error "User [$USER] does not exist"
+ fi
+ 
++# Check if user is member of ecryptfs group
++if ! groups "$USER" | sed  -e 's| |\n|g' | grep -n 'ecryptfs$'; then
++       error "User needs to be a member of ecryptfs group"
++fi
++
+ # Obtain the user's home directory
+ HOME=`getent passwd "$USER" | awk -F: '{print $6}'`
+ if [ ! -d "$HOME" ]; then
diff --git a/ecryptfs-utils-75-werror.patch b/ecryptfs-utils-75-werror.patch
new file mode 100644
index 0000000..b779408
--- /dev/null
+++ b/ecryptfs-utils-75-werror.patch
@@ -0,0 +1,30 @@
+diff -up ecryptfs-utils-75/src/libecryptfs/key_management.c.werror ecryptfs-utils-75/src/libecryptfs/key_management.c
+--- ecryptfs-utils-75/src/libecryptfs/key_management.c.werror	2009-05-01 00:53:13.000000000 +0200
++++ ecryptfs-utils-75/src/libecryptfs/key_management.c	2009-05-04 17:49:49.940220924 +0200
+@@ -18,6 +18,7 @@
+  * 02111-1307, USA.
+  */
+ 
++#include "config.h"
+ #include <errno.h>
+ #ifdef ENABLE_NSS
+ #include <nss.h>
+@@ -39,7 +40,6 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <pwd.h>
+-#include "config.h"
+ #include "../include/ecryptfs.h"
+ 
+ #ifndef ENOKEY
+diff -up ecryptfs-utils-75/src/utils/ecryptfs_unwrap_passphrase.c.werror ecryptfs-utils-75/src/utils/ecryptfs_unwrap_passphrase.c
+--- ecryptfs-utils-75/src/utils/ecryptfs_unwrap_passphrase.c.werror	2009-05-04 17:50:33.587240171 +0200
++++ ecryptfs-utils-75/src/utils/ecryptfs_unwrap_passphrase.c	2009-05-04 17:50:33.615345763 +0200
+@@ -42,7 +42,6 @@ int main(int argc, char *argv[])
+ 	char *wrapping_passphrase;
+ 	char salt[ECRYPTFS_SALT_SIZE];
+ 	char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
+-	struct passwd *pwd;
+ 	int rc = 0;
+ 
+ 	if (argc == 1) {
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index c2e1b73..e1265ea 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -2,19 +2,29 @@
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 Name: ecryptfs-utils
-Version: 73
+Version: 75
 Release: 1%{?dist}
 Summary: The eCryptfs mount helper and support libraries
 Group: System Environment/Base
 License: GPLv2+
 URL: https://launchpad.net/ecryptfs
-Source0: http://launchpad.net/ecryptfs/trunk/%{version}/+download/ecryptfs-utils_%{version}.orig.tar.gz
-Source1: http://bazaar.launchpad.net/%7Eecryptfs/ecryptfs/ecryptfs-utils/annotate/head%3A/src/desktop/ecryptfs-mount-private.desktop
+Source0: http://launchpad.net/ecryptfs/trunk/%{version}/+download/%{name}_%{version}.orig.tar.gz
+
+#fix wrong Makefile for umount.ecryptfs
+Patch2: ecryptfs-utils-74-build.patch
+
+#restrict suid mount.ecryptfs_private to ecryptfs group only
+#required for ecryptfs-utils <=75
+Patch3: ecryptfs-utils-74-group.patch
+
+#allow building with -Werror
+#required for ecryptfs-utils <= 75
+Patch4: ecryptfs-utils-75-werror.patch
+
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires: keyutils
 BuildRequires: libgcrypt-devel keyutils-libs-devel openssl-devel pam-devel
-BuildRequires: trousers-devel python python-devel nss-devel desktop-file-utils
-Conflicts: kernel < 2.6.19
+BuildRequires: trousers-devel nss-devel desktop-file-utils
 
 %description
 eCryptfs is a stacked cryptographic filesystem that ships in Linux
@@ -28,6 +38,7 @@ Install ecryptfs-utils if you would like to mount eCryptfs.
 Summary: The eCryptfs userspace development package
 Group: System Environment/Base
 Requires: keyutils-libs-devel %{name} = %{version}-%{release}
+Requires: pkgconfig
 
 %description devel
 Userspace development files for eCryptfs.
@@ -36,6 +47,7 @@ Userspace development files for eCryptfs.
 Summary: Python bindings for the eCryptfs utils
 Group: System Environment/Base
 Requires: ecryptfs-utils %{name} = %{version}-%{release}
+BuildRequires: python python-devel swig >= 1.3.31
 
 %description python
 The ecryptfs-utils-python package contains a module that permits 
@@ -44,23 +56,41 @@ the interface supplied by the ecryptfs-utils library.
 
