[ecryptfs-utils/f16] improve logging messages of ecryptfs pam module keep own copy of passphrase, pam clears it too early
Michal Hlavinka
mhlavink at fedoraproject.org
Tue Aug 9 12:43:06 UTC 2011
commit aeb5f9e317d2452d3cfa1c0b05eb33d20f96f2ab
Author: Michal Hlavinka <mhlavink at redhat.com>
Date: Tue Aug 9 14:42:50 2011 +0200
improve logging messages of ecryptfs pam module
keep own copy of passphrase, pam clears it too early
ecryptfs-utils-87-pamdata.patch | 24 ++--
ecryptfs-utils-87-prefixsyslog.patch | 240 ++++++++++++++++++++++++++++++++
ecryptfs-utils-87-syslog.patch | 252 ++++++++++++++++++++++++++++++++++
ecryptfs-utils.spec | 9 +-
4 files changed, 514 insertions(+), 11 deletions(-)
---
diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch
index 9553414..127499c 100644
--- a/ecryptfs-utils-87-pamdata.patch
+++ b/ecryptfs-utils-87-pamdata.patch
@@ -1,7 +1,7 @@
diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2011-08-03 15:40:01.743949759 +0200
+++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-03 15:52:05.676388743 +0200
-@@ -45,6 +45,22 @@
+@@ -45,6 +45,25 @@
#define PRIVATE_DIR "Private"
@@ -18,13 +18,16 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
+
+static void pam_free_ecryptfsdata(pam_handle_t *pamh, void *data, int error_status)
+{
-+ free(data);
++ if (data) {
++ free(((struct ecryptfs_pam_data *)data)->passphrase);
++ free(data);
++ }
+}
+
/* returns: 0 if file does not exist, 1 if it exists, <0 for error */
static int file_exists_dotecryptfs(const char *homedir, char *filename)
{
-@@ -64,7 +80,7 @@ out:
+@@ -64,7 +83,7 @@ out:
return rc;
}
@@ -33,7 +36,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
{
char *unwrapped_pw_filename = NULL;
struct stat s;
-@@ -96,42 +112,43 @@ static int wrap_passphrase_if_necessary(
+@@ -96,42 +115,43 @@ static int wrap_passphrase_if_necessary(
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
@@ -94,7 +97,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
/* If private/home is already mounted, then we can skip
costly loading of keys */
goto out;
-@@ -141,82 +158,31 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -141,82 +161,32 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
if (ecryptfs_get_version(&version) != 0)
syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
saved_uid = geteuid();
@@ -107,6 +110,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
else
- rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
+ rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase);
++ epd->passphrase = strdup(epd->passphrase);
seteuid(saved_uid);
if (rc != PAM_SUCCESS) {
syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
@@ -177,9 +181,9 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
- free(auth_tok_sig);
- _exit(0);
+ epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0));
-+ if (pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata) != PAM_SUCCESS) {
++ if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) {
+
-+ syslog(LOG_ERR, "Unable to store ecryptfs pam data : %m");
++ syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc));
+ goto out;
}
- tmp_pid = waitpid(child_pid, NULL, 0);
@@ -190,7 +194,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
out:
if (private_mnt != NULL)
free(private_mnt);
-@@ -361,10 +327,88 @@ static int umount_private_dir(pam_handle
+@@ -361,10 +331,88 @@ static int umount_private_dir(pam_handle
return private_dir(pamh, 0);
}
@@ -206,9 +210,9 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
+ return -ENOMEM;
+ }
+
-+ if (pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd) != PAM_SUCCESS)
++ if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS)
+ {
-+ syslog(LOG_ERR,"Unable to get ecryptfs pam data : %m");
++ syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc));
