Hello community, here is the log from the commit of package ecryptfs-utils for openSUSE:Factory checked in at Mon Jun 6 13:56:34 CEST 2011.
-------- --- ecryptfs-utils/ecryptfs-utils.changes 2010-04-10 17:40:48.000000000 +0200 +++ /mounts/work_src_done/STABLE/ecryptfs-utils/ecryptfs-utils.changes 2011-04-18 17:09:01.000000000 +0200 @@ -1,0 +2,58 @@ +Mon Apr 18 17:06:50 CEST 2011 - meiss...@suse.de + +- Updated to 87 + * src/utils/ecryptfs-setup-private: update the Private.* selinux + contexts + * src/utils/ecryptfs-setup-private: + - add -p to mkdir, address noise for a non-error + - must insert keys during testing phase, since we remove keys on + unmount now, LP: #725862 + * src/utils/ecryptfs_rewrap_passphrase.c: confirm passphrases in + interactive mode, LP: #667331 +- Updated to 86 + * src/pam_ecryptfs/pam_ecryptfs.c: + - check if this file exists and ask the user for the wrapping passphrase + if it does + - eliminate both ecryptfs_pam_wrapping_independent_set() and + ecryptfs_pam_automount_set() and replace with a reusable + file_exists_dotecryptfs() function + * src/utils/mount.ecryptfs_private.c: + - support multiple, user configurable private directories by way of + a command line "alias" argument + - this "alias" references a configuration file by the name of: + $HOME/.ecryptfs/alias.conf, which is in an fstab(5) format, + as well as $HOME/.ecryptfs/alias.sig, in the same format as + Private.sig + - if no argument specified, the utility operates in legacy mode, + defaulting to "Private" + - rename variables, s/dev/src/ and s/mnt/dest/ + - add a read_config() function + - add an alias char* to replace the #defined ECRYPTFS_PRIVATE_DIR + - this is half of the fix to LP: #615657 + * doc/manpage/mount.ecryptfs_private.1: document these changes + * src/libecryptfs/main.c, src/utils/mount.ecryptfs_private.c: + - allow umount.ecryptfs_private to succeed when the key is no + longer in user keyring. +- Updated to 85 + * src/utils/ecryptfs-recover-private: clean sigs of invalid characters + * src/utils/mount.ecryptfs_private.c: + - fix bug LP: #313812, clear used keys on unmount + - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from + umount.ecryptfs behave similarly + - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek + * src/utils/ecryptfs-migrate-home: + - support user databases outside of /etc/passwd, LP: #627506 +- Updated to 84 + * src/desktop/ecryptfs-record-passphrase: fix typo, LP: #524139 + * debian/rules, debian/control: + - disable the gpg key module, as it's not yet functional + - clean up unneeded build-deps + - also, not using opencryptoki either + * doc/manpage/ecryptfs.7: fix minor documentation bug, reported by + email by Jon 'maddog' Hall + * doc/manpage/ecryptfs-recover-private.1, doc/manpage/Makefile.am, + po/POTFILES.in, src/utils/ecryptfs-recover-private, + src/utils/Makefile.am: add a utility to simplify data recovery + of an encrypted private directory from a Live ISO, LP: #689969 + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- ecryptfs-utils_83.orig.tar.gz New: ---- ecryptfs-utils_87.orig.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ecryptfs-utils.spec ++++++ --- /var/tmp/diff_new_pack.iwioJt/_old 2011-06-06 13:55:48.000000000 +0200 +++ /var/tmp/diff_new_pack.iwioJt/_new 2011-06-06 13:55:48.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package ecryptfs-utils (Version 83) +# spec file for package ecryptfs-utils # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,8 +24,8 @@ Group: Productivity/Security AutoReqProv: on Summary: Userspace Utilities for ecryptfs -Version: 83 -Release: 2 +Version: 87 +Release: 1 Source0: http://launchpad.net/ecryptfs/trunk/%version/+download/ecryptfs-utils_%version.orig.tar.gz Source1: baselibs.conf BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ ecryptfs-utils_83.orig.tar.gz -> ecryptfs-utils_87.orig.tar.gz ++++++ ++++ 4269 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/configure.ac new/ecryptfs-utils-87/configure.ac --- old/ecryptfs-utils-83/configure.ac 