 %prep
 %setup -q
+%patch2 -p1 -b .build
+%patch3 -p1 -b .group
+%patch4 -p1 -b .werror
 
 %build
-%configure --disable-rpath --enable-tspi --enable-nss
+export CFLAGS="$RPM_OPT_FLAGS -ggdb -O2 -Werror"
+%configure --disable-rpath --enable-tspi --enable-nss --enable-static
+make clean
 #disable rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+
+#remove -Werror flag for swig temporarily (swig is nasty #496613)
+sed -i 's|-Werror||' src/libecryptfs-swig/Makefile
 make %{?_smp_mflags}
 
 %install
 rm -rf $RPM_BUILD_ROOT
 make install DESTDIR=$RPM_BUILD_ROOT
-rm -f $RPM_BUILD_ROOT%{_libdir}/*.a
+find $RPM_BUILD_ROOT%{_libdir}/ -name '*.a' | xargs rm -f
 find $RPM_BUILD_ROOT%{_libdir}/ -name '*.la' | xargs rm -f
-mv $RPM_BUILD_ROOT/%{_libdir}/libecryptfs.so* $RPM_BUILD_ROOT/%{_lib}
 rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}
-install -D -m 644 doc/ecryptfs-mount-private.txt $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.txt
-desktop-file-install --dir=${RPM_BUILD_ROOT}%{_datadir}/%{name} %{SOURCE1}
+#install files Makefile forgot install
+printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop
+printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-setup-private.desktop
+desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.desktop
+desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-setup-private.desktop
+touch -r src/desktop/ecryptfs-mount-private.desktop \
+     $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.desktop
+touch -r src/desktop/ecryptfs-setup-private.desktop \
+     $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.desktop
+rm -f $RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-record-passphrase
+
+%pre
+groupadd -r -f ecryptfs
 
 %post -p /sbin/ldconfig
 
@@ -74,10 +104,10 @@ rm -rf $RPM_BUILD_ROOT
 %doc README COPYING AUTHORS NEWS THANKS
 %doc doc/ecryptfs-faq.html doc/ecryptfs-pam-doc.txt
 %doc doc/ecryptfs-pkcs11-helper-doc.txt
-%attr(4755,root,root) /sbin/mount.ecryptfs
-%attr(4755,root,root) /sbin/umount.ecryptfs
-%attr(4755,root,root) /sbin/mount.ecryptfs_private
-%attr(4755,root,root) /sbin/umount.ecryptfs_private
+/sbin/mount.ecryptfs
+/sbin/umount.ecryptfs
+%attr(4750,root,ecryptfs) /sbin/mount.ecryptfs_private
+/sbin/umount.ecryptfs_private
 %{_bindir}/ecryptfs-manager
 %{_bindir}/ecryptfs-insert-wrapped-passphrase-into-keyring
 %{_bindir}/ecryptfs-rewrap-passphrase
@@ -92,13 +122,15 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/ecryptfs-umount-private
 %{_bindir}/ecryptfs-stat
 %{_bindir}/ecryptfsd
-/%{_lib}/libecryptfs.so.0.0.0
-/%{_lib}/libecryptfs.so.0
+%{_bindir}/ecryptfs-dot-private
 %{_libdir}/ecryptfs
+%{_libdir}/libecryptfs.so.0
+%{_libdir}/libecryptfs.so.0.0.0
 /%{_lib}/security/pam_ecryptfs.so
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/ecryptfs-mount-private.txt
 %{_datadir}/%{name}/ecryptfs-mount-private.desktop
+%{_datadir}/%{name}/ecryptfs-setup-private.desktop
 %{_mandir}/man1/ecryptfs-add-passphrase.1.gz
 %{_mandir}/man1/ecryptfs-generate-tpm-key.1.gz
 %{_mandir}/man1/ecryptfs-insert-wrapped-passphrase-into-keyring.1.gz
@@ -119,7 +151,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files devel
 %defattr(-,root,root,-)
-/%{_lib}/libecryptfs.so
+%{_libdir}/libecryptfs.so
 %{_libdir}/pkgconfig/libecryptfs.pc
 %{_includedir}/ecryptfs.h
 
@@ -135,6 +167,13 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/ecryptfs-utils/_libecryptfs.so
 
 %changelog
+* Mon May 04 2009 Michal Hlavinka <mhlavink@redhat.com> 75-1
+- updated to 75
+- restrict mount.ecryptfs_private to ecryptfs group members only
+
+* Thu Apr 23 2009 Michal Hlavinka <mhlavink@redhat.com> 74-1
+- updated to 74
+
 * Sat Mar 21 2009 Michal Hlavinka <mhlavink@redhat.com> 73-1
 - updated to 73
 - move libs from /usr/lib to /lib (#486139)
diff --git a/sources b/sources
index 38fb41a..44a52e3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-8e651749b9d75ee9a4d4894483022857  ecryptfs-utils_73.orig.tar.gz
+2c4e8be38d1ea8cadd9f870f15430f07  ecryptfs-utils_75.orig.tar.gz