[ecryptfs-utils/f18] do not crash in pam module when non-existent user name is used (#859766)
Michal Hlavinka
mhlavink at fedoraproject.org
Thu Sep 27 13:27:07 UTC 2012
commit 83a747072b18470c742c569c30887a71163e5a19
Author: Michal Hlavinka <mhlavink at redhat.com>
Date: Thu Sep 27 15:27:03 2012 +0200
do not crash in pam module when non-existent user name is used (#859766)
ecryptfs-utils-87-pamdata.patch | 36 +++++++++++++-----------
ecryptfs-utils-87-syslog.patch | 58 +++++++++++++++++++-------------------
ecryptfs-utils.spec | 5 +++-
3 files changed, 53 insertions(+), 46 deletions(-)
---
diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch
index 01fe08e..bc8319d 100644
--- a/ecryptfs-utils-87-pamdata.patch
+++ b/ecryptfs-utils-87-pamdata.patch
@@ -1,6 +1,6 @@
diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2012-08-20 14:39:10.895860230 +0200
-+++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c 2012-08-20 14:39:52.177176922 +0200
+--- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2012-09-27 15:00:56.127148058 +0200
++++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c 2012-09-27 15:03:45.105625179 +0200
@@ -47,6 +47,26 @@
#define PRIVATE_DIR "Private"
@@ -37,7 +37,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
{
char *unwrapped_pw_filename = NULL;
struct stat s;
-@@ -98,138 +118,63 @@ static int wrap_passphrase_if_necessary(
+@@ -96,138 +116,66 @@ static int wrap_passphrase_if_necessary(
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
@@ -54,10 +54,10 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
char *private_mnt = NULL;
- pid_t child_pid, tmp_pid;
long rc;
-+ struct ecryptfs_pam_data *epd = {0,};
++ struct ecryptfs_pam_data *epd;
- rc = pam_get_user(pamh, &username, NULL);
-+ if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) {
++ if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) {
+ syslog(LOG_ERR,"Memory allocation failed");
+ rc = -ENOMEM;
+ goto out;
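Review bot: The `epd` block obtained from the new `calloc(1, sizeof(struct ecryptfs_pam_data))` has no visible release on the early-exit paths of `pam_sm_authenticate`. Ownership passes to PAM only at the later `pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)` call, and the `out:` context shown further down in this patch frees `private_mnt` alone. Every `goto out` taken before that call (unknown user, no auto-mount file, already mounted) therefore appears to leak the struct. If `out:` does not free it in lines outside this view, release `epd` there unless `pam_set_data` succeeded, for example by setting `epd = NULL;` right after the successful `pam_set_data` and calling `free(epd);` at `out:`. The function body starts and ends outside the hunk.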
@@ -68,21 +68,23 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
struct passwd *pwd;
- pwd = getpwnam(username);
++ errno = 0;
+ pwd = getpwnam(epd->username);
if (pwd) {
- uid = pwd->pw_uid;
- gid = pwd->pw_gid;
- homedir = pwd->pw_dir;
+- }
+- } else {
+- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc);
+- goto out;
+ epd->uid = pwd->pw_uid;
+ epd->gid = pwd->pw_gid;
+ epd->homedir = pwd->pw_dir;
- }
- } else {
-- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc);
-+ syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
- goto out;
++ rc = 0;
++ } else rc = errno;
}
-
+-
- if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0 ||
- (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
- syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
@@ -91,12 +93,14 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
-
- if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) {
- syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
-+ if (!file_exists_dotecryptfs(epd->homedir, "auto-mount"))
++ if (!epd->homedir) {
++ syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
goto out;
-- }
--
+ }
+
- if (!file_exists_dotecryptfs(homedir, "auto-mount"))
-- goto out;
++ if (!file_exists_dotecryptfs(epd->homedir, "auto-mount"))
+ goto out;
- private_mnt = ecryptfs_fetch_private_mnt(homedir);
+ private_mnt = ecryptfs_fetch_private_mnt(epd->homedir);
if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
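Review bot: The new `if (!epd->homedir)` branch logs `rc`, but at that point `rc` does not have a single meaning. It can be a PAM return code (apparently, when `pam_get_user` failed), a positive `errno` from the `else rc = errno;` added in the previous hunk, or 0, because `getpwnam()` may return NULL for an unknown name without setting `errno`. A log entry reading `rc = [0]` for exactly the case this commit fixes is hard to triage, and the positive errno is inconsistent with the `rc = -ENOMEM` convention a few lines earlier. Consider `} else rc = errno ? -errno : -ENOENT;` in the lookup and a message stating that the account was not found. The same log line is carried into ecryptfs-utils-87-syslog.patch as the `ecryptfs_syslog` call.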
@@ -203,7 +207,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti
if (private_mnt != NULL)
free(private_mnt);
return PAM_SUCCESS;
-@@ -374,10 +319,119 @@ static int umount_private_dir(pam_handle
+@@ -372,10 +320,119 @@ static int umount_private_dir(pam_handle
return private_dir(pamh, 0);
}
diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch
index 24166f6..5024953 100644
--- a/ecryptfs-utils-87-syslog.patch
+++ b/ecryptfs-utils-87-syslog.patch
@@ -1,6 +1,6 @@
diff -up ecryptfs-utils-100/src/include/ecryptfs.h.syslog ecryptfs-utils-100/src/include/ecryptfs.h
---- ecryptfs-utils-100/src/include/ecryptfs.h.syslog 2012-08-20 15:49:24.351952427 +0200
-+++ ecryptfs-utils-100/src/include/ecryptfs.h 2012-08-20 15:49:24.355952459 +0200
+--- ecryptfs-utils-100/src/include/ecryptfs.h.syslog 2012-09-27 15:04:15.639901578 +0200
++++ ecryptfs-utils-100/src/include/ecryptfs.h 2012-09-27 15:04:15.659901767 +0200
@@ -143,7 +143,7 @@
#define ECRYPTFS_TAG_67_PACKET 0x43
@@ -11,8 +11,8 @@ diff -up ecryptfs-utils-100/src/include/ecryptfs.h.syslog ecryptfs-utils-100/src
#define ECRYPTFS_MAX_NUM_CIPHERS 64
#define ECRYPTFS_ECHO_ON 1
diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2012-08-20 15:49:24.348952403 +0200
-+++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c 2012-08-20 15:49:34.357033235 +0200
+--- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2012-09-27 15:04:15.626901456 +0200
++++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c 2012-09-27 15:04:59.003302383 +0200
@@ -94,7 +94,7 @@ static int wrap_passphrase_if_necessary(
rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username);
@@ -32,24 +32,24 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
return rc;
}
@@ -122,7 +122,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
- struct ecryptfs_pam_data *epd = {0,};
+ struct ecryptfs_pam_data *epd;
- if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) {
+ if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) {
- syslog(LOG_ERR,"Memory allocation failed");
+ ecryptfs_syslog(LOG_ERR,"Memory allocation failed");
rc = -ENOMEM;
goto out;
}
-@@ -138,7 +138,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
- epd->homedir = pwd->pw_dir;
- }
- } else {
+@@ -141,7 +141,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ } else rc = errno;
+ }
+ if (!epd->homedir) {
- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
goto out;
}
-@@ -146,7 +146,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -149,7 +149,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
goto out;
private_mnt = ecryptfs_fetch_private_mnt(epd->homedir);
if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
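Review bot: The NULL-homedir guard carried into this patch closes one crash in `pam_sm_authenticate`, but the context of the following hunk shows a second one of the same kind: `epd->passphrase = strdup(epd->passphrase);` runs before `if (rc != PAM_SUCCESS)` is tested. If `pam_get_item(pamh, PAM_AUTHTOK, ...)` fails or yields a NULL item, `strdup(NULL)` is undefined behaviour and would typically bring down the process hosting the PAM stack. Move the `strdup` below the check and reject a NULL item as well, `if (rc != PAM_SUCCESS || epd->passphrase == NULL)`, then handle a failed `strdup` like the `-ENOMEM` path above. The function continues outside both hunks, so the ordering should be confirmed against the full patched file.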
@@ -58,7 +58,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
/* If private/home is already mounted, then we can skip
costly loading of keys */
goto out;
-@@ -157,7 +157,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -160,7 +160,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase);
epd->passphrase = strdup(epd->passphrase);
if (rc != PAM_SUCCESS) {
@@ -67,7 +67,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
rc);
goto out;
}
-@@ -168,7 +168,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -171,7 +171,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE);
epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0));
if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) {
@@ -76,7 +76,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
goto out;
}
-@@ -192,12 +192,12 @@ static struct passwd *fetch_pwd(pam_hand
+@@ -195,12 +195,12 @@ static struct passwd *fetch_pwd(pam_hand
rc = pam_get_user(pamh, &username, NULL);
if (rc != PAM_SUCCESS || username == NULL) {
@@ -91,7 +91,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
return NULL;
}
return pwd;
-@@ -228,13 +228,13 @@ static int private_dir(pam_handle_t *pam
+@@ -231,13 +231,13 @@ static int private_dir(pam_handle_t *pam
if (
(asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0)
|| autofile == NULL) {
@@ -107,7 +107,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
return 1;
}
if (stat(sigfile, &s) != 0) {
-@@ -246,7 +246,7 @@ static int private_dir(pam_handle_t *pam
+@@ -249,7 +249,7 @@ static int private_dir(pam_handle_t *pam
goto out;
}
if ((pid = fork()) < 0) {
@@ -116,7 +116,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
return 1;
}
if (pid == 0) {
-@@ -254,7 +254,7 @@ static int private_dir(pam_handle_t *pam
+@@ -257,7 +257,7 @@ static int private_dir(pam_handle_t *pam
if ((asprintf(&recorded,
"%s/.ecryptfs/.wrapped-passphrase.recorded",
pwd->pw_dir) < 0) || recorded == NULL) {
@@ -125,7 +125,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
_exit(255);
}
if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) {
-@@ -266,12 +266,12 @@ static int private_dir(pam_handle_t *pam
+@@ -269,12 +269,12 @@ static int private_dir(pam_handle_t *pam
}
if (stat(autofile, &s) != 0) {
/* User does not want to auto-mount */
@@ -140,7 +140,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
_exit(255);
}
/* run mount.ecryptfs_private as the user */
-@@ -279,16 +279,16 @@ static int private_dir(pam_handle_t *pam
+@@ -282,16 +282,16 @@ static int private_dir(pam_handle_t *pam
_exit(255);
execl("/sbin/mount.ecryptfs_private",
"mount.ecryptfs_private", NULL);
@@ -160,7 +160,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
_exit(255);
}
/* run umount.ecryptfs_private as the user */
-@@ -296,7 +296,7 @@ static int private_dir(pam_handle_t *pam
+@@ -299,7 +299,7 @@ static int private_dir(pam_handle_t *pam
_exit(255);
execl("/sbin/umount.ecryptfs_private",
"umount.ecryptfs_private", NULL);
@@ -169,7 +169,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
_exit(255);
}
_exit(255);
-@@ -331,24 +331,24 @@ static int fill_keyring(pam_handle_t *pa
+@@ -334,24 +334,24 @@ static int fill_keyring(pam_handle_t *pa
if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS)
{
@@ -198,7 +198,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
return -ENOMEM;
}
-@@ -364,12 +364,12 @@ static int fill_keyring(pam_handle_t *pa
+@@ -367,12 +367,12 @@ static int fill_keyring(pam_handle_t *pa
goto out_child;
if (epd->passphrase == NULL) {
@@ -213,7 +213,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
"Cannot validate keyring integrity\n");
}
rc = 0;
-@@ -381,12 +381,12 @@ static int fill_keyring(pam_handle_t *pa
+@@ -384,12 +384,12 @@ static int fill_keyring(pam_handle_t *pa
epd->homedir,
ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME);
if (rc == -1) {
@@ -228,7 +228,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
} else {
goto out_child;
}
-@@ -402,7 +402,7 @@ static int fill_keyring(pam_handle_t *pa
+@@ -405,7 +405,7 @@ static int fill_keyring(pam_handle_t *pa
goto out_child;
}
if (rc) {
@@ -237,7 +237,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
"user session keyring; rc = [%d]\n", rc);
goto out_child;
}
-@@ -412,7 +412,7 @@ out_child:
+@@ -415,7 +415,7 @@ out_child:
}
tmp_pid = waitpid(child_pid, NULL, 0);
if (tmp_pid == -1)
@@ -246,7 +246,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
"waitpid() returned with error condition\n");
out:
rc = seteuid(oeuid);
-@@ -470,33 +470,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -473,33 +473,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
homedir = pwd->pw_dir;
}
} else {
@@ -285,7 +285,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
rc = PAM_AUTHTOK_RECOVER_ERR;
}
goto out;
-@@ -504,13 +504,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -507,13 +507,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
if ((rc = pam_get_item(pamh, PAM_AUTHTOK,
(const void **)&new_passphrase))
!= PAM_SUCCESS) {
@@ -301,7 +301,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
rc = -ENOMEM;
goto out;
}
-@@ -520,13 +520,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -523,13 +523,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
}
if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, new_passphrase, salt) == 0) {
@@ -317,7 +317,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util
rc = PAM_AUTHTOK_RECOVER_ERR;
goto out;
}
-@@ -546,20 +546,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -549,20 +549,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
if ((rc = ecryptfs_unwrap_passphrase(passphrase,
wrapped_pw_filename,
old_passphrase, salt))) {
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 83c6a24..58d8488 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -5,7 +5,7 @@
Name: ecryptfs-utils
Version: 100
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: The eCryptfs mount helper and support libraries
Group: System Environment/Base
License: GPLv2+
@@ -262,6 +262,9 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitearch}/ecryptfs-utils/_libecryptfs.so
%changelog
+* Thu Sep 27 2012 Michal Hlavinka <mhlavink at redhat.com> - 100-3
+- do not crash in pam module when non-existent user name is used (#859766)
+
* Mon Aug 20 2012 Michal Hlavinka <mhlavink at redhat.com> - 100-2
- fix Werror messages in new build environment