2010-02-17 21:25:40.000000000 +0100 +++ new/ecryptfs-utils-87/configure.ac 2011-03-09 14:30:32.000000000 +0100 @@ -10,7 +10,7 @@ AC_PREREQ(2.59) -AC_INIT([ecryptfs-utils],[83]) +AC_INIT([ecryptfs-utils],[87]) AC_CANONICAL_HOST AC_CANONICAL_TARGET AM_INIT_AUTOMAKE([${PACKAGE_NAME}], [${PACKAGE_VERSION}]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/doc/manpage/Makefile.am new/ecryptfs-utils-87/doc/manpage/Makefile.am --- old/ecryptfs-utils-83/doc/manpage/Makefile.am 2009-10-20 20:49:55.000000000 +0200 +++ new/ecryptfs-utils-87/doc/manpage/Makefile.am 2011-03-09 14:30:32.000000000 +0100 @@ -18,6 +18,7 @@ ecryptfs-insert-wrapped-passphrase-into-keyring.1 \ ecryptfs-manager.8 \ ecryptfs-mount-private.1 \ + ecryptfs-recover-private.1 \ ecryptfs-rewrap-passphrase.1 \ ecryptfs-rewrite-file.1 \ ecryptfs-setup-private.1 \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/doc/manpage/ecryptfs-recover-private.1 new/ecryptfs-utils-87/doc/manpage/ecryptfs-recover-private.1 --- old/ecryptfs-utils-83/doc/manpage/ecryptfs-recover-private.1 1970-01-01 01:00:00.000000000 +0100 +++ new/ecryptfs-utils-87/doc/manpage/ecryptfs-recover-private.1 2011-03-09 14:30:32.000000000 +0100 @@ -0,0 +1,31 @@ +.TH ecryptfs-recover-private 1 2010-12-17 ecryptfs-utils "eCryptfs" +.SH NAME +\fBecryptfs-recover-private\fP \- find and mount any encrypted private directories + +.SH SYNOPSIS +\fBecryptfs-recover-private\fP [encrypted private dir] + +.SH DESCRIPTION +This utility is intended to help eCryptfs recover data from their encrypted home or encrypted private partitions. It is useful to run this from a LiveISO or a recovery image. It must run under \fBsudo\fP(8) or with root permission, in order to search the filesystem and perform the mounts. + +The program can take a target encrypted directory on the command line. If unspecified, the utility will search the entire system looking for encrypted private directories, as configured by \fBecryptfs-setup-private\fP(1). + +If an encrypted directory and a \fIwrapped-passphrase\fP file are found, the user is prompted for the login (wrapping) passphrase, the keys are inserted into the keyring, and the data is decrypted and mounted. + +If no \fIwrapped-passphrase\fP file is found, the user will be prompted for their mount passphrase. This passphrase is typically 32 characters of [0-9a-f]. All users are prompted to urgently record this randomly generated passphrase when they first setup their encrypted private directory. + +The destination mount of the decrypted data is a temporary directory, in the form of \fI/tmp/ecryptfs.XXXXXXXX\fP. + +.SH SEE ALSO +\fBecryptfs-setup-private\fP(1), \fBsudo\fP(8) + +\fIhttp://blog.dustinkirkland.com/2009/03/mounting-your-encrypted-home-from.html\fP + +.TP +\fIhttp://launchpad.net/ecryptfs/\fP +.PD + +.SH AUTHOR +This manpage was written by Dustin Kirkland <kirkl...@canonical.com> for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. + +On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/doc/manpage/ecryptfs.7 new/ecryptfs-utils-87/doc/manpage/ecryptfs.7 --- old/ecryptfs-utils-83/doc/manpage/ecryptfs.7 2009-10-20 20:49:55.000000000 +0200 +++ new/ecryptfs-utils-87/doc/manpage/ecryptfs.7 2011-03-09 14:30:32.000000000 +0100 @@ -64,7 +64,7 @@ .TP .B passphrase_passwd=(passphrase) -The actual password is password. Since the password is visible to utilities (like ps under Unix) this form should only be used where security is not important. +The actual password is passphrase. Since the password is visible to utilities (like ps under Unix) this form should only be used where security is not important. .TP .B passphrase_passwd_file=(filename) The password should be specified in a file with passwd=(passphrase). It is highly reccomended that the file be stored on a secure medium such as a personal usb key. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/doc/manpage/mount.ecryptfs_private.1 new/ecryptfs-utils-87/doc/manpage/mount.ecryptfs_private.1 --- old/ecryptfs-utils-83/doc/manpage/mount.ecryptfs_private.1 2009-10-20 20:49:55.000000000 +0200 +++ new/ecryptfs-utils-87/doc/manpage/mount.ecryptfs_private.1 2011-03-09 14:30:32.000000000 +0100 @@ -3,26 +3,36 @@ mount.ecryptfs_private \- eCryptfs private mount helper. .SH SYNOPSIS -\fBmount.ecryptfs_private\fP +\fBmount.ecryptfs_private [ALIAS]\fP \fBNOTE:\fP This program will \fBnot\fP dynamically load the relevant keys. For this reason, it is recommended that users use \fBecryptfs-mount-private\fP(1) instead! .SH DESCRIPTION -\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users, who are members of \fBecryptfs\fP group, to cryptographically mount a private directory, ~/Private. +\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users, who are members of \fBecryptfs\fP group, to cryptographically mount a private directory, ~/Private by default. -If, and only if: - - the private mount passphrase is in their kernel keyring, and - - the current user owns both ~/.Private and ~/Private, and - - ~/Private is not already mounted, then +This program optionally takes one argument, ALIAS. If ALIAS is omitted, the program will default to using "Private" using: + - $HOME/.Private as the SOURCE + - $HOME/Private as the DESTINATION + - $HOME/.ecryptfs/Private.sig for the key signatures. + +If ALIAS is specified, then the program will look for an \fBfstab\fP(5) style configuration in: + - $HOME/.ecryptfs/ALIAS.conf +and for key signature(s) in: + - $HOME/.ecryptfs/ALIAS.sig + +The mounting will proceed if, and only if: + - the required passphrase is in their kernel keyring, and + - the current user owns both the SOURCE and DESTINATION mount points + - the DESTINATION is not already mounted This program will: - - mount ~/.Private onto ~/Private + - mount SOURCE onto DESTINATION - as an ecryptfs filesystem - using the AES cipher - with a key length of 16 bytes - using the passphrase whose signature is in ~/.ecryptfs/Private.sig -The only setuid operation in this program is the call to \fBmount\fP(8). +The only setuid operation in this program is the call to \fBmount\fP(8) or \fBumount\fP(8). The \fBecryptfs-setup-private\fP(1) utility will create the ~/.Private and ~/Private directories, generate a mount passphrase, wrap the passphrase, and write the ~/.ecryptfs/Private.sig. @@ -40,7 +50,7 @@ .SH SEE ALSO .PD 0 .TP -\fBecryptfs\fP(7), \fBecryptfs-rewrap-passphrase\fP(1), \fBecryptfs-setup-private\fP(1), \fBkeyctl\fP(1), \fBmount\fP(8), \fBumount.ecryptfs_private\fP(1), \fBpam_ecryptfs\fP(8) +\fBecryptfs\fP(7), \fBecryptfs-rewrap-passphrase\fP(1), \fBecryptfs-setup-private\fP(1), \fBkeyctl\fP(1), \fBmount\fP(8), \fBumount.ecryptfs_private\fP(1), \fBpam_ecryptfs\fP(8), \fBfstab\fP(5) .TP \fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/m4/intltool.m4 new/ecryptfs-utils-87/m4/intltool.m4 --- old/ecryptfs-utils-83/m4/intltool.m4 2009-09-21 18:08:22.000000000 +0200 +++ new/ecryptfs-utils-87/m4/intltool.m4 1970-01-01 01:00:00.000000000 +0100 @@ -1,216 +0,0 @@ -## intltool.m4 - Configure intltool for the target system. -*-Shell-script-*- -## Copyright (C) 2001 Eazel, Inc. -## Author: Maciej Stachowiak <m...@noisehavoc.org> -## Kenneth Christiansen <kenn...@gnu.org> -## -## This program is free software; you can redistribute it and/or modify -## it under the terms of the GNU General Public License as published by -## the Free Software Foundation; either version 2 of the License, or -## (at your option) any later version. -## -## This program is distributed in the hope that it will be useful, but -## WITHOUT ANY WARRANTY; without even the implied warranty of -## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -## General Public License for more details. -## -## You should have received a copy of the GNU General Public License -## along with this program; if not, write to the Free Software -## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -## -## As a special exception to the GNU General Public License, if you -## distribute this file as part of a program that contains a -## configuration script generated by Autoconf, you may include it under -## the same distribution terms that you use for the rest of that program. - -dnl IT_PROG_INTLTOOL([MINIMUM-VERSION], [no-xml]) -# serial 40 IT_PROG_INTLTOOL -AC_DEFUN([IT_PROG_INTLTOOL], [ -AC_PREREQ([2.50])dnl -AC_REQUIRE([AM_NLS])dnl - -case "$am__api_version" in - 1.