This time, inline with the patch. diff --git a/src/pam_ecryptfs/pam_ecryptfs.c b/src/pam_ecryptfs/pam_ecryptfs.c index 20fc667..5661e67 100644 --- a/src/pam_ecryptfs/pam_ecryptfs.c +++ b/src/pam_ecryptfs/pam_ecryptfs.c @@ -39,6 +39,8 @@ #include "config.h" #include "../include/ecryptfs.h" +#define PRIVATE_DIR "Private" + static void error(const char *msg) { syslog(LOG_ERR, "errno = [%i]; strerror = [%s]\n", errno, @@ -187,10 +189,94 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, return PAM_SUCCESS; } +struct passwd *fetch_pwd(pam_handle_t *pamh) +{ + long rc; + char *username = NULL; + struct passwd *pwd = NULL; + rc = pam_get_user(pamh, &username, NULL); + if (rc != PAM_SUCCESS || username == NULL) { + syslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } + pwd = getpwnam(username); + if (pwd == NULL) { + syslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } + return pwd; +} + +int private_dir(pam_handle_t *pamh, int mount) +{ + int rc; + struct passwd *pwd = NULL; + char *sigfile = NULL; + struct stat s; + pid_t pid; + struct utmp *u; + int count = 0; + + if ((pwd = fetch_pwd(pamh)) == NULL) { + /* fetch_pwd() logged a message */ + return 1; + } + if ( + (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir, + PRIVATE_DIR) < 0) || sigfile == NULL) { + syslog(LOG_ERR, "Error allocating memory for sigfile name"); + return 1; + } + if (stat(sigfile, &s) != 0) { + syslog(LOG_ERR, "Error allocating memory for sigfile name"); + return 1; + } + if (!S_ISREG(s.st_mode)) { + /* No sigfile, no need to mount private dir */ + goto out; + } + if ((pid = fork()) < 0) { + syslog(LOG_ERR, "Error setting up private mount"); + return 1; + } + if (pid == 0) { + if (mount == 1) { + /* run mount.ecryptfs_private as the user */ + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/mount.ecryptfs_private", + "mount.ecryptfs_private", NULL); + } else { + /* run umount.ecryptfs_private as the user */ + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/umount.ecryptfs_private", + "umount.ecryptfs_private", NULL); + } + return 1; + } else { + wait(&rc); + syslog(LOG_INFO, + "Mount of private directory return code [%d]", rc); + goto out; + } +out: + return 0; +} + +int mount_private_dir(pamh) { + return private_dir(pamh, 1); +} + +int umount_private_dir(pamh) { + return private_dir(pamh, 0); +} + PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { + mount_private_dir(pamh); return PAM_SUCCESS; } @@ -198,6 +284,7 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { + umount_private_dir(pamh, 0); return PAM_SUCCESS; } diff --git a/src/utils/ecryptfs-setup-confidential b/src/utils/ecryptfs-setup-confidential index a6a21d7..f1c0716 100755 --- a/src/utils/ecryptfs-setup-confidential +++ b/src/utils/ecryptfs-setup-confidential @@ -182,7 +182,7 @@ echo # Setup private directory in home mkdir -m 700 -p "$CRYPTDIR" || error "Could not create crypt directory [$CRYPTDIR]" mkdir -m 700 -p "$MOUNTPOINT" || error "Could not create mount directory [$MOUNTPOINT]" -touch "$MOUNTPOINT"/"NOT MOUNTED - Run ecryptfs-mount-confidential to mount this directory" +ln -s /sbin/mount.ecryptfs_private "$MOUNTPOINT"/"THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA -- Run mount.ecryptfs_private to mount again" # Setup ~/.ecryptfs directory mkdir -m 700 $HOME/.ecryptfs 2>/dev/null
diff --git a/src/pam_ecryptfs/pam_ecryptfs.c b/src/pam_ecryptfs/pam_ecryptfs.c index 20fc667..5661e67 100644 --- a/src/pam_ecryptfs/pam_ecryptfs.c +++ b/src/pam_ecryptfs/pam_ecryptfs.c @@ -39,6 +39,8 @@ #include "config.h" #include "../include/ecryptfs.h" +#define PRIVATE_DIR "Private" + static void error(const char *msg) { syslog(LOG_ERR, "errno = [%i]; strerror = [%s]\n", errno, @@ -187,10 +189,94 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, return PAM_SUCCESS; } +struct passwd *fetch_pwd(pam_handle_t *pamh) +{ + long rc; + char *username = NULL; + struct passwd *pwd = NULL; + rc = pam_get_user(pamh, &username, NULL); + if (rc != PAM_SUCCESS || username == NULL) { + syslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } + pwd = getpwnam(username); + if (pwd == NULL) { + syslog(LOG_ERR, "Error getting passwd info for user [%s]; " + "rc = [%ld]\n", username, rc); + return NULL; + } + return pwd; +} + +int private_dir(pam_handle_t *pamh, int mount) +{ + int rc; + struct passwd *pwd = NULL; + char *sigfile = NULL; + struct stat s; + pid_t pid; + struct utmp *u; + int count = 0; + + if ((pwd = fetch_pwd(pamh)) == NULL) { + /* fetch_pwd() logged a message */ + return 1; + } + if ( + (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir, + PRIVATE_DIR) < 0) || sigfile == NULL) { + syslog(LOG_ERR, "Error allocating memory for sigfile name"); + return 1; + } + if (stat(sigfile, &s) != 0) { + syslog(LOG_ERR, "Error allocating memory for sigfile name"); + return 1; + } + if (!S_ISREG(s.st_mode)) { + /* No sigfile, no need to mount private dir */ + goto out; + } + if ((pid = fork()) < 0) { + syslog(LOG_ERR, "Error setting up private mount"); + return 1; + } + if (pid == 0) { + if (mount == 1) { + /* run mount.ecryptfs_private as the user */ + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/mount.ecryptfs_private", + "mount.ecryptfs_private", NULL); + } else { + /* run umount.ecryptfs_private as the user */ + setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); + execl("/sbin/umount.ecryptfs_private", + "umount.ecryptfs_private", NULL); + } + return 1; + } else { + wait(&rc); + syslog(LOG_INFO, + "Mount of private directory return code [%d]", rc); + goto out; + } +out: + return 0; +} + +int mount_private_dir(pamh) { + return private_dir(pamh, 1); +} + +int umount_private_dir(pamh) { + return private_dir(pamh, 0); +} + PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { + mount_private_dir(pamh); return PAM_SUCCESS; } @@ -198,6 +284,7 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { + umount_private_dir(pamh, 0); return PAM_SUCCESS; } diff --git a/src/utils/ecryptfs-setup-confidential b/src/utils/ecryptfs-setup-confidential index a6a21d7..f1c0716 100755 --- a/src/utils/ecryptfs-setup-confidential +++ b/src/utils/ecryptfs-setup-confidential @@ -182,7 +182,7 @@ echo # Setup private directory in home mkdir -m 700 -p "$CRYPTDIR" || error "Could not create crypt directory [$CRYPTDIR]" mkdir -m 700 -p "$MOUNTPOINT" || error "Could not create mount directory [$MOUNTPOINT]" -touch "$MOUNTPOINT"/"NOT MOUNTED - Run ecryptfs-mount-confidential to mount this directory" +ln -s /sbin/mount.ecryptfs_private "$MOUNTPOINT"/"THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA -- Run mount.ecryptfs_private to mount again" # Setup ~/.ecryptfs directory mkdir -m 700 $HOME/.ecryptfs 2>/dev/null
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php
_______________________________________________ eCryptfs-devel mailing list eCryptfs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel