[ecryptfs-utils] fix pam module to set ecryptfs gid before mount helper execution do not use zombie process, it cause

Thu Jul 21 15:14:36 UTC 2011

commit be2a3c9c1ff3526d45ac38d160f299344c2e502d
Author: Michal Hlavinka <mhlavink at redhat.com>
Date:   Thu Jul 21 17:14:24 2011 +0200

    fix pam module to set ecryptfs gid before mount helper execution
    do not use zombie process, it causes lock ups in ssh

 ecryptfs-utils-87-fixexecgid.patch                 |   35 ++
 ...gid.patch => ecryptfs-utils-87-fixpamfork.patch |   15 +-
 ecryptfs-utils-87-nozombies.patch                  |  522 ++++++++++++++++++++
 ecryptfs-utils.spec                                |   20 +-
 4 files changed, 582 insertions(+), 10 deletions(-)
---

diff --git a/ecryptfs-utils-87-fixexecgid.patch b/ecryptfs-utils-87-fixexecgid.patch
new file mode 100644
index 0000000..2da6c24
--- /dev/null
+++ b/ecryptfs-utils-87-fixexecgid.patch
@@ -0,0 +1,35 @@
+diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid	2011-07-21 14:20:31.773602653 +0200
++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c	2011-07-21 14:21:12.302160125 +0200
+@@ -33,6 +33,7 @@
+ #include <errno.h>
+ #include <syslog.h>
+ #include <pwd.h>
++#include <grp.h>
+ #include <sys/types.h>
+ #include <sys/wait.h>
+ #include <sys/types.h>
+@@ -303,6 +304,23 @@ static int private_dir(pam_handle_t *pam
+ 		return 1;
+ 	}
+ 	if (pid == 0) {
++		/* explicitely change group to ecryptfs if user is member of that group, changing uid is not enough */
++		errno=0;
++		struct group *efsg = getgrnam("ecryptfs");
++		if (efsg==NULL && errno) syslog(LOG_ERR, "unable to list members of ecryptfs group : %m");
++		else
++		{
++			while (*efsg->gr_mem)
++			{
++				if (!strcmp(*efsg->gr_mem, pwd->pw_name))
++				{
++					if (setgid(efsg->gr_gid)<0) syslog(LOG_ERR, "Unable to change group to ecryptfs : %m");
++					break;
++				}
++				efsg->gr_mem++;
++			}
++		}
++
+ 		if (mount == 1) {
+ 		        if ((asprintf(&recorded,
+ 			    "%s/.ecryptfs/.wrapped-passphrase.recorded",
diff --git a/ecryptfs-utils-87-fixgid.patch b/ecryptfs-utils-87-fixpamfork.patch
similarity index 81%
rename from ecryptfs-utils-87-fixgid.patch
rename to ecryptfs-utils-87-fixpamfork.patch
index 5b8e39e..fe1d85d 100644
--- a/ecryptfs-utils-87-fixgid.patch
+++ b/ecryptfs-utils-87-fixpamfork.patch
@@ -1,6 +1,6 @@
 diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid	2011-07-19 15:58:45.337539138 +0200
-+++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c	2011-07-19 16:02:09.542029724 +0200
+--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid	2011-07-21 13:35:47.968581526 +0200
++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c	2011-07-21 13:37:08.411188936 +0200
 @@ -217,7 +217,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  		}
  out_child:
@@ -19,7 +19,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils
  			}
  			if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) {
  				/* User has not recorded their passphrase */
-@@ -322,23 +322,25 @@ static int private_dir(pam_handle_t *pam
+@@ -322,25 +322,27 @@ static int private_dir(pam_handle_t *pam
  				/* User does not want to auto-mount */
  				syslog(LOG_INFO,
  					"Skipping automatic eCryptfs mount");
@@ -30,7 +30,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils
  			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
