From be2a3c9c1ff3526d45ac38d160f299344c2e502d Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Jul 21 2011 15:14:24 +0000 Subject: fix pam module to set ecryptfs gid before mount helper execution do not use zombie process, it causes lock ups in ssh --- diff --git a/ecryptfs-utils-87-fixexecgid.patch b/ecryptfs-utils-87-fixexecgid.patch new file mode 100644 index 0000000..2da6c24 --- /dev/null +++ b/ecryptfs-utils-87-fixexecgid.patch @@ -0,0 +1,35 @@ +diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixexecgid 2011-07-21 14:20:31.773602653 +0200 ++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-07-21 14:21:12.302160125 +0200 +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -303,6 +304,23 @@ static int private_dir(pam_handle_t *pam + return 1; + } + if (pid == 0) { ++ /* explicitely change group to ecryptfs if user is member of that group, changing uid is not enough */ ++ errno=0; ++ struct group *efsg = getgrnam("ecryptfs"); ++ if (efsg==NULL && errno) syslog(LOG_ERR, "unable to list members of ecryptfs group : %m"); ++ else ++ { ++ while (*efsg->gr_mem) ++ { ++ if (!strcmp(*efsg->gr_mem, pwd->pw_name)) ++ { ++ if (setgid(efsg->gr_gid)<0) syslog(LOG_ERR, "Unable to change group to ecryptfs : %m"); ++ break; ++ } ++ efsg->gr_mem++; ++ } ++ } ++ + if (mount == 1) { + if ((asprintf(&recorded, + "%s/.ecryptfs/.wrapped-passphrase.recorded", diff --git a/ecryptfs-utils-87-fixgid.patch b/ecryptfs-utils-87-fixgid.patch deleted file mode 100644 index 5b8e39e..0000000 --- a/ecryptfs-utils-87-fixgid.patch +++ /dev/null @@ -1,58 +0,0 @@ -diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid 2011-07-19 15:58:45.337539138 +0200 -+++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-07-19 16:02:09.542029724 +0200 -@@ -217,7 +217,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - } - out_child: - free(auth_tok_sig); -- exit(0); -+ _exit(0); - } - tmp_pid = waitpid(child_pid, NULL, 0); - if (tmp_pid == -1) -@@ -309,7 +309,7 @@ static int private_dir(pam_handle_t *pam - pwd->pw_dir) < 0) || recorded == NULL) { - syslog(LOG_ERR, - "Error allocating memory for recorded name"); -- return 1; -+ _exit(255); - } - if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { - /* User has not recorded their passphrase */ -@@ -322,23 +322,25 @@ static int private_dir(pam_handle_t *pam - /* User does not want to auto-mount */ - syslog(LOG_INFO, - "Skipping automatic eCryptfs mount"); -- return 0; -+ _exit(0); - } - /* run mount.ecryptfs_private as the user */ - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); - execl("/sbin/mount.ecryptfs_private", - "mount.ecryptfs_private", NULL); -+ _exit(255); - } else { - if (stat(autofile, &s) != 0) { - /* User does not want to auto-unmount */ - syslog(LOG_INFO, - "Skipping automatic eCryptfs unmount"); -- return 0; -+ _exit(0); - } - /* run umount.ecryptfs_private as the user */ - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); - execl("/sbin/umount.ecryptfs_private", - "umount.ecryptfs_private", NULL); -+ _exit(255); - } - return 1; - } else { -@@ -482,7 +484,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand - goto out_child; - } - out_child: -- exit(0); -+ _exit(0); - } - if ((tmp_pid = waitpid(child_pid, NULL, 0)) == -1) - syslog(LOG_WARNING, diff --git a/ecryptfs-utils-87-fixpamfork.patch b/ecryptfs-utils-87-fixpamfork.patch new file mode 100644 index 0000000..fe1d85d --- /dev/null +++ b/ecryptfs-utils-87-fixpamfork.patch @@ -0,0 +1,61 @@ +diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.fixgid 2011-07-21 13:35:47.968581526 +0200 ++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-07-21 13:37:08.411188936 +0200 +@@ -217,7 +217,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + } + out_child: + free(auth_tok_sig); +- exit(0); ++ _exit(0); + } + tmp_pid = waitpid(child_pid, NULL, 0); + if (tmp_pid == -1) +@@ -309,7 +309,7 @@ static int private_dir(pam_handle_t *pam + pwd->pw_dir) < 0) || recorded == NULL) { + syslog(LOG_ERR, + "Error allocating memory for recorded name"); +- return 1; ++ _exit(255); + } + if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { + /* User has not recorded their passphrase */ +@@ -322,25 +322,27 @@ static int private_dir(pam_handle_t *pam + /* User does not want to auto-mount */ + syslog(LOG_INFO, + "Skipping automatic eCryptfs mount"); +- return 0; ++ _exit(0); + } + /* run mount.ecryptfs_private as the user */ + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/mount.ecryptfs_private", + "mount.ecryptfs_private", NULL); ++ syslog(LOG_ERR,"unable to execute mount.ecryptfs_private : %m"); + } else { + if (stat(autofile, &s) != 0) { + /* User does not want to auto-unmount */ + syslog(LOG_INFO, + "Skipping automatic eCryptfs unmount"); +- return 0; ++ _exit(0); + } + /* run umount.ecryptfs_private as the user */ + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/umount.ecryptfs_private", + "umount.ecryptfs_private", NULL); ++ syslog(LOG_ERR,"unable to execute umount.ecryptfs_private : %m"); + } +- return 1; ++ _exit(255); + } else { + waitpid(pid, &rc, 0); + goto out; +@@ -482,7 +484,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand + goto out_child; + } + out_child: +- exit(0); ++ _exit(0); + } + if ((tmp_pid = waitpid(child_pid, NULL, 0)) == -1) + syslog(LOG_WARNING, diff --git a/ecryptfs-utils-87-nozombies.patch b/ecryptfs-utils-87-nozombies.patch new file mode 100644 index 0000000..32b0147 --- /dev/null +++ b/ecryptfs-utils-87-nozombies.patch @@ -0,0 +1,522 @@ +diff -up ecryptfs-utils-87/src/include/ecryptfs.h.nozombies ecryptfs-utils-87/src/include/ecryptfs.h +--- ecryptfs-utils-87/src/include/ecryptfs.h.nozombies 2011-03-09 14:30:32.000000000 +0100 ++++ ecryptfs-utils-87/src/include/ecryptfs.h 2011-07-21 14:17:33.539120662 +0200 +@@ -588,10 +588,6 @@ int ecryptfs_validate_keyring(void); + #define ECRYPTFS_SHM_KEY 0x3c81b7f5 + #define ECRYPTFS_SEM_KEY 0x3c81b7f6 + #define ECRYPTFS_SHM_SIZE 4096 +-#define ECRYPTFS_ZOMBIE_SLEEP_SECONDS 300 +-int ecryptfs_set_zombie_session_placeholder(void); +-int ecryptfs_kill_and_clear_zombie_session_placeholder(void); +-int ecryptfs_list_zombie_session_placeholders(void); + int ecryptfs_build_linear_subgraph_from_nvp(struct transition_node **trans_node, + struct ecryptfs_key_mod *key_mod); + int ecryptfs_build_linear_subgraph(struct transition_node **trans_node, +diff -up ecryptfs-utils-87/src/libecryptfs/main.c.nozombies ecryptfs-utils-87/src/libecryptfs/main.c +--- ecryptfs-utils-87/src/libecryptfs/main.c.nozombies 2011-03-09 14:30:32.000000000 +0100 ++++ ecryptfs-utils-87/src/libecryptfs/main.c 2011-07-21 14:19:02.384364121 +0200 +@@ -480,487 +480,6 @@ out: + return rc; + } + +-static int zombie_semaphore_get(void) +-{ +- int sem_id; +- struct semid_ds semid_ds; +- struct sembuf sb; +- int i; +- int rc; +- +- sem_id = semget(ECRYPTFS_SEM_KEY, 1, (0666 | IPC_EXCL | IPC_CREAT)); +- if (sem_id >= 0) { +- sb.sem_op = 1; +- sb.sem_flg = 0; +- sb.sem_num = 0; +- +- rc = semop(sem_id, &sb, 1); +- if (rc == -1) { +- semctl(sem_id, 0, IPC_RMID); +- syslog(LOG_ERR, "Error initializing semaphore\n"); +- rc = -1; +- goto out; +- } +- } else if (errno == EEXIST) { +- int initialized = 0; +- +- sem_id = semget(ECRYPTFS_SEM_KEY, 1, 0); +- if (sem_id < 0) { +- syslog(LOG_ERR, "Error getting existing semaphore"); +- rc = -1; +- goto out; +- } +-#define RETRY_LIMIT 3 +- for (i = 0; i < RETRY_LIMIT; i++) { +- semctl(sem_id, 0, IPC_STAT, &semid_ds); +- if (semid_ds.sem_otime != 0) { +- initialized = 1; +- break; +- } else +- sleep(1); +- } +- if (!initialized) { +- syslog(LOG_ERR, "Waited too long for initialized " +- "semaphore; something's wrong\n"); +- rc = -1; +- goto out; +- } +- } else { +- syslog(LOG_ERR, "Error attempting to get semaphore\n"); +- rc = -1; +- goto out; +- } +- rc = sem_id; +-out: +- return rc; +-} +- +-static void zombie_semaphore_lock(int sem_id) +-{ +- struct sembuf sb; +- int i; +- int rc; +- +- sb.sem_num = 0; +- sb.sem_op = -1; +- sb.sem_flg = IPC_NOWAIT; +- for (i = 0; i < RETRY_LIMIT; i++) { +- rc = semop(sem_id, &sb, 1); +- if (rc == -1 && errno == EAGAIN) { +- sleep(1); +- } else if (rc == -1) { +- syslog(LOG_ERR, "Error locking semaphore; errno " +- "string = [%m]\n"); +- goto out; +- } else +- goto out; +- } +- syslog(LOG_ERR, "Error locking semaphore; hit max retries\n"); +-out: +- return; +-} +- +-static void zombie_semaphore_unlock(int sem_id) +-{ +- struct sembuf sb; +- int rc; +- +- sb.sem_num = 0; +- sb.sem_op = 1; +- sb.sem_flg = 0; +- rc = semop(sem_id, &sb, 1); +- if (rc == -1) { +- syslog(LOG_ERR, "Error unlocking semaphore\n"); +- goto out; +- } +-out: +- return; +-} +- +-static int get_zombie_shared_mem_locked(int *shm_id, int *sem_id) +-{ +- int rc; +- +- (*sem_id) = zombie_semaphore_get(); +- if ((*sem_id) == -1) { +- syslog(LOG_ERR, "Error attempting to get zombie semaphore\n"); +- rc = -EIO; +- goto out; +- } +- zombie_semaphore_lock((*sem_id)); +- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, (0666 | IPC_CREAT +- | IPC_EXCL)); +- if (rc == -1 && errno == EEXIST) +- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0); +- else { +- char *shm_virt; +- +- (*shm_id) = rc; +- shm_virt = shmat((*shm_id), NULL, 0); +- if (shm_virt == (void *)-1) { +- syslog(LOG_ERR, "Error attaching to newly allocated " +- "shared memory; errno string = [%m]\n"); +- rc = -EIO; +- zombie_semaphore_unlock((*sem_id)); +- goto out; +- } +- memset(shm_virt, 0, ECRYPTFS_SHM_SIZE); +- if ((rc = shmdt(shm_virt))) { +- rc = -EIO; +- zombie_semaphore_unlock((*sem_id)); +- goto out; +- } +- rc = shmget(ECRYPTFS_SHM_KEY, ECRYPTFS_SHM_SIZE, 0); +- } +- if (rc == -1) { +- syslog(LOG_ERR, "Error attempting to get identifier for " +- "shared memory with key [0x%.8x]\n", ECRYPTFS_SHM_KEY); +- rc = -EIO; +- zombie_semaphore_unlock((*sem_id)); +- goto