[01234]) - AC_MSG_ERROR([Automake 1.5 or newer is required to use intltool]) - ;; - *) - ;; -esac - -if test -n "$1"; then - AC_MSG_CHECKING([for intltool >= $1]) - - INTLTOOL_REQUIRED_VERSION_AS_INT=`echo $1 | awk -F. '{ print $ 1 * 1000 + $ 2 * 100 + $ 3; }'` - INTLTOOL_APPLIED_VERSION=`intltool-update --version | head -1 | cut -d" " -f3` - [INTLTOOL_APPLIED_VERSION_AS_INT=`echo $INTLTOOL_APPLIED_VERSION | awk -F. '{ print $ 1 * 1000 + $ 2 * 100 + $ 3; }'` - ] - AC_MSG_RESULT([$INTLTOOL_APPLIED_VERSION found]) - test "$INTLTOOL_APPLIED_VERSION_AS_INT" -ge "$INTLTOOL_REQUIRED_VERSION_AS_INT" || - AC_MSG_ERROR([Your intltool is too old. You need intltool $1 or later.]) -fi - -AC_PATH_PROG(INTLTOOL_UPDATE, [intltool-update]) -AC_PATH_PROG(INTLTOOL_MERGE, [intltool-merge]) -AC_PATH_PROG(INTLTOOL_EXTRACT, [intltool-extract]) -if test -z "$INTLTOOL_UPDATE" -o -z "$INTLTOOL_MERGE" -o -z "$INTLTOOL_EXTRACT"; then - AC_MSG_ERROR([The intltool scripts were not found. Please install intltool.]) -fi - - INTLTOOL_DESKTOP_RULE='%.desktop: %.desktop.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' -INTLTOOL_DIRECTORY_RULE='%.directory: %.directory.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_KEYS_RULE='%.keys: %.keys.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -k -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_PROP_RULE='%.prop: %.prop.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_OAF_RULE='%.oaf: %.oaf.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -p $(top_srcdir)/po $< [$]@' - INTLTOOL_PONG_RULE='%.pong: %.pong.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_SERVER_RULE='%.server: %.server.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_SHEET_RULE='%.sheet: %.sheet.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' -INTLTOOL_SOUNDLIST_RULE='%.soundlist: %.soundlist.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_UI_RULE='%.ui: %.ui.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_XML_RULE='%.xml: %.xml.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_XML_NOMERGE_RULE='%.xml: %.xml.in $(INTLTOOL_MERGE) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u /tmp $< [$]@' - INTLTOOL_XAM_RULE='%.xam: %.xml.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_KBD_RULE='%.kbd: %.kbd.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -m -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_CAVES_RULE='%.caves: %.caves.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_SCHEMAS_RULE='%.schemas: %.schemas.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -s -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_THEME_RULE='%.theme: %.theme.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_SERVICE_RULE='%.service: %.service.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - INTLTOOL_POLICY_RULE='%.policy: %.policy.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' - -_IT_SUBST(INTLTOOL_DESKTOP_RULE) -_IT_SUBST(INTLTOOL_DIRECTORY_RULE) -_IT_SUBST(INTLTOOL_KEYS_RULE) -_IT_SUBST(INTLTOOL_PROP_RULE) -_IT_SUBST(INTLTOOL_OAF_RULE) -_IT_SUBST(INTLTOOL_PONG_RULE) -_IT_SUBST(INTLTOOL_SERVER_RULE) -_IT_SUBST(INTLTOOL_SHEET_RULE) -_IT_SUBST(INTLTOOL_SOUNDLIST_RULE) -_IT_SUBST(INTLTOOL_UI_RULE) -_IT_SUBST(INTLTOOL_XAM_RULE) -_IT_SUBST(INTLTOOL_KBD_RULE) -_IT_SUBST(INTLTOOL_XML_RULE) -_IT_SUBST(INTLTOOL_XML_NOMERGE_RULE) -_IT_SUBST(INTLTOOL_CAVES_RULE) -_IT_SUBST(INTLTOOL_SCHEMAS_RULE) -_IT_SUBST(INTLTOOL_THEME_RULE) -_IT_SUBST(INTLTOOL_SERVICE_RULE) -_IT_SUBST(INTLTOOL_POLICY_RULE) - -# Check the gettext tools to make sure they are GNU -AC_PATH_PROG(XGETTEXT, xgettext) -AC_PATH_PROG(MSGMERGE, msgmerge) -AC_PATH_PROG(MSGFMT, msgfmt) -AC_PATH_PROG(GMSGFMT, gmsgfmt, $MSGFMT) -if