[ecryptfs-utils/f18] do not crash in pam module when non-existent user name is used (#859766)

Thu Sep 27 13:27:07 UTC 2012

commit 83a747072b18470c742c569c30887a71163e5a19
Author: Michal Hlavinka <mhlavink at redhat.com>
Date:   Thu Sep 27 15:27:03 2012 +0200

    do not crash in pam module when non-existent user name is used (#859766)

 ecryptfs-utils-87-pamdata.patch |   36 +++++++++++++-----------
 ecryptfs-utils-87-syslog.patch  |   58 +++++++++++++++++++-------------------
 ecryptfs-utils.spec             |    5 +++-
 3 files changed, 53 insertions(+), 46 deletions(-)
---

diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch
index 01fe08e..bc8319d 100644
--- a/ecryptfs-utils-87-pamdata.patch
+++ b/ecryptfs-utils-87-pamdata.patch
@@ -1,6 +1,6 @@
 diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata	2012-08-20 14:39:10.895860230 +0200
-+++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c	2012-08-20 14:39:52.177176922 +0200
+--- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata	2012-09-27 15:00:56.127148058 +0200
++++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c	2012-09-27 15:03:45.105625179 +0200
 @@ -47,6 +47,26 @@
  
  #define PRIVATE_DIR "Private"
@@ -37,7 +37,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
  {
  	char *unwrapped_pw_filename = NULL;
  	struct stat s;
-@@ -98,138 +118,63 @@ static int wrap_passphrase_if_necessary(
+@@ -96,138 +116,66 @@ static int wrap_passphrase_if_necessary(
  PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
  				   const char **argv)
  {
@@ -54,10 +54,10 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
  	char *private_mnt = NULL;
 -	pid_t child_pid, tmp_pid;
  	long rc;
-+	struct ecryptfs_pam_data *epd = {0,};
++	struct ecryptfs_pam_data *epd;
  
 -	rc = pam_get_user(pamh, &username, NULL);
-+	if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) {
++	if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) {
 +		syslog(LOG_ERR,"Memory allocation failed");
 +		rc = -ENOMEM;
 +		goto out;
@@ -68,21 +68,23 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
  		struct passwd *pwd;
  
 -		pwd = getpwnam(username);
++		errno = 0;
 +		pwd = getpwnam(epd->username);
  		if (pwd) {
 -			uid = pwd->pw_uid;
 -			gid = pwd->pw_gid;
 -			homedir = pwd->pw_dir;
+-		}
+-	} else {
+-		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc);
+-		goto out;
 +			epd->uid = pwd->pw_uid;
 +			epd->gid = pwd->pw_gid;
 +			epd->homedir = pwd->pw_dir;
- 		}
- 	} else {
--		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc);
-+		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
- 		goto out;
++			rc = 0;
++		} else rc = errno;
  	}
- 
+-
 -	if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0 ||
 -	    (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
 -		syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
@@ -91,12 +93,14 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
 -
 -	if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) {
 -		syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
-+	if (!file_exists_dotecryptfs(epd->homedir, "auto-mount"))
++	if (!epd->homedir) {
++		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
  		goto out;
--	}
--
+ 	}
+ 
 -	if (!file_exists_dotecryptfs(homedir, "auto-mount"))
--		goto out;
++	if (!file_exists_dotecryptfs(epd->homedir, "auto-mount"))
+ 		goto out;
 -	private_mnt = ecryptfs_fetch_private_mnt(homedir);
 +	private_mnt = ecryptfs_fetch_private_mnt(epd->homedir);
  	if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
@@ -203,7 +207,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
  	if (private_mnt != NULL)
  		free(private_mnt);
  	return PAM_SUCCESS;
-@@ -374,10 +319,119 @@ static int umount_private_dir(pam_handle
+@@ -372,10 +320,119 @@ static int umount_private_dir(pam_handle
  	return private_dir(pamh, 0);
  }
  
diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch
index 24166f6..5024953 100644
--- a/ecryptfs-utils-87-syslog.patch
+++ b/ecryptfs-utils-87-syslog.patch
@@ -1,6 +1,6 @@
 diff -up ecryptfs-utils-100/src/include/ecryptfs.h.syslog ecryptfs-utils-100/src/include/ecryptfs.h
---- ecryptfs-utils-100/src/include/ecryptfs.h.syslog	2012-08-20 15:49:24.351952427 +0200
-+++ ecryptfs-utils-100/src/include/ecryptfs.h	2012-08-20 15:49:24.355952459 +0200
+--- ecryptfs-utils-100/src/include/ecryptfs.h.syslog	2012-09-27 15:04:15.639901578 +0200
++++ ecryptfs-utils-100/src/include/ecryptfs.h	2012-09-27 15:04:15.659901767 +0200
 @@ -143,7 +143,7 @@
  #define ECRYPTFS_TAG_67_PACKET 0x43
  
@@ -11,8 +11,8 @@ diff -up ecryptfs-utils-100/src/include/ecryptfs.h.syslog ecryptfs-utils-100/src
  #define ECRYPTFS_MAX_NUM_CIPHERS 64
  #define ECRYPTFS_ECHO_ON 1
 diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog	2012-08-20 15:49:24.348952403 +0200
-+++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c	2012-08-20 15:49:34.357033235 +0200
+--- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog	2012-09-27 15:04:15.626901456 +0200
++++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c	2012-09-27 15:04:59.003302383 +0200
 @@ -94,7 +94,7 @@ static int wrap_passphrase_if_necessary(
  
  	rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username);
@@ -32,24 +32,24 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		return rc;
  	}
 @@ -122,7 +122,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
- 	struct ecryptfs_pam_data *epd = {0,};
+ 	struct ecryptfs_pam_data *epd;
  
- 	if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) {
+ 	if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) {
 -		syslog(LOG_ERR,"Memory allocation failed");
 +		ecryptfs_syslog(LOG_ERR,"Memory allocation failed");
  		rc = -ENOMEM;
  		goto out;
  	}
-@@ -138,7 +138,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
- 			epd->homedir = pwd->pw_dir;
- 		}
- 	} else {
+@@ -141,7 +141,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 		} else rc = errno;
+ 	}
+ 	if (!epd->homedir) {
 -		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
 +		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
  		goto out;
  	}
  
-@@ -146,7 +146,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -149,7 +149,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  		goto out;
  	private_mnt = ecryptfs_fetch_private_mnt(epd->homedir);
  	if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
@@ -58,7 +58,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		/* If private/home is already mounted, then we can skip
  		   costly loading of keys */
  		goto out;
-@@ -157,7 +157,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -160,7 +160,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  		rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase);
  	epd->passphrase = strdup(epd->passphrase);
  	if (rc != PAM_SUCCESS) {
@@ -67,7 +67,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		       rc);
  		goto out;
  	}
-@@ -168,7 +168,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -171,7 +171,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  		from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE);
  	epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0));
  	if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) {
@@ -76,7 +76,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		goto out;
  	}
  
-@@ -192,12 +192,12 @@ static struct passwd *fetch_pwd(pam_hand
+@@ -195,12 +195,12 @@ static struct passwd *fetch_pwd(pam_hand
  
  	rc = pam_get_user(pamh, &username, NULL);
  	if (rc != PAM_SUCCESS || username == NULL) {
@@ -91,7 +91,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		return NULL;
  	}
  	return pwd;
-@@ -228,13 +228,13 @@ static int private_dir(pam_handle_t *pam
+@@ -231,13 +231,13 @@ static int private_dir(pam_handle_t *pam
  	if (
  	    (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0)
  	     || autofile == NULL) {
@@ -107,7 +107,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		return 1;
          }
  	if (stat(sigfile, &s) != 0) {
-@@ -246,7 +246,7 @@ static int private_dir(pam_handle_t *pam
+@@ -249,7 +249,7 @@ static int private_dir(pam_handle_t *pam
  		goto out;
  	}
  	if ((pid = fork()) < 0) {
@@ -116,7 +116,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		return 1;
  	}
  	if (pid == 0) {
-@@ -254,7 +254,7 @@ static int private_dir(pam_handle_t *pam
+@@ -257,7 +257,7 @@ static int private_dir(pam_handle_t *pam
  		        if ((asprintf(&recorded,
  			    "%s/.ecryptfs/.wrapped-passphrase.recorded",
  			    pwd->pw_dir) < 0) || recorded == NULL) {
@@ -125,7 +125,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  				_exit(255);
  			}
  			if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) {
-@@ -266,12 +266,12 @@ static int private_dir(pam_handle_t *pam
+@@ -269,12 +269,12 @@ static int private_dir(pam_handle_t *pam
  			}
  			if (stat(autofile, &s) != 0) {
  				/* User does not want to auto-mount */
@@ -140,7 +140,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  				_exit(255);
  			}
  			/* run mount.ecryptfs_private as the user */
-@@ -279,16 +279,16 @@ static int private_dir(pam_handle_t *pam
+@@ -282,16 +282,16 @@ static int private_dir(pam_handle_t *pam
  				_exit(255);
  			execl("/sbin/mount.ecryptfs_private",
  			      "mount.ecryptfs_private", NULL);
@@ -160,7 +160,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  				_exit(255);
  			}
  			/* run umount.ecryptfs_private as the user */
-@@ -296,7 +296,7 @@ static int private_dir(pam_handle_t *pam
+@@ -299,7 +299,7 @@ static int private_dir(pam_handle_t *pam
  				_exit(255);
  			execl("/sbin/umount.ecryptfs_private",
   			      "umount.ecryptfs_private", NULL);
@@ -169,7 +169,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  			_exit(255);
  		}
  		_exit(255);
-@@ -331,24 +331,24 @@ static int fill_keyring(pam_handle_t *pa
+@@ -334,24 +334,24 @@ static int fill_keyring(pam_handle_t *pa
  	
