From bf348735525e6e845bfa3c9054bdcf34653c4aec Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Sep 27 2012 13:23:22 +0000 Subject: do not crash in pam module when non-existent user name is used (#859766) --- diff --git a/ecryptfs-utils-87-pamdata.patch b/ecryptfs-utils-87-pamdata.patch index 01fe08e..bc8319d 100644 --- a/ecryptfs-utils-87-pamdata.patch +++ b/ecryptfs-utils-87-pamdata.patch @@ -1,6 +1,6 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2012-08-20 14:39:10.895860230 +0200 -+++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c 2012-08-20 14:39:52.177176922 +0200 +--- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata 2012-09-27 15:00:56.127148058 +0200 ++++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c 2012-09-27 15:03:45.105625179 +0200 @@ -47,6 +47,26 @@ #define PRIVATE_DIR "Private" @@ -37,7 +37,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti { char *unwrapped_pw_filename = NULL; struct stat s; -@@ -98,138 +118,63 @@ static int wrap_passphrase_if_necessary( +@@ -96,138 +116,66 @@ static int wrap_passphrase_if_necessary( PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { @@ -54,10 +54,10 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti char *private_mnt = NULL; - pid_t child_pid, tmp_pid; long rc; -+ struct ecryptfs_pam_data *epd = {0,}; ++ struct ecryptfs_pam_data *epd; - rc = pam_get_user(pamh, &username, NULL); -+ if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) { ++ if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) { + syslog(LOG_ERR,"Memory allocation failed"); + rc = -ENOMEM; + goto out; @@ -68,21 +68,23 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti struct passwd *pwd; - pwd = getpwnam(username); ++ errno = 0; + pwd = getpwnam(epd->username); if (pwd) { - uid = pwd->pw_uid; - gid = pwd->pw_gid; - homedir = pwd->pw_dir; +- } +- } else { +- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); +- goto out; + epd->uid = pwd->pw_uid; + epd->gid = pwd->pw_gid; + epd->homedir = pwd->pw_dir; - } - } else { -- syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); -+ syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); - goto out; ++ rc = 0; ++ } else rc = errno; } - +- - if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0 || - (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) { - syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); @@ -91,12 +93,14 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti - - if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) { - syslog(LOG_ERR, "pam_ecryptfs: seteuid error"); -+ if (!file_exists_dotecryptfs(epd->homedir, "auto-mount")) ++ if (!epd->homedir) { ++ syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); goto out; -- } -- + } + - if (!file_exists_dotecryptfs(homedir, "auto-mount")) -- goto out; ++ if (!file_exists_dotecryptfs(epd->homedir, "auto-mount")) + goto out; - private_mnt = ecryptfs_fetch_private_mnt(homedir); + private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { @@ -203,7 +207,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.pamdata ecryptfs-uti if (private_mnt != NULL) free(private_mnt); return PAM_SUCCESS; -@@ -374,10 +319,119 @@ static int umount_private_dir(pam_handle +@@ -372,10 +320,119 @@ static int umount_private_dir(pam_handle return private_dir(pamh, 0); } diff --git a/ecryptfs-utils-87-syslog.patch b/ecryptfs-utils-87-syslog.patch index 24166f6..5024953 100644 --- a/ecryptfs-utils-87-syslog.patch +++ b/ecryptfs-utils-87-syslog.patch @@ -1,6 +1,6 @@ diff -up ecryptfs-utils-100/src/include/ecryptfs.h.syslog ecryptfs-utils-100/src/include/ecryptfs.h ---- ecryptfs-utils-100/src/include/ecryptfs.h.syslog 2012-08-20 15:49:24.351952427 +0200 -+++ ecryptfs-utils-100/src/include/ecryptfs.h 2012-08-20 15:49:24.355952459 +0200 +--- ecryptfs-utils-100/src/include/ecryptfs.h.syslog 2012-09-27 15:04:15.639901578 +0200 ++++ ecryptfs-utils-100/src/include/ecryptfs.h 2012-09-27 15:04:15.659901767 +0200 @@ -143,7 +143,7 @@ #define ECRYPTFS_TAG_67_PACKET 0x43 @@ -11,8 +11,8 @@ diff -up ecryptfs-utils-100/src/include/ecryptfs.h.syslog ecryptfs-utils-100/src #define ECRYPTFS_MAX_NUM_CIPHERS 