[ecryptfs-utils] keyring from auth stack does not survive, use pam_data and delayed keyring initialization
Michal Hlavinka
mhlavink at fedoraproject.org
Wed Aug 3 14:02:41 UTC 2011
commit 8b569554f2afcccdddaa0f6ad1dce6147116964c
Author: Michal Hlavinka <mhlavink at redhat.com>
Date: Wed Aug 3 16:02:27 2011 +0200
keyring from auth stack does not survive, use pam_data and delayed
keyring initialization
ecryptfs-utils-87-fixconst.patch | 159 ++++++++++++++++++++
ecryptfs-utils-87-fixexecgid.patch | 18 +--
ecryptfs-utils-87-pamdata.patch | 281 ++++++++++++++++++++++++++++++++++++
ecryptfs-utils.spec | 14 ++-
4 files changed, 457 insertions(+), 15 deletions(-)
---
diff --git a/ecryptfs-utils-87-fixconst.patch b/ecryptfs-utils-87-fixconst.patch
new file mode 100644
index 0000000..af01752
--- /dev/null
+++ b/ecryptfs-utils-87-fixconst.patch
@@ -0,0 +1,159 @@
+diff -up ecryptfs-utils-87/src/include/ecryptfs.h.fixconst ecryptfs-utils-87/src/include/ecryptfs.h
+--- ecryptfs-utils-87/src/include/ecryptfs.h.fixconst 2011-08-03 15:35:28.552079157 +0200
++++ ecryptfs-utils-87/src/include/ecryptfs.h 2011-08-03 15:39:40.654497299 +0200
+@@ -528,8 +528,8 @@ int ecryptfs_eval_decision_graph(struct
+ struct val_node **head,
+ struct param_node *root_node,
+ struct ecryptfs_name_val_pair *nvp_head);
+-int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, char *passphrase,
+- char *salt);
++int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, const char *passphrase,
++ const char *salt);
+ int ecryptfs_add_key_module_key_to_keyring(char *auth_tok_sig,
+ struct ecryptfs_key_mod *key_mod);
+ int ecryptfs_read_salt_hex_from_rc(char *salt_hex);
+@@ -545,11 +545,11 @@ int parse_packet(struct ecryptfs_ctx *ct
+ struct ecryptfs_message **reply);
+ int ecryptfs_find_key_mod(struct ecryptfs_key_mod **key_mod,
+ struct ecryptfs_ctx *ctx, char *key_mod_alias);
+-int generate_passphrase_sig(char *passphrase_sig, char *fekek, char *salt,
+- char *passphrase);
++int generate_passphrase_sig(char *passphrase_sig, char *fekek, const char *salt,
++ const char *passphrase);
+ int
+ generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig,
+- char *salt, char *session_key_encryption_key);
++ const char *salt, char *session_key_encryption_key);
+ int
+ ecryptfs_generate_key_payload(struct ecryptfs_auth_tok *auth_tok,
+ struct ecryptfs_key_mod *key_mod, char *sig,
+@@ -573,15 +573,15 @@ int ecryptfs_read_salt_hex_from_rc(char
+ int ecryptfs_check_sig(char *auth_tok_sig, char *sig_cache_filename,
+ int *flags);
+ int ecryptfs_append_sig(char *auth_tok_sig, char *sig_cache_filename);
+-int ecryptfs_wrap_passphrase_file(char *dest, char *wrapping_passphrase,
+- char *wrapping_salt, char *src);
+-int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase,
+- char *wrapping_salt, char *decrypted_passphrase);
+-int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename,
+- char *wrapping_passphrase, char *wrapping_salt);
++int ecryptfs_wrap_passphrase_file(const char *dest, const char *wrapping_passphrase,
++ const char *wrapping_salt, const char *src);
++int ecryptfs_wrap_passphrase(const char *filename, const char *wrapping_passphrase,
