[ecryptfs-utils/f17] ecryptfs-utils updated to 99

Michal Hlavinka mhlavink at fedoraproject.org
Tue Jul 24 13:55:08 UTC 2012


commit ab10c901681f82c57ef62c85f8695bc372b119a1
Author: Michal Hlavinka <mhlavink at redhat.com>
Date:   Tue Jul 24 15:54:57 2012 +0200

    ecryptfs-utils updated to 99
    
    - fixes: suid helper does not restrict mounting filesystems with
      nosuid, nodev leading to possible privilege escalation (CVE-2012-3409)

 .gitignore                         |    1 +
 ecryptfs-utils-75-werror.patch     |  133 +++++++++++++++----------------
 ecryptfs-utils-87-fixexecgid.patch |   51 ++++++------
 ecryptfs-utils-87-fixpamfork.patch |   30 +++++--
 ecryptfs-utils-87-pamdata.patch    |  106 ++++++++++++++++++------
 ecryptfs-utils-87-syslog.patch     |  155 +++++++++++++++++++++--------------
 ecryptfs-utils-99-selinux.patch    |   20 +++++
 ecryptfs-utils.spec                |   12 +++-
 sources                            |    2 +-
 9 files changed, 316 insertions(+), 194 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 516bcb1..de51268 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ ecryptfs-mount-private.png
 /ecryptfs-utils_95.orig.tar.gz
 /ecryptfs-utils_96.orig.tar.gz
 /ecryptfs-utils_97.orig.tar.gz
+/ecryptfs-utils_99.orig.tar.gz
diff --git a/ecryptfs-utils-75-werror.patch b/ecryptfs-utils-75-werror.patch
index 9cedf2a..60cc559 100644
--- a/ecryptfs-utils-75-werror.patch
+++ b/ecryptfs-utils-75-werror.patch
@@ -1,6 +1,6 @@
-diff -up ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
---- ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror	2012-06-25 15:25:21.915772946 +0200
-+++ ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2012-06-25 15:25:21.928773050 +0200
+diff -up ecryptfs-utils-99/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-99/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c
+--- ecryptfs-utils-99/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror	2012-07-23 18:59:05.223406369 +0200
++++ ecryptfs-utils-99/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2012-07-23 18:59:05.237406445 +0200
 @@ -99,7 +99,7 @@ static int ecryptfs_pkcs11h_deserialize(
  		pkcs11h_data->serialized_id = NULL;
  	}
@@ -150,9 +150,9 @@ diff -up ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror e
  
  	subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo);
  
-diff -up ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c
---- ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c.werror	2012-05-18 21:06:17.000000000 +0200
-+++ ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c	2012-06-25 15:25:21.929773058 +0200
+diff -up ecryptfs-utils-99/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-99/src/libecryptfs/ecryptfs-stat.c
+--- ecryptfs-utils-99/src/libecryptfs/ecryptfs-stat.c.werror	2012-05-18 21:06:17.000000000 +0200
++++ ecryptfs-utils-99/src/libecryptfs/ecryptfs-stat.c	2012-07-23 18:59:05.238406451 +0200
 @@ -146,7 +146,7 @@ int ecryptfs_parse_stat(struct ecryptfs_
  	if (buf_size < (ECRYPTFS_FILE_SIZE_BYTES
  			+ MAGIC_ECRYPTFS_MARKER_SIZE_BYTES
@@ -162,15 +162,21 @@ diff -up ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils
  		       "bytes; there are only [%zu] bytes\n", __FUNCTION__,
  		       (ECRYPTFS_FILE_SIZE_BYTES
  			+ MAGIC_ECRYPTFS_MARKER_SIZE_BYTES
-diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror	2012-05-18 21:06:17.000000000 +0200
-+++ ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c	2012-06-25 15:25:21.929773058 +0200
-@@ -39,35 +39,11 @@
- #include <sys/stat.h>
- #include <fcntl.h>
- #include <security/pam_modules.h>
-+#include <security/pam_ext.h>
- #include "../include/ecryptfs.h"
+diff -up ecryptfs-utils-99/src/libecryptfs/key_management.c.werror ecryptfs-utils-99/src/libecryptfs/key_management.c
+--- ecryptfs-utils-99/src/libecryptfs/key_management.c.werror	2012-07-23 18:59:05.219406346 +0200
++++ ecryptfs-utils-99/src/libecryptfs/key_management.c	2012-07-23 18:59:05.238406451 +0200
+@@ -228,7 +228,6 @@ int ecryptfs_wrap_passphrase_file(char *
+ 	int rc = 0;
+ 	ssize_t size;
+ 	int fd;
+-	int i;
+ 	char *p = NULL;
+ 	char decrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1];
+ 
+diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.werror	2012-07-11 16:03:17.000000000 +0200
++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c	2012-07-23 18:59:38.714596789 +0200
+@@ -47,31 +47,6 @@
  
  #define PRIVATE_DIR "Private"
  
@@ -202,16 +208,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils
  /* returns: 0 if file does not exist, 1 if it exists, <0 for error */
  static int file_exists_dotecryptfs(const char *homedir, char *filename)
  {
-@@ -87,7 +63,7 @@ out:
- 	return rc;
- }
- 
--static int wrap_passphrase_if_necessary(char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt)
-+static int wrap_passphrase_if_necessary(const char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt)
- {
- 	char *unwrapped_pw_filename = NULL;
- 	struct stat s;
-@@ -195,8 +171,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -216,8 +191,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  		if ((argc == 1)
  		    && (memcmp(argv[0], "unwrap\0", 7) == 0)) {
  			char *wrapped_pw_filename;
@@ -220,7 +217,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils
  
  			rc = asprintf(
  				&wrapped_pw_filename, "%s/.ecryptfs/%s",
-@@ -282,8 +256,6 @@ static int private_dir(pam_handle_t *pam
+@@ -309,8 +282,6 @@ static int private_dir(pam_handle_t *pam
  	char *autoumount = "auto-umount";
  	struct stat s;
  	pid_t pid;
@@ -229,7 +226,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils
  
  	if ((pwd = fetch_pwd(pamh)) == NULL) {
  		/* fetch_pwd() logged a message */
-@@ -329,7 +301,7 @@ static int private_dir(pam_handle_t *pam
+@@ -356,7 +327,7 @@ static int private_dir(pam_handle_t *pam
  			if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) {
  				/* User has not recorded their passphrase */
  				unlink("/var/lib/update-notifier/user.d/ecryptfs-record-passphrase");
@@ -238,7 +235,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils
  				fd = open("/var/lib/update-notifier/dpkg-run-stamp", O_WRONLY|O_CREAT|O_NONBLOCK, 0666);
  				close(fd);
  			}
-@@ -398,7 +370,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -435,7 +406,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  	char *old_passphrase = NULL;
  	char *new_passphrase = NULL;
  	char *wrapped_pw_filename;
@@ -246,21 +243,28 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils
  	char salt[ECRYPTFS_SALT_SIZE];
  	char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
  	pid_t child_pid, tmp_pid;
-@@ -412,10 +383,9 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
- 		if (pwd) {
+@@ -450,15 +420,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  			uid = pwd->pw_uid;
+ 			gid = pwd->pw_gid;
  			homedir = pwd->pw_dir;
 -			name = pwd->pw_name;
  		}
  	} else {
--		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc);
-+		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%d]\n", username, rc);
+ 		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%d]\n", username, rc);
  		goto out;
  	}
- 	saved_uid = geteuid();
-diff -up ecryptfs-utils-97/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-97/src/utils/mount.ecryptfs.c
---- ecryptfs-utils-97/src/utils/mount.ecryptfs.c.werror	2012-06-25 15:25:21.926773034 +0200
-+++ ecryptfs-utils-97/src/utils/mount.ecryptfs.c	2012-06-25 15:25:21.930773066 +0200
+ 
+-	if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0 ||
+-	    (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
++	oeuid = geteuid();
++	oegid = getegid();
++	if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
+ 		syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
+ 		goto outnouid;
+ 	}
+diff -up ecryptfs-utils-99/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-99/src/utils/mount.ecryptfs.c
+--- ecryptfs-utils-99/src/utils/mount.ecryptfs.c.werror	2012-07-23 18:59:05.234406430 +0200
++++ ecryptfs-utils-99/src/utils/mount.ecryptfs.c	2012-07-23 18:59:05.239406457 +0200
 @@ -34,6 +34,7 @@
  #include <sys/mount.h>
  #include <sys/stat.h>
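Review bot: The message `"pam_ecryptfs: geteuid error"` kept under the rewritten check in pam_sm_chauthtok is now reached only when `getgroups()` fails, because `geteuid()` and `getegid()` became plain assignments. Someone reading the log would look for the wrong failure; I would change the line to `syslog(LOG_ERR, "pam_ecryptfs: getgroups error: %m");`. The same text follows the same `getgroups()` check in fill_keyring() in ecryptfs-utils-87-pamdata.patch. pam_sm_chauthtok starts and ends outside this hunk.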
@@ -269,9 +273,9 @@ diff -up ecryptfs-utils-97/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-97/s
  #include "config.h"
  #include "ecryptfs.h"
  #include "decision_graph.h"
-diff -up ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c
---- ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c.werror	2012-06-25 15:25:21.921772994 +0200
-+++ ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c	2012-06-25 15:25:21.930773066 +0200
+diff -up ecryptfs-utils-99/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-99/src/utils/mount.ecryptfs_private.c
+--- ecryptfs-utils-99/src/utils/mount.ecryptfs_private.c.werror	2012-07-23 18:59:05.229406400 +0200
++++ ecryptfs-utils-99/src/utils/mount.ecryptfs_private.c	2012-07-23 18:59:05.240406463 +0200
 @@ -95,7 +95,7 @@ int read_config(char *pw_dir, int uid, c
  	*s = strdup(e->mnt_fsname);
  	if (!*s)
@@ -281,18 +285,9 @@ diff -up ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c.werror ecryptfs-ut
  	return 0;
  }
  
-@@ -302,7 +302,7 @@ int update_mtab(char *dev, char *mnt, ch
- 		goto fail_early;
- 	}
- 
--	while (old_ent = getmntent(old_mtab)) {
-+	while ((old_ent = getmntent(old_mtab))) {
- 		if (addmntent(new_mtab, old_ent) != 0) {
- 			perror("addmntent");
- 			goto fail;
-diff -up ecryptfs-utils-97/src/utils/test.c.werror ecryptfs-utils-97/src/utils/test.c
---- ecryptfs-utils-97/src/utils/test.c.werror	2012-05-18 21:06:17.000000000 +0200
-+++ ecryptfs-utils-97/src/utils/test.c	2012-06-25 15:25:21.931773074 +0200
+diff -up ecryptfs-utils-99/src/utils/test.c.werror ecryptfs-utils-99/src/utils/test.c
+--- ecryptfs-utils-99/src/utils/test.c.werror	2012-05-18 21:06:17.000000000 +0200
++++ ecryptfs-utils-99/src/utils/test.c	2012-07-23 18:59:05.240406463 +0200
 @@ -281,7 +281,7 @@ int ecryptfs_encrypt_page(int page_cache
  	struct inode *lower_inode;
  	struct ecryptfs_crypt_stat *crypt_stat;
@@ -302,9 +297,9 @@ diff -up ecryptfs-utils-97/src/utils/test.c.werror ecryptfs-utils-97/src/utils/t
  	int orig_byte_offset = 0;
  	int num_extents_per_page;
  #define ECRYPTFS_PAGE_STATE_UNREAD    0
-diff -up ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c.werror ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c
---- ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c.werror	2012-05-18 21:06:17.000000000 +0200
-+++ ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c	2012-06-25 15:25:21.931773074 +0200
+diff -up ecryptfs-utils-99/tests/kernel/directory-concurrent/test.c.werror ecryptfs-utils-99/tests/kernel/directory-concurrent/test.c
+--- ecryptfs-utils-99/tests/kernel/directory-concurrent/test.c.werror	2012-05-18 21:06:17.000000000 +0200
++++ ecryptfs-utils-99/tests/kernel/directory-concurrent/test.c	2012-07-23 18:59:05.240406463 +0200
 @@ -149,7 +149,7 @@ int hang_check(int option, const char *f
  
  int test_dirs(const char *path, const int max_dirs)
@@ -314,9 +309,9 @@ diff -up ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c.werror ecryp
  	char *filename;
  	size_t len = strlen(path) + 32;
  	int ret = TEST_PASSED;
-diff -up ecryptfs-utils-97/tests/kernel/extend-file-random/test.c.werror ecryptfs-utils-97/tests/kernel/extend-file-random/test.c
---- ecryptfs-utils-97/tests/kernel/extend-file-random/test.c.werror	2012-05-18 21:06:17.000000000 +0200
-+++ ecryptfs-utils-97/tests/kernel/extend-file-random/test.c	2012-06-25 15:25:21.931773074 +0200
+diff -up ecryptfs-utils-99/tests/kernel/extend-file-random/test.c.werror ecryptfs-utils-99/tests/kernel/extend-file-random/test.c
+--- ecryptfs-utils-99/tests/kernel/extend-file-random/test.c.werror	2012-05-18 21:06:17.000000000 +0200
++++ ecryptfs-utils-99/tests/kernel/extend-file-random/test.c	2012-07-23 18:59:05.241406469 +0200
 @@ -48,7 +48,7 @@ int test_write(int fd, char *buffer, siz
  	}
  
@@ -342,9 +337,9 @@ diff -up ecryptfs-utils-97/tests/kernel/extend-file-random/test.c.werror ecryptf
  			len, offset, strerror(errno));
  		return TEST_FAILED;
  	}
-diff -up ecryptfs-utils-97/tests/kernel/file-concurrent/test.c.werror ecryptfs-utils-97/tests/kernel/file-concurrent/test.c
---- ecryptfs-utils-97/tests/kernel/file-concurrent/test.c.werror	2012-05-18 21:06:17.000000000 +0200
-+++ ecryptfs-utils-97/tests/kernel/file-concurrent/test.c	2012-06-25 15:25:21.932773082 +0200
+diff -up ecryptfs-utils-99/tests/kernel/file-concurrent/test.c.werror ecryptfs-utils-99/tests/kernel/file-concurrent/test.c
+--- ecryptfs-utils-99/tests/kernel/file-concurrent/test.c.werror	2012-05-18 21:06:17.000000000 +0200
++++ ecryptfs-utils-99/tests/kernel/file-concurrent/test.c	2012-07-23 18:59:05.241406469 +0200
 @@ -177,7 +177,7 @@ int hang_check(int option, const char *f
  
  int test_files(const char *path, const int max_files)
@@ -354,9 +349,9 @@ diff -up ecryptfs-utils-97/tests/kernel/file-concurrent/test.c.werror ecryptfs-u
  	char *filename;
  	size_t len = strlen(path) + 32;
  	int ret = TEST_PASSED;
-diff -up ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c.werror ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c
---- ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c.werror	2012-05-18 21:06:17.000000000 +0200
-+++ ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c	2012-06-25 15:25:21.932773082 +0200
+diff -up ecryptfs-utils-99/tests/kernel/inode-race-stat/test.c.werror ecryptfs-utils-99/tests/kernel/inode-race-stat/test.c
+--- ecryptfs-utils-99/tests/kernel/inode-race-stat/test.c.werror	2012-05-18 21:06:17.000000000 +0200
++++ ecryptfs-utils-99/tests/kernel/inode-race-stat/test.c	2012-07-23 18:59:05.241406469 +0200
 @@ -106,7 +106,6 @@ static void do_test(const int fdin, cons
  {
  	for (;;) {
@@ -391,9 +386,9 @@ diff -up ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c.werror ecryptfs-u
  		(void)waitpid(pids[i], &status, 0);
  
  		(void)close(pipe_to[i][1]);
-diff -up ecryptfs-utils-97/tests/kernel/lp-509180/test.c.werror ecryptfs-utils-97/tests/kernel/lp-509180/test.c
---- ecryptfs-utils-97/tests/kernel/lp-509180/test.c.werror	2012-06-25 15:25:25.512801830 +0200
-+++ ecryptfs-utils-97/tests/kernel/lp-509180/test.c	2012-06-25 15:25:25.526801949 +0200
+diff -up ecryptfs-utils-99/tests/kernel/lp-509180/test.c.werror ecryptfs-utils-99/tests/kernel/lp-509180/test.c
+--- ecryptfs-utils-99/tests/kernel/lp-509180/test.c.werror	2012-05-18 21:06:17.000000000 +0200
++++ ecryptfs-utils-99/tests/kernel/lp-509180/test.c	2012-07-23 18:59:05.242406474 +0200
 @@ -48,7 +48,6 @@ int main(int argc, char **argv)
  	int fd;
  	int opt, flags = 0;
@@ -402,9 +397,9 @@ diff -up ecryptfs-utils-97/tests/kernel/lp-509180/test.c.werror ecryptfs-utils-9
  	char *file;
  	unsigned char buffer[1];
  
-diff -up ecryptfs-utils-97/tests/kernel/trunc-file/test.c.werror ecryptfs-utils-97/tests/kernel/trunc-file/test.c
---- ecryptfs-utils-97/tests/kernel/trunc-file/test.c.werror	2012-05-18 21:06:17.000000000 +0200
-+++ ecryptfs-utils-97/tests/kernel/trunc-file/test.c	2012-06-25 15:25:21.932773082 +0200
+diff -up ecryptfs-utils-99/tests/kernel/trunc-file/test.c.werror ecryptfs-utils-99/tests/kernel/trunc-file/test.c
+--- ecryptfs-utils-99/tests/kernel/trunc-file/test.c.werror	2012-05-18 21:06:17.000000000 +0200
++++ ecryptfs-utils-99/tests/kernel/trunc-file/test.c	2012-07-23 18:59:05.242406474 +0200
 @@ -39,7 +39,7 @@
  
  int write_buff(int fd, unsigned char *data, ssize_t size)
diff --git a/ecryptfs-utils-87-fixexecgid.patch b/ecryptfs-utils-87-fixexecgid.patch
index ed9c2e6..613fcd6 100644
--- a/ecryptfs-utils-87-fixexecgid.patch
+++ b/ecryptfs-utils-87-fixexecgid.patch
@@ -1,24 +1,27 @@
-diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid	2011-07-25 16:38:48.040555555 +0200
-+++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c	2011-07-25 16:52:22.751025667 +0200
-@@ -33,6 +33,7 @@
- #include <errno.h>
- #include <syslog.h>
- #include <pwd.h>
-+#include <grp.h>
- #include <sys/types.h>
- #include <sys/wait.h>
- #include <sys/types.h>
-@@ -303,6 +304,12 @@ static int private_dir(pam_handle_t *pam
- 		return 1;
- 	}
- 	if (pid == 0) {
-+		/* set user's groups, we may need ecryptfs group for (u)mount */
-+		if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
-+			syslog(LOG_ERR, "Unable to set user's groups : %m");
-+			_exit(255);
-+		}
-+
- 		if (mount == 1) {
- 		        if ((asprintf(&recorded,
- 			    "%s/.ecryptfs/.wrapped-passphrase.recorded",
+diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid	2012-07-24 13:20:58.456297563 +0200
++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c	2012-07-24 13:21:53.250786224 +0200
+@@ -337,8 +337,10 @@ static int private_dir(pam_handle_t *pam
+ 				_exit(0);
+ 			}
+ 			clearenv();
+-			if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
++			if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
++				syslog(LOG_ERR, "Unable to set user's groups : %m");
+ 				_exit(255);
++			}
+ 			/* run mount.ecryptfs_private as the user */
+ 			if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
+ 				_exit(255);
+@@ -352,8 +354,10 @@ static int private_dir(pam_handle_t *pam
+ 				_exit(0);
+ 			}
+ 			clearenv();
+-			if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
++			if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
++				syslog(LOG_ERR, "Unable to set user's groups : %m");
+ 				_exit(255);
++			}
+ 			/* run umount.ecryptfs_private as the user */
+ 			if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
+ 				_exit(255);
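Review bot: In both child branches of private_dir() (mount and umount), upstream's `setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0` is replaced by `initgroups()` alone, which fills the supplementary group list but does not change the real, effective or saved GID. Nothing visible between `clearenv()` and `setresuid()` sets the primary group any more, so the helper would be executed with whatever GID the PAM caller had, presumably root's. I would keep the primary-group drop next to the new call: `if (initgroups(pwd->pw_name, pwd->pw_gid) != 0 || setgid(pwd->pw_gid) < 0) {`. private_dir() starts and ends outside these hunks, so confirm that no earlier `setgid()` exists on the child path.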
diff --git a/ecryptfs-utils-87-fixpamfork.patch b/ecryptfs-utils-87-fixpamfork.patch
index 6eb8861..820a885 100644
--- a/ecryptfs-utils-87-fixpamfork.patch
+++ b/ecryptfs-utils-87-fixpamfork.patch
@@ -1,7 +1,7 @@
-diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork	2012-06-25 14:57:39.908192484 +0200
-+++ ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c	2012-06-25 15:05:53.368373955 +0200
-@@ -208,7 +208,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork	2012-07-24 13:19:34.168544970 +0200
++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c	2012-07-24 13:20:20.600959698 +0200
+@@ -228,7 +228,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  		}
  out_child:
  		free(auth_tok_sig);
@@ -10,7 +10,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-u
  	}
  	tmp_pid = waitpid(child_pid, NULL, 0);
  	if (tmp_pid == -1)
-@@ -296,7 +296,7 @@ static int private_dir(pam_handle_t *pam
+@@ -322,7 +322,7 @@ static int private_dir(pam_handle_t *pam
  			    "%s/.ecryptfs/.wrapped-passphrase.recorded",
  			    pwd->pw_dir) < 0) || recorded == NULL) {
  				syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for recorded name");
@@ -19,15 +19,21 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-u
  			}
  			if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) {
  				/* User has not recorded their passphrase */
-@@ -308,25 +308,27 @@ static int private_dir(pam_handle_t *pam
+@@ -334,33 +334,35 @@ static int private_dir(pam_handle_t *pam
  			if (stat(autofile, &s) != 0) {
  				/* User does not want to auto-mount */
  				syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount");
 -				exit(0);
 +				_exit(0);
  			}
+ 			clearenv();
+ 			if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
+-				return -1;
++				_exit(255);
  			/* run mount.ecryptfs_private as the user */
- 			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ 			if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
+-				return -1;
++				_exit(255);
  			execl("/sbin/mount.ecryptfs_private",
  			      "mount.ecryptfs_private", NULL);
 +			syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m");
@@ -38,8 +44,14 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-u
 -				exit(0);
 +				_exit(0);
  			}
+ 			clearenv();
+ 			if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
+-				return -1;
++				_exit(255);
  			/* run umount.ecryptfs_private as the user */
- 			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ 			if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
+-				return -1;
++				_exit(255);
  			execl("/sbin/umount.ecryptfs_private",
   			      "umount.ecryptfs_private", NULL);
 -			exit(1);
@@ -51,7 +63,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-u
  	} else {
  		waitpid(pid, &rc, 0);
  	}
-@@ -456,7 +458,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -505,7 +507,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  			goto out_child;
  		}
  out_child:
diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch
index 366d8b7..2df6359 100644
--- a/ecryptfs-utils-87-pamdata.patch
+++ b/ecryptfs-utils-87-pamdata.patch
@@ -1,7 +1,7 @@
-diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata	2011-10-31 13:47:57.282750862 +0100
-+++ ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c	2011-10-31 13:56:28.601144959 +0100
-@@ -44,6 +44,25 @@
+diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.pamdata	2012-07-23 20:16:39.161357208 +0200
++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c	2012-07-23 20:16:49.952442084 +0200
+@@ -47,6 +47,26 @@
  
  #define PRIVATE_DIR "Private"
  
@@ -10,6 +10,7 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
 +struct ecryptfs_pam_data {
 +	int unwrap;
 +	uid_t uid;
++	gid_t gid;
 +	char *passphrase;
 +	const char *homedir;
 +	const char *username;
@@ -27,7 +28,7 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
  /* returns: 0 if file does not exist, 1 if it exists, <0 for error */
  static int file_exists_dotecryptfs(const char *homedir, char *filename)
  {
-@@ -63,7 +82,7 @@ out:
+@@ -66,7 +86,7 @@ out:
  	return rc;
  }
  
@@ -36,13 +37,15 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
  {
  	char *unwrapped_pw_filename = NULL;
  	struct stat s;
-@@ -95,37 +114,37 @@ static int wrap_passphrase_if_necessary(
+@@ -98,52 +118,38 @@ static int wrap_passphrase_if_necessary(
  PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
  				   const char **argv)
  {
--	uid_t uid = 0;
+-	uid_t uid = 0, oeuid = 0;
+-	long ngroups_max = sysconf(_SC_NGROUPS_MAX);
+-	gid_t gid = 0, oegid = 0, groups[ngroups_max+1];
+-	int ngids = 0;
 -	char *homedir = NULL;
- 	uid_t saved_uid = 0;
 -	const char *username;
 -	char *passphrase = NULL;
 -	char salt[ECRYPTFS_SALT_SIZE];
@@ -50,8 +53,7 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
 -	char *auth_tok_sig;
  	char *private_mnt = NULL;
 -	pid_t child_pid, tmp_pid;
--	long rc;
-+	long rc = 0;
+ 	long rc;
  	uint32_t version;
 +	struct ecryptfs_pam_data *epd = {0,};
  
@@ -70,15 +72,29 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
 +		pwd = getpwnam(epd->username);
  		if (pwd) {
 -			uid = pwd->pw_uid;
+-			gid = pwd->pw_gid;
 -			homedir = pwd->pw_dir;
 +			epd->uid = pwd->pw_uid;
++			epd->gid = pwd->pw_gid;
 +			epd->homedir = pwd->pw_dir;
  		}
  	} else {
 -		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc);
-+		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", epd->username, rc);
+-		goto out;
+-	}
+-
+-	if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0 ||
+-	    (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
+-		syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
+-		goto outnouid;
+-	}
+-
+-	if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) {
+-		syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
++		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
  		goto out;
  	}
+ 
 -	if (!file_exists_dotecryptfs(homedir, "auto-mount"))
 +	if (!file_exists_dotecryptfs(epd->homedir, "auto-mount"))
  		goto out;
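Review bot: With upstream's `setegid(gid)` / `setgroups(1, &gid)` / `seteuid(uid)` block removed here, the `file_exists_dotecryptfs(epd->homedir, "auto-mount")` check that follows in pam_sm_authenticate runs with the PAM caller's credentials instead of the user's. Paths under the home directory are user-controlled, so these lookups are better done after the credential switch that this patch moves into fill_keyring(), or with the switch kept around them. Separately, when `getpwnam()` returns NULL the `if (pwd)` block is skipped and `epd->homedir` is still passed on; an `else` branch that logs and does `goto out;` would stop that. The function body continues outside this hunk.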
@@ -90,21 +106,18 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
  		/* If private/home is already mounted, then we can skip
  		   costly loading of keys */
  		goto out;
-@@ -135,79 +154,29 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -152,89 +158,28 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 	   load ecryptfs module if not loaded already */
  	if (ecryptfs_get_version(&version) != 0)
  		syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n");
- 	saved_uid = geteuid();
--	seteuid(uid);
 -	if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1)
 -		rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: ");
-+	seteuid(epd->uid);
 +	if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1)
 +		rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &epd->passphrase, "Encryption passphrase: ");
  	else
 -		rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
 +		rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase);
 +	epd->passphrase = strdup(epd->passphrase);
- 	seteuid(saved_uid);
  	if (rc != PAM_SUCCESS) {
  		syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n",
  		       rc);
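Review bot: `epd->passphrase = strdup(epd->passphrase);` runs before the `rc != PAM_SUCCESS` check, so a failed `pam_prompt()` / `pam_get_item()` or an absent PAM_AUTHTOK hands a possibly unset or NULL pointer to `strdup()`, and the result of `strdup()` is never checked. I would move the copy below the check and guard it: `if (epd->passphrase == NULL || (epd->passphrase = strdup(epd->passphrase)) == NULL) goto out;`. In the `pam_prompt()` branch the response buffer belongs to the caller, so overwriting the pointer leaves one copy of the passphrase on the heap that is neither cleared nor freed. The function body continues outside this hunk.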
@@ -123,7 +136,12 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
  	} else
 -		from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
 -	if ((child_pid = fork()) == 0) {
--		setuid(uid);
+-		/* temp regain uid 0 to drop privs */
+-		seteuid(oeuid);
+-		/* setgroups() already called */
+-		if (setgid(gid) < 0 || setuid(uid) < 0)
+-			goto out_child;
+-
 -		if (passphrase == NULL) {
 -			syslog(LOG_ERR, "pam_ecryptfs: NULL passphrase; aborting\n");
 -			rc = -EINVAL;
@@ -172,40 +190,69 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
 +		from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE);
 +	epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0));
 +	if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) {
-+	  
 +		syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc));
 +		goto out;
  	}
 -	tmp_pid = waitpid(child_pid, NULL, 0);
 -	if (tmp_pid == -1)
 -		syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n");
- out:
+-out:
+ 
+-	seteuid(oeuid);
+-	setegid(oegid);
+-	setgroups(ngids, groups);
+-
+-outnouid:
++out:
  	if (private_mnt != NULL)
  		free(private_mnt);
-@@ -347,10 +316,88 @@ static int umount_private_dir(pam_handle
+ 	return PAM_SUCCESS;
+@@ -381,10 +326,115 @@ static int umount_private_dir(pam_handle
  	return private_dir(pamh, 0);
  }
  
 +static int fill_keyring(pam_handle_t *pamh)
 +{
 +	pid_t child_pid,tmp_pid;
++	uid_t oeuid = 0;
++	long ngroups_max = sysconf(_SC_NGROUPS_MAX);
++	gid_t oegid = 0, groups[ngroups_max+1];
++	int ngids = 0;
 +	int rc = 0;
 +	const struct ecryptfs_pam_data *epd;
 +	char *auth_tok_sig;
 +	auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1);
-+	if (!auth_tok_sig) {
-+		syslog(LOG_ERR, "Out of memory\n");
-+		return -ENOMEM;
-+	}
-+  
++	
 +	if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS)
 +	{
 +		syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc));
 +		return -EINVAL;
 +	}
 +  
++	oeuid = geteuid();
++	oegid = getegid();
++	if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
++		syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
++		goto outnouid;
++	}
++
++	if (setegid(epd->gid) < 0 || setgroups(1, &epd->gid) < 0 || seteuid(epd->uid) < 0) {
++		syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
++		goto out;
++	}
++
++	if (!auth_tok_sig) {
++		syslog(LOG_ERR, "Out of memory\n");
++		return -ENOMEM;
++	}
++  
 + 	if ((child_pid = fork()) == 0) {
-+		setuid(epd->uid);
++		/* temp regain uid 0 to drop privs */
++		seteuid(oeuid);
++		/* setgroups() already called */
++		if (setgid(epd->gid) < 0 || setuid(epd->uid) < 0)
++			goto out_child;
++	  
 +		if (epd->passphrase == NULL) {
 +			syslog(LOG_ERR, "NULL passphrase; aborting\n");
 +			rc = -EINVAL;
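Review bot: The `if (!auth_tok_sig)` check in fill_keyring() now sits after the `setegid()` / `setgroups()` / `seteuid()` switch and still uses `return -ENOMEM;`, so an allocation failure leaves the calling process with the user's effective IDs and a one-entry group list. It should do `rc = -ENOMEM; goto out;` so that the restore code under `out:` runs, or better, be checked directly after `malloc()` before any credentials change. The earlier `return -EINVAL;` after `pam_get_data()` and the `goto outnouid;` path both leak `auth_tok_sig`. In the child, the return value of `seteuid(oeuid)` is ignored before `setgid()` / `setuid()`; treat a failure there like the other two and `goto out_child`. fill_keyring() continues past the end of this hunk.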
@@ -257,7 +304,12 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util
 +	if (tmp_pid == -1)
 +		syslog(LOG_WARNING,
 +		       "waitpid() returned with error condition\n"); 
-+  
++out:
++	seteuid(oeuid);
++	setegid(oegid);
++	setgroups(ngids, groups);
++
++outnouid:
 +  
 +  return 0;
 +}
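Review bot: The restore sequence under `out:` ignores the results of `seteuid(oeuid)`, `setegid(oegid)` and `setgroups(ngids, groups)`, and fill_keyring() then returns 0 unconditionally. If any of them fails, the PAM stack carries on under the user's IDs or with a reduced group list and nothing is logged. I would at least record it: `if (seteuid(oeuid) < 0 || setegid(oegid) < 0 || setgroups(ngids, groups) < 0) syslog(LOG_ERR, "pam_ecryptfs: unable to restore credentials: %m");`, and return an error so the caller can react. Part of the function lies outside this hunk.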
diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch
index a76fd01..56c68ba 100644
--- a/ecryptfs-utils-87-syslog.patch
+++ b/ecryptfs-utils-87-syslog.patch
@@ -1,6 +1,6 @@
-diff -up ecryptfs-utils-97/src/include/ecryptfs.h.syslog ecryptfs-utils-97/src/include/ecryptfs.h
---- ecryptfs-utils-97/src/include/ecryptfs.h.syslog	2012-06-25 15:06:12.902539327 +0200
-+++ ecryptfs-utils-97/src/include/ecryptfs.h	2012-06-25 15:06:12.907539370 +0200
+diff -up ecryptfs-utils-99/src/include/ecryptfs.h.syslog ecryptfs-utils-99/src/include/ecryptfs.h
+--- ecryptfs-utils-99/src/include/ecryptfs.h.syslog	2012-07-24 13:22:22.225044430 +0200
++++ ecryptfs-utils-99/src/include/ecryptfs.h	2012-07-24 13:22:22.228044457 +0200
 @@ -143,7 +143,7 @@
  #define ECRYPTFS_TAG_67_PACKET 0x43
  
@@ -10,10 +10,10 @@ diff -up ecryptfs-utils-97/src/include/ecryptfs.h.syslog ecryptfs-utils-97/src/i
  
  #define ECRYPTFS_MAX_NUM_CIPHERS 64
  #define ECRYPTFS_ECHO_ON 1
-diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c
---- ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog	2012-06-25 15:06:12.899539302 +0200
-+++ ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c	2012-06-25 15:07:29.141184640 +0200
-@@ -91,7 +91,7 @@ static int wrap_passphrase_if_necessary(
+diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c
+--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.syslog	2012-07-24 13:22:22.222044403 +0200
++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c	2012-07-24 13:23:02.726405147 +0200
+@@ -94,7 +94,7 @@ static int wrap_passphrase_if_necessary(
  
  	rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username);
  	if (rc == -1) {
@@ -22,7 +22,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		return -ENOMEM;
  	}
  	/* If /dev/shm/.ecryptfs-$USER exists and owned by the user
-@@ -105,7 +105,7 @@ static int wrap_passphrase_if_necessary(
+@@ -108,7 +108,7 @@ static int wrap_passphrase_if_necessary(
  		setuid(uid);
  		rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename);
  		if (rc != 0) {
@@ -31,7 +31,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		}
  		return rc;
  	}
-@@ -123,7 +123,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -125,7 +125,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  	struct ecryptfs_pam_data *epd = {0,};
  
  	if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) {
@@ -40,15 +40,16 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		rc = -ENOMEM;
  		goto out;
  	}
-@@ -138,14 +138,14 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -141,7 +141,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  			epd->homedir = pwd->pw_dir;
  		}
  	} else {
--		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", epd->username, rc);
-+		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", epd->username, rc);
+-		syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
++		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc);
  		goto out;
  	}
- 	if (!file_exists_dotecryptfs(epd->homedir, "auto-mount"))
+ 
+@@ -149,7 +149,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  		goto out;
  	private_mnt = ecryptfs_fetch_private_mnt(epd->homedir);
  	if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
@@ -57,18 +58,17 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		/* If private/home is already mounted, then we can skip
  		   costly loading of keys */
  		goto out;
-@@ -153,7 +153,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+@@ -157,14 +157,14 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
  	/* we need side effect of this check:
  	   load ecryptfs module if not loaded already */
  	if (ecryptfs_get_version(&version) != 0)
 -		syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n");
 +		ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n");
- 	saved_uid = geteuid();
- 	seteuid(epd->uid);
  	if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1)
-@@ -163,7 +163,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 		rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &epd->passphrase, "Encryption passphrase: ");
+ 	else
+ 		rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase);
  	epd->passphrase = strdup(epd->passphrase);
- 	seteuid(saved_uid);
  	if (rc != PAM_SUCCESS) {
 -		syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n",
 +		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n",
@@ -76,15 +76,15 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		goto out;
  	}
 @@ -175,7 +175,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 		from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE);
  	epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0));
  	if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) {
- 	  
 -		syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc));
 +		ecryptfs_syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc));
  		goto out;
  	}
- out:
-@@ -198,12 +198,12 @@ static struct passwd *fetch_pwd(pam_hand
+ 
+@@ -199,12 +199,12 @@ static struct passwd *fetch_pwd(pam_hand
  
  	rc = pam_get_user(pamh, &username, NULL);
  	if (rc != PAM_SUCCESS || username == NULL) {
@@ -99,7 +99,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		return NULL;
  	}
  	return pwd;
-@@ -234,13 +234,13 @@ static int private_dir(pam_handle_t *pam
+@@ -235,13 +235,13 @@ static int private_dir(pam_handle_t *pam
  	if (
  	    (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0)
  	     || autofile == NULL) {
@@ -115,7 +115,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		return 1;
          }
  	if (stat(sigfile, &s) != 0) {
-@@ -252,13 +252,13 @@ static int private_dir(pam_handle_t *pam
+@@ -253,7 +253,7 @@ static int private_dir(pam_handle_t *pam
  		goto out;
  	}
  	if ((pid = fork()) < 0) {
@@ -124,14 +124,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		return 1;
  	}
  	if (pid == 0) {
- 		/* set user's groups, we may need ecryptfs group for (u)mount */
- 		if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
--			syslog(LOG_ERR, "Unable to set user's groups : %m");
-+			ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m");
- 			_exit(255);
- 		}
- 
-@@ -266,7 +266,7 @@ static int private_dir(pam_handle_t *pam
+@@ -261,7 +261,7 @@ static int private_dir(pam_handle_t *pam
  		        if ((asprintf(&recorded,
  			    "%s/.ecryptfs/.wrapped-passphrase.recorded",
  			    pwd->pw_dir) < 0) || recorded == NULL) {
@@ -140,7 +133,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  				_exit(255);
  			}
  			if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) {
-@@ -278,25 +278,25 @@ static int private_dir(pam_handle_t *pam
+@@ -273,12 +273,12 @@ static int private_dir(pam_handle_t *pam
  			}
  			if (stat(autofile, &s) != 0) {
  				/* User does not want to auto-mount */
@@ -148,8 +141,15 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
 +				ecryptfs_syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount");
  				_exit(0);
  			}
+ 			clearenv();
+ 			if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+-				syslog(LOG_ERR, "Unable to set user's groups : %m");
++				ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m");
+ 				_exit(255);
+ 			}
  			/* run mount.ecryptfs_private as the user */
- 			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+@@ -286,16 +286,16 @@ static int private_dir(pam_handle_t *pam
+ 				_exit(255);
  			execl("/sbin/mount.ecryptfs_private",
  			      "mount.ecryptfs_private", NULL);
 -			syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m");
@@ -161,8 +161,15 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
 +				ecryptfs_syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount");
  				_exit(0);
  			}
+ 			clearenv();
+ 			if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+-				syslog(LOG_ERR, "Unable to set user's groups : %m");
++				ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m");
+ 				_exit(255);
+ 			}
  			/* run umount.ecryptfs_private as the user */
- 			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+@@ -303,7 +303,7 @@ static int private_dir(pam_handle_t *pam
+ 				_exit(255);
  			execl("/sbin/umount.ecryptfs_private",
   			      "umount.ecryptfs_private", NULL);
 -			syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m");
@@ -170,15 +177,8 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  			_exit(255);
  		}
  		_exit(255);
-@@ -325,25 +325,25 @@ static int fill_keyring(pam_handle_t *pa
- 	char *auth_tok_sig;
- 	auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1);
- 	if (!auth_tok_sig) {
--		syslog(LOG_ERR, "Out of memory\n");
-+		ecryptfs_syslog(LOG_ERR, "Out of memory\n");
- 		return -ENOMEM;
- 	}
-   
+@@ -338,24 +338,24 @@ static int fill_keyring(pam_handle_t *pa
+ 	
  	if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS)
  	{
 -		syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc));
@@ -186,8 +186,29 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		return -EINVAL;
  	}
    
-  	if ((child_pid = fork()) == 0) {
- 		setuid(epd->uid);
+ 	oeuid = geteuid();
+ 	oegid = getegid();
+ 	if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
+-		syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
++		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
+ 		goto outnouid;
+ 	}
+ 
+ 	if (setegid(epd->gid) < 0 || setgroups(1, &epd->gid) < 0 || seteuid(epd->uid) < 0) {
+-		syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
++		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
+ 		goto out;
+ 	}
+ 
+ 	if (!auth_tok_sig) {
+-		syslog(LOG_ERR, "Out of memory\n");
++		ecryptfs_syslog(LOG_ERR, "Out of memory\n");
+ 		return -ENOMEM;
+ 	}
+   
+@@ -367,12 +367,12 @@ static int fill_keyring(pam_handle_t *pa
+ 			goto out_child;
+ 	  
  		if (epd->passphrase == NULL) {
 -			syslog(LOG_ERR, "NULL passphrase; aborting\n");
 +			ecryptfs_syslog(LOG_ERR, "NULL passphrase; aborting\n");
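Review bot: In fill_keyring the `if (!auth_tok_sig)` branch sits after the `setegid`/`setgroups`/`seteuid` switch to the user and still leaves with `return -ENOMEM;`, so on that path the effective uid, gid and group list appear never to be restored for the calling PAM process. The failure branch just above it uses `goto out`, and a later hunk shows `out:` calling `seteuid(oeuid)`. If the function returns `rc` after `out:`, then `rc = -ENOMEM; goto out;` would keep the restore on every exit taken after the switch. These lines are context that the syslog patch only carries along (its own change is the `ecryptfs_syslog` rename), so the fix probably belongs in whichever patch or upstream source introduced the id switching. fill_keyring starts and ends outside this hunk, so the allocation of `auth_tok_sig` and the full cleanup at `out:` are not visible here.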
@@ -200,7 +221,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  			       "Cannot validate keyring integrity\n");
  		}
  		rc = 0;
-@@ -355,12 +355,12 @@ static int fill_keyring(pam_handle_t *pa
+@@ -384,12 +384,12 @@ static int fill_keyring(pam_handle_t *pa
  				epd->homedir,
  				ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME);
  			if (rc == -1) {
@@ -215,7 +236,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  			} else {
  				goto out_child;
  			}
-@@ -376,7 +376,7 @@ static int fill_keyring(pam_handle_t *pa
+@@ -405,7 +405,7 @@ static int fill_keyring(pam_handle_t *pa
  			goto out_child;
  		}
  		if (rc) {
@@ -224,16 +245,16 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  			       "user session keyring; rc = [%d]\n", rc);
  			goto out_child;
  		}
-@@ -386,7 +386,7 @@ out_child:
+@@ -415,7 +415,7 @@ out_child:
  	}
  	tmp_pid = waitpid(child_pid, NULL, 0);
  	if (tmp_pid == -1)
 -		syslog(LOG_WARNING,
 +		ecryptfs_syslog(LOG_WARNING,
  		       "waitpid() returned with error condition\n"); 
-   
-   
-@@ -436,7 +436,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+ out:
+ 	seteuid(oeuid);
+@@ -473,33 +473,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  			homedir = pwd->pw_dir;
  		}
  	} else {
@@ -241,17 +262,29 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
 +		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%d]\n", username, rc);
  		goto out;
  	}
- 	saved_uid = geteuid();
-@@ -444,7 +444,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+ 
+ 	oeuid = geteuid();
+ 	oegid = getegid();
+ 	if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
+-		syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
++		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
+ 		goto outnouid;
+ 	}
+ 
+ 	if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) {
+-		syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
++		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
+ 		goto out;
+ 	}
+ 
  	if ((rc = pam_get_item(pamh, PAM_OLDAUTHTOK,
  			       (const void **)&old_passphrase))
  	    != PAM_SUCCESS) {
 -		syslog(LOG_ERR, "pam_ecryptfs: Error retrieving old passphrase; rc = [%d]\n", rc);
 +		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error retrieving old passphrase; rc = [%d]\n", rc);
- 		seteuid(saved_uid);
  		goto out;
  	}
-@@ -452,7 +452,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+ 	/* On the first pass, do nothing except check that we have a password */
  	if ((flags & PAM_PRELIM_CHECK)) {
  		if (!old_passphrase)
  		{
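Review bot: The two error branches here log the wrong call: the `getgroups(...) < 0` branch reports `pam_ecryptfs: geteuid error`, and the combined `setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0` test reports `seteuid error` whichever of the three failed. The same pair appears in the fill_keyring hunk earlier in this patch. Anyone triaging a failed privilege switch from syslog is pointed at the wrong call and gets no errno. Since the patch already rewrites these lines, it could carry `ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: getgroups error: %m");` and `ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: unable to switch to user ids: %m");`, assuming `ecryptfs_syslog` passes `%m` through as the other messages in this file suggest. pam_sm_chauthtok continues outside this hunk.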
@@ -259,14 +292,13 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
 +			ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved a NULL passphrase; nothing to do\n");
  			rc = PAM_AUTHTOK_RECOVER_ERR;
  		}
- 		seteuid(saved_uid);
-@@ -461,14 +461,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+ 		goto out;
+@@ -507,13 +507,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  	if ((rc = pam_get_item(pamh, PAM_AUTHTOK,
  			       (const void **)&new_passphrase))
  	    != PAM_SUCCESS) {
 -		syslog(LOG_ERR, "pam_ecryptfs: Error retrieving new passphrase; rc = [%d]\n", rc);
 +		ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error retrieving new passphrase; rc = [%d]\n", rc);
- 		seteuid(saved_uid);
  		goto out;
  	}
  	if ((rc = asprintf(&wrapped_pw_filename, "%s/.ecryptfs/%s", homedir,
@@ -277,7 +309,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		rc = -ENOMEM;
  		goto out;
  	}
-@@ -478,14 +478,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -523,13 +523,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  		from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
  	}
  	if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, new_passphrase, salt) == 0) {
@@ -287,14 +319,13 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
  		goto out;
  	}
  
- 	seteuid(saved_uid);
  	if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') {
 -		syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n");
 +		ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n");
  		rc = PAM_AUTHTOK_RECOVER_ERR;
  		goto out;
  	}
-@@ -497,20 +497,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+@@ -546,20 +546,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
  		if ((rc = ecryptfs_unwrap_passphrase(passphrase,
  						     wrapped_pw_filename,
  						     old_passphrase, salt))) {
@@ -317,4 +348,4 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils
 +		ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n");
  	free(wrapped_pw_filename);
  out:
- 	return rc;
+ 
diff --git a/ecryptfs-utils-99-selinux.patch b/ecryptfs-utils-99-selinux.patch
new file mode 100644
index 0000000..2c3bc19
--- /dev/null
+++ b/ecryptfs-utils-99-selinux.patch
@@ -0,0 +1,20 @@
+diff -up ecryptfs-utils-99/src/utils/ecryptfs-migrate-home.selinux ecryptfs-utils-99/src/utils/ecryptfs-migrate-home
+--- ecryptfs-utils-99/src/utils/ecryptfs-migrate-home.selinux	2012-07-24 14:35:28.428669924 +0200
++++ ecryptfs-utils-99/src/utils/ecryptfs-migrate-home	2012-07-24 14:48:22.656139924 +0200
+@@ -136,6 +136,7 @@ encrypt_dir () {
+ 		error "Cannot proceed."
+ 	fi
+ 	# start encryption
++	setsebool -P use_ecryptfs_home_dirs=1 1>/dev/null 2>&1 ||:
+ 	orig=$(mktemp /home/$USER_NAME.XXXXXXXX)
+ 	rm "$orig" && mv "$USER_HOME" "$orig"
+ 	chmod 700 "$orig"
+@@ -158,6 +159,8 @@ encrypt_dir () {
+ 	fi
+ 	info "Encrypted home has been set up, encrypting files now...this may take a while."
+ 	# Show progress, but on stderr, in case the user wants to filter that out
++	semanage fcontext -a -e /home /home/.ecryptfs >/dev/null 2>&1 ||:
++	restorecon -R $HOME/.ecrypfs/$USER >/dev/null 2>&1 ||:
+ 	rsync -aP "$orig/" "$USER_HOME/" 1>&2
+ 	umount "$USER_HOME/"
+ 	echo
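Review bot: The added `restorecon -R $HOME/.ecrypfs/$USER` line names a path that looks misspelled (`.ecrypfs` rather than `.ecryptfs`) and is built from `$HOME` and `$USER`, while the surrounding lines of encrypt_dir work with `$USER_NAME` and `$USER_HOME`. If the script is run by an administrator for another account, those variables expand to the invoking user's values. Because the line ends in `>/dev/null 2>&1 ||:`, the relabel fails silently and the encrypted directory may keep the wrong SELinux context. Presumably the intended line is `restorecon -R "/home/.ecryptfs/$USER_NAME" >/dev/null 2>&1 ||:`, quoted and matching the `semanage fcontext -a -e /home /home/.ecryptfs` rule above it; confirm the directory against the rest of the script. encrypt_dir starts and ends outside this hunk.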
diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec
index f63ff97..bd19cab 100644
--- a/ecryptfs-utils.spec
+++ b/ecryptfs-utils.spec
@@ -4,7 +4,7 @@
 %global _sbindir /sbin
 
 Name: ecryptfs-utils
-Version: 97
+Version: 99
 Release: 1%{?dist}
 Summary: The eCryptfs mount helper and support libraries
 Group: System Environment/Base
@@ -59,6 +59,8 @@ Patch19: ecryptfs-utils-87-syslog.patch
 
 # if e-m-p fails, check if user is member of ecryptfs group
 Patch21: ecryptfs-utils-96-groupcheck.patch
+Patch22: ecryptfs-utils-99-selinux.patch
+
 
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires: keyutils, cryptsetup-luks, util-linux, gettext
@@ -113,6 +115,7 @@ the interface supplied by the ecryptfs-utils library.
 %patch18 -p1 -b .fixconst
 %patch19 -p1 -b .syslog
 %patch21 -p1 -b .groupcheck
+%patch22 -p1 -b .selinux
 
 %build
 export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits"
@@ -186,7 +189,7 @@ rm -rf $RPM_BUILD_ROOT
 %files -f %{name}.lang
 %defattr(-,root,root,-)
 %doc README COPYING AUTHORS NEWS THANKS
-%doc doc/ecryptfs-faq.html doc/ecryptfs-pam-doc.txt
+%doc doc/ecryptfs-faq.html
 %doc doc/ecryptfs-pkcs11-helper-doc.txt
 %{_sbindir}/mount.ecryptfs
 %{_sbindir}/umount.ecryptfs
@@ -259,6 +262,11 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitearch}/ecryptfs-utils/_libecryptfs.so
 
 %changelog
+* Tue Jul 24 2012 Michal Hlavinka <mhlavink at redhat.com> - 99-1
+- ecryptfs-utils updated to 99
+- fixes: suid helper does not restrict mounting filesystems with 
+  nosuid, nodev leading to possible privilege escalation (CVE-2012-3409)
+
 * Mon Jun 25 2012 Michal Hlavinka <mhlavink at redhat.com> - 97-1
 - ecryptfs-utils updated to 97
 
diff --git a/sources b/sources
index 63d6235..8fe0eef 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 e612ddb9ccb17f8fec79df26e626a8c6  ecryptfs-mount-private.png
-74e8cacd5fa641075419ec02f6312421  ecryptfs-utils_97.orig.tar.gz
+17ef9190c6d078845e19d3e9a7d8ef7a  ecryptfs-utils_99.orig.tar.gz