  			execl("/sbin/mount.ecryptfs_private",
  			      "mount.ecryptfs_private", NULL);
-+			_exit(255);
++			syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m");
  		} else {
  			if (stat(autofile, &s) != 0) {
  				/* User does not want to auto-unmount */
@@ -43,10 +43,13 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils
  			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
  			execl("/sbin/umount.ecryptfs_private",
   			      "umount.ecryptfs_private", NULL);
-+			_exit(255);
++			syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m");
  		}
- 		return 1;
+-		return 1;
++		_exit(255);
  	} else {
+ 		waitpid(pid, &rc, 0);
+ 		goto out;
 @@ -482,7 +484,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  			goto out_child;
  		}
diff --git a/ecryptfs-utils-87-nozombies.patch b/ecryptfs-utils-87-nozombies.patch
new file mode 100644
index 0000000..32b0147
--- /dev/null
+++ b/ecryptfs-utils-87-nozombies.patch
@@ -0,0 +1,522 @@
+diff -up ecryptfs-utils-87/src/include/ecryptfs.h.nozombies ecryptfs-utils-87/src/include/ecryptfs.h
+--- ecryptfs-utils-87/src/include/ecryptfs.h.nozombies	2011-03-09 14:30:32.000000000 +0100
++++ ecryptfs-utils-87/src/include/ecryptfs.h	2011-07-21 14:17:33.539120662 +0200
+@@ -588,10 +588,6 @@ int ecryptfs_validate_keyring(void);
+ #define ECRYPTFS_SHM_KEY 0x3c81b7f5
+ #define ECRYPTFS_SEM_KEY 0x3c81b7f6
+ #define ECRYPTFS_SHM_SIZE 4096
+-#define ECRYPTFS_ZOMBIE_SLEEP_SECONDS 300
+-int ecryptfs_set_zombie_session_placeholder(void);
+-int ecryptfs_kill_and_clear_zombie_session_placeholder(void);
+-int ecryptfs_list_zombie_session_placeholders(void);
+ int ecryptfs_build_linear_subgraph_from_nvp(struct transition_node **trans_node,
+ 					    struct ecryptfs_key_mod *key_mod);
+ int ecryptfs_build_linear_subgraph(struct transition_node **trans_node,
+diff -up ecryptfs-utils-87/src/libecryptfs/main.c.nozombies ecryptfs-utils-87/src/libecryptfs/main.c
+--- ecryptfs-utils-87/src/libecryptfs/main.c.nozombies	2011-03-09 14:30:32.000000000 +0100
++++ ecryptfs-utils-87/src/libecryptfs/main.c	2011-07-21 14:19:02.384364121 +0200
+@@ -480,487 +480,6 @@ out:
+ 	return rc;
+ }
+ 
+-static int zombie_semaphore_get(void)
+-{
+-	int sem_id;
+-	struct semid_ds semid_ds;
+-	struct sembuf sb;
+-	int i;
+-	int rc;
+-
+-	sem_id = semget(ECRYPTFS_SEM_KEY, 1, (0666 | IPC_EXCL | IPC_CREAT));
+-	if (sem_id >= 0) {
+-		sb.sem_op = 1;
+-		sb.sem_flg = 0;
+-		sb.sem_num = 0;
+-
+-		rc = semop(sem_id, &sb, 1);
+-		if (rc == -1) {
+-			semctl(sem_id, 0, IPC_RMID);
+-			syslog(LOG_ERR, "Error initializing semaphore\n");
+-			rc = -1;
+-			goto out;
+-		}
+-	} else if (errno == EEXIST) {
+-		int initialized = 0;
+-
+-		sem_id = semget(ECRYPTFS_SEM_KEY, 1, 0);
+-		if (sem_id < 0) {
+-			syslog(LOG_ERR, "Error getting existing semaphore");
+-			rc = -1;
+-			goto out;
+-		}
+-#define RETRY_LIMIT 3
+-		for (i = 0; i < RETRY_LIMIT; i++) {
+-			semctl(sem_id, 0, IPC_STAT, &semid_ds);
+-			if (semid_ds.sem_otime != 0) {
+-				initialized = 1;
+-				break;
+-			} else
+-				sleep(1);
+-		}
+-		if (!initialized) {
+-			syslog(LOG_ERR, "Waited too long for initialized "
+-			       "semaphore; something's wrong\n");
+-			rc = -1;
+-			goto out;
+-		}
+-	} else {
+-		syslog(LOG_ERR, "Error attempting to get semaphore\n");
+-		rc = -1;
+-		goto out;
+-	}
+-	rc = sem_id;
+-out:
+-	return rc;
+-}
+-
+-static void zombie_semaphore_lock(int sem_id)
