[PATCH] ecryptfs-*-confidential: rollup of several patchsets For easy of application, this is a rollup of some unapplied changes, as well as some new changes.
Changed: * src/utils/ecryptfs-mount-confidential * switch fallback/default from ~/Confidential to ~/Private * source .ecryptfs/confidential rather than .ecryptfsrc * strengthen grep for ENCRYPTED_DIR * src/utils/ecryptfs-umount-confidential * the ^M's are driving me nuts, we need to figure how why this is happening * switch fallback/default from ~/Confidential to ~/Private * source .ecryptfs/confidential rather than .ecryptfsrc * strengthen grep for ENCRYPTED_DIR and use `mount` instead * src/utils/ecryptfs-setup-confidential * switch fallback/default from ~/Confidential to ~/Private * use $USER rather than $USERNAME (so that we can pull from environment) * remove the global root check, and just use 'sudo' on the few operations where necessary; this removes *a lot* of chown/chmod operations where we had to change owernship/permissions from root to $USER * create an error function that prints an ERROR message and exits non-zero; use this everywhere we were previously doing this (and add more checks and meaningful error messages) * move the active mount check above the fstab pruning * rework fstab stanza in a cleaner manner Let me know if you have any questions/comments. Signed-off-by: Dustin Kirkland <[EMAIL PROTECTED]> :-Dustin
diff --git a/src/utils/ecryptfs-mount-confidential b/src/utils/ecryptfs-mount-confidential
index d445923..fb97310 100755
--- a/src/utils/ecryptfs-mount-confidential
+++ b/src/utils/ecryptfs-mount-confidential
@@ -8,10 +8,10 @@
if [ -f $HOME/.ecryptfs/auto-mount ]; then
- CONFIDENTIAL="$HOME/Confidential"
- . $HOME/.ecryptfsrc 2>/dev/null || /bin/true
+ CONFIDENTIAL="$HOME/Private"
+ . $HOME/.ecryptfs/confidential 2>/dev/null || /bin/true
if ! mount | grep -q "$CONFIDENTIAL type ecryptfs"; then
- ENCRYPTED_DIR=`grep " $CONFIDENTIAL " /etc/fstab | awk '{print $1}'`
+ ENCRYPTED_DIR=`grep " $CONFIDENTIAL ecryptfs " /etc/fstab | awk '{print $1}'`
chmod 700 "$CONFIDENTIAL" "$ENCRYPTED_DIR"
mount -i "$CONFIDENTIAL"
fi
diff --git a/src/utils/ecryptfs-setup-confidential b/src/utils/ecryptfs-setup-confidential
index 2ea8ed7..db52029 100755
--- a/src/utils/ecryptfs-setup-confidential
+++ b/src/utils/ecryptfs-setup-confidential
@@ -1,5 +1,5 @@
#!/bin/sh
-# This script sets up an ecryptfs mount in a user's ~/Confidential, configures
+# This script sets up an ecryptfs mount in a user's ~/Private, configures
# fstab, pam, and bash to attach and wrap on login.
#
# Originally ecryptfs-setup-pam-wrapped.sh by Michael Halcrow, IBM
@@ -11,22 +11,22 @@
usage() {
echo
echo "Usage:"
- echo "# $0 [--username USERNAME]"
+ echo "# $0 [--username USER]"
echo " [--loginpass LOGINPASS] [--mountpass MOUNTPASS]"
echo " [--mountpoint MOUNTPOINT] [--cryptdir CRYPTDIR]"
echo
echo " --username Username for encrypted confidential mountpoint"
- echo " --loginpass System passphrase for USERNAME, used to wrap MOUNTPASS"
+ echo " --loginpass System passphrase for USER, used to wrap MOUNTPASS"
echo " --mountpass Passphrase for mounting the ecryptfs directory"
- echo " --mountpoint Defaults to ~USERNAME/Confidential, override here"
- echo " --cryptdir Defaults to ~USERNAME/.Confidential, override here"
+ echo " --mountpoint Defaults to ~USER/Private, override here"
+ echo " --cryptdir Defaults to ~USER/.Private, override here"
echo
echo " Be sure to properly escape your parameters according to your"
echo " shell's special character nuances, and also surround the"
echo " parameters by double quotes, if necessary."