64 #define ECRYPTFS_ECHO_ON 1 diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c ---- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2012-08-20 15:49:24.348952403 +0200 -+++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c 2012-08-20 15:49:34.357033235 +0200 +--- ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog 2012-09-27 15:04:15.626901456 +0200 ++++ ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c 2012-09-27 15:04:59.003302383 +0200 @@ -94,7 +94,7 @@ static int wrap_passphrase_if_necessary( rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username); @@ -32,24 +32,24 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return rc; } @@ -122,7 +122,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - struct ecryptfs_pam_data *epd = {0,}; + struct ecryptfs_pam_data *epd; - if ((epd = malloc(sizeof(struct ecryptfs_pam_data))) == NULL) { + if ((epd = calloc(1, sizeof(struct ecryptfs_pam_data))) == NULL) { - syslog(LOG_ERR,"Memory allocation failed"); + ecryptfs_syslog(LOG_ERR,"Memory allocation failed"); rc = -ENOMEM; goto out; } -@@ -138,7 +138,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h - epd->homedir = pwd->pw_dir; - } - } else { +@@ -141,7 +141,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h + } else rc = errno; + } + if (!epd->homedir) { - syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); + ecryptfs_syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user; rc = [%ld]\n", rc); goto out; } -@@ -146,7 +146,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -149,7 +149,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h goto out; private_mnt = ecryptfs_fetch_private_mnt(epd->homedir); if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { @@ -58,7 +58,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util /* If private/home is already mounted, then we can skip costly loading of keys */ goto out; -@@ -157,7 +157,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -160,7 +160,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&epd->passphrase); epd->passphrase = strdup(epd->passphrase); if (rc != PAM_SUCCESS) { @@ -67,7 +67,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util rc); goto out; } -@@ -168,7 +168,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h +@@ -171,7 +171,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h from_hex(epd->salt, salt_hex, ECRYPTFS_SALT_SIZE); epd->unwrap = ((argc == 1) && (memcmp(argv[0], "unwrap\0", 7) == 0)); if ((rc=pam_set_data(pamh, ECRYPTFS_PAM_DATA, epd, pam_free_ecryptfsdata)) != PAM_SUCCESS) { @@ -76,7 +76,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util goto out; } -@@ -192,12 +192,12 @@ static struct passwd *fetch_pwd(pam_hand +@@ -195,12 +195,12 @@ static struct passwd *fetch_pwd(pam_hand rc = pam_get_user(pamh, &username, NULL); if (rc != PAM_SUCCESS || username == NULL) { @@ -91,7 +91,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return NULL; } return pwd; -@@ -228,13 +228,13 @@ static int private_dir(pam_handle_t *pam +@@ -231,13 +231,13 @@ static int private_dir(pam_handle_t *pam if ( (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0) || autofile == NULL) { @@ -107,7 +107,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return 1; } if (stat(sigfile, &s) != 0) { -@@ -246,7 +246,7 @@ static int private_dir(pam_handle_t *pam +@@ -249,7 +249,7 @@ static int private_dir(pam_handle_t *pam goto out; } if ((pid = fork()) < 0) { @@ -116,7 +116,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return 1; } if (pid == 0) { -@@ -254,7 +254,7 @@ static int private_dir(pam_handle_t *pam +@@ -257,7 +257,7 @@ static int private_dir(pam_handle_t *pam if ((asprintf(&recorded, "%s/.ecryptfs/.wrapped-passphrase.recorded", pwd->pw_dir) < 0) || recorded == NULL) { @@ -125,7 +125,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util _exit(255); } if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { -@@ -266,12 +266,12 @@ static int private_dir(pam_handle_t *pam +@@ -269,12 +269,12 @@ static int private_dir(pam_handle_t *pam } if (stat(autofile, &s) != 0) { /* User does not want to auto-mount */ @@ -140,7 +140,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util _exit(255); } /* run mount.ecryptfs_private as the user */ -@@ -279,16 +279,16 @@ static int private_dir(pam_handle_t *pam +@@ -282,16 +282,16 @@ static int private_dir(pam_handle_t *pam _exit(255); execl("/sbin/mount.ecryptfs_private", "mount.ecryptfs_private", NULL); @@ -160,7 +160,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util _exit(255); } /* run umount.ecryptfs_private as the user */ -@@ -296,7 +296,7 @@ static int private_dir(pam_handle_t *pam +@@ -299,7 +299,7 @@ static int private_dir(pam_handle_t *pam _exit(255); execl("/sbin/umount.ecryptfs_private", "umount.ecryptfs_private", NULL); @@ -169,7 +169,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util _exit(255); } _exit(255); -@@ -331,24 +331,24 @@ static int fill_keyring(pam_handle_t *pa +@@ -334,24 +334,24 @@ static int fill_keyring(pam_handle_t *pa if ((rc=pam_get_data(pamh, ECRYPTFS_PAM_DATA, (const void **)&epd)) != PAM_SUCCESS) { @@ -198,7 +198,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util return -ENOMEM; } -@@ -364,12 +364,12 @@ static int fill_keyring(pam_handle_t *pa +@@ -367,12 +367,12 @@ static int fill_keyring(pam_handle_t *pa goto out_child; if (epd->passphrase == NULL) { @@ -213,7 +213,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util "Cannot validate keyring integrity\n"); } rc = 0; -@@ -381,12 +381,12 @@ static int fill_keyring(pam_handle_t *pa +@@ -384,12 +384,12 @@ static int fill_keyring(pam_handle_t *pa epd->homedir, ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); if (rc == -1) { @@ -228,7 +228,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util } else { goto out_child; } -@@ -402,7 +402,7 @@ static int fill_keyring(pam_handle_t *pa +@@ -405,7 +405,7 @@ static int fill_keyring(pam_handle_t *pa goto out_child; } if (rc) { @@ -237,7 +237,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util "user session keyring; rc = [%d]\n", rc); goto out_child; } -@@ -412,7 +412,7 @@ out_child: +@@ -415,7 +415,7 @@ out_child: } tmp_pid = waitpid(child_pid, NULL, 0); if (tmp_pid == -1) @@ -246,7 +246,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util "waitpid() returned with error condition\n"); out: rc = seteuid(oeuid); -@@ -470,33 +470,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -473,33 +473,33 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand homedir = pwd->pw_dir; } } else { @@ -285,7 +285,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util rc = PAM_AUTHTOK_RECOVER_ERR; } goto out; -@@ -504,13 +504,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -507,13 +507,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand if ((rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&new_passphrase)) != PAM_SUCCESS) { @@ -301,7 +301,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util rc = -ENOMEM; goto out; } -@@ -520,13 +520,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -523,13 +523,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE); } if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, new_passphrase, salt) == 0) { @@ -317,7 +317,7 @@ diff -up ecryptfs-utils-100/src/pam_ecryptfs/pam_ecryptfs.c.syslog ecryptfs-util rc = PAM_AUTHTOK_RECOVER_ERR; goto out; } -@@ -546,20 +546,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand +@@ -549,20 +549,20 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand if ((rc = ecryptfs_unwrap_passphrase(passphrase, wrapped_pw_filename, old_passphrase, salt))) { diff --git a/ecryptfs-utils.spec b/ecryptfs-utils.spec index 83c6a24..58d8488 100644 --- a/ecryptfs-utils.spec +++ b/ecryptfs-utils.spec @@ -5,7 +5,7 @@ Name: ecryptfs-utils Version: 100 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The eCryptfs mount helper and support libraries Group: System Environment/Base License: GPLv2+ @@ -262,6 +262,9 @@ rm -rf $RPM_BUILD_ROOT %{python_sitearch}/ecryptfs-utils/_libecryptfs.so %changelog +* Thu Sep 27 2012 Michal Hlavinka - 100-3 +- do not crash in pam module when non-existent user name is used (#859766) + * Mon Aug 20 2012 Michal Hlavinka - 100-2 - fix Werror messages in new build environment