+-{
+-	struct sembuf sb;
+-	int i;
+-	int rc;
+-
+-	sb.sem_num = 0;
+-	sb.sem_op = -1;
+-	sb.sem_flg = IPC_NOWAIT;
+-	for (i = 0; i < RETRY_LIMIT; i++) {
+-		rc = semop(sem_id, &sb, 1);
+-		if (rc == -1 && errno == EAGAIN) {
+-			sleep(1);
+-		} else if (rc == -1) {
+-			syslog(LOG_ERR, "Error locking semaphore; errno "
+-			       "string = [%m]\n");
+-			goto out;
+-		} else
+-			goto out;
+-	}
+-	syslog(LOG_ERR, "Error locking semaphore; hit max retries\n");
+-out:
+-	return;
+-}
+-
+-static void zombie_semaphore_unlock(int sem_id)
+-{
+-	struct sembuf sb;
+-	int rc;
+-
+-	sb.sem_num = 0;
+-	sb.sem_op = 1;
+-	sb.sem_flg = 0;
+-	rc = semop(sem_id, &sb, 1);
+-	if (rc == -1) {
+-		syslog(LOG_ERR, "Error unlocking semaphore\n");
+-		goto out;
+-	}
+-out:
+-	return;
+-}
+-
+-static int get_zombie_shared_mem_locked(int *shm_id, int *sem_id)
+-{
+-	int rc;
+-	
+-	(*sem_id) = zombie_semaphore_get();
+-	if ((*sem_id) == -1) {
+-		syslog(LOG_ERR, "Error attempting to get zombie semaphore\n");
+-		rc = -EIO;
+-		goto out;
+-	}
+-	zombie_semaphore_lock((*sem_id));
+-	rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, (0666 | IPC_CREAT
+-							  | IPC_EXCL));
+-	if (rc == -1 && errno == EEXIST)
+-		rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0);
+-	else {
+-		char *shm_virt;
+-
+-		(*shm_id) = rc;
+-		shm_virt = shmat((*shm_id), NULL, 0);
+-		if (shm_virt == (void *)-1) {
+-			syslog(LOG_ERR, "Error attaching to newly allocated "
+-			       "shared memory; errno string = [%m]\n");
+-			rc = -EIO;
+-			zombie_semaphore_unlock((*sem_id));
+-			goto out;
+-		}
+-		memset(shm_virt, 0, ECRYPTFS_SHM_SIZE);
+-		if ((rc = shmdt(shm_virt))) {
+-			rc = -EIO;
+-			zombie_semaphore_unlock((*sem_id));
+-			goto out;
+-		}
+-		rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0);
+-	}
+-	if (rc == -1) {
+-		syslog(LOG_ERR, "Error attempting to get identifier for "
+-		       "shared memory with key [0x%.8x]\n", ECRYPTFS_SHM_KEY);
+-		rc = -EIO;
+-		zombie_semaphore_unlock((*sem_id));
+-		goto out;
+-	}
+-	(*shm_id) = rc;
+-	rc = 0;
+-out:
+-	return rc;
+-}
+-
+-static int list_pid_sid_pairs(int shm_id)
+-{
+-	pid_t sid_tmp;
+-	pid_t pid_tmp;
+-	char *shm_virt;
+-	int i;
+-	int rc;
+-
+-	if (sizeof(pid_t) != sizeof(uint32_t)) {
+-		syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code "
+-		       "needs some tweaking to work on this architecture\n");
+-		rc = -EINVAL;
+-		goto out;
+-	}
+-	shm_virt = shmat(shm_id, NULL, 0);
+-	if (shm_virt == (void *)-1) {
+-		rc = -EIO;
+-		goto out;
+-	}
+-	i = 0;
+-	memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	sid_tmp = ntohl(sid_tmp); /* uint32_t */
+-	memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	pid_tmp = ntohl(pid_tmp); /* uint32_t */
+-	while (!(sid_tmp == 0 && pid_tmp == 0)) {
+-		if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE)
+-			break;
+-		memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+-		i += sizeof(pid_t);
+-		sid_tmp = ntohl(sid_tmp); /* uint32_t */
+-		memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+-		i += sizeof(pid_t);
+-		pid_tmp = ntohl(pid_tmp); /* uint32_t */
+-	}
+-	if ((rc = shmdt(shm_virt)))
+-		rc = -EIO;
+-out:
+-	return rc;
+-}
+-
+-static int find_pid_for_this_sid(pid_t *pid, int shm_id)
+-{
+-	pid_t sid_tmp;
+-	pid_t sid;
+-	pid_t pid_tmp;
+-	pid_t this_pid;
+-	char *shm_virt;
+-	int i;
+-	int rc;
+-
+-	(*pid) = 0;
