[ecryptfs-utils/f15] do not use memcpy for overlaping areas fix broken pam module resulting in session with wrong gid
Michal Hlavinka
mhlavink at fedoraproject.org
Thu Jul 21 13:14:02 UTC 2011
commit 4ad13956ba4a822bed754eaa1f9ce15852ff1c9a
Author: Michal Hlavinka <mhlavink at redhat.com>
Date: Thu Jul 21 15:13:47 2011 +0200
do not use memcpy for overlaping areas
fix broken pam module resulting in session with wrong gid
ecryptfs-utils-87-fixexecgid.patch | 35 ++
...gid.patch => ecryptfs-utils-87-fixpamfork.patch | 15 +-
ecryptfs-utils-87-nozombies.patch | 522 ++++++++++++++++++++
ecryptfs-utils.spec | 16 +-
4 files changed, 578 insertions(+), 10 deletions(-)
---
diff --git a/ecryptfs-utils-87-fixexecgid.patch b/ecryptfs-utils-87-fixexecgid.patch
new file mode 100644
index 0000000..2da6c24
--- /dev/null
+++ b/ecryptfs-utils-87-fixexecgid.patch
@@ -0,0 +1,35 @@
+diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid 2011-07-21 14:20:31.773602653 +0200
++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-07-21 14:21:12.302160125 +0200
+@@ -33,6 +33,7 @@
+ #include <errno.h>
+ #include <syslog.h>
+ #include <pwd.h>
++#include <grp.h>
+ #include <sys/types.h>
+ #include <sys/wait.h>
+ #include <sys/types.h>
+@@ -303,6 +304,23 @@ static int private_dir(pam_handle_t *pam
+ return 1;
+ }
+ if (pid == 0) {
++ /* explicitely change group to ecryptfs if user is member of that group, changing uid is not enough */
++ errno=0;
++ struct group *efsg = getgrnam("ecryptfs");
++ if (efsg==NULL && errno) syslog(LOG_ERR, "unable to list members of ecryptfs group : %m");
++ else
++ {
++ while (*efsg->gr_mem)
++ {
++ if (!strcmp(*efsg->gr_mem, pwd->pw_name))
++ {
++ if (setgid(efsg->gr_gid)<0) syslog(LOG_ERR, "Unable to change group to ecryptfs : %m");
++ break;
++ }
++ efsg->gr_mem++;
++ }
++ }
++
+ if (mount == 1) {
+ if ((asprintf(&recorded,
+ "%s/.ecryptfs/.wrapped-passphrase.recorded",
diff --git a/ecryptfs-utils-87-fixgid.patch b/ecryptfs-utils-87-fixpamfork.patch
similarity index 81%
rename from ecryptfs-utils-87-fixgid.patch
rename to ecryptfs-utils-87-fixpamfork.patch
index 5b8e39e..fe1d85d 100644
--- a/ecryptfs-utils-87-fixgid.patch
+++ b/ecryptfs-utils-87-fixpamfork.patch
@@ -1,6 +1,6 @@
diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid 2011-07-19 15:58:45.337539138 +0200
-+++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-07-19 16:02:09.542029724 +0200
+--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid 2011-07-21 13:35:47.968581526 +0200
++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-07-21 13:37:08.411188936 +0200
@@ -217,7 +217,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
}
out_child:
@@ -19,7 +19,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils
}
if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) {
/* User has not recorded their passphrase */
-@@ -322,23 +322,25 @@ static int private_dir(pam_handle_t *pam
+@@ -322,25 +322,27 @@ static int private_dir(pam_handle_t *pam
/* User does not want to auto-mount */
syslog(LOG_INFO,
"Skipping automatic eCryptfs mount");
@@ -30,7 +30,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils
setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
execl("/sbin/mount.ecryptfs_private",
"mount.ecryptfs_private", NULL);
-+ _exit(255);
++ syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m");
} else {
if (stat(autofile, &s) != 0) {
/* User does not want to auto-unmount */
@@ -43,10 +43,13 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils
setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
execl("/sbin/umount.ecryptfs_private",
"umount.ecryptfs_private", NULL);
-+ _exit(255);
++ syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m");
}
- return 1;
+- return 1;
++ _exit(255);
} else {
+ waitpid(pid, &rc, 0);
+ goto out;
@@ -482,7 +484,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
goto out_child;
}
diff --git a/ecryptfs-utils-87-nozombies.patch b/ecryptfs-utils-87-nozombies.patch
new file mode 100644
index 0000000..32b0147
--- /dev/null
+++ b/ecryptfs-utils-87-nozombies.patch
@@ -0,0 +1,522 @@
+diff -up ecryptfs-utils-87/src/include/ecryptfs.h.nozombies ecryptfs-utils-87/src/include/ecryptfs.h
+--- ecryptfs-utils-87/src/include/ecryptfs.h.nozombies 2011-03-09 14:30:32.000000000 +0100
++++ ecryptfs-utils-87/src/include/ecryptfs.h 2011-07-21 14:17:33.539120662 +0200
+@@ -588,10 +588,6 @@ int ecryptfs_validate_keyring(void);
+ #define ECRYPTFS_SHM_KEY 0x3c81b7f5
+ #define ECRYPTFS_SEM_KEY 0x3c81b7f6
+ #define ECRYPTFS_SHM_SIZE 4096
+-#define ECRYPTFS_ZOMBIE_SLEEP_SECONDS 300
+-int ecryptfs_set_zombie_session_placeholder(void);
+-int ecryptfs_kill_and_clear_zombie_session_placeholder(void);
+-int ecryptfs_list_zombie_session_placeholders(void);
+ int ecryptfs_build_linear_subgraph_from_nvp(struct transition_node **trans_node,
+ struct ecryptfs_key_mod *key_mod);
+ int ecryptfs_build_linear_subgraph(struct transition_node **trans_node,
+diff -up ecryptfs-utils-87/src/libecryptfs/main.c.nozombies ecryptfs-utils-87/src/libecryptfs/main.c
+--- ecryptfs-utils-87/src/libecryptfs/main.c.nozombies 2011-03-09 14:30:32.000000000 +0100
++++ ecryptfs-utils-87/src/libecryptfs/main.c 2011-07-21 14:19:02.384364121 +0200
+@@ -480,487 +480,6 @@ out:
+ return rc;
+ }
+
+-static int zombie_semaphore_get(void)
+-{
+- int sem_id;
+- struct semid_ds semid_ds;
+- struct sembuf sb;
+- int i;
+- int rc;
+-
+- sem_id = semget(ECRYPTFS_SEM_KEY, 1, (0666 | IPC_EXCL | IPC_CREAT));
+- if (sem_id >= 0) {
+- sb.sem_op = 1;
+- sb.sem_flg = 0;
+- sb.sem_num = 0;
+-
+- rc = semop(sem_id, &sb, 1);
+- if (rc == -1) {
+- semctl(sem_id, 0, IPC_RMID);
+- syslog(LOG_ERR, "Error initializing semaphore\n");
+- rc = -1;
+- goto out;
+- }
+- } else if (errno == EEXIST) {
+- int initialized = 0;
+-
+- sem_id = semget(ECRYPTFS_SEM_KEY, 1, 0);
+- if (sem_id < 0) {
+- syslog(LOG_ERR, "Error getting existing semaphore");
+- rc = -1;
+- goto out;
+- }
+-#define RETRY_LIMIT 3
+- for (i = 0; i < RETRY_LIMIT; i++) {
+- semctl(sem_id, 0, IPC_STAT, &semid_ds);
+- if (semid_ds.sem_otime != 0) {
+- initialized = 1;
+- break;
+- } else
+- sleep(1);
+- }
+- if (!initialized) {
+- syslog(LOG_ERR, "Waited too long for initialized "
+- "semaphore; something's wrong\n");
+- rc = -1;
+- goto out;
+- }
+- } else {