test -z "$XGETTEXT" -o -z "$MSGMERGE" -o -z "$MSGFMT"; then - AC_MSG_ERROR([GNU gettext tools not found; required for intltool]) -fi -xgversion="`$XGETTEXT --version|grep '(GNU ' 2> /dev/null`" -mmversion="`$MSGMERGE --version|grep '(GNU ' 2> /dev/null`" -mfversion="`$MSGFMT --version|grep '(GNU ' 2> /dev/null`" -if test -z "$xgversion" -o -z "$mmversion" -o -z "$mfversion"; then - AC_MSG_ERROR([GNU gettext tools not found; required for intltool]) -fi - -AC_PATH_PROG(INTLTOOL_PERL, perl) -if test -z "$INTLTOOL_PERL"; then - AC_MSG_ERROR([perl not found]) -fi -AC_MSG_CHECKING([for perl >= 5.8.1]) -$INTLTOOL_PERL -e "use 5.8.1;" > /dev/null 2>&1 -if test $? -ne 0; then - AC_MSG_ERROR([perl 5.8.1 is required for intltool]) -else - IT_PERL_VERSION="`$INTLTOOL_PERL -e \"printf '%vd', $^V\"`" - AC_MSG_RESULT([$IT_PERL_VERSION]) -fi -if test "x$2" != "xno-xml"; then - AC_MSG_CHECKING([for XML::Parser]) - if `$INTLTOOL_PERL -e "require XML::Parser" 2>/dev/null`; then - AC_MSG_RESULT([ok]) - else - AC_MSG_ERROR([XML::Parser perl module is required for intltool]) - fi -fi - -# Substitute ALL_LINGUAS so we can use it in po/Makefile -AC_SUBST(ALL_LINGUAS) - -# Set DATADIRNAME correctly if it is not set yet -# (copied from glib-gettext.m4) -if test -z "$DATADIRNAME"; then - AC_LINK_IFELSE( - [AC_LANG_PROGRAM([[]], - [[extern int _nl_msg_cat_cntr; - return _nl_msg_cat_cntr]])], - [DATADIRNAME=share], - [case $host in - *-*-solaris*) - dnl On Solaris, if bind_textdomain_codeset is in libc, - dnl GNU format message catalog is always supported, - dnl since both are added to the libc all together. - dnl Hence, we'd like to go with DATADIRNAME=share - dnl in this case. - AC_CHECK_FUNC(bind_textdomain_codeset, - [DATADIRNAME=share], [DATADIRNAME=lib]) - ;; - *) - [DATADIRNAME=lib] - ;; - esac]) -fi -AC_SUBST(DATADIRNAME) - -IT_PO_SUBDIR([po]) - -]) - - -# IT_PO_SUBDIR(DIRNAME) -# --------------------- -# All po subdirs have to be declared with this macro; the subdir "po" is -# declared by IT_PROG_INTLTOOL. -# -AC_DEFUN([IT_PO_SUBDIR], -[AC_PREREQ([2.53])dnl We use ac_top_srcdir inside AC_CONFIG_COMMANDS. -dnl -dnl The following CONFIG_COMMANDS should be exetuted at the very end -dnl of config.status. -AC_CONFIG_COMMANDS_PRE([ - AC_CONFIG_COMMANDS([$1/stamp-it], [ - if [ ! grep "^# INTLTOOL_MAKEFILE$" "$1/Makefile.in" > /dev/null ]; then - AC_MSG_ERROR([$1/Makefile.in.in was not created by intltoolize.]) - fi - rm -f "$1/stamp-it" "$1/stamp-it.tmp" "$1/POTFILES" "$1/Makefile.tmp" - >"$1/stamp-it.tmp" - [sed '/^#/d - s/^[[].*] *// - /^[ ]*$/d - '"s|^| $ac_top_srcdir/|" \ - "$srcdir/$1/POTFILES.in" | sed '$!s/$/ \\/' >"$1/POTFILES" - ] - [sed '/^POTFILES =/,/[^\\]$/ { - /^POTFILES =/!d - r $1/POTFILES - } - ' "$1/Makefile.in" >"$1/Makefile"] - rm -f "$1/Makefile.tmp" - mv "$1/stamp-it.tmp" "$1/stamp-it" - ]) -])dnl -]) - -# _IT_SUBST(VARIABLE) -# ------------------- -# Abstract macro to do either _AM_SUBST_NOTMAKE or AC_SUBST -# -AC_DEFUN([_IT_SUBST], -[ -AC_SUBST([$1]) -m4_ifdef([_AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE([$1])]) -] -) - -# deprecated macros -AU_ALIAS([AC_PROG_INTLTOOL], [IT_PROG_INTLTOOL]) -# A hint is needed for aclocal from Automake <= 1.9.4: -# AC_DEFUN([AC_PROG_INTLTOOL], ...) - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/po/POTFILES.in new/ecryptfs-utils-87/po/POTFILES.in --- old/ecryptfs-utils-83/po/POTFILES.in 2010-02-17 18:05:05.000000000 +0100 +++ new/ecryptfs-utils-87/po/POTFILES.in 2011-03-09 14:30:32.000000000 +0100 @@ -2,6 +2,7 @@ src/desktop/ecryptfs-mount-private.desktop.in src/desktop/ecryptfs-setup-private.desktop.in src/utils/ecryptfs-mount-private +src/utils/ecryptfs-recover-private src/utils/ecryptfs-rewrite-file src/utils/ecryptfs-setup-private src/utils/ecryptfs-setup-swap diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/desktop/ecryptfs-record-passphrase new/ecryptfs-utils-87/src/desktop/ecryptfs-record-passphrase --- old/ecryptfs-utils-83/src/desktop/ecryptfs-record-passphrase 2010-02-17 22:11:13.000000000 +0100 +++ new/ecryptfs-utils-87/src/desktop/ecryptfs-record-passphrase 2011-03-09 14:30:32.000000000 +0100 @@ -15,5 +15,5 @@ "Passphrase" prompt and you can display your randomly generated passphrase. . Otherwise, you will need to run "ecryptfs-unwrap-passphrase" from the command - line to retrive and record your generated passphrase. + line to retrieve and record your generated passphrase. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/libecryptfs/main.c new/ecryptfs-utils-87/src/libecryptfs/main.c --- old/ecryptfs-utils-83/src/libecryptfs/main.c 2009-11-11 02:01:37.000000000 +0100 +++ new/ecryptfs-utils-87/src/libecryptfs/main.c 2011-03-09 14:30:32.000000000 +0100 @@ -144,7 +144,7 @@ struct mntent *m = NULL; char *opt = NULL; int mounted; - if (asprintf(&opt, "ecryptfs_sig=%s", sig) < 0) { + if (sig && asprintf(&opt, "ecryptfs_sig=%s", sig) < 0) { perror("asprintf"); return 0; } @@ -181,7 +181,7 @@ if ( strcmp(m->mnt_fsname, dev) == 0 && strcmp(m->mnt_dir, mnt) == 0 && - hasmntopt(m, opt) != NULL + (!opt || hasmntopt(m, opt) != NULL) ) { mounted = 1; break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/pam_ecryptfs/pam_ecryptfs.c new/ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c --- old/ecryptfs-utils-83/src/pam_ecryptfs/pam_ecryptfs.c 2010-02-16 18:01:43.000000000 +0100 +++ new/ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-03-09 14:30:32.000000000 +0100 @@ -68,13 +68,13 @@ } } -/* returns: 0 for pam automounting not set, 1 for set, <0 for error */ -static int ecryptfs_pam_automount_set(const char *homedir) +/* returns: 0 if file does not exist, 1 if it exists, <0 for error */ +static int file_exists_dotecryptfs(const char *homedir, char *filename) { char *file_path; int rc = 0; struct stat s; - if (asprintf(&file_path, "%s/.ecryptfs/auto-mount", homedir) == -1) + if (asprintf(&file_path, "%s/.ecryptfs/%s", homedir, filename) == -1) return -ENOMEM; if (stat(file_path, &s) != 0) { if (errno != ENOENT) @@ -149,7 +149,7 @@ "rc = [%ld]\n", username, rc); goto out; } - if (!ecryptfs_pam_automount_set(homedir)) + if (!file_exists_dotecryptfs(homedir, "auto-mount")) goto out; private_mnt = ecryptfs_fetch_private_mnt(homedir); if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { @@ -165,7 +165,10 @@ syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); saved_uid = geteuid(); seteuid(uid); - rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase); + if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1) + rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: "); + else + rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase); seteuid(saved_uid); if (rc != PAM_SUCCESS) { syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/Makefile.am new/ecryptfs-utils-87/src/utils/Makefile.am --- old/ecryptfs-utils-83/src/utils/Makefile.am 2010-02-17 03:53:33.000000000 +0100 +++ new/ecryptfs-utils-87/src/utils/Makefile.am 2011-03-09 14:30:32.000000000 +0100 @@ -1,6 +1,6 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in -EXTRA_DIST=ecryptfsrc ecryptfs-rewrite-file ecryptfs-setup-private ecryptfs-setup-swap ecryptfs-mount-private ecryptfs-umount-private ecryptfs-migrate-home +EXTRA_DIST=ecryptfsrc ecryptfs-rewrite-file ecryptfs-setup-private ecryptfs-setup-swap ecryptfs-mount-private ecryptfs-umount-private ecryptfs-migrate-home ecryptfs-recover-private rootsbin_PROGRAMS=mount.ecryptfs \ umount.ecryptfs \ @@ -16,6 +16,7 @@ ecryptfs-mount-private \ ecryptfs-umount-private \ ecryptfs-rewrite-file \ + ecryptfs-recover-private \ ecryptfs-migrate-home bin2dir = $(bindir) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/ecryptfs-migrate-home new/ecryptfs-utils-87/src/utils/ecryptfs-migrate-home --- old/ecryptfs-utils-83/src/utils/ecryptfs-migrate-home 2010-02-17 22:00:40.000000000 +0100 +++ new/ecryptfs-utils-87/src/utils/ecryptfs-migrate-home 2011-03-09 14:30:32.000000000 +0100 @@ -81,7 +81,7 @@ # get user home by username get_user_home () { local USER_NAME="$1" - local USER_HOME=$(grep "^$USER_NAME:" /etc/passwd | cut -d":" -f 6) + local USER_HOME=$(getent passwd "$USER_NAME" | cut -d":" -f 6) if [ -z "$USER_HOME" ]; then error "Cannot find the home directory of $USER_NAME." fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/ecryptfs-recover-private new/ecryptfs-utils-87/src/utils/ecryptfs-recover-private --- old/ecryptfs-utils-83/src/utils/ecryptfs-recover-private 1970-01-01 01:00:00.000000000 +0100 +++ new/ecryptfs-utils-87/src/utils/ecryptfs-recover-private 2011-03-09 14:30:32.000000000 +0100 @@ -0,0 +1,100 @@ +#!