From 7a13e7851a201ffa7e89542553fc740bbbd74f7c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Aug 09 2011 12:30:58 +0000 Subject: improve logging messages of ecryptfs pam module keep own copy of passphrase, pam clears it too early --- diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch index 9553414..127499c 100644 --- a/ecryptfs-utils-87-pamdata.patch +++ b/ecryptfs-utils-87-pamdata.patch @@ -1,7 +1,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c --- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2011-08-03 15:40:01.743949759 +0200 +++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-03 15:52:05.676388743 +0200 -@@ -45,6 +45,22 @@ +@@ -45,6 +45,25 @@ #define PRIVATE_DIR "Private" @@ -18,13 +18,16 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util + +static void pam_free_ecryptfsdata(pam_handle_t *pamh, void *data, int error_status) +{ -+ free(data); ++ if (data) { ++ free(((struct ecryptfs_pam_data *)data)->passphrase); ++ free(data); ++ } +} + /* returns: 0 if file does not exist, 1 if it exists, <0 for error */ static int file_exists_dotecryptfs(const char *homedir, char *filename) { -@@ -64,7 +80,7 @@ out: +@@ -64,7 +83,7 @@ out: return rc; } @@ -33,7 +36,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util { char *unwrapped_pw_filename = NULL; struct stat s; -@@ -96,42 +112,43 @@ static int wrap_passphrase_if_necessary( +@@ -96,42 +115,43 @@ static int wrap_passphrase_if_necessary( PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { @@ -94,7 +97,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util /* If private/home is already mounted, then we can skip costly loading of keys */ goto out; -@@ -141,82 +158,31 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -141,82 +161,32 @@ PAM_EXTERN int pam_sm_authenticate(pam_h if (ecryptfs_get_version(&version) != 0) syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); saved_uid = geteuid(); @@ -107,6 +110,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util else - rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase); + rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); ++ epd->passphrase = strdup(epd->passphrase); seteuid(saved_uid); if (rc != PAM_SUCCESS) { syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", @@ -177,9 +181,9 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util - free(auth_tok_sig); - _exit(0); + epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); -+ if (pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata) != PAM_SUCCESS) { ++ if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) { + -+ syslog(LOG_ERR, "Unable to store ecryptfs pam data : %m"); ++ syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); + goto out; } - tmp_pid = waitpid(child_pid, NULL, 0); @@ -190,7 +194,7 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util out: if (private_mnt != NULL) free(private_mnt); -@@ -361,10 +327,88 @@ static int umount_private_dir(pam_handle +@@ -361,10 +331,88 @@ static int umount_private_dir(pam_handle return private_dir(pamh, 0); } @@ -206,9 +210,9 @@ diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-util + return -ENOMEM; + } + -+ if (pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd) != PAM_SUCCESS) ++ if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS) + { -+ syslog(LOG_ERR,"Unable to get ecryptfs pam data : %m"); ++ syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc)); + return -EINVAL; + } + diff --git a/ecryptfs-utils-87-prefixsyslog.patch b/ecryptfs-utils-87-prefixsyslog.patch new file mode 100644 index 0000000..02fbad4 --- /dev/null +++ b/ecryptfs-utils-87-prefixsyslog.patch @@ -0,0 +1,240 @@ +diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamsyslog ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.pamsyslog 2011-08-09 11:39:28.404766037 +0200 ++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-09 11:39:28.428765549 +0200 +@@ -91,7 +91,7 @@ static int wrap_passphrase_if_necessary( + + rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username); + if (rc == -1) { +- syslog(LOG_ERR, "Unable to allocate memory\n"); ++ pamsyslog(LOG_ERR, "Unable to allocate memory\n"); + return -ENOMEM; + } + /* If /dev/shm/.ecryptfs-$USER exists and owned by the user +@@ -105,7 +105,7 @@ static int wrap_passphrase_if_necessary( + setuid(uid); + rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename); + if (rc != 0) { +- syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc); ++ pamsyslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc); + } + return rc; + } +@@ -122,10 +122,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + uint32_t version; + struct ecryptfs_pam_data *epd = {0,}; + +- syslog(LOG_INFO, "%s: Called\n", __FUNCTION__); ++ pamsyslog(LOG_INFO, "%s: Called\n", __FUNCTION__); + + if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) { +- syslog(LOG_ERR,"Memory allocation failed"); ++ pamsyslog(LOG_ERR,"Memory allocation failed"); + rc = -ENOMEM; + goto out; + } +@@ -134,7 +134,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + if (rc == PAM_SUCCESS) { + struct passwd *pwd; + +- syslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__, ++ pamsyslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__, + epd->username); + pwd = getpwnam(epd->username); + if (pwd) { +@@ -142,7 +142,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + epd->homedir = pwd->pw_dir; + } + } else { +- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " ++ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", epd->username, rc); + goto out; + } +@@ -150,7 +150,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + goto out; + private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); + if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { +- syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__, ++ pamsyslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__, + epd->homedir); + /* If private/home is already mounted, then we can skip + costly loading of keys */ +@@ -159,7 +159,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + /* we need side effect of this check: + load ecryptfs module if not loaded already */ + if (ecryptfs_get_version(&version) != 0) +- syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); ++ pamsyslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); + saved_uid = geteuid(); + seteuid(epd->uid); + if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1) +@@ -168,7 +168,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); + seteuid(saved_uid); + if (rc != PAM_SUCCESS) { +- syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", ++ pamsyslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", + rc); + goto out; + } +@@ -182,7 +182,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); + if (pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata) != PAM_SUCCESS) { + +- syslog(LOG_ERR, "Unable to store ecryptfs pam data : %m"); ++ pamsyslog(LOG_ERR, "Unable to store ecryptfs pam data : %m"); + goto out; + } + +@@ -206,13 +206,13 @@ static struct passwd *fetch_pwd(pam_hand + + rc = pam_get_user(pamh, &username, NULL); + if (rc != PAM_SUCCESS || username == NULL) { +- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " ++ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } + pwd = getpwnam(username); + if (pwd == NULL) { +- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " ++ pamsyslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } +@@ -244,13 +244,13 @@ static int private_dir(pam_handle_t *pam + if ( + (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0) + || autofile == NULL) { +- syslog(LOG_ERR, "Error allocating memory for autofile name"); ++ pamsyslog(LOG_ERR, "Error allocating memory for autofile name"); + return 1; + } + if ( + (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir, + PRIVATE_DIR) < 0) || sigfile == NULL) { +- syslog(LOG_ERR, "Error allocating memory for sigfile name"); ++ pamsyslog(LOG_ERR, "Error allocating memory for sigfile name"); + return 1; + } + if (stat(sigfile, &s) != 0) { +@@ -262,13 +262,13 @@ static int private_dir(pam_handle_t *pam + goto out; + } + if ((pid = fork()) < 0) { +- syslog(LOG_ERR, "Error setting up private mount"); ++ pamsyslog(LOG_ERR, "Error setting up private mount"); + return 1; + } + if (pid == 0) { + /* set user's groups, we may need ecryptfs group for (u)mount */ + if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { +- syslog(LOG_ERR, "Unable to set user's groups : %m"); ++ pamsyslog(LOG_ERR, "Unable to set user's groups : %m"); + _exit(255); + } + +@@ -276,7 +276,7 @@ static int private_dir(pam_handle_t *pam + if ((asprintf(&recorded, + "%s/.ecryptfs/.wrapped-passphrase.recorded", + pwd->pw_dir) < 0) || recorded == NULL) { +- syslog(LOG_ERR, ++ pamsyslog(LOG_ERR, + "Error allocating memory for recorded name"); + _exit(255); + } +@@ -289,7 +289,7 @@ static int private_dir(pam_handle_t *pam + } + if (stat(autofile, &s) != 0) { + /* User does not want to auto-mount */ +- syslog(LOG_INFO, ++ pamsyslog(LOG_INFO, + "Skipping automatic eCryptfs mount"); + _exit(0); + } +@@ -297,11 +297,11 @@ static int private_dir(pam_handle_t *pam + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/mount.ecryptfs_private", + "mount.ecryptfs_private", NULL); +- syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); ++ pamsyslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); + } else { + if (stat(autofile, &s) != 0) { + /* User does not want to auto-unmount */ +- syslog(LOG_INFO, ++ pamsyslog(LOG_INFO, + "Skipping automatic eCryptfs unmount"); + _exit(0); + } +@@ -309,7 +309,7 @@ static int private_dir(pam_handle_t *pam + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/umount.ecryptfs_private", + "umount.ecryptfs_private", NULL); +- syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); ++ pamsyslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); + } + _exit(255); + } else { +@@ -338,25 +338,25 @@ static int fill_keyring(pam_handle_t *pa + char *auth_tok_sig; + auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); + if (!auth_tok_sig) { +- syslog(LOG_ERR, "Out of memory\n"); ++ pamsyslog(LOG_ERR, "Out of memory\n"); + return -ENOMEM; + } + + if (pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd) != PAM_SUCCESS) + { +- syslog(LOG_ERR,"Unable to get ecryptfs pam data : %m"); ++ pamsyslog(LOG_ERR,"Unable to get ecryptfs pam data : %m"); + return -EINVAL; + } + + if ((child_pid = fork()) == 0) { + setuid(epd->uid); + if (epd->passphrase == NULL) { +- syslog(LOG_ERR, "NULL passphrase; aborting\n"); ++ pamsyslog(LOG_ERR, "NULL passphrase; aborting\n"); + rc = -EINVAL; + goto out_child; + } + if ((rc = ecryptfs_validate_keyring())) { +- syslog(LOG_WARNING, ++ pamsyslog(LOG_WARNING, + "Cannot validate keyring integrity\n"); + } + rc = 0; +@@ -368,12 +368,12 @@ static int fill_keyring(pam_handle_t *pa + epd->homedir, + ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); + if (rc == -1) { +- syslog(LOG_ERR, "Unable to allocate memory\n"); ++ pamsyslog(LOG_ERR, "Unable to allocate memory\n"); + rc = -ENOMEM; + goto out_child; + } + if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) { +- syslog(LOG_INFO, "Passphrase file wrapped"); ++ pamsyslog(LOG_INFO, "Passphrase file wrapped"); + } else { + goto out_child; + } +@@ -389,7 +389,7 @@ static int fill_keyring(pam_handle_t *pa + goto out_child; + } + if (rc) { +- syslog(LOG_ERR, "Error adding passphrase key token to " ++ pamsyslog(LOG_ERR, "Error adding passphrase key token to " + "user session keyring; rc = [%d]\n", rc); + goto out_child; + } +@@ -399,7 +399,7 @@ out_child: + } + tmp_pid = waitpid(child_pid, NULL, 0); + if (tmp_pid == -1) +- syslog(LOG_WARNING, ++ pamsyslog(LOG_WARNING, + "waitpid() returned with error condition\n"); + + diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch new file mode 100644 index 0000000..da0508e --- /dev/null +++ b/ecryptfs-utils-87-syslog.patch @@ -0,0 +1,256 @@ +diff -up ecryptfs-utils-87/src/include/ecryptfs.h.syslog ecryptfs-utils-87/src/include/ecryptfs.h +--- ecryptfs-utils-87/src/include/ecryptfs.h.syslog 2011-08-09 13:53:46.159665547 +0200 ++++ ecryptfs-utils-87/src/include/ecryptfs.h 2011-08-09 13:53:46.194664841 +0200 +@@ -143,7 +143,7 @@ + #define ECRYPTFS_TAG_67_PACKET 0x43 + + #define ecryptfs_syslog(type, fmt, arg...) \ +- syslog(type, "%s: " fmt, __FUNCTION__, ## arg); ++ syslog(type, "ecryptfs: %s: " fmt, __FUNCTION__, ## arg); + + #define ECRYPTFS_MAX_NUM_CIPHERS 64 + #define ECRYPTFS_ECHO_ON 1 +diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2011-08-09 13:53:46.155665627 +0200 ++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-08-09 14:01:13.663636527 +0200 +@@ -88,7 +88,7 @@ static int wrap_passphrase_if_necessary( + + rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username); + if (rc == -1) { +- syslog(LOG_ERR, "Unable to allocate memory\n"); ++ ecryptfs_syslog(LOG_ERR, "Unable to allocate memory\n"); + return -ENOMEM; + } + /* If /dev/shm/.ecryptfs-$USER exists and owned by the user +@@ -102,7 +102,7 @@ static int wrap_passphrase_if_necessary( + setuid(uid); + rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename); + if (rc != 0) { +- syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc); ++ ecryptfs_syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc); + } + return rc; + } +@@ -119,10 +119,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + uint32_t version; + struct ecryptfs_pam_data *epd = {0,}; + +- syslog(LOG_INFO, "%s: Called\n", __FUNCTION__); ++ ecryptfs_syslog(LOG_INFO, "pam auth stack calls pam_ecryptfs module"); + + if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) { +- syslog(LOG_ERR,"Memory allocation failed"); ++ ecryptfs_syslog(LOG_ERR,"Memory allocation failed"); + rc = -ENOMEM; + goto out; + } +@@ -131,7 +131,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + if (rc == PAM_SUCCESS) { + struct passwd *pwd; + +- syslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__, ++ ecryptfs_syslog(LOG_INFO, "pam_ecryptfs: username = [%s]\n", + epd->username); + pwd = getpwnam(epd->username); + if (pwd) { +@@ -139,7 +139,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + epd->homedir = pwd->pw_dir; + } + } else { +- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " ++ ecryptfs_syslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", epd->username, rc); + goto out; + } +@@ -147,7 +147,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + goto out; + private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); + if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { +- syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__, ++ ecryptfs_syslog(LOG_INFO, "%s is already mounted", + epd->homedir); + /* If private/home is already mounted, then we can skip + costly loading of keys */ +@@ -156,7 +156,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + /* we need side effect of this check: + load ecryptfs module if not loaded already */ + if (ecryptfs_get_version(&version) != 0) +- syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); ++ ecryptfs_syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); + saved_uid = geteuid(); + seteuid(epd->uid); + if(file_exists_dotecryptfs(epd->homedir, "wrapping-independent") == 1) +@@ -165,7 +165,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); + seteuid(saved_uid); + if (rc != PAM_SUCCESS) { +- syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", ++ ecryptfs_syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", + rc); + goto out; + } +@@ -179,9 +179,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); + if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) { + +- syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); ++ ecryptfs_syslog(LOG_ERR, "Unable to store ecryptfs pam data : %s", pam_strerror(pamh, rc)); + goto out; +- } ++ } + + out: + if (private_mnt != NULL) +@@ -203,13 +203,13 @@ static struct passwd *fetch_pwd(pam_hand + + rc = pam_get_user(pamh, &username, NULL); + if (rc != PAM_SUCCESS || username == NULL) { +- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " ++ ecryptfs_syslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } + pwd = getpwnam(username); + if (pwd == NULL) { +- syslog(LOG_ERR, "Error getting passwd info for user [%s]; " ++ ecryptfs_syslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } +@@ -241,13 +241,13 @@ static int private_dir(pam_handle_t *pam + if ( + (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0) + || autofile == NULL) { +- syslog(LOG_ERR, "Error allocating memory for autofile name"); ++ ecryptfs_syslog(LOG_ERR, "Error allocating memory for autofile name"); + return 1; + } + if ( + (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir, + PRIVATE_DIR) < 0) || sigfile == NULL) { +- syslog(LOG_ERR, "Error allocating memory for sigfile name"); ++ ecryptfs_syslog(LOG_ERR, "Error allocating memory for sigfile name"); + return 1; + } + if (stat(sigfile, &s) != 0) { +@@ -259,13 +259,13 @@ static int private_dir(pam_handle_t *pam + goto out; + } + if ((pid = fork()) < 0) { +- syslog(LOG_ERR, "Error setting up private mount"); ++ ecryptfs_syslog(LOG_ERR, "Error setting up private mount"); + return 1; + } + if (pid == 0) { + /* set user's groups, we may need ecryptfs group for (u)mount */ + if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) { +- syslog(LOG_ERR, "Unable to set user's groups : %m"); ++ ecryptfs_syslog(LOG_ERR, "Unable to set user's groups : %m"); + _exit(255); + } + +@@ -273,7 +273,7 @@ static int private_dir(pam_handle_t *pam + if ((asprintf(&recorded, + "%s/.ecryptfs/.wrapped-passphrase.recorded", + pwd->pw_dir) < 0) || recorded == NULL) { +- syslog(LOG_ERR, ++ ecryptfs_syslog(LOG_ERR, + "Error allocating memory for recorded