+- syslog(LOG_ERR, "Error attempting to get semaphore\n");
+- rc = -1;
+- goto out;
+- }
+- rc = sem_id;
+-out:
+- return rc;
+-}
+-
+-static void zombie_semaphore_lock(int sem_id)
+-{
+- struct sembuf sb;
+- int i;
+- int rc;
+-
+- sb.sem_num = 0;
+- sb.sem_op = -1;
+- sb.sem_flg = IPC_NOWAIT;
+- for (i = 0; i < RETRY_LIMIT; i++) {
+- rc = semop(sem_id, &sb, 1);
+- if (rc == -1 && errno == EAGAIN) {
+- sleep(1);
+- } else if (rc == -1) {
+- syslog(LOG_ERR, "Error locking semaphore; errno "
+- "string = [%m]\n");
+- goto out;
+- } else
+- goto out;
+- }
+- syslog(LOG_ERR, "Error locking semaphore; hit max retries\n");
+-out:
+- return;
+-}
+-
+-static void zombie_semaphore_unlock(int sem_id)
+-{
+- struct sembuf sb;
+- int rc;
+-
+- sb.sem_num = 0;
+- sb.sem_op = 1;
+- sb.sem_flg = 0;
+- rc = semop(sem_id, &sb, 1);
+- if (rc == -1) {
+- syslog(LOG_ERR, "Error unlocking semaphore\n");
+- goto out;
+- }
+-out:
+- return;
+-}
+-
+-static int get_zombie_shared_mem_locked(int *shm_id, int *sem_id)
+-{
+- int rc;
+-
+- (*sem_id) = zombie_semaphore_get();
+- if ((*sem_id) == -1) {
+- syslog(LOG_ERR, "Error attempting to get zombie semaphore\n");
+- rc = -EIO;
+- goto out;
+- }
+- zombie_semaphore_lock((*sem_id));
+- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, (0666 | IPC_CREAT
+- | IPC_EXCL));
+- if (rc == -1 && errno == EEXIST)
+- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0);
+- else {
+- char *shm_virt;
+-
+- (*shm_id) = rc;
+- shm_virt = shmat((*shm_id), NULL, 0);
+- if (shm_virt == (void *)-1) {
+- syslog(LOG_ERR, "Error attaching to newly allocated "
+- "shared memory; errno string = [%m]\n");
+- rc = -EIO;
+- zombie_semaphore_unlock((*sem_id));
+- goto out;
+- }
+- memset(shm_virt, 0, ECRYPTFS_SHM_SIZE);
+- if ((rc = shmdt(shm_virt))) {
+- rc = -EIO;
+- zombie_semaphore_unlock((*sem_id));
+- goto out;
+- }
+- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0);
+- }
+- if (rc == -1) {
+- syslog(LOG_ERR, "Error attempting to get identifier for "
+- "shared memory with key [0x%.8x]\n", ECRYPTFS_SHM_KEY);
+- rc = -EIO;
+- zombie_semaphore_unlock((*sem_id));
+- goto out;
+- }
+- (*shm_id) = rc;
+- rc = 0;
+-out:
+- return rc;
+-}
+-
+-static int list_pid_sid_pairs(int shm_id)
+-{
+- pid_t sid_tmp;
+- pid_t pid_tmp;
+- char *shm_virt;
+- int i;
+- int rc;
+-
+- if (sizeof(pid_t) != sizeof(uint32_t)) {
+- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code "
+- "needs some tweaking to work on this architecture\n");
+- rc = -EINVAL;
+- goto out;
+- }
+- shm_virt = shmat(shm_id, NULL, 0);
+- if (shm_virt == (void *)-1) {
+- rc = -EIO;
+- goto out;
+- }
+- i = 0;
+- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- sid_tmp = ntohl(sid_tmp); /* uint32_t */
+- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- pid_tmp = ntohl(pid_tmp); /* uint32_t */
+- while (!(sid_tmp == 0 && pid_tmp == 0)) {
+- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE)
+- break;
+- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- sid_tmp = ntohl(sid_tmp); /* uint32_t */
+- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- pid_tmp = ntohl(pid_tmp); /* uint32_t */
+- }
+- if ((rc = shmdt(shm_virt)))
