From 538c2f1c7ac65e5724f950e780ba2cc443356f00 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Jul 24 2012 13:05:28 +0000 Subject: ecryptfs-utils updated to 99 - fixes: suid helper does not restrict mounting filesystems with nosuid, nodev leading to possible privilege escalation (CVE-2012-3409) --- diff --git a/.gitignore b/.gitignore index 516bcb1..de51268 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ ecryptfs-mount-private.png /ecryptfs-utils_95.orig.tar.gz /ecryptfs-utils_96.orig.tar.gz /ecryptfs-utils_97.orig.tar.gz +/ecryptfs-utils_99.orig.tar.gz diff --git a/ecryptfs-utils-75-werror.patch b/ecryptfs-utils-75-werror.patch index 9cedf2a..60cc559 100644 --- a/ecryptfs-utils-75-werror.patch +++ b/ecryptfs-utils-75-werror.patch @@ -1,6 +1,6 @@ -diff -up ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c ---- ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror 2012-06-25 15:25:21.915772946 +0200 -+++ ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2012-06-25 15:25:21.928773050 +0200 +diff -up ecryptfs-utils-99/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-99/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c +--- ecryptfs-utils-99/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror 2012-07-23 18:59:05.223406369 +0200 ++++ ecryptfs-utils-99/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c 2012-07-23 18:59:05.237406445 +0200 @@ -99,7 +99,7 @@ static int ecryptfs_pkcs11h_deserialize( pkcs11h_data->serialized_id = NULL; } 
@@ -150,9 +150,9 @@ diff -up ecryptfs-utils-97/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror e subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo); -diff -up ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c ---- ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c.werror 2012-05-18 21:06:17.000000000 +0200 -+++ ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c 2012-06-25 15:25:21.929773058 +0200 +diff -up ecryptfs-utils-99/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils-99/src/libecryptfs/ecryptfs-stat.c +--- ecryptfs-utils-99/src/libecryptfs/ecryptfs-stat.c.werror 2012-05-18 21:06:17.000000000 +0200 ++++ ecryptfs-utils-99/src/libecryptfs/ecryptfs-stat.c 2012-07-23 18:59:05.238406451 +0200 @@ -146,7 +146,7 @@ int ecryptfs_parse_stat(struct ecryptfs_ if (buf_size < (ECRYPTFS_FILE_SIZE_BYTES + MAGIC_ECRYPTFS_MARKER_SIZE_BYTES 
@@ -162,15 +162,21 @@ diff -up ecryptfs-utils-97/src/libecryptfs/ecryptfs-stat.c.werror ecryptfs-utils "bytes; there are only [%zu] bytes\n", __FUNCTION__, (ECRYPTFS_FILE_SIZE_BYTES + MAGIC_ECRYPTFS_MARKER_SIZE_BYTES -diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror 2012-05-18 21:06:17.000000000 +0200 -+++ ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c 2012-06-25 15:25:21.929773058 +0200 -@@ -39,35 +39,11 @@ - #include - #include - #include -+#include - #include "../include/ecryptfs.h" +diff -up ecryptfs-utils-99/src/libecryptfs/key_management.c.werror ecryptfs-utils-99/src/libecryptfs/key_management.c +--- ecryptfs-utils-99/src/libecryptfs/key_management.c.werror 2012-07-23 18:59:05.219406346 +0200 ++++ ecryptfs-utils-99/src/libecryptfs/key_management.c 2012-07-23 18:59:05.238406451 +0200 +@@ -228,7 +228,6 @@ int ecryptfs_wrap_passphrase_file(char * + int rc = 0; + ssize_t size; + int fd; +- int i; + char *p = NULL; + char decrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1]; + +diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.werror 2012-07-11 16:03:17.000000000 +0200 ++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c 2012-07-23 18:59:38.714596789 +0200 +@@ -47,31 +47,6 @@ #define PRIVATE_DIR "Private" 
@@ -202,16 +208,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils /* returns: 0 if file does not exist, 1 if it exists, <0 for error */ static int file_exists_dotecryptfs(const char *homedir, char *filename) { -@@ -87,7 +63,7 @@ out: - return rc; - } - --static int wrap_passphrase_if_necessary(char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt) -+static int wrap_passphrase_if_necessary(const char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt) - { - char *unwrapped_pw_filename = NULL; - struct stat s; -@@ -195,8 +171,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -216,8 +191,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_h if ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)) { char *wrapped_pw_filename; @@ -220,7 +217,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils rc = asprintf( &wrapped_pw_filename, "%s/.ecryptfs/%s", -@@ -282,8 +256,6 @@ static int private_dir(pam_handle_t *pam +@@ -309,8 +282,6 @@ static int private_dir(pam_handle_t *pam char *autoumount = "auto-umount"; struct stat s; pid_t pid; @@ -229,7 +226,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils if ((pwd = fetch_pwd(pamh)) == NULL) { /* fetch_pwd() logged a message */ -@@ -329,7 +301,7 @@ static int private_dir(pam_handle_t *pam +@@ -356,7 +327,7 @@ static int private_dir(pam_handle_t *pam if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { /* User has not recorded their passphrase */ unlink("/var/lib/update-notifier/user.d/ecryptfs-record-passphrase"); 
@@ -238,7 +235,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils fd = open("/var/lib/update-notifier/dpkg-run-stamp", O_WRONLY|O_CREAT|O_NONBLOCK, 0666); close(fd); } -@@ -398,7 +370,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -435,7 +406,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand char *old_passphrase = NULL; char *new_passphrase = NULL; char *wrapped_pw_filename; 
@@ -246,21 +243,28 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils char salt[ECRYPTFS_SALT_SIZE]; char salt_hex[ECRYPTFS_SALT_SIZE_HEX]; pid_t child_pid, tmp_pid; -@@ -412,10 +383,9 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand - if (pwd) { +@@ -450,15 +420,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand uid = pwd->pw_uid; + gid = pwd->pw_gid; homedir = pwd->pw_dir; - name = pwd->pw_name; } } else { -- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); -+ syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%d]\n", username, rc); + syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%d]\n", username, rc); goto out; } - saved_uid = geteuid(); -diff -up ecryptfs-utils-97/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-97/src/utils/mount.ecryptfs.c ---- ecryptfs-utils-97/src/utils/mount.ecryptfs.c.werror 2012-06-25 15:25:21.926773034 +0200 -+++ ecryptfs-utils-97/src/utils/mount.ecryptfs.c 2012-06-25 15:25:21.930773066 +0200 + +- if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0 || +- (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { ++ oeuid = geteuid(); ++ oegid = getegid(); ++ if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { + syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); + goto outnouid; + } +diff -up ecryptfs-utils-99/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-99/src/utils/mount.ecryptfs.c +--- ecryptfs-utils-99/src/utils/mount.ecryptfs.c.werror 2012-07-23 18:59:05.234406430 +0200 ++++ ecryptfs-utils-99/src/utils/mount.ecryptfs.c 2012-07-23 18:59:05.239406457 +0200 @@ -34,6 +34,7 @@ #include #include 
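Review bot: In the pam_sm_chauthtok hunk of the werror patch, `getgroups()` is now the only call inside the condition that can fail, but the branch still logs `"pam_ecryptfs: geteuid error"`. That will mislead anyone reading auth logs after a failed credential switch. I would change the message to `syslog(LOG_ERR, "pam_ecryptfs: getgroups error: %m");`. The body of pam_sm_chauthtok continues outside the hunk, so the `outnouid` path it jumps to is not visible here.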
@@ -269,9 +273,9 @@ diff -up ecryptfs-utils-97/src/utils/mount.ecryptfs.c.werror ecryptfs-utils-97/s #include "config.h" #include "ecryptfs.h" #include "decision_graph.h" -diff -up ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c ---- ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c.werror 2012-06-25 15:25:21.921772994 +0200 -+++ ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c 2012-06-25 15:25:21.930773066 +0200 +diff -up ecryptfs-utils-99/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-99/src/utils/mount.ecryptfs_private.c +--- ecryptfs-utils-99/src/utils/mount.ecryptfs_private.c.werror 2012-07-23 18:59:05.229406400 +0200 ++++ ecryptfs-utils-99/src/utils/mount.ecryptfs_private.c 2012-07-23 18:59:05.240406463 +0200 @@ -95,7 +95,7 @@ int read_config(char *pw_dir, int uid, c *s = strdup(e->mnt_fsname); if (!*s) @@ -281,18 +285,9 @@ diff -up ecryptfs-utils-97/src/utils/mount.ecryptfs_private.c.werror ecryptfs-ut return 0; } -@@ -302,7 +302,7 @@ int update_mtab(char *dev, char *mnt, ch - goto fail_early; - } - -- while (old_ent = getmntent(old_mtab)) { -+ while ((old_ent = getmntent(old_mtab))) { - if (addmntent(new_mtab, old_ent) != 0) { - perror("addmntent"); - goto fail; -diff -up ecryptfs-utils-97/src/utils/test.c.werror ecryptfs-utils-97/src/utils/test.c ---- ecryptfs-utils-97/src/utils/test.c.werror 2012-05-18 21:06:17.000000000 +0200 -+++ ecryptfs-utils-97/src/utils/test.c 2012-06-25 15:25:21.931773074 +0200 +diff -up ecryptfs-utils-99/src/utils/test.c.werror ecryptfs-utils-99/src/utils/test.c +--- ecryptfs-utils-99/src/utils/test.c.werror 2012-05-18 21:06:17.000000000 +0200 ++++ ecryptfs-utils-99/src/utils/test.c 2012-07-23 18:59:05.240406463 +0200 @@ -281,7 +281,7 @@ int ecryptfs_encrypt_page(int page_cache struct inode *lower_inode; struct ecryptfs_crypt_stat *crypt_stat; 
@@ -302,9 +297,9 @@ diff -up ecryptfs-utils-97/src/utils/test.c.werror ecryptfs-utils-97/src/utils/t int orig_byte_offset = 0; int num_extents_per_page; #define ECRYPTFS_PAGE_STATE_UNREAD 0 -diff -up ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c.werror ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c ---- ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c.werror 2012-05-18 21:06:17.000000000 +0200 -+++ ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c 2012-06-25 15:25:21.931773074 +0200 +diff -up ecryptfs-utils-99/tests/kernel/directory-concurrent/test.c.werror ecryptfs-utils-99/tests/kernel/directory-concurrent/test.c +--- ecryptfs-utils-99/tests/kernel/directory-concurrent/test.c.werror 2012-05-18 21:06:17.000000000 +0200 ++++ ecryptfs-utils-99/tests/kernel/directory-concurrent/test.c 2012-07-23 18:59:05.240406463 +0200 @@ -149,7 +149,7 @@ int hang_check(int option, const char *f int test_dirs(const char *path, const int max_dirs) @@ -314,9 +309,9 @@ diff -up ecryptfs-utils-97/tests/kernel/directory-concurrent/test.c.werror ecryp char *filename; size_t len = strlen(path) + 32; int ret = TEST_PASSED; -diff -up ecryptfs-utils-97/tests/kernel/extend-file-random/test.c.werror ecryptfs-utils-97/tests/kernel/extend-file-random/test.c ---- ecryptfs-utils-97/tests/kernel/extend-file-random/test.c.werror 2012-05-18 21:06:17.000000000 +0200 -+++ ecryptfs-utils-97/tests/kernel/extend-file-random/test.c 2012-06-25 15:25:21.931773074 +0200 +diff -up ecryptfs-utils-99/tests/kernel/extend-file-random/test.c.werror ecryptfs-utils-99/tests/kernel/extend-file-random/test.c +--- ecryptfs-utils-99/tests/kernel/extend-file-random/test.c.werror 2012-05-18 21:06:17.000000000 +0200 ++++ ecryptfs-utils-99/tests/kernel/extend-file-random/test.c 2012-07-23 18:59:05.241406469 +0200 @@ -48,7 +48,7 @@ int test_write(int fd, char *buffer, siz } 
@@ -342,9 +337,9 @@ diff -up ecryptfs-utils-97/tests/kernel/extend-file-random/test.c.werror ecryptf len, offset, strerror(errno)); return TEST_FAILED; } -diff -up ecryptfs-utils-97/tests/kernel/file-concurrent/test.c.werror ecryptfs-utils-97/tests/kernel/file-concurrent/test.c ---- ecryptfs-utils-97/tests/kernel/file-concurrent/test.c.werror 2012-05-18 21:06:17.000000000 +0200 -+++ ecryptfs-utils-97/tests/kernel/file-concurrent/test.c 2012-06-25 15:25:21.932773082 +0200 +diff -up ecryptfs-utils-99/tests/kernel/file-concurrent/test.c.werror ecryptfs-utils-99/tests/kernel/file-concurrent/test.c +--- ecryptfs-utils-99/tests/kernel/file-concurrent/test.c.werror 2012-05-18 21:06:17.000000000 +0200 ++++ ecryptfs-utils-99/tests/kernel/file-concurrent/test.c 2012-07-23 18:59:05.241406469 +0200 @@ -177,7 +177,7 @@ int hang_check(int option, const char *f int test_files(const char *path, const int max_files) @@ -354,9 +349,9 @@ diff -up ecryptfs-utils-97/tests/kernel/file-concurrent/test.c.werror ecryptfs-u char *filename; size_t len = strlen(path) + 32; int ret = TEST_PASSED; -diff -up ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c.werror ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c ---- ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c.werror 2012-05-18 21:06:17.000000000 +0200 -+++ ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c 2012-06-25 15:25:21.932773082 +0200 +diff -up ecryptfs-utils-99/tests/kernel/inode-race-stat/test.c.werror ecryptfs-utils-99/tests/kernel/inode-race-stat/test.c +--- ecryptfs-utils-99/tests/kernel/inode-race-stat/test.c.werror 2012-05-18 21:06:17.000000000 +0200 ++++ ecryptfs-utils-99/tests/kernel/inode-race-stat/test.c 2012-07-23 18:59:05.241406469 +0200 @@ -106,7 +106,6 @@ static void do_test(const int fdin, cons { for (;;) { 
@@ -391,9 +386,9 @@ diff -up ecryptfs-utils-97/tests/kernel/inode-race-stat/test.c.werror ecryptfs-u (void)waitpid(pids[i], &status, 0); (void)close(pipe_to[i][1]); -diff -up ecryptfs-utils-97/tests/kernel/lp-509180/test.c.werror ecryptfs-utils-97/tests/kernel/lp-509180/test.c ---- ecryptfs-utils-97/tests/kernel/lp-509180/test.c.werror 2012-06-25 15:25:25.512801830 +0200 -+++ ecryptfs-utils-97/tests/kernel/lp-509180/test.c 2012-06-25 15:25:25.526801949 +0200 +diff -up ecryptfs-utils-99/tests/kernel/lp-509180/test.c.werror ecryptfs-utils-99/tests/kernel/lp-509180/test.c +--- ecryptfs-utils-99/tests/kernel/lp-509180/test.c.werror 2012-05-18 21:06:17.000000000 +0200 ++++ ecryptfs-utils-99/tests/kernel/lp-509180/test.c 2012-07-23 18:59:05.242406474 +0200 @@ -48,7 +48,6 @@ int main(int argc, char **argv) int fd; int opt, flags = 0; @@ -402,9 +397,9 @@ diff -up ecryptfs-utils-97/tests/kernel/lp-509180/test.c.werror ecryptfs-utils-9 char *file; unsigned char buffer[1]; -diff -up ecryptfs-utils-97/tests/kernel/trunc-file/test.c.werror ecryptfs-utils-97/tests/kernel/trunc-file/test.c ---- ecryptfs-utils-97/tests/kernel/trunc-file/test.c.werror 2012-05-18 21:06:17.000000000 +0200 -+++ ecryptfs-utils-97/tests/kernel/trunc-file/test.c 2012-06-25 15:25:21.932773082 +0200 +diff -up ecryptfs-utils-99/tests/kernel/trunc-file/test.c.werror ecryptfs-utils-99/tests/kernel/trunc-file/test.c +--- ecryptfs-utils-99/tests/kernel/trunc-file/test.c.werror 2012-05-18 21:06:17.000000000 +0200 ++++ ecryptfs-utils-99/tests/kernel/trunc-file/test.c 2012-07-23 18:59:05.242406474 +0200 @@ -39,7 +39,7 @@ int write_buff(int fd, unsigned char *data, ssize_t size) diff --git a/ecryptfs-utils-87-fixexecgid.patch b/ecryptfs-utils-87-fixexecgid.patch index ed9c2e6..613fcd6 100644 --- a/ecryptfs-utils-87-fixexecgid.patch +++ b/ecryptfs-utils-87-fixexecgid.patch 
@@ -1,24 +1,27 @@ -diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid 2011-07-25 16:38:48.040555555 +0200 -+++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-07-25 16:52:22.751025667 +0200 -@@ -33,6 +33,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -303,6 +304,12 @@ static int private_dir(pam_handle_t *pam - return 1; - } - if (pid == 0) { -+ /* set user's groups, we may need ecryptfs group for (u)mount */ -+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { -+ syslog(LOG_ERR, "Unable to set user's groups : %m"); -+ _exit(255); -+ } -+ - if (mount == 1) { - if ((asprintf(&recorded, - "%s/.ecryptfs/.wrapped-passphrase.recorded", +diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid 2012-07-24 13:20:58.456297563 +0200 ++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c 2012-07-24 13:21:53.250786224 +0200 +@@ -337,8 +337,10 @@ static int private_dir(pam_handle_t *pam + _exit(0); + } + clearenv(); +- if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) ++ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { ++ syslog(LOG_ERR, "Unable to set user's groups : %m"); + _exit(255); ++ } + /* run mount.ecryptfs_private as the user */ + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) + _exit(255); +@@ -352,8 +354,10 @@ static int private_dir(pam_handle_t *pam + _exit(0); + } + clearenv(); +- if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) ++ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { ++ syslog(LOG_ERR, "Unable to set user's groups : %m"); + _exit(255); ++ } + /* run umount.ecryptfs_private as the user */ + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) + _exit(255); 
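Review bot: Replacing `setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0` with `initgroups()` alone drops the primary-group change, because `initgroups()` only sets the supplementary group list. The child therefore reaches `setresuid()` and `execl()` with whatever real, effective and saved gid the PAM caller had. The same applies to both the mount hunk (@@ -337) and the umount hunk (@@ -352) of private_dir. Keep the gid drop next to the new call, before the uid drop: `if (initgroups(pwd->pw_name, pwd->pw_gid) != 0 || setresgid(pwd->pw_gid, pwd->pw_gid, pwd->pw_gid) < 0) {`. private_dir starts and ends outside these hunks.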
diff --git a/ecryptfs-utils-87-fixpamfork.patch b/ecryptfs-utils-87-fixpamfork.patch index 6eb8861..820a885 100644 --- a/ecryptfs-utils-87-fixpamfork.patch +++ b/ecryptfs-utils-87-fixpamfork.patch @@ -1,7 +1,7 @@ -diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork 2012-06-25 14:57:39.908192484 +0200 -+++ ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c 2012-06-25 15:05:53.368373955 +0200 -@@ -208,7 +208,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork 2012-07-24 13:19:34.168544970 +0200 ++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c 2012-07-24 13:20:20.600959698 +0200 +@@ -228,7 +228,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h } out_child: free(auth_tok_sig); @@ -10,7 +10,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-u } tmp_pid = waitpid(child_pid, NULL, 0); if (tmp_pid == -1) -@@ -296,7 +296,7 @@ static int private_dir(pam_handle_t *pam +@@ -322,7 +322,7 @@ static int private_dir(pam_handle_t *pam "%s/.ecryptfs/.wrapped-passphrase.recorded", pwd->pw_dir) < 0) || recorded == NULL) { syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for recorded name"); 
@@ -19,15 +19,21 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-u } if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { /* User has not recorded their passphrase */ -@@ -308,25 +308,27 @@ static int private_dir(pam_handle_t *pam +@@ -334,33 +334,35 @@ static int private_dir(pam_handle_t *pam if (stat(autofile, &s) != 0) { /* User does not want to auto-mount */ syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount"); - exit(0); + _exit(0); } + clearenv(); + if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) +- return -1; ++ _exit(255); /* run mount.ecryptfs_private as the user */ - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) +- return -1; ++ _exit(255); execl("/sbin/mount.ecryptfs_private", "mount.ecryptfs_private", NULL); + syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); @@ -38,8 +44,14 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-u - exit(0); + _exit(0); } + clearenv(); + if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0) +- return -1; ++ _exit(255); /* run umount.ecryptfs_private as the user */ - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) +- return -1; ++ _exit(255); execl("/sbin/umount.ecryptfs_private", "umount.ecryptfs_private", NULL); - exit(1); @@ -51,7 +63,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.fixpamfork ecryptfs-u } else { waitpid(pid, &rc, 0); } -@@ -456,7 +458,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -505,7 +507,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand goto out_child; } out_child: diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch index 366d8b7..2df6359 100644 --- a/ecryptfs-utils-87-pamdata.patch +++ b/ecryptfs-utils-87-pamdata.patch 
@@ -1,7 +1,7 @@ -diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2011-10-31 13:47:57.282750862 +0100 -+++ ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c 2011-10-31 13:56:28.601144959 +0100 -@@ -44,6 +44,25 @@ +diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2012-07-23 20:16:39.161357208 +0200 ++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c 2012-07-23 20:16:49.952442084 +0200 +@@ -47,6 +47,26 @@ #define PRIVATE_DIR "Private" @@ -10,6 +10,7 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util +struct ecryptfs_pam_data { + int unwrap; + uid_t uid; ++ gid_t gid; + char *passphrase; + const char *homedir; + const char *username; @@ -27,7 +28,7 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util /* returns: 0 if file does not exist, 1 if it exists, <0 for error */ static int file_exists_dotecryptfs(const char *homedir, char *filename) { -@@ -63,7 +82,7 @@ out: +@@ -66,7 +86,7 @@ out: return rc; } @@ -36,13 +37,15 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util { char *unwrapped_pw_filename = NULL; struct stat s; -@@ -95,37 +114,37 @@ static int wrap_passphrase_if_necessary( +@@ -98,52 +118,38 @@ static int wrap_passphrase_if_necessary( PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { -- uid_t uid = 0; +- uid_t uid = 0, oeuid = 0; +- long ngroups_max = sysconf(_SC_NGROUPS_MAX); +- gid_t gid = 0, oegid = 0, groups[ngroups_max+1]; +- int ngids = 0; - char *homedir = NULL; - uid_t saved_uid = 0; - const char *username; - char *passphrase = NULL; - char salt[ECRYPTFS_SALT_SIZE]; 
@@ -50,8 +53,7 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util - char *auth_tok_sig; char *private_mnt = NULL; - pid_t child_pid, tmp_pid; -- long rc; -+ long rc = 0; + long rc; uint32_t version; + struct ecryptfs_pam_data *epd = {0,}; @@ -70,15 +72,29 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util + pwd = getpwnam(epd->username); if (pwd) { - uid = pwd->pw_uid; +- gid = pwd->pw_gid; - homedir = pwd->pw_dir; + epd->uid = pwd->pw_uid; ++ epd->gid = pwd->pw_gid; + epd->homedir = pwd->pw_dir; } } else { - syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); -+ syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", epd->username, rc); +- goto out; +- } +- +- if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0 || +- (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); +- goto outnouid; +- } +- +- if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); goto out; } + - if (!file_exists_dotecryptfs(homedir, "auto-mount")) + if (!file_exists_dotecryptfs(epd->homedir, "auto-mount")) goto out; 
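Review bot: The rebased pamdata patch removes upstream's `setegid()/setgroups()/seteuid()` bracket from pam_sm_authenticate and recreates it only in fill_keyring. As far as the visible lines show, `file_exists_dotecryptfs(epd->homedir, ...)` and `ecryptfs_fetch_private_mnt(epd->homedir)` therefore run with the PAM caller's effective IDs. Those helpers' bodies are not shown here, but they operate on paths under a directory the user controls, which is presumably why upstream 99 dropped credentials first. I would keep the switch and restore in pam_sm_authenticate, which means also keeping the `oeuid`, `oegid`, `groups` and `ngids` locals that the patch deletes, or else move the home-directory probes into fill_keyring after its switch. The function continues in the following hunks.

```c
	/* … unchanged: getpwnam() lookup filling epd->uid, epd->gid, epd->homedir … */

	/* probe the user's home directory with the user's credentials */
	oeuid = geteuid();
	oegid = getegid();
	if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
		syslog(LOG_ERR, "pam_ecryptfs: getgroups error");
		goto outnouid;
	}
	if (setegid(epd->gid) < 0 || setgroups(1, &epd->gid) < 0 || seteuid(epd->uid) < 0) {
		syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
		goto out;
	}
	if (!file_exists_dotecryptfs(epd->homedir, "auto-mount"))
		goto out;
	/* … unchanged: mount check, passphrase retrieval, pam_set_data … */
out:
	/* restore the caller's credentials before returning */
	seteuid(oeuid);
	setegid(oegid);
	setgroups(ngids, groups);
outnouid:
	/* … unchanged: free(private_mnt), return PAM_SUCCESS … */
```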
@@ -90,21 +106,18 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util /* If private/home is already mounted, then we can skip costly loading of keys */ goto out; -@@ -135,79 +154,29 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -152,89 +158,28 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + load ecryptfs module if not loaded already */ if (ecryptfs_get_version(&version) != 0) syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n"); - saved_uid = geteuid(); -- seteuid(uid); - if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1) - rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: "); -+ seteuid(epd->uid); + if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1) + rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &epd->passphrase, "Encryption passphrase: "); else - rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase); + rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); + epd->passphrase = strdup(epd->passphrase); - seteuid(saved_uid); if (rc != PAM_SUCCESS) { syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", rc); @@ -123,7 +136,12 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util } else - from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE); - if ((child_pid = fork()) == 0) { -- setuid(uid); +- /* temp regain uid 0 to drop privs */ +- seteuid(oeuid); +- /* setgroups() already called */ +- if (setgid(gid) < 0 || setuid(uid) < 0) +- goto out_child; +- - if (passphrase == NULL) { - syslog(LOG_ERR, "pam_ecryptfs: NULL passphrase; aborting\n"); - rc = -EINVAL; 
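Review bot: `epd->passphrase = strdup(epd->passphrase);` runs before `rc` is checked, and its result is never tested. `epd` comes from a plain `malloc()`, so if `pam_prompt()` or `pam_get_item()` fails the pointer passed to `strdup()` may be uninitialised or NULL. On allocation failure a NULL passphrase is stored silently for the later session stage. I would move the copy below the `rc != PAM_SUCCESS` check and test it: `if ((epd->passphrase = strdup(epd->passphrase)) == NULL) { rc = -ENOMEM; goto out; }`. `pam_free_ecryptfsdata` is not visible in this hunk; since it owns this copy, it should presumably wipe the passphrase before freeing it.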
@@ -172,40 +190,69 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util + from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE); + epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); + if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) { -+ + syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); + goto out; } - tmp_pid = waitpid(child_pid, NULL, 0); - if (tmp_pid == -1) - syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); - out: +-out: + +- seteuid(oeuid); +- setegid(oegid); +- setgroups(ngids, groups); +- +-outnouid: ++out: if (private_mnt != NULL) free(private_mnt); -@@ -347,10 +316,88 @@ static int umount_private_dir(pam_handle + return PAM_SUCCESS; +@@ -381,10 +326,115 @@ static int umount_private_dir(pam_handle return private_dir(pamh, 0); } +static int fill_keyring(pam_handle_t *pamh) +{ + pid_t child_pid,tmp_pid; ++ uid_t oeuid = 0; ++ long ngroups_max = sysconf(_SC_NGROUPS_MAX); ++ gid_t oegid = 0, groups[ngroups_max+1]; ++ int ngids = 0; + int rc = 0; + const struct ecryptfs_pam_data *epd; + char *auth_tok_sig; + auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); -+ if (!auth_tok_sig) { -+ syslog(LOG_ERR, "Out of memory\n"); -+ return -ENOMEM; -+ } -+ ++ + if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS) + { + syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc)); + return -EINVAL; + } + ++ oeuid = geteuid(); ++ oegid = getegid(); ++ if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { ++ syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); ++ goto outnouid; ++ } ++ ++ if (setegid(epd->gid) < 0 || setgroups(1, &epd->gid) < 0 || seteuid(epd->uid) < 0) { ++ syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ goto out; ++ } ++ ++ if (!auth_tok_sig) { ++ syslog(LOG_ERR, "Out of memory\n"); ++ return -ENOMEM; ++ } ++ + if ((child_pid = fork()) == 0) { 
-+ setuid(epd->uid); ++ /* temp regain uid 0 to drop privs */ ++ seteuid(oeuid); ++ /* setgroups() already called */ ++ if (setgid(epd->gid) < 0 || setuid(epd->uid) < 0) ++ goto out_child; ++ + if (epd->passphrase == NULL) { + syslog(LOG_ERR, "NULL passphrase; aborting\n"); + rc = -EINVAL; @@ -257,7 +304,12 @@ diff -up ecryptfs-utils-93/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util + if (tmp_pid == -1) + syslog(LOG_WARNING, + "waitpid() returned with error condition\n"); -+ ++out: ++ seteuid(oeuid); ++ setegid(oegid); ++ setgroups(ngids, groups); ++ ++outnouid: + + return 0; +} diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch index a76fd01..56c68ba 100644 --- a/ecryptfs-utils-87-syslog.patch +++ b/ecryptfs-utils-87-syslog.patch @@ -1,6 +1,6 @@ -diff -up ecryptfs-utils-97/src/include/ecryptfs.h.syslog ecryptfs-utils-97/src/include/ecryptfs.h ---- ecryptfs-utils-97/src/include/ecryptfs.h.syslog 2012-06-25 15:06:12.902539327 +0200 -+++ ecryptfs-utils-97/src/include/ecryptfs.h 2012-06-25 15:06:12.907539370 +0200 +diff -up ecryptfs-utils-99/src/include/ecryptfs.h.syslog ecryptfs-utils-99/src/include/ecryptfs.h +--- ecryptfs-utils-99/src/include/ecryptfs.h.syslog 2012-07-24 13:22:22.225044430 +0200 ++++ ecryptfs-utils-99/src/include/ecryptfs.h 2012-07-24 13:22:22.228044457 +0200 @@ -143,7 +143,7 @@ #define ECRYPTFS_TAG_67_PACKET 0x43 
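Review bot: In fill_keyring the `if (!auth_tok_sig)` check now sits after the `setegid()/setgroups()/seteuid()` switch and still uses `return -ENOMEM;`. An allocation failure therefore leaves the PAM process running with the user's effective IDs and a one-entry group list, because the restore under `out:` is skipped. The earlier `return -EINVAL;` on `pam_get_data()` failure also leaks `auth_tok_sig`. I would keep the NULL check directly after `malloc()`, as the previous revision of this patch did, and add `free(auth_tok_sig);` before the `-EINVAL` return. Every exit taken after the switch should then go through `out:`. The restore calls `seteuid(oeuid); setegid(oegid); setgroups(ngids, groups);` are unchecked, so a failed restore would go unnoticed; logging a failure there would help.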
@@ -10,10 +10,10 @@ diff -up ecryptfs-utils-97/src/include/ecryptfs.h.syslog ecryptfs-utils-97/src/i #define ECRYPTFS_MAX_NUM_CIPHERS 64 #define ECRYPTFS_ECHO_ON 1 -diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2012-06-25 15:06:12.899539302 +0200 -+++ ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c 2012-06-25 15:07:29.141184640 +0200 -@@ -91,7 +91,7 @@ static int wrap_passphrase_if_necessary( +diff -up ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2012-07-24 13:22:22.222044403 +0200 ++++ ecryptfs-utils-99/src/pam_ecryptfs/pam_ecryptfs.c 2012-07-24 13:23:02.726405147 +0200 +@@ -94,7 +94,7 @@ static int wrap_passphrase_if_necessary( rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username); if (rc == -1) { @@ -22,7 +22,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils return -ENOMEM; } /* If /dev/shm/.ecryptfs-$USER exists and owned by the user -@@ -105,7 +105,7 @@ static int wrap_passphrase_if_necessary( +@@ -108,7 +108,7 @@ static int wrap_passphrase_if_necessary( setuid(uid); rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename); if (rc != 0) { @@ -31,7 +31,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils } return rc; } -@@ -123,7 +123,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -125,7 +125,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h struct ecryptfs_pam_data *epd = {0,}; if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) { 
@@ -40,15 +40,16 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils rc = -ENOMEM; goto out; } -@@ -138,14 +138,14 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -141,7 +141,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h epd->homedir = pwd->pw_dir; } } else { -- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", epd->username, rc); -+ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", epd->username, rc); +- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); ++ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); goto out; } - if (!file_exists_dotecryptfs(epd->homedir, "auto-mount")) + +@@ -149,7 +149,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h goto out; private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { 
@@ -57,18 +58,17 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils /* If private/home is already mounted, then we can skip costly loading of keys */ goto out; -@@ -153,7 +153,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -157,14 +157,14 @@ PAM_EXTERN int pam_sm_authenticate(pam_h /* we need side effect of this check: load ecryptfs module if not loaded already */ if (ecryptfs_get_version(&version) != 0) - syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n"); + ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n"); - saved_uid = geteuid(); - seteuid(epd->uid); if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1) -@@ -163,7 +163,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &epd->passphrase, "Encryption passphrase: "); + else + rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); epd->passphrase = strdup(epd->passphrase); - seteuid(saved_uid); if (rc != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", + ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", @@ -76,15 +76,15 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils goto out; } 
@@ -175,7 +175,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE); epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) { - - syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); + ecryptfs_syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); goto out; } - out: -@@ -198,12 +198,12 @@ static struct passwd *fetch_pwd(pam_hand + +@@ -199,12 +199,12 @@ static struct passwd *fetch_pwd(pam_hand rc = pam_get_user(pamh, &username, NULL); if (rc != PAM_SUCCESS || username == NULL) { @@ -99,7 +99,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils return NULL; } return pwd; -@@ -234,13 +234,13 @@ static int private_dir(pam_handle_t *pam +@@ -235,13 +235,13 @@ static int private_dir(pam_handle_t *pam if ( (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0) || autofile == NULL) { @@ -115,7 +115,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils return 1; } if (stat(sigfile, &s) != 0) { -@@ -252,13 +252,13 @@ static int private_dir(pam_handle_t *pam +@@ -253,7 +253,7 @@ static int private_dir(pam_handle_t *pam goto out; } if ((pid = fork()) < 0) { @@ -124,14 +124,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils return 1; } if (pid == 0) { - /* set user's groups, we may need ecryptfs group for (u)mount */ - if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { -- syslog(LOG_ERR, "Unable to set user's groups : %m"); -+ ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m"); - _exit(255); - } - -@@ -266,7 +266,7 @@ static int private_dir(pam_handle_t *pam +@@ -261,7 +261,7 @@ static int private_dir(pam_handle_t *pam if ((asprintf(&recorded, "%s/.ecryptfs/.wrapped-passphrase.recorded", pwd->pw_dir) < 0) || recorded == NULL) { 
@@ -140,7 +133,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils _exit(255); } if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { -@@ -278,25 +278,25 @@ static int private_dir(pam_handle_t *pam +@@ -273,12 +273,12 @@ static int private_dir(pam_handle_t *pam } if (stat(autofile, &s) != 0) { /* User does not want to auto-mount */ @@ -148,8 +141,15 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils + ecryptfs_syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount"); _exit(0); } + clearenv(); + if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { +- syslog(LOG_ERR, "Unable to set user's groups : %m"); ++ ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m"); + _exit(255); + } /* run mount.ecryptfs_private as the user */ - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); +@@ -286,16 +286,16 @@ static int private_dir(pam_handle_t *pam + _exit(255); execl("/sbin/mount.ecryptfs_private", "mount.ecryptfs_private", NULL); - syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); @@ -161,8 +161,15 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils + ecryptfs_syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount"); _exit(0); } + clearenv(); + if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { +- syslog(LOG_ERR, "Unable to set user's groups : %m"); ++ ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m"); + _exit(255); + } /* run umount.ecryptfs_private as the user */ - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); +@@ -303,7 +303,7 @@ static int private_dir(pam_handle_t *pam + _exit(255); execl("/sbin/umount.ecryptfs_private", "umount.ecryptfs_private", NULL); - syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); 
@@ -170,15 +177,8 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils _exit(255); } _exit(255); -@@ -325,25 +325,25 @@ static int fill_keyring(pam_handle_t *pa - char *auth_tok_sig; - auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); - if (!auth_tok_sig) { -- syslog(LOG_ERR, "Out of memory\n"); -+ ecryptfs_syslog(LOG_ERR, "Out of memory\n"); - return -ENOMEM; - } - +@@ -338,24 +338,24 @@ static int fill_keyring(pam_handle_t *pa + if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS) { - syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc)); @@ -186,8 +186,29 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils return -EINVAL; } - if ((child_pid = fork()) == 0) { - setuid(epd->uid); + oeuid = geteuid(); + oegid = getegid(); + if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); ++ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); + goto outnouid; + } + + if (setegid(epd->gid) < 0 || setgroups(1, &epd->gid) < 0 || seteuid(epd->uid) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); + goto out; + } + + if (!auth_tok_sig) { +- syslog(LOG_ERR, "Out of memory\n"); ++ ecryptfs_syslog(LOG_ERR, "Out of memory\n"); + return -ENOMEM; + } + +@@ -367,12 +367,12 @@ static int fill_keyring(pam_handle_t *pa + goto out_child; + if (epd->passphrase == NULL) { - syslog(LOG_ERR, "NULL passphrase; aborting\n"); + ecryptfs_syslog(LOG_ERR, "NULL passphrase; aborting\n"); @@ -200,7 +221,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils "Cannot validate keyring integrity\n"); } rc = 0; -@@ -355,12 +355,12 @@ static int fill_keyring(pam_handle_t *pa +@@ -384,12 +384,12 @@ static int fill_keyring(pam_handle_t *pa epd->homedir, ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); if (rc == -1) { 
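Review bot: In the `fill_keyring` hunk, the `if (!auth_tok_sig)` branch now sits after the `setegid()`/`setgroups()`/`seteuid()` switch to the user's ids and still leaves with `return -ENOMEM;`. That skips the `out:` label, where a later hunk shows `seteuid(oeuid)` restoring the caller's identity, so an allocation failure appears to leave the PAM host process running with the user's effective ids and group list. Replacing the return with `rc = -ENOMEM; goto out;` would keep the restore on every path. The `getgroups()` failure branch logs "geteuid error" here and in `pam_sm_chauthtok`, which will mislead anyone reading the log. The allocation itself and the end of the function are outside this hunk.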
@@ -215,7 +236,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils } else { goto out_child; } -@@ -376,7 +376,7 @@ static int fill_keyring(pam_handle_t *pa +@@ -405,7 +405,7 @@ static int fill_keyring(pam_handle_t *pa goto out_child; } if (rc) { @@ -224,16 +245,16 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils "user session keyring; rc = [%d]\n", rc); goto out_child; } -@@ -386,7 +386,7 @@ out_child: +@@ -415,7 +415,7 @@ out_child: } tmp_pid = waitpid(child_pid, NULL, 0); if (tmp_pid == -1) - syslog(LOG_WARNING, + ecryptfs_syslog(LOG_WARNING, "waitpid() returned with error condition\n"); - - -@@ -436,7 +436,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand + out: + seteuid(oeuid); +@@ -473,33 +473,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand homedir = pwd->pw_dir; } } else { 
@@ -241,17 +262,29 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils + ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%d]\n", username, rc); goto out; } - saved_uid = geteuid(); -@@ -444,7 +444,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand + + oeuid = geteuid(); + oegid = getegid(); + if ((ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); ++ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); + goto outnouid; + } + + if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) { +- syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); ++ ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); + goto out; + } + if ((rc = pam_get_item(pamh, PAM_OLDAUTHTOK, (const void **)&old_passphrase)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_ecryptfs: Error retrieving old passphrase; rc = [%d]\n", rc); + ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error retrieving old passphrase; rc = [%d]\n", rc); - seteuid(saved_uid); goto out; } -@@ -452,7 +452,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand + /* On the first pass, do nothing except check that we have a password */ if ((flags & PAM_PRELIM_CHECK)) { if (!old_passphrase) { 
@@ -259,14 +292,13 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils + ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved a NULL passphrase; nothing to do\n"); rc = PAM_AUTHTOK_RECOVER_ERR; } - seteuid(saved_uid); -@@ -461,14 +461,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand + goto out; +@@ -507,13 +507,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand if ((rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&new_passphrase)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_ecryptfs: Error retrieving new passphrase; rc = [%d]\n", rc); + ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error retrieving new passphrase; rc = [%d]\n", rc); - seteuid(saved_uid); goto out; } if ((rc = asprintf(&wrapped_pw_filename, "%s/.ecryptfs/%s", homedir, @@ -277,7 +309,7 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils rc = -ENOMEM; goto out; } -@@ -478,14 +478,14 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -523,13 +523,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE); } if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, new_passphrase, salt) == 0) { @@ -287,14 +319,13 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils goto out; } - seteuid(saved_uid); if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') { - syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n"); + ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n"); rc = PAM_AUTHTOK_RECOVER_ERR; goto out; } -@@ -497,20 +497,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -546,20 +546,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand if ((rc = ecryptfs_unwrap_passphrase(passphrase, wrapped_pw_filename, old_passphrase, salt))) { 
@@ -317,4 +348,4 @@ diff -up ecryptfs-utils-97/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils + ecryptfs_syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); free(wrapped_pw_filename); out: - return rc; + diff --git a/ecryptfs-utils-99-selinux.patch b/ecryptfs-utils-99-selinux.patch new file mode 100644 index 0000000..2c3bc19 --- /dev/null +++ b/ecryptfs-utils-99-selinux.patch @@ -0,0 +1,20 @@ +diff -up ecryptfs-utils-99/src/utils/ecryptfs-migrate-home.selinux ecryptfs-utils-99/src/utils/ecryptfs-migrate-home +--- ecryptfs-utils-99/src/utils/ecryptfs-migrate-home.selinux 2012-07-24 14:35:28.428669924 +0200 ++++ ecryptfs-utils-99/src/utils/ecryptfs-migrate-home 2012-07-24 14:48:22.656139924 +0200 +@@ -136,6 +136,7 @@ encrypt_dir () { + error "Cannot proceed." + fi + # start encryption ++ setsebool -P use_ecryptfs_home_dirs=1 1>/dev/null 2>&1 ||: + orig=$(mktemp /home/$USER_NAME.XXXXXXXX) + rm "$orig" && mv "$USER_HOME" "$orig" + chmod 700 "$orig" +@@ -158,6 +159,8 @@ encrypt_dir () { + fi + info "Encrypted home has been set up, encrypting files now...this may take a while." + # Show progress, but on stderr, in case the user wants to filter that out ++ semanage fcontext -a -e /home /home/.ecryptfs >/dev/null 2>&1 ||: ++ restorecon -R $HOME/.ecrypfs/$USER >/dev/null 2>&1 ||: + rsync -aP "$orig/" "$USER_HOME/" 1>&2 + umount "$USER_HOME/" + echo diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec index 79e571f..d820b56 100644 --- a/ecryptfs-utils.spec +++ b/ecryptfs-utils.spec @@ -4,8 +4,8 @@ %global _sbindir /sbin Name: ecryptfs-utils -Version: 97 -Release: 2%{?dist} +Version: 99 +Release: 1%{?dist} Summary: The eCryptfs mount helper and support libraries Group: System Environment/Base License: GPLv2+ 
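Review bot: The added `restorecon -R $HOME/.ecrypfs/$USER` in ecryptfs-utils-99-selinux.patch looks like it targets a path that does not exist. `.ecrypfs` is missing a `t` compared with `/home/.ecryptfs` on the `semanage` line above it, and it expands `$HOME`/`$USER` where the rest of `encrypt_dir` uses `$USER_HOME`/`$USER_NAME`. Because output and exit status are discarded with `>/dev/null 2>&1 ||:`, the relabel would fail silently and the new files would keep whatever context they were created with. Something like `restorecon -R "/home/.ecryptfs/$USER_NAME" >/dev/null 2>&1 ||:` is presumably what was intended, though the exact directory should be confirmed against the rest of the script, which is outside these hunks. The expansion should be quoted either way.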
@@ -59,6 +59,8 @@ Patch19: ecryptfs-utils-87-syslog.patch # if e-m-p fails, check if user is member of ecryptfs group Patch21: ecryptfs-utils-96-groupcheck.patch +Patch22: ecryptfs-utils-99-selinux.patch + BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires: keyutils, cryptsetup-luks, util-linux, gettext @@ -113,6 +115,7 @@ the interface supplied by the ecryptfs-utils library. %patch18 -p1 -b .fixconst %patch19 -p1 -b .syslog %patch21 -p1 -b .groupcheck +%patch22 -p1 -b .selinux %build export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits" @@ -186,7 +189,7 @@ rm -rf $RPM_BUILD_ROOT %files -f %{name}.lang %defattr(-,root,root,-) %doc README COPYING AUTHORS NEWS THANKS -%doc doc/ecryptfs-faq.html doc/ecryptfs-pam-doc.txt +%doc doc/ecryptfs-faq.html %doc doc/ecryptfs-pkcs11-helper-doc.txt %{_sbindir}/mount.ecryptfs %{_sbindir}/umount.ecryptfs @@ -259,6 +262,11 @@ rm -rf $RPM_BUILD_ROOT %{python_sitearch}/ecryptfs-utils/_libecryptfs.so %changelog +* Tue Jul 24 2012 Michal Hlavinka - 99-1 +- ecryptfs-utils updated to 99 +- fixes: suid helper does not restrict mounting filesystems with + nosuid, nodev leading to possible privilege escalation (CVE-2012-3409) + * Wed Jul 18 2012 Fedora Release Engineering - 97-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild diff --git a/sources b/sources index 63d6235..8fe0eef 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ e612ddb9ccb17f8fec79df26e626a8c6 ecryptfs-mount-private.png -74e8cacd5fa641075419ec02f6312421 ecryptfs-utils_97.orig.tar.gz +17ef9190c6d078845e19d3e9a7d8ef7a ecryptfs-utils_99.orig.tar.gz
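Review bot: `Patch22` is added without the one-line comment that the neighbouring `Patch21` carries, and the `Requires:` line visible in this hunk's context lists no SELinux tooling. The patch calls `setsebool -P`, `semanage` and `restorecon` with errors suppressed, so on a host without those tools the labelling is skipped with no trace. Where they are present, a persistent system-wide boolean is changed as a side effect of migrating one home directory. A comment such as `# ecryptfs-migrate-home: enable use_ecryptfs_home_dirs and label /home/.ecryptfs` above `Patch22`, plus a matching `%changelog` line, would record that. If the missing dependency is deliberate, the comment should say so.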