From d22ddac4198f0e083f0b005d51f7a29217e3b3f4 Mon Sep 17 00:00:00 2001 From: Peter Georg Date: Jan 23 2022 17:33:22 +0000 Subject: Change to exploded SRPM format for CBS --- diff --git a/.gitignore b/.gitignore deleted file mode 100644 index ad782c5..0000000 --- a/.gitignore +++ /dev/null @@ -1,22 +0,0 @@ -ecryptfs-utils_83.orig.tar.gz -ecryptfs-mount-private.png -/ecryptfs-mount-private.png -/ecryptfs-utils_84.orig.tar.gz -/ecryptfs-utils_85.orig.tar.gz -/ecryptfs-utils_86.orig.tar.gz -/ecryptfs-utils_87.orig.tar.gz -/ecryptfs-utils_90.orig.tar.gz -/ecryptfs-utils_93.orig.tar.gz -/ecryptfs-utils_95.orig.tar.gz -/ecryptfs-utils_96.orig.tar.gz -/ecryptfs-utils_97.orig.tar.gz -/ecryptfs-utils_99.orig.tar.gz -/ecryptfs-utils_100.orig.tar.gz -/ecryptfs-utils_101.orig.tar.gz -/ecryptfs-utils_103.orig.tar.gz -/ecryptfs-utils_104.orig.tar.gz -/ecryptfs-utils_106.orig.tar.gz -/ecryptfs-utils_108.orig.tar.gz -/ecryptfs-utils_109.orig.tar.gz -/ecryptfs-utils_110.orig.tar.gz -/ecryptfs-utils_111.orig.tar.gz diff --git a/SOURCES/ecryptfs-mount-private.desktop b/SOURCES/ecryptfs-mount-private.desktop new file mode 100644 index 0000000..087898a --- /dev/null +++ b/SOURCES/ecryptfs-mount-private.desktop @@ -0,0 +1,7 @@ +[Desktop Entry] +Name=Access Your Private Data +GenericName=Access Your Private Data +Exec=/usr/bin/ecryptfs-mount-private +Terminal=true +Type=Application +Categories=System;Security; diff --git a/SOURCES/ecryptfs-utils-100-sudokeyring.patch b/SOURCES/ecryptfs-utils-100-sudokeyring.patch new file mode 100644 index 0000000..6972fae --- /dev/null +++ b/SOURCES/ecryptfs-utils-100-sudokeyring.patch @@ -0,0 +1,21 @@ +diff -up ecryptfs-utils-108/src/utils/ecryptfs-setup-private.sudokeyring ecryptfs-utils-108/src/utils/ecryptfs-setup-private +--- ecryptfs-utils-108/src/utils/ecryptfs-setup-private.sudokeyring 2015-08-11 14:44:05.213807245 +0200 ++++ ecryptfs-utils-108/src/utils/ecryptfs-setup-private 2015-08-11 14:44:05.231807198 +0200 +@@ -427,8 +427,16 @@ if [ "$BOOTSTRAP" = "1" ]; then + else + sig_opt="ecryptfs_sig=$sig" + fi ++ # If we are running under sudo, the session keyring may not link ++ # to root's user keyring, where the auth tok is stored ++ # Need to join root's keyring, otherwise the mount will fail ++ if [ "$(keyctl describe @s | awk '{ print $3; }')" -ne 0 ]; then ++ _KEK_="keyctl session _uid.0" ++ else ++ _KEK_= ++ fi + # Do the mount, and provide some helpful symlinks +- mount -i -t ecryptfs -o "rw,$sig_opt,ecryptfs_cipher=$CIPHER,ecryptfs_key_bytes=$KEYBYTES" "$CRYPTDIR" "$MOUNTPOINT" || error "Could not mount" ++ $_KEK_ mount -i -t ecryptfs -o "rw,$sig_opt,ecryptfs_cipher=$CIPHER,ecryptfs_key_bytes=$KEYBYTES" "$CRYPTDIR" "$MOUNTPOINT" || error "Could not mount" + ln -sf $ECRYPTFS_DIR/$USER/.ecryptfs $MOUNTPOINT/.ecryptfs + ln -sf $ECRYPTFS_DIR/$USER/.$PRIVATE_DIR $MOUNTPOINT/.$PRIVATE_DIR + chown -R $USER:$GROUP $ECRYPTFS_DIR/$USER diff --git a/SOURCES/ecryptfs-utils-111-authselect.patch b/SOURCES/ecryptfs-utils-111-authselect.patch new file mode 100644 index 0000000..52e534d --- /dev/null +++ b/SOURCES/ecryptfs-utils-111-authselect.patch @@ -0,0 +1,12 @@ +diff -Naur old/src/utils/ecryptfs-migrate-home new/src/utils/ecryptfs-migrate-home +--- old/src/utils/ecryptfs-migrate-home 2018-09-07 12:29:47.600730369 +0200 ++++ new/src/utils/ecryptfs-migrate-home 2018-09-07 12:32:07.781704748 +0200 +@@ -101,7 +101,7 @@ + # Check for ecryptfs pam module + if ! grep -q ecryptfs /etc/pam.d/postlogin + then +- error "You must enable ecryptfs pam module first. It can be enabled by using: authconfig --enableecryptfs --updateall" ++ error "You must enable ecryptfs pam module first. It can be enabled by using: authselect enable-feature with-ecryptfs" + fi + # Check free space: make sure we have sufficient disk space + # available. To make a full copy, we will need at least 2.5x the diff --git a/SOURCES/ecryptfs-utils-111-cve_2016_5224.patch b/SOURCES/ecryptfs-utils-111-cve_2016_5224.patch new file mode 100644 index 0000000..d30ff8d --- /dev/null +++ b/SOURCES/ecryptfs-utils-111-cve_2016_5224.patch @@ -0,0 +1,21 @@ +=== modified file 'src/utils/ecryptfs-setup-swap' +--- a/src/utils/ecryptfs-setup-swap 2015-08-04 15:42:02 +0000 ++++ a/src/utils/ecryptfs-setup-swap 2016-07-06 22:31:21 +0000 +@@ -166,8 +166,14 @@ + # If this is a GPT partition, mark it as no-auto mounting, to avoid + # auto-activating it on boot + if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then +- drive="${swap%[0-9]*}" +- partno="${swap#$drive}" ++ # Correctly handle NVMe/MMC drives, as well as any similar physical ++ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154) ++ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then ++ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:") ++ else ++ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:") ++ fi ++ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:") + if [ -b "$drive" ]; then + if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then + echo "$swap is already marked as no-auto" + diff --git a/SOURCES/ecryptfs-utils-111-nopasswd.patch b/SOURCES/ecryptfs-utils-111-nopasswd.patch new file mode 100644 index 0000000..fd5e38e --- /dev/null +++ b/SOURCES/ecryptfs-utils-111-nopasswd.patch @@ -0,0 +1,14 @@ +diff -up ecryptfs-utils-111/src/pam_ecryptfs/pam_ecryptfs.c.nopasswd ecryptfs-utils-111/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-111/src/pam_ecryptfs/pam_ecryptfs.c.nopasswd 2017-02-01 14:04:48.313349236 +0100 ++++ ecryptfs-utils-111/src/pam_ecryptfs/pam_ecryptfs.c 2017-02-01 14:05:34.461694263 +0100 +@@ -190,6 +190,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + rc); + goto out; + } ++ if (!epd->passphrase) { ++ ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: No passphrase available"); ++ goto out; ++ } + epd->passphrase = strdup(epd->passphrase); + rc = ecryptfs_read_salt_hex_from_rc(salt_hex); + if (rc) { diff --git a/SOURCES/ecryptfs-utils-75-nocryptdisks.patch b/SOURCES/ecryptfs-utils-75-nocryptdisks.patch new file mode 100644 index 0000000..0dabed7 --- /dev/null +++ b/SOURCES/ecryptfs-utils-75-nocryptdisks.patch @@ -0,0 +1,42 @@ +diff -up ecryptfs-utils-108/src/utils/ecryptfs-setup-swap.nocryptdisks ecryptfs-utils-108/src/utils/ecryptfs-setup-swap +--- ecryptfs-utils-108/src/utils/ecryptfs-setup-swap.nocryptdisks 2015-08-04 17:41:39.000000000 +0200 ++++ ecryptfs-utils-108/src/utils/ecryptfs-setup-swap 2015-08-11 14:43:51.787842611 +0200 +@@ -37,23 +37,20 @@ warn() { + usage() { + echo + echo `gettext "Usage:"` +- echo " $0 [-f|--force] [-n|--no-reload]" ++ echo " $0 [-f|--force]" + echo + exit 1 + } + + # Handle command line options + FORCE=0 ++NO_RELOAD=1 + while [ ! -z "$1" ]; do + case "$1" in + -f|--force) + FORCE=1 + shift 1 + ;; +- -n|--no-reload) +- NO_RELOAD=1 +- shift 1 +- ;; + *) + usage + ;; +@@ -188,7 +185,6 @@ for swap in $swaps; do + # Add fstab entry + echo "/dev/mapper/cryptswap$i none swap sw 0 0" >> /etc/fstab + done +- + if [ "$NO_RELOAD" != 1 ]; then + # Turn swap off + swapoff -a +@@ -201,3 +197,4 @@ if [ "$NO_RELOAD" != 1 ]; then + fi + + info `gettext "Successfully encrypted swap!"` ++info "This will take effect after reboot" diff --git a/SOURCES/ecryptfs-utils-75-werror.patch b/SOURCES/ecryptfs-utils-75-werror.patch new file mode 100644 index 0000000..c089d7f --- /dev/null +++ b/SOURCES/ecryptfs-utils-75-werror.patch @@ -0,0 +1,256 @@ +diff -up ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c +--- ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror 2016-01-26 17:01:19.803230193 +0100 ++++ ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2016-01-26 17:01:19.810230176 +0100 +@@ -98,7 +98,7 @@ static int ecryptfs_pkcs11h_deserialize( + pkcs11h_data->serialized_id = NULL; + } + else { +- pkcs11h_data->serialized_id = blob + i; ++ pkcs11h_data->serialized_id = (char *)blob + i; + i += serialized_id_length; + } + pkcs11h_data->certificate_blob_size = blob[i++] % 256; +@@ -116,12 +116,11 @@ static int ecryptfs_pkcs11h_deserialize( + pkcs11h_data->passphrase = NULL; + } + else { +- pkcs11h_data->passphrase = blob + i; ++ pkcs11h_data->passphrase = (char *)blob + i; + i += passphrase_length; + } + + rc = 0; +-out: + return rc; + } + +@@ -379,15 +379,15 @@ static int ecryptfs_pkcs11h_get_key_sig( + data[i++] = (char)(nbits >> 8); + data[i++] = (char)nbits; + RSA_get0_key(rsa, &rsa_n, NULL, NULL); +- BN_bn2bin(rsa_n, &(data[i])); ++ BN_bn2bin(rsa_n, (unsigned char *)&(data[i])); + i += nbytes; + data[i++] = (char)(ebits >> 8); + data[i++] = (char)ebits; + RSA_get0_key(rsa, NULL, &rsa_e, NULL); +- BN_bn2bin(rsa_e, &(data[i])); ++ BN_bn2bin(rsa_e, (unsigned char *)&(data[i])); + i += ebytes; +- SHA1(data, len + 3, hash); +- to_hex(sig, hash, ECRYPTFS_SIG_SIZE); ++ SHA1((unsigned char *)data, len + 3, (unsigned char *)hash); ++ to_hex((char *)sig, hash, ECRYPTFS_SIG_SIZE); + sig[ECRYPTFS_SIG_SIZE_HEX] = '\0'; + + rc = 0; +@@ -423,8 +422,8 @@ static int ecryptfs_pkcs11h_encrypt(char + if ( + (rc = RSA_public_encrypt( + from_size, +- from, +- to, ++ (unsigned char *)from, ++ (unsigned char *)to, + rsa, + RSA_PKCS1_PADDING + )) == -1 +@@ -518,9 +517,9 @@ static int ecryptfs_pkcs11h_decrypt(char + (rv = pkcs11h_certificate_decryptAny ( + certificate, + CKM_RSA_PKCS, +- from, ++ (unsigned char *)from, + from_size, +- to, ++ (unsigned char *)to, + to_size + )) != CKR_OK + ) { +@@ -546,9 +545,9 @@ static int ecryptfs_pkcs11h_decrypt(char + pkcs11h_certificate_decryptAny ( + certificate, + CKM_RSA_PKCS, +- from, ++ (unsigned char *)from, + from_size, +- tmp, ++ (unsigned char *)tmp, + to_size + ); + +@@ -863,7 +862,7 @@ static int ecryptfs_pkcs11h_process_key( + rc = MOUNT_ERROR; + goto out; + } +- if ((rc = ecryptfs_pkcs11h_serialize(subgraph_key_ctx->key_mod->blob, ++ if ((rc = ecryptfs_pkcs11h_serialize((unsigned char *)subgraph_key_ctx->key_mod->blob, + &subgraph_key_ctx->key_mod->blob_size, + pkcs11h_data))) { + syslog(LOG_ERR, "PKCS#11: Error serializing pkcs11; rc=[%d]\n", rc); +@@ -942,7 +941,7 @@ static int tf_pkcs11h_global_loglevel(st + + rc = DEFAULT_TOK; + node->val = NULL; +-out: ++// out: + return rc; + } + +@@ -955,7 +954,7 @@ static int tf_pkcs11h_global_pincache(st + + rc = DEFAULT_TOK; + node->val = NULL; +-out: ++// out: + return rc; + } + +@@ -1025,7 +1024,7 @@ static int tf_pkcs11h_provider_prot_auth + sscanf (node->val, "%x", &subgraph_provider_ctx->allow_protected_authentication); + rc = DEFAULT_TOK; + node->val = NULL; +-out: ++ + return rc; + } + +@@ -1039,7 +1038,7 @@ static int tf_pkcs11h_provider_cert_priv + sscanf (node->val, "%x", &subgraph_provider_ctx->certificate_is_private); + rc = DEFAULT_TOK; + node->val = NULL; +-out: ++ + return rc; + } + +@@ -1054,7 +1053,7 @@ static int tf_pkcs11h_provider_private_m + + rc = DEFAULT_TOK; + node->val = NULL; +-out: ++ + return rc; + } + +@@ -1085,7 +1084,7 @@ static int tf_pkcs11h_provider_end(struc + free(subgraph_provider_ctx); + *foo = NULL; + rc = DEFAULT_TOK; +-out: ++ + return rc; + } + +@@ -1132,7 +1131,7 @@ static int tf_pkcs11h_key_x509file(struc + X509 *x509 = NULL; + unsigned char *p = NULL; + FILE *fp = NULL; +- int rc; ++ int rc = 0; + + subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo); + +diff -up ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c.werror 2015-12-21 21:38:59.000000000 +0100 ++++ ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c 2016-01-26 17:01:19.810230176 +0100 +@@ -84,9 +84,7 @@ static int wrap_passphrase_if_necessary( + stat(wrapped_pw_filename, &s) != 0 && + passphrase != NULL && *passphrase != '\0' && + username != NULL && *username != '\0') { +- setuid(uid); +- rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename); +- if (rc != 0) { ++ if ((rc = setuid(uid))<0 || ((rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename)) != 0)) { + syslog(LOG_ERR, "pam_ecryptfs: Error wrapping cleartext password; " "rc = [%d]\n", rc); + } + return rc; +@@ -356,7 +354,7 @@ static int private_dir(pam_handle_t *pam + if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { + /* User has not recorded their passphrase */ + unlink("/var/lib/update-notifier/user.d/ecryptfs-record-passphrase"); +- symlink("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", "/var/lib/update-notifier/user.d/ecryptfs-record-passphrase"); ++ rc=symlink("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", "/var/lib/update-notifier/user.d/ecryptfs-record-passphrase"); + fd = open("/var/lib/update-notifier/dpkg-run-stamp", O_WRONLY|O_CREAT|O_NONBLOCK, 0666); + if (fd != -1) + close(fd); +@@ -517,7 +515,10 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand + char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1]; + + /* temp regain uid 0 to drop privs */ +- seteuid(oeuid); ++ if (seteuid(oeuid) < 0) { ++ syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ goto out_child; ++ } + /* setgroups() already called */ + if (setgid(gid) < 0 || setuid(uid) < 0) + goto out_child; +@@ -542,9 +543,9 @@ out_child: + free(wrapped_pw_filename); + out: + +- seteuid(oeuid); +- setegid(oegid); +- setgroups(ngids, groups); ++ rc = seteuid(oeuid); ++ rc = setegid(oegid); ++ rc = setgroups(ngids, groups); + + outnouid: + return rc; +diff -up ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c.werror ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c +--- ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c.werror 2015-12-21 21:38:59.000000000 +0100 ++++ ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c 2016-01-26 17:01:19.810230176 +0100 +@@ -89,7 +89,7 @@ int main(int argc, char **argv) + int i, c, *pcrsSelected = NULL, numPcrsSelected = 0; + TSS_UUID *uuid; + BYTE wellknown[] = TSS_WELL_KNOWN_SECRET; +- char *tmp_pcrs; ++ int *tmp_pcrs; + + while (1) { + c = getopt(argc, argv, "p:"); +diff -up ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c +--- ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c.werror 2016-01-26 17:01:19.807230183 +0100 ++++ ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c 2016-01-26 17:01:30.262205251 +0100 +@@ -232,7 +232,7 @@ static int check_cwd_f_type() + * + * This whitelist is to prevent malicious mount.ecryptfs_private users + * from mounting over filesystem types such as PROC_SUPER_MAGIC to +- * deceive other programs with a crafted /proc/self/*. See ++ * deceive other programs with a crafted /proc/self/ *. See + * https://launchpad.net/bugs/1530566 for more details. + */ + __SWORD_TYPE f_type_whitelist[] = { +@@ -276,7 +276,7 @@ static int check_cwd_f_type() + + fprintf(stderr, + "Refusing to mount over an unapproved filesystem type: %#lx\n", +- buf.f_type); ++ (long unsigned int)buf.f_type); + return 1; + } + +@@ -829,8 +829,8 @@ int main(int argc, char *argv[]) { + * update mtab for us, and replace the current process. + * Do not use the umount.ecryptfs helper (-i). + */ +- setresuid(0,0,0); +- setresgid(0,0,0); ++ rc=setresuid(0,0,0); ++ rc=setresgid(0,0,0); + clearenv(); + + /* Since we're doing a lazy unmount anyway, just unmount the current +diff -up ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c.werror ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c +--- ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c.werror 2015-12-21 21:38:59.000000000 +0100 ++++ ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c 2016-01-26 17:01:19.811230174 +0100 +@@ -364,6 +364,7 @@ abort: + + if (write(pipe_to[i][1], cmd, 1) != 1) + continue; ++ (void)ret; + (void)waitpid(pids[i], &status, 0); + + (void)close(pipe_to[i][1]); diff --git a/SOURCES/ecryptfs-utils-83-fixsalt.patch b/SOURCES/ecryptfs-utils-83-fixsalt.patch new file mode 100644 index 0000000..bb661d8 --- /dev/null +++ b/SOURCES/ecryptfs-utils-83-fixsalt.patch @@ -0,0 +1,12 @@ +diff -up ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_passphrase.c.fixsalt ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_passphrase.c +--- ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_passphrase.c.fixsalt 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_passphrase.c 2015-08-11 14:43:52.660840311 +0200 +@@ -105,7 +105,7 @@ static int tf_pass_file(struct ecryptfs_ + out: + free(node->val); + node->val = NULL; +- return rc; ++ return rc ? rc : DEFAULT_TOK; + } + + static int tf_salt(struct ecryptfs_ctx *ctx, struct param_node *node, diff --git a/SOURCES/ecryptfs-utils-83-splitnss.patch b/SOURCES/ecryptfs-utils-83-splitnss.patch new file mode 100644 index 0000000..bfde60d --- /dev/null +++ b/SOURCES/ecryptfs-utils-83-splitnss.patch @@ -0,0 +1,86 @@ +diff -up ecryptfs-utils-108/src/libecryptfs/key_management.c.splitnss ecryptfs-utils-108/src/libecryptfs/key_management.c +--- ecryptfs-utils-108/src/libecryptfs/key_management.c.splitnss 2015-03-26 14:28:59.000000000 +0100 ++++ ecryptfs-utils-108/src/libecryptfs/key_management.c 2015-08-11 14:43:53.489838127 +0200 +@@ -138,28 +138,8 @@ out: + } + + +-int ecryptfs_remove_auth_tok_from_keyring(char *auth_tok_sig) +-{ +- int rc; ++#include "key_management.inc.c" + +- rc = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user", auth_tok_sig, 0); +- if (rc < 0) { +- rc = errno; +- syslog(LOG_ERR, "Failed to find key with sig [%s]: %m\n", +- auth_tok_sig); +- goto out; +- } +- rc = keyctl_unlink(rc, KEY_SPEC_USER_KEYRING); +- if (rc < 0) { +- rc = errno; +- syslog(LOG_ERR, "Failed to unlink key with sig [%s]: %s\n", +- auth_tok_sig, strerror(rc)); +- goto out; +- } +- rc = 0; +-out: +- return rc; +-} + int ecryptfs_add_auth_tok_to_keyring(struct ecryptfs_auth_tok *auth_tok, + char *auth_tok_sig) + { +diff -up ecryptfs-utils-108/src/libecryptfs/key_management.inc.c.splitnss ecryptfs-utils-108/src/libecryptfs/key_management.inc.c +--- ecryptfs-utils-108/src/libecryptfs/key_management.inc.c.splitnss 2015-08-11 14:43:53.489838127 +0200 ++++ ecryptfs-utils-108/src/libecryptfs/key_management.inc.c 2015-08-11 14:43:53.489838127 +0200 +@@ -0,0 +1,22 @@ ++int ecryptfs_remove_auth_tok_from_keyring(char *auth_tok_sig) ++{ ++ int rc; ++ ++ rc = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user", auth_tok_sig, 0); ++ if (rc < 0) { ++ rc = errno; ++ syslog(LOG_ERR, "Failed to find key with sig [%s]: %m\n", ++ auth_tok_sig); ++ goto out; ++ } ++ rc = keyctl_unlink(rc, KEY_SPEC_USER_KEYRING); ++ if (rc < 0) { ++ rc = errno; ++ syslog(LOG_ERR, "Failed to unlink key with sig [%s]: %s\n", ++ auth_tok_sig, strerror(rc)); ++ goto out; ++ } ++ rc = 0; ++out: ++ return rc; ++} +diff -up ecryptfs-utils-108/src/utils/Makefile.am.splitnss ecryptfs-utils-108/src/utils/Makefile.am +--- ecryptfs-utils-108/src/utils/Makefile.am.splitnss 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-108/src/utils/Makefile.am 2015-08-11 14:43:53.489838127 +0200 +@@ -39,7 +39,7 @@ mount_ecryptfs_CFLAGS = $(AM_CFLAGS) $(K + mount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(KEYUTILS_LIBS) $(LIBGCRYPT_LIBS) + umount_ecryptfs_SOURCES = umount.ecryptfs.c + umount_ecryptfs_CFLAGS = $(AM_CFLAGS) $(KEYUTILS_CFLAGS) +-umount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la ++umount_ecryptfs_LDADD = -lkeyutils + ecryptfs_manager_SOURCES = manager.c io.c io.h gen_key.c + ecryptfs_manager_CFLAGS = $(AM_CFLAGS) $(KEYUTILS_CFLAGS) $(LIBGCRYPT_CFLAGS) + ecryptfs_manager_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(KEYUTILS_LIBS) $(LIBGCRYPT_LIBS) +diff -up ecryptfs-utils-108/src/utils/umount.ecryptfs.c.splitnss ecryptfs-utils-108/src/utils/umount.ecryptfs.c +--- ecryptfs-utils-108/src/utils/umount.ecryptfs.c.splitnss 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-108/src/utils/umount.ecryptfs.c 2015-08-11 14:43:53.489838127 +0200 +@@ -24,7 +24,10 @@ + #include + #include + #include +-#include "ecryptfs.h" ++#include ++#include ++ ++#include "../libecryptfs/key_management.inc.c" + + static void usage() + { diff --git a/SOURCES/ecryptfs-utils-84-fixsigness.patch b/SOURCES/ecryptfs-utils-84-fixsigness.patch new file mode 100644 index 0000000..2e2c20b --- /dev/null +++ b/SOURCES/ecryptfs-utils-84-fixsigness.patch @@ -0,0 +1,21 @@ +diff -up ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.fixsigness ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c +--- ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.fixsigness 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2015-08-11 14:43:54.331835910 +0200 +@@ -1157,7 +1157,7 @@ static int tf_pkcs11h_key_x509file(struc + goto out; + } + +- if ((subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, NULL)) < 0 ) { ++ if ((ssize_t)(subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, NULL)) < 0 ) { + syslog(LOG_ERR, "PKCS#11: Cannot read decode certificate"); + rc = -EIO; + goto out; +@@ -1178,7 +1178,7 @@ static int tf_pkcs11h_key_x509file(struc + */ + p = subgraph_key_ctx->pkcs11h_data.certificate_blob; + +- if ((subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, &p)) < 0) { ++ if ((ssize_t)(subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, &p)) < 0) { + syslog(LOG_ERR, "PKCS#11: Cannot read decode certificate"); + goto out; + } diff --git a/SOURCES/ecryptfs-utils-86-manpage.patch b/SOURCES/ecryptfs-utils-86-manpage.patch new file mode 100644 index 0000000..8ee89a4 --- /dev/null +++ b/SOURCES/ecryptfs-utils-86-manpage.patch @@ -0,0 +1,41 @@ +diff -up ecryptfs-utils-108/doc/manpage/ecryptfs-rewrite-file.1.manfix ecryptfs-utils-108/doc/manpage/ecryptfs-rewrite-file.1 +--- ecryptfs-utils-108/doc/manpage/ecryptfs-rewrite-file.1.manfix 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-108/doc/manpage/ecryptfs-rewrite-file.1 2015-08-11 14:43:55.128833810 +0200 +@@ -14,7 +14,7 @@ This script may be combined with \fBfind + ecryptfs-umount-private + sync + +-It is advised that this script is executed in runlevel 1 or 3, to avoid simultanteous writes and race conditions with targeted files. ++It is advised that this script is executed in runlevel 1 or 3, to avoid simultaneous writes and race conditions with targeted files. + + \fBUSING THIS SCRIPT WHILE GNOME, KDE, OR OTHER APPLICATIONS ARE RUNNING MAY CAUSE DATA LOSS.\fP + +diff -up ecryptfs-utils-108/doc/manpage/ecryptfs.7.manfix ecryptfs-utils-108/doc/manpage/ecryptfs.7 +--- ecryptfs-utils-108/doc/manpage/ecryptfs.7.manfix 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-108/doc/manpage/ecryptfs.7 2015-08-11 14:43:55.128833810 +0200 +@@ -1,6 +1,6 @@ + .TH ecryptfs 7 2009-03-24 ecryptfs-utils "eCryptfs" + .SH NAME +-eCryptfs \- an enterprise-class cryptographic filesystem for linux ++eCryptfs \- an enterprise-class cryptographic filesystem for Linux + + .SH SYNOPSIS + .BI "mount -t ecryptfs [SRC DIR] [DST DIR] -o [OPTIONS]" +@@ -67,7 +67,7 @@ Parameters that apply to individual key + The actual password is passphrase. Since the password is visible to utilities (like ps under Unix) this form should only be used where security is not important. + .TP + .B passphrase_passwd_file=(filename) +-The password should be specified in a file with passphrase_passwd_file=(passphrase). It is highly recommended that the file be stored on a secure medium such as a personal usb key. ++The password should be specified in a file with passphrase_passwd_file=(passphrase). It is highly recommended that the file be stored on a secure medium such as a personal USB key. + .TP + .B passphrase_passwd_fd=(file descriptor) + The password is specified through the specified file descriptor. +@@ -79,7 +79,7 @@ The salt should be specified as a 16 dig + The filename should be the filename of a file containing an RSA SSL key. + .TP + .B openssl_passwd_file=(filename) +-The password should be specified in a file with openssl_passwd=(openssl-password). It is highly recommended that the file be stored on a secure medium such as a personal usb key. ++The password should be specified in a file with openssl_passwd=(openssl-password). It is highly recommended that the file be stored on a secure medium such as a personal USB key. + .TP + .B openssl_passwd_fd=(file descriptor) + The password is specified through the specified file descriptor. diff --git a/SOURCES/ecryptfs-utils-87-authconfig.patch b/SOURCES/ecryptfs-utils-87-authconfig.patch new file mode 100644 index 0000000..3476b91 --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-authconfig.patch @@ -0,0 +1,15 @@ +diff -up ecryptfs-utils-108/src/utils/ecryptfs-migrate-home.authconfig ecryptfs-utils-108/src/utils/ecryptfs-migrate-home +--- ecryptfs-utils-108/src/utils/ecryptfs-migrate-home.authconfig 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-108/src/utils/ecryptfs-migrate-home 2015-08-11 14:43:56.758829517 +0200 +@@ -98,6 +98,11 @@ sanity_check () { + if ! which rsync >/dev/null 2>&1; then + error "Please install the rsync package." + fi ++ # Check for ecryptfs pam module ++ if ! grep -q ecryptfs /etc/pam.d/postlogin ++ then ++ error "You must enable ecryptfs pam module first. It can be enabled by using: authconfig --enableecryptfs --updateall" ++ fi + # Check free space: make sure we have sufficient disk space + # available. To make a full copy, we will need at least 2.5x the + # disk usage of the target home directory. diff --git a/SOURCES/ecryptfs-utils-87-autoload.patch b/SOURCES/ecryptfs-utils-87-autoload.patch new file mode 100644 index 0000000..26cbdf0 --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-autoload.patch @@ -0,0 +1,41 @@ +diff -up ecryptfs-utils-108/src/utils/ecryptfs-mount-private.autoload ecryptfs-utils-108/src/utils/ecryptfs-mount-private +--- ecryptfs-utils-108/src/utils/ecryptfs-mount-private.autoload 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-108/src/utils/ecryptfs-mount-private 2015-08-11 14:43:55.946831655 +0200 +@@ -33,6 +33,9 @@ if /sbin/mount.ecryptfs_private >/dev/nu + exit 0 + fi + ++#load kernel module if it's missing, FNE support check would fail otherwise ++[ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule ++ + # Otherwise, interactively prompt for the user's password + if [ -f "$WRAPPED_PASSPHRASE_FILE" -a -f "$MOUNT_PASSPHRASE_SIG_FILE" ]; then + tries=0 +diff -up ecryptfs-utils-108/src/utils/ecryptfs-setup-private.autoload ecryptfs-utils-108/src/utils/ecryptfs-setup-private +--- ecryptfs-utils-108/src/utils/ecryptfs-setup-private.autoload 2015-02-10 20:10:13.000000000 +0100 ++++ ecryptfs-utils-108/src/utils/ecryptfs-setup-private 2015-08-11 14:43:55.946831655 +0200 +@@ -101,6 +101,7 @@ random_passphrase () { + } + + filename_encryption_available() { ++ [ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule + version=$(cat /sys/fs/ecryptfs/version 2>/dev/null) + [ -z "$version" ] && error "$(gettext 'Cannot get ecryptfs version, ecryptfs kernel module not loaded?')" + [ $(($version & 0x100)) -eq 0 ] && return 1 +diff -up ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c.autoload ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c +--- ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c.autoload 2015-08-05 23:37:17.000000000 +0200 ++++ ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c 2015-08-11 14:43:55.946831655 +0200 +@@ -577,6 +577,13 @@ int main(int argc, char *argv[]) { + char **sigs; + FILE *fh_counter = NULL; + ++ if (argc == 2 && !strcmp(argv[1],"--loadmodule")) ++ { ++ execl("/sbin/modprobe","modprobe","ecryptfs",NULL); ++ perror("Unable to load ecryptfs module"); ++ return -1; ++ } ++ + uid = getuid(); + gid = getgid(); + /* Non-privileged effective uid is sufficient for all but the code diff --git a/SOURCES/ecryptfs-utils-87-fixconst.patch b/SOURCES/ecryptfs-utils-87-fixconst.patch new file mode 100644 index 0000000..21c4c5a --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-fixconst.patch @@ -0,0 +1,159 @@ +diff -up ecryptfs-utils-108/src/include/ecryptfs.h.fixconst ecryptfs-utils-108/src/include/ecryptfs.h +--- ecryptfs-utils-108/src/include/ecryptfs.h.fixconst 2015-08-11 14:44:01.791816259 +0200 ++++ ecryptfs-utils-108/src/include/ecryptfs.h 2015-08-11 14:44:01.794816251 +0200 +@@ -479,8 +479,8 @@ int ecryptfs_eval_decision_graph(struct + struct val_node **head, + struct param_node *root_node, + struct ecryptfs_name_val_pair *nvp_head); +-int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, char *passphrase, +- char *salt); ++int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, const char *passphrase, ++ const char *salt); + int ecryptfs_add_key_module_key_to_keyring(char *auth_tok_sig, + struct ecryptfs_key_mod *key_mod); + int ecryptfs_read_salt_hex_from_rc(char *salt_hex); +@@ -494,11 +494,11 @@ int parse_packet(struct ecryptfs_ctx *ct + struct ecryptfs_message **reply); + int ecryptfs_find_key_mod(struct ecryptfs_key_mod **key_mod, + struct ecryptfs_ctx *ctx, char *key_mod_alias); +-int generate_passphrase_sig(char *passphrase_sig, char *fekek, char *salt, +- char *passphrase); ++int generate_passphrase_sig(char *passphrase_sig, char *fekek, const char *salt, ++ const char *passphrase); + int + generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig, +- char *salt, char *session_key_encryption_key); ++ const char *salt, char *session_key_encryption_key); + int + ecryptfs_generate_key_payload(struct ecryptfs_auth_tok *auth_tok, + struct ecryptfs_key_mod *key_mod, char *sig, +@@ -517,15 +517,15 @@ int ecryptfs_check_sig(char *auth_tok_si + int ecryptfs_append_sig(char *auth_tok_sig, char *sig_cache_filename); + int __ecryptfs_detect_wrapped_passphrase_file_version(const char *filename, + uint8_t *version); +-int ecryptfs_wrap_passphrase_file(char *dest, char *wrapping_passphrase, +- char *wrapping_salt, char *src); +-int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase, +- char *unused, char *decrypted_passphrase); +-int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename, +- char *wrapping_passphrase, char *wrapping_salt); ++int ecryptfs_wrap_passphrase_file(const char *dest, const char *wrapping_passphrase, ++ const char *wrapping_salt, const char *src); ++int ecryptfs_wrap_passphrase(const char *filename, const char *wrapping_passphrase, ++ const char *unused, char *decrypted_passphrase); ++int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, const char *filename, ++ const char *wrapping_passphrase, const char *wrapping_salt); + int ecryptfs_insert_wrapped_passphrase_into_keyring( +- char *auth_tok_sig, char *filename, char *wrapping_passphrase, +- char *salt); ++ char *auth_tok_sig, char *filename, const char *wrapping_passphrase, ++ const char *salt); + char *ecryptfs_get_wrapped_passphrase_filename(); + struct ecryptfs_key_mod_ops *passphrase_get_key_mod_ops(void); + int ecryptfs_validate_keyring(void); +@@ -573,7 +573,7 @@ char *ecryptfs_get_passphrase(char *prom + int ecryptfs_run_daemon(struct ecryptfs_messaging_ctx *mctx); + + #define ECRYPTFS_PRIVATE_DIR "Private" +-char *ecryptfs_fetch_private_mnt(char *pw_dir); ++char *ecryptfs_fetch_private_mnt(const char *pw_dir); + int ecryptfs_private_is_mounted(char *dev, char *mnt, char *sig, int mounting); + + #endif +diff -up ecryptfs-utils-108/src/libecryptfs/key_management.c.fixconst ecryptfs-utils-108/src/libecryptfs/key_management.c +--- ecryptfs-utils-108/src/libecryptfs/key_management.c.fixconst 2015-08-11 14:44:01.777816296 +0200 ++++ ecryptfs-utils-108/src/libecryptfs/key_management.c 2015-08-11 14:44:01.795816249 +0200 +@@ -55,7 +55,7 @@ + */ + int ecryptfs_generate_passphrase_auth_tok(struct ecryptfs_auth_tok **auth_tok, + char *auth_tok_sig, char *fekek, +- char *salt, char *passphrase) ++ const char *salt, const char *passphrase) + { + int rc; + +@@ -195,8 +195,8 @@ int ecryptfs_add_blob_to_keyring(char *b + * + * Returns 0 on add, 1 on pre-existed, negative on failure. + */ +-int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, char *passphrase, +- char *salt) ++int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, const char *passphrase, ++ const char *salt) + { + int rc; + char fekek[ECRYPTFS_MAX_KEY_BYTES]; +@@ -382,8 +382,8 @@ out: + return rc; + } + +-int ecryptfs_wrap_passphrase_file(char *dest, char *wrapping_passphrase, +- char *salt, char *src) ++int ecryptfs_wrap_passphrase_file(const char *dest, const char *wrapping_passphrase, ++ const char *salt, const char *src) + { + int rc = 0; + ssize_t size; +@@ -540,8 +540,8 @@ out: + * + * Returns 0 upon success. Negative upon error. + */ +-int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase, +- char *unused, char *decrypted_passphrase) ++int ecryptfs_wrap_passphrase(const char *filename, const char *wrapping_passphrase, ++ const char *unused, char *decrypted_passphrase) + { + char wrapping_salt[ECRYPTFS_SALT_SIZE]; + char wrapping_auth_tok_sig[ECRYPTFS_SIG_SIZE_HEX + 1]; +@@ -822,8 +822,8 @@ out: + * decryptfs_passphrase must be able to hold + * ECRYPTFS_MAX_PASSPHRASE_BYTES + 1 bytes + */ +-int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename, +- char *wrapping_passphrase, char *wrapping_salt) ++int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, const char *filename, ++ const char *wrapping_passphrase, const char *wrapping_salt) + { + char v2_wrapping_salt[ECRYPTFS_SALT_SIZE]; + char wrapping_auth_tok_sig[ECRYPTFS_SIG_SIZE_HEX + 1]; +@@ -976,8 +976,8 @@ out: + * into the user session keyring. + */ + int ecryptfs_insert_wrapped_passphrase_into_keyring( +- char *auth_tok_sig, char *filename, char *wrapping_passphrase, +- char *salt) ++ char *auth_tok_sig, char *filename, const char *wrapping_passphrase, ++ const char *salt) + { + char decrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1] ; + int rc = 0; +diff -up ecryptfs-utils-108/src/libecryptfs/main.c.fixconst ecryptfs-utils-108/src/libecryptfs/main.c +--- ecryptfs-utils-108/src/libecryptfs/main.c.fixconst 2015-08-11 14:44:01.791816259 +0200 ++++ ecryptfs-utils-108/src/libecryptfs/main.c 2015-08-11 14:44:01.795816249 +0200 +@@ -92,7 +92,7 @@ out: + /* Read ecryptfs private mount from file + * Allocate and return a string + */ +-char *ecryptfs_fetch_private_mnt(char *pw_dir) { ++char *ecryptfs_fetch_private_mnt(const char *pw_dir) { + char *mnt_file = NULL; + char *mnt_default = NULL; + char *mnt = NULL; +@@ -212,7 +212,7 @@ int ecryptfs_private_is_mounted(char *de + */ + int + generate_passphrase_sig(char *passphrase_sig, char *fekek, +- char *salt, char *passphrase) ++ const char *salt, const char *passphrase) + { + char salt_and_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + + ECRYPTFS_SALT_SIZE]; +@@ -257,7 +257,7 @@ generate_passphrase_sig(char *passphrase + */ + int + generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig, +- char *salt, char *session_key_encryption_key) ++ const char *salt, char *session_key_encryption_key) + { + int rc = 0; + int major, minor; diff --git a/SOURCES/ecryptfs-utils-87-fixexecgid.patch b/SOURCES/ecryptfs-utils-87-fixexecgid.patch new file mode 100644 index 0000000..e47c56a --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-fixexecgid.patch @@ -0,0 +1,27 @@ +diff -up ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid 2015-08-11 14:43:59.298822826 +0200 ++++ ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c 2015-08-11 14:43:59.299822823 +0200 +@@ -365,8 +365,10 @@ static int private_dir(pam_handle_t *pam + _exit(0); + } + clearenv(); +- if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) ++ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { ++ syslog(LOG_ERR, "Unable to set user's groups : %m"); + _exit(-1); ++ } + /* run mount.ecryptfs_private as the user */ + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) + _exit(-1); +@@ -380,8 +382,10 @@ static int private_dir(pam_handle_t *pam + _exit(0); + } + clearenv(); +- if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) ++ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { ++ syslog(LOG_ERR, "Unable to set user's groups : %m"); + _exit(-1); ++ } + /* run umount.ecryptfs_private as the user */ + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) + _exit(-1); diff --git a/SOURCES/ecryptfs-utils-87-fixpamfork.patch b/SOURCES/ecryptfs-utils-87-fixpamfork.patch new file mode 100644 index 0000000..b498aa7 --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-fixpamfork.patch @@ -0,0 +1,74 @@ +diff -up ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork 2015-08-11 14:43:58.438825091 +0200 ++++ ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c 2015-08-11 14:43:58.439825089 +0200 +@@ -253,7 +253,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + } + out_child: + free(auth_tok_sig); +- exit(0); ++ _exit(0); + } + tmp_pid = waitpid(child_pid, NULL, 0); + if (tmp_pid == -1) +@@ -349,7 +349,7 @@ static int private_dir(pam_handle_t *pam + "%s/.ecryptfs/.wrapped-passphrase.recorded", + pwd->pw_dir) < 0) || recorded == NULL) { + syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for recorded name"); +- exit(1); ++ _exit(255); + } + if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { + /* User has not recorded their passphrase */ +@@ -362,33 +362,35 @@ static int private_dir(pam_handle_t *pam + if (stat(autofile, &s) != 0) { + /* User does not want to auto-mount */ + syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount"); +- exit(0); ++ _exit(0); + } + clearenv(); + if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) +- exit(-1); ++ _exit(-1); + /* run mount.ecryptfs_private as the user */ + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) +- exit(-1); ++ _exit(-1); + execl("/sbin/mount.ecryptfs_private", + "mount.ecryptfs_private", NULL); ++ syslog(LOG_ERR, "unable to execute mount.ecryptfs_private : %m"); + } else { + if (stat(autofile, &s) != 0) { + /* User does not want to auto-unmount */ + syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount"); +- exit(0); ++ _exit(0); + } + clearenv(); + if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) +- exit(-1); ++ _exit(-1); + /* run umount.ecryptfs_private as the user */ + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) +- exit(-1); ++ _exit(-1); + execl("/sbin/umount.ecryptfs_private", + "umount.ecryptfs_private", "-d", NULL); +- exit(1); ++ syslog(LOG_ERR, "unable to execute umount.ecryptfs_private : %m"); ++ _exit(1); + } +- exit(1); ++ _exit(1); + } else { + waitpid(pid, &rc, 0); + } +@@ -536,7 +538,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand + goto out_child; + } + out_child: +- exit(0); ++ _exit(0); + } + if ((tmp_pid = waitpid(child_pid, NULL, 0)) == -1) + syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); diff --git a/SOURCES/ecryptfs-utils-87-memcpyfix.patch b/SOURCES/ecryptfs-utils-87-memcpyfix.patch new file mode 100644 index 0000000..638bdbb --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-memcpyfix.patch @@ -0,0 +1,12 @@ +diff -up ecryptfs-utils-103/src/utils/mount.ecryptfs.c.memcpyfix ecryptfs-utils-103/src/utils/mount.ecryptfs.c +--- ecryptfs-utils-103/src/utils/mount.ecryptfs.c.memcpyfix 2012-07-13 16:50:29.000000000 +0200 ++++ ecryptfs-utils-103/src/utils/mount.ecryptfs.c 2013-01-28 17:22:53.769462509 +0100 +@@ -355,7 +355,7 @@ static int opts_str_contains_option(char + *end = '\0'; + break; + } +- memcpy(opt, next_opt, end - next_opt); ++ memmove(opt, next_opt, end - next_opt); + end = end - (next_opt - opt); + *end = '\0'; + } diff --git a/SOURCES/ecryptfs-utils-87-nozombies.patch b/SOURCES/ecryptfs-utils-87-nozombies.patch new file mode 100644 index 0000000..2d4ea3f --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-nozombies.patch @@ -0,0 +1,528 @@ +diff -up ecryptfs-utils-108/src/include/ecryptfs.h.nozombies ecryptfs-utils-108/src/include/ecryptfs.h +--- ecryptfs-utils-108/src/include/ecryptfs.h.nozombies 2015-03-11 16:07:01.000000000 +0100 ++++ ecryptfs-utils-108/src/include/ecryptfs.h 2015-08-11 14:44:00.122820656 +0200 +@@ -532,10 +532,6 @@ int ecryptfs_validate_keyring(void); + #define ECRYPTFS_SHM_KEY 0x3c81b7f5 + #define ECRYPTFS_SEM_KEY 0x3c81b7f6 + #define ECRYPTFS_SHM_SIZE 4096 +-#define ECRYPTFS_ZOMBIE_SLEEP_SECONDS 300 +-int ecryptfs_set_zombie_session_placeholder(void); +-int ecryptfs_kill_and_clear_zombie_session_placeholder(void); +-int ecryptfs_list_zombie_session_placeholders(void); + int ecryptfs_build_linear_subgraph_from_nvp(struct transition_node **trans_node, + struct ecryptfs_key_mod *key_mod); + int ecryptfs_build_linear_subgraph(struct transition_node **trans_node, +diff -up ecryptfs-utils-108/src/libecryptfs/main.c.nozombies ecryptfs-utils-108/src/libecryptfs/main.c +--- ecryptfs-utils-108/src/libecryptfs/main.c.nozombies 2015-03-26 14:28:59.000000000 +0100 ++++ ecryptfs-utils-108/src/libecryptfs/main.c 2015-08-11 14:44:00.122820656 +0200 +@@ -384,495 +384,6 @@ out: + return rc; + } + +-static int zombie_semaphore_get(void) +-{ +- int sem_id; +- struct semid_ds semid_ds; +- struct sembuf sb; +- int i; +- int rc; +- +- sem_id = semget(ECRYPTFS_SEM_KEY, 1, (0666 | IPC_EXCL | IPC_CREAT)); +- if (sem_id >= 0) { +- sb.sem_op = 1; +- sb.sem_flg = 0; +- sb.sem_num = 0; +- +- rc = semop(sem_id, &sb, 1); +- if (rc == -1) { +- semctl(sem_id, 0, IPC_RMID); +- syslog(LOG_ERR, "Error initializing semaphore\n"); +- rc = -1; +- goto out; +- } +- } else if (errno == EEXIST) { +- int initialized = 0; +- +- sem_id = semget(ECRYPTFS_SEM_KEY, 1, 0); +- if (sem_id < 0) { +- syslog(LOG_ERR, "Error getting existing semaphore"); +- rc = -1; +- goto out; +- } +-#define RETRY_LIMIT 3 +- for (i = 0; i < RETRY_LIMIT; i++) { +- semctl(sem_id, 0, IPC_STAT, &semid_ds); +- if (semid_ds.sem_otime != 0) { +- initialized = 1; +- break; +- } else +- sleep(1); +- } +- if (!initialized) { +- syslog(LOG_ERR, "Waited too long for initialized " +- "semaphore; something's wrong\n"); +- rc = -1; +- goto out; +- } +- } else { +- syslog(LOG_ERR, "Error attempting to get semaphore\n"); +- rc = -1; +- goto out; +- } +- rc = sem_id; +-out: +- return rc; +-} +- +-static void zombie_semaphore_lock(int sem_id) +-{ +- struct sembuf sb; +- int i; +- int rc; +- +- sb.sem_num = 0; +- sb.sem_op = -1; +- sb.sem_flg = IPC_NOWAIT; +- for (i = 0; i < RETRY_LIMIT; i++) { +- rc = semop(sem_id, &sb, 1); +- if (rc == -1 && errno == EAGAIN) { +- sleep(1); +- } else if (rc == -1) { +- syslog(LOG_ERR, "Error locking semaphore; errno " +- "string = [%m]\n"); +- goto out; +- } else +- goto out; +- } +- syslog(LOG_ERR, "Error locking semaphore; hit max retries\n"); +-out: +- return; +-} +- +-static void zombie_semaphore_unlock(int sem_id) +-{ +- struct sembuf sb; +- int rc; +- +- sb.sem_num = 0; +- sb.sem_op = 1; +- sb.sem_flg = 0; +- rc = semop(sem_id, &sb, 1); +- if (rc == -1) { +- syslog(LOG_ERR, "Error unlocking semaphore\n"); +- goto out; +- } +-out: +- return; +-} +- +-static int get_zombie_shared_mem_locked(int *shm_id, int *sem_id) +-{ +- int rc; +- +- (*sem_id) = zombie_semaphore_get(); +- if ((*sem_id) == -1) { +- syslog(LOG_ERR, "Error attempting to get zombie semaphore\n"); +- rc = -EIO; +- goto out; +- } +- zombie_semaphore_lock((*sem_id)); +- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, (0666 | IPC_CREAT +- | IPC_EXCL)); +- if (rc == -1 && errno == EEXIST) +- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0); +- else { +- char *shm_virt; +- +- if (rc == -1) { +- syslog(LOG_ERR, "Error allocating shared memory; " +- "errno string = [%m]\n"); +- rc = -EIO; +- zombie_semaphore_unlock((*sem_id)); +- goto out; +- } +- +- (*shm_id) = rc; +- shm_virt = shmat((*shm_id), NULL, 0); +- if (shm_virt == (void *)-1) { +- syslog(LOG_ERR, "Error attaching to newly allocated " +- "shared memory; errno string = [%m]\n"); +- rc = -EIO; +- zombie_semaphore_unlock((*sem_id)); +- goto out; +- } +- memset(shm_virt, 0, ECRYPTFS_SHM_SIZE); +- if ((rc = shmdt(shm_virt))) { +- rc = -EIO; +- zombie_semaphore_unlock((*sem_id)); +- goto out; +- } +- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0); +- } +- if (rc == -1) { +- syslog(LOG_ERR, "Error attempting to get identifier for " +- "shared memory with key [0x%.8x]\n", ECRYPTFS_SHM_KEY); +- rc = -EIO; +- zombie_semaphore_unlock((*sem_id)); +- goto out; +- } +- (*shm_id) = rc; +- rc = 0; +-out: +- return rc; +-} +- +-static int list_pid_sid_pairs(int shm_id) +-{ +- pid_t sid_tmp; +- pid_t pid_tmp; +- char *shm_virt; +- int i; +- int rc; +- +- if (sizeof(pid_t) != sizeof(uint32_t)) { +- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " +- "needs some tweaking to work on this architecture\n"); +- rc = -EINVAL; +- goto out; +- } +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- rc = -EIO; +- goto out; +- } +- i = 0; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- while (!(sid_tmp == 0 && pid_tmp == 0)) { +- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) +- break; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- } +- if ((rc = shmdt(shm_virt))) +- rc = -EIO; +-out: +- return rc; +-} +- +-static int find_pid_for_this_sid(pid_t *pid, int shm_id) +-{ +- pid_t sid_tmp; +- pid_t sid; +- pid_t pid_tmp; +- pid_t this_pid; +- char *shm_virt; +- int i; +- int rc; +- +- (*pid) = 0; +- if (sizeof(pid_t) != sizeof(uint32_t)) { +- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " +- "needs some tweaking to work on this architecture\n"); +- rc = -EINVAL; +- goto out; +- } +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- rc = -EIO; +- goto out; +- } +- i = 0; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- this_pid = getpid(); +- sid = getsid(this_pid); +- while (!(sid_tmp == 0 && pid_tmp == 0)) { +- if (sid_tmp == sid) { +- (*pid) = pid_tmp; +- goto end_search; +- } +- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) +- break; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- } +-end_search: +- if ((rc = shmdt(shm_virt))) { +- rc = -EIO; +- (*pid) = 0; +- } +-out: +- return rc; +-} +- +-static int remove_pid_for_this_sid(int shm_id) +-{ +- pid_t sid_tmp; +- pid_t sid; +- pid_t pid_tmp; +- pid_t pid; +- pid_t this_pid; +- char *shm_virt; +- int i; +- int rc; +- +- pid = 0; +- if (sizeof(pid_t) != sizeof(uint32_t)) { +- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " +- "needs some tweaking to work on this architecture\n"); +- rc = -EINVAL; +- goto out; +- } +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- rc = -EIO; +- goto out; +- } +- i = 0; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- this_pid = getpid(); +- sid = getsid(this_pid); +- while (!(sid_tmp == 0 && pid_tmp == 0)) { +- if (sid_tmp == sid) { +- pid = pid_tmp; +- break; +- } +- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) +- break; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- } +- if (pid != 0) { +- char *tmp; +- int remainder = (ECRYPTFS_SHM_SIZE - i); +- +- if (remainder != 0) { +- if ((tmp = malloc(remainder)) == NULL) { +- rc = -ENOMEM; +- shmdt(shm_virt); +- goto out; +- } +- memcpy(tmp, &shm_virt[i], remainder); +- i -= (2 * sizeof(pid_t)); +- memcpy(&shm_virt[i], tmp, remainder); +- i += remainder; +- } else +- i -= (2 * sizeof(pid_t)); +- memset(&shm_virt[i], 0, (2 * sizeof(pid_t))); +- if (remainder != 0) +- free(tmp); +- } +- if ((rc = shmdt(shm_virt))) +- rc = -EIO; +-out: +- return rc; +-} +- +-static int add_sid_pid_pair_to_shm(int shm_id) +-{ +- pid_t sid_tmp; +- pid_t sid; +- pid_t pid_tmp; +- pid_t pid; +- char *shm_virt; +- int i; +- int rc; +- +- if (sizeof(pid_t) != sizeof(uint32_t)) { +- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " +- "needs some tweaking to work on this architecture\n"); +- rc = -EINVAL; +- goto out; +- } +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- syslog(LOG_ERR, "Error attaching to shared memory; error " +- "string = [%m]\n"); +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- syslog(LOG_ERR, "Error attaching to shared memory; error " +- "string = [%m]\n"); +- rc = -EIO; +- goto out; +- } +- rc = -EIO; +- goto out; +- } +- i = 0; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- while (!(sid_tmp == 0 && pid_tmp == 0)) { +- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) { +- syslog(LOG_ERR, +- "No space left in shared memory region\n"); +- rc = -ENOMEM; +- shmdt(shm_virt); +- goto out; +- } +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- } +- pid = getpid(); +- sid = getsid(pid); +- sid = htonl(sid); +- pid = htonl(pid); +- i -= (2 * sizeof(pid_t)); +- memcpy(&shm_virt[i], &sid, sizeof(pid_t)); +- i += sizeof(pid_t); +- memcpy(&shm_virt[i], &pid, sizeof(pid_t)); +- i += sizeof(pid_t); +- if ((i + (2 * sizeof(pid_t))) <= ECRYPTFS_SHM_SIZE) +- memset(&shm_virt[i], 0, (i + (2 * sizeof(pid_t)))); +- if ((rc = shmdt(shm_virt))) { +- syslog(LOG_ERR, "Error detaching from shared memory\n"); +- rc = -EIO; +- } +-out: +- return rc; +-} +- +-int ecryptfs_set_zombie_session_placeholder(void) +-{ +- int shm_id; +- int sem_id; +- int rc = 0; +- +- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { +- syslog(LOG_ERR, +- "Error getting shared memory segment\n"); +- goto out; +- } +- if ((rc = add_sid_pid_pair_to_shm(shm_id))) { +- syslog(LOG_ERR, "Error adding sid/pid pair to shared memory " +- "segment; rc = [%d]\n", rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- zombie_semaphore_unlock(sem_id); +- sleep(ECRYPTFS_ZOMBIE_SLEEP_SECONDS); +- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { +- syslog(LOG_ERR, +- "Error getting shared memory segment\n"); +- goto out; +- } +- if ((rc = remove_pid_for_this_sid(shm_id))) { +- syslog(LOG_ERR, "Error attempting to remove pid/sid " +- "pair from shared memory segment; rc = [%d]\n", +- rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- zombie_semaphore_unlock(sem_id); +- exit(1); +-out: +- return rc; +-} +- +-int ecryptfs_kill_and_clear_zombie_session_placeholder(void) +-{ +- int shm_id; +- int sem_id; +- int pid; +- int rc = 0; +- +- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { +- syslog(LOG_ERR, "Error getting shared memory segment\n"); +- goto out; +- } +- if ((rc = find_pid_for_this_sid(&pid, shm_id))) { +- syslog(LOG_ERR, "Error finding pid for sid in shared memory " +- "segment; rc = [%d]\n", rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- if (pid == 0) { +- syslog(LOG_WARNING, "No valid pid found for this sid\n"); +- } else { +- if ((rc = kill(pid, SIGKILL))) { +- syslog(LOG_ERR, "Error attempting to kill process " +- "[%d]; rc = [%d]; errno string = [%m]\n", pid, +- rc); +- } +- if ((rc = remove_pid_for_this_sid(shm_id))) { +- syslog(LOG_ERR, "Error attempting to remove pid/sid " +- "pair from shared memory segment; rc = [%d]\n", +- rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- } +- zombie_semaphore_unlock(sem_id); +-out: +- return rc; +-} +- +-int ecryptfs_list_zombie_session_placeholders(void) +-{ +- int shm_id; +- int sem_id; +- int rc = 0; +- +- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { +- syslog(LOG_ERR, +- "Error getting shared memory segment\n"); +- goto out; +- } +- if ((rc = list_pid_sid_pairs(shm_id))) { +- syslog(LOG_ERR, "Error listing sid/pid pairs in shared memory " +- "segment; rc = [%d]\n", rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- zombie_semaphore_unlock(sem_id); +-out: +- return rc; +-} +- + static struct ecryptfs_ctx_ops ctx_ops; + + struct ecryptfs_ctx_ops *cryptfs_get_ctx_opts (void) +diff -up ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.nozombies ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.nozombies 2015-08-11 14:44:00.120820661 +0200 ++++ ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c 2015-08-11 14:44:00.122820656 +0200 +@@ -246,11 +246,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + syslog(LOG_ERR, "pam_ecryptfs: Error adding passphrase key token to user session keyring; rc = [%ld]\n", rc); + goto out_child; + } +- if (fork() == 0) { +- if ((rc = ecryptfs_set_zombie_session_placeholder())) { +- syslog(LOG_ERR, "pam_ecryptfs: Error attempting to create and register zombie process; rc = [%ld]\n", rc); +- } +- } + out_child: + free(auth_tok_sig); + _exit(0); diff --git a/SOURCES/ecryptfs-utils-87-pamdata.patch b/SOURCES/ecryptfs-utils-87-pamdata.patch new file mode 100644 index 0000000..ec4dd2b --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-pamdata.patch @@ -0,0 +1,352 @@ +diff -up ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2015-08-11 14:44:00.963818440 +0200 ++++ ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c 2015-08-11 14:44:00.965818435 +0200 +@@ -46,6 +46,26 @@ + + #define PRIVATE_DIR "Private" + ++#define ECRYPTFS_PAM_DATA "ecryptfs:passphrase" ++ ++struct ecryptfs_pam_data { ++ int unwrap; ++ uid_t uid; ++ gid_t gid; ++ char *passphrase; ++ const char *homedir; ++ const char *username; ++ char salt[ECRYPTFS_SALT_SIZE]; ++}; ++ ++static void pam_free_ecryptfsdata(pam_handle_t *pamh, void *data, int error_status) ++{ ++ if (data) { ++ free(((struct ecryptfs_pam_data *)data)->passphrase); ++ free(data); ++ } ++} ++ + /* returns: 0 if file does not exist, 1 if it exists, <0 for error */ + static int file_exists_dotecryptfs(const char *homedir, char *filename) + { +@@ -65,7 +85,7 @@ out: + return rc; + } + +-static int wrap_passphrase_if_necessary(const char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt) ++static int wrap_passphrase_if_necessary(const char *username, uid_t uid, const char *wrapped_pw_filename, const char *passphrase, const char *salt) + { + char *unwrapped_pw_filename = NULL; + struct stat s; +@@ -93,7 +113,7 @@ static int wrap_passphrase_if_necessary( + } + + static int rewrap_passphrase_if_necessary(char *wrapped_pw_filename, +- char *wrapping_passphrase, char *salt) ++ char *wrapping_passphrase, const char *salt) + { + char passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1]; + uint8_t version; +@@ -123,147 +143,68 @@ static int rewrap_passphrase_if_necessar + PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, + const char **argv) + { +- uid_t uid = 0, oeuid = 0; +- long ngroups_max = sysconf(_SC_NGROUPS_MAX); +- gid_t gid = 0, oegid = 0, groups[ngroups_max+1]; +- int ngids = 0; +- char *homedir = NULL; +- const char *username; +- char *passphrase = NULL; +- char salt[ECRYPTFS_SALT_SIZE]; + char salt_hex[ECRYPTFS_SALT_SIZE_HEX]; +- char *auth_tok_sig = NULL; + char *private_mnt = NULL; +- pid_t child_pid, tmp_pid; + long rc; ++ struct ecryptfs_pam_data *epd; + +- rc = pam_get_user(pamh, &username, NULL); ++ if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) { ++ syslog(LOG_ERR,"Memory allocation failed"); ++ rc = -ENOMEM; ++ goto out; ++ } ++ ++ rc = pam_get_user(pamh, &epd->username, NULL); + if (rc == PAM_SUCCESS) { + struct passwd *pwd; + +- pwd = getpwnam(username); ++ errno = 0; ++ pwd = getpwnam(epd->username); + if (pwd) { +- uid = pwd->pw_uid; +- gid = pwd->pw_gid; +- homedir = pwd->pw_dir; +- } +- } else { +- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); +- goto out; ++ epd->uid = pwd->pw_uid; ++ epd->gid = pwd->pw_gid; ++ epd->homedir = pwd->pw_dir; ++ rc = 0; ++ } else rc = errno; + } +- +- oeuid = geteuid(); +- oegid = getegid(); +- if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); +- goto outnouid; +- } +- +- if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ if (!epd->homedir) { ++ syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); + goto out; + } + +- if (!file_exists_dotecryptfs(homedir, "auto-mount")) ++ if (!file_exists_dotecryptfs(epd->homedir, "auto-mount")) + goto out; +- private_mnt = ecryptfs_fetch_private_mnt(homedir); ++ private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); + if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { +- syslog(LOG_DEBUG, "pam_ecryptfs: %s: %s is already mounted\n", __FUNCTION__, homedir); ++ syslog(LOG_DEBUG, "pam_ecryptfs: %s: %s is already mounted\n", __FUNCTION__, epd->homedir); + /* If private/home is already mounted, then we can skip + costly loading of keys */ + goto out; + } +- if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1) +- rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: "); ++ if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1) ++ rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &epd->passphrase, "Encryption passphrase: "); + else +- rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase); ++ rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); + if (rc != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", + rc); + goto out; + } +- auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); +- if (!auth_tok_sig) { +- rc = -ENOMEM; +- syslog(LOG_ERR, "pam_ecryptfs: Out of memory\n"); +- goto out; +- } ++ epd->passphrase = strdup(epd->passphrase); + rc = ecryptfs_read_salt_hex_from_rc(salt_hex); + if (rc) { +- from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE); ++ from_hex(epd->salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE); + } else +- from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE); +- if ((child_pid = fork()) == 0) { +- /* temp regain uid 0 to drop privs */ +- seteuid(oeuid); +- /* setgroups() already called */ +- if (setgid(gid) < 0 || setuid(uid) < 0) +- goto out_child; +- +- if (passphrase == NULL) { +- syslog(LOG_ERR, "pam_ecryptfs: NULL passphrase; aborting\n"); +- rc = -EINVAL; +- goto out_child; +- } +- if ((rc = ecryptfs_validate_keyring())) { +- syslog(LOG_WARNING, "pam_ecryptfs: Cannot validate keyring integrity\n"); +- } +- rc = 0; +- if ((argc == 1) +- && (memcmp(argv[0], "unwrap\0", 7) == 0)) { +- char *wrapped_pw_filename; +- +- rc = asprintf( +- &wrapped_pw_filename, "%s/.ecryptfs/%s", +- homedir, +- ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); +- if (rc == -1) { +- syslog(LOG_ERR, "pam_ecryptfs: Unable to allocate memory\n"); +- rc = -ENOMEM; +- goto out_child; +- } +- if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, passphrase, salt) == 0) { +- syslog(LOG_DEBUG, "pam_ecryptfs: Passphrase file wrapped"); +- } else { +- goto out_child; +- } +- if (rewrap_passphrase_if_necessary(wrapped_pw_filename, passphrase, salt)) { +- /* Non fatal condition. Log a warning. */ +- syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); +- } +- rc = ecryptfs_insert_wrapped_passphrase_into_keyring( +- auth_tok_sig, wrapped_pw_filename, passphrase, +- salt); +- free(wrapped_pw_filename); +- } else { +- rc = ecryptfs_add_passphrase_key_to_keyring( +- auth_tok_sig, passphrase, salt); +- } +- if (rc == 1) { +- goto out_child; +- } +- if (rc) { +- syslog(LOG_ERR, "pam_ecryptfs: Error adding passphrase key token to user session keyring; rc = [%ld]\n", rc); +- goto out_child; +- } +-out_child: +- free(auth_tok_sig); +- _exit(0); ++ from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE); ++ epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); ++ if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) { ++ syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); ++ goto out; + } +- tmp_pid = waitpid(child_pid, NULL, 0); +- if (tmp_pid == -1) +- syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); +-out: + +- seteuid(oeuid); +- setegid(oegid); +- setgroups(ngids, groups); +- +-outnouid: ++out: + if (private_mnt != NULL) + free(private_mnt); +- if (auth_tok_sig != NULL) +- free(auth_tok_sig); + return PAM_SUCCESS; + } + +@@ -407,10 +348,124 @@ static int umount_private_dir(pam_handle + return private_dir(pamh, 0); + } + ++static int fill_keyring(pam_handle_t *pamh) ++{ ++ pid_t child_pid,tmp_pid; ++ uid_t oeuid = 0; ++ long ngroups_max = sysconf(_SC_NGROUPS_MAX); ++ gid_t oegid = 0, groups[ngroups_max+1]; ++ int ngids = 0; ++ int rc = 0; ++ const struct ecryptfs_pam_data *epd; ++ char *auth_tok_sig = NULL; ++ auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); ++ ++ if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS) ++ { ++ syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc)); ++ return -EINVAL; ++ } ++ ++ oeuid = geteuid(); ++ oegid = getegid(); ++ if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { ++ syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); ++ goto outnouid; ++ } ++ ++ if (setegid(epd->gid) < 0 || setgroups(1, &epd->gid) < 0 || seteuid(epd->uid) < 0) { ++ syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ goto out; ++ } ++ ++ if (!auth_tok_sig) { ++ syslog(LOG_ERR, "Out of memory\n"); ++ return -ENOMEM; ++ } ++ ++ if ((child_pid = fork()) == 0) { ++ /* temp regain uid 0 to drop privs */ ++ if (seteuid(oeuid) < 0) ++ { ++ syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ goto out_child; ++ } ++ /* setgroups() already called */ ++ if (setgid(epd->gid) < 0 || setuid(epd->uid) < 0) ++ goto out_child; ++ ++ if (epd->passphrase == NULL) { ++ syslog(LOG_ERR, "NULL passphrase; aborting\n"); ++ rc = -EINVAL; ++ goto out_child; ++ } ++ if ((rc = ecryptfs_validate_keyring())) { ++ syslog(LOG_WARNING, ++ "Cannot validate keyring integrity\n"); ++ } ++ rc = 0; ++ if (epd->unwrap) { ++ char *wrapped_pw_filename; ++ ++ rc = asprintf( ++ &wrapped_pw_filename, "%s/.ecryptfs/%s", ++ epd->homedir, ++ ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); ++ if (rc == -1) { ++ syslog(LOG_ERR, "Unable to allocate memory\n"); ++ rc = -ENOMEM; ++ goto out_child; ++ } ++ if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) { ++ syslog(LOG_INFO, "Passphrase file wrapped"); ++ } else { ++ goto out_child; ++ } ++ if (rewrap_passphrase_if_necessary(wrapped_pw_filename, epd->passphrase, epd->salt)) { ++ /* Non fatal condition. Log a warning. */ ++ syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); ++ } ++ rc = ecryptfs_insert_wrapped_passphrase_into_keyring( ++ auth_tok_sig, wrapped_pw_filename, epd->passphrase, ++ epd->salt); ++ free(wrapped_pw_filename); ++ } else { ++ rc = ecryptfs_add_passphrase_key_to_keyring( ++ auth_tok_sig, epd->passphrase, epd->salt); ++ } ++ if (rc == 1) { ++ goto out_child; ++ } ++ if (rc) { ++ syslog(LOG_ERR, "Error adding passphrase key token to " ++ "user session keyring; rc = [%d]\n", rc); ++ goto out_child; ++ } ++out_child: ++ free(auth_tok_sig); ++ _exit(0); ++ } ++ tmp_pid = waitpid(child_pid, NULL, 0); ++ if (tmp_pid == -1) ++ syslog(LOG_WARNING, ++ "waitpid() returned with error condition\n"); ++out: ++ rc = seteuid(oeuid); ++ rc = setegid(oegid); ++ rc = setgroups(ngids, groups); ++ ++outnouid: ++ if (auth_tok_sig != NULL) ++ free(auth_tok_sig); ++ return 0; ++} ++ ++ + PAM_EXTERN int + pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) + { ++ fill_keyring(pamh); + mount_private_dir(pamh); + return PAM_SUCCESS; + } diff --git a/SOURCES/ecryptfs-utils-87-prefixsyslog.patch b/SOURCES/ecryptfs-utils-87-prefixsyslog.patch new file mode 100644 index 0000000..02fbad4 --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-prefixsyslog.patch @@ -0,0 +1,240 @@ +diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamsyslog ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamsyslog 2011-08-09 11:39:28.404766037 +0200 ++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-09 11:39:28.428765549 +0200 +@@ -91,7 +91,7 @@ static int wrap_passphrase_if_necessary( + + rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username); + if (rc == -1) { +- syslog(LOG_ERR, "Unable to allocate memory\n"); ++ pamsyslog(LOG_ERR, "Unable to allocate memory\n"); + return -ENOMEM; + } + /* If /dev/shm/.ecryptfs-$USER exists and owned by the user +@@ -105,7 +105,7 @@ static int wrap_passphrase_if_necessary( + setuid(uid); + rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename); + if (rc != 0) { +- syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc); ++ pamsyslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc); + } + return rc; + } +@@ -122,10 +122,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + uint32_t version; + struct ecryptfs_pam_data *epd = {0,}; + +- syslog(LOG_INFO, "%s: Called\n", __FUNCTION__); ++ pamsyslog(LOG_INFO, "%s: Called\n", __FUNCTION__); + + if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) { +- syslog(LOG_ERR,"Memory allocation failed"); ++ pamsyslog(LOG_ERR,"Memory allocation failed"); + rc = -ENOMEM; + goto out; + } +@@ -134,7 +134,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + if (rc == PAM_SUCCESS) { + struct passwd *pwd; + +- syslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__, ++ pamsyslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__, + epd->username); + pwd = getpwnam(epd->username); + if (pwd) { +@@ -142,7 +142,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + epd->homedir = pwd->pw_dir; + } + } else { +- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " ++ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", epd->username, rc); + goto out; + } +@@ -150,7 +150,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + goto out; + private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); + if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { +- syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__, ++ pamsyslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__, + epd->homedir); + /* If private/home is already mounted, then we can skip + costly loading of keys */ +@@ -159,7 +159,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + /* we need side effect of this check: + load ecryptfs module if not loaded already */ + if (ecryptfs_get_version(&version) != 0) +- syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); ++ pamsyslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); + saved_uid = geteuid(); + seteuid(epd->uid); + if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1) +@@ -168,7 +168,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); + seteuid(saved_uid); + if (rc != PAM_SUCCESS) { +- syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", ++ pamsyslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", + rc); + goto out; + } +@@ -182,7 +182,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); + if (pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata) != PAM_SUCCESS) { + +- syslog(LOG_ERR, "Unable to store ecryptfs pam data : %m"); ++ pamsyslog(LOG_ERR, "Unable to store ecryptfs pam data : %m"); + goto out; + } + +@@ -206,13 +206,13 @@ static struct passwd *fetch_pwd(pam_hand + + rc = pam_get_user(pamh, &username, NULL); + if (rc != PAM_SUCCESS || username == NULL) { +- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " ++ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } + pwd = getpwnam(username); + if (pwd == NULL) { +- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " ++ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } +@@ -244,13 +244,13 @@ static int private_dir(pam_handle_t *pam + if ( + (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0) + || autofile == NULL) { +- syslog(LOG_ERR, "Error allocating memory for autofile name"); ++ pamsyslog(LOG_ERR, "Error allocating memory for autofile name"); + return 1; + } + if ( + (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir, + PRIVATE_DIR) < 0) || sigfile == NULL) { +- syslog(LOG_ERR, "Error allocating memory for sigfile name"); ++ pamsyslog(LOG_ERR, "Error allocating memory for sigfile name"); + return 1; + } + if (stat(sigfile, &s) != 0) { +@@ -262,13 +262,13 @@ static int private_dir(pam_handle_t *pam + goto out; + } + if ((pid = fork()) < 0) { +- syslog(LOG_ERR, "Error setting up private mount"); ++ pamsyslog(LOG_ERR, "Error setting up private mount"); + return 1; + } + if (pid == 0) { + /* set user's groups, we may need ecryptfs group for (u)mount */ + if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { +- syslog(LOG_ERR, "Unable to set user's groups : %m"); ++ pamsyslog(LOG_ERR, "Unable to set user's groups : %m"); + _exit(255); + } + +@@ -276,7 +276,7 @@ static int private_dir(pam_handle_t *pam + if ((asprintf(&recorded, + "%s/.ecryptfs/.wrapped-passphrase.recorded", + pwd->pw_dir) < 0) || recorded == NULL) { +- syslog(LOG_ERR, ++ pamsyslog(LOG_ERR, + "Error allocating memory for recorded name"); + _exit(255); + } +@@ -289,7 +289,7 @@ static int private_dir(pam_handle_t *pam + } + if (stat(autofile, &s) != 0) { + /* User does not want to auto-mount */ +- syslog(LOG_INFO, ++ pamsyslog(LOG_INFO, + "Skipping automatic eCryptfs mount"); + _exit(0); + } +@@ -297,11 +297,11 @@ static int private_dir(pam_handle_t *pam + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/mount.ecryptfs_private", + "mount.ecryptfs_private", NULL); +- syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); ++ pamsyslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); + } else { + if (stat(autofile, &s) != 0) { + /* User does not want to auto-unmount */ +- syslog(LOG_INFO, ++ pamsyslog(LOG_INFO, + "Skipping automatic eCryptfs unmount"); + _exit(0); + } +@@ -309,7 +309,7 @@ static int private_dir(pam_handle_t *pam + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/umount.ecryptfs_private", + "umount.ecryptfs_private", NULL); +- syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); ++ pamsyslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); + } + _exit(255); + } else { +@@ -338,25 +338,25 @@ static int fill_keyring(pam_handle_t *pa + char *auth_tok_sig; + auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); + if (!auth_tok_sig) { +- syslog(LOG_ERR, "Out of memory\n"); ++ pamsyslog(LOG_ERR, "Out of memory\n"); + return -ENOMEM; + } + + if (pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd) != PAM_SUCCESS) + { +- syslog(LOG_ERR,"Unable to get ecryptfs pam data : %m"); ++ pamsyslog(LOG_ERR,"Unable to get ecryptfs pam data : %m"); + return -EINVAL; + } + + if ((child_pid = fork()) == 0) { + setuid(epd->uid); + if (epd->passphrase == NULL) { +- syslog(LOG_ERR, "NULL passphrase; aborting\n"); ++ pamsyslog(LOG_ERR, "NULL passphrase; aborting\n"); + rc = -EINVAL; + goto out_child; + } + if ((rc = ecryptfs_validate_keyring())) { +- syslog(LOG_WARNING, ++ pamsyslog(LOG_WARNING, + "Cannot validate keyring integrity\n"); + } + rc = 0; +@@ -368,12 +368,12 @@ static int fill_keyring(pam_handle_t *pa + epd->homedir, + ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); + if (rc == -1) { +- syslog(LOG_ERR, "Unable to allocate memory\n"); ++ pamsyslog(LOG_ERR, "Unable to allocate memory\n"); + rc = -ENOMEM; + goto out_child; + } + if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) { +- syslog(LOG_INFO, "Passphrase file wrapped"); ++ pamsyslog(LOG_INFO, "Passphrase file wrapped"); + } else { + goto out_child; + } +@@ -389,7 +389,7 @@ static int fill_keyring(pam_handle_t *pa + goto out_child; + } + if (rc) { +- syslog(LOG_ERR, "Error adding passphrase key token to " ++ pamsyslog(LOG_ERR, "Error adding passphrase key token to " + "user session keyring; rc = [%d]\n", rc); + goto out_child; + } +@@ -399,7 +399,7 @@ out_child: + } + tmp_pid = waitpid(child_pid, NULL, 0); + if (tmp_pid == -1) +- syslog(LOG_WARNING, ++ pamsyslog(LOG_WARNING, + "waitpid() returned with error condition\n"); + + diff --git a/SOURCES/ecryptfs-utils-87-syslog.patch b/SOURCES/ecryptfs-utils-87-syslog.patch new file mode 100644 index 0000000..0ead855 --- /dev/null +++ b/SOURCES/ecryptfs-utils-87-syslog.patch @@ -0,0 +1,12 @@ +diff -up ecryptfs-utils-108/src/include/ecryptfs.h.syslog ecryptfs-utils-108/src/include/ecryptfs.h +--- ecryptfs-utils-108/src/include/ecryptfs.h.syslog 2015-08-11 14:44:02.641814020 +0200 ++++ ecryptfs-utils-108/src/include/ecryptfs.h 2015-08-11 14:44:02.643814015 +0200 +@@ -137,7 +137,7 @@ + #define ECRYPTFS_TAG_67_PACKET 0x43 + + #define ecryptfs_syslog(type, fmt, arg...) \ +- syslog(type, "%s: " fmt, __FUNCTION__, ## arg); ++ syslog(type, "ecryptfs: %s: " fmt, __FUNCTION__, ## arg); + + #define ECRYPTFS_MAX_NUM_CIPHERS 64 + #define ECRYPTFS_ECHO_ON 1 diff --git a/SOURCES/ecryptfs-utils-90-CVE-2011-3145.patch b/SOURCES/ecryptfs-utils-90-CVE-2011-3145.patch new file mode 100644 index 0000000..0c9e3cd --- /dev/null +++ b/SOURCES/ecryptfs-utils-90-CVE-2011-3145.patch @@ -0,0 +1,86 @@ +diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145 ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c +--- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145 2011-08-31 12:08:26.479493949 +0200 ++++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c 2011-08-31 12:10:09.014666213 +0200 +@@ -274,12 +274,14 @@ int update_mtab(char *dev, char *mnt, ch + int fd; + FILE *old_mtab, *new_mtab; + struct mntent *old_ent, new_ent; ++ mode_t old_umask; + + /* Make an attempt to play nice with other mount helpers + * by creating an /etc/mtab~ lock file. Of course this + * only works if those other helpers actually check for + * this. + */ ++ old_umask = umask(033); + fd = open("/etc/mtab~", O_RDONLY | O_CREAT | O_EXCL, 0644); + if (fd < 0) { + perror("open"); +@@ -332,6 +334,8 @@ int update_mtab(char *dev, char *mnt, ch + + unlink("/etc/mtab~"); + ++ umask(old_umask); ++ + return 0; + + fail: +@@ -341,6 +345,7 @@ fail_late: + fail_early: + endmntent(old_mtab); + unlink("/etc/mtab~"); ++ umask(old_umask); + return 1; + } + +@@ -476,7 +481,7 @@ int zero(FILE *fh) { + * c) updating /etc/mtab + */ + int main(int argc, char *argv[]) { +- int uid, mounting; ++ int uid, gid, mounting; + int force = 0; + struct passwd *pwd; + char *alias, *src, *dest, *opt, *opts2; +@@ -491,6 +496,7 @@ int main(int argc, char *argv[]) { + } + + uid = getuid(); ++ gid = getgid(); + /* Non-privileged effective uid is sufficient for all but the code + * that mounts, unmounts, and updates /etc/mtab. + * Run at a lower privilege until we need it. +@@ -618,7 +624,14 @@ int main(int argc, char *argv[]) { + * the real uid to be that of the user. + * And we need the effective uid to be root in order to mount. + */ +- setreuid(-1, 0); ++ if (setreuid(-1, 0) < 0) { ++ perror("setreuid"); ++ goto fail; ++ } ++ if (setregid(-1, 0) < 0) { ++ perror("setregid"); ++ goto fail; ++ } + /* Perform mount */ + if (mount(src, ".", FSTYPE, 0, opt) == 0) { + if (update_mtab(src, dest, opt) != 0) { +@@ -630,6 +643,9 @@ int main(int argc, char *argv[]) { + if (setreuid(uid, uid) < 0) { + perror("setreuid"); + } ++ if (setregid(gid, gid) < 0) { ++ perror("setregid"); ++ } + goto fail; + } + } else { +@@ -665,6 +681,7 @@ int main(int argc, char *argv[]) { + * Do not use the umount.ecryptfs helper (-i). + */ + setresuid(0,0,0); ++ setresgid(0,0,0); + + /* Since we're doing a lazy unmount anyway, just unmount the current + * directory. This avoids a lot of complexity in dealing with race diff --git a/SOURCES/ecryptfs-utils-96-groupcheck.patch b/SOURCES/ecryptfs-utils-96-groupcheck.patch new file mode 100644 index 0000000..9aa53bc --- /dev/null +++ b/SOURCES/ecryptfs-utils-96-groupcheck.patch @@ -0,0 +1,21 @@ +diff -up ecryptfs-utils-108/src/utils/ecryptfs-mount-private.groupcheck ecryptfs-utils-108/src/utils/ecryptfs-mount-private +--- ecryptfs-utils-108/src/utils/ecryptfs-mount-private.groupcheck 2015-08-11 14:44:03.505811744 +0200 ++++ ecryptfs-utils-108/src/utils/ecryptfs-mount-private 2015-08-11 14:44:03.524811694 +0200 +@@ -69,7 +69,16 @@ if [ -f "$WRAPPED_PASSPHRASE_FILE" -a -f + echo `gettext "ERROR:"` `gettext "Too many incorrect password attempts, exiting"` + exit 1 + fi +- /sbin/mount.ecryptfs_private ++ if ! /sbin/mount.ecryptfs_private; ++ then ++ # Check if the ecryptfs group exists, and user is member of ecryptfs group ++ if grep -qs "^ecryptfs:" /etc/group; then ++ if ! id "$USER" | grep -qs "\(ecryptfs\)"; then ++ echo $(gettext 'ERROR: ') $(gettext 'User needs to be a member of ecryptfs group') ++ exit 1 ++ fi ++ fi ++ fi + else + echo `gettext "ERROR:"` `gettext "Encrypted private directory is not setup properly"` + exit 1 diff --git a/SOURCES/ecryptfs-utils-99-selinux.patch b/SOURCES/ecryptfs-utils-99-selinux.patch new file mode 100644 index 0000000..884d728 --- /dev/null +++ b/SOURCES/ecryptfs-utils-99-selinux.patch @@ -0,0 +1,24 @@ +diff -up ecryptfs-utils-108/src/utils/ecryptfs-migrate-home.selinux ecryptfs-utils-108/src/utils/ecryptfs-migrate-home +--- ecryptfs-utils-108/src/utils/ecryptfs-migrate-home.selinux 2015-08-11 14:44:04.362809487 +0200 ++++ ecryptfs-utils-108/src/utils/ecryptfs-migrate-home 2015-08-11 14:44:04.377809448 +0200 +@@ -136,6 +136,7 @@ encrypt_dir () { + error "Cannot proceed." + fi + # start encryption ++ [[ "$(getsebool use_ecryptfs_home_dirs 2>/dev/null)" =~ off$ ]] && setsebool -P use_ecryptfs_home_dirs=1 1>/dev/null 2>&1 ||: + orig=$(mktemp /home/$USER_NAME.XXXXXXXX) + rm "$orig" && mv "$USER_HOME" "$orig" + chmod 700 "$orig" +@@ -158,8 +159,12 @@ encrypt_dir () { + fi + info "Encrypted home has been set up, encrypting files now...this may take a while." + # Show progress, but on stderr, in case the user wants to filter that out ++ semanage fcontext -a -e /home /home/.ecryptfs >/dev/null 2>&1 ||: ++ restorecon /home/.ecryptfs/ /home/.ecryptfs/$USER_NAME >/dev/null 2>&1 ||: + rsync -aP "$orig/" "$USER_HOME/" 1>&2 ++ restorecon -R /home/.ecryptfs/$USER_NAME >/dev/null 2>&1 ||: + umount "$USER_HOME/" ++ restorecon -R "$USER_HOME" >/dev/null 2>&1 ||: + echo + echo "========================================================================" + echo "Some Important Notes!" diff --git a/SOURCES/ecryptfs-utils-openssl11.patch b/SOURCES/ecryptfs-utils-openssl11.patch new file mode 100644 index 0000000..b5ff7b6 --- /dev/null +++ b/SOURCES/ecryptfs-utils-openssl11.patch @@ -0,0 +1,166 @@ +=== modified file 'src/key_mod/ecryptfs_key_mod_openssl.c' +--- src/key_mod/ecryptfs_key_mod_openssl.c 2013-10-25 19:45:09 +0000 ++++ src/key_mod/ecryptfs_key_mod_openssl.c 2017-06-02 18:27:28 +0000 +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -55,6 +56,19 @@ + char *passphrase; + }; + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++static void RSA_get0_key(const RSA *r, ++ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) ++{ ++ if (n != NULL) ++ *n = r->n; ++ if (e != NULL) ++ *e = r->e; ++ if (d != NULL) ++ *d = r->d; ++} ++#endif ++ + static void + ecryptfs_openssl_destroy_openssl_data(struct openssl_data *openssl_data) + { +@@ -142,6 +156,7 @@ + { + int len, nbits, ebits, i; + int nbytes, ebytes; ++ const BIGNUM *key_n, *key_e; + unsigned char *hash; + unsigned char *data = NULL; + int rc = 0; +@@ -152,11 +167,13 @@ + rc = -ENOMEM; + goto out; + } +- nbits = BN_num_bits(key->n); ++ RSA_get0_key(key, &key_n, NULL, NULL); ++ nbits = BN_num_bits(key_n); + nbytes = nbits / 8; + if (nbits % 8) + nbytes++; +- ebits = BN_num_bits(key->e); ++ RSA_get0_key(key, NULL, &key_e, NULL); ++ ebits = BN_num_bits(key_e); + ebytes = ebits / 8; + if (ebits % 8) + ebytes++; +@@ -179,11 +196,13 @@ + data[i++] = '\02'; + data[i++] = (nbits >> 8); + data[i++] = nbits; +- BN_bn2bin(key->n, &(data[i])); ++ RSA_get0_key(key, &key_n, NULL, NULL); ++ BN_bn2bin(key_n, &(data[i])); + i += nbytes; + data[i++] = (ebits >> 8); + data[i++] = ebits; +- BN_bn2bin(key->e, &(data[i])); ++ RSA_get0_key(key, NULL, &key_e, NULL); ++ BN_bn2bin(key_e, &(data[i])); + i += ebytes; + SHA1(data, len + 3, hash); + to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE); +@@ -278,7 +297,9 @@ + BIO *in = NULL; + int rc; + ++ #if OPENSSL_VERSION_NUMBER < 0x10100000L + CRYPTO_malloc_init(); ++ #endif + ERR_load_crypto_strings(); + OpenSSL_add_all_algorithms(); + ENGINE_load_builtin_engines(); + +=== modified file 'src/key_mod/ecryptfs_key_mod_pkcs11_helper.c' +--- src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2013-10-25 19:45:09 +0000 ++++ src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2017-06-02 18:27:28 +0000 +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -77,6 +78,19 @@ + typedef const unsigned char *__pkcs11_openssl_d2i_t; + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++static void RSA_get0_key(const RSA *r, ++ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) ++{ ++ if (n != NULL) ++ *n = r->n; ++ if (e != NULL) ++ *e = r->e; ++ if (d != NULL) ++ *d = r->d; ++} ++#endif ++ + /** + * ecryptfs_pkcs11h_deserialize + * @pkcs11h_data: The deserialized version of the key module data; +@@ -282,7 +296,11 @@ + goto out; + } + ++ #if OPENSSL_VERSION_NUMBER < 0x10100000L + if (pubkey->type != EVP_PKEY_RSA) { ++ #else ++ if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) { ++ #endif + syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm"); + rc = -EIO; + goto out; +@@ -318,6 +336,7 @@ + int nbytes, ebytes; + char *hash = NULL; + char *data = NULL; ++ const BIGNUM *rsa_n, *rsa_e; + int rc; + + if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) { +@@ -331,11 +350,13 @@ + rc = -ENOMEM; + goto out; + } +- nbits = BN_num_bits(rsa->n); ++ RSA_get0_key(rsa, &rsa_n, NULL, NULL); ++ nbits = BN_num_bits(rsa_n); + nbytes = nbits / 8; + if (nbits % 8) + nbytes++; +- ebits = BN_num_bits(rsa->e); ++ RSA_get0_key(rsa, NULL, &rsa_e, NULL); ++ ebits = BN_num_bits(rsa_e); + ebytes = ebits / 8; + if (ebits % 8) + ebytes++; +@@ -358,11 +379,13 @@ + data[i++] = '\02'; + data[i++] = (char)(nbits >> 8); + data[i++] = (char)nbits; +- BN_bn2bin(rsa->n, &(data[i])); ++ RSA_get0_key(rsa, &rsa_n, NULL, NULL); ++ BN_bn2bin(rsa_n, &(data[i])); + i += nbytes; + data[i++] = (char)(ebits >> 8); + data[i++] = (char)ebits; +- BN_bn2bin(rsa->e, &(data[i])); ++ RSA_get0_key(rsa, NULL, &rsa_e, NULL); ++ BN_bn2bin(rsa_e, &(data[i])); + i += ebytes; + SHA1(data, len + 3, hash); + to_hex(sig, hash, ECRYPTFS_SIG_SIZE); + diff --git a/SPECS/ecryptfs-utils.spec b/SPECS/ecryptfs-utils.spec new file mode 100644 index 0000000..890ebe7 --- /dev/null +++ b/SPECS/ecryptfs-utils.spec @@ -0,0 +1,795 @@ +# FIXME rhbz#533920, automake does not support python3 +%bcond_with python3 + +%bcond_without unittests + +%global confflags %{shrink: \ + --enable-pywrap --enable-tspi --enable-nss \ + --enable-pkcs11-helper --enable-tests \ + --with-pamdir=%{_libdir}/security \ +} + +%global pydesc \ +The package contains a module that permits\ +applications written in the Python programming language to use\ +the interface supplied by the %{name} library. + +Name: ecryptfs-utils +Version: 111 +Release: 26%{?dist} +Summary: The eCryptfs mount helper and support libraries +License: GPLv2+ +URL: https://launchpad.net/ecryptfs + +Source0: http://launchpad.net/ecryptfs/trunk/%{version}/+download/%{name}_%{version}.orig.tar.gz +Source1: ecryptfs-mount-private.png + +### upstream patches +# rhbz#1384023, openssl 1.1.x +Patch1: https://code.launchpad.net/~jelle-vdwaa/ecryptfs/ecryptfs/+merge/319746/+preview-diff/792383/+files/preview.diff#/%{name}-openssl11.patch + +### downstream patches +# rhbz#500829, do not use ubuntu/debian only service +Patch92: %{name}-75-nocryptdisks.patch + +# rhbz#553629, fix usage of salt together with file_passwd +Patch93: %{name}-83-fixsalt.patch + +# fedora/rhel specific, rhbz#486139, remove nss dependency from umount.ecryptfs +Patch94: %{name}-83-splitnss.patch + +# rhbz#664474, fix unsigned < 0 test +Patch95: %{name}-84-fixsigness.patch + +# fix man pages +Patch98: %{name}-86-manpage.patch + +# autoload ecryptfs module in ecryptfs-setup-private when needed, rhbz#707608 +Patch99: %{name}-87-autoload.patch + +# fedora/rhel specific, check for pam ecryptfs module before home migration +Patch911: %{name}-87-authconfig.patch + +# using return after fork() in pam module has some nasty side effects, rhbz#722445 +Patch914: %{name}-87-fixpamfork.patch + +# we need gid==ecryptfs in pam module before mount.ecryptfs_private execution +Patch915: %{name}-87-fixexecgid.patch + +# do not use zombie process, it causes lock ups at least for ssh login +Patch916: %{name}-87-nozombies.patch + +# if we do not use zombies, we have to store passphrase in pam_data and init keyring later +Patch917: %{name}-87-pamdata.patch + +# patch17 needs propper const on some places +Patch918: %{name}-87-fixconst.patch + +Patch919: %{name}-87-syslog.patch + +# if e-m-p fails, check if user is member of ecryptfs group +Patch921: %{name}-96-groupcheck.patch +Patch922: %{name}-99-selinux.patch + +# rhbz#868330 +Patch923: %{name}-100-sudokeyring.patch + +# for e-u < 112 +Patch924: %{name}-111-cve_2016_5224.patch + +# do not crash if no password is available #1339714 +Patch925: %{name}-111-nopasswd.patch + +# Authconfig should no longer be used since F28 +Patch926: %{name}-111-authselect.patch + +### patches for general cleanup, should be kept and executed after all others +# allow building with -Werror +Patch999: %{name}-75-werror.patch + +BuildRequires: python-rpm-macros +BuildRequires: swig >= 1.3.31 +BuildRequires: libgcrypt-devel keyutils-libs-devel openssl-devel pam-devel +BuildRequires: trousers-devel nss-devel desktop-file-utils intltool +BuildRequires: pkcs11-helper-devel +BuildRequires: automake autoconf libtool glib2-devel gettext-devel perl-podlators libattr-devel + +Requires: kernel-modules, keyutils, cryptsetup, util-linux, gettext + +%description +eCryptfs is a stacked cryptographic filesystem that ships in Linux +kernel versions 2.6.19 and above. This package provides the mount +helper and supporting libraries to perform key management and mount +functions. + +Install %{name} if you would like to mount eCryptfs. + +%package devel +Summary: The eCryptfs userspace development package +Requires: %{name} = %{version}-%{release} +Requires: keyutils-libs-devel %{name} = %{version}-%{release} +Requires: pkgconfig + +%description devel +Userspace development files for eCryptfs. + +%if %{with python3} +%package -n python%{python3_pkgversion}-%{name} +Summary: Python bindings for the eCryptfs utils +Requires: %{name} = %{version}-%{release} +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: make +Provides: %{name}-python +Obsoletes: %{name}-python < %{version}-%{release} +%{?python_provide:%python_provide python%{python3_pkgversion}-%{name}} + +%description -n python%{python3_pkgversion}-%{name} %pydesc +%endif + + +%prep +%setup -q + +%patch1 -p0 -b .openssl11 + +%patch92 -p1 -b .nocryptdisks +%patch93 -p1 -b .fixsalt +%patch94 -p1 -b .splitnss +%patch95 -p1 -b .fixsigness +%patch98 -p1 -b .manfix +%patch99 -p1 -b .autoload +%patch911 -p1 -b .authconfig +%patch914 -p1 -b .fixpamfork +%patch915 -p1 -b .fixexecgid +%patch916 -p1 -b .nozombies +%patch917 -p1 -b .pamdata +%patch918 -p1 -b .fixconst +%patch919 -p1 -b .syslog +%patch921 -p1 -b .groupcheck +%patch922 -p1 -b .selinux +%patch923 -p1 -b .sudokeyring +%patch924 -p1 -b .cve_2016_5224 +%patch925 -p1 -b .nopasswd +%patch926 -p1 -b .authselect + +%patch999 -p1 -b .werror + +sed -i -r 's:^_syslog\(LOG:ecryptfs_\0:' src/pam_ecryptfs/pam_ecryptfs.c + +# snprintf directive output may be truncated +sed -i -r 's:(snprintf.*"\%)(s/\%)(s"):\1.42\2.23\3:' \ + tests/kernel/inotify/test.c + +# fix usr-move +sed -i -r 's:(rootsbindir=).*:\1"%{_sbindir}":' configure.ac +autoreconf -fiv + +%build +# openssl 1.1 marks some functions as deprecated +export ERRFLAGS="-Werror -Wtype-limits -Wno-unused -Wno-error=deprecated-declarations" + +%if %{with python3} +export PYTHON_VERSION=3 +export PYTHON=%{__python3} +export PYTHON_NOVERSIONCHECK=1 +export PY3FLAGS='%(pkg-config --cflags --libs python3)' +export CFLAGS="$RPM_OPT_FLAGS $PY3FLAGS $ERRFLAGS" +%configure %{confflags} +%else +%configure %{confflags} --disable-pywrap +%endif +%make_build + +%install +%make_install + +find $RPM_BUILD_ROOT/ -name '*.la' -print -delete +rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name} + +#install files Makefile forgot to install +install -p -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.png +printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop +printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-setup-private.desktop +printf "Icon=%{_datadir}/%{name}/ecryptfs-mount-private.png\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop +printf "Icon=%{_datadir}/%{name}/ecryptfs-mount-private.png\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-setup-private.desktop +sed -i 's|^_||' $RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop +sed -i 's|^_||' $RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-setup-private.desktop +chmod +x $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.desktop +chmod +x $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-setup-private.desktop +for file in $(find py2/src/desktop -name ¸*.desktop) ; do + touch -r $file $RPM_BUILD_ROOT%{_datadir}/%{name}/$(basename $file) +done +rm -f $RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-record-passphrase + +#we need ecryptfs kernel module +mkdir -p $RPM_BUILD_ROOT/usr/lib/modules-load.d/ +echo -e "# ecryptfs module is needed before ecryptfs mount, so mount helper can \n# check for file name encryption support\necryptfs" \ + >$RPM_BUILD_ROOT/usr/lib/modules-load.d/ecryptfs.conf + +%find_lang %{name} + + +%check +desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/%{name}/*.desktop + +if ldd $RPM_BUILD_ROOT%{_sbindir}/umount.ecryptfs | grep -q '%{_prefix}/' +then + exit 1 +fi + +%if %{with unittests} +for folder in $(find . -name py\* -type d) ; do + export LD_LIBRARY_PATH=${folder}/src/libecryptfs/.libs + make check -C $folder +done +%endif + +%pre +groupadd -r -f ecryptfs + +%post +/sbin/ldconfig +if [ $1 -eq 1 ] ; then + # Initial installation + authselect enable-feature with-ecryptfs >/dev/null 2>&1 +fi + +%postun +/sbin/ldconfig +if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + authselect disable-feature with-ecryptfs >/dev/null 2>&1 +fi + +%files -f %{name}.lang +%license COPYING +%doc README AUTHORS NEWS THANKS +%doc doc/ecryptfs-faq.html +%doc doc/ecryptfs-pkcs11-helper-doc.txt +%{_sbindir}/mount.ecryptfs +%{_sbindir}/umount.ecryptfs +%attr(4750,root,ecryptfs) %{_sbindir}/mount.ecryptfs_private +%{_sbindir}/umount.ecryptfs_private +%{_bindir}/ecryptfs-add-passphrase +%{_bindir}/ecryptfs-find +%{_bindir}/ecryptfs-generate-tpm-key +%{_bindir}/ecryptfs-insert-wrapped-passphrase-into-keyring +%{_bindir}/ecryptfs-manager +%{_bindir}/ecryptfs-migrate-home +%{_bindir}/ecryptfs-mount-private +%{_bindir}/ecryptfs-recover-private +%{_bindir}/ecryptfs-rewrap-passphrase +%{_bindir}/ecryptfs-rewrite-file +%{_bindir}/ecryptfs-setup-private +%{_bindir}/ecryptfs-setup-swap +%{_bindir}/ecryptfs-stat +%{_bindir}/ecryptfs-umount-private +%{_bindir}/ecryptfs-unwrap-passphrase +%{_bindir}/ecryptfs-verify +%{_bindir}/ecryptfs-wrap-passphrase +%{_bindir}/ecryptfsd +%{_libdir}/ecryptfs +%{_libdir}/libecryptfs.so.* +%{_libdir}/security/pam_ecryptfs.so +%{_prefix}/lib/modules-load.d/ecryptfs.conf +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/ecryptfs-mount-private.txt +%{_datadir}/%{name}/ecryptfs-mount-private.desktop +%{_datadir}/%{name}/ecryptfs-mount-private.png +%{_datadir}/%{name}/ecryptfs-setup-private.desktop +%{_mandir}/man1/ecryptfs-add-passphrase.1.gz +%{_mandir}/man1/ecryptfs-find.1* +%{_mandir}/man1/ecryptfs-generate-tpm-key.1.gz +%{_mandir}/man1/ecryptfs-insert-wrapped-passphrase-into-keyring.1.gz +%{_mandir}/man1/ecryptfs-mount-private.1.gz +%{_mandir}/man1/ecryptfs-recover-private.1.gz +%{_mandir}/man1/ecryptfs-rewrap-passphrase.1.gz +%{_mandir}/man1/ecryptfs-rewrite-file.1.gz +%{_mandir}/man1/ecryptfs-setup-private.1.gz +%{_mandir}/man1/ecryptfs-setup-swap.1.gz +%{_mandir}/man1/ecryptfs-stat.1.gz +%{_mandir}/man1/ecryptfs-umount-private.1.gz +%{_mandir}/man1/ecryptfs-unwrap-passphrase.1.gz +%{_mandir}/man1/ecryptfs-verify.1* +%{_mandir}/man1/ecryptfs-wrap-passphrase.1.gz +%{_mandir}/man1/mount.ecryptfs_private.1.gz +%{_mandir}/man1/umount.ecryptfs_private.1.gz +%{_mandir}/man7/ecryptfs.7.gz +%{_mandir}/man8/ecryptfs-manager.8.gz +%{_mandir}/man8/ecryptfs-migrate-home.8* +%{_mandir}/man8/ecryptfsd.8.gz +%{_mandir}/man8/mount.ecryptfs.8.gz +%{_mandir}/man8/pam_ecryptfs.8.gz +%{_mandir}/man8/umount.ecryptfs.8.gz + +%files devel +%{_libdir}/libecryptfs.so +%{_libdir}/pkgconfig/libecryptfs.pc +%{_includedir}/ecryptfs.h + +%if %{with python3} +%files -n python%{python3_pkgversion}-%{name} +%{python3_sitearch}/%{name}/ +%{python3_sitelib}/%{name}/ +%endif + + +%changelog +* Thu Jan 20 2022 Fedora Release Engineering - 111-26 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Sep 14 2021 Sahana Prasad - 111-25 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Jul 21 2021 Fedora Release Engineering - 111-24 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jul 14 2021 Michal Hlavinka - 111-23 +- fix fail to install #1978884 + +* Tue Jan 26 2021 Fedora Release Engineering - 111-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 111-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jan 28 2020 Fedora Release Engineering - 111-20 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 24 2019 Fedora Release Engineering - 111-19 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 25 2019 Michal Hlavinka - 111-18 +- require kernel-modules, where ecryptfs kernel module lives + +* Thu Jan 31 2019 Fedora Release Engineering - 111-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Nov 16 2018 Michal Hlavinka - 111-16 +- drop python2 subpackage is python2 is no longer supported in Fedora 30+ (#1627433) + +* Fri Sep 07 2018 Michal Hlavinka - 111-15 +- switch to authselect since it replaced authconfig in F28 (RHBZ#1577174) + +* Tue Jul 31 2018 Florian Weimer - 111-14 +- Rebuild with fixed binutils + +* Thu Jul 12 2018 Fedora Release Engineering - 111-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Mar 05 2018 Raphael Groner - 111-12 +- avoid unversioned python executable +- add python3 subpackage (experimental, found odd bug in automake) +- optimize generally here and there + +* Fri Feb 09 2018 Igor Gnatenko - 111-11 +- Escape macros in %%changelog + +* Wed Feb 07 2018 Fedora Release Engineering - 111-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek - 111-9 +- Add Provides for the old name without %%_isa + +* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 111-8 +- Python 2 binary package renamed to python2-ecryptfs-utils + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Wed Aug 02 2017 Fedora Release Engineering - 111-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 111-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jun 04 2017 Raphael Groner - 111-5 +- add patch for openssl 1.1.x, rhbz#1384023 +- mark patches of upstream and downstream +- fix legacy patches to still work, drop obsolete patch for memcpyfix +- general modernization according to guidelines, drop obsolete commands + +* Fri Feb 10 2017 Fedora Release Engineering - 111-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Feb 01 2017 Michal Hlavinka - 111-3 +- do not crash when using fingerprint reader #1339714 + +* Tue Jul 19 2016 Fedora Release Engineering - 111-2 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Fri Jul 15 2016 Michal Hlavinka - 111-1 +- %%{name} updated to 111 +- fix ecryptfs-setup-swap improperly configures encrypted swap when using GPT + partitioning on a NVMe or MMC drive (CVE-2016-6224, rhbz#1356828) + +* Mon Feb 29 2016 Michal Hlavinka - 110-1 +- %%{name} updated to 110 + +* Wed Feb 03 2016 Fedora Release Engineering - 109-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Jan 26 2016 Michal Hlavinka - 109-1 +- %%{name} updated to 109 + +* Tue Aug 11 2015 Michal Hlavinka - 108-1 +- %%{name} updated to 108 + +* Wed Jun 17 2015 Fedora Release Engineering - 106-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Mar 30 2015 Michal Hlavinka - 106-1 +- %%{name} updated to 106 + +* Mon Jan 26 2015 Michal Hlavinka - 104-3 +- fix pam sigsegv (#1184645) + +* Sat Aug 16 2014 Fedora Release Engineering - 104-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 23 2014 Michal Hlavinka - 104-1 +- %%{name} updated to 104 + +* Sat Jun 07 2014 Fedora Release Engineering - 103-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Nov 13 2013 Michal Hlavinka - 103-4 +- ecryptfs-migrate-home did not restore selinux labels (#1017402) + +* Sat Aug 03 2013 Fedora Release Engineering - 103-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu May 23 2013 Michal Hlavinka - 103-2 +- make executables hardened (#965505) + +* Wed Jan 30 2013 Michal Hlavinka - 103-1 +- %%{name} updated to 103 + +* Mon Oct 29 2012 Michal Hlavinka - 101-1 +- %%{name} updated to 101 + +* Thu Oct 25 2012 Michal Hlavinka - 100-6 +- home migration did not work under sudo (#868330) + +* Mon Oct 22 2012 Michal Hlavinka - 100-5 +- set selinux boolean only if not already set (#868298) + +* Thu Oct 18 2012 Michal Hlavinka - 100-4 +- fix typo in restorecon path (#865839) + +* Thu Sep 27 2012 Michal Hlavinka - 100-3 +- do not crash in pam module when non-existent user name is used (#859766) + +* Mon Aug 20 2012 Michal Hlavinka - 100-2 +- fix Werror messages in new build environment + +* Fri Aug 03 2012 Michal Hlavinka - 100-1 +- %%{name} updated to 100 + +* Tue Jul 24 2012 Michal Hlavinka - 99-1 +- %%{name} updated to 99 +- fixes: suid helper does not restrict mounting filesystems with + nosuid, nodev leading to possible privilege escalation (CVE-2012-3409) + +* Wed Jul 18 2012 Fedora Release Engineering - 97-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jun 25 2012 Michal Hlavinka - 97-1 +- %%{name} updated to 97 + +* Mon Jun 04 2012 Michal Hlavinka - 96-3 +- for file name encryption support check, module must be loaded already + +* Mon Apr 16 2012 Michal Hlavinka - 96-2 +- when ecryptfs-mount-fails, check if user is member of ecryptfs group + +* Mon Feb 20 2012 Michal Hlavinka - 96-1 +- %%{name} updated to 96 + +* Mon Feb 13 2012 Michal Hlavinka - 95-3 +- blowfish and twofish support check did not work with on 3.2.x kernels (#785036) + +* Fri Jan 13 2012 Fedora Release Engineering - 95-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 16 2011 Michal Hlavinka - 95-1 +- updated to v. 95 + +* Wed Dec 07 2011 Michal Hlavinka - 93-2 +- update pam config in post install phase + +* Mon Oct 31 2011 Michal Hlavinka - 93-1 +- updated to v. 93 + +* Wed Aug 31 2011 Michal Hlavinka - 90-2 +- set the group id in mount.ecryptfs_private (CVE-2011-3145) + +* Thu Aug 11 2011 Michal Hlavinka - 90-1 +- security fixes: +- privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) +- race condition when checking source during mount (CVE-2011-1833) +- mtab corruption via improper handling (CVE-2011-1834) +- key poisoning via insecure temp directory handling (CVE-2011-1835) +- information disclosure via recovery mount in /tmp (CVE-2011-1836) +- arbitrary file overwrite via lock counter race (CVE-2011-1837) + +* Tue Aug 09 2011 Michal Hlavinka - 87-9 +- improve logging messages of ecryptfs pam module +- keep own copy of passphrase, pam clears it too early + +* Wed Aug 03 2011 Michal Hlavinka - 87-8 +- keyring from auth stack does not survive, use pam_data and delayed + keyring initialization + +* Thu Jul 21 2011 Michal Hlavinka - 87-7 +- fix pam module to set ecryptfs gid before mount helper execution +- do not use zombie process, it causes lock ups in ssh + +* Tue Jul 19 2011 Michal Hlavinka - 87-6 +- do not use memcpy for overlaping areas +- fix broken pam module resulting in session with wrong gid + +* Mon Jul 11 2011 Michal Hlavinka - 87-5 +- fix mtab handling everywhere + +* Thu Jun 09 2011 Michal Hlavinka - 87-4 +- check for ecryptfs pam module before home dir migration + +* Tue Jun 07 2011 Michal Hlavinka - 87-3 +- update of mtab does not work if it's a symlink (#706911) + +* Thu May 26 2011 Michal Hlavinka - 87-2 +- auto-load ecryptfs module in ecryptfs-setup-private + +* Tue May 24 2011 Michal Hlavinka - 87-1 +- updated to v. 87 + +* Fri Mar 11 2011 Michal Hlavinka - 86-3 +- fix man pages + +* Wed Mar 02 2011 Michal Hlavinka - 86-2 +- fix selinux context + +* Fri Feb 25 2011 Michal Hlavinka - 86-1 +- updated to v. 86 + +* Tue Feb 08 2011 Fedora Release Engineering - 85-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Feb 01 2011 Michal Hlavinka - 85-1 +- %%{name} updated to 85 + +* Tue Jan 11 2011 Dan Horák - 84-3 +- fix build on arches where char is unsigned by default + +* Tue Jan 04 2011 Michal Hlavinka - 84-2 +- fix unsigned < 0 test (#664474) + +* Mon Dec 20 2010 Michal Hlavinka - 84-1 +- %%{name} updated to 84 + +* Wed Sep 29 2010 jkeating - 83-9 +- Rebuilt for gcc bug 634757 + +* Wed Sep 22 2010 Michal Hlavinka - 83-8 +- add missing gettext require (#630212) + +* Mon Jul 26 2010 Michal Hlavinka - 83-7 +- fix ftbfs for python mass rebuild + +* Wed Jul 21 2010 David Malcolm - 83-6 +- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild + +* Tue May 04 2010 Michal Hlavinka - 83-5 +- remove nss dependency from umount.ecryptfs + +* Fri Apr 16 2010 Michal Hlavinka - 83-4 +- make salt working together with passwd_file + +* Mon Mar 22 2010 Michal Hlavinka - 83-3 +- enable PKCS#11 support + +* Wed Mar 10 2010 Michal Hlavinka - 83-2 +- blkid moved from e2fsprogs to util-linux-ng, follow the change (#569996) + +* Thu Feb 18 2010 Michal Hlavinka - 83-1 +- updated to v. 83 + +* Wed Jan 27 2010 Michal Hlavinka - 82-2 +- better fix for (#486139) + +* Wed Nov 11 2009 Michal Hlavinka - 82-1 +- updated to 82 + +* Mon Nov 09 2009 Michal Hlavinka - 81-2 +- fix getext typos (#532732) + +* Tue Sep 29 2009 Michal Hlavinka - 81-1 +- updated to 81 + +* Fri Aug 21 2009 Tomas Mraz - 79-2 +- rebuilt with new openssl + +* Tue Aug 18 2009 Michal Hlavinka - 79-1 +- updated to 79 + +* Wed Jul 29 2009 Michal Hlavinka - 78-2 +- ecryptfs-dot-private is no longer used + +* Wed Jul 29 2009 Michal Hlavinka - 78-1 +- updated to 78 + +* Fri Jul 24 2009 Fedora Release Engineering - 76-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jul 20 2009 Michal Hlavinka 76-1 +- updated to 76 + +* Thu May 21 2009 Michal Hlavinka 75-1 +- removed executable permission from ecryptfs-dot-private (#500817) +- require cryptsetup-luks for encrypted swap (#500824) +- use blkid instead of vol_id (#500820) +- don't rely on cryptdisks service (#500829) +- add icon for Access-Your-Private-Data.desktop file +- updated to 75 +- restrict mount.ecryptfs_private to ecryptfs group members only + +* Thu Apr 23 2009 Michal Hlavinka 74-1 +- updated to 74 + +* Sat Mar 21 2009 Michal Hlavinka 73-1 +- updated to 73 +- move libs from /usr/lib to /lib (#486139) +- fix symlinks created by ecryptfs-setup-private (#486146) + +* Tue Feb 24 2009 Michal Hlavinka 71-1 +- updated to 71 +- remove .la files + +* Mon Feb 16 2009 Michal Hlavinka 70-1 +- updated to 70 +- fix: #479762 - ecryptfsecryptfs-setup-private broken +- added umount option to clear per-user keyring + +* Mon Feb 02 2009 Michal Hlavinka 69-4 +- fix list of onwed directories + +* Tue Jan 27 2009 Michal Hlavinka 69-3 +- add missing requires: keyutils + +* Tue Jan 27 2009 Michal Hlavinka 69-2 +- bump release for rebuild + +* Tue Jan 27 2009 Michal Hlavinka 69-1 +- updated to 69 + +* Mon Jan 12 2009 Michal Hlavinka 68-0 +- updated to 68 +- fix #478464 - /usr/bin/ecryptfs-setup-private errors out + +* Mon Dec 29 2008 Michal Hlavinka 67-1 +- bump release for rebuild + +* Mon Dec 29 2008 Michal Hlavinka 67-0 +- updated to 67 + +* Wed Oct 22 2008 Mike Halcrow 61-0 +- Add support for filename encryption enablement (future kernel feature) +- Replace uint32_t with size_t for x86_64 compatibility (patch by Eric Sandeen) + +* Fri Oct 17 2008 Eric Sandeen 59-2 +- Remove duplicate doc files from rpm + +* Tue Oct 07 2008 Mike Halcrow 59-1 +- Put attr declaration in the right spot + +* Tue Oct 07 2008 Mike Halcrow 59-0 +- Make /sbin/*ecryptfs* files setuid +- Add /sbin path to ecryptfs-setup-private + +* Mon Oct 06 2008 Mike Halcrow 58-0 +- TSPI key module update to avoid flooding TrouSerS library with requests +- OpenSSL key module parameter fixes +- Updates to mount-on-login utilities + +* Wed Aug 13 2008 Mike Halcrow 56-0 +- Namespace fixes for the key module parameter aliases +- Updates to the man page and the README + +* Wed Jul 30 2008 Eric Sandeen 53-0 +- New upstream version +- Many new manpages, new ecryptfs-stat util + +* Thu Jul 17 2008 Tom "spot" Callaway 50-1 +- fix license tag + +* Fri Jun 27 2008 Mike Halcrow 50-0 +- Add umount.ecryptfs_private symlink +- Add pam_mount session hooks for mount and unmount + +* Fri Jun 27 2008 Eric Sandeen 49-1 +- build with TrouSerS key module + +* Fri Jun 27 2008 Eric Sandeen 49-0 +- New upstream version + +* Tue Jun 03 2008 Eric Sandeen 46-0 +- New upstream version + +* Mon Feb 18 2008 Mike Halcrow 40-0 +- Enable passwd_file option in openssl key module + +* Wed Feb 13 2008 Mike Halcrow 39-0 +- Fix include upstream + +* Wed Feb 13 2008 Karsten Hopp 38-1 +- fix includes + +* Tue Jan 8 2008 Mike Halcrow 38-0 + - Fix passthrough mount option prompt + - Clarify man page + - Add HMAC option (for future kernel versions) + - Bump to version 38 + +* Wed Dec 19 2007 Mike Halcrow 37-0 +- Remove unsupported ciphers; bump to version 37 + +* Tue Dec 18 2007 Mike Halcrow 36-0 +- Cipher selection detects .gz ko files; bump to version 36 + +* Mon Dec 17 2007 Mike Halcrow 35-0 +- Cleanups to cipher selection; bump to version 35 + +* Mon Dec 17 2007 Mike Halcrow 34-0 +- Fix OpenSSL key module; bump to version 34 + +* Fri Dec 14 2007 Mike Halcrow 33-1 +- Add files to package + +* Fri Dec 14 2007 Mike Halcrow 33-0 +- update to version 33 + +* Thu Dec 13 2007 Karsten Hopp 32-1 +- update to version 32 + +* Thu Nov 29 2007 Karsten Hopp 30-2 +- fix ia64 libdir +- build initial RHEL-5 version + +* Thu Nov 29 2007 Karsten Hopp 30-1 +- build version 30 + +* Fri Oct 05 2007 Mike Halcrow - 30-0 +- Bump to version 30. Several bugfixes. Key modules are overhauled + with a more sane API. +* Wed Aug 29 2007 Fedora Release Engineering - 18-1 +- Rebuild for selinux ppc32 issue. + +* Thu Jun 28 2007 Mike Halcrow - 18-0 +- Bump to version 18 with an OpenSSL key module fix +* Thu Jun 21 2007 Kevin Fenzi - 17-1 +- Change kernel Requires to Conflicts +- Remove un-needed devel buildrequires +* Wed Jun 20 2007 Mike Halcrow - 17-0 +- Provide built-in fallback passphrase key module. Remove keyutils, + openssl, and pam requirements (library dependencies take care of + this). Include wrapped passphrase executables in file set. +* Fri Apr 20 2007 Mike Halcrow - 15-1 +- Change permission of pam_ecryptfs.so from 644 to 755. +* Thu Apr 19 2007 Mike Halcrow - 15-0 +- Fix mount option parse segfault. Fix pam_ecryptfs.so semaphore + issue when logging in via ssh. +* Thu Mar 01 2007 Mike Halcrow - 10-0 +- Remove verbose syslog() calls; change key module build to allow + OpenSSL module to be disabled from build; add AUTHORS, NEWS, and + THANKS to docs; update Requires with variables instead of hardcoded + name and version. +* Tue Feb 06 2007 Mike Halcrow - 9-1 +- Minor update in README, add dist tag to Release, add --disable-rpath + to configure step, and remove keyutils-libs from Requires. +* Tue Jan 09 2007 Mike Halcrow - 9-0 +- Correct install directories for 64-bit; add support for xattr and + encrypted_view mount options +* Tue Jan 02 2007 Mike Halcrow - 8-0 +- Introduce build support for openCryptoki key module. Fix -dev build + dependencies for devel package +* Mon Dec 11 2006 Mike Halcrow - 7-0 +- Initial package creation diff --git a/ecryptfs-mount-private.desktop b/ecryptfs-mount-private.desktop deleted file mode 100644 index 087898a..0000000 --- a/ecryptfs-mount-private.desktop +++ /dev/null @@ -1,7 +0,0 @@ -[Desktop Entry] -Name=Access Your Private Data -GenericName=Access Your Private Data -Exec=/usr/bin/ecryptfs-mount-private -Terminal=true -Type=Application -Categories=System;Security; diff --git a/ecryptfs-utils-100-sudokeyring.patch b/ecryptfs-utils-100-sudokeyring.patch deleted file mode 100644 index 6972fae..0000000 --- a/ecryptfs-utils-100-sudokeyring.