+- rc = -EIO;
+-out:
+- return rc;
+-}
+-
+-static int find_pid_for_this_sid(pid_t *pid, int shm_id)
+-{
+- pid_t sid_tmp;
+- pid_t sid;
+- pid_t pid_tmp;
+- pid_t this_pid;
+- char *shm_virt;
+- int i;
+- int rc;
+-
+- (*pid) = 0;
+- if (sizeof(pid_t) != sizeof(uint32_t)) {
+- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code "
+- "needs some tweaking to work on this architecture\n");
+- rc = -EINVAL;
+- goto out;
+- }
+- shm_virt = shmat(shm_id, NULL, 0);
+- if (shm_virt == (void *)-1) {
+- rc = -EIO;
+- goto out;
+- }
+- i = 0;
+- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- sid_tmp = ntohl(sid_tmp); /* uint32_t */
+- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- pid_tmp = ntohl(pid_tmp); /* uint32_t */
+- this_pid = getpid();
+- sid = getsid(this_pid);
+- while (!(sid_tmp == 0 && pid_tmp == 0)) {
+- if (sid_tmp == sid) {
+- (*pid) = pid_tmp;
+- goto end_search;
+- }
+- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE)
+- break;
+- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- sid_tmp = ntohl(sid_tmp); /* uint32_t */
+- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- pid_tmp = ntohl(pid_tmp); /* uint32_t */
+- }
+-end_search:
+- if ((rc = shmdt(shm_virt))) {
+- rc = -EIO;
+- (*pid) = 0;
+- }
+-out:
+- return rc;
+-}
+-
+-static int remove_pid_for_this_sid(int shm_id)
+-{
+- pid_t sid_tmp;
+- pid_t sid;
+- pid_t pid_tmp;
+- pid_t pid;
+- pid_t this_pid;
+- char *shm_virt;
+- int i;
+- int rc;
+-
+- pid = 0;
+- if (sizeof(pid_t) != sizeof(uint32_t)) {
+- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code "
+- "needs some tweaking to work on this architecture\n");
+- rc = -EINVAL;
+- goto out;
+- }
+- shm_virt = shmat(shm_id, NULL, 0);
+- if (shm_virt == (void *)-1) {
+- rc = -EIO;
+- goto out;
+- }
+- i = 0;
+- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- sid_tmp = ntohl(sid_tmp); /* uint32_t */
+- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- pid_tmp = ntohl(pid_tmp); /* uint32_t */
+- this_pid = getpid();
+- sid = getsid(this_pid);
+- while (!(sid_tmp == 0 && pid_tmp == 0)) {
+- if (sid_tmp == sid) {
+- pid = pid_tmp;
+- break;
+- }
+- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE)
+- break;
+- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- sid_tmp = ntohl(sid_tmp); /* uint32_t */
+- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- pid_tmp = ntohl(pid_tmp); /* uint32_t */
+- }
+- if (pid != 0) {
+- char *tmp;
+- int remainder = (ECRYPTFS_SHM_SIZE - i);
+-
+- if (remainder != 0) {
+- if ((tmp = malloc(remainder)) == NULL) {
+- rc = -ENOMEM;
+- shmdt(shm_virt);
+- goto out;
+- }
+- memcpy(tmp, &shm_virt[i], remainder);
+- i -= (2 * sizeof(pid_t));
+- memcpy(&shm_virt[i], tmp, remainder);
+- i += remainder;
+- } else
+- i -= (2 * sizeof(pid_t));
+- memset(&shm_virt[i], 0, (2 * sizeof(pid_t)));
+- if (remainder != 0)
+- free(tmp);
+- }
+- if ((rc = shmdt(shm_virt)))
+- rc = -EIO;
+-out:
+- return rc;
+-}
+-
+-static int add_sid_pid_pair_to_shm(int shm_id)
+-{
+- pid_t sid_tmp;
+- pid_t sid;
+- pid_t pid_tmp;
+- pid_t pid;
+- char *shm_virt;
+- int i;
+- int rc;
+-
+- if (sizeof(pid_t) != sizeof(uint32_t)) {
+- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code "
+- "needs some tweaking to work on this architecture\n");
+- rc = -EINVAL;
+- goto out;
+- }
+- shm_virt = shmat(shm_id, NULL, 0);
+- if (shm_virt == (void *)-1) {
+- syslog(LOG_ERR, "Error attaching to shared memory; error "
+- "string = [%m]\n");
+- shm_virt = shmat(shm_id, NULL, 0);
+- if (shm_virt == (void *)-1) {
+- syslog(LOG_ERR, "Error attaching to shared memory; error "
+- "string = [%m]\n");
+- rc = -EIO;
+- goto out;
+- }
+- rc = -EIO;
+- goto out;
+- }
+- i = 0;
+- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- sid_tmp = ntohl(sid_tmp); /* uint32_t */
+- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- pid_tmp = ntohl(pid_tmp); /* uint32_t */
+- while (!(sid_tmp == 0 && pid_tmp == 0)) {
+- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) {
+- syslog(LOG_ERR,
+- "No space left in shared memory region\n");
+- rc = -ENOMEM;
+- shmdt(shm_virt);
+- goto out;
+- }
+- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- sid_tmp = ntohl(sid_tmp); /* uint32_t */
+- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+- i += sizeof(pid_t);
+- pid_tmp = ntohl(pid_tmp); /* uint32_t */
+- }
+- pid = getpid();
+- sid = getsid(pid);
+- sid = htonl(sid);
+- pid = htonl(pid);
+- i -= (2 * sizeof(pid_t));
+- memcpy(&shm_virt[i], &sid, sizeof(pid_t));
+- i += sizeof(pid_t);
+- memcpy(&shm_virt[i], &pid, sizeof(pid_t));
+- i += sizeof(pid_t);
+- if ((i + (2 * sizeof(pid_t))) <= ECRYPTFS_SHM_SIZE)
+- memset(&shm_virt[i], 0, (i + (2 * sizeof(pid_t))));
+- if ((rc = shmdt(shm_virt))) {
+- syslog(LOG_ERR, "Error detaching from shared memory\n");
+- rc = -EIO;
+- }
+-out:
+- return rc;
+-}
+-
+-int ecryptfs_set_zombie_session_placeholder(void)
+-{
+- int shm_id;
+- int sem_id;
+- int rc = 0;
+-
+- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) {
+- syslog(LOG_ERR,
+- "Error getting shared memory segment\n");
+- goto out;
+- }
+- if ((rc = add_sid_pid_pair_to_shm(shm_id))) {
+- syslog(LOG_ERR, "Error adding sid/pid pair to shared memory "
+- "segment; rc = [%d]\n", rc);
+- zombie_semaphore_unlock(sem_id);
+- goto out;
+- }
+- zombie_semaphore_unlock(sem_id);
+- sleep(ECRYPTFS_ZOMBIE_SLEEP_SECONDS);
+- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) {
+- syslog(LOG_ERR,
+- "Error getting shared memory segment\n");
+- goto out;
+- }
+- if ((rc = remove_pid_for_this_sid(shm_id))) {
+- syslog(LOG_ERR, "Error attempting to remove pid/sid "
+- "pair from shared memory segment; rc = [%d]\n",
+- rc);
+- zombie_semaphore_unlock(sem_id);
+- goto out;
+- }
+- zombie_semaphore_unlock(sem_id);
+- exit(1);
+-out:
+- return rc;
+-}
+-
+-int ecryptfs_kill_and_clear_zombie_session_placeholder(void)
+-{
+- int shm_id;
+- int sem_id;
+- int pid;
+- int rc = 0;
+-
+- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) {
+- syslog(LOG_ERR, "Error getting shared memory segment\n");
+- goto out;
+- }
+- if ((rc = find_pid_for_this_sid(&pid, shm_id))) {
+- syslog(LOG_ERR, "Error finding pid for sid in shared memory "
+- "segment; rc = [%d]\n", rc);
+- zombie_semaphore_unlock(sem_id);
+- goto out;
+- }
+- if (pid == 0) {