++ const char *wrapping_salt, char *decrypted_passphrase);
++int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, const char *filename,
++ const char *wrapping_passphrase, const char *wrapping_salt);
+ int ecryptfs_insert_wrapped_passphrase_into_keyring(
+- char *auth_tok_sig, char *filename, char *wrapping_passphrase,
+- char *salt);
++ char *auth_tok_sig, char *filename, const char *wrapping_passphrase,
++ const char *salt);
+ char *ecryptfs_get_wrapped_passphrase_filename();
+ struct ecryptfs_key_mod_ops *passphrase_get_key_mod_ops(void);
+ int ecryptfs_validate_keyring(void);
+@@ -629,7 +629,7 @@ char *ecryptfs_get_passphrase(char *prom
+ int ecryptfs_run_daemon(struct ecryptfs_messaging_ctx *mctx);
+
+ #define ECRYPTFS_PRIVATE_DIR "Private"
+-char *ecryptfs_fetch_private_mnt(char *pw_dir);
++char *ecryptfs_fetch_private_mnt(const char *pw_dir);
+ int ecryptfs_private_is_mounted(char *dev, char *mnt, char *sig, int mounting);
+
+ #endif
+diff -up ecryptfs-utils-87/src/libecryptfs/key_management.c.fixconst ecryptfs-utils-87/src/libecryptfs/key_management.c
+--- ecryptfs-utils-87/src/libecryptfs/key_management.c.fixconst 2011-08-03 15:35:28.434082255 +0200
++++ ecryptfs-utils-87/src/libecryptfs/key_management.c 2011-08-03 15:39:26.382868090 +0200
+@@ -53,7 +53,7 @@
+ */
+ int ecryptfs_generate_passphrase_auth_tok(struct ecryptfs_auth_tok **auth_tok,
+ char *auth_tok_sig, char *fekek,
+- char *salt, char *passphrase)
++ const char *salt, const char *passphrase)
+ {
+ int rc;
+
+@@ -190,8 +190,8 @@ int ecryptfs_add_blob_to_keyring(char *b
+ *
+ * Returns 0 on add, 1 on pre-existed, negative on failure.
+ */
+-int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, char *passphrase,
+- char *salt)
++int ecryptfs_add_passphrase_key_to_keyring(char *auth_tok_sig, const char *passphrase,
++ const char *salt)
+ {
+ int rc;
+ char fekek[ECRYPTFS_MAX_KEY_BYTES];
+@@ -220,8 +220,8 @@ out:
+ return rc;
+ }
+
+-int ecryptfs_wrap_passphrase_file(char *dest, char *wrapping_passphrase,
+- char *salt, char *src)
++int ecryptfs_wrap_passphrase_file(const char *dest, const char *wrapping_passphrase,
++ const char *salt, const char *src)
+ {
+ int rc = 0;
+ ssize_t size;
+@@ -264,8 +264,8 @@ out:
+ return rc;
+ }
+
+-int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase,
+- char *wrapping_salt, char *decrypted_passphrase)
++int ecryptfs_wrap_passphrase(const char *filename, const char *wrapping_passphrase,
++ const char *wrapping_salt, char *decrypted_passphrase)
+ {
+ char wrapping_auth_tok_sig[ECRYPTFS_SIG_SIZE_HEX + 1];
+ char wrapping_key[ECRYPTFS_MAX_KEY_BYTES];
+@@ -410,8 +410,8 @@ out:
+ * decryptfs_passphrase must be able to hold
+ * ECRYPTFS_MAX_PASSPHRASE_BYTES + 1 bytes
+ */
+-int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename,
+- char *wrapping_passphrase, char *wrapping_salt)
++int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, const char *filename,
++ const char *wrapping_passphrase, const char *wrapping_salt)
+ {
+ char wrapping_auth_tok_sig[ECRYPTFS_SIG_SIZE_HEX + 1];
+ char wrapping_auth_tok_sig_from_file[ECRYPTFS_SIG_SIZE_HEX + 1];
+@@ -546,8 +546,8 @@ out:
+ * into the user session keyring.