out; +- } +- (*shm_id) = rc; +- rc = 0; +-out: +- return rc; +-} +- +-static int list_pid_sid_pairs(int shm_id) +-{ +- pid_t sid_tmp; +- pid_t pid_tmp; +- char *shm_virt; +- int i; +- int rc; +- +- if (sizeof(pid_t) != sizeof(uint32_t)) { +- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " +- "needs some tweaking to work on this architecture\n"); +- rc = -EINVAL; +- goto out; +- } +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- rc = -EIO; +- goto out; +- } +- i = 0; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- while (!(sid_tmp == 0 && pid_tmp == 0)) { +- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) +- break; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- } +- if ((rc = shmdt(shm_virt))) +- rc = -EIO; +-out: +- return rc; +-} +- +-static int find_pid_for_this_sid(pid_t *pid, int shm_id) +-{ +- pid_t sid_tmp; +- pid_t sid; +- pid_t pid_tmp; +- pid_t this_pid; +- char *shm_virt; +- int i; +- int rc; +- +- (*pid) = 0; +- if (sizeof(pid_t) != sizeof(uint32_t)) { +- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " +- "needs some tweaking to work on this architecture\n"); +- rc = -EINVAL; +- goto out; +- } +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- rc = -EIO; +- goto out; +- } +- i = 0; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- this_pid = getpid(); +- sid = getsid(this_pid); +- while (!(sid_tmp == 0 && pid_tmp == 0)) { +- if (sid_tmp == sid) { +- (*pid) = pid_tmp; +- goto end_search; +- } +- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) +- break; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- } +-end_search: +- if ((rc = shmdt(shm_virt))) { +- rc = -EIO; +- (*pid) = 0; +- } +-out: +- return rc; +-} +- +-static int remove_pid_for_this_sid(int shm_id) +-{ +- pid_t sid_tmp; +- pid_t sid; +- pid_t pid_tmp; +- pid_t pid; +- pid_t this_pid; +- char *shm_virt; +- int i; +- int rc; +- +- pid = 0; +- if (sizeof(pid_t) != sizeof(uint32_t)) { +- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " +- "needs some tweaking to work on this architecture\n"); +- rc = -EINVAL; +- goto out; +- } +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- rc = -EIO; +- goto out; +- } +- i = 0; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- this_pid = getpid(); +- sid = getsid(this_pid); +- while (!(sid_tmp == 0 && pid_tmp == 0)) { +- if (sid_tmp == sid) { +- pid = pid_tmp; +- break; +- } +- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) +- break; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- } +- if (pid != 0) { +- char *tmp; +- int remainder = (ECRYPTFS_SHM_SIZE - i); +- +- if (remainder != 0) { +- if ((tmp = malloc(remainder)) == NULL) { +- rc = -ENOMEM; +- shmdt(shm_virt); +- goto out; +- } +- memcpy(tmp, &shm_virt[i], remainder); +- i -= (2 * sizeof(pid_t)); +- memcpy(&shm_virt[i], tmp, remainder); +- i += remainder; +- } else +- i -= (2 * sizeof(pid_t)); +- memset(&shm_virt[i], 0, (2 * sizeof(pid_t))); +- if (remainder != 0) +- free(tmp); +- } +- if ((rc = shmdt(shm_virt))) +- rc = -EIO; +-out: +- return rc; +-} +- +-static int add_sid_pid_pair_to_shm(int shm_id) +-{ +- pid_t sid_tmp; +- pid_t sid; +- pid_t pid_tmp; +- pid_t pid; +- char *shm_virt; +- int i; +- int rc; +- +- if (sizeof(pid_t) != sizeof(uint32_t)) { +- syslog(LOG_ERR, "sizeof(pid_t) != sizeof(uint32_t); the code " +- "needs some tweaking to work on this architecture\n"); +- rc = -EINVAL; +- goto out; +- } +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- syslog(LOG_ERR, "Error attaching to shared memory; error " +- "string = [%m]\n"); +- shm_virt = shmat(shm_id, NULL, 0); +- if (shm_virt == (void *)-1) { +- syslog(LOG_ERR, "Error attaching to shared memory; error " +- "string = [%m]\n"); +- rc = -EIO; +- goto out; +- } +- rc = -EIO; +- goto out; +- } +- i = 0; +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- while (!(sid_tmp == 0 && pid_tmp == 0)) { +- if ((i + (2 * sizeof(pid_t))) > ECRYPTFS_SHM_SIZE) { +- syslog(LOG_ERR, +- "No space left in shared memory region\n"); +- rc = -ENOMEM; +- shmdt(shm_virt); +- goto out; +- } +- memcpy(&sid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- sid_tmp = ntohl(sid_tmp); /* uint32_t */ +- memcpy(&pid_tmp, &shm_virt[i], sizeof(pid_t)); +- i += sizeof(pid_t); +- pid_tmp = ntohl(pid_tmp); /* uint32_t */ +- } +- pid = getpid(); +- sid = getsid(pid); +- sid = htonl(sid); +- pid = htonl(pid); +- i -= (2 * sizeof(pid_t)); +- memcpy(&shm_virt[i], &sid, sizeof(pid_t)); +- i += sizeof(pid_t); +- memcpy(&shm_virt[i], &pid, sizeof(pid_t)); +- i += sizeof(pid_t); +- if ((i + (2 * sizeof(pid_t))) <= ECRYPTFS_SHM_SIZE) +- memset(&shm_virt[i], 0, (i + (2 * sizeof(pid_t)))); +- if ((rc = shmdt(shm_virt))) { +- syslog(LOG_ERR, "Error detaching from shared memory\n"); +- rc = -EIO; +- } +-out: +- return rc; +-} +- +-int ecryptfs_set_zombie_session_placeholder(void) +-{ +- int shm_id; +- int sem_id; +- int rc = 0; +- +- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { +- syslog(LOG_ERR, +- "Error getting shared memory segment\n"); +- goto out; +- } +- if ((rc = add_sid_pid_pair_to_shm(shm_id))) { +- syslog(LOG_ERR, "Error adding sid/pid pair to shared memory " +- "segment; rc = [%d]\n", rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- zombie_semaphore_unlock(sem_id); +- sleep(ECRYPTFS_ZOMBIE_SLEEP_SECONDS); +- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { +- syslog(LOG_ERR, +- "Error getting shared memory segment\n"); +- goto out; +- } +- if ((rc = remove_pid_for_this_sid(shm_id))) { +- syslog(LOG_ERR, "Error attempting to remove pid/sid " +- "pair from shared memory segment; rc = [%d]\n", +- rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- zombie_semaphore_unlock(sem_id); +- exit(1); +-out: +- return rc; +-} +- +-int ecryptfs_kill_and_clear_zombie_session_placeholder(void) +-{ +- int shm_id; +- int sem_id; +- int pid; +- int rc = 0; +- +- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { +- syslog(LOG_ERR, "Error getting shared memory segment\n"); +- goto out; +- } +- if ((rc = find_pid_for_this_sid(&pid, shm_id))) { +- syslog(LOG_ERR, "Error finding pid for sid in shared memory " +- "segment; rc = [%d]\n", rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- if (pid == 0) { +- syslog(LOG_WARNING, "No valid pid found for this sid\n"); +- } else { +- if ((rc = kill(pid, SIGKILL))) { +- syslog(LOG_ERR, "Error attempting to kill process " +- "[%d]; rc = [%d]; errno string = [%m]\n", pid, +- rc); +- } +- if ((rc = remove_pid_for_this_sid(shm_id))) { +- syslog(LOG_ERR, "Error