diff --git a/ecryptfs-utils-75-nocryptdisks.patch b/ecryptfs-utils-75-nocryptdisks.patch index 763dc90..e48411f 100644 --- a/ecryptfs-utils-75-nocryptdisks.patch +++ b/ecryptfs-utils-75-nocryptdisks.patch @@ -1,6 +1,6 @@ -diff -up ecryptfs-utils-81/src/utils/ecryptfs-setup-swap.nocryptdisks ecryptfs-utils-81/src/utils/ecryptfs-setup-swap ---- ecryptfs-utils-81/src/utils/ecryptfs-setup-swap.nocryptdisks 2009-09-19 01:41:21.000000000 +0200 -+++ ecryptfs-utils-81/src/utils/ecryptfs-setup-swap 2009-09-29 10:25:07.481996541 +0200 +diff -up ecryptfs-utils-106/src/utils/ecryptfs-setup-swap.nocryptdisks ecryptfs-utils-106/src/utils/ecryptfs-setup-swap +--- ecryptfs-utils-106/src/utils/ecryptfs-setup-swap.nocryptdisks 2015-03-11 16:15:31.000000000 +0100 ++++ ecryptfs-utils-106/src/utils/ecryptfs-setup-swap 2015-03-30 11:07:17.042580187 +0200 @@ -37,23 +37,20 @@ warn() { usage() { echo @@ -27,7 +27,7 @@ diff -up ecryptfs-utils-81/src/utils/ecryptfs-setup-swap.nocryptdisks ecryptfs-u *) usage ;; -@@ -166,7 +163,6 @@ for swap in $swaps; do +@@ -168,7 +165,6 @@ for swap in $swaps; do # Add fstab entry echo "/dev/mapper/cryptswap$i none swap sw 0 0" >> /etc/fstab done @@ -35,8 +35,8 @@ diff -up ecryptfs-utils-81/src/utils/ecryptfs-setup-swap.nocryptdisks ecryptfs-u if [ "$NO_RELOAD" != 1 ]; then # Turn swap off swapoff -a -@@ -179,3 +175,4 @@ if [ "$NO_RELOAD" != 1 ]; then +@@ -181,3 +177,4 @@ if [ "$NO_RELOAD" != 1 ]; then fi - info `gettext "Successfully setup encrypted swap!"` + info `gettext "Successfully encrypted swap!"` +info "This will take effect after reboot" diff --git a/ecryptfs-utils-86-manpage.patch b/ecryptfs-utils-86-manpage.patch index 58e7902..d1ef9b9 100644 --- a/ecryptfs-utils-86-manpage.patch +++ b/ecryptfs-utils-86-manpage.patch 
@@ -1,6 +1,6 @@ -diff -up ecryptfs-utils-104/doc/manpage/ecryptfs.7.GQgRwl ecryptfs-utils-104/doc/manpage/ecryptfs.7 ---- ecryptfs-utils-104/doc/manpage/ecryptfs.7.GQgRwl 2014-01-23 19:09:48.000000000 +0100 -+++ ecryptfs-utils-104/doc/manpage/ecryptfs.7 2014-07-22 16:16:08.040929713 +0200 +diff -up ecryptfs-utils-106/doc/manpage/ecryptfs.7.manfix ecryptfs-utils-106/doc/manpage/ecryptfs.7 +--- ecryptfs-utils-106/doc/manpage/ecryptfs.7.manfix 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-106/doc/manpage/ecryptfs.7 2015-03-30 11:08:58.583678996 +0200 @@ -1,6 +1,6 @@ .TH ecryptfs 7 2009-03-24 ecryptfs-utils "eCryptfs" .SH NAME @@ -13,8 +13,8 @@ diff -up ecryptfs-utils-104/doc/manpage/ecryptfs.7.GQgRwl ecryptfs-utils-104/doc The actual password is passphrase. Since the password is visible to utilities (like ps under Unix) this form should only be used where security is not important. .TP .B passphrase_passwd_file=(filename) --The password should be specified in a file with passwd=(passphrase). It is highly recommended that the file be stored on a secure medium such as a personal usb key. -+The password should be specified in a file with passwd=(passphrase). It is highly recommended that the file be stored on a secure medium such as a personal USB key. +-The password should be specified in a file with passphrase_passwd_file=(passphrase). It is highly recommended that the file be stored on a secure medium such as a personal usb key. ++The password should be specified in a file with passphrase_passwd_file=(passphrase). It is highly recommended that the file be stored on a secure medium such as a personal USB key. .TP .B passphrase_passwd_fd=(file descriptor) The password is specified through the specified file descriptor. 
@@ -27,9 +27,9 @@ diff -up ecryptfs-utils-104/doc/manpage/ecryptfs.7.GQgRwl ecryptfs-utils-104/doc .TP .B openssl_passwd_fd=(file descriptor) The password is specified through the specified file descriptor. -diff -up ecryptfs-utils-104/doc/manpage/ecryptfs-rewrite-file.1.GQgRwl ecryptfs-utils-104/doc/manpage/ecryptfs-rewrite-file.1 ---- ecryptfs-utils-104/doc/manpage/ecryptfs-rewrite-file.1.GQgRwl 2014-01-23 19:09:48.000000000 +0100 -+++ ecryptfs-utils-104/doc/manpage/ecryptfs-rewrite-file.1 2014-07-22 16:14:00.434530133 +0200 +diff -up ecryptfs-utils-106/doc/manpage/ecryptfs-rewrite-file.1.manfix ecryptfs-utils-106/doc/manpage/ecryptfs-rewrite-file.1 +--- ecryptfs-utils-106/doc/manpage/ecryptfs-rewrite-file.1.manfix 2015-02-10 17:59:34.000000000 +0100 ++++ ecryptfs-utils-106/doc/manpage/ecryptfs-rewrite-file.1 2015-03-30 11:07:51.019950149 +0200 @@ -14,7 +14,7 @@ This script may be combined with \fBfind ecryptfs-umount-private sync diff --git a/ecryptfs-utils-87-fixconst.patch b/ecryptfs-utils-87-fixconst.patch index e68a989..c5d027e 100644 --- a/ecryptfs-utils-87-fixconst.patch +++ b/ecryptfs-utils-87-fixconst.patch @@ -1,6 +1,6 @@ -diff -up ecryptfs-utils-103/src/include/ecryptfs.h.fixconst ecryptfs-utils-103/src/include/ecryptfs.h ---- ecryptfs-utils-103/src/include/ecryptfs.h.fixconst 2013-01-28 17:24:34.165260633 +0100 -+++ ecryptfs-utils-103/src/include/ecryptfs.h 2013-01-28 17:24:34.172260689 +0100 +diff -up ecryptfs-utils-106/src/include/ecryptfs.h.fixconst ecryptfs-utils-106/src/include/ecryptfs.h +--- ecryptfs-utils-106/src/include/ecryptfs.h.fixconst 2015-03-30 11:35:35.478375245 +0200 ++++ ecryptfs-utils-106/src/include/ecryptfs.h 2015-03-30 11:38:18.400269788 +0200 @@ -479,8 +479,8 @@ int ecryptfs_eval_decision_graph(struct struct val_node **head, struct param_node *root_node, 
@@ -27,20 +27,20 @@ diff -up ecryptfs-utils-103/src/include/ecryptfs.h.fixconst ecryptfs-utils-103/s int ecryptfs_generate_key_payload(struct ecryptfs_auth_tok *auth_tok, struct ecryptfs_key_mod *key_mod, char *sig, -@@ -515,15 +515,15 @@ int ecryptfs_read_salt_hex_from_rc(char - int ecryptfs_check_sig(char *auth_tok_sig, char *sig_cache_filename, - int *flags); +@@ -517,15 +517,15 @@ int ecryptfs_check_sig(char *auth_tok_si int ecryptfs_append_sig(char *auth_tok_sig, char *sig_cache_filename); + int __ecryptfs_detect_wrapped_passphrase_file_version(const char *filename, + uint8_t *version); -int ecryptfs_wrap_passphrase_file(char *dest, char *wrapping_passphrase, - char *wrapping_salt, char *src); -int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase, -- char *wrapping_salt, char *decrypted_passphrase); +- char *unused, char *decrypted_passphrase); -int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename, - char *wrapping_passphrase, char *wrapping_salt); +int ecryptfs_wrap_passphrase_file(const char *dest, const char *wrapping_passphrase, -+ const char *wrapping_salt, const char *src); ++ const char *wrapping_salt, const char *src); +int ecryptfs_wrap_passphrase(const char *filename, const char *wrapping_passphrase, -+ const char *wrapping_salt, char *decrypted_passphrase); ++ const char *unused, char *decrypted_passphrase); +int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, const char *filename, + const char *wrapping_passphrase, const char *wrapping_salt); int ecryptfs_insert_wrapped_passphrase_into_keyring( 
@@ -51,7 +51,7 @@ diff -up ecryptfs-utils-103/src/include/ecryptfs.h.fixconst ecryptfs-utils-103/s char *ecryptfs_get_wrapped_passphrase_filename(); struct ecryptfs_key_mod_ops *passphrase_get_key_mod_ops(void); int ecryptfs_validate_keyring(void); -@@ -571,7 +571,7 @@ char *ecryptfs_get_passphrase(char *prom +@@ -573,7 +573,7 @@ char *ecryptfs_get_passphrase(char *prom int ecryptfs_run_daemon(struct ecryptfs_messaging_ctx *mctx); #define ECRYPTFS_PRIVATE_DIR "Private" @@ -60,9 +60,9 @@ diff -up ecryptfs-utils-103/src/include/ecryptfs.h.fixconst ecryptfs-utils-103/s int ecryptfs_private_is_mounted(char *dev, char *mnt, char *sig, int mounting); #endif -diff -up ecryptfs-utils-103/src/libecryptfs/key_management.c.fixconst ecryptfs-utils-103/src/libecryptfs/key_management.c ---- ecryptfs-utils-103/src/libecryptfs/key_management.c.fixconst 2013-01-28 17:24:34.129260347 +0100 -+++ ecryptfs-utils-103/src/libecryptfs/key_management.c 2013-01-28 17:24:34.172260689 +0100 +diff -up ecryptfs-utils-106/src/libecryptfs/key_management.c.fixconst ecryptfs-utils-106/src/libecryptfs/key_management.c +--- ecryptfs-utils-106/src/libecryptfs/key_management.c.fixconst 2015-03-30 11:35:35.422376313 +0200 ++++ ecryptfs-utils-106/src/libecryptfs/key_management.c 2015-03-30 11:39:44.026637663 +0200 @@ -55,7 +55,7 @@ */ int ecryptfs_generate_passphrase_auth_tok(struct ecryptfs_auth_tok **auth_tok, @@ -72,7 +72,7 @@ diff -up ecryptfs-utils-103/src/libecryptfs/key_management.c.fixconst ecryptfs-u { int rc; -@@ -192,8 +192,8 @@ int ecryptfs_add_blob_to_keyring(char *b +@@ -195,8 +195,8 @@ int ecryptfs_add_blob_to_keyring(char *b * * Returns 0 on add, 1 on pre-existed, negative on failure. */ @@ -83,7 +83,7 @@ diff -up ecryptfs-utils-103/src/libecryptfs/key_management.c.fixconst ecryptfs-u { int rc; char fekek[ECRYPTFS_MAX_KEY_BYTES]; -@@ -222,8 +222,8 @@ out: +@@ -382,8 +382,8 @@ out: return rc; } 
@@ -94,18 +94,18 @@ diff -up ecryptfs-utils-103/src/libecryptfs/key_management.c.fixconst ecryptfs-u { int rc = 0; ssize_t size; -@@ -264,8 +264,8 @@ out: - return rc; - } - +@@ -540,8 +540,8 @@ out: + * + * Returns 0 upon success. Negative upon error. + */ -int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase, -- char *wrapping_salt, char *decrypted_passphrase) +- char *unused, char *decrypted_passphrase) +int ecryptfs_wrap_passphrase(const char *filename, const char *wrapping_passphrase, -+ const char *wrapping_salt, char *decrypted_passphrase) ++ const char *unused, char *decrypted_passphrase) { + char wrapping_salt[ECRYPTFS_SALT_SIZE]; char wrapping_auth_tok_sig[ECRYPTFS_SIG_SIZE_HEX + 1]; - char wrapping_key[ECRYPTFS_MAX_KEY_BYTES]; -@@ -410,8 +410,8 @@ out: +@@ -822,8 +822,8 @@ out: * decryptfs_passphrase must be able to hold * ECRYPTFS_MAX_PASSPHRASE_BYTES + 1 bytes */ @@ -114,9 +114,9 @@ diff -up ecryptfs-utils-103/src/libecryptfs/key_management.c.fixconst ecryptfs-u +int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, const char *filename, + const char *wrapping_passphrase, const char *wrapping_salt) { + char v2_wrapping_salt[ECRYPTFS_SALT_SIZE]; char wrapping_auth_tok_sig[ECRYPTFS_SIG_SIZE_HEX + 1]; - char wrapping_auth_tok_sig_from_file[ECRYPTFS_SIG_SIZE_HEX + 1]; -@@ -549,8 +549,8 @@ out: +@@ -976,8 +976,8 @@ out: * into the user session keyring. */ int ecryptfs_insert_wrapped_passphrase_into_keyring( 
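Review bot: The rebased definition of `ecryptfs_wrap_passphrase` in the inner `@@ -540,8 +540,8 @@` hunk now takes `const char *unused` where the salt used to be passed and declares its own `char wrapping_salt[ECRYPTFS_SALT_SIZE]`, but the comment block directly above it (ending in "Returns 0 upon success. Negative upon error.") still says nothing about that parameter. A line such as `* unused: ignored; the wrapping salt is no longer taken from the caller (parameter presumably kept so existing callers still compile)` would stop readers from passing a salt and expecting it to be honoured, and the header prototype in the earlier `@@ -517,15 +517,15 @@` hunk deserves the same remark. Where the local salt comes from is not visible in this hunk, so the comment should not claim more than that. Both the wrap and unwrap bodies continue past the hunk.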
@@ -127,10 +127,10 @@ diff -up ecryptfs-utils-103/src/libecryptfs/key_management.c.fixconst ecryptfs-u { char decrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1] ; int rc = 0; -diff -up ecryptfs-utils-103/src/libecryptfs/main.c.fixconst ecryptfs-utils-103/src/libecryptfs/main.c ---- ecryptfs-utils-103/src/libecryptfs/main.c.fixconst 2013-01-28 17:24:34.166260641 +0100 -+++ ecryptfs-utils-103/src/libecryptfs/main.c 2013-01-28 17:24:34.173260697 +0100 -@@ -93,7 +93,7 @@ out: +diff -up ecryptfs-utils-106/src/libecryptfs/main.c.fixconst ecryptfs-utils-106/src/libecryptfs/main.c +--- ecryptfs-utils-106/src/libecryptfs/main.c.fixconst 2015-03-30 11:35:35.479375226 +0200 ++++ ecryptfs-utils-106/src/libecryptfs/main.c 2015-03-30 11:35:35.492374978 +0200 +@@ -92,7 +92,7 @@ out: /* Read ecryptfs private mount from file * Allocate and return a string */ @@ -139,7 +139,7 @@ diff -up ecryptfs-utils-103/src/libecryptfs/main.c.fixconst ecryptfs-utils-103/s char *mnt_file = NULL; char *mnt_default = NULL; char *mnt = NULL; -@@ -209,7 +209,7 @@ int ecryptfs_private_is_mounted(char *de +@@ -212,7 +212,7 @@ int ecryptfs_private_is_mounted(char *de */ int generate_passphrase_sig(char *passphrase_sig, char *fekek, @@ -148,7 +148,7 @@ diff -up ecryptfs-utils-103/src/libecryptfs/main.c.fixconst ecryptfs-utils-103/s { char salt_and_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + ECRYPTFS_SALT_SIZE]; -@@ -253,7 +253,7 @@ generate_passphrase_sig(char *passphrase +@@ -256,7 +256,7 @@ generate_passphrase_sig(char *passphrase */ int generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig, diff --git a/ecryptfs-utils-87-fixexecgid.patch b/ecryptfs-utils-87-fixexecgid.patch index d5cd0c2..7b29841 100644 --- a/ecryptfs-utils-87-fixexecgid.patch +++ b/ecryptfs-utils-87-fixexecgid.patch 
@@ -1,27 +1,27 @@ -diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid 2013-01-28 17:23:15.389634398 +0100 -+++ ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c 2013-01-28 17:23:15.392634422 +0100 -@@ -330,8 +330,10 @@ static int private_dir(pam_handle_t *pam +diff -up ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid 2015-03-30 11:13:48.419194024 +0200 ++++ ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c 2015-03-30 11:16:44.434863028 +0200 +@@ -365,8 +365,10 @@ static int private_dir(pam_handle_t *pam _exit(0); } clearenv(); - if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) + if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { + syslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(255); + _exit(-1); + } /* run mount.ecryptfs_private as the user */ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) - _exit(255); -@@ -345,8 +347,10 @@ static int private_dir(pam_handle_t *pam + _exit(-1); +@@ -380,8 +382,10 @@ static int private_dir(pam_handle_t *pam _exit(0); } clearenv(); - if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) + if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { + syslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(255); + _exit(-1); + } /* run umount.ecryptfs_private as the user */ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) - _exit(255); + _exit(-1); diff --git a/ecryptfs-utils-87-fixpamfork.patch b/ecryptfs-utils-87-fixpamfork.patch index 966c397..1c415fe 100644 --- a/ecryptfs-utils-87-fixpamfork.patch +++ b/ecryptfs-utils-87-fixpamfork.patch 
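Review bot: The rebased patch still replaces `setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0` with a bare `initgroups(pwd->pw_name, pwd->pw_gid)` in both child branches, and nothing else in either hunk sets the primary gid: initgroups(3) only installs the supplementary group list, so the child reaches `setresuid()` and the exec with the real and effective gid of the process hosting the PAM module rather than the user's. The adjacent comments say the helper is to run "as the user", so the condition should read `if (initgroups(pwd->pw_name, pwd->pw_gid) != 0 || setgid(pwd->pw_gid) != 0) {` (setgid after initgroups, while the process is still privileged) in both the mount and umount branches, unless a setgid call exists outside the visible lines. The enclosing `private_dir` starts and ends outside both hunks.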
@@ -1,7 +1,7 @@ -diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork 2013-01-28 17:23:47.372888664 +0100 -+++ ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c 2013-01-28 17:23:47.418889029 +0100 -@@ -221,7 +221,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +diff -up ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork 2015-03-30 11:09:51.498677610 +0200 ++++ ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c 2015-03-30 11:13:32.209500784 +0200 +@@ -253,7 +253,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h } out_child: free(auth_tok_sig); @@ -10,7 +10,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs- } tmp_pid = waitpid(child_pid, NULL, 0); if (tmp_pid == -1) -@@ -315,7 +315,7 @@ static int private_dir(pam_handle_t *pam +@@ -349,7 +349,7 @@ static int private_dir(pam_handle_t *pam "%s/.ecryptfs/.wrapped-passphrase.recorded", pwd->pw_dir) < 0) || recorded == NULL) { syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for recorded name"); @@ -19,7 +19,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs- } if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { /* User has not recorded their passphrase */ -@@ -327,33 +327,35 @@ static int private_dir(pam_handle_t *pam +@@ -362,33 +362,35 @@ static int private_dir(pam_handle_t *pam if (stat(autofile, &s) != 0) { /* User does not want to auto-mount */ syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount"); 
@@ -28,15 +28,15 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs- } clearenv(); if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) -- return -1; -+ _exit(255); +- exit(-1); ++ _exit(-1); /* run mount.ecryptfs_private as the user */ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) -- return -1; -+ _exit(255); +- exit(-1); ++ _exit(-1); execl("/sbin/mount.ecryptfs_private", "mount.ecryptfs_private", NULL); -+ syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); ++ syslog(LOG_ERR, "unable to execute mount.ecryptfs_private : %m"); } else { if (stat(autofile, &s) != 0) { /* User does not want to auto-unmount */ @@ -46,24 +46,24 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs- } clearenv(); if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) -- return -1; -+ _exit(255); +- exit(-1); ++ _exit(-1); /* run umount.ecryptfs_private as the user */ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) -- return -1; -+ _exit(255); +- exit(-1); ++ _exit(-1); execl("/sbin/umount.ecryptfs_private", "umount.ecryptfs_private", NULL); - exit(1); -+ syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); -+ _exit(255); ++ syslog(LOG_ERR, "unable to execute umount.ecryptfs_private : %m"); ++ _exit(-1); } - exit(1); -+ _exit(255); ++ _exit(-1); } else { waitpid(pid, &rc, 0); } -@@ -501,7 +503,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -536,7 +538,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand goto out_child; } out_child: diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch index 2a48a8b..9e294ca 100644 --- a/ecryptfs-utils-87-pamdata.patch +++ b/ecryptfs-utils-87-pamdata.patch 
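Review bot: Every failure exit in the forked child is now `_exit(-1)` instead of the former `_exit(255)`; the status is truncated to its low eight bits, so the parent's `waitpid(pid, &rc, 0)` sees 255 either way and behaviour is unchanged, but a negative exit status reads like a propagated return code. `_exit(EXIT_FAILURE)` (or keeping 255) states the intent directly; the same substitution appears in the fixexecgid hunks above and as context in the syslog patch below. The `execl` failure in the mount branch relies on falling through the `else` to the final `_exit(-1)` after the block, which works but is easy to misread next to the umount branch that exits explicitly; an `_exit(EXIT_FAILURE);` right after the mount-branch `syslog` would make the two branches symmetric. `private_dir` continues outside the hunk.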
@@ -1,6 +1,6 @@ -diff -up ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg 2014-07-23 13:31:32.332095003 +0200 -+++ ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c 2014-07-23 14:49:05.903394057 +0200 +diff -up ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2015-03-30 12:35:15.001400416 +0200 ++++ ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c 2015-03-30 12:35:27.938155898 +0200 @@ -46,6 +46,26 @@ #define PRIVATE_DIR "Private" @@ -37,7 +37,16 @@ diff -up ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg ecryptfs-util { char *unwrapped_pw_filename = NULL; struct stat s; -@@ -95,143 +115,68 @@ static int wrap_passphrase_if_necessary( +@@ -93,7 +113,7 @@ static int wrap_passphrase_if_necessary( + } + + static int rewrap_passphrase_if_necessary(char *wrapped_pw_filename, +- char *wrapping_passphrase, char *salt) ++ char *wrapping_passphrase, const char *salt) + { + char passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1]; + uint8_t version; +@@ -123,147 +143,68 @@ static int rewrap_passphrase_if_necessar PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { @@ -78,13 +87,6 @@ diff -up ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg ecryptfs-util - } else { - syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); - goto out; -- } -- -- oeuid = geteuid(); -- oegid = getegid(); -- if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { -- syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); -- goto outnouid; + epd->uid = pwd->pw_uid; + epd->gid = pwd->pw_gid; + epd->homedir = pwd->pw_dir; 
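Review bot: The new inner hunk `@@ -93,7 +113,7 @@` makes only `salt` const in `rewrap_passphrase_if_necessary(char *wrapped_pw_filename, char *wrapping_passphrase, const char *salt)`, while the fixconst patch in this same commit turns `wrapping_passphrase` into `const char *` for `ecryptfs_wrap_passphrase` and `ecryptfs_unwrap_passphrase`. If the rewrap body (outside the hunk) only forwards the passphrase to those library calls, `const char *wrapping_passphrase` would keep the helper's signature consistent with what it wraps. This is a style point only; the caller in fill_keyring passes `epd->passphrase`, which converts either way.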
@@ -92,6 +94,13 @@ diff -up ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg ecryptfs-util + } else rc = errno; } - +- oeuid = geteuid(); +- oegid = getegid(); +- if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); +- goto outnouid; +- } +- - if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) { - syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); + if (!epd->homedir) { @@ -123,13 +132,13 @@ diff -up ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg ecryptfs-util rc); goto out; } -+ epd->passphrase = strdup(epd->passphrase); - auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); - if (!auth_tok_sig) { - rc = -ENOMEM; - syslog(LOG_ERR, "pam_ecryptfs: Out of memory\n"); - goto out; - } ++ epd->passphrase = strdup(epd->passphrase); rc = ecryptfs_read_salt_hex_from_rc(salt_hex); if (rc) { - from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE); @@ -170,6 +179,10 @@ diff -up ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg ecryptfs-util - } else { - goto out_child; - } +- if (rewrap_passphrase_if_necessary(wrapped_pw_filename, passphrase, salt)) { +- /* Non fatal condition. Log a warning. */ +- syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); +- } - rc = ecryptfs_insert_wrapped_passphrase_into_keyring( - auth_tok_sig, wrapped_pw_filename, passphrase, - salt); @@ -198,11 +211,11 @@ diff -up ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg ecryptfs-util - if (tmp_pid == -1) - syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); -out: -- + - seteuid(oeuid); - setegid(oegid); - setgroups(ngids, groups); - +- -outnouid: +out: if (private_mnt != NULL) 
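Review bot: `epd->passphrase = strdup(epd->passphrase);` in the `@@ -123,13 +132,13 @@` hunk, moved below the removed `auth_tok_sig` block, copies the `PAM_AUTHTOK` item without a NULL or allocation check: `pam_get_item` can succeed with a NULL token (the later `epd->passphrase == NULL` test in fill_keyring, visible in the syslog patch, anticipates that), and `strdup(NULL)` is undefined. A guard such as `if (epd->passphrase != NULL && (epd->passphrase = strdup(epd->passphrase)) == NULL) { rc = -ENOMEM; goto out; }` keeps the NULL path reachable and follows the `rc = -ENOMEM; goto out;` pattern already used a few lines earlier. The copy is kept in the PAM data for the rest of the session; `pam_free_ecryptfsdata` is outside this hunk, so whether it clears the plaintext before `free()` cannot be seen here — if it only frees, an `explicit_bzero` of the copy first is worth adding. `pam_sm_authenticate` starts and ends outside the hunk.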
@@ -212,7 +225,7 @@ diff -up ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg ecryptfs-util return PAM_SUCCESS; } -@@ -375,10 +320,120 @@ static int umount_private_dir(pam_handle +@@ -407,10 +348,124 @@ static int umount_private_dir(pam_handle return private_dir(pamh, 0); } @@ -289,6 +302,10 @@ diff -up ecryptfs-utils-104/src/pam_ecryptfs/pam_ecryptfs.c.ekHssg ecryptfs-util + } else { + goto out_child; + } ++ if (rewrap_passphrase_if_necessary(wrapped_pw_filename, epd->passphrase, epd->salt)) { ++ /* Non fatal condition. Log a warning. */ ++ syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); ++ } + rc = ecryptfs_insert_wrapped_passphrase_into_keyring( + auth_tok_sig, wrapped_pw_filename, epd->passphrase, + epd->salt); diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch index 5850c60..6fe2dfd 100644 --- a/ecryptfs-utils-87-syslog.patch +++ b/ecryptfs-utils-87-syslog.patch @@ -1,6 +1,6 @@ -diff -up ecryptfs-utils-103/src/include/ecryptfs.h.syslog ecryptfs-utils-103/src/include/ecryptfs.h ---- ecryptfs-utils-103/src/include/ecryptfs.h.syslog 2013-01-28 17:24:50.811392951 +0100 -+++ ecryptfs-utils-103/src/include/ecryptfs.h 2013-01-28 17:24:50.814392975 +0100 +diff -up ecryptfs-utils-106/src/include/ecryptfs.h.syslog ecryptfs-utils-106/src/include/ecryptfs.h +--- ecryptfs-utils-106/src/include/ecryptfs.h.syslog 2015-03-30 11:44:14.242490372 +0200 ++++ ecryptfs-utils-106/src/include/ecryptfs.h 2015-03-30 11:44:14.249490239 +0200 @@ -137,7 +137,7 @@ #define ECRYPTFS_TAG_67_PACKET 0x43 
@@ -10,10 +10,10 @@ diff -up ecryptfs-utils-103/src/include/ecryptfs.h.syslog ecryptfs-utils-103/src #define ECRYPTFS_MAX_NUM_CIPHERS 64 #define ECRYPTFS_ECHO_ON 1 -diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2013-01-28 17:24:50.808392927 +0100 -+++ ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c 2013-01-28 17:24:50.815392983 +0100 -@@ -94,7 +94,7 @@ static int wrap_passphrase_if_necessary( +diff -up ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2015-03-30 11:44:14.235490506 +0200 ++++ ecryptfs-utils-106/src/pam_ecryptfs/pam_ecryptfs.c 2015-03-30 11:47:23.825882697 +0200 +@@ -93,7 +93,7 @@ static int wrap_passphrase_if_necessary( rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username); if (rc == -1) { @@ -22,7 +22,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return -ENOMEM; } /* If /dev/shm/.ecryptfs-$USER exists and owned by the user -@@ -106,7 +106,7 @@ static int wrap_passphrase_if_necessary( +@@ -105,7 +105,7 @@ static int wrap_passphrase_if_necessary( passphrase != NULL && *passphrase != '\0' && username != NULL && *username != '\0') { if ((rc = setuid(uid))<0 || ((rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename)) != 0)) { @@ -31,7 +31,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util } return rc; } -@@ -122,7 +122,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -149,7 +149,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h struct ecryptfs_pam_data *epd; if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) { 
@@ -40,7 +40,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util rc = -ENOMEM; goto out; } -@@ -141,7 +141,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -168,7 +168,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h } else rc = errno; } if (!epd->homedir) { @@ -49,7 +49,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util goto out; } -@@ -149,7 +149,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -176,7 +176,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h goto out; private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { @@ -58,7 +58,8 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util /* If private/home is already mounted, then we can skip costly loading of keys */ goto out; -@@ -160,7 +160,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -186,7 +186,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + else rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); if (rc != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", @@ -66,8 +67,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util rc); goto out; } - epd->passphrase = strdup(epd->passphrase); -@@ -171,7 +171,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -198,7 +198,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE); epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) { @@ -76,7 +76,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util goto out; } -@@ -195,12 +195,12 @@ static struct passwd *fetch_pwd(pam_hand +@@ -222,12 +222,12 @@ static struct passwd *fetch_pwd(pam_hand rc = pam_get_user(pamh, &username, NULL); if (rc != PAM_SUCCESS || username == NULL) { 
@@ -91,7 +91,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return NULL; } return pwd; -@@ -231,13 +231,13 @@ static int private_dir(pam_handle_t *pam +@@ -258,13 +258,13 @@ static int private_dir(pam_handle_t *pam if ( (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0) || autofile == NULL) { @@ -107,7 +107,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return 1; } if (stat(sigfile, &s) != 0) { -@@ -249,7 +249,7 @@ static int private_dir(pam_handle_t *pam +@@ -276,7 +276,7 @@ static int private_dir(pam_handle_t *pam goto out; } if ((pid = fork()) < 0) { @@ -116,7 +116,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return 1; } if (pid == 0) { -@@ -257,7 +257,7 @@ static int private_dir(pam_handle_t *pam +@@ -284,7 +284,7 @@ static int private_dir(pam_handle_t *pam if ((asprintf(&recorded, "%s/.ecryptfs/.wrapped-passphrase.recorded", pwd->pw_dir) < 0) || recorded == NULL) { @@ -125,7 +125,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util _exit(255); } if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { -@@ -269,12 +269,12 @@ static int private_dir(pam_handle_t *pam +@@ -297,12 +297,12 @@ static int private_dir(pam_handle_t *pam } if (stat(autofile, &s) != 0) { /* User does not want to auto-mount */ 
@@ -137,15 +137,15 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { - syslog(LOG_ERR, "Unable to set user's groups : %m"); + ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(255); + _exit(-1); } /* run mount.ecryptfs_private as the user */ -@@ -282,16 +282,16 @@ static int private_dir(pam_handle_t *pam - _exit(255); +@@ -310,16 +310,16 @@ static int private_dir(pam_handle_t *pam + _exit(-1); execl("/sbin/mount.ecryptfs_private", "mount.ecryptfs_private", NULL); -- syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); -+ ecryptfs_syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); +- syslog(LOG_ERR, "unable to execute mount.ecryptfs_private : %m"); ++ ecryptfs_syslog(LOG_ERR, "unable to execute mount.ecryptfs_private : %m"); } else { if (stat(autofile, &s) != 0) { /* User does not want to auto-unmount */ 
@@ -157,19 +157,19 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { - syslog(LOG_ERR, "Unable to set user's groups : %m"); + ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(255); + _exit(-1); } /* run umount.ecryptfs_private as the user */ -@@ -299,7 +299,7 @@ static int private_dir(pam_handle_t *pam - _exit(255); +@@ -327,7 +327,7 @@ static int private_dir(pam_handle_t *pam + _exit(-1); execl("/sbin/umount.ecryptfs_private", "umount.ecryptfs_private", NULL); -- syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); -+ ecryptfs_syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); - _exit(255); +- syslog(LOG_ERR, "unable to execute umount.ecryptfs_private : %m"); ++ ecryptfs_syslog(LOG_ERR, "unable to execute umount.ecryptfs_private : %m"); + _exit(-1); } - _exit(255); -@@ -334,24 +334,24 @@ static int fill_keyring(pam_handle_t *pa + _exit(-1); +@@ -362,24 +362,24 @@ static int fill_keyring(pam_handle_t *pa if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS) { @@ -198,7 +198,16 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return -ENOMEM; } -@@ -367,12 +367,12 @@ static int fill_keyring(pam_handle_t *pa +@@ -387,7 +387,7 @@ static int fill_keyring(pam_handle_t *pa + /* temp regain uid 0 to drop privs */ + if (seteuid(oeuid) < 0) + { +- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); + goto out_child; + } + /* setgroups() already called */ +@@ -395,12 +395,12 @@ static int fill_keyring(pam_handle_t *pa goto out_child; if (epd->passphrase == NULL) { 
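Review bot: The new inner hunk `@@ -387,7 +387,7 @@` in fill_keyring logs `ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error");` without the errno, while the neighbouring messages in this same patch ("Unable to set user's groups : %m", "unable to execute mount.ecryptfs_private : %m") include `%m`; a failure to regain uid 0 before dropping privileges is exactly what an operator will need to diagnose, so `"pam_ecryptfs: seteuid error: %m"` would be both more useful and consistent. The same message is touched again in the `@@ -572,7 +572,7 @@` hunk of `pam_sm_chauthtok` further down. This assumes `ecryptfs_syslog` forwards its format to syslog(3) or glibc's printf family, which the existing `%m` call sites already rely on; its definition is not in view.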
@@ -213,7 +222,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util "Cannot validate keyring integrity\n"); } rc = 0; -@@ -384,12 +384,12 @@ static int fill_keyring(pam_handle_t *pa +@@ -412,18 +412,18 @@ static int fill_keyring(pam_handle_t *pa epd->homedir, ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); if (rc == -1) { @@ -228,7 +237,14 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util } else { goto out_child; } -@@ -405,7 +405,7 @@ static int fill_keyring(pam_handle_t *pa + if (rewrap_passphrase_if_necessary(wrapped_pw_filename, epd->passphrase, epd->salt)) { + /* Non fatal condition. Log a warning. */ +- syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); ++ ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: Unable to rewrap passphrase file\n"); + } + rc = ecryptfs_insert_wrapped_passphrase_into_keyring( + auth_tok_sig, wrapped_pw_filename, epd->passphrase, +@@ -437,7 +437,7 @@ static int fill_keyring(pam_handle_t *pa goto out_child; } if (rc) { @@ -237,7 +253,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util "user session keyring; rc = [%d]\n", rc); goto out_child; } -@@ -415,7 +415,7 @@ out_child: +@@ -447,7 +447,7 @@ out_child: } tmp_pid = waitpid(child_pid, NULL, 0); if (tmp_pid == -1) @@ -246,7 +262,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util "waitpid() returned with error condition\n"); out: rc = seteuid(oeuid); -@@ -473,33 +473,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -506,33 +506,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand homedir = pwd->pw_dir; } } else { 
@@ -285,7 +301,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util rc = PAM_AUTHTOK_RECOVER_ERR; } goto out; -@@ -507,13 +507,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -540,13 +540,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand if ((rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&new_passphrase)) != PAM_SUCCESS) { @@ -301,7 +317,7 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util rc = -ENOMEM; goto out; } -@@ -523,13 +523,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -556,13 +556,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE); } if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, new_passphrase, salt) == 0) { @@ -317,7 +333,16 @@ diff -up ecryptfs-utils-103/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util rc = PAM_AUTHTOK_RECOVER_ERR; goto out; } -@@ -549,20 +549,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -572,7 +572,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand + + /* temp regain uid 0 to drop privs */ + if (seteuid(oeuid) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); + goto out_child; + } + /* setgroups() already called */ +@@ -582,20 +582,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand if ((rc = ecryptfs_unwrap_passphrase(passphrase, wrapped_pw_filename, old_passphrase, salt))) { diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec index 955523f..006eab8 100644 --- a/ecryptfs-utils.spec +++ b/ecryptfs-utils.spec @@ -4,8 +4,8 @@ %global _sbindir /sbin Name: ecryptfs-utils -Version: 104 -Release: 3%{?dist} +Version: 106 +Release: 1%{?dist} Summary: The eCryptfs mount helper and support libraries Group: System Environment/Base License: GPLv2+ 
@@ -269,6 +269,9 @@ rm -rf $RPM_BUILD_ROOT %{python_sitearch}/ecryptfs-utils/_libecryptfs.so %changelog +* Mon Mar 30 2015 Michal Hlavinka - 106-1 +- ecryptfs-utils updated to 106 + * Mon Jan 26 2015 Michal Hlavinka - 104-3 - fix pam sigsegv (#1184645)