+ */
+ int ecryptfs_insert_wrapped_passphrase_into_keyring(
+- char *auth_tok_sig, char *filename, char *wrapping_passphrase,
+- char *salt)
++ char *auth_tok_sig, char *filename, const char *wrapping_passphrase,
++ const char *salt)
+ {
+ char decrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1] ;
+ uint32_t version;
+diff -up ecryptfs-utils-87/src/libecryptfs/main.c.fixconst ecryptfs-utils-87/src/libecryptfs/main.c
+--- ecryptfs-utils-87/src/libecryptfs/main.c.fixconst 2011-08-03 15:35:28.553079131 +0200
++++ ecryptfs-utils-87/src/libecryptfs/main.c 2011-08-03 15:35:28.577078501 +0200
+@@ -93,7 +93,7 @@ out:
+ /* Read ecryptfs private mount from file
+ * Allocate and return a string
+ */
+-char *ecryptfs_fetch_private_mnt(char *pw_dir) {
++char *ecryptfs_fetch_private_mnt(const char *pw_dir) {
+ char *mnt_file = NULL;
+ char *mnt_default = NULL;
+ char *mnt = NULL;
+@@ -209,7 +209,7 @@ int ecryptfs_private_is_mounted(char *de
+ */
+ int
+ generate_passphrase_sig(char *passphrase_sig, char *fekek,
+- char *salt, char *passphrase)
++ const char *salt, const char *passphrase)
+ {
+ char salt_and_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES
+ + ECRYPTFS_SALT_SIZE];
+@@ -253,7 +253,7 @@ generate_passphrase_sig(char *passphrase
+ */
+ int
+ generate_payload(struct ecryptfs_auth_tok *auth_tok, char *passphrase_sig,
+- char *salt, char *session_key_encryption_key)
++ const char *salt, char *session_key_encryption_key)
+ {
+ int rc = 0;
+ int major, minor;
diff --git a/ecryptfs-utils-87-fixexecgid.patch b/ecryptfs-utils-87-fixexecgid.patch
index 2367a2a..ed9c2e6 100644
--- a/ecryptfs-utils-87-fixexecgid.patch
+++ b/ecryptfs-utils-87-fixexecgid.patch
@@ -9,23 +9,13 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-u
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/types.h>
-@@ -303,6 +304,22 @@ static int private_dir(pam_handle_t *pam
+@@ -303,6 +304,12 @@ static int private_dir(pam_handle_t *pam
return 1;
}
if (pid == 0) {
-+ /* explicitely change group to ecryptfs if user is member of that group, changing uid is not enough */
-+ gid_t *groups;
-+ int grn = 0;
-+
-+ getgrouplist(pwd->pw_name,pwd->pw_gid,NULL,&grn);
-+ groups = malloc(sizeof(gid_t)*grn);
-+ if (groups == NULL) {
-+ syslog(LOG_ERR, "Error allocating memory for group list");
-+ _exit(255);
-+ }
-+ getgrouplist(pwd->pw_name, pwd->pw_gid, groups, &grn);
-+ if (setgroups(grn, groups) < 0) {
-+ syslog(LOG_ERR, "Unable to set user's supplementary groups : %m");
++ /* set user's groups, we may need ecryptfs group for (u)mount */
++ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
++ syslog(LOG_ERR, "Unable to set user's groups : %m");
+ _exit(255);
+ }
+
diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch
new file mode 100644
index 0000000..9553414
--- /dev/null
+++ b/ecryptfs-utils-87-pamdata.patch
@@ -0,0 +1,281 @@
+diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2011-08-03 15:40:01.743949759 +0200
++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-03 15:52:05.676388743 +0200
+@@ -45,6 +45,22 @@
+
+ #define PRIVATE_DIR "Private"
+
++#define ECRYPTFS_PAM_DATA "ecryptfs:passphrase"
++
++struct ecryptfs_pam_data {
++ int unwrap;
++ uid_t uid;
++ char *passphrase;
++ const char *homedir;
++ const char *username;
++ char salt[ECRYPTFS_SALT_SIZE];
++};
++
++static void pam_free_ecryptfsdata(pam_handle_t *pamh, void *data, int error_status)
++{
++ free(data);
++}
++
+ /* returns: 0 if file does not exist, 1 if it exists, <0 for error */
+ static int file_exists_dotecryptfs(const char *homedir, char *filename)
+ {
+@@ -64,7 +80,7 @@ out:
+ return rc;
+ }
+
+-static int wrap_passphrase_if_necessary(const char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt)
++static int wrap_passphrase_if_necessary(const char *username, uid_t uid, const char *wrapped_pw_filename, const char *passphrase, const char *salt)
+ {
+ char *unwrapped_pw_filename = NULL;
+ struct stat s;
+@@ -96,42 +112,43 @@ static int wrap_passphrase_if_necessary(
+ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+ {
+- uid_t uid = 0;
+- char *homedir = NULL;
+ uid_t saved_uid = 0;
+- const char *username;
+- char *passphrase = NULL;
+- char salt[ECRYPTFS_SALT_SIZE];