attempting to remove pid/sid " +- "pair from shared memory segment; rc = [%d]\n", +- rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- } +- zombie_semaphore_unlock(sem_id); +-out: +- return rc; +-} +- +-int ecryptfs_list_zombie_session_placeholders(void) +-{ +- int shm_id; +- int sem_id; +- int rc = 0; +- +- if ((rc = get_zombie_shared_mem_locked(&shm_id, &sem_id))) { +- syslog(LOG_ERR, +- "Error getting shared memory segment\n"); +- goto out; +- } +- if ((rc = list_pid_sid_pairs(shm_id))) { +- syslog(LOG_ERR, "Error listing sid/pid pairs in shared memory " +- "segment; rc = [%d]\n", rc); +- zombie_semaphore_unlock(sem_id); +- goto out; +- } +- zombie_semaphore_unlock(sem_id); +-out: +- return rc; +-} +- + static struct ecryptfs_ctx_ops ctx_ops; + + struct ecryptfs_ctx_ops *cryptfs_get_ctx_opts (void) +diff -up ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.nozombies ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c +--- ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c.nozombies 2011-07-21 14:17:33.525120467 +0200 ++++ ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-07-21 14:17:33.541120690 +0200 +@@ -208,13 +208,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + "user session keyring; rc = [%ld]\n", rc); + goto out_child; + } +- if (fork() == 0) { +- if ((rc = ecryptfs_set_zombie_session_placeholder())) { +- syslog(LOG_ERR, "Error attempting to create " +- "and register zombie process; " +- "rc = [%ld]\n", rc); +- } +- } + out_child: + free(auth_tok_sig); + _exit(0); diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec index 2ef3d5e..91a55bf 100644 --- a/ecryptfs-utils.spec +++ b/ecryptfs-utils.spec @@ -5,7 +5,7 @@ Name: ecryptfs-utils Version: 87 -Release: 6%{?dist} +Release: 7%{?dist} Summary: The eCryptfs mount helper and support libraries Group: System Environment/Base License: GPLv2+ @@ -47,8 +47,14 @@ Patch12: ecryptfs-utils-87-memcpyfix.patch # allow building with -Werror Patch999: ecryptfs-utils-75-werror.patch -# rhbz#722445 -Patch13: ecryptfs-utils-87-fixgid.patch +# using return after fork() in pam module has some nasty side effects, rhbz#722445 +Patch13: ecryptfs-utils-87-fixpamfork.patch + +# we need gid==ecryptfs in pam module before mount.ecryptfs_private execution +Patch14: ecryptfs-utils-87-fixexecgid.patch + +# do not use zombie process, it causes lock ups at least for ssh login +Patch15: ecryptfs-utils-87-nozombies.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires: keyutils, cryptsetup-luks, util-linux-ng, gettext @@ -98,7 +104,9 @@ the interface supplied by the ecryptfs-utils library. %patch11 -p1 -b .authconfig %patch12 -p1 -b .memcpyfix %patch999 -p1 -b .werror -%patch13 -p1 -b .fixgid +%patch13 -p1 -b .fixpamfork +%patch14 -p1 -b .fixexecgid +%patch15 -p1 -b .nozombies %build export CFLAGS="$RPM_OPT_FLAGS -Werror -Wtype-limits" @@ -226,6 +234,10 @@ rm -rf $RPM_BUILD_ROOT %{python_sitearch}/ecryptfs-utils/_libecryptfs.so %changelog +* Thu Jul 21 2011 Michal Hlavinka - 87-7 +- fix pam module to set ecryptfs gid before mount helper execution +- do not use zombie process, it causes lock ups in ssh + * Tue Jul 19 2011 Michal Hlavinka - 87-6 - do not use memcpy for overlaping areas - fix broken pam module resulting in session with wrong gid