  	if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS)
  	{
@@ -198,7 +198,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		return -ENOMEM;
  	}
    
-@@ -364,12 +364,12 @@ static int fill_keyring(pam_handle_t *pa
+@@ -367,12 +367,12 @@ static int fill_keyring(pam_handle_t *pa
  			goto out_child;
  	  
  		if (epd->passphrase == NULL) {
@@ -213,7 +213,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  			       "Cannot validate keyring integrity\n");
  		}
  		rc = 0;
-@@ -381,12 +381,12 @@ static int fill_keyring(pam_handle_t *pa
+@@ -384,12 +384,12 @@ static int fill_keyring(pam_handle_t *pa
  				epd->homedir,
  				ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME);
  			if (rc == -1) {
@@ -228,7 +228,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  			} else {
  				goto out_child;
  			}
-@@ -402,7 +402,7 @@ static int fill_keyring(pam_handle_t *pa
+@@ -405,7 +405,7 @@ static int fill_keyring(pam_handle_t *pa
  			goto out_child;
  		}
  		if (rc) {
@@ -237,7 +237,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  			       "user session keyring; rc = [%d]\n", rc);
  			goto out_child;
  		}
-@@ -412,7 +412,7 @@ out_child:
+@@ -415,7 +415,7 @@ out_child:
  	}
  	tmp_pid = waitpid(child_pid, NULL, 0);
  	if (tmp_pid == -1)
@@ -246,7 +246,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		       "waitpid() returned with error condition\n"); 
  out:
  	rc = seteuid(oeuid);
-@@ -470,33 +470,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -473,33 +473,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  			homedir = pwd->pw_dir;
  		}
  	} else {
@@ -285,7 +285,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  			rc = PAM_AUTHTOK_RECOVER_ERR;
  		}
  		goto out;
-@@ -504,13 +504,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -507,13 +507,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  	if ((rc = pam_get_item(pamh, PAM_AUTHTOK,
  			       (const void **)&new_passphrase))
  	    != PAM_SUCCESS) {
@@ -301,7 +301,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		rc = -ENOMEM;
  		goto out;
  	}
-@@ -520,13 +520,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -523,13 +523,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  		from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
  	}
  	if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, new_passphrase, salt) == 0) {
@@ -317,7 +317,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
  		rc = PAM_AUTHTOK_RECOVER_ERR;
  		goto out;
  	}
-@@ -546,20 +546,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -549,20 +549,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  		if ((rc = ecryptfs_unwrap_passphrase(passphrase,
  						     wrapped_pw_filename,
  						     old_passphrase, salt))) {
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 83c6a24..58d8488 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -5,7 +5,7 @@
 
 Name: ecryptfs-utils
 Version: 100
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: The eCryptfs mount helper and support libraries
 Group: System Environment/Base
 License: GPLv2+
@@ -262,6 +262,9 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/ecryptfs-utils/_libecryptfs.so
 
 %changelog
+* Thu Sep 27 2012 Michal Hlavinka <mhlavink at redhat.com> - 100-3
+- do not crash in pam module when non-existent user name is used (#859766)
+
 * Mon Aug 20 2012 Michal Hlavinka <mhlavink at redhat.com> - 100-2
 - fix Werror messages in new build environment
 