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up ecryptfs-utils-108/src/utils/ecryptfs-setup-private.sudokeyring ecryptfs-utils-108/src/utils/ecryptfs-setup-private ---- ecryptfs-utils-108/src/utils/ecryptfs-setup-private.sudokeyring 2015-08-11 14:44:05.213807245 +0200 -+++ ecryptfs-utils-108/src/utils/ecryptfs-setup-private 2015-08-11 14:44:05.231807198 +0200 -@@ -427,8 +427,16 @@ if [ "$BOOTSTRAP" = "1" ]; then - else - sig_opt="ecryptfs_sig=$sig" - fi -+ # If we are running under sudo, the session keyring may not link -+ # to root's user keyring, where the auth tok is stored -+ # Need to join root's keyring, otherwise the mount will fail -+ if [ "$(keyctl describe @s | awk '{ print $3; }')" -ne 0 ]; then -+ _KEK_="keyctl session _uid.0" -+ else -+ _KEK_= -+ fi - # Do the mount, and provide some helpful symlinks -- mount -i -t ecryptfs -o "rw,$sig_opt,ecryptfs_cipher=$CIPHER,ecryptfs_key_bytes=$KEYBYTES" "$CRYPTDIR" "$MOUNTPOINT" || error "Could not mount" -+ $_KEK_ mount -i -t ecryptfs -o "rw,$sig_opt,ecryptfs_cipher=$CIPHER,ecryptfs_key_bytes=$KEYBYTES" "$CRYPTDIR" "$MOUNTPOINT" || error "Could not mount" - ln -sf $ECRYPTFS_DIR/$USER/.ecryptfs $MOUNTPOINT/.ecryptfs - ln -sf $ECRYPTFS_DIR/$USER/.$PRIVATE_DIR $MOUNTPOINT/.$PRIVATE_DIR - chown -R $USER:$GROUP $ECRYPTFS_DIR/$USER diff --git a/ecryptfs-utils-111-authselect.patch b/ecryptfs-utils-111-authselect.patch deleted file mode 100644 index 52e534d..0000000 --- a/ecryptfs-utils-111-authselect.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Naur old/src/utils/ecryptfs-migrate-home new/src/utils/ecryptfs-migrate-home ---- old/src/utils/ecryptfs-migrate-home 2018-09-07 12:29:47.600730369 +0200 -+++ new/src/utils/ecryptfs-migrate-home 2018-09-07 12:32:07.781704748 +0200 -@@ -101,7 +101,7 @@ - # Check for ecryptfs pam module - if ! grep -q ecryptfs /etc/pam.d/postlogin - then -- error "You must enable ecryptfs pam module first. It can be enabled by using: authconfig --enableecryptfs --updateall" -+ error "You must enable ecryptfs pam module first. It can be enabled by using: authselect enable-feature with-ecryptfs" - fi - # Check free space: make sure we have sufficient disk space - # available. To make a full copy, we will need at least 2.5x the diff --git a/ecryptfs-utils-111-cve_2016_5224.patch b/ecryptfs-utils-111-cve_2016_5224.patch deleted file mode 100644 index d30ff8d..0000000 --- a/ecryptfs-utils-111-cve_2016_5224.patch +++ /dev/null @@ -1,21 +0,0 @@ -=== modified file 'src/utils/ecryptfs-setup-swap' ---- a/src/utils/ecryptfs-setup-swap 2015-08-04 15:42:02 +0000 -+++ a/src/utils/ecryptfs-setup-swap 2016-07-06 22:31:21 +0000 -@@ -166,8 +166,14 @@ - # If this is a GPT partition, mark it as no-auto mounting, to avoid - # auto-activating it on boot - if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then -- drive="${swap%[0-9]*}" -- partno="${swap#$drive}" -+ # Correctly handle NVMe/MMC drives, as well as any similar physical -+ # block device that follow the "/dev/foo0p1" pattern (LP: #1597154) -+ if echo "$swap" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then -+ drive=$(echo "$swap" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:") -+ else -+ drive=$(echo "$swap" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:") -+ fi -+ partno=$(echo "$swap" | sed "s:.\+[^0-9]\([0-9]\+\):\1:") - if [ -b "$drive" ]; then - if printf "x\np\n" | fdisk "$drive" | grep -q "^$swap .* GUID:.*\b63\b"; then - echo "$swap is already marked as no-auto" - diff --git a/ecryptfs-utils-111-nopasswd.patch b/ecryptfs-utils-111-nopasswd.patch deleted file mode 100644 index fd5e38e..0000000 --- a/ecryptfs-utils-111-nopasswd.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up ecryptfs-utils-111/src/pam_ecryptfs/pam_ecryptfs.c.nopasswd ecryptfs-utils-111/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-111/src/pam_ecryptfs/pam_ecryptfs.c.nopasswd 2017-02-01 14:04:48.313349236 +0100 -+++ ecryptfs-utils-111/src/pam_ecryptfs/pam_ecryptfs.c 2017-02-01 14:05:34.461694263 +0100 -@@ -190,6 +190,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - rc); - goto out; - } -+ if (!epd->passphrase) { -+ ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: No passphrase available"); -+ goto out; -+ } - epd->passphrase = strdup(epd->passphrase); - rc = ecryptfs_read_salt_hex_from_rc(salt_hex); - if (rc) { diff --git a/ecryptfs-utils-75-nocryptdisks.patch b/ecryptfs-utils-75-nocryptdisks.patch deleted file mode 100644 index 0dabed7..0000000 --- a/ecryptfs-utils-75-nocryptdisks.patch +++ /dev/null @@ -1,42 +0,0 @@ -diff -up ecryptfs-utils-108/src/utils/ecryptfs-setup-swap.nocryptdisks ecryptfs-utils-108/src/utils/ecryptfs-setup-swap ---- ecryptfs-utils-108/src/utils/ecryptfs-setup-swap.nocryptdisks 2015-08-04 17:41:39.000000000 +0200 -+++ ecryptfs-utils-108/src/utils/ecryptfs-setup-swap 2015-08-11 14:43:51.787842611 +0200 -@@ -37,23 +37,20 @@ warn() { - usage() { - echo - echo `gettext "Usage:"` -- echo " $0 [-f|--force] [-n|--no-reload]" -+ echo " $0 [-f|--force]" - echo - exit 1 - } - - # Handle command line options - FORCE=0 -+NO_RELOAD=1 - while [ ! -z "$1" ]; do - case "$1" in - -f|--force) - FORCE=1 - shift 1 - ;; -- -n|--no-reload) -- NO_RELOAD=1 -- shift 1 -- ;; - *) - usage - ;; -@@ -188,7 +185,6 @@ for swap in $swaps; do - # Add fstab entry - echo "/dev/mapper/cryptswap$i none swap sw 0 0" >> /etc/fstab - done -- - if [ "$NO_RELOAD" != 1 ]; then - # Turn swap off - swapoff -a -@@ -201,3 +197,4 @@ if [ "$NO_RELOAD" != 1 ]; then - fi - - info `gettext "Successfully encrypted swap!"` -+info "This will take effect after reboot" diff --git a/ecryptfs-utils-75-werror.patch b/ecryptfs-utils-75-werror.patch deleted file mode 100644 index c089d7f..0000000 --- a/ecryptfs-utils-75-werror.patch +++ /dev/null @@ -1,256 +0,0 @@ -diff -up ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c ---- ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror 2016-01-26 17:01:19.803230193 +0100 -+++ ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2016-01-26 17:01:19.810230176 +0100 -@@ -98,7 +98,7 @@ static int ecryptfs_pkcs11h_deserialize( - pkcs11h_data->serialized_id = NULL; - } - else { -- pkcs11h_data->serialized_id = blob + i; -+ pkcs11h_data->serialized_id = (char *)blob + i; - i += serialized_id_length; - } - pkcs11h_data->certificate_blob_size = blob[i++] % 256; -@@ -116,12 +116,11 @@ static int ecryptfs_pkcs11h_deserialize( - pkcs11h_data->passphrase = NULL; - } - else { -- pkcs11h_data->passphrase = blob + i; -+ pkcs11h_data->passphrase = (char *)blob + i; - i += passphrase_length; - } - - rc = 0; --out: - return rc; - } - -@@ -379,15 +379,15 @@ static int ecryptfs_pkcs11h_get_key_sig( - data[i++] = (char)(nbits >> 8); - data[i++] = (char)nbits; - RSA_get0_key(rsa, &rsa_n, NULL, NULL); -- BN_bn2bin(rsa_n, &(data[i])); -+ BN_bn2bin(rsa_n, (unsigned char *)&(data[i])); - i += nbytes; - data[i++] = (char)(ebits >> 8); - data[i++] = (char)ebits; - RSA_get0_key(rsa, NULL, &rsa_e, NULL); -- BN_bn2bin(rsa_e, &(data[i])); -+ BN_bn2bin(rsa_e, (unsigned char *)&(data[i])); - i += ebytes; -- SHA1(data, len + 3, hash); -- to_hex(sig, hash, ECRYPTFS_SIG_SIZE); -+ SHA1((unsigned char *)data, len + 3, (unsigned char *)hash); -+ to_hex((char *)sig, hash, ECRYPTFS_SIG_SIZE); - sig[ECRYPTFS_SIG_SIZE_HEX] = '\0'; - - rc = 0; -@@ -423,8 +422,8 @@ static int ecryptfs_pkcs11h_encrypt(char - if ( - (rc = RSA_public_encrypt( - from_size, -- from, -- to, -+ (unsigned char *)from, -+ (unsigned char *)to, - rsa, - RSA_PKCS1_PADDING - )) == -1 -@@ -518,9 +517,9 @@ static int ecryptfs_pkcs11h_decrypt(char - (rv = pkcs11h_certificate_decryptAny ( - certificate, - CKM_RSA_PKCS, -- from, -+ (unsigned char *)from, - from_size, -- to, -+ (unsigned char *)to, - to_size - )) != CKR_OK - ) { -@@ -546,9 +545,9 @@ static int ecryptfs_pkcs11h_decrypt(char - pkcs11h_certificate_decryptAny ( - certificate, - CKM_RSA_PKCS, -- from, -+ (unsigned char *)from, - from_size, -- tmp, -+ (unsigned char *)tmp, - to_size - ); - -@@ -863,7 +862,7 @@ static int ecryptfs_pkcs11h_process_key( - rc = MOUNT_ERROR; - goto out; - } -- if ((rc = ecryptfs_pkcs11h_serialize(subgraph_key_ctx->key_mod->blob, -+ if ((rc = ecryptfs_pkcs11h_serialize((unsigned char *)subgraph_key_ctx->key_mod->blob, - &subgraph_key_ctx->key_mod->blob_size, - pkcs11h_data))) { - syslog(LOG_ERR, "PKCS#11: Error serializing pkcs11; rc=[%d]\n", rc); -@@ -942,7 +941,7 @@ static int tf_pkcs11h_global_loglevel(st - - rc = DEFAULT_TOK; - node->val = NULL; --out: -+// out: - return rc; - } - -@@ -955,7 +954,7 @@ static int tf_pkcs11h_global_pincache(st - - rc = DEFAULT_TOK; - node->val = NULL; --out: -+// out: - return rc; - } - -@@ -1025,7 +1024,7 @@ static int tf_pkcs11h_provider_prot_auth - sscanf (node->val, "%x", &subgraph_provider_ctx->allow_protected_authentication); - rc = DEFAULT_TOK; - node->val = NULL; --out: -+ - return rc; - } - -@@ -1039,7 +1038,7 @@ static int tf_pkcs11h_provider_cert_priv - sscanf (node->val, "%x", &subgraph_provider_ctx->certificate_is_private); - rc = DEFAULT_TOK; - node->val = NULL; --out: -+ - return rc; - } - -@@ -1054,7 +1053,7 @@ static int tf_pkcs11h_provider_private_m - - rc = DEFAULT_TOK; - node->val = NULL; --out: -+ - return rc; - } - -@@ -1085,7 +1084,7 @@ static int tf_pkcs11h_provider_end(struc - free(subgraph_provider_ctx); - *foo = NULL; - rc = DEFAULT_TOK; --out: -+ - return rc; - } - -@@ -1132,7 +1131,7 @@ static int tf_pkcs11h_key_x509file(struc - X509 *x509 = NULL; - unsigned char *p = NULL; - FILE *fp = NULL; -- int rc; -+ int rc = 0; - - subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo); - -diff -up ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c.werror 2015-12-21 21:38:59.000000000 +0100 -+++ ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c 2016-01-26 17:01:19.810230176 +0100 -@@ -84,9 +84,7 @@ static int wrap_passphrase_if_necessary( - stat(wrapped_pw_filename, &s) != 0 && - passphrase != NULL && *passphrase != '\0' && - username != NULL && *username != '\0') { -- setuid(uid); -- rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename); -- if (rc != 0) { -+ if ((rc = setuid(uid))<0 || ((rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename)) != 0)) { - syslog(LOG_ERR, "pam_ecryptfs: Error wrapping cleartext password; " "rc = [%d]\n", rc); - } - return rc; -@@ -356,7 +354,7 @@ static int private_dir(pam_handle_t *pam - if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { - /* User has not recorded their passphrase */ - unlink("/var/lib/update-notifier/user.d/ecryptfs-record-passphrase"); -- symlink("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", "/var/lib/update-notifier/user.d/ecryptfs-record-passphrase"); -+ rc=symlink("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", "/var/lib/update-notifier/user.d/ecryptfs-record-passphrase"); - fd = open("/var/lib/update-notifier/dpkg-run-stamp", O_WRONLY|O_CREAT|O_NONBLOCK, 0666); - if (fd != -1) - close(fd); -@@ -517,7 +515,10 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand - char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1]; - - /* temp regain uid 0 to drop privs */ -- seteuid(oeuid); -+ if (seteuid(oeuid) < 0) { -+ syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); -+ goto out_child; -+ } - /* setgroups() already called */ - if (setgid(gid) < 0 || setuid(uid) < 0) - goto out_child; -@@ -542,9 +543,9 @@ out_child: - free(wrapped_pw_filename); - out: - -- seteuid(oeuid); -- setegid(oegid); -- setgroups(ngids, groups); -+ rc = seteuid(oeuid); -+ rc = setegid(oegid); -+ rc = setgroups(ngids, groups); - - outnouid: - return rc; -diff -up ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c.werror ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c ---- ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c.werror 2015-12-21 21:38:59.000000000 +0100 -+++ ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c 2016-01-26 17:01:19.810230176 +0100 -@@ -89,7 +89,7 @@ int main(int argc, char **argv) - int i, c, *pcrsSelected = NULL, numPcrsSelected = 0; - TSS_UUID *uuid; - BYTE wellknown[] = TSS_WELL_KNOWN_SECRET; -- char *tmp_pcrs; -+ int *tmp_pcrs; - - while (1) { - c = getopt(argc, argv, "p:"); -diff -up ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c ---- ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c.werror 2016-01-26 17:01:19.807230183 +0100 -+++ ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c 2016-01-26 17:01:30.262205251 +0100 -@@ -232,7 +232,7 @@ static int check_cwd_f_type() - * - * This whitelist is to prevent malicious mount.ecryptfs_private users - * from mounting over filesystem types such as PROC_SUPER_MAGIC to -- * deceive other programs with a crafted /proc/self/*. See -+ * deceive other programs with a crafted /proc/self/ *. See - * https://launchpad.net/bugs/1530566 for more details. - */ - __SWORD_TYPE f_type_whitelist[] = { -@@ -276,7 +276,7 @@ static int check_cwd_f_type() - - fprintf(stderr, - "Refusing to mount over an unapproved filesystem type: %#lx\n", -- buf.f_type); -+ (long unsigned int)buf.f_type); - return 1; - } - -@@ -829,8 +829,8 @@ int main(int argc, char *argv[]) { - * update mtab for us, and replace the current process. - * Do not use the umount.ecryptfs helper (-i). - */ -- setresuid(0,0,0); -- setresgid(0,0,0); -+ rc=setresuid(0,0,0); -+ rc=setresgid(0,0,0); - clearenv(); - - /* Since we're doing a lazy unmount anyway, just unmount the current -diff -up ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c.werror ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c ---- ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c.werror 2015-12-21 21:38:59.000000000 +0100 -+++ ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c 2016-01-26 17:01:19.811230174 +0100 -@@ -364,6 +364,7 @@ abort: - - if (write(pipe_to[i][1], cmd, 1) != 1) - continue; -+ (void)ret; - (void)waitpid(pids[i], &status, 0); - - (void)close(pipe_to[i][1]); diff --git a/ecryptfs-utils-83-fixsalt.patch b/ecryptfs-utils-83-fixsalt.patch deleted file mode 100644 index bb661d8..0000000 --- a/ecryptfs-utils-83-fixsalt.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_passphrase.c.fixsalt ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_passphrase.c ---- ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_passphrase.c.fixsalt 2015-02-10 17:59:34.000000000 +0100 -+++ ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_passphrase.c 2015-08-11 14:43:52.660840311 +0200 -@@ -105,7 +105,7 @@ static int tf_pass_file(struct ecryptfs_ - out: - free(node->val); - node->val = NULL; -- return rc; -+ return rc ? rc : DEFAULT_TOK; - } - - static int tf_salt(struct ecryptfs_ctx *ctx, struct param_node *node, diff --git a/ecryptfs-utils-83-splitnss.patch b/ecryptfs-utils-83-splitnss.patch deleted file mode 100644 index bfde60d..0000000 --- a/ecryptfs-utils-83-splitnss.patch +++ /dev/null @@ -1,86 +0,0 @@ -diff -up ecryptfs-utils-108/src/libecryptfs/key_management.c.splitnss ecryptfs-utils-108/src/libecryptfs/key_management.c ---- ecryptfs-utils-108/src/libecryptfs/key_management.c.splitnss 2015-03-26 14:28:59.000000000 +0100 -+++ ecryptfs-utils-108/src/libecryptfs/key_management.c 2015-08-11 14:43:53.489838127 +0200 -@@ -138,28 +138,8 @@ out: - } - - --int ecryptfs_remove_auth_tok_from_keyring(char *auth_tok_sig) --{ -- int rc; -+#include "key_management.inc.c" - -- rc = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user", auth_tok_sig, 0); -- if (rc < 0) { -- rc = errno; -- syslog(LOG_ERR, "Failed to find key with sig [%s]: %m\n", -- auth_tok_sig); -- goto out; -- } -- rc = keyctl_unlink(rc, KEY_SPEC_USER_KEYRING); -- if (rc < 0) { -- rc = errno; -- syslog(LOG_ERR, "Failed to unlink key with sig [%s]: %s\n", -- auth_tok_sig, strerror(rc)); -- goto out; -- } -- rc = 0; --out: -- return rc; --} - int ecryptfs_add_auth_tok_to_keyring(struct ecryptfs_auth_tok *auth_tok, - char *auth_tok_sig) - { -diff -up ecryptfs-utils-108/src/libecryptfs/key_management.inc.c.splitnss ecryptfs-utils-108/src/libecryptfs/key_management.inc.c ---- ecryptfs-utils-108/src/libecryptfs/key_management.inc.c.splitnss 2015-08-11 14:43:53.489838127 +0200 -+++ ecryptfs-utils-108/src/libecryptfs/key_management.inc.c 2015-08-11 14:43:53.489838127 +0200 -@@ -0,0 +1,22 @@ -+int ecryptfs_remove_auth_tok_from_keyring(char *auth_tok_sig) -+{ -+ int rc; -+ -+ rc = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user", auth_tok_sig, 0); -+ if (rc < 0) { -+ rc = errno; -+ syslog(LOG_ERR, "Failed to find key with sig [%s]: %m\n", -+ auth_tok_sig); -+ goto out; -+ } -+ rc = keyctl_unlink(rc, KEY_SPEC_USER_KEYRING); -+ if (rc < 0) { -+ rc = errno; -+ syslog(LOG_ERR, "Failed to unlink key with sig [%s]: %s\n", -+ auth_tok_sig, strerror(rc)); -+ goto out; -+ } -+ rc = 0; -+out: -+ return rc; -+} -diff -up ecryptfs-utils-108/src/utils/Makefile.am.splitnss ecryptfs-utils-108/src/utils/Makefile.am ---- ecryptfs-utils-108/src/utils/Makefile.am.splitnss 2015-02-10 17:59:34.000000000 +0100 -+++ ecryptfs-utils-108/src/utils/Makefile.am 2015-08-11 14:43:53.489838127 +0200 -@@ -39,7 +39,7 @@ mount_ecryptfs_CFLAGS = $(AM_CFLAGS) $(K - mount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(KEYUTILS_LIBS) $(LIBGCRYPT_LIBS) - umount_ecryptfs_SOURCES = umount.ecryptfs.c - umount_ecryptfs_CFLAGS = $(AM_CFLAGS) $(KEYUTILS_CFLAGS) --umount_ecryptfs_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la -+umount_ecryptfs_LDADD = -lkeyutils - ecryptfs_manager_SOURCES = manager.c io.c io.h gen_key.c - ecryptfs_manager_CFLAGS = $(AM_CFLAGS) $(KEYUTILS_CFLAGS) $(LIBGCRYPT_CFLAGS) - ecryptfs_manager_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(KEYUTILS_LIBS) $(LIBGCRYPT_LIBS) -diff -up ecryptfs-utils-108/src/utils/umount.ecryptfs.c.splitnss ecryptfs-utils-108/src/utils/umount.ecryptfs.c ---- ecryptfs-utils-108/src/utils/umount.ecryptfs.c.splitnss 2015-02-10 17:59:34.000000000 +0100 -+++ ecryptfs-utils-108/src/utils/umount.ecryptfs.c 2015-08-11 14:43:53.489838127 +0200 -@@ -24,7 +24,10 @@ - #include - #include - #include --#include "ecryptfs.h" -+#include -+#include -+ -+#include "../libecryptfs/key_management.inc.c" - - static void usage() - { diff --git a/ecryptfs-utils-84-fixsigness.patch b/ecryptfs-utils-84-fixsigness.patch deleted file mode 100644 index 2e2c20b..0000000 --- a/ecryptfs-utils-84-fixsigness.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.fixsigness ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c ---- ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.fixsigness 2015-02-10 17:59:34.000000000 +0100 -+++ ecryptfs-utils-108/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2015-08-11 14:43:54.331835910 +0200 -@@ -1157,7 +1157,7 @@ static int tf_pkcs11h_key_x509file(struc - goto out; - } - -- if ((subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, NULL)) < 0 ) { -+ if ((ssize_t)(subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, NULL)) < 0 ) { - syslog(LOG_ERR, "PKCS#11: Cannot read decode certificate"); - rc = -EIO; - goto out; -@@ -1178,7 +1178,7 @@ static int tf_pkcs11h_key_x509file(struc - */ - p = subgraph_key_ctx->pkcs11h_data.certificate_blob; - -- if ((subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, &p)) < 0) { -+ if ((ssize_t)(subgraph_key_ctx->pkcs11h_data.certificate_blob_size = i2d_X509 (x509, &p)) < 0) { - syslog(LOG_ERR, "PKCS#11: Cannot read decode certificate"); - goto out; - } diff --git a/ecryptfs-utils-86-manpage.patch b/ecryptfs-utils-86-manpage.patch deleted file mode 100644 index 8ee89a4..0000000 --- a/ecryptfs-utils-86-manpage.patch +++ /dev/null @@ -1,41 +0,0 @@ -diff -up ecryptfs-utils-108/doc/manpage/ecryptfs-rewrite-file.1.manfix ecryptfs-utils-108/doc/manpage/ecryptfs-rewrite-file.1 ---- ecryptfs-utils-108/doc/manpage/ecryptfs-rewrite-file.1.manfix 2015-02-10 17:59:34.000000000 +0100 -+++ ecryptfs-utils-108/doc/manpage/ecryptfs-rewrite-file.1 2015-08-11 14:43:55.128833810 +0200 -@@ -14,7 +14,7 @@ This script may be combined with \fBfind - ecryptfs-umount-private - sync - --It is advised that this script is executed in runlevel 1 or 3, to avoid simultanteous writes and race conditions with targeted files. -+It is advised that this script is executed in runlevel 1 or 3, to avoid simultaneous writes and race conditions with targeted files. - - \fBUSING THIS SCRIPT WHILE GNOME, KDE, OR OTHER APPLICATIONS ARE RUNNING MAY CAUSE DATA LOSS.\fP - -diff -up ecryptfs-utils-108/doc/manpage/ecryptfs.7.manfix ecryptfs-utils-108/doc/manpage/ecryptfs.7 ---- ecryptfs-utils-108/doc/manpage/ecryptfs.7.manfix 2015-02-10 17:59:34.000000000 +0100 -+++ ecryptfs-utils-108/doc/manpage/ecryptfs.7 2015-08-11 14:43:55.128833810 +0200 -@@ -1,6 +1,6 @@ - .TH ecryptfs 7 2009-03-24 ecryptfs-utils "eCryptfs" - .SH NAME --eCryptfs \- an enterprise-class cryptographic filesystem for linux -+eCryptfs \- an enterprise-class cryptographic filesystem for Linux - - .SH SYNOPSIS - .BI "mount -t ecryptfs [SRC DIR] [DST DIR] -o [OPTIONS]" -@@ -67,7 +67,7 @@ Parameters that apply to individual key - The actual password is passphrase. Since the password is visible to utilities (like ps under Unix) this form should only be used where security is not important. - .TP - .B passphrase_passwd_file=(filename) --The password should be specified in a file with passphrase_passwd_file=(passphrase). It is highly recommended that the file be stored on a secure medium such as a personal usb key. -+The password should be specified in a file with passphrase_passwd_file=(passphrase). It is highly recommended that the file be stored on a secure medium such as a personal USB key. - .TP - .B passphrase_passwd_fd=(file descriptor) - The password is specified through the specified file descriptor. -@@ -79,7 +79,7 @@ The salt should be specified as a 16 dig - The filename should be the filename of a file containing an RSA SSL key. - .TP - .B openssl_passwd_file=(filename) --The password should be specified in a file with openssl_passwd=(openssl-password). It is highly recommended that the file be stored on a secure medium such as a personal usb key. -+The password should be specified in a file with openssl_passwd=(openssl-password). It is highly recommended that the file be stored on a secure medium such as a personal USB key. - .TP - .B openssl_passwd_fd=(file descriptor) - The password is specified through the specified file descriptor. diff --git a/ecryptfs-utils-87-authconfig.patch b/ecryptfs-utils-87-authconfig.patch deleted file mode 100644 index 3476b91..0000000 --- a/ecryptfs-utils-87-authconfig.