+ char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
+- char *auth_tok_sig;
+ char *private_mnt = NULL;
+- pid_t child_pid, tmp_pid;
+- long rc;
++ long rc = 0;
+ uint32_t version;
++ struct ecryptfs_pam_data *epd = {0,};
+
+ syslog(LOG_INFO, "%s: Called\n", __FUNCTION__);
+- rc = pam_get_user(pamh, &username, NULL);
++
++ if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) {
++ syslog(LOG_ERR,"Memory allocation failed");
++ rc = -ENOMEM;
++ goto out;
++ }
++
++ rc = pam_get_user(pamh, &epd->username, NULL);
+ if (rc == PAM_SUCCESS) {
+ struct passwd *pwd;
+
+ syslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__,
+- username);
+- pwd = getpwnam(username);
++ epd->username);
++ pwd = getpwnam(epd->username);
+ if (pwd) {
+- uid = pwd->pw_uid;
+- homedir = pwd->pw_dir;
++ epd->uid = pwd->pw_uid;
++ epd->homedir = pwd->pw_dir;
+ }
+ } else {
+ syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
+- "rc = [%ld]\n", username, rc);
++ "rc = [%ld]\n", epd->username, rc);
+ goto out;
+ }
+- if (!file_exists_dotecryptfs(homedir, "auto-mount"))
++ if (!file_exists_dotecryptfs(epd->homedir, "auto-mount"))
+ goto out;
+- private_mnt = ecryptfs_fetch_private_mnt(homedir);
++ private_mnt = ecryptfs_fetch_private_mnt(epd->homedir);
+ if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
+ syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__,
+- homedir);
++ epd->homedir);
+ /* If private/home is already mounted, then we can skip
+ costly loading of keys */
+ goto out;
+@@ -141,82 +158,31 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ if (ecryptfs_get_version(&version) != 0)
+ syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
+ saved_uid = geteuid();
+- seteuid(uid);
+- if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1)
+- rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: ");
++ seteuid(epd->uid);
++ if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1)
++ rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &epd->passphrase, "Encryption passphrase: ");
+ else
+- rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
++ rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase);
+ seteuid(saved_uid);
+ if (rc != PAM_SUCCESS) {
+ syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
+ rc);
+ goto out;
+ }
+- auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1);
+- if (!auth_tok_sig) {
+- rc = -ENOMEM;
+- syslog(LOG_ERR, "Out of memory\n");
+- goto out;
+- }
++
+ rc = ecryptfs_read_salt_hex_from_rc(salt_hex);
+ if (rc) {
+- from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
++ from_hex(epd->salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
+ } else
+- from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
+- if ((child_pid = fork()) == 0) {
+- setuid(uid);
+- if (passphrase == NULL) {
+- syslog(LOG_ERR, "NULL passphrase; aborting\n");
+- rc = -EINVAL;
+- goto out_child;
+- }
+- if ((rc = ecryptfs_validate_keyring())) {
+- syslog(LOG_WARNING,
+- "Cannot validate keyring integrity\n");
+- }
+- rc = 0;
+- if ((argc == 1)
+- && (memcmp(argv[0], "unwrap\0", 7) == 0)) {
+- char *wrapped_pw_filename;
++ from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE);
+
+- rc = asprintf(
+- &wrapped_pw_filename, "%s/.ecryptfs/%s",
+- homedir,
+- ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME);
+- if (rc == -1) {
+- syslog(LOG_ERR, "Unable to allocate memory\n");
+- rc = -ENOMEM;
+- goto out_child;
+- }
+- if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, passphrase, salt) == 0) {
+- syslog(LOG_INFO, "Passphrase file wrapped");
+- } else {
+- goto out_child;
+- }
+- rc = ecryptfs_insert_wrapped_passphrase_into_keyring(
+- auth_tok_sig, wrapped_pw_filename, passphrase,
+- salt);
+- free(wrapped_pw_filename);
+- } else {
+- rc = ecryptfs_add_passphrase_key_to_keyring(
+- auth_tok_sig, passphrase, salt);
+- }
+- if (rc == 1) {
+- goto out_child;
+- }
+- if (rc) {
+- syslog(LOG_ERR, "Error adding passphrase key token to "
+- "user session keyring; rc = [%ld]\n", rc);
+- goto out_child;
+- }
+-out_child:
+- free(auth_tok_sig);
+- _exit(0);
++ epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0));
++ if (pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata) != PAM_SUCCESS) {