echo
echo " Any of these parameters may be:"
- echo " 1) exported as environment variables (USERNAME, MOUNTPASS,"
+ echo " 1) exported as environment variables (USER, MOUNTPASS,"
echo " LOGINPASS, MOUNTPOINT, CRYPTDIR)"
echo " 2) specified on the command line"
echo " 3) left empty and interactively prompted"
@@ -37,19 +37,19 @@ usage() {
exit 1
}
-if ! whoami | grep "^root$" >/dev/null ; then
- echo "ERROR: Please run this script as root (sudo $0)"
+error() {
+ echo "ERROR: $1"
exit 1
-fi
+}
if [ ! -z "$SUDO_USER" ]; then
- USERNAME="$SUDO_USER"
+ USER="$SUDO_USER"
fi
while [ ! -z "$1" ]; do
case "$1" in
--username)
- USERNAME="$2"
+ USER="$2"
shift 2
;;
--loginpass)
@@ -74,28 +74,25 @@ while [ ! -z "$1" ]; do
esac
done
-if [ -z "$USERNAME" ]; then
- read -p "Enter the username: " -r USERNAME
- if [ -z "$USERNAME" ]; then
- echo "ERROR: You must provide a username"
+if [ -z "$USER" ]; then
+ read -p "Enter the username: " -r USER
+ if [ -z "$USER" ]; then
+ error "You must provide a username"
fi
fi
-if ! grep "^$USERNAME:" /etc/passwd >/dev/null; then
- echo "ERROR: User [$USERNAME] does not exist"
- exit 1
+if ! grep "^$USER:" /etc/passwd >/dev/null; then
+ error "User [$USER] does not exist"
fi
-HOME=`grep "^$USERNAME:" /etc/passwd | awk -F: '{print $6}'`
+HOME=`grep "^$USER:" /etc/passwd | awk -F: '{print $6}'`
if [ ! -d "$HOME" ]; then
- echo "ERROR: User home directory [$HOME] does not exist"
- exit 1
+ error "User home directory [$HOME] does not exist"
fi
if [ -z "$LOGINPASS" ]; then
read -p "Enter your login passphrase: " -r LOGINPASS
if [ -z "$LOGINPASS" ]; then
- echo "ERROR: You must provide the login passphrase"
- usage
+ error "You must provide the login passphrase"
fi
fi
@@ -109,9 +106,9 @@ if [ -z "$MOUNTPASS" ]; then
fi
if [ -z "$MOUNTPOINT" ]; then
- read -p "Enter the confidential mountpoint [$HOME/Confidential]: " -r MOUNTPOINT
+ read -p "Enter the confidential mountpoint [$HOME/Private]: " -r MOUNTPOINT
if [ -z "$MOUNTPOINT" ]; then
- MOUNTPOINT="$HOME/Confidential"
+ MOUNTPOINT="$HOME/Private"
fi
fi
@@ -129,8 +126,7 @@ if [ -f "/etc/pam.d/system-auth" ]; then
elif [ -f "/etc/pam.d/common-auth" ]; then
PAM_CONF=/etc/pam.d/common-auth
else
- echo "ERROR: Cannot determine location of PAM system/common auth configuration"
- exit 1
+ error "Cannot determine location of PAM system/common auth configuration"
fi
if [ -f "/lib/security/libpam_ecryptfs.so" ]; then
@@ -138,10 +134,9 @@ if [ -f "/lib/security/libpam_ecryptfs.so" ]; then
elif [ -f "/lib/security/pam_ecryptfs.so" ]; then
PAM_LIB=pam_ecryptfs.so
else
- echo "ERROR: Cannot find ecryptfs PAM library"
- exit 1
+ error "Cannot find ecryptfs PAM library"
fi
-echo "Using username [$USERNAME]"
+echo "Using username [$USER]"
echo "Using mount passphrase [$MOUNTPASS]"
echo "Using login passphrase [$LOGINPASS]"
echo "Using mount point [$MOUNTPOINT]"
@@ -162,29 +157,37 @@ echo
###############################################################################
# Setup confidential directory in home
-modprobe ecryptfs
-mkdir -m 500 -p "$MOUNTPOINT"
-mkdir -m 500 -p "$CRYPTDIR"
-chown $USERNAME:$USERNAME "$MOUNTPOINT" "$CRYPTDIR"
+sudo modprobe ecryptfs || error "Could not load ecryptfs driver"
+mkdir -m 500 -p "$CRYPTDIR" || error "Could not create crypt directory [$CRYPTDIR]"
+mkdir -m 700 -p "$MOUNTPOINT" || error "Could not create mount directory [$MOUNTPOINT]"
+chmod 700 "$MOUNTPOINT" || error "Could not change permissions on [$MOUNTPOINT]"
touch "$MOUNTPOINT"/"NOT MOUNTED - Run ecryptfs-mount-confidential to mount this directory"
+chmod 500 "$MOUNTPOINT"
+
+# Check for an active mount
+sudo umount "$MOUNTPOINT" 2>/dev/null
+if mount | grep "$MOUNTPOINT type ecryptfs"; then
+ error "[$MOUNTPOINT] still mounted after umount"
+fi
-# Prune out of fstab, and check for an active mount
+# Prune out of fstab
tmpfile=`mktemp`
grep -v "$MOUNTPOINT.*,ecryptfs_sig=.*" /etc/fstab > $tmpfile
chmod --reference /etc/fstab $tmpfile
-chown --reference /etc/fstab $tmpfile
-mv -f $tmpfile /etc/fstab
-umount "$MOUNTPOINT" 2>/dev/null
-if mount | grep "$MOUNTPOINT type ecryptfs"; then
- echo "ERROR: $MOUNTPOINT still mounted after umount"
- exit 1
-fi
+sudo chown --reference /etc/fstab $tmpfile || error "Could not update /etc/fstab"
+sudo mv -f $tmpfile /etc/fstab || error "Could not update /etc/fstab"
# Setup /etc/fstab
# BUG: passwd will be momentarily visible in "ps -ef" output
-mount -t ecryptfs "$CRYPTDIR" "$MOUNTPOINT" -o key=passphrase:passwd="$MOUNTPASS",ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,no_sig_cache
-grep ecryptfs_sig /etc/mtab | grep "$MOUNTPOINT" | sed 's/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16,user,noauto,/' >> /etc/fstab
-umount "$MOUNTPOINT"
+sudo mount -t ecryptfs "$CRYPTDIR" "$MOUNTPOINT" -o key=passphrase:passwd="$MOUNTPASS",ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,no_sig_cache || error "Could not perform test ecryptfs mount"
+mtab=`cat /etc/mtab | grep "$CRYPTDIR $MOUNTPOINT ecryptfs rw,ecryptfs_sig=" | sed "s/\s0\s0$/,user,noauto 0 0/"`
+tmpfile1=`mktemp`
+cat /etc/fstab > $tmpfile1
+echo "$mtab" >> $tmpfile1
+chmod --reference /etc/fstab $tmpfile1
+sudo chown --reference /etc/fstab $tmpfile1
+sudo mv -f $tmpfile1 /etc/fstab || error "Could not append mount to /etc/fstab"
+sudo umount "$MOUNTPOINT" || error "Could not unmount [$MOUNTPOINT]"
# Setup PAM
tmpfile1=`mktemp`
@@ -197,37 +200,30 @@ echo "auth required $PAM_LIB unwrap" >> $tmpfile2
grep -A 100000 "auth\s.*pam_unix.so" $tmpfile1 | grep -v "auth\s.*pam_unix.so" >> $tmpfile2
rm -f $tmpfile1
chmod --reference $PAM_CONF $tmpfile2
-chown --reference $PAM_CONF $tmpfile2
-mv -f $tmpfile2 $PAM_CONF
+sudo chown --reference $PAM_CONF $tmpfile2 || error "Could not update PAM configuration"
+sudo mv -f $tmpfile2 $PAM_CONF || error "Could not update PAM configuration"
# Setup bash profile
if ! grep "ecryptfs-mount-confidential" $HOME/.bash_profile >/dev/null; then
- echo "ecryptfs-mount-confidential" >> $HOME/.bash_profile
- chown $USERNAME:$USERNAME $HOME/.bash_profile
+ echo "ecryptfs-mount-confidential" >> $HOME/.bash_profile || error "Could not configure bash profile"
fi
if ! grep "ecryptfs-umount-confidential" $HOME/.bash_logout >/dev/null; then
- echo "ecryptfs-umount-confidential" >> $HOME/.bash_logout
- chown $USERNAME:$USERNAME $HOME/.bash_logout
+ echo "ecryptfs-umount-confidential" >> $HOME/.bash_logout || error "Could not configure bash logout"
fi
# Setup gnome desktop autostart
-mkdir -p $HOME/.config/autostart/
-chown -R $USERNAME:$USERNAME $HOME/.config/autostart/
+mkdir -p $HOME/.config/autostart/ 2>/dev/null
echo "
[Desktop Entry]
Type=Application
-Name=Ecryptfs Mount Confidential
+Name=Ecryptfs Mount Private
Exec=/usr/bin/ecryptfs-mount-confidential
X-GNOME-Autostart-enabled=true
-" > $HOME/.config/autostart/ecryptfs-mount-confidential.desktop