/bin/sh -e +# +# ecryptfs-recover-private +# Copyright (C) 2010 Canonical Ltd. +# +# Authors: Dustin Kirkland <kirkl...@canonical.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +error() { + echo "ERROR: $@" 1>&2 + exit 1 +} + +info() { + echo "INFO: $@" +} + +# We need root access to do the deep find and the mount +[ "$(id -u)" = "0" ] || error "This program must be run as root." + +# Handle parameters +if [ -d "$1" ]; then + # Allow for target directories on the command line + dirs="$@" +else + # Otherwise, search the system for directories named ".Private" + info "Searching for encrypted private directories (this might take a while)..." + dirs=$(find / -type d -name ".Private") + if [ -z "$dirs" ]; then + info "Hint: click 'Places' and select your hard disk, then run this again." + error "No private directories found; make sure that your root filesystem is mounted." + fi +fi + +# Examine directories +for d in $dirs; do + if [ -d "$d" ]; then + info "Found [$d]." + echo -n "Try to recover this directory? [Y/n]: " + answer=$(head -n1) + case "$answer" in n*|N*) continue ;; esac + else + continue + fi + # Determine if filename encryption is on + ls "$d/ECRYPTFS_FNEK_ENCRYPTED"* >/dev/null 2>&1 && fnek="--fnek" || fnek= + if [ -f "$d/../.ecryptfs/wrapped-passphrase" ]; then + # Use the wrapped-passphrase, if available + info "Enter your LOGIN passphrase..." + ecryptfs-insert-wrapped-passphrase-into-keyring "$d/../.ecryptfs/wrapped-passphrase" + sigs=$(sed -e "s/[^0-9a-f]//g" "$d/../.ecryptfs/Private.sig") + else + # Fall back to mount passphrase + echo + info "Could not find your wrapped passphrase file." + info "To recover this directory, you MUST have your original MOUNT passphrase." + info "When you first setup your encrypted private directory, you were told to record" + info "your MOUNT passphrase." + info "It should be 32 characters long, consisting of [0-9] and [a-f]." + echo + echo -n "Enter your MOUNT passphrase: " + stty_orig=$(stty -g) + stty -echo + passphrase=$(head -n1) + stty $stty_orig + echo + sigs=$(printf "%s\0" "$passphrase" | ecryptfs-add-passphrase $fnek | grep "^Inserted" | sed -e "s/^.*\[//" -e "s/\].*$//" -e "s/[^0-9a-f]//g") + fi + case $(echo "$sigs" | wc -l) in + 1) + mount_sig=$(echo "$sigs" | head -n1) + fnek_sig= + mount_opts="ro,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16" + ;; + 2) + mount_sig=$(echo "$sigs" | head -n1) + fnek_sig=$(echo "$sigs" | tail -n1) + mount_opts="ro,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16" + ;; + *) + continue + ;; + esac + (keyctl list @u | grep -qs "$mount_sig") || error "The key required to access this private data is not available." + (keyctl list @u | grep -qs "$fnek_sig") || error "The key required to access this private data is not available." + tmpdir=$(mktemp -d /tmp/ecryptfs.XXXXXXXX) + mount -i -t ecryptfs -o "$mount_opts" "$d" "$tmpdir" + info "Success! Private data mounted read-only at [$tmpdir]." +done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/ecryptfs-setup-private new/ecryptfs-utils-87/src/utils/ecryptfs-setup-private --- old/ecryptfs-utils-83/src/utils/ecryptfs-setup-private 2010-02-17 05:47:40.000000000 +0100 +++ new/ecryptfs-utils-87/src/utils/ecryptfs-setup-private 2011-03-09 14:30:32.000000000 +0100 @@ -217,7 +217,7 @@ MOUNTPOINT="$HOME" CRYPTDIR="$ECRYPTFS_DIR/$USER/.$PRIVATE_DIR" else - mkdir -m 700 $HOME/.ecryptfs + mkdir -p -m 700 $HOME/.ecryptfs MOUNTPOINT="$HOME/$PRIVATE_DIR" CRYPTDIR="$HOME/.