+ return -EINVAL;
+ }
+
diff --git a/ecryptfs-utils-87-prefixsyslog.patch b/ecryptfs-utils-87-prefixsyslog.patch
new file mode 100644
index 0000000..02fbad4
--- /dev/null
+++ b/ecryptfs-utils-87-prefixsyslog.patch
@@ -0,0 +1,240 @@
+diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamsyslog ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamsyslog 2011-08-09 11:39:28.404766037 +0200
++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-09 11:39:28.428765549 +0200
+@@ -91,7 +91,7 @@ static int wrap_passphrase_if_necessary(
+
+ rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username);
+ if (rc == -1) {
+- syslog(LOG_ERR, "Unable to allocate memory\n");
++ pamsyslog(LOG_ERR, "Unable to allocate memory\n");
+ return -ENOMEM;
+ }
+ /* If /dev/shm/.ecryptfs-$USER exists and owned by the user
+@@ -105,7 +105,7 @@ static int wrap_passphrase_if_necessary(
+ setuid(uid);
+ rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename);
+ if (rc != 0) {
+- syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc);
++ pamsyslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc);
+ }
+ return rc;
+ }
+@@ -122,10 +122,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ uint32_t version;
+ struct ecryptfs_pam_data *epd = {0,};
+
+- syslog(LOG_INFO, "%s: Called\n", __FUNCTION__);
++ pamsyslog(LOG_INFO, "%s: Called\n", __FUNCTION__);
+
+ if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) {
+- syslog(LOG_ERR,"Memory allocation failed");
++ pamsyslog(LOG_ERR,"Memory allocation failed");
+ rc = -ENOMEM;
+ goto out;
+ }
+@@ -134,7 +134,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ if (rc == PAM_SUCCESS) {
+ struct passwd *pwd;
+
+- syslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__,
++ pamsyslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__,
+ epd->username);
+ pwd = getpwnam(epd->username);
+ if (pwd) {
+@@ -142,7 +142,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ epd->homedir = pwd->pw_dir;
+ }
+ } else {
+- syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
++ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; "
+ "rc = [%ld]\n", epd->username, rc);
+ goto out;
+ }
+@@ -150,7 +150,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ goto out;
+ private_mnt = ecryptfs_fetch_private_mnt(epd->homedir);
+ if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
+- syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__,
++ pamsyslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__,
+ epd->homedir);
+ /* If private/home is already mounted, then we can skip
+ costly loading of keys */
+@@ -159,7 +159,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ /* we need side effect of this check:
+ load ecryptfs module if not loaded already */
+ if (ecryptfs_get_version(&version) != 0)
+- syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
++ pamsyslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
+ saved_uid = geteuid();
+ seteuid(epd->uid);
+ if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1)
+@@ -168,7 +168,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase);
+ seteuid(saved_uid);
+ if (rc != PAM_SUCCESS) {
+- syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
++ pamsyslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
+ rc);
+ goto out;
+ }
+@@ -182,7 +182,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0));
+ if (pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata) != PAM_SUCCESS) {
+
+- syslog(LOG_ERR, "Unable to store ecryptfs pam data : %m");
++ pamsyslog(LOG_ERR, "Unable to store ecryptfs pam data : %m");
+ goto out;
+ }
+
+@@ -206,13 +206,13 @@ static struct passwd *fetch_pwd(pam_hand
+
+ rc = pam_get_user(pamh, &username, NULL);
+ if (rc != PAM_SUCCESS || username == NULL) {
+- syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
++ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; "
+ "rc = [%ld]\n", username, rc);
+ return NULL;
+ }
+ pwd = getpwnam(username);
+ if (pwd == NULL) {
+- syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
++ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; "
+ "rc = [%ld]\n", username, rc);
+ return NULL;
+ }
+@@ -244,13 +244,13 @@ static int private_dir(pam_handle_t *pam
+ if (
+ (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0)
+ || autofile == NULL) {
+- syslog(LOG_ERR, "Error allocating memory for autofile name");
++ pamsyslog(LOG_ERR, "Error allocating memory for autofile name");
+ return 1;
+ }
+ if (
+ (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir,
+ PRIVATE_DIR) < 0) || sigfile == NULL) {
+- syslog(LOG_ERR, "Error allocating memory for sigfile name");
++ pamsyslog(LOG_ERR, "Error allocating memory for sigfile name");
+ return 1;
+ }
+ if (stat(sigfile, &s) != 0) {
+@@ -262,13 +262,13 @@ static int private_dir(pam_handle_t *pam
+ goto out;
+ }
+ if ((pid = fork()) < 0) {
+- syslog(LOG_ERR, "Error setting up private mount");
++ pamsyslog(LOG_ERR, "Error setting up private mount");
+ return 1;
+ }
+ if (pid == 0) {
+ /* set user's groups, we may need ecryptfs group for (u)mount */
+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+- syslog(LOG_ERR, "Unable to set user's groups : %m");
++ pamsyslog(LOG_ERR, "Unable to set user's groups : %m");
+ _exit(255);
+ }
+
+@@ -276,7 +276,7 @@ static int private_dir(pam_handle_t *pam
+ if ((asprintf(&recorded,
+ "%s/.ecryptfs/.wrapped-passphrase.recorded",
+ pwd->pw_dir) < 0) || recorded == NULL) {
+- syslog(LOG_ERR,
++ pamsyslog(LOG_ERR,
+ "Error allocating memory for recorded name");
+ _exit(255);
+ }
+@@ -289,7 +289,7 @@ static int private_dir(pam_handle_t *pam
+ }
+ if (stat(autofile, &s) != 0) {
+ /* User does not want to auto-mount */
+- syslog(LOG_INFO,
++ pamsyslog(LOG_INFO,
+ "Skipping automatic eCryptfs mount");
+ _exit(0);
+ }
+@@ -297,11 +297,11 @@ static int private_dir(pam_handle_t *pam
+ setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ execl("/sbin/mount.ecryptfs_private",
+ "mount.ecryptfs_private", NULL);
+- syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m");
++ pamsyslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m");
+ } else {
+ if (stat(autofile, &s) != 0) {
+ /* User does not want to auto-unmount */
+- syslog(LOG_INFO,
++ pamsyslog(LOG_INFO,
+ "Skipping automatic eCryptfs unmount");
+ _exit(0);
+ }
+@@ -309,7 +309,7 @@ static int private_dir(pam_handle_t *pam
+ setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ execl("/sbin/umount.ecryptfs_private",
+ "umount.ecryptfs_private", NULL);
+- syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m");
++ pamsyslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m");
+ }
+ _exit(255);
+ } else {
+@@ -338,25 +338,25 @@ static int fill_keyring(pam_handle_t *pa
+ char *auth_tok_sig;
+ auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1);
+ if (!auth_tok_sig) {
+- syslog(LOG_ERR, "Out of memory\n");
++ pamsyslog(LOG_ERR, "Out of memory\n");
+ return -ENOMEM;
+ }
+
+ if (pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd) != PAM_SUCCESS)
+ {
+- syslog(LOG_ERR,"Unable to get ecryptfs pam data : %m");
++ pamsyslog(LOG_ERR,"Unable to get ecryptfs pam data : %m");
+ return -EINVAL;
+ }
+
+ if ((child_pid = fork()) == 0) {
+ setuid(epd->uid);
+ if (epd->passphrase == NULL) {
+- syslog(LOG_ERR, "NULL passphrase; aborting\n");
++ pamsyslog(LOG_ERR, "NULL passphrase; aborting\n");
+ rc = -EINVAL;
+ goto out_child;
+ }
+ if ((rc = ecryptfs_validate_keyring())) {
+- syslog(LOG_WARNING,
++ pamsyslog(LOG_WARNING,
+ "Cannot validate keyring integrity\n");
+ }
+ rc = 0;
+@@ -368,12 +368,12 @@ static int fill_keyring(pam_handle_t *pa
+ epd->homedir,
+ ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME);
+ if (rc == -1) {
+- syslog(LOG_ERR, "Unable to allocate memory\n");
++ pamsyslog(LOG_ERR, "Unable to allocate memory\n");
+ rc = -ENOMEM;
+ goto out_child;
+ }
+ if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) {
+- syslog(LOG_INFO, "Passphrase file wrapped");
++ pamsyslog(LOG_INFO, "Passphrase file wrapped");
+ } else {
+ goto out_child;
+ }
+@@ -389,7 +389,7 @@ static int fill_keyring(pam_handle_t *pa
+ goto out_child;
+ }
+ if (rc) {
+- syslog(LOG_ERR, "Error adding passphrase key token to "
++ pamsyslog(LOG_ERR, "Error adding passphrase key token to "
+ "user session keyring; rc = [%d]\n", rc);
+ goto out_child;
+ }
+@@ -399,7 +399,7 @@ out_child:
+ }
+ tmp_pid = waitpid(child_pid, NULL, 0);
+ if (tmp_pid == -1)
+- syslog(LOG_WARNING,
++ pamsyslog(LOG_WARNING,
+ "waitpid() returned with error condition\n");
+
+
diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch
new file mode 100644
index 0000000..b1d2382
--- /dev/null
+++ b/ecryptfs-utils-87-syslog.patch
@@ -0,0 +1,252 @@
+diff -up ecryptfs-utils-87/src/include/ecryptfs.h.syslog ecryptfs-utils-87/src/include/ecryptfs.h
+--- ecryptfs-utils-87/src/include/ecryptfs.h.syslog 2011-08-09 14:38:08.941531270 +0200
++++ ecryptfs-utils-87/src/include/ecryptfs.h 2011-08-09 14:38:08.951531067 +0200
+@@ -143,7 +143,7 @@
+ #define ECRYPTFS_TAG_67_PACKET 0x43
+
+ #define ecryptfs_syslog(type, fmt, arg...) \
+- syslog(type, "%s: " fmt, __FUNCTION__, ## arg);
++ syslog(type, "ecryptfs: %s: " fmt, __FUNCTION__, ## arg);
+
+ #define ECRYPTFS_MAX_NUM_CIPHERS 64
+ #define ECRYPTFS_ECHO_ON 1
+diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2011-08-09 14:38:08.933531435 +0200
++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-09 14:38:08.955530985 +0200
+@@ -91,7 +91,7 @@ static int wrap_passphrase_if_necessary(
+
+ rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username);
+ if (rc == -1) {
+- syslog(LOG_ERR, "Unable to allocate memory\n");
++ ecryptfs_syslog(LOG_ERR, "Unable to allocate memory\n");
+ return -ENOMEM;
+ }
+ /* If /dev/shm/.ecryptfs-$USER exists and owned by the user
+@@ -105,7 +105,7 @@ static int wrap_passphrase_if_necessary(
+ setuid(uid);
+ rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename);
+ if (rc != 0) {
+- syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc);
++ ecryptfs_syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc);
+ }
+ return rc;
+ }
+@@ -122,10 +122,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ uint32_t version;
+ struct ecryptfs_pam_data *epd = {0,};
+
+- syslog(LOG_INFO, "%s: Called\n", __FUNCTION__);
++ ecryptfs_syslog(LOG_INFO, "pam auth stack calls pam_ecryptfs module");
+
+ if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) {
+- syslog(LOG_ERR,"Memory allocation failed");
++ ecryptfs_syslog(LOG_ERR,"Memory allocation failed");
+ rc = -ENOMEM;
+ goto out;
+ }
+@@ -134,7 +134,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ if (rc == PAM_SUCCESS) {
+ struct passwd *pwd;
+
+- syslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__,
++ ecryptfs_syslog(LOG_INFO, "pam_ecryptfs: username = [%s]\n",
+ epd->username);
+ pwd = getpwnam(epd->username);
+ if (pwd) {
+@@ -142,7 +142,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ epd->homedir = pwd->pw_dir;
+ }
+ } else {
+- syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
++ ecryptfs_syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
+ "rc = [%ld]\n", epd->username, rc);
+ goto out;
+ }
+@@ -150,7 +150,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ goto out;
+ private_mnt = ecryptfs_fetch_private_mnt(epd->homedir);
+ if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
+- syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__,
++ ecryptfs_syslog(LOG_INFO, "%s is already mounted",