+- syslog(LOG_WARNING, "No valid pid found for this sid\n");
+- } else {
+- if ((rc = kill(pid, SIGKILL))) {
+- syslog(LOG_ERR, "Error attempting to kill process "
+- "[%d]; rc = [%d]; errno string = [%m]\n", pid,
+- rc);
+- }
+- if ((rc = remove_pid_for_this_sid(shm_id))) {
+- syslog(LOG_ERR, "Error attempting to remove pid/sid "
+- "pair from shared memory segment; rc = [%d]\n",
+- rc);
+- zombie_semaphore_unlock(sem_id);
+- goto out;
+- }
+- }
+- zombie_semaphore_unlock(sem_id);
+-out:
+- return rc;
+-}
+-
+-int ecryptfs_list_zombie_session_placeholders(void)
+-{
+- int shm_id;
+- int sem_id;
+- int rc = 0;
+-
+- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) {
+- syslog(LOG_ERR,
+- "Error getting shared memory segment\n");
+- goto out;
+- }
+- if ((rc = list_pid_sid_pairs(shm_id))) {
+- syslog(LOG_ERR, "Error listing sid/pid pairs in shared memory "
+- "segment; rc = [%d]\n", rc);
+- zombie_semaphore_unlock(sem_id);
+- goto out;
+- }
+- zombie_semaphore_unlock(sem_id);
+-out:
+- return rc;
+-}
+-
+ static struct ecryptfs_ctx_ops ctx_ops;
+
+ struct ecryptfs_ctx_ops *cryptfs_get_ctx_opts (void)
+diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.nozombies ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.nozombies 2011-07-21 14:17:33.525120467 +0200
++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-07-21 14:17:33.541120690 +0200
+@@ -208,13 +208,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ "user session keyring; rc = [%ld]\n", rc);
+ goto out_child;
+ }
+- if (fork() == 0) {
+- if ((rc = ecryptfs_set_zombie_session_placeholder())) {
+- syslog(LOG_ERR, "Error attempting to create "
+- "and register zombie process; "
+- "rc = [%ld]\n", rc);
+- }
+- }
+ out_child:
+ free(auth_tok_sig);
+ _exit(0);
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 8adba50..ff2c7e9 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -5,7 +5,7 @@
Name: ecryptfs-utils
Version: 87
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: The eCryptfs mount helper and support libraries
Group: System Environment/Base
License: GPLv2+
@@ -47,8 +47,14 @@ Patch12: ecryptfs-utils-87-memcpyfix.patch
# allow building with -Werror
Patch999: ecryptfs-utils-75-werror.patch
-# rhbz#722445
-Patch13: ecryptfs-utils-87-fixgid.patch
+# using return after fork() in pam module has some nasty side effects, rhbz#722445
+Patch13: ecryptfs-utils-87-fixpamfork.patch
+
+# we need gid==ecryptfs in pam module before mount.ecryptfs_private execution
+Patch14: ecryptfs-utils-87-fixexecgid.patch
+
+# do not use zombie process, it causes lock ups at least for ssh login
+Patch15: ecryptfs-utils-87-nozombies.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
Requires: keyutils, cryptsetup-luks, util-linux-ng, gettext
@@ -98,7 +104,9 @@ the interface supplied by the ecryptfs-utils library.
%patch11 -p1 -b .authconfig
%patch12 -p1 -b .memcpyfix
%patch999 -p1 -b .werror
-%patch13 -p1 -b .fixgid
+%patch13 -p1 -b .fixpamfork
+%patch14 -p1 -b .fixexecgid
+%patch15 -p1 -b .nozombies
%build
export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits"
More information about the scm-commits
mailing list