Fedora 13 Update: pam_mount-2.4-2.fc13

updates at fedoraproject.org
Tue Jul 13 07:26:24 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-8664
2010-05-17 17:45:41
--------------------------------------------------------------------------------

Name        : pam_mount
Product     : Fedora 13
Version     : 2.4
Release     : 2.fc13
URL         : http://pam-mount.sourceforge.net/
Summary     : A PAM module that can mount volumes for a user session
Description :
This module is aimed at environments with central file servers that a
user wishes to mount on login and unmount on logout, such as
(semi-)diskless stations where many users can logon.

The module also supports mounting local filesystems of any kind the
normal mount utility supports, with extra code to make sure certain
volumes are set up properly because often they need more than just a
mount call, such as encrypted volumes. This includes SMB/CIFS, NCP,
davfs2, FUSE, losetup crypto, dm-crypt/cryptsetup and truecrypt.

If you intend to use pam_mount to protect volumes on your computer
using an encrypted filesystem system, please know that there are many
other issues you need to consider in order to protect your data.  For
example, you probably want to disable or encrypt your swap partition.
Don't assume a system is secure without carefully considering
potential threats.

--------------------------------------------------------------------------------
Update Information:

For pam_mount:

Notes:
- see doc/bugs.txt for cryptsetup behavior that impacts pam_mount users
  since version 2.0

Fixes:
- umount.crypt: fix use of a wrong field for smtab/cmtab staleness check
- umount.crypt had erroneously mounted instead of umounted
- mount.crypt: fix memory scribble crash when crypto device could not be
  initialized
- mount.crypt: do not fail when unlocking key slot other than #0
- fusermount is now called with supplementary groups initialized
- rdconf: do not warn about missing fskeyhash when no fskey specified
- mount: prefer sysv mount API over bsd
- pmt-ehd: reword help text for -k option
- pmt-ehd: apply default value for -k option
- pmt-ehd: fix fskey generation which was pegged at 256 bits
- pmt-ehd: avoid needless overtruncation/sparsifying
- pmt-ehd: zero LUKS header to avoid setup failure of PLAIN volume

Changes:
- pmt-ehd: speed up writing random data
- pmt-ehd: reword help text for -k option
- mount.crypt: ignore cmtab update errors
- mount.crypt: add support for keyfile passthru using -ofsk_cipher=none
- doc: document mount.crypt's -o hash option
- mount.crypt: warn on ignored options

Fixes:
- config: rdconf1 static data had unclosed %(if) tags
- config: rdconf1 static data had extraneous %(OPTIONS) parameter

Changes:
- mount.crypt: make use of libcryptsetup
- cmtab is now stored below localstatedir (usually /var/run)
- use HXformat2. This invalidates old constructs like %(before=\"-o\"...),
  which need to be replaced with the new syntax. (See below.)
  In general, the old syntax was only used by commands

Note to updaters: As the old syntax %(after=...) %(before=...)
%(ifempty=...) %(ifnempty=...) %(lower=...) %(upper=...) only appeared in
commands, and commands are not part of the default config file anymore
since v1.0~15^2~15, there should be little worry. The configuration options
in question are <cifsmount>, <cryptmount>, <cryptumount>, <fd0ssh>, <fsck>,
<fusemount>, <fuseumount>, <lclmount>, <nfsmount>, <ncpmount>, <ncpumount>,
<pmvarrun>, <smbmount>, <smbumount>, <umount> and should normally not be
needed in pam_mount.conf.xml.

Changes:
- cope better with cryptsetup's assumption that keysize=256
- augment doc/bugs.txt about caveats with cryptsetup create

Fixes:
- avoid a mlock(NULL) when there is no auth token

Changes:
- print error code when mkmountpoint failed
- print warning when cmtab is not creatable

Changes:
- update for libHX 3.4

Fixes:
- do decrease the login refcount on logout when no volumes are defined

Fixes:
- avoid multi-free of auth token when pam_mount is rerun in a PAM stack
- avoid NULL dereference when there is an empty line in mtab

For cryptsetup:
- Fix device alignment ioctl calls parameters.
- Fix activate_by_* API calls to handle NULL device name as documented.
- Fix luksFormat/luksOpen reading passphrase from stdin and "-" keyfile.
- Support --key-file/-d option for luksFormat.
- Fix description of --key-file and add --verbose and --debug options to
  man page.
- Add verbose log level and move unlocking message there.
- Remove device even if underlying device disappeared.
- Fix (deprecated) reload device command to accept new device argument.
- Fix luksClose operation for stacked DM devices.
- Fix automatic dm-crypt module loading.
- Escape hyphens in man page.
- Try to use pkgconfig for device mapper library.
- Detect old dm-crypt module and disable LUKS suspend/resume.
- Fix apitest to work on older systems.
- Allow no hash specification in plain device constructor.
- Fix luksOpen reading of passphrase on stdin (if "-" keyfile specified).
- Fix isLuks to initialise crypto backend (blkid instead is suggested
  anyway).
- Fix package config to use proper package version.
- Avoid class C++ keyword in library header.
- Detect and use devmapper udev support if available (disable by
  --disable-udev).
- Prefer some device paths in status display.
- Support device topology detection for data alignment.
- Do not verify unlocking passphrase in luksAddKey command.
- Properly initialise crypto backend in header backup/restore commands.
- Fix udev support for old libdevmapper with not compatible definition.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Jul  3 2010 Till Maas <opensource at till.name> - 2.4-2
- Add cryptsetup-luks-libs Requires
- list all manpages explicitly
* Fri Jul  2 2010 Till Maas <opensource at till.name> - 2.4-1
- Update to new release
- add patch to keep cmtab at /etc
- add patch to use mount -t crypt instead of mount.crypt for crypto volumes
- BR cryptsetup-luks-devel >= 1.1.2
- add man-db BR for Fedora >= 14 for pam_mount.8 to pam_mount.txt conversion
- add Patch to remove man-db BR for Fedora < 14
* Wed May 19 2010 Till Maas <opensource at till.name> - 2.3-1
- Update to new release
* Sun May 16 2010 Till Maas <opensource at till.name> - 2.2-1
- Update to new release
* Sun May 16 2010 Till Maas <opensource at till.name> - 2.1-1
- Update to new release
- Add BuildRequires: cryptsetup-luks-devel
- Cleanup BRs
- Add Requires: /bin/readlink
- Update libHX dependency
* Mon Jan  4 2010 Till Maas <opensource at till.name> - 1.32-2
- Do not package compatibility symlinks anymore
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #608400 - pam_mount-2.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=608400
  [ 2 ] Bug #599609 - use mount -t crypt instead of mount.crypt for pam_mount crypt volumes for selinux support
        https://bugzilla.redhat.com/show_bug.cgi?id=599609
  [ 3 ] Bug #610885 - update cryptsetup-luks to 1.1.2 for pam_mount
        https://bugzilla.redhat.com/show_bug.cgi?id=610885
  [ 4 ] Bug #570315 - pmt-ehd has problems has problems creating large loopback containers
        https://bugzilla.redhat.com/show_bug.cgi?id=570315
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update pam_mount' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