name"); + _exit(255); + } +@@ -286,7 +286,7 @@ static int private_dir(pam_handle_t *pam + } + if (stat(autofile, &s) != 0) { + /* User does not want to auto-mount */ +- syslog(LOG_INFO, ++ ecryptfs_syslog(LOG_INFO, + "Skipping automatic eCryptfs mount"); + _exit(0); + } +@@ -294,11 +294,11 @@ static int private_dir(pam_handle_t *pam + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/mount.ecryptfs_private", + "mount.ecryptfs_private", NULL); +- syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); ++ ecryptfs_syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); + } else { + if (stat(autofile, &s) != 0) { + /* User does not want to auto-unmount */ +- syslog(LOG_INFO, ++ ecryptfs_syslog(LOG_INFO, + "Skipping automatic eCryptfs unmount"); + _exit(0); + } +@@ -306,7 +306,7 @@ static int private_dir(pam_handle_t *pam + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/umount.ecryptfs_private", + "umount.ecryptfs_private", NULL); +- syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); ++ ecryptfs_syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); + } + _exit(255); + } else { +@@ -335,25 +335,25 @@ static int fill_keyring(pam_handle_t *pa + char *auth_tok_sig; + auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); + if (!auth_tok_sig) { +- syslog(LOG_ERR, "Out of memory\n"); ++ ecryptfs_syslog(LOG_ERR, "Out of memory\n"); + return -ENOMEM; + } + + if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS) + { +- syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc)); ++ ecryptfs_syslog(LOG_ERR,"Unable to get ecryptfs pam data : %s", pam_strerror(pamh, rc)); + return -EINVAL; +- } ++ } + + if ((child_pid = fork()) == 0) { + setuid(epd->uid); + if (epd->passphrase == NULL) { +- syslog(LOG_ERR, "NULL passphrase; aborting\n"); ++ ecryptfs_syslog(LOG_ERR, "NULL passphrase; aborting\n"); + rc = -EINVAL; + goto out_child; + } + if ((rc = ecryptfs_validate_keyring())) { +- syslog(LOG_WARNING, ++ ecryptfs_syslog(LOG_WARNING, + "Cannot validate keyring integrity\n"); + } + rc = 0; +@@ -365,12 +365,12 @@ static int fill_keyring(pam_handle_t *pa + epd->homedir, + ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); + if (rc == -1) { +- syslog(LOG_ERR, "Unable to allocate memory\n"); ++ ecryptfs_syslog(LOG_ERR, "Unable to allocate memory\n"); + rc = -ENOMEM; + goto out_child; + } + if (wrap_passphrase_if_necessary(epd->username, epd->uid, wrapped_pw_filename, epd->passphrase, epd->salt) == 0) { +- syslog(LOG_INFO, "Passphrase file wrapped"); ++ ecryptfs_syslog(LOG_INFO, "Passphrase file wrapped"); + } else { + goto out_child; + } +@@ -386,7 +386,7 @@ static int fill_keyring(pam_handle_t *pa + goto out_child; + } + if (rc) { +- syslog(LOG_ERR, "Error adding passphrase key token to " ++ ecryptfs_syslog(LOG_ERR, "Error adding passphrase key token to " + "user session keyring; rc = [%d]\n", rc); + goto out_child; + } +@@ -396,7 +396,7 @@ out_child: + } + tmp_pid = waitpid(child_pid, NULL, 0); + if (tmp_pid == -1) +- syslog(LOG_WARNING, ++ ecryptfs_syslog(LOG_WARNING, + "waitpid() returned with error condition\n"); + + diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec index 8046854..7ffcc3e 100644 --- a/ecryptfs-utils.spec +++ b/ecryptfs-utils.spec @@ -5,7 +5,7 @@ Name: ecryptfs-utils Version: 87 -Release: 8%{?dist} +Release: 9%{?dist} Summary: The eCryptfs mount helper and support libraries Group: System Environment/Base License: GPLv2+ @@ -62,6 +62,8 @@ Patch16: ecryptfs-utils-87-pamdata.patch # patch16 needs propper const on some places Patch17: ecryptfs-utils-87-fixconst.patch +Patch18: ecryptfs-utils-87-syslog.patch + BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires: keyutils, cryptsetup-luks, util-linux-ng, gettext BuildRequires: libgcrypt-devel keyutils-libs-devel openssl-devel pam-devel @@ -115,6 +117,7 @@ the interface supplied by the ecryptfs-utils library. %patch15 -p1 -b .nozombies %patch16 -p1 -b .pamdata %patch17 -p1 -b .fixconst +%patch18 -p1 -b .syslog %build export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits" @@ -242,6 +245,10 @@ rm -rf $RPM_BUILD_ROOT %{python_sitearch}/ecryptfs-utils/_libecryptfs.so %changelog +* Tue Aug 09 2011 Michal Hlavinka - 87-9 +- improve logging messages of ecryptfs pam module +- keep own copy of passphrase, pam clears it too early + * Wed Aug 03 2011 Michal Hlavinka - 87-8 - keyring from auth stack does not survive, use pam_data and delayed keyring initialization