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up ecryptfs-utils-108/src/utils/ecryptfs-migrate-home.authconfig ecryptfs-utils-108/src/utils/ecryptfs-migrate-home ---- ecryptfs-utils-108/src/utils/ecryptfs-migrate-home.authconfig 2015-02-10 17:59:34.000000000 +0100 -+++ ecryptfs-utils-108/src/utils/ecryptfs-migrate-home 2015-08-11 14:43:56.758829517 +0200 -@@ -98,6 +98,11 @@ sanity_check () { - if ! which rsync >/dev/null 2>&1; then - error "Please install the rsync package." - fi -+ # Check for ecryptfs pam module -+ if ! grep -q ecryptfs /etc/pam.d/postlogin -+ then -+ error "You must enable ecryptfs pam module first. It can be enabled by using: authconfig --enableecryptfs --updateall" -+ fi - # Check free space: make sure we have sufficient disk space - # available. To make a full copy, we will need at least 2.5x the - # disk usage of the target home directory. diff --git a/ecryptfs-utils-87-autoload.patch b/ecryptfs-utils-87-autoload.patch deleted file mode 100644 index 26cbdf0..0000000 --- a/ecryptfs-utils-87-autoload.patch +++ /dev/null @@ -1,41 +0,0 @@ -diff -up ecryptfs-utils-108/src/utils/ecryptfs-mount-private.autoload ecryptfs-utils-108/src/utils/ecryptfs-mount-private ---- ecryptfs-utils-108/src/utils/ecryptfs-mount-private.autoload 2015-02-10 17:59:34.000000000 +0100 -+++ ecryptfs-utils-108/src/utils/ecryptfs-mount-private 2015-08-11 14:43:55.946831655 +0200 -@@ -33,6 +33,9 @@ if /sbin/mount.ecryptfs_private >/dev/nu - exit 0 - fi - -+#load kernel module if it's missing, FNE support check would fail otherwise -+[ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule -+ - # Otherwise, interactively prompt for the user's password - if [ -f "$WRAPPED_PASSPHRASE_FILE" -a -f "$MOUNT_PASSPHRASE_SIG_FILE" ]; then - tries=0 -diff -up ecryptfs-utils-108/src/utils/ecryptfs-setup-private.autoload ecryptfs-utils-108/src/utils/ecryptfs-setup-private ---- ecryptfs-utils-108/src/utils/ecryptfs-setup-private.autoload 2015-02-10 20:10:13.000000000 +0100 -+++ ecryptfs-utils-108/src/utils/ecryptfs-setup-private 2015-08-11 14:43:55.946831655 +0200 -@@ -101,6 +101,7 @@ random_passphrase () { - } - - filename_encryption_available() { -+ [ ! -e /sys/fs/ecryptfs/version ] && modinfo ecryptfs >/dev/null 2>&1 && /sbin/mount.ecryptfs_private --loadmodule - version=$(cat /sys/fs/ecryptfs/version 2>/dev/null) - [ -z "$version" ] && error "$(gettext 'Cannot get ecryptfs version, ecryptfs kernel module not loaded?')" - [ $(($version & 0x100)) -eq 0 ] && return 1 -diff -up ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c.autoload ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c ---- ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c.autoload 2015-08-05 23:37:17.000000000 +0200 -+++ ecryptfs-utils-108/src/utils/mount.ecryptfs_private.c 2015-08-11 14:43:55.946831655 +0200 -@@ -577,6 +577,13 @@ int main(int argc, char *argv[]) { - char **sigs; - FILE *fh_counter = NULL; - -+ if (argc == 2 && !strcmp(argv[1],"--loadmodule")) -+ { -+ execl("/sbin/modprobe","modprobe","ecryptfs",NULL); -+ perror("Unable to load ecryptfs module"); -+ return -1; -+ } -+ - uid = getuid(); - gid = getgid(); - /* Non-privileged effective uid is sufficient for all but the code diff --git a/ecryptfs-utils-87-fixconst.patch b/ecryptfs-utils-87-fixconst.patch deleted file mode 100644 index 21c4c5a..0000000 --- a/ecryptfs-utils-87-fixconst.patch +++ /dev/null @@ -1,159 +0,0 @@ -diff -up ecryptfs-utils-108/src/include/ecryptfs.h.fixconst ecryptfs-utils-108/src/include/ecryptfs.h ---- ecryptfs-utils-108/src/include/ecryptfs.h.fixconst 2015-08-11 14:44:01.791816259 +0200 -+++ ecryptfs-utils-108/src/include/ecryptfs.h 2015-08-11 14:44:01.794816251 +0200 -@@ -479,8 +479,8 @@ int ecryptfs_eval_decision_graph(struct - struct val_node **head, - struct param_node *root_node, - struct ecryptfs_name_val_pair *nvp_head); --int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, char *passphrase, -- char *salt); -+int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, const char *passphrase, -+ const char *salt); - int ecryptfs_add_key_module_key_to_keyring(char *auth_tok_sig, - struct ecryptfs_key_mod *key_mod); - int ecryptfs_read_salt_hex_from_rc(char *salt_hex); -@@ -494,11 +494,11 @@ int parse_packet(struct ecryptfs_ctx *ct - struct ecryptfs_message **reply); - int ecryptfs_find_key_mod(struct ecryptfs_key_mod **key_mod, - struct ecryptfs_ctx *ctx, char *key_mod_alias); --int generate_passphrase_sig(char *passphrase_sig, char *fekek, char *salt, -- char *passphrase); -+int generate_passphrase_sig(char *passphrase_sig, char *fekek, const char *salt, -+ const char *passphrase); - int - generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig, -- char *salt, char *session_key_encryption_key); -+ const char *salt, char *session_key_encryption_key); - int - ecryptfs_generate_key_payload(struct ecryptfs_auth_tok *auth_tok, - struct ecryptfs_key_mod *key_mod, char *sig, -@@ -517,15 +517,15 @@ int ecryptfs_check_sig(char *auth_tok_si - int ecryptfs_append_sig(char *auth_tok_sig, char *sig_cache_filename); - int __ecryptfs_detect_wrapped_passphrase_file_version(const char *filename, - uint8_t *version); --int ecryptfs_wrap_passphrase_file(char *dest, char *wrapping_passphrase, -- char *wrapping_salt, char *src); --int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase, -- char *unused, char *decrypted_passphrase); --int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename, -- char *wrapping_passphrase, char *wrapping_salt); -+int ecryptfs_wrap_passphrase_file(const char *dest, const char *wrapping_passphrase, -+ const char *wrapping_salt, const char *src); -+int ecryptfs_wrap_passphrase(const char *filename, const char *wrapping_passphrase, -+ const char *unused, char *decrypted_passphrase); -+int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, const char *filename, -+ const char *wrapping_passphrase, const char *wrapping_salt); - int ecryptfs_insert_wrapped_passphrase_into_keyring( -- char *auth_tok_sig, char *filename, char *wrapping_passphrase, -- char *salt); -+ char *auth_tok_sig, char *filename, const char *wrapping_passphrase, -+ const char *salt); - char *ecryptfs_get_wrapped_passphrase_filename(); - struct ecryptfs_key_mod_ops *passphrase_get_key_mod_ops(void); - int ecryptfs_validate_keyring(void); -@@ -573,7 +573,7 @@ char *ecryptfs_get_passphrase(char *prom - int ecryptfs_run_daemon(struct ecryptfs_messaging_ctx *mctx); - - #define ECRYPTFS_PRIVATE_DIR "Private" --char *ecryptfs_fetch_private_mnt(char *pw_dir); -+char *ecryptfs_fetch_private_mnt(const char *pw_dir); - int ecryptfs_private_is_mounted(char *dev, char *mnt, char *sig, int mounting); - - #endif -diff -up ecryptfs-utils-108/src/libecryptfs/key_management.c.fixconst ecryptfs-utils-108/src/libecryptfs/key_management.c ---- ecryptfs-utils-108/src/libecryptfs/key_management.c.fixconst 2015-08-11 14:44:01.777816296 +0200 -+++ ecryptfs-utils-108/src/libecryptfs/key_management.c 2015-08-11 14:44:01.795816249 +0200 -@@ -55,7 +55,7 @@ - */ - int ecryptfs_generate_passphrase_auth_tok(struct ecryptfs_auth_tok **auth_tok, - char *auth_tok_sig, char *fekek, -- char *salt, char *passphrase) -+ const char *salt, const char *passphrase) - { - int rc; - -@@ -195,8 +195,8 @@ int ecryptfs_add_blob_to_keyring(char *b - * - * Returns 0 on add, 1 on pre-existed, negative on failure. - */ --int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, char *passphrase, -- char *salt) -+int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, const char *passphrase, -+ const char *salt) - { - int rc; - char fekek[ECRYPTFS_MAX_KEY_BYTES]; -@@ -382,8 +382,8 @@ out: - return rc; - } - --int ecryptfs_wrap_passphrase_file(char *dest, char *wrapping_passphrase, -- char *salt, char *src) -+int ecryptfs_wrap_passphrase_file(const char *dest, const char *wrapping_passphrase, -+ const char *salt, const char *src) - { - int rc = 0; - ssize_t size; -@@ -540,8 +540,8 @@ out: - * - * Returns 0 upon success. Negative upon error. - */ --int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase, -- char *unused, char *decrypted_passphrase) -+int ecryptfs_wrap_passphrase(const char *filename, const char *wrapping_passphrase, -+ const char *unused, char *decrypted_passphrase) - { - char wrapping_salt[ECRYPTFS_SALT_SIZE]; - char wrapping_auth_tok_sig[ECRYPTFS_SIG_SIZE_HEX + 1]; -@@ -822,8 +822,8 @@ out: - * decryptfs_passphrase must be able to hold - * ECRYPTFS_MAX_PASSPHRASE_BYTES + 1 bytes - */ --int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename, -- char *wrapping_passphrase, char *wrapping_salt) -+int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, const char *filename, -+ const char *wrapping_passphrase, const char *wrapping_salt) - { - char v2_wrapping_salt[ECRYPTFS_SALT_SIZE]; - char wrapping_auth_tok_sig[ECRYPTFS_SIG_SIZE_HEX + 1]; -@@ -976,8 +976,8 @@ out: - * into the user session keyring. - */ - int ecryptfs_insert_wrapped_passphrase_into_keyring( -- char *auth_tok_sig, char *filename, char *wrapping_passphrase, -- char *salt) -+ char *auth_tok_sig, char *filename, const char *wrapping_passphrase, -+ const char *salt) - { - char decrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1] ; - int rc = 0; -diff -up ecryptfs-utils-108/src/libecryptfs/main.c.fixconst ecryptfs-utils-108/src/libecryptfs/main.c ---- ecryptfs-utils-108/src/libecryptfs/main.c.fixconst 2015-08-11 14:44:01.791816259 +0200 -+++ ecryptfs-utils-108/src/libecryptfs/main.c 2015-08-11 14:44:01.795816249 +0200 -@@ -92,7 +92,7 @@ out: - /* Read ecryptfs private mount from file - * Allocate and return a string - */ --char *ecryptfs_fetch_private_mnt(char *pw_dir) { -+char *ecryptfs_fetch_private_mnt(const char *pw_dir) { - char *mnt_file = NULL; - char *mnt_default = NULL; - char *mnt = NULL; -@@ -212,7 +212,7 @@ int ecryptfs_private_is_mounted(char *de - */ - int - generate_passphrase_sig(char *passphrase_sig, char *fekek, -- char *salt, char *passphrase) -+ const char *salt, const char *passphrase) - { - char salt_and_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES - + ECRYPTFS_SALT_SIZE]; -@@ -257,7 +257,7 @@ generate_passphrase_sig(char *passphrase - */ - int - generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig, -- char *salt, char *session_key_encryption_key) -+ const char *salt, char *session_key_encryption_key) - { - int rc = 0; - int major, minor; diff --git a/ecryptfs-utils-87-fixexecgid.patch b/ecryptfs-utils-87-fixexecgid.patch deleted file mode 100644 index e47c56a..0000000 --- a/ecryptfs-utils-87-fixexecgid.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid 2015-08-11 14:43:59.298822826 +0200 -+++ ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c 2015-08-11 14:43:59.299822823 +0200 -@@ -365,8 +365,10 @@ static int private_dir(pam_handle_t *pam - _exit(0); - } - clearenv(); -- if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) -+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { -+ syslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(-1); -+ } - /* run mount.ecryptfs_private as the user */ - if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) - _exit(-1); -@@ -380,8 +382,10 @@ static int private_dir(pam_handle_t *pam - _exit(0); - } - clearenv(); -- if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) -+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { -+ syslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(-1); -+ } - /* run umount.ecryptfs_private as the user */ - if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) - _exit(-1); diff --git a/ecryptfs-utils-87-fixpamfork.patch b/ecryptfs-utils-87-fixpamfork.patch deleted file mode 100644 index b498aa7..0000000 --- a/ecryptfs-utils-87-fixpamfork.patch +++ /dev/null @@ -1,74 +0,0 @@ -diff -up ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork 2015-08-11 14:43:58.438825091 +0200 -+++ ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c 2015-08-11 14:43:58.439825089 +0200 -@@ -253,7 +253,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - } - out_child: - free(auth_tok_sig); -- exit(0); -+ _exit(0); - } - tmp_pid = waitpid(child_pid, NULL, 0); - if (tmp_pid == -1) -@@ -349,7 +349,7 @@ static int private_dir(pam_handle_t *pam - "%s/.ecryptfs/.wrapped-passphrase.recorded", - pwd->pw_dir) < 0) || recorded == NULL) { - syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for recorded name"); -- exit(1); -+ _exit(255); - } - if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { - /* User has not recorded their passphrase */ -@@ -362,33 +362,35 @@ static int private_dir(pam_handle_t *pam - if (stat(autofile, &s) != 0) { - /* User does not want to auto-mount */ - syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount"); -- exit(0); -+ _exit(0); - } - clearenv(); - if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) -- exit(-1); -+ _exit(-1); - /* run mount.ecryptfs_private as the user */ - if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) -- exit(-1); -+ _exit(-1); - execl("/sbin/mount.ecryptfs_private", - "mount.ecryptfs_private", NULL); -+ syslog(LOG_ERR, "unable to execute mount.ecryptfs_private : %m"); - } else { - if (stat(autofile, &s) != 0) { - /* User does not want to auto-unmount */ - syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount"); -- exit(0); -+ _exit(0); - } - clearenv(); - if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) -- exit(-1); -+ _exit(-1); - /* run umount.ecryptfs_private as the user */ - if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) -- exit(-1); -+ _exit(-1); - execl("/sbin/umount.ecryptfs_private", - "umount.ecryptfs_private", "-d", NULL); -- exit(1); -+ syslog(LOG_ERR, "unable to execute umount.ecryptfs_private : %m"); -+ _exit(1); - } -- exit(1); -+ _exit(1); - } else { - waitpid(pid, &rc, 0); - } -@@ -536,7 +538,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand - goto out_child; - } - out_child: -- exit(0); -+ _exit(0); - } - if ((tmp_pid = waitpid(child_pid, NULL, 0)) == -1) - syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); diff --git a/ecryptfs-utils-87-memcpyfix.patch b/ecryptfs-utils-87-memcpyfix.patch deleted file mode 100644 index 638bdbb..0000000 --- a/ecryptfs-utils-87-memcpyfix.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up ecryptfs-utils-103/src/utils/mount.ecryptfs.c.memcpyfix ecryptfs-utils-103/src/utils/mount.ecryptfs.c ---- ecryptfs-utils-103/src/utils/mount.ecryptfs.c.memcpyfix 2012-07-13 16:50:29.000000000 +0200 -+++ ecryptfs-utils-103/src/utils/mount.ecryptfs.c 2013-01-28 17:22:53.769462509 +0100 -@@ -355,7 +355,7 @@ static int opts_str_contains_option(char - *end = '\0'; - break; - } -- memcpy(opt, next_opt, end - next_opt); -+ memmove(opt, next_opt, end - next_opt); - end = end - (next_opt - opt); - *end = '\0'; - } diff --git a/ecryptfs-utils-87-nozombies.patch b/ecryptfs-utils-87-nozombies.patch deleted file mode 100644 index 2d4ea3f..0000000 --- a/ecryptfs-utils-87-nozombies.patch +++ /dev/null @@ -1,528 +0,0 @@ -diff -up ecryptfs-utils-108/src/include/ecryptfs.h.nozombies ecryptfs-utils-108/src/include/ecryptfs.h ---- ecryptfs-utils-108/src/include/ecryptfs.h.nozombies 2015-03-11 16:07:01.000000000 +0100 -+++ ecryptfs-utils-108/src/include/ecryptfs.h 2015-08-11 14:44:00.122820656 +0200 -@@ -532,10 +532,6 @@ int ecryptfs_validate_keyring(void); - #define ECRYPTFS_SHM_KEY 0x3c81b7f5 - #define ECRYPTFS_SEM_KEY 0x3c81b7f6 - #define ECRYPTFS_SHM_SIZE 4096 --#define ECRYPTFS_ZOMBIE_SLEEP_SECONDS 300 --int ecryptfs_set_zombie_session_placeholder(void); --int ecryptfs_kill_and_clear_zombie_session_placeholder(void); --int ecryptfs_list_zombie_session_placeholders(void); - int ecryptfs_build_linear_subgraph_from_nvp(struct transition_node **trans_node, - struct ecryptfs_key_mod *key_mod); - int ecryptfs_build_linear_subgraph(struct transition_node **trans_node, -diff -up ecryptfs-utils-108/src/libecryptfs/main.c.nozombies ecryptfs-utils-108/src/libecryptfs/main.c ---- ecryptfs-utils-108/src/libecryptfs/main.c.nozombies 2015-03-26 14:28:59.000000000 +0100 -+++ ecryptfs-utils-108/src/libecryptfs/main.c 2015-08-11 14:44:00.122820656 +0200 -@@ -384,495 +384,6 @@ out: - return rc; - } - --static int zombie_semaphore_get(void) --{ -- int sem_id; -- struct semid_ds semid_ds; -- struct sembuf sb; -- int i; -- int rc; -- -- sem_id = semget(ECRYPTFS_SEM_KEY, 1, (0666 | IPC_EXCL | IPC_CREAT)); -- if (sem_id >= 0) { -- sb.sem_op = 1; -- sb.sem_flg = 0; -- sb.sem_num = 0; -- -- rc = semop(sem_id, &sb, 1); -- if (rc == -1) { -- semctl(sem_id, 0, IPC_RMID); -- syslog(LOG_ERR, "Error initializing semaphore\n"); -- rc = -1; -- goto out; -- } -- } else if (errno == EEXIST) { -- int initialized = 0; -- -- sem_id = semget(ECRYPTFS_SEM_KEY, 1, 0); -- if (sem_id < 0) { -- syslog(LOG_ERR, "Error getting existing semaphore"); -- rc = -1; -- goto out; -- } --#define RETRY_LIMIT 3 -- for (i = 0; i < RETRY_LIMIT; i++) { -- semctl(sem_id, 0, IPC_STAT, &semid_ds); -- if (semid_ds.sem_otime != 0) { -- initialized = 1; -- break; -- } else -- sleep(1); -- } -- if (!initialized) { -- syslog(LOG_ERR, "Waited too long for initialized " -- "semaphore; something's wrong\n"); -- rc = -1; -- goto out; -- } -- } else { -- syslog(LOG_ERR, "Error attempting to get semaphore\n"); -- rc = -1; -- goto out; -- } -- rc = sem_id; --out: -- return rc; --} -- --static void zombie_semaphore_lock(int sem_id) --{ -- struct sembuf sb; -- int i; -- int rc; -- -- sb.sem_num = 0; -- sb.sem_op = -1; -- sb.sem_flg = IPC_NOWAIT; -- for (i = 0; i < RETRY_LIMIT; i++) { -- rc = semop(sem_id, &sb, 1); -- if (rc == -1 && errno == EAGAIN) { -- sleep(1); -- } else if (rc == -1) { -- syslog(LOG_ERR, "Error locking semaphore; errno " -- "string = [%m]\n"); -- goto out; -- } else -- goto out; -- } -- syslog(LOG_ERR, "Error locking semaphore; hit max retries\n"); --out: -- return; --} -- --static void zombie_semaphore_unlock(int sem_id) --{ -- struct sembuf sb; -- int rc; -- -- sb.sem_num = 0; -- sb.sem_op = 1; -- sb.sem_flg = 0; -- rc = semop(sem_id, &sb, 1); -- if (rc == -1) { -- syslog(LOG_ERR, "Error unlocking semaphore\n"); -- goto out; -- } --out: -- return; --} -- --static int get_zombie_shared_mem_locked(int *shm_id, int *sem_id) --{ -- int rc; -- -- (*sem_id) = zombie_semaphore_get(); -- if ((*sem_id) == -1) { -- syslog(LOG_ERR, "Error attempting to get zombie semaphore\n"); -- rc = -EIO; -- goto out; -- } -- zombie_semaphore_lock((*sem_id)); -- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, (0666 | IPC_CREAT -- | IPC_EXCL)); -- if (rc == -1 && errno == EEXIST) -- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0); -- else { -- char *shm_virt; -- -- if (rc == -1) { -- syslog(LOG_ERR, "Error allocating shared memory; " -- "errno string = [%m]\n"); -- rc = -EIO; -- zombie_semaphore_unlock((*sem_id)); -- goto out; -- } -- -- (*shm_id) = rc; -- shm_virt = shmat((*shm_id), NULL, 0); -- if (shm_virt == (void *)-1) { -- syslog(LOG_ERR, "Error attaching to newly allocated " -- "shared memory; errno string = [%m]\n"); -- rc = -EIO; -- zombie_semaphore_unlock((*sem_id)); -- goto out; -- } -- memset(shm_virt, 0, ECRYPTFS_SHM_SIZE); -- if ((rc = shmdt(shm_virt))) { -- rc = -EIO; -- zombie_semaphore_unlock((*sem_id)); -- goto out; -- } -- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0); -- } -- if (rc == -1) { -- syslog(LOG_ERR, "Error attempting to get identifier for " -- "shared memory with key [0x%.8x]\n", ECRYPTFS_SHM_KEY); -- rc = -EIO; -- zombie_semaphore_unlock((*sem_id)); -- goto out; -- } -- (*shm_id) = rc; -- rc = 0; --out: -- return rc; --} -- --static int list_pid_sid_pairs(int shm_id) --{ -- pid_t sid_tmp; -- pid_t pid_tmp; -- char *shm_virt; -- int i; -- int rc; -- -- if (sizeof(pid_t) != sizeof(uint32_t)) { -- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " -- "needs some tweaking to work on this architecture\n"); -- rc = -EINVAL; -- goto out; -- } -- shm_virt = shmat(shm_id, NULL, 0); -- if (shm_virt == (void *)-1) { -- rc = -EIO; -- goto out; -- } -- i = 0; -- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- sid_tmp = ntohl(sid_tmp); /* uint32_t */ -- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- pid_tmp = ntohl(pid_tmp); /* uint32_t */ -- while (!(sid_tmp == 0 && pid_tmp == 0)) { -- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) -- break; -- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- sid_tmp = ntohl(sid_tmp); /* uint32_t */ -- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- pid_tmp = ntohl(pid_tmp); /* uint32_t */ -- } -- if ((rc = shmdt(shm_virt))) -- rc = -EIO; --out: -- return rc; --} -- --static int find_pid_for_this_sid(pid_t *pid, int shm_id) --{ -- pid_t sid_tmp; -- pid_t sid; -- pid_t pid_tmp; -- pid_t this_pid; -- char *shm_virt; -- int i; -- int rc; -- -- (*pid) = 0; -- if (sizeof(pid_t) != sizeof(uint32_t)) { -- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " -- "needs some tweaking to work on this architecture\n"); -- rc = -EINVAL; -- goto out; -- } -- shm_virt = shmat(shm_id, NULL, 0); -- if (shm_virt == (void *)-1) { -- rc = -EIO; -- goto out; -- } -- i = 0; -- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- sid_tmp = ntohl(sid_tmp); /* uint32_t */ -- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- pid_tmp = ntohl(pid_tmp); /* uint32_t */ -- this_pid = getpid(); -- sid = getsid(this_pid); -- while (!(sid_tmp == 0 && pid_tmp == 0)) { -- if (sid_tmp == sid) { -- (*pid) = pid_tmp; -- goto end_search; -- } -- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) -- break; -- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- sid_tmp = ntohl(sid_tmp); /* uint32_t */ -- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- pid_tmp = ntohl(pid_tmp); /* uint32_t */ -- } --end_search: -- if ((rc = shmdt(shm_virt))) { -- rc = -EIO; -- (*pid) = 0; -- } --out: -- return rc; --} -- --static int remove_pid_for_this_sid(int shm_id) --{ -- pid_t sid_tmp; -- pid_t sid; -- pid_t pid_tmp; -- pid_t pid; -- pid_t this_pid; -- char *shm_virt; -- int i; -- int rc; -- -- pid = 0; -- if (sizeof(pid_t) != sizeof(uint32_t)) { -- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " -- "needs some tweaking to work on this architecture\n"); -- rc = -EINVAL; -- goto out; -- } -- shm_virt = shmat(shm_id, NULL, 0); -- if (shm_virt == (void *)-1) { -- rc = -EIO; -- goto out; -- } -- i = 0; -- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- sid_tmp = ntohl(sid_tmp); /* uint32_t */ -- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- pid_tmp = ntohl(pid_tmp); /* uint32_t */ -- this_pid = getpid(); -- sid = getsid(this_pid); -- while (!(sid_tmp == 0 && pid_tmp == 0)) { -- if (sid_tmp == sid) { -- pid = pid_tmp; -- break; -- } -- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) -- break; -- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- sid_tmp = ntohl(sid_tmp); /* uint32_t */ -- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- pid_tmp = ntohl(pid_tmp); /* uint32_t */ -- } -- if (pid != 0) { -- char *tmp; -- int remainder = (ECRYPTFS_SHM_SIZE - i); -- -- if (remainder != 0) { -- if ((tmp = malloc(remainder)) == NULL) { -- rc = -ENOMEM; -- shmdt(shm_virt); -- goto out; -- } -- memcpy(tmp, &shm_virt[i], remainder); -- i -= (2 * sizeof(pid_t)); -- memcpy(&shm_virt[i], tmp, remainder); -- i += remainder; -- } else -- i -= (2 * sizeof(pid_t)); -- memset(&shm_virt[i], 0, (2 * sizeof(pid_t))); -- if (remainder != 0) -- free(tmp); -- } -- if ((rc = shmdt(shm_virt))) -- rc = -EIO; --out: -- return rc; --} -- --static int add_sid_pid_pair_to_shm(int shm_id) --{ -- pid_t sid_tmp; -- pid_t sid; -- pid_t pid_tmp; -- pid_t pid; -- char *shm_virt; -- int i; -- int rc; -- -- if (sizeof(pid_t) != sizeof(uint32_t)) { -- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " -- "needs some tweaking to work on this architecture\n"); -- rc = -EINVAL; -- goto out; -- } -- shm_virt = shmat(shm_id, NULL, 0); -- if (shm_virt == (void *)-1) { -- syslog(LOG_ERR, "Error attaching to shared memory; error " -- "string = [%m]\n"); -- shm_virt = shmat(shm_id, NULL, 0); -- if (shm_virt == (void *)-1) { -- syslog(LOG_ERR, "Error attaching to shared memory; error " -- "string = [%m]\n"); -- rc = -EIO; -- goto out; -- } -- rc = -EIO; -- goto out; -- } -- i = 0; -- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- sid_tmp = ntohl(sid_tmp); /* uint32_t */ -- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- pid_tmp = ntohl(pid_tmp); /* uint32_t */ -- while (!(sid_tmp == 0 && pid_tmp == 0)) { -- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) { -- syslog(LOG_ERR, -- "No space left in shared memory region\n"); -- rc = -ENOMEM; -- shmdt(shm_virt); -- goto out; -- } -- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- sid_tmp = ntohl(sid_tmp); /* uint32_t */ -- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); -- i += sizeof(pid_t); -- pid_tmp = ntohl(pid_tmp); /* uint32_t */ -- } -- pid = getpid(); -- sid = getsid(pid); -- sid = htonl(sid); -- pid = htonl(pid); -- i -= (2 * sizeof(pid_t)); -- memcpy(&shm_virt[i], &sid, sizeof(pid_t)); -- i += sizeof(pid_t); -- memcpy(&shm_virt[i], &pid, sizeof(pid_t)); -- i += sizeof(pid_t); -- if ((i + (2 * sizeof(pid_t))) <= ECRYPTFS_SHM_SIZE) -- memset(&shm_virt[i], 0, (i + (2 * sizeof(pid_t)))); -- if ((rc = shmdt(shm_virt))) { -- syslog(LOG_ERR, "Error detaching from shared memory\n"); -- rc = -EIO; -- } --out: -- return rc; --} -- --int ecryptfs_set_zombie_session_placeholder(void) --{ -- int shm_id; -- int sem_id; -- int rc = 0; -- -- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { -- syslog(LOG_ERR, -- "Error getting shared memory segment\n"); -- goto out; -- } -- if ((rc = add_sid_pid_pair_to_shm(shm_id))) { -- syslog(LOG_ERR, "Error adding sid/pid pair to shared memory " -- "segment; rc = [%d]\n", rc); -- zombie_semaphore_unlock(sem_id); -- goto out; -- } -- zombie_semaphore_unlock(sem_id); -- sleep(ECRYPTFS_ZOMBIE_SLEEP_SECONDS); -- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { -- syslog(LOG_ERR, -- "Error getting shared memory segment\n"); -- goto out; -- } -- if ((rc = remove_pid_for_this_sid(shm_id))) { -- syslog(LOG_ERR, "Error attempting to remove pid/sid " -- "pair from shared memory segment; rc = [%d]\n", -- rc); -- zombie_semaphore_unlock(sem_id); -- goto out; -- } -- zombie_semaphore_unlock(sem_id); -- exit(1); --out: -- return rc; --} -- --int ecryptfs_kill_and_clear_zombie_session_placeholder(void) --{ -- int shm_id; -- int sem_id; -- int pid; -- int rc = 0; -- -- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { -- syslog(LOG_ERR, "Error getting shared memory segment\n"); -- goto out; -- } -- if ((rc = find_pid_for_this_sid(&pid, shm_id))) { -- syslog(LOG_ERR, "Error finding pid for sid in shared memory " -- "segment; rc = [%d]\n", rc); -- zombie_semaphore_unlock(sem_id); -- goto out; -- } -- if (pid == 0) { -- syslog(LOG_WARNING, "No valid pid found for this sid\n"); -- } else { -- if ((rc = kill(pid, SIGKILL))) { -- syslog(LOG_ERR, "Error attempting to kill process " -- "[%d]; rc = [%d]; errno string = [%m]\n", pid, -- rc); -- } -- if ((rc = remove_pid_for_this_sid(shm_id))) { -- syslog(LOG_ERR, "Error attempting to remove pid/sid " -- "pair from shared memory segment; rc = [%d]\n", -- rc); -- zombie_semaphore_unlock(sem_id); -- goto out; -- } -- } -- zombie_semaphore_unlock(sem_id); --out: -- return rc; --} -- --int ecryptfs_list_zombie_session_placeholders(void) --{ -- int shm_id; -- int sem_id; -- int rc = 0; -- -- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { -- syslog(LOG_ERR, -- "Error getting shared memory segment\n"); -- goto out; -- } -- if ((rc = list_pid_sid_pairs(shm_id))) { -- syslog(LOG_ERR, "Error listing sid/pid pairs in shared memory " -- "segment; rc = [%d]\n", rc); -- zombie_semaphore_unlock(sem_id); -- goto out; -- } -- zombie_semaphore_unlock(sem_id); --out: -- return rc; --} -- - static struct ecryptfs_ctx_ops ctx_ops; - - struct ecryptfs_ctx_ops *cryptfs_get_ctx_opts (void) -diff -up ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.nozombies ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.nozombies 2015-08-11 14:44:00.120820661 +0200 -+++ ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c 2015-08-11 14:44:00.122820656 +0200 -@@ -246,11 +246,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - syslog(LOG_ERR, "pam_ecryptfs: Error adding passphrase key token to user session keyring; rc = [%ld]\n", rc); - goto out_child; - } -- if (fork() == 0) { -- if ((rc = ecryptfs_set_zombie_session_placeholder())) { -- syslog(LOG_ERR, "pam_ecryptfs: Error attempting to create and register zombie process; rc = [%ld]\n", rc); -- } -- } - out_child: - free(auth_tok_sig); - _exit(0); diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch deleted file mode 100644 index ec4dd2b..0000000 --- a/ecryptfs-utils-87-pamdata.patch +++ /dev/null @@ -1,352 +0,0 @@ -diff -up ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2015-08-11 14:44:00.963818440 +0200 -+++ ecryptfs-utils-108/src/pam_ecryptfs/pam_ecryptfs.c 2015-08-11 14:44:00.965818435 +0200 -@@ -46,6 +46,26 @@ - - #define PRIVATE_DIR "Private" - -+#define ECRYPTFS_PAM_DATA "ecryptfs:passphrase" -+ -+struct ecryptfs_pam_data { -+ int unwrap; -+ uid_t uid; -+ gid_t gid; -+ char *passphrase; -+ const char *homedir; -+ const char *username; -+ char salt[ECRYPTFS_SALT_SIZE]; -+}; -+ -+static void pam_free_ecryptfsdata(pam_handle_t *pamh, void *data, int error_status) -+{ -+ if (data) { -+ free(((struct ecryptfs_pam_data *)data)->passphrase); -+ free(data); -+ } -+} -+ - /* returns: 0 if file does not exist, 1 if it exists, <0 for error */ - static int file_exists_dotecryptfs(const char *homedir, char *filename) - { -@@ -65,7 +85,7 @@ out: - return rc; - } - --static int wrap_passphrase_if_necessary(const char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt) -+static int wrap_passphrase_if_necessary(const char *username, uid_t uid, const char *wrapped_pw_filename, const char *passphrase, const char *salt) - { - char *unwrapped_pw_filename = NULL; - struct stat s; -@@ -93,7 +113,7 @@ static int wrap_passphrase_if_necessary( - } - - static int rewrap_passphrase_if_necessary(char *wrapped_pw_filename, -- char *wrapping_passphrase, char *salt) -+ char *wrapping_passphrase, const char *salt) - { - char passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1]; - uint8_t version; -@@ -123,147 +143,68 @@ static int rewrap_passphrase_if_necessar - PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) - { -- uid_t uid = 0, oeuid = 0; -- long ngroups_max = sysconf(_SC_NGROUPS_MAX); -- gid_t gid = 0, oegid = 0, groups[ngroups_max+1]; -- int ngids = 0; -- char *homedir = NULL; -- const char *username; -- char *passphrase = NULL; -- char salt[ECRYPTFS_SALT_SIZE]; - char salt_hex[ECRYPTFS_SALT_SIZE_HEX]; -- char *auth_tok_sig = NULL; - char *private_mnt = NULL; -- pid_t child_pid, tmp_pid; - long rc; -+ struct ecryptfs_pam_data *epd; - -- rc = pam_get_user(pamh, &username, NULL); -+ if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) { -+ syslog(LOG_ERR,"Memory allocation failed"); -+ rc = -ENOMEM; -+ goto out; -+ } -+ -+ rc = pam_get_user(pamh, &epd->username, NULL); - if (rc == PAM_SUCCESS) { - struct passwd *pwd; - -- pwd = getpwnam(username); -+ errno = 0; -+ pwd = getpwnam(epd->username); - if (pwd) { -- uid = pwd->pw_uid; -- gid = pwd->pw_gid; -- homedir = pwd->pw_dir; -- } -- } else { -- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); -- goto out; -+ epd->uid = pwd->pw_uid; -+ epd->gid = pwd->pw_gid; -+ epd->homedir = pwd->pw_dir; -+ rc = 0; -+ } else rc = errno; - } -- -- oeuid = geteuid(); -- oegid = getegid(); -- if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { -- syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); -- goto outnouid; -- } -- -- if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) { -- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); -+ if (!epd->homedir) { -+ syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); - goto out; - } - -- if (!file_exists_dotecryptfs(homedir, "auto-mount")) -+ if (!file_exists_dotecryptfs(epd->homedir, "auto-mount")) - goto out; -- private_mnt = ecryptfs_fetch_private_mnt(homedir); -+ private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); - if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { -- syslog(LOG_DEBUG, "pam_ecryptfs: %s: %s is already mounted\n", __FUNCTION__, homedir); -+ syslog(LOG_DEBUG, "pam_ecryptfs: %s: %s is already mounted\n", __FUNCTION__, epd->homedir); - /* If private/home is already mounted, then we can skip - costly loading of keys */ - goto out; - } -- if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1) -- rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: "); -+ if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1) -+ rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &epd->passphrase, "Encryption passphrase: "); - else -- rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase); -+ rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); - if (rc != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", - rc); - goto out; - } -- auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); -- if (!auth_tok_sig) { -- rc = -ENOMEM; -- syslog(LOG_ERR, "pam_ecryptfs: Out of memory\n"); -- goto out; -- } -+ epd->passphrase = strdup(epd->passphrase); - rc = ecryptfs_read_salt_hex_from_rc(salt_hex); - if (rc) { -- from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE); -+ from_hex(epd->salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE); - } else -- from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE); -- if ((child_pid = fork()) == 0) { -- /* temp regain uid 0 to drop privs */ -- seteuid(oeuid); -- /* setgroups() already called */ -- if (setgid(gid) < 0 || setuid(uid) < 0) -- goto out_child; -- -- if (passphrase == NULL) { -- syslog(LOG_ERR, "pam_ecryptfs: NULL passphrase; aborting\n"); -- rc = -EINVAL; -- goto out_child; -- } -- if ((rc = ecryptfs_validate_keyring())) { -- syslog(LOG_WARNING, "pam_ecryptfs: Cannot validate keyring integrity\n"); -- } -- rc = 0; -- if ((argc == 1) -- && (memcmp(argv[0], "unwrap\0", 7) == 0)) { -- char *wrapped_pw_filename; -- -- rc = asprintf( -- &wrapped_pw_filename, "%s/.ecryptfs/%s", -- homedir, -- ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); -- if (rc == -1) { -- syslog(LOG_ERR, "pam_ecryptfs: Unable to allocate memory\n"); -- rc = -ENOMEM; -- goto out_child; -- } -- if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, passphrase, salt) == 0) { -- syslog(LOG_DEBUG, "pam_ecryptfs: Passphrase file wrapped"); -- } else { -- goto out_child; -- } -- if (rewrap_passphrase_if_necessary(wrapped_pw_filename, passphrase, salt)) { -- /* Non fatal condition. Log a warning. */ -- syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); -- } -- rc = ecryptfs_insert_wrapped_passphrase_into_keyring( -- auth_tok_sig, wrapped_pw_filename, passphrase, -- salt); -- free(wrapped_pw_filename); -- } else { -- rc = ecryptfs_add_passphrase_key_to_keyring( -- auth_tok_sig, passphrase, salt); -- } -- if (rc == 1) { -- goto out_child; -- } -- if (rc) { -- syslog(LOG_ERR, "pam_ecryptfs: Error adding passphrase key token to user session keyring; rc = [%ld]\n", rc); -- goto out_child; -- } --out_child: -- free(auth_tok_sig); -- _exit(0); -+ from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE); -+ epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); -+ if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) { -+ syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); -+ goto out; - } -- tmp_pid = waitpid(child_pid, NULL, 0); -- if (tmp_pid == -1) -- syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); --out: - -- seteuid(oeuid); -- setegid(oegid); -- setgroups(ngids, groups); -- --outnouid: -+out: - if (private_mnt != NULL) - free(private_mnt); -- if (auth_tok_sig != NULL) -- free(auth_tok_sig); - return PAM_SUCCESS; - } - -@@ -407,10 +348,124 @@ static int umount_private_dir(pam_handle - return private_dir(pamh, 0); - } - -+static int fill_keyring(pam_handle_t *pamh) -+{ -+ pid_t child_pid,tmp_pid; -+ uid_t oeuid = 0; -+ long ngroups_max = sysconf(_SC_NGROUPS_MAX); -+ gid_t oegid = 0, groups[ngroups_max+1]; -+ int ngids = 0; -+ int rc = 0; -+ const struct ecryptfs_pam_data *epd; -+ char *auth_tok_sig = NULL; -+ auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); -+ -+ if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS) -+ { -+ syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc)); -+ return -EINVAL; -+ } -+ -+ oeuid = geteuid(); -+ oegid = getegid(); -+ if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { -+ syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); -+ goto outnouid; -+ } -+ -+ if (setegid(epd->gid) < 0 || setgroups(1, &epd->gid) < 0 || seteuid(epd->uid) < 0) { -+ syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); -+ goto out; -+ } -+ -+ if (!auth_tok_sig) { -+ syslog(LOG_ERR, "Out of memory\n"); -+ return -ENOMEM; -+ } -+ -+ if ((child_pid = fork()) == 0) { -+ /* temp regain uid 0 to drop privs */ -+ if (seteuid(oeuid) < 0) -+ { -+ syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); -+ goto out_child; -+ } -+ /* setgroups() already called */ -+ if (setgid(epd->gid) < 0 || setuid(epd->uid) < 0) -+ goto out_child; -+ -+ if (epd->passphrase == NULL) { -+ syslog(LOG_ERR, "NULL passphrase; aborting\n"); -+ rc = -EINVAL; -+ goto out_child; -+ } -+ if ((rc = ecryptfs_validate_keyring())) { -+ syslog(LOG_WARNING, -+ "Cannot validate keyring integrity\n"); -+ } -+ rc = 0; -+ if (epd->unwrap) { -+ char *wrapped_pw_filename; -+ -+ rc = asprintf( -+ &wrapped_pw_filename, "%s/.ecryptfs/%s", -+ epd->homedir, -+ ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); -+ if (rc == -1) { -+ syslog(LOG_ERR, "Unable to allocate memory\n"); -+ rc = -ENOMEM; -+ goto out_child; -+ } -+ if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) { -+ syslog(LOG_INFO, "Passphrase file wrapped"); -+ } else { -+ goto out_child; -+ } -+ if (rewrap_passphrase_if_necessary(wrapped_pw_filename, epd->passphrase, epd->salt)) { -+ /* Non fatal condition. Log a warning. */ -+ syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); -+ } -+ rc = ecryptfs_insert_wrapped_passphrase_into_keyring( -+ auth_tok_sig, wrapped_pw_filename, epd->passphrase, -+ epd->salt); -+ free(wrapped_pw_filename); -+ } else { -+ rc = ecryptfs_add_passphrase_key_to_keyring( -+ auth_tok_sig, epd->passphrase, epd->salt); -+ } -+ if (rc == 1) { -+ goto out_child; -+ } -+ if (rc) { -+ syslog(LOG_ERR, "Error adding passphrase key token to " -+ "user session keyring; rc = [%d]\n", rc); -+ goto out_child; -+ } -+out_child: -+ free(auth_tok_sig); -+ _exit(0); -+ } -+ tmp_pid = waitpid(child_pid, NULL, 0); -+ if (tmp_pid == -1) -+ syslog(LOG_WARNING, -+ "waitpid() returned with error condition\n"); -+out: -+ rc = seteuid(oeuid); -+ rc = setegid(oegid); -+ rc = setgroups(ngids, groups); -+ -+outnouid: -+ if (auth_tok_sig != NULL) -+ free(auth_tok_sig); -+ return 0; -+} -+ -+ - PAM_EXTERN int - pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char *argv[]) - { -+ fill_keyring(pamh); - mount_private_dir(pamh); - return PAM_SUCCESS; - } diff --git a/ecryptfs-utils-87-prefixsyslog.patch b/ecryptfs-utils-87-prefixsyslog.patch deleted file mode 100644 index 02fbad4..0000000 --- a/ecryptfs-utils-87-prefixsyslog.patch +++ /dev/null @@ -1,240 +0,0 @@ -diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamsyslog ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamsyslog 2011-08-09 11:39:28.404766037 +0200 -+++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-09 11:39:28.428765549 +0200 -@@ -91,7 +91,7 @@ static int wrap_passphrase_if_necessary( - - rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username); - if (rc == -1) { -- syslog(LOG_ERR, "Unable to allocate memory\n"); -+ pamsyslog(LOG_ERR, "Unable to allocate memory\n"); - return -ENOMEM; - } - /* If /dev/shm/.ecryptfs-$USER exists and owned by the user -@@ -105,7 +105,7 @@ static int wrap_passphrase_if_necessary( - setuid(uid); - rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename); - if (rc != 0) { -- syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc); -+ pamsyslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc); - } - return rc; - } -@@ -122,10 +122,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - uint32_t version; - struct ecryptfs_pam_data *epd = {0,}; - -- syslog(LOG_INFO, "%s: Called\n", __FUNCTION__); -+ pamsyslog(LOG_INFO, "%s: Called\n", __FUNCTION__); - - if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) { -- syslog(LOG_ERR,"Memory allocation failed"); -+ pamsyslog(LOG_ERR,"Memory allocation failed"); - rc = -ENOMEM; - goto out; - } -@@ -134,7 +134,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - if (rc == PAM_SUCCESS) { - struct passwd *pwd; - -- syslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__, -+ pamsyslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__, - epd->username); - pwd = getpwnam(epd->username); - if (pwd) { -@@ -142,7 +142,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - epd->homedir = pwd->pw_dir; - } - } else { -- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " -+ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; " - "rc = [%ld]\n", epd->username, rc); - goto out; - } -@@ -150,7 +150,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - goto out; - private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); - if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { -- syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__, -+ pamsyslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__, - epd->homedir); - /* If private/home is already mounted, then we can skip - costly loading of keys */ -@@ -159,7 +159,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - /* we need side effect of this check: - load ecryptfs module if not loaded already */ - if (ecryptfs_get_version(&version) != 0) -- syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); -+ pamsyslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); - saved_uid = geteuid(); - seteuid(epd->uid); - if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1) -@@ -168,7 +168,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); - seteuid(saved_uid); - if (rc != PAM_SUCCESS) { -- syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", -+ pamsyslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", - rc); - goto out; - } -@@ -182,7 +182,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); - if (pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata) != PAM_SUCCESS) { - -- syslog(LOG_ERR, "Unable to store ecryptfs pam data : %m"); -+ pamsyslog(LOG_ERR, "Unable to store ecryptfs pam data : %m"); - goto out; - } - -@@ -206,13 +206,13 @@ static struct passwd *fetch_pwd(pam_hand - - rc = pam_get_user(pamh, &username, NULL); - if (rc != PAM_SUCCESS || username == NULL) { -- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " -+ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; " - "rc = [%ld]\n", username, rc); - return NULL; - } - pwd = getpwnam(username); - if (pwd == NULL) { -- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " -+ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; " - "rc = [%ld]\n", username, rc); - return NULL; - } -@@ -244,13 +244,13 @@ static int private_dir(pam_handle_t *pam - if ( - (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0) - || autofile == NULL) { -- syslog(LOG_ERR, "Error allocating memory for autofile name"); -+ pamsyslog(LOG_ERR, "Error allocating memory for autofile name"); - return 1; - } - if ( - (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir, - PRIVATE_DIR) < 0) || sigfile == NULL) { -- syslog(LOG_ERR, "Error allocating memory for sigfile name"); -+ pamsyslog(LOG_ERR, "Error allocating memory for sigfile name"); - return 1; - } - if (stat(sigfile, &s) != 0) { -@@ -262,13 +262,13 @@ static int private_dir(pam_handle_t *pam - goto out; - } - if ((pid = fork()) < 0) { -- syslog(LOG_ERR, "Error setting up private mount"); -+ pamsyslog(LOG_ERR, "Error setting up private mount"); - return 1; - } - if (pid == 0) { - /* set user's groups, we may need ecryptfs group for (u)mount */ - if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { -- syslog(LOG_ERR, "Unable to set user's groups : %m"); -+ pamsyslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(255); - } - -@@ -276,7 +276,7 @@ static int private_dir(pam_handle_t *pam - if ((asprintf(&recorded, - "%s/.ecryptfs/.wrapped-passphrase.recorded", - pwd->pw_dir) < 0) || recorded == NULL) { -- syslog(LOG_ERR, -+ pamsyslog(LOG_ERR, - "Error allocating memory for recorded name"); - _exit(255); - } -@@ -289,7 +289,7 @@ static int private_dir(pam_handle_t *pam - } - if (stat(autofile, &s) != 0) { - /* User does not want to auto-mount */ -- syslog(LOG_INFO, -+ pamsyslog(LOG_INFO, - "Skipping automatic eCryptfs mount"); - _exit(0); - } -@@ -297,11 +297,11 @@ static int private_dir(pam_handle_t *pam - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); - execl("/sbin/mount.ecryptfs_private", - "mount.ecryptfs_private", NULL); -- syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); -+ pamsyslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); - } else { - if (stat(autofile, &s) != 0) { - /* User does not want to auto-unmount */ -- syslog(LOG_INFO, -+ pamsyslog(LOG_INFO, - "Skipping automatic eCryptfs unmount"); - _exit(0); - } -@@ -309,7 +309,7 @@ static int private_dir(pam_handle_t *pam - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); - execl("/sbin/umount.ecryptfs_private", - "umount.ecryptfs_private", NULL); -- syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); -+ pamsyslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); - } - _exit(255); - } else { -@@ -338,25 +338,25 @@ static int fill_keyring(pam_handle_t *pa - char *auth_tok_sig; - auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); - if (!auth_tok_sig) { -- syslog(LOG_ERR, "Out of memory\n"); -+ pamsyslog(LOG_ERR, "Out of memory\n"); - return -ENOMEM; - } - - if (pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd) != PAM_SUCCESS) - { -- syslog(LOG_ERR,"Unable to get ecryptfs pam data : %m"); -+ pamsyslog(LOG_ERR,"Unable to get ecryptfs pam data : %m"); - return -EINVAL; - } - - if ((child_pid = fork()) == 0) { - setuid(epd->uid); - if (epd->passphrase == NULL) { -- syslog(LOG_ERR, "NULL passphrase; aborting\n"); -+ pamsyslog(LOG_ERR, "NULL passphrase; aborting\n"); - rc = -EINVAL; - goto out_child; - } - if ((rc = ecryptfs_validate_keyring())) { -- syslog(LOG_WARNING, -+ pamsyslog(LOG_WARNING, - "Cannot validate keyring integrity\n"); - } - rc = 0; -@@ -368,12 +368,12 @@ static int fill_keyring(pam_handle_t *pa - epd->homedir, - ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); - if (rc == -1) { -- syslog(LOG_ERR, "Unable to allocate memory\n"); -+ pamsyslog(LOG_ERR, "Unable to allocate memory\n"); - rc = -ENOMEM; - goto out_child; - } - if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) { -- syslog(LOG_INFO, "Passphrase file wrapped"); -+ pamsyslog(LOG_INFO, "Passphrase file wrapped"); - } else { - goto out_child; - } -@@ -389,7 +389,7 @@ static int fill_keyring(pam_handle_t *pa - goto out_child; - } - if (rc) { -- syslog(LOG_ERR, "Error adding passphrase key token to " -+ pamsyslog(LOG_ERR, "Error adding passphrase key token to " - "user session keyring; rc = [%d]\n", rc); - goto out_child; - } -@@ -399,7 +399,7 @@ out_child: - } - tmp_pid = waitpid(child_pid, NULL, 0); - if (tmp_pid == -1) -- syslog(LOG_WARNING, -+ pamsyslog(LOG_WARNING, - "waitpid() returned with error condition\n"); - - diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch deleted file mode 100644 index 0ead855..0000000 --- a/ecryptfs-utils-87-syslog.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up ecryptfs-utils-108/src/include/ecryptfs.h.syslog ecryptfs-utils-108/src/include/ecryptfs.h ---- ecryptfs-utils-108/src/include/ecryptfs.h.syslog 2015-08-11 14:44:02.641814020 +0200 -+++ ecryptfs-utils-108/src/include/ecryptfs.h 2015-08-11 14:44:02.643814015 +0200 -@@ -137,7 +137,7 @@ - #define ECRYPTFS_TAG_67_PACKET 0x43 - - #define ecryptfs_syslog(type, fmt, arg...) \ -- syslog(type, "%s: " fmt, __FUNCTION__, ## arg); -+ syslog(type, "ecryptfs: %s: " fmt, __FUNCTION__, ## arg); - - #define ECRYPTFS_MAX_NUM_CIPHERS 64 - #define ECRYPTFS_ECHO_ON 1 diff --git a/ecryptfs-utils-90-CVE-2011-3145.patch b/ecryptfs-utils-90-CVE-2011-3145.patch deleted file mode 100644 index 0c9e3cd..0000000 --- a/ecryptfs-utils-90-CVE-2011-3145.patch +++ /dev/null @@ -1,86 +0,0 @@ -diff -up ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145 ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c ---- ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c.CVE-2011-3145 2011-08-31 12:08:26.479493949 +0200 -+++ ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c 2011-08-31 12:10:09.014666213 +0200 -@@ -274,12 +274,14 @@ int update_mtab(char *dev, char *mnt, ch - int fd; - FILE *old_mtab, *new_mtab; - struct mntent *old_ent, new_ent; -+ mode_t old_umask; - - /* Make an attempt to play nice with other mount helpers - * by creating an /etc/mtab~ lock file. Of course this - * only works if those other helpers actually check for - * this. - */ -+ old_umask = umask(033); - fd = open("/etc/mtab~", O_RDONLY | O_CREAT | O_EXCL, 0644); - if (fd < 0) { - perror("open"); -@@ -332,6 +334,8 @@ int update_mtab(char *dev, char *mnt, ch - - unlink("/etc/mtab~"); - -+ umask(old_umask); -+ - return 0; - - fail: -@@ -341,6 +345,7 @@ fail_late: - fail_early: - endmntent(old_mtab); - unlink("/etc/mtab~"); -+ umask(old_umask); - return 1; - } - -@@ -476,7 +481,7 @@ int zero(FILE *fh) { - * c) updating /etc/mtab - */ - int main(int argc, char *argv[]) { -- int uid, mounting; -+ int uid, gid, mounting; - int force = 0; - struct passwd *pwd; - char *alias, *src, *dest, *opt, *opts2; -@@ -491,6 +496,7 @@ int main(int argc, char *argv[]) { - } - - uid = getuid(); -+ gid = getgid(); - /* Non-privileged effective uid is sufficient for all but the code - * that mounts, unmounts, and updates /etc/mtab. - * Run at a lower privilege until we need it. -@@ -618,7 +624,14 @@ int main(int argc, char *argv[]) { - * the real uid to be that of the user. - * And we need the effective uid to be root in order to mount. - */ -- setreuid(-1, 0); -+ if (setreuid(-1, 0) < 0) { -+ perror("setreuid"); -+ goto fail; -+ } -+ if (setregid(-1, 0) < 0) { -+ perror("setregid"); -+ goto fail; -+ } - /* Perform mount */ - if (mount(src, ".", FSTYPE, 0, opt) == 0) { - if (update_mtab(src, dest, opt) != 0) { -@@ -630,6 +643,9 @@ int main(int argc, char *argv[]) { - if (setreuid(uid, uid) < 0) { - perror("setreuid"); - } -+ if (setregid(gid, gid) < 0) { -+ perror("setregid"); -+ } - goto fail; - } - } else { -@@ -665,6 +681,7 @@ int main(int argc, char *argv[]) { - * Do not use the umount.ecryptfs helper (-i). - */ - setresuid(0,0,0); -+ setresgid(0,0,0); - - /* Since we're doing a lazy unmount anyway, just unmount the current - * directory. This avoids a lot of complexity in dealing with race diff --git a/ecryptfs-utils-96-groupcheck.patch b/ecryptfs-utils-96-groupcheck.patch deleted file mode 100644 index 9aa53bc..0000000 --- a/ecryptfs-utils-96-groupcheck.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up ecryptfs-utils-108/src/utils/ecryptfs-mount-private.groupcheck ecryptfs-utils-108/src/utils/ecryptfs-mount-private ---- ecryptfs-utils-108/src/utils/ecryptfs-mount-private.groupcheck 2015-08-11 14:44:03.505811744 +0200 -+++ ecryptfs-utils-108/src/utils/ecryptfs-mount-private 2015-08-11 14:44:03.524811694 +0200 -@@ -69,7 +69,16 @@ if [ -f "$WRAPPED_PASSPHRASE_FILE" -a -f - echo `gettext "ERROR:"` `gettext "Too many incorrect password attempts, exiting"` - exit 1 - fi -- /sbin/mount.ecryptfs_private -+ if ! /sbin/mount.ecryptfs_private; -+ then -+ # Check if the ecryptfs group exists, and user is member of ecryptfs group -+ if grep -qs "^ecryptfs:" /etc/group; then -+ if ! id "$USER" | grep -qs "\(ecryptfs\)"; then -+ echo $(gettext 'ERROR: ') $(gettext 'User needs to be a member of ecryptfs group') -+ exit 1 -+ fi -+ fi -+ fi - else - echo `gettext "ERROR:"` `gettext "Encrypted private directory is not setup properly"` - exit 1 diff --git a/ecryptfs-utils-99-selinux.patch b/ecryptfs-utils-99-selinux.patch deleted file mode 100644 index 884d728..0000000 --- a/ecryptfs-utils-99-selinux.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up ecryptfs-utils-108/src/utils/ecryptfs-migrate-home.selinux ecryptfs-utils-108/src/utils/ecryptfs-migrate-home ---- ecryptfs-utils-108/src/utils/ecryptfs-migrate-home.selinux 2015-08-11 14:44:04.362809487 +0200 -+++ ecryptfs-utils-108/src/utils/ecryptfs-migrate-home 2015-08-11 14:44:04.377809448 +0200 -@@ -136,6 +136,7 @@ encrypt_dir () { - error "Cannot proceed." - fi - # start encryption -+ [[ "$(getsebool use_ecryptfs_home_dirs 2>/dev/null)" =~ off$ ]] && setsebool -P use_ecryptfs_home_dirs=1 1>/dev/null 2>&1 ||: - orig=$(mktemp /home/$USER_NAME.XXXXXXXX) - rm "$orig" && mv "$USER_HOME" "$orig" - chmod 700 "$orig" -@@ -158,8 +159,12 @@ encrypt_dir () { - fi - info "Encrypted home has been set up, encrypting files now...this may take a while." - # Show progress, but on stderr, in case the user wants to filter that out -+ semanage fcontext -a -e /home /home/.ecryptfs >/dev/null 2>&1 ||: -+ restorecon /home/.ecryptfs/ /home/.ecryptfs/$USER_NAME >/dev/null 2>&1 ||: - rsync -aP "$orig/" "$USER_HOME/" 1>&2 -+ restorecon -R /home/.ecryptfs/$USER_NAME >/dev/null 2>&1 ||: - umount "$USER_HOME/" -+ restorecon -R "$USER_HOME" >/dev/null 2>&1 ||: - echo - echo "========================================================================" - echo "Some Important Notes!" diff --git a/ecryptfs-utils-openssl11.patch b/ecryptfs-utils-openssl11.patch deleted file mode 100644 index b5ff7b6..0000000 --- a/ecryptfs-utils-openssl11.patch +++ /dev/null @@ -1,166 +0,0 @@ -=== modified file 'src/key_mod/ecryptfs_key_mod_openssl.c' ---- src/key_mod/ecryptfs_key_mod_openssl.c 2013-10-25 19:45:09 +0000 -+++ src/key_mod/ecryptfs_key_mod_openssl.c 2017-06-02 18:27:28 +0000 -@@ -41,6 +41,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -55,6 +56,19 @@ - char *passphrase; - }; - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+static void RSA_get0_key(const RSA *r, -+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) -+{ -+ if (n != NULL) -+ *n = r->n; -+ if (e != NULL) -+ *e = r->e; -+ if (d != NULL) -+ *d = r->d; -+} -+#endif -+ - static void - ecryptfs_openssl_destroy_openssl_data(struct openssl_data *openssl_data) - { -@@ -142,6 +156,7 @@ - { - int len, nbits, ebits, i; - int nbytes, ebytes; -+ const BIGNUM *key_n, *key_e; - unsigned char *hash; - unsigned char *data = NULL; - int rc = 0; -@@ -152,11 +167,13 @@ - rc = -ENOMEM; - goto out; - } -- nbits = BN_num_bits(key->n); -+ RSA_get0_key(key, &key_n, NULL, NULL); -+ nbits = BN_num_bits(key_n); - nbytes = nbits / 8; - if (nbits % 8) - nbytes++; -- ebits = BN_num_bits(key->e); -+ RSA_get0_key(key, NULL, &key_e, NULL); -+ ebits = BN_num_bits(key_e); - ebytes = ebits / 8; - if (ebits % 8) - ebytes++; -@@ -179,11 +196,13 @@ - data[i++] = '\02'; - data[i++] = (nbits >> 8); - data[i++] = nbits; -- BN_bn2bin(key->n, &(data[i])); -+ RSA_get0_key(key, &key_n, NULL, NULL); -+ BN_bn2bin(key_n, &(data[i])); - i += nbytes; - data[i++] = (ebits >> 8); - data[i++] = ebits; -- BN_bn2bin(key->e, &(data[i])); -+ RSA_get0_key(key, NULL, &key_e, NULL); -+ BN_bn2bin(key_e, &(data[i])); - i += ebytes; - SHA1(data, len + 3, hash); - to_hex(sig, (char *)hash, ECRYPTFS_SIG_SIZE); -@@ -278,7 +297,9 @@ - BIO *in = NULL; - int rc; - -+ #if OPENSSL_VERSION_NUMBER < 0x10100000L - CRYPTO_malloc_init(); -+ #endif - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - ENGINE_load_builtin_engines(); - -=== modified file 'src/key_mod/ecryptfs_key_mod_pkcs11_helper.c' ---- src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2013-10-25 19:45:09 +0000 -+++ src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2017-06-02 18:27:28 +0000 -@@ -41,6 +41,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -77,6 +78,19 @@ - typedef const unsigned char *__pkcs11_openssl_d2i_t; - #endif - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+static void RSA_get0_key(const RSA *r, -+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) -+{ -+ if (n != NULL) -+ *n = r->n; -+ if (e != NULL) -+ *e = r->e; -+ if (d != NULL) -+ *d = r->d; -+} -+#endif -+ - /** - * ecryptfs_pkcs11h_deserialize - * @pkcs11h_data: The deserialized version of the key module data; -@@ -282,7 +296,11 @@ - goto out; - } - -+ #if OPENSSL_VERSION_NUMBER < 0x10100000L - if (pubkey->type != EVP_PKEY_RSA) { -+ #else -+ if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_RSA) { -+ #endif - syslog(LOG_ERR, "PKCS#11: Invalid public key algorithm"); - rc = -EIO; - goto out; -@@ -318,6 +336,7 @@ - int nbytes, ebytes; - char *hash = NULL; - char *data = NULL; -+ const BIGNUM *rsa_n, *rsa_e; - int rc; - - if ((rc = ecryptfs_pkcs11h_get_public_key(&rsa, blob))) { -@@ -331,11 +350,13 @@ - rc = -ENOMEM; - goto out; - } -- nbits = BN_num_bits(rsa->n); -+ RSA_get0_key(rsa, &rsa_n, NULL, NULL); -+ nbits = BN_num_bits(rsa_n); - nbytes = nbits / 8; - if (nbits % 8) - nbytes++; -- ebits = BN_num_bits(rsa->e); -+ RSA_get0_key(rsa, NULL, &rsa_e, NULL); -+ ebits = BN_num_bits(rsa_e); - ebytes = ebits / 8; - if (ebits % 8) - ebytes++; -@@ -358,11 +379,13 @@ - data[i++] = '\02'; - data[i++] = (char)(nbits >> 8); - data[i++] = (char)nbits; -- BN_bn2bin(rsa->n, &(data[i])); -+ RSA_get0_key(rsa, &rsa_n, NULL, NULL); -+ BN_bn2bin(rsa_n, &(data[i])); - i += nbytes; - data[i++] = (char)(ebits >> 8); - data[i++] = (char)ebits; -- BN_bn2bin(rsa->e, &(data[i])); -+ RSA_get0_key(rsa, NULL, &rsa_e, NULL); -+ BN_bn2bin(rsa_e, &(data[i])); - i += ebytes; - SHA1(data, len + 3, hash); - to_hex(sig, hash, ECRYPTFS_SIG_SIZE); - diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec deleted file mode 100644 index 890ebe7..0000000 --- a/ecryptfs-utils.spec +++ /dev/null @@ -1,795 +0,0 @@ -# FIXME rhbz#533920, automake does not support python3 -%bcond_with python3 - -%bcond_without unittests - -%global confflags %{shrink: \ - --enable-pywrap --enable-tspi --enable-nss \ - --enable-pkcs11-helper --enable-tests \ - --with-pamdir=%{_libdir}/security \ -} - -%global pydesc \ -The package contains a module that permits\ -applications written in the Python programming language to use\ -the interface supplied by the %{name} library. - -Name: ecryptfs-utils -Version: 111 -Release: 26%{?dist} -Summary: The eCryptfs mount helper and support libraries -License: GPLv2+ -URL: https://launchpad.net/ecryptfs - -Source0: http://launchpad.net/ecryptfs/trunk/%{version}/+download/%{name}_%{version}.orig.tar.gz -Source1: ecryptfs-mount-private.png - -### upstream patches -# rhbz#1384023, openssl 1.1.x -Patch1: https://code.launchpad.net/~jelle-vdwaa/ecryptfs/ecryptfs/+merge/319746/+preview-diff/792383/+files/preview.diff#/%{name}-openssl11.patch - -### downstream patches -# rhbz#500829, do not use ubuntu/debian only service -Patch92: %{name}-75-nocryptdisks.patch - -# rhbz#553629, fix usage of salt together with file_passwd -Patch93: %{name}-83-fixsalt.patch - -# fedora/rhel specific, rhbz#486139, remove nss dependency from umount.ecryptfs -Patch94: %{name}-83-splitnss.patch - -# rhbz#664474, fix unsigned < 0 test -Patch95: %{name}-84-fixsigness.patch - -# fix man pages -Patch98: %{name}-86-manpage.patch - -# autoload ecryptfs module in ecryptfs-setup-private when needed, rhbz#707608 -Patch99: %{name}-87-autoload.patch - -# fedora/rhel specific, check for pam ecryptfs module before home migration -Patch911: %{name}-87-authconfig.patch - -# using return after fork() in pam module has some nasty side effects, rhbz#722445 -Patch914: %{name}-87-fixpamfork.patch - -# we need gid==ecryptfs in pam module before mount.ecryptfs_private execution -Patch915: %{name}-87-fixexecgid.patch - -# do not use zombie process, it causes lock ups at least for ssh login -Patch916: %{name}-87-nozombies.patch - -# if we do not use zombies, we have to store passphrase in pam_data and init keyring later -Patch917: %{name}-87-pamdata.patch - -# patch17 needs propper const on some places -Patch918: %{name}-87-fixconst.patch - -Patch919: %{name}-87-syslog.patch - -# if e-m-p fails, check if user is member of ecryptfs group -Patch921: %{name}-96-groupcheck.patch -Patch922: %{name}-99-selinux.patch - -# rhbz#868330 -Patch923: %{name}-100-sudokeyring.patch - -# for e-u < 112 -Patch924: %{name}-111-cve_2016_5224.patch - -# do not crash if no password is available #1339714 -Patch925: %{name}-111-nopasswd.patch - -# Authconfig should no longer be used since F28 -Patch926: %{name}-111-authselect.patch - -### patches for general cleanup, should be kept and executed after all others -# allow building with -Werror -Patch999: %{name}-75-werror.patch - -BuildRequires: python-rpm-macros -BuildRequires: swig >= 1.3.31 -BuildRequires: libgcrypt-devel keyutils-libs-devel openssl-devel pam-devel -BuildRequires: trousers-devel nss-devel desktop-file-utils intltool -BuildRequires: pkcs11-helper-devel -BuildRequires: automake autoconf libtool glib2-devel gettext-devel perl-podlators libattr-devel - -Requires: kernel-modules, keyutils, cryptsetup, util-linux, gettext - -%description -eCryptfs is a stacked cryptographic filesystem that ships in Linux -kernel versions 2.6.19 and above. This package provides the mount -helper and supporting libraries to perform key management and mount -functions. - -Install %{name} if you would like to mount eCryptfs. - -%package devel -Summary: The eCryptfs userspace development package -Requires: %{name} = %{version}-%{release} -Requires: keyutils-libs-devel %{name} = %{version}-%{release} -Requires: pkgconfig - -%description devel -Userspace development files for eCryptfs. - -%if %{with python3} -%package -n python%{python3_pkgversion}-%{name} -Summary: Python bindings for the eCryptfs utils -Requires: %{name} = %{version}-%{release} -BuildRequires: python%{python3_pkgversion}-devel -BuildRequires: make -Provides: %{name}-python -Obsoletes: %{name}-python < %{version}-%{release} -%{?python_provide:%python_provide python%{python3_pkgversion}-%{name}} - -%description -n python%{python3_pkgversion}-%{name} %pydesc -%endif - - -%prep -%setup -q - -%patch1 -p0 -b .openssl11 - -%patch92 -p1 -b .nocryptdisks -%patch93 -p1 -b .fixsalt -%patch94 -p1 -b .splitnss -%patch95 -p1 -b .fixsigness -%patch98 -p1 -b .manfix -%patch99 -p1 -b .autoload -%patch911 -p1 -b .authconfig -%patch914 -p1 -b .fixpamfork -%patch915 -p1 -b .fixexecgid -%patch916 -p1 -b .nozombies -%patch917 -p1 -b .pamdata -%patch918 -p1 -b .fixconst -%patch919 -p1 -b .syslog -%patch921 -p1 -b .groupcheck -%patch922 -p1 -b .selinux -%patch923 -p1 -b .sudokeyring -%patch924 -p1 -b .cve_2016_5224 -%patch925 -p1 -b .nopasswd -%patch926 -p1 -b .authselect - -%patch999 -p1 -b .werror - -sed -i -r 's:^_syslog\(LOG:ecryptfs_\0:' src/pam_ecryptfs/pam_ecryptfs.c - -# snprintf directive output may be truncated -sed -i -r 's:(snprintf.*"\%)(s/\%)(s"):\1.42\2.23\3:' \ - tests/kernel/inotify/test.c - -# fix usr-move -sed -i -r 's:(rootsbindir=).*:\1"%{_sbindir}":' configure.ac -autoreconf -fiv - -%build -# openssl 1.1 marks some functions as deprecated -export ERRFLAGS="-Werror -Wtype-limits -Wno-unused -Wno-error=deprecated-declarations" - -%if %{with python3} -export PYTHON_VERSION=3 -export PYTHON=%{__python3} -export PYTHON_NOVERSIONCHECK=1 -export PY3FLAGS='%(pkg-config --cflags --libs python3)' -export CFLAGS="$RPM_OPT_FLAGS $PY3FLAGS $ERRFLAGS" -%configure %{confflags} -%else -%configure %{confflags} --disable-pywrap -%endif -%make_build - -%install -%make_install - -find $RPM_BUILD_ROOT/ -name '*.la' -print -delete -rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name} - -#install files Makefile forgot to install -install -p -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.png -printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop -printf "Encoding=UTF-8\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-setup-private.desktop -printf "Icon=%{_datadir}/%{name}/ecryptfs-mount-private.png\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop -printf "Icon=%{_datadir}/%{name}/ecryptfs-mount-private.png\n" >>$RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-setup-private.desktop -sed -i 's|^_||' $RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-mount-private.desktop -sed -i 's|^_||' $RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-setup-private.desktop -chmod +x $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-mount-private.desktop -chmod +x $RPM_BUILD_ROOT%{_datadir}/%{name}/ecryptfs-setup-private.desktop -for file in $(find py2/src/desktop -name ¸*.desktop) ; do - touch -r $file $RPM_BUILD_ROOT%{_datadir}/%{name}/$(basename $file) -done -rm -f $RPM_BUILD_ROOT/%{_datadir}/%{name}/ecryptfs-record-passphrase - -#we need ecryptfs kernel module -mkdir -p $RPM_BUILD_ROOT/usr/lib/modules-load.d/ -echo -e "# ecryptfs module is needed before ecryptfs mount, so mount helper can \n# check for file name encryption support\necryptfs" \ - >$RPM_BUILD_ROOT/usr/lib/modules-load.d/ecryptfs.conf - -%find_lang %{name} - - -%check -desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/%{name}/*.desktop - -if ldd $RPM_BUILD_ROOT%{_sbindir}/umount.ecryptfs | grep -q '%{_prefix}/' -then - exit 1 -fi - -%if %{with unittests} -for folder in $(find . -name py\* -type d) ; do - export LD_LIBRARY_PATH=${folder}/src/libecryptfs/.libs - make check -C $folder -done -%endif - -%pre -groupadd -r -f ecryptfs - -%post -/sbin/ldconfig -if [ $1 -eq 1 ] ; then - # Initial installation - authselect enable-feature with-ecryptfs >/dev/null 2>&1 -fi - -%postun -/sbin/ldconfig -if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - authselect disable-feature with-ecryptfs >/dev/null 2>&1 -fi - -%files -f %{name}.lang -%license COPYING -%doc README AUTHORS NEWS THANKS -%doc doc/ecryptfs-faq.html -%doc doc/ecryptfs-pkcs11-helper-doc.txt -%{_sbindir}/mount.ecryptfs -%{_sbindir}/umount.ecryptfs -%attr(4750,root,ecryptfs) %{_sbindir}/mount.ecryptfs_private -%{_sbindir}/umount.ecryptfs_private -%{_bindir}/ecryptfs-add-passphrase -%{_bindir}/ecryptfs-find -%{_bindir}/ecryptfs-generate-tpm-key -%{_bindir}/ecryptfs-insert-wrapped-passphrase-into-keyring -%{_bindir}/ecryptfs-manager -%{_bindir}/ecryptfs-migrate-home -%{_bindir}/ecryptfs-mount-private -%{_bindir}/ecryptfs-recover-private -%{_bindir}/ecryptfs-rewrap-passphrase -%{_bindir}/ecryptfs-rewrite-file -%{_bindir}/ecryptfs-setup-private -%{_bindir}/ecryptfs-setup-swap -%{_bindir}/ecryptfs-stat -%{_bindir}/ecryptfs-umount-private -%{_bindir}/ecryptfs-unwrap-passphrase -%{_bindir}/ecryptfs-verify -%{_bindir}/ecryptfs-wrap-passphrase -%{_bindir}/ecryptfsd -%{_libdir}/ecryptfs -%{_libdir}/libecryptfs.so.* -%{_libdir}/security/pam_ecryptfs.so -%{_prefix}/lib/modules-load.d/ecryptfs.conf -%dir %{_datadir}/%{name} -%{_datadir}/%{name}/ecryptfs-mount-private.txt -%{_datadir}/%{name}/ecryptfs-mount-private.desktop -%{_datadir}/%{name}/ecryptfs-mount-private.png -%{_datadir}/%{name}/ecryptfs-setup-private.desktop -%{_mandir}/man1/ecryptfs-add-passphrase.1.gz -%{_mandir}/man1/ecryptfs-find.1* -%{_mandir}/man1/ecryptfs-generate-tpm-key.1.gz -%{_mandir}/man1/ecryptfs-insert-wrapped-passphrase-into-keyring.1.gz -%{_mandir}/man1/ecryptfs-mount-private.1.gz -%{_mandir}/man1/ecryptfs-recover-private.1.gz -%{_mandir}/man1/ecryptfs-rewrap-passphrase.1.gz -%{_mandir}/man1/ecryptfs-rewrite-file.1.gz -%{_mandir}/man1/ecryptfs-setup-private.1.gz -%{_mandir}/man1/ecryptfs-setup-swap.1.gz -%{_mandir}/man1/ecryptfs-stat.1.gz -%{_mandir}/man1/ecryptfs-umount-private.1.gz -%{_mandir}/man1/ecryptfs-unwrap-passphrase.1.gz -%{_mandir}/man1/ecryptfs-verify.1* -%{_mandir}/man1/ecryptfs-wrap-passphrase.1.gz -%{_mandir}/man1/mount.ecryptfs_private.1.gz -%{_mandir}/man1/umount.ecryptfs_private.1.gz -%{_mandir}/man7/ecryptfs.7.gz -%{_mandir}/man8/ecryptfs-manager.8.gz -%{_mandir}/man8/ecryptfs-migrate-home.8* -%{_mandir}/man8/ecryptfsd.8.gz -%{_mandir}/man8/mount.ecryptfs.8.gz -%{_mandir}/man8/pam_ecryptfs.8.gz -%{_mandir}/man8/umount.ecryptfs.8.gz - -%files devel -%{_libdir}/libecryptfs.so -%{_libdir}/pkgconfig/libecryptfs.pc -%{_includedir}/ecryptfs.h - -%if %{with python3} -%files -n python%{python3_pkgversion}-%{name} -%{python3_sitearch}/%{name}/ -%{python3_sitelib}/%{name}/ -%endif - - -%changelog -* Thu Jan 20 2022 Fedora Release Engineering - 111-26 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Tue Sep 14 2021 Sahana Prasad - 111-25 -- Rebuilt with OpenSSL 3.0.0 - -* Wed Jul 21 2021 Fedora Release Engineering - 111-24 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jul 14 2021 Michal Hlavinka - 111-23 -- fix fail to install #1978884 - -* Tue Jan 26 2021 Fedora Release Engineering - 111-22 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Mon Jul 27 2020 Fedora Release Engineering - 111-21 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jan 28 2020 Fedora Release Engineering - 111-20 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Wed Jul 24 2019 Fedora Release Engineering - 111-19 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Tue Jun 25 2019 Michal Hlavinka - 111-18 -- require kernel-modules, where ecryptfs kernel module lives - -* Thu Jan 31 2019 Fedora Release Engineering - 111-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Fri Nov 16 2018 Michal Hlavinka - 111-16 -- drop python2 subpackage is python2 is no longer supported in Fedora 30+ (#1627433) - -* Fri Sep 07 2018 Michal Hlavinka - 111-15 -- switch to authselect since it replaced authconfig in F28 (RHBZ#1577174) - -* Tue Jul 31 2018 Florian Weimer - 111-14 -- Rebuild with fixed binutils - -* Thu Jul 12 2018 Fedora Release Engineering - 111-13 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Mon Mar 05 2018 Raphael Groner - 111-12 -- avoid unversioned python executable -- add python3 subpackage (experimental, found odd bug in automake) -- optimize generally here and there - -* Fri Feb 09 2018 Igor Gnatenko - 111-11 -- Escape macros in %%changelog - -* Wed Feb 07 2018 Fedora Release Engineering - 111-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek - 111-9 -- Add Provides for the old name without %%_isa - -* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 111-8 -- Python 2 binary package renamed to python2-ecryptfs-utils - See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 - -* Wed Aug 02 2017 Fedora Release Engineering - 111-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 111-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Sun Jun 04 2017 Raphael Groner - 111-5 -- add patch for openssl 1.1.x, rhbz#1384023 -- mark patches of upstream and downstream -- fix legacy patches to still work, drop obsolete patch for memcpyfix -- general modernization according to guidelines, drop obsolete commands - -* Fri Feb 10 2017 Fedora Release Engineering - 111-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Wed Feb 01 2017 Michal Hlavinka - 111-3 -- do not crash when using fingerprint reader #1339714 - -* Tue Jul 19 2016 Fedora Release Engineering - 111-2 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Fri Jul 15 2016 Michal Hlavinka - 111-1 -- %%{name} updated to 111 -- fix ecryptfs-setup-swap improperly configures encrypted swap when using GPT - partitioning on a NVMe or MMC drive (CVE-2016-6224, rhbz#1356828) - -* Mon Feb 29 2016 Michal Hlavinka - 110-1 -- %%{name} updated to 110 - -* Wed Feb 03 2016 Fedora Release Engineering - 109-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Tue Jan 26 2016 Michal Hlavinka - 109-1 -- %%{name} updated to 109 - -* Tue Aug 11 2015 Michal Hlavinka - 108-1 -- %%{name} updated to 108 - -* Wed Jun 17 2015 Fedora Release Engineering - 106-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Mon Mar 30 2015 Michal Hlavinka - 106-1 -- %%{name} updated to 106 - -* Mon Jan 26 2015 Michal Hlavinka - 104-3 -- fix pam sigsegv (#1184645) - -* Sat Aug 16 2014 Fedora Release Engineering - 104-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Wed Jul 23 2014 Michal Hlavinka - 104-1 -- %%{name} updated to 104 - -* Sat Jun 07 2014 Fedora Release Engineering - 103-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Wed Nov 13 2013 Michal Hlavinka - 103-4 -- ecryptfs-migrate-home did not restore selinux labels (#1017402) - -* Sat Aug 03 2013 Fedora Release Engineering - 103-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Thu May 23 2013 Michal Hlavinka - 103-2 -- make executables hardened (#965505) - -* Wed Jan 30 2013 Michal Hlavinka - 103-1 -- %%{name} updated to 103 - -* Mon Oct 29 2012 Michal Hlavinka - 101-1 -- %%{name} updated to 101 - -* Thu Oct 25 2012 Michal Hlavinka - 100-6 -- home migration did not work under sudo (#868330) - -* Mon Oct 22 2012 Michal Hlavinka - 100-5 -- set selinux boolean only if not already set (#868298) - -* Thu Oct 18 2012 Michal Hlavinka - 100-4 -- fix typo in restorecon path (#865839) - -* Thu Sep 27 2012 Michal Hlavinka - 100-3 -- do not crash in pam module when non-existent user name is used (#859766) - -* Mon Aug 20 2012 Michal Hlavinka - 100-2 -- fix Werror messages in new build environment - -* Fri Aug 03 2012 Michal Hlavinka - 100-1 -- %%{name} updated to 100 - -* Tue Jul 24 2012 Michal Hlavinka - 99-1 -- %%{name} updated to 99 -- fixes: suid helper does not restrict mounting filesystems with - nosuid, nodev leading to possible privilege escalation (CVE-2012-3409) - -* Wed Jul 18 2012 Fedora Release Engineering - 97-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Mon Jun 25 2012 Michal Hlavinka - 97-1 -- %%{name} updated to 97 - -* Mon Jun 04 2012 Michal Hlavinka - 96-3 -- for file name encryption support check, module must be loaded already - -* Mon Apr 16 2012 Michal Hlavinka - 96-2 -- when ecryptfs-mount-fails, check if user is member of ecryptfs group - -* Mon Feb 20 2012 Michal Hlavinka - 96-1 -- %%{name} updated to 96 - -* Mon Feb 13 2012 Michal Hlavinka - 95-3 -- blowfish and twofish support check did not work with on 3.2.x kernels (#785036) - -* Fri Jan 13 2012 Fedora Release Engineering - 95-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Fri Dec 16 2011 Michal Hlavinka - 95-1 -- updated to v. 95 - -* Wed Dec 07 2011 Michal Hlavinka - 93-2 -- update pam config in post install phase - -* Mon Oct 31 2011 Michal Hlavinka - 93-1 -- updated to v. 93 - -* Wed Aug 31 2011 Michal Hlavinka - 90-2 -- set the group id in mount.ecryptfs_private (CVE-2011-3145) - -* Thu Aug 11 2011 Michal Hlavinka - 90-1 -- security fixes: -- privilege escalation via mountpoint race conditions (CVE-2011-1831, CVE-2011-1832) -- race condition when checking source during mount (CVE-2011-1833) -- mtab corruption via improper handling (CVE-2011-1834) -- key poisoning via insecure temp directory handling (CVE-2011-1835) -- information disclosure via recovery mount in /tmp (CVE-2011-1836) -- arbitrary file overwrite via lock counter race (CVE-2011-1837) - -* Tue Aug 09 2011 Michal Hlavinka - 87-9 -- improve logging messages of ecryptfs pam module -- keep own copy of passphrase, pam clears it too early - -* Wed Aug 03 2011 Michal Hlavinka - 87-8 -- keyring from auth stack does not survive, use pam_data and delayed - keyring initialization - -* Thu Jul 21 2011 Michal Hlavinka - 87-7 -- fix pam module to set ecryptfs gid before mount helper execution -- do not use zombie process, it causes lock ups in ssh - -* Tue Jul 19 2011 Michal Hlavinka - 87-6 -- do not use memcpy for overlaping areas -- fix broken pam module resulting in session with wrong gid - -* Mon Jul 11 2011 Michal Hlavinka - 87-5 -- fix mtab handling everywhere - -* Thu Jun 09 2011 Michal Hlavinka - 87-4 -- check for ecryptfs pam module before home dir migration - -* Tue Jun 07 2011 Michal Hlavinka - 87-3 -- update of mtab does not work if it's a symlink (#706911) - -* Thu May 26 2011 Michal Hlavinka - 87-2 -- auto-load ecryptfs module in ecryptfs-setup-private - -* Tue May 24 2011 Michal Hlavinka - 87-1 -- updated to v. 87 - -* Fri Mar 11 2011 Michal Hlavinka - 86-3 -- fix man pages - -* Wed Mar 02 2011 Michal Hlavinka - 86-2 -- fix selinux context - -* Fri Feb 25 2011 Michal Hlavinka - 86-1 -- updated to v. 86 - -* Tue Feb 08 2011 Fedora Release Engineering - 85-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Tue Feb 01 2011 Michal Hlavinka - 85-1 -- %%{name} updated to 85 - -* Tue Jan 11 2011 Dan Horák - 84-3 -- fix build on arches where char is unsigned by default - -* Tue Jan 04 2011 Michal Hlavinka - 84-2 -- fix unsigned < 0 test (#664474) - -* Mon Dec 20 2010 Michal Hlavinka - 84-1 -- %%{name} updated to 84 - -* Wed Sep 29 2010 jkeating - 83-9 -- Rebuilt for gcc bug 634757 - -* Wed Sep 22 2010 Michal Hlavinka - 83-8 -- add missing gettext require (#630212) - -* Mon Jul 26 2010 Michal Hlavinka - 83-7 -- fix ftbfs for python mass rebuild - -* Wed Jul 21 2010 David Malcolm - 83-6 -- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild - -* Tue May 04 2010 Michal Hlavinka - 83-5 -- remove nss dependency from umount.ecryptfs - -* Fri Apr 16 2010 Michal Hlavinka - 83-4 -- make salt working together with passwd_file - -* Mon Mar 22 2010 Michal Hlavinka - 83-3 -- enable PKCS#11 support - -* Wed Mar 10 2010 Michal Hlavinka - 83-2 -- blkid moved from e2fsprogs to util-linux-ng, follow the change (#569996) - -* Thu Feb 18 2010 Michal Hlavinka - 83-1 -- updated to v. 83 - -* Wed Jan 27 2010 Michal Hlavinka - 82-2 -- better fix for (#486139) - -* Wed Nov 11 2009 Michal Hlavinka - 82-1 -- updated to 82 - -* Mon Nov 09 2009 Michal Hlavinka - 81-2 -- fix getext typos (#532732) - -* Tue Sep 29 2009 Michal Hlavinka - 81-1 -- updated to 81 - -* Fri Aug 21 2009 Tomas Mraz - 79-2 -- rebuilt with new openssl - -* Tue Aug 18 2009 Michal Hlavinka - 79-1 -- updated to 79 - -* Wed Jul 29 2009 Michal Hlavinka - 78-2 -- ecryptfs-dot-private is no longer used - -* Wed Jul 29 2009 Michal Hlavinka - 78-1 -- updated to 78 - -* Fri Jul 24 2009 Fedora Release Engineering - 76-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Mon Jul 20 2009 Michal Hlavinka 76-1 -- updated to 76 - -* Thu May 21 2009 Michal Hlavinka 75-1 -- removed executable permission from ecryptfs-dot-private (#500817) -- require cryptsetup-luks for encrypted swap (#500824) -- use blkid instead of vol_id (#500820) -- don't rely on cryptdisks service (#500829) -- add icon for Access-Your-Private-Data.desktop file -- updated to 75 -- restrict mount.ecryptfs_private to ecryptfs group members only - -* Thu Apr 23 2009 Michal Hlavinka 74-1 -- updated to 74 - -* Sat Mar 21 2009 Michal Hlavinka 73-1 -- updated to 73 -- move libs from /usr/lib to /lib (#486139) -- fix symlinks created by ecryptfs-setup-private (#486146) - -* Tue Feb 24 2009 Michal Hlavinka 71-1 -- updated to 71 -- remove .la files - -* Mon Feb 16 2009 Michal Hlavinka 70-1 -- updated to 70 -- fix: #479762 - ecryptfsecryptfs-setup-private broken -- added umount option to clear per-user keyring - -* Mon Feb 02 2009 Michal Hlavinka 69-4 -- fix list of onwed directories - -* Tue Jan 27 2009 Michal Hlavinka 69-3 -- add missing requires: keyutils - -* Tue Jan 27 2009 Michal Hlavinka 69-2 -- bump release for rebuild - -* Tue Jan 27 2009 Michal Hlavinka 69-1 -- updated to 69 - -* Mon Jan 12 2009 Michal Hlavinka 68-0 -- updated to 68 -- fix #478464 - /usr/bin/ecryptfs-setup-private errors out - -* Mon Dec 29 2008 Michal Hlavinka 67-1 -- bump release for rebuild - -* Mon Dec 29 2008 Michal Hlavinka 67-0 -- updated to 67 - -* Wed Oct 22 2008 Mike Halcrow 61-0 -- Add support for filename encryption enablement (future kernel feature) -- Replace uint32_t with size_t for x86_64 compatibility (patch by Eric Sandeen) - -* Fri Oct 17 2008 Eric Sandeen 59-2 -- Remove duplicate doc files from rpm - -* Tue Oct 07 2008 Mike Halcrow 59-1 -- Put attr declaration in the right spot - -* Tue Oct 07 2008 Mike Halcrow 59-0 -- Make /sbin/*ecryptfs* files setuid -- Add /sbin path to ecryptfs-setup-private - -* Mon Oct 06 2008 Mike Halcrow 58-0 -- TSPI key module update to avoid flooding TrouSerS library with requests -- OpenSSL key module parameter fixes -- Updates to mount-on-login utilities - -* Wed Aug 13 2008 Mike Halcrow 56-0 -- Namespace fixes for the key module parameter aliases -- Updates to the man page and the README - -* Wed Jul 30 2008 Eric Sandeen 53-0 -- New upstream version -- Many new manpages, new ecryptfs-stat util - -* Thu Jul 17 2008 Tom "spot" Callaway 50-1 -- fix license tag - -* Fri Jun 27 2008 Mike Halcrow 50-0 -- Add umount.ecryptfs_private symlink -- Add pam_mount session hooks for mount and unmount - -* Fri Jun 27 2008 Eric Sandeen 49-1 -- build with TrouSerS key module - -* Fri Jun 27 2008 Eric Sandeen 49-0 -- New upstream version - -* Tue Jun 03 2008 Eric Sandeen 46-0 -- New upstream version - -* Mon Feb 18 2008 Mike Halcrow 40-0 -- Enable passwd_file option in openssl key module - -* Wed Feb 13 2008 Mike Halcrow 39-0 -- Fix include upstream - -* Wed Feb 13 2008 Karsten Hopp 38-1 -- fix includes - -* Tue Jan 8 2008 Mike Halcrow 38-0 - - Fix passthrough mount option prompt - - Clarify man page - - Add HMAC option (for future kernel versions) - - Bump to version 38 - -* Wed Dec 19 2007 Mike Halcrow 37-0 -- Remove unsupported ciphers; bump to version 37 - -* Tue Dec 18 2007 Mike Halcrow 36-0 -- Cipher selection detects .gz ko files; bump to version 36 - -* Mon Dec 17 2007 Mike Halcrow 35-0 -- Cleanups to cipher selection; bump to version 35 - -* Mon Dec 17 2007 Mike Halcrow 34-0 -- Fix OpenSSL key module; bump to version 34 - -* Fri Dec 14 2007 Mike Halcrow 33-1 -- Add files to package - -* Fri Dec 14 2007 Mike Halcrow 33-0 -- update to version 33 - -* Thu Dec 13 2007 Karsten Hopp 32-1 -- update to version 32 - -* Thu Nov 29 2007 Karsten Hopp 30-2 -- fix ia64 libdir -- build initial RHEL-5 version - -* Thu Nov 29 2007 Karsten Hopp 30-1 -- build version 30 - -* Fri Oct 05 2007 Mike Halcrow - 30-0 -- Bump to version 30. Several bugfixes. Key modules are overhauled - with a more sane API. -* Wed Aug 29 2007 Fedora Release Engineering - 18-1 -- Rebuild for selinux ppc32 issue. - -* Thu Jun 28 2007 Mike Halcrow - 18-0 -- Bump to version 18 with an OpenSSL key module fix -* Thu Jun 21 2007 Kevin Fenzi - 17-1 -- Change kernel Requires to Conflicts -- Remove un-needed devel buildrequires -* Wed Jun 20 2007 Mike Halcrow - 17-0 -- Provide built-in fallback passphrase key module. Remove keyutils, - openssl, and pam requirements (library dependencies take care of - this). Include wrapped passphrase executables in file set. -* Fri Apr 20 2007 Mike Halcrow - 15-1 -- Change permission of pam_ecryptfs.so from 644 to 755. -* Thu Apr 19 2007 Mike Halcrow - 15-0 -- Fix mount option parse segfault. Fix pam_ecryptfs.so semaphore - issue when logging in via ssh. -* Thu Mar 01 2007 Mike Halcrow - 10-0 -- Remove verbose syslog() calls; change key module build to allow - OpenSSL module to be disabled from build; add AUTHORS, NEWS, and - THANKS to docs; update Requires with variables instead of hardcoded - name and version. -* Tue Feb 06 2007 Mike Halcrow - 9-1 -- Minor update in README, add dist tag to Release, add --disable-rpath - to configure step, and remove keyutils-libs from Requires. -* Tue Jan 09 2007 Mike Halcrow - 9-0 -- Correct install directories for 64-bit; add support for xattr and - encrypted_view mount options -* Tue Jan 02 2007 Mike Halcrow - 8-0 -- Introduce build support for openCryptoki key module. Fix -dev build - dependencies for devel package -* Mon Dec 11 2006 Mike Halcrow - 7-0 -- Initial package creation diff --git a/sources b/sources deleted file mode 100644 index 6a85677..0000000 --- a/sources +++ /dev/null @@ -1,2 +0,0 @@ -e612ddb9ccb17f8fec79df26e626a8c6 ecryptfs-mount-private.png -83513228984f671930752c3518cac6fd ecryptfs-utils_111.orig.tar.gz