++
++ syslog(LOG_ERR, "Unable to store ecryptfs pam data : %m");
++ goto out;
+ }
+- tmp_pid = waitpid(child_pid, NULL, 0);
+- if (tmp_pid == -1)
+- syslog(LOG_WARNING,
+- "waitpid() returned with error condition\n");
++
+ out:
+ if (private_mnt != NULL)
+ free(private_mnt);
+@@ -361,10 +327,88 @@ static int umount_private_dir(pam_handle
+ return private_dir(pamh, 0);
+ }
+
++static int fill_keyring(pam_handle_t *pamh)
++{
++ pid_t child_pid,tmp_pid;
++ int rc = 0;
++ const struct ecryptfs_pam_data *epd;
++ char *auth_tok_sig;
++ auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1);
++ if (!auth_tok_sig) {
++ syslog(LOG_ERR, "Out of memory\n");
++ return -ENOMEM;
++ }
++
++ if (pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd) != PAM_SUCCESS)
++ {
++ syslog(LOG_ERR,"Unable to get ecryptfs pam data : %m");
++ return -EINVAL;
++ }
++
++ if ((child_pid = fork()) == 0) {
++ setuid(epd->uid);
++ if (epd->passphrase == NULL) {
++ syslog(LOG_ERR, "NULL passphrase; aborting\n");
++ rc = -EINVAL;
++ goto out_child;
++ }
++ if ((rc = ecryptfs_validate_keyring())) {
++ syslog(LOG_WARNING,
++ "Cannot validate keyring integrity\n");
++ }
++ rc = 0;
++ if (epd->unwrap) {
++ char *wrapped_pw_filename;
++
++ rc = asprintf(
++ &wrapped_pw_filename, "%s/.ecryptfs/%s",
++ epd->homedir,
++ ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME);
++ if (rc == -1) {
++ syslog(LOG_ERR, "Unable to allocate memory\n");
++ rc = -ENOMEM;
++ goto out_child;
++ }
++ if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) {
++ syslog(LOG_INFO, "Passphrase file wrapped");
++ } else {
++ goto out_child;
++ }
++ rc = ecryptfs_insert_wrapped_passphrase_into_keyring(
++ auth_tok_sig, wrapped_pw_filename, epd->passphrase,
++ epd->salt);
++ free(wrapped_pw_filename);
++ } else {
++ rc = ecryptfs_add_passphrase_key_to_keyring(
++ auth_tok_sig, epd->passphrase, epd->salt);
++ }
++ if (rc == 1) {
++ goto out_child;
++ }
++ if (rc) {
++ syslog(LOG_ERR, "Error adding passphrase key token to "
++ "user session keyring; rc = [%d]\n", rc);
++ goto out_child;
++ }
++out_child:
++ free(auth_tok_sig);
++ _exit(0);
++ }
++ tmp_pid = waitpid(child_pid, NULL, 0);
++ if (tmp_pid == -1)
++ syslog(LOG_WARNING,
++ "waitpid() returned with error condition\n");
++
++
++ return 0;
++}
++
++
+ PAM_EXTERN int
+ pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
+ {
++ fill_keyring(pamh);
+ mount_private_dir(pamh);
+ return PAM_SUCCESS;
+ }
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 91a55bf..8046854 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -5,7 +5,7 @@
Name: ecryptfs-utils
Version: 87
-Release: 7%{?dist}
+Release: 8%{?dist}
Summary: The eCryptfs mount helper and support libraries
Group: System Environment/Base
License: GPLv2+
@@ -56,6 +56,12 @@ Patch14: ecryptfs-utils-87-fixexecgid.patch
# do not use zombie process, it causes lock ups at least for ssh login
Patch15: ecryptfs-utils-87-nozombies.patch
+# if we do not use zombies, we have to store passphrase in pam_data and init keyring later
+Patch16: ecryptfs-utils-87-pamdata.patch
+
+# patch16 needs propper const on some places
+Patch17: ecryptfs-utils-87-fixconst.patch
+
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
Requires: keyutils, cryptsetup-luks, util-linux-ng, gettext
BuildRequires: libgcrypt-devel keyutils-libs-devel openssl-devel pam-devel
@@ -107,6 +113,8 @@ the interface supplied by the ecryptfs-utils library.
%patch13 -p1 -b .fixpamfork
%patch14 -p1 -b .fixexecgid
%patch15 -p1 -b .nozombies
+%patch16 -p1 -b .pamdata
+%patch17 -p1 -b .fixconst
%build
export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits"
@@ -234,6 +242,10 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitearch}/ecryptfs-utils/_libecryptfs.so
%changelog
+* Wed Aug 03 2011 Michal Hlavinka <mhlavink at redhat.com> - 87-8
+- keyring from auth stack does not survive, use pam_data and delayed
+ keyring initialization
+
* Thu Jul 21 2011 Michal Hlavinka <mhlavink at redhat.com> - 87-7
- fix pam module to set ecryptfs gid before mount helper execution
- do not use zombie process, it causes lock ups in ssh
More information about the scm-commits
mailing list