On Fri, Aug 22, 2008 at 12:46:57PM +0100, Dustin Kirkland wrote: > [PATCH] ecryptfs-setup-private: check that directories are empty > before setting up
Merged. > ecryptfs-setup-private should check that Private and .Private are > empty before setting up. > > If data already exists in ~/Private, and pam_ecryptfs regularly > performs a mount on top of it, then that data would be hidden from > view, and not encrypted (as the user might expect). > > If data already exists in ~/.Private, then that's likely encrypted > data, which will probably not be readable once we generate a new > mounting passphrase, etc. > > Thus, we need to stop ecryptfs-setup-private and tell the user to > clear out those directories before proceeding. > > *** Note, it would be very nice to provide a utility to "encrypt" the > existing data in place, in an existing Private directory. We could > use something like "rsync -a" to copy the data to a tempdir, perform > the ecryptfs mount, and then sync the data back into place. However, > all sorts of race conditions could occur, with other processes > potentially reading/writing data during the "encryption migration"--a > much harder problem to solve than it initially seems. > diff -upr ecryptfs-utils-53/src/utils/ecryptfs-setup-private > ecryptfs-utils-53.new/src/utils/ecryptfs-setup-private > --- ecryptfs-utils-53/src/utils/ecryptfs-setup-private 2008-08-22 > 12:01:30.043671882 +0100 > +++ ecryptfs-utils-53.new/src/utils/ecryptfs-setup-private 2008-08-22 > 12:10:15.771880356 +0100 
> @@ -118,6 +118,18 @@ CRYPTDIR="$HOME/.$PRIVATE_DIR" > grep -qs "$MOUNTPOINT " /proc/mounts && error "[$MOUNTPOINT] is already > mounted" > grep -qs "$CRYPTDIR " /proc/mounts && error "[$CRYPTDIR] is already mounted" > > +# Check that the mount point and encrypted directory are empty. > +# Perhaps one day we could provide a migration mode (using rsync or > something), > +# but this would be VERY hard to do safely. > +count=`ls -Al "$MOUNTPOINT" 2>/dev/null | grep -v "^total" | grep -v > "^l.*mount.ecryptfs_private$" | wc -l` > +if [ "$count" != "0" ]; then > + error "$MOUNTPOINT must be empty before proceeding" > +fi > +count=`ls -Al "$CRYPTDIR" 2>/dev/null | grep -v "^total" | wc -l` > +if [ "$count" != "0" ]; then > + error "$CRYPTDIR must be empty before proceeding" > +fi > + > stty_orig=`stty -g` > # Prompt for the LOGINPASS, if not on the command line and not in the > environment > if [ -z "$LOGINPASS" ]; then > ------------------------------------------------------------------------- > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge > Build the coolest Linux based applications with Moblin SDK & win great prizes > Grand prize is a trip for two to an Open Source event anywhere in the world > http://moblin-contest.org/redirect.php?banner_id=100&url=/ > _______________________________________________ > eCryptfs-devel mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel
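Review bot: both new checks discard the ls error output with 2>/dev/null and then count lines, so a $MOUNTPOINT or $CRYPTDIR that exists but cannot be listed produces a count of 0 and is treated as empty, letting setup proceed over data the script never saw. Suggest testing first that each path is a directory and is readable, and calling error if the listing fails, rather than folding "could not list" into "empty". In the $MOUNTPOINT check, the exclusion grep -v "^l.*mount.ecryptfs_private$" also drops every symlink whose listing line ends in that string (the dot is unescaped and the link name is not checked), so it would be tighter to exempt only the one expected link by name and target. A short comment saying which link that exclusion is for would help the next reader.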