+ epd->homedir);
+ /* If private/home is already mounted, then we can skip
+ costly loading of keys */
+@@ -159,7 +159,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ /* we need side effect of this check:
+ load ecryptfs module if not loaded already */
+ if (ecryptfs_get_version(&version) != 0)
+- syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
++ ecryptfs_syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
+ saved_uid = geteuid();
+ seteuid(epd->uid);
+ if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1)
+@@ -169,7 +169,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ epd->passphrase = strdup(epd->passphrase);
+ seteuid(saved_uid);
+ if (rc != PAM_SUCCESS) {
+- syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
++ ecryptfs_syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
+ rc);
+ goto out;
+ }
+@@ -183,7 +183,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0));
+ if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) {
+
+- syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc));
++ ecryptfs_syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc));
+ goto out;
+ }
+
+@@ -207,13 +207,13 @@ static struct passwd *fetch_pwd(pam_hand
+
+ rc = pam_get_user(pamh, &username, NULL);
+ if (rc != PAM_SUCCESS || username == NULL) {
+- syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
++ ecryptfs_syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
+ "rc = [%ld]\n", username, rc);
+ return NULL;
+ }
+ pwd = getpwnam(username);
+ if (pwd == NULL) {
+- syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
++ ecryptfs_syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
+ "rc = [%ld]\n", username, rc);
+ return NULL;
+ }
+@@ -245,13 +245,13 @@ static int private_dir(pam_handle_t *pam
+ if (
+ (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0)
+ || autofile == NULL) {
+- syslog(LOG_ERR, "Error allocating memory for autofile name");
++ ecryptfs_syslog(LOG_ERR, "Error allocating memory for autofile name");
+ return 1;
+ }
+ if (
+ (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir,
+ PRIVATE_DIR) < 0) || sigfile == NULL) {
+- syslog(LOG_ERR, "Error allocating memory for sigfile name");
++ ecryptfs_syslog(LOG_ERR, "Error allocating memory for sigfile name");
+ return 1;
+ }
+ if (stat(sigfile, &s) != 0) {
+@@ -263,13 +263,13 @@ static int private_dir(pam_handle_t *pam
+ goto out;
+ }
+ if ((pid = fork()) < 0) {
+- syslog(LOG_ERR, "Error setting up private mount");
++ ecryptfs_syslog(LOG_ERR, "Error setting up private mount");
+ return 1;
+ }
+ if (pid == 0) {
+ /* set user's groups, we may need ecryptfs group for (u)mount */
+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+- syslog(LOG_ERR, "Unable to set user's groups : %m");
++ ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m");
+ _exit(255);
+ }
+
+@@ -277,7 +277,7 @@ static int private_dir(pam_handle_t *pam
+ if ((asprintf(&recorded,
+ "%s/.ecryptfs/.wrapped-passphrase.recorded",
+ pwd->pw_dir) < 0) || recorded == NULL) {
+- syslog(LOG_ERR,
++ ecryptfs_syslog(LOG_ERR,
+ "Error allocating memory for recorded name");
+ _exit(255);
+ }
+@@ -290,7 +290,7 @@ static int private_dir(pam_handle_t *pam
+ }
+ if (stat(autofile, &s) != 0) {
+ /* User does not want to auto-mount */
+- syslog(LOG_INFO,
++ ecryptfs_syslog(LOG_INFO,
+ "Skipping automatic eCryptfs mount");
+ _exit(0);
+ }
+@@ -298,11 +298,11 @@ static int private_dir(pam_handle_t *pam
+ setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ execl("/sbin/mount.ecryptfs_private",
+ "mount.ecryptfs_private", NULL);
+- syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m");
++ ecryptfs_syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m");
+ } else {
+ if (stat(autofile, &s) != 0) {
+ /* User does not want to auto-unmount */
+- syslog(LOG_INFO,
++ ecryptfs_syslog(LOG_INFO,
+ "Skipping automatic eCryptfs unmount");
+ _exit(0);
+ }
+@@ -310,7 +310,7 @@ static int private_dir(pam_handle_t *pam
+ setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ execl("/sbin/umount.ecryptfs_private",
+ "umount.ecryptfs_private", NULL);
+- syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m");
++ ecryptfs_syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m");
+ }
+ _exit(255);
+ } else {
+@@ -339,25 +339,25 @@ static int fill_keyring(pam_handle_t *pa
+ char *auth_tok_sig;
+ auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1);
+ if (!auth_tok_sig) {
+- syslog(LOG_ERR, "Out of memory\n");
++ ecryptfs_syslog(LOG_ERR, "Out of memory\n");
+ return -ENOMEM;
+ }
+
+ if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS)
+ {
+- syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc));
++ ecryptfs_syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc));
+ return -EINVAL;
+ }
+
+ if ((child_pid = fork()) == 0) {
+ setuid(epd->uid);
+ if (epd->passphrase == NULL) {
+- syslog(LOG_ERR, "NULL passphrase; aborting\n");
++ ecryptfs_syslog(LOG_ERR, "NULL passphrase; aborting\n");
+ rc = -EINVAL;
+ goto out_child;
+ }
+ if ((rc = ecryptfs_validate_keyring())) {
+- syslog(LOG_WARNING,
++ ecryptfs_syslog(LOG_WARNING,
+ "Cannot validate keyring integrity\n");
+ }
+ rc = 0;
+@@ -369,12 +369,12 @@ static int fill_keyring(pam_handle_t *pa
+ epd->homedir,
+ ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME);
+ if (rc == -1) {
+- syslog(LOG_ERR, "Unable to allocate memory\n");
++ ecryptfs_syslog(LOG_ERR, "Unable to allocate memory\n");
+ rc = -ENOMEM;
+ goto out_child;
+ }
+ if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) {
+- syslog(LOG_INFO, "Passphrase file wrapped");
++ ecryptfs_syslog(LOG_INFO, "Passphrase file wrapped");
+ } else {
+ goto out_child;
+ }
+@@ -390,7 +390,7 @@ static int fill_keyring(pam_handle_t *pa
+ goto out_child;
+ }
+ if (rc) {
+- syslog(LOG_ERR, "Error adding passphrase key token to "
++ ecryptfs_syslog(LOG_ERR, "Error adding passphrase key token to "
+ "user session keyring; rc = [%d]\n", rc);
+ goto out_child;
+ }
+@@ -400,7 +400,7 @@ out_child:
+ }
+ tmp_pid = waitpid(child_pid, NULL, 0);
+ if (tmp_pid == -1)
+- syslog(LOG_WARNING,
++ ecryptfs_syslog(LOG_WARNING,
+ "waitpid() returned with error condition\n");
+
+
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 8046854..7ffcc3e 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -5,7 +5,7 @@
Name: ecryptfs-utils
Version: 87
-Release: 8%{?dist}
+Release: 9%{?dist}
Summary: The eCryptfs mount helper and support libraries
Group: System Environment/Base
License: GPLv2+
@@ -62,6 +62,8 @@ Patch16: ecryptfs-utils-87-pamdata.patch
# patch16 needs propper const on some places
Patch17: ecryptfs-utils-87-fixconst.patch
+Patch18: ecryptfs-utils-87-syslog.patch
+
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
Requires: keyutils, cryptsetup-luks, util-linux-ng, gettext
BuildRequires: libgcrypt-devel keyutils-libs-devel openssl-devel pam-devel
@@ -115,6 +117,7 @@ the interface supplied by the ecryptfs-utils library.
%patch15 -p1 -b .nozombies
%patch16 -p1 -b .pamdata
%patch17 -p1 -b .fixconst
+%patch18 -p1 -b .syslog
%build
export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits"
@@ -242,6 +245,10 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitearch}/ecryptfs-utils/_libecryptfs.so
%changelog
+* Tue Aug 09 2011 Michal Hlavinka <mhlavink at redhat.com> - 87-9
+- improve logging messages of ecryptfs pam module
+- keep own copy of passphrase, pam clears it too early
+
* Wed Aug 03 2011 Michal Hlavinka <mhlavink at redhat.com> - 87-8
- keyring from auth stack does not survive, use pam_data and delayed
keyring initialization
More information about the scm-commits
mailing list