+-	if (sizeof(pid_t) != sizeof(uint32_t)) {
+-		syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code "
+-		       "needs some tweaking to work on this architecture\n");
+-		rc = -EINVAL;
+-		goto out;
+-	}
+-	shm_virt = shmat(shm_id, NULL, 0);
+-	if (shm_virt == (void *)-1) {
+-		rc = -EIO;
+-		goto out;
+-	}
+-	i = 0;
+-	memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	sid_tmp = ntohl(sid_tmp); /* uint32_t */
+-	memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	pid_tmp = ntohl(pid_tmp); /* uint32_t */
+-	this_pid = getpid();
+-	sid = getsid(this_pid);
+-	while (!(sid_tmp == 0 && pid_tmp == 0)) {
+-		if (sid_tmp == sid) {
+-			(*pid) = pid_tmp;
+-			goto end_search;
+-		}
+-		if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE)
+-			break;
+-		memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+-		i += sizeof(pid_t);
+-		sid_tmp = ntohl(sid_tmp); /* uint32_t */
+-		memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+-		i += sizeof(pid_t);
+-		pid_tmp = ntohl(pid_tmp); /* uint32_t */
+-	}
+-end_search:
+-	if ((rc = shmdt(shm_virt))) {
+-		rc = -EIO;
+-		(*pid) = 0;
+-	}
+-out:
+-	return rc;
+-}
+-
+-static int remove_pid_for_this_sid(int shm_id)
+-{
+-	pid_t sid_tmp;
+-	pid_t sid;
+-	pid_t pid_tmp;
+-	pid_t pid;
+-	pid_t this_pid;
+-	char *shm_virt;
+-	int i;
+-	int rc;
+-
+-	pid = 0;
+-	if (sizeof(pid_t) != sizeof(uint32_t)) {
+-		syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code "
+-		       "needs some tweaking to work on this architecture\n");
+-		rc = -EINVAL;
+-		goto out;
+-	}
+-	shm_virt = shmat(shm_id, NULL, 0);
+-	if (shm_virt == (void *)-1) {
+-		rc = -EIO;
+-		goto out;
+-	}
+-	i = 0;
+-	memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	sid_tmp = ntohl(sid_tmp); /* uint32_t */
+-	memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	pid_tmp = ntohl(pid_tmp); /* uint32_t */
+-	this_pid = getpid();
+-	sid = getsid(this_pid);
+-	while (!(sid_tmp == 0 && pid_tmp == 0)) {
+-		if (sid_tmp == sid) {
+-			pid = pid_tmp;
+-			break;
+-		}
+-		if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE)
+-			break;
+-		memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+-		i += sizeof(pid_t);
+-		sid_tmp = ntohl(sid_tmp); /* uint32_t */
+-		memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+-		i += sizeof(pid_t);
+-		pid_tmp = ntohl(pid_tmp); /* uint32_t */
+-	}
+-	if (pid != 0) {
+-		char *tmp;
+-		int remainder = (ECRYPTFS_SHM_SIZE - i);
+-
+-		if (remainder != 0) {
+-			if ((tmp = malloc(remainder)) == NULL) {
+-				rc = -ENOMEM;
+-				shmdt(shm_virt);
+-				goto out;
+-			}
+-			memcpy(tmp, &shm_virt[i], remainder);
+-			i -= (2 * sizeof(pid_t));
+-			memcpy(&shm_virt[i], tmp, remainder);
+-			i += remainder;
+-		} else
+-			i -= (2 * sizeof(pid_t));
+-		memset(&shm_virt[i], 0, (2 * sizeof(pid_t)));
+-		if (remainder != 0)
+-			free(tmp);
+-	}
+-	if ((rc = shmdt(shm_virt)))
+-		rc = -EIO;
+-out:
+-	return rc;
+-}
+-
+-static int add_sid_pid_pair_to_shm(int shm_id)
+-{
+-	pid_t sid_tmp;
+-	pid_t sid;
+-	pid_t pid_tmp;
+-	pid_t pid;
+-	char *shm_virt;
+-	int i;
+-	int rc;
+-
+-	if (sizeof(pid_t) != sizeof(uint32_t)) {
+-		syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code "
+-		       "needs some tweaking to work on this architecture\n");
+-		rc = -EINVAL;
+-		goto out;
+-	}
+-	shm_virt = shmat(shm_id, NULL, 0);
+-	if (shm_virt == (void *)-1) {