-chown $USERNAME:$USERNAME $HOME/.config/autostart/ecryptfs-mount-confidential.desktop
-
+" > $HOME/.config/autostart/ecryptfs-mount-confidential.desktop || error "Could not create desktop autostart file"
# Setup ~/.ecryptfs directory
mkdir -m 700 $HOME/.ecryptfs 2>/dev/null
-chown $USERNAME:$USERNAME $HOME/.ecryptfs
-touch $HOME/.ecryptfs/auto-mount
-chown $USERNAME:$USERNAME $HOME/.ecryptfs/auto-mount
+touch $HOME/.ecryptfs/auto-mount || error "Could not setup ecryptfs auto-mount"
# Backup any existing wrapped-passphrase
if [ -z "$HOME/.ecryptfs/wrapped-passphrase" ]; then
timestamp=`date +%Y%m%d%H%M%S`
@@ -236,19 +232,17 @@ fi
# BUG: passphrases will be momentarily visible in "ps -ef" output
ecryptfs-wrap-passphrase $HOME/.ecryptfs/wrapped-passphrase "$MOUNTPASS" "$LOGINPASS"
chmod 400 $HOME/.ecryptfs/wrapped-passphrase
-chown $USERNAME:$USERNAME $HOME/.ecryptfs/wrapped-passphrase
-# Setup .ecryptfsrc to store the confidential mountpoint
-tmpfile1=`mktemp $HOME/.ecryptfsrc.XXXXXX`
-chmod 400 $tmpfile1
-chown $USERNAME:$USERNAME $tmpfile1
-grep -v "CONFIDENTIAL=" $HOME/.ecryptfsrc > $tmpfile1
+# Setup .ecryptfs/confidential to store the confidential mountpoint
+tmpfile1=`mktemp $HOME/.ecryptfs/confidential.XXXXXX`
+chmod 600 $tmpfile1
+grep -v "CONFIDENTIAL=" $HOME/.ecryptfs/confidential > $tmpfile1
echo "CONFIDENTIAL=\"$MOUNTPOINT\"" >> $tmpfile1
-mv -f $tmpfile1 $HOME/.ecryptfsrc
+mv -f $tmpfile1 $HOME/.ecryptfs/confidential
echo
echo "Done."
echo
-echo "$USERNAME should log in and check the output of the 'mount' command."
+echo "$USER should log in and check the output of the 'mount' command."
echo
exit 0
diff --git a/src/utils/ecryptfs-umount-confidential b/src/utils/ecryptfs-umount-confidential
index 418f0dc..7c061ae 100755
--- a/src/utils/ecryptfs-umount-confidential
+++ b/src/utils/ecryptfs-umount-confidential
@@ -1,18 +1,19 @@
-#!/bin/sh
-# This script unmounts a user's confidential ecryptfs folder, and makes
-# both the mountpoint and underlying encrypted directories read-only.
-#
-# Original by Michael Halcrow, IBM
-# Extracted to a stand-alone script by Dustin Kirkland <[EMAIL PROTECTED]>
-
-CONFIDENTIAL="$HOME/Private"
-if mount | grep -q "$CONFIDENTIAL type ecryptfs"; then
- username=`whoami`
- count=`who | grep "^$username " | wc -l`
- if [ $count -le 1 ]; then
- ENCRYPTED_DIR=`grep " $CONFIDENTIAL " /etc/fstab | awk '{print $1}'`
- umount -l "$CONFIDENTIAL" && chmod 500 "$CONFIDENTIAL" "$ENCRYPTED_DIR"
- fi
-fi
-
-ecryptfs-zombie-kill
+#!/bin/sh
+# This script unmounts a user's confidential ecryptfs folder, and makes
+# both the mountpoint and underlying encrypted directories read-only.
+#
+# Original by Michael Halcrow, IBM
+# Extracted to a stand-alone script by Dustin Kirkland <[EMAIL PROTECTED]>
+
+CONFIDENTIAL="$HOME/Private"
+. $HOME/.ecryptfs/confidential 2>/dev/null || /bin/true
+if mount | grep -q "$CONFIDENTIAL type ecryptfs"; then
+ username=`whoami`
+ count=`who | grep "^$username " | wc -l`
+ if [ $count -le 1 ]; then
+ ENCRYPTED_DIR=`mount | grep "$CONFIDENTIAL type ecryptfs.*user=$username)" | awk '{print $1}'`
+ umount -l "$CONFIDENTIAL" && chmod 500 "$CONFIDENTIAL" "$ENCRYPTED_DIR"
+ fi
+fi
+
+ecryptfs-zombie-kill
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php
_______________________________________________ eCryptfs-devel mailing list eCryptfs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