+-		syslog(LOG_ERR, "Error attaching to shared memory; error "
+-		       "string = [%m]\n");
+-		shm_virt = shmat(shm_id, NULL, 0);
+-		if (shm_virt == (void *)-1) {
+-			syslog(LOG_ERR, "Error attaching to shared memory; error "
+-			       "string = [%m]\n");
+-			rc = -EIO;
+-			goto out;
+-		}
+-		rc = -EIO;
+-		goto out;
+-	}
+-	i = 0;
+-	memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	sid_tmp = ntohl(sid_tmp); /* uint32_t */
+-	memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	pid_tmp = ntohl(pid_tmp); /* uint32_t */
+-	while (!(sid_tmp == 0 && pid_tmp == 0)) {
+-		if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) {
+-			syslog(LOG_ERR,
+-			       "No space left in shared memory region\n");
+-			rc = -ENOMEM;
+-			shmdt(shm_virt);
+-			goto out;
+-		}
+-		memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t));
+-		i += sizeof(pid_t);
+-		sid_tmp = ntohl(sid_tmp); /* uint32_t */
+-		memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t));
+-		i += sizeof(pid_t);
+-		pid_tmp = ntohl(pid_tmp); /* uint32_t */
+-	}
+-	pid = getpid();
+-	sid = getsid(pid);
+-	sid = htonl(sid);
+-	pid = htonl(pid);
+-	i -= (2 * sizeof(pid_t));
+-	memcpy(&shm_virt[i], &sid, sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	memcpy(&shm_virt[i], &pid, sizeof(pid_t));
+-	i += sizeof(pid_t);
+-	if ((i + (2 * sizeof(pid_t))) <= ECRYPTFS_SHM_SIZE)
+-		memset(&shm_virt[i], 0, (i + (2 * sizeof(pid_t))));
+-	if ((rc = shmdt(shm_virt))) {
+-		syslog(LOG_ERR, "Error detaching from shared memory\n");
+-		rc = -EIO;
+-	}
+-out:
+-	return rc;
+-}
+-
+-int ecryptfs_set_zombie_session_placeholder(void)
+-{
+-	int shm_id;
+-	int sem_id;
+-	int rc = 0;
+-
+-	if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) {
+-		syslog(LOG_ERR,
+-		       "Error getting shared memory segment\n");
+-		goto out;
+-	}
+-	if ((rc = add_sid_pid_pair_to_shm(shm_id))) {
+-		syslog(LOG_ERR, "Error adding sid/pid pair to shared memory "
+-		       "segment; rc = [%d]\n", rc);
+-		zombie_semaphore_unlock(sem_id);
+-		goto out;
+-	}
+-	zombie_semaphore_unlock(sem_id);
+-	sleep(ECRYPTFS_ZOMBIE_SLEEP_SECONDS);
+-	if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) {
+-		syslog(LOG_ERR,
+-		       "Error getting shared memory segment\n");
+-		goto out;
+-	}
+-	if ((rc = remove_pid_for_this_sid(shm_id))) {
+-		syslog(LOG_ERR, "Error attempting to remove pid/sid "
+-		       "pair from shared memory segment; rc = [%d]\n",
+-		       rc);
+-		zombie_semaphore_unlock(sem_id);
+-		goto out;
+-	}
+-	zombie_semaphore_unlock(sem_id);
+-	exit(1);
+-out:
+-	return rc;
+-}
+-
+-int ecryptfs_kill_and_clear_zombie_session_placeholder(void)
+-{
+-	int shm_id;
+-	int sem_id;
+-	int pid;
+-	int rc = 0;
+-
+-	if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) {
+-		syslog(LOG_ERR, "Error getting shared memory segment\n");
+-		goto out;
+-	}
+-	if ((rc = find_pid_for_this_sid(&pid, shm_id))) {
+-		syslog(LOG_ERR, "Error finding pid for sid in shared memory "
+-		       "segment; rc = [%d]\n", rc);
+-		zombie_semaphore_unlock(sem_id);
+-		goto out;
+-	}
+-	if (pid == 0) {
+-		syslog(LOG_WARNING, "No valid pid found for this sid\n");
+-	} else {
+-		if ((rc = kill(pid, SIGKILL))) {
+-			syslog(LOG_ERR, "Error attempting to kill process "
+-			       "[%d]; rc = [%d]; errno string = [%m]\n", pid,
+-			       rc);
+-		}
+-		if ((rc = remove_pid_for_this_sid(shm_id))) {
+-			syslog(LOG_ERR, "Error attempting to remove pid/sid "
+-			       "pair from shared memory segment; rc = [%d]\n",
+-			       rc);
+-			zombie_semaphore_unlock(sem_id);
+-			goto out;
+-		}
+-	}
+-	zombie_semaphore_unlock(sem_id);
+-out:
+-	return rc;
+-}
+-
+-int ecryptfs_list_zombie_session_placeholders(void)
+-{
+-	int shm_id;
+-	int sem_id;
+-	int rc = 0;
+-
+-	if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) {
+-		syslog(LOG_ERR,
+-		       "Error getting shared memory segment\n");
+-		goto out;
+-	}
+-	if ((rc = list_pid_sid_pairs(shm_id))) {
+-		syslog(LOG_ERR, "Error listing sid/pid pairs in shared memory "
+-		       "segment; rc = [%d]\n", rc);
+-		zombie_semaphore_unlock(sem_id);
+-		goto out;
+-	}
+-	zombie_semaphore_unlock(sem_id);
+-out:
+-	return rc;
+-}
+-
+ static struct ecryptfs_ctx_ops ctx_ops;
+ 
+ struct ecryptfs_ctx_ops *cryptfs_get_ctx_opts (void)
+diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.nozombies ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.nozombies	2011-07-21 14:17:33.525120467 +0200
++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c	2011-07-21 14:17:33.541120690 +0200
+@@ -208,13 +208,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 			       "user session keyring; rc = [%ld]\n", rc);
+ 			goto out_child;
+ 		}
+-		if (fork() == 0) {
+-			if ((rc = ecryptfs_set_zombie_session_placeholder())) {
+-				syslog(LOG_ERR, "Error attempting to create "
+-						"and register zombie process; "
+-						"rc = [%ld]\n", rc);
+-			}
+-		}
+ out_child:
+ 		free(auth_tok_sig);
+ 		_exit(0);
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index 2ef3d5e..91a55bf 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -5,7 +5,7 @@
 
 Name: ecryptfs-utils
 Version: 87
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: The eCryptfs mount helper and support libraries
 Group: System Environment/Base
 License: GPLv2+
@@ -47,8 +47,14 @@ Patch12: ecryptfs-utils-87-memcpyfix.patch
 # allow building with -Werror
 Patch999: ecryptfs-utils-75-werror.patch
 
-# rhbz#722445
-Patch13: ecryptfs-utils-87-fixgid.patch
+# using return after fork() in pam module has some nasty side effects, rhbz#722445
+Patch13: ecryptfs-utils-87-fixpamfork.patch
+
+# we need gid==ecryptfs in pam module before mount.ecryptfs_private execution
+Patch14: ecryptfs-utils-87-fixexecgid.patch
+
+# do not use zombie process, it causes lock ups at least for ssh login
+Patch15: ecryptfs-utils-87-nozombies.patch
 
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires: keyutils, cryptsetup-luks, util-linux-ng, gettext
@@ -98,7 +104,9 @@ the interface supplied by the ecryptfs-utils library.
 %patch11 -p1 -b .authconfig
 %patch12 -p1 -b .memcpyfix
 %patch999 -p1 -b .werror
-%patch13 -p1 -b .fixgid
+%patch13 -p1 -b .fixpamfork
+%patch14 -p1 -b .fixexecgid
+%patch15 -p1 -b .nozombies
 
 %build
 export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits"
@@ -226,6 +234,10 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/ecryptfs-utils/_libecryptfs.so
 
 %changelog
+* Thu Jul 21 2011 Michal Hlavinka <mhlavink at redhat.com> - 87-7
+- fix pam module to set ecryptfs gid before mount helper execution
+- do not use zombie process, it causes lock ups in ssh
+
 * Tue Jul 19 2011 Michal Hlavinka <mhlavink at redhat.com> - 87-6
 - do not use memcpy for overlaping areas
 - fix broken pam module resulting in session with wrong gid