$PRIVATE_DIR" fi @@ -399,9 +399,11 @@ temp=`mktemp` echo "$sig" > "$temp" || error "$(gettext 'Could not create signature file')" "[$HOME/.ecryptfs/$PRIVATE_DIR.sig]" mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.sig" +which restorecon 2>/dev/null && restorecon "$HOME/.ecryptfs/$PRIVATE_DIR.sig" > /dev/null 2>&1 temp=`mktemp` echo "$MOUNTPOINT" > "$temp" || error "$(gettext 'Could not create mountpoint file')" "[$HOME/.ecryptfs/$PRIVATE_DIR.mnt]" mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.mnt" +which restorecon 2>/dev/null && restorecon "$HOME/.ecryptfs/$PRIVATE_DIR.mnt" > /dev/null 2>&1 echo echo "$(gettext 'Done configuring.')" @@ -435,12 +437,14 @@ # Now let's perform some basic mount/write/umount/read sanity testing... echo "$(gettext 'Testing mount/write/umount/read...')" +printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK - /sbin/mount.ecryptfs_private || error "$(gettext 'Could not mount private ecryptfs directory')" temp=`mktemp "$MOUNTPOINT/ecryptfs.test.XXXXXX"` || error_testing "$temp" "$(gettext 'Could not create empty file')" random_data=`head -c 16000 /dev/urandom | od -x` || error_testing "$temp" "$(gettext 'Could not generate random data')" echo "$random_data" > "$temp" || error_testing "$temp" "$(gettext 'Could not write encrypted file')" md5sum1=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read encrypted file')" /sbin/umount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not unmount private ecryptfs directory')" +printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK - /sbin/mount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not mount private ecryptfs directory (2)')" md5sum2=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read encrypted file (2)')" rm -f "$temp" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/ecryptfs_rewrap_passphrase.c new/ecryptfs-utils-87/src/utils/ecryptfs_rewrap_passphrase.c --- old/ecryptfs-utils-83/src/utils/ecryptfs_rewrap_passphrase.c 2009-10-20 20:49:55.000000000 +0200 +++ new/ecryptfs-utils-87/src/utils/ecryptfs_rewrap_passphrase.c 2011-03-09 14:30:32.000000000 +0100 @@ -42,6 +42,7 @@ char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1]; char *old_wrapping_passphrase; char *new_wrapping_passphrase; + char *new_wrapping_passphrase2; char salt[ECRYPTFS_SALT_SIZE]; char salt_hex[ECRYPTFS_SALT_SIZE_HEX]; int rc = 0; @@ -52,6 +53,16 @@ ecryptfs_get_passphrase("Old wrapping passphrase"); new_wrapping_passphrase = ecryptfs_get_passphrase("New wrapping passphrase"); + new_wrapping_passphrase2 = + ecryptfs_get_passphrase("New wrapping passphrase (again)"); + if ( + strlen(new_wrapping_passphrase) != strlen(new_wrapping_passphrase2) || + strncmp(new_wrapping_passphrase, new_wrapping_passphrase2, strlen(new_wrapping_passphrase))!=0 + ) { + fprintf(stderr, "New wrapping passphrases do not match\n"); + rc = 1; + goto out; + } } else if (argc == 3 && strlen(argv[2]) == 1 && strncmp(argv[2], "-", 1) == 0) { /* stdin mode */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c new/ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c --- old/ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c 2010-02-16 17:59:21.000000000 +0100 +++ new/ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c 2011-03-09 14:30:32.000000000 +0100 @@ -5,6 +5,7 @@ * Copyright (C) 2008 Canonical Ltd. * * This code was originally written by Dustin Kirkland <kirkl...@ubuntu.com>. + * Enhanced by Serge Hallyn <hal...@ubuntu.com>. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -31,6 +32,7 @@ #include <sys/param.h> #include <sys/stat.h> #include <sys/types.h> +#include <errno.h> #include <keyutils.h> #include <mntent.h> #include <pwd.h> @@ -51,6 +53,51 @@ #define FSTYPE "ecryptfs" #define TMP "/dev/shm" +int saved_errno; + +int read_config(char *pw_dir, int uid, char *alias, char **s, char **d, char **o) { +/* Read an fstab(5) style config file */ + char *fnam; + struct stat mstat; + struct mntent *e; + FILE *fin; + if (asprintf(&fnam, "%s/.ecryptfs/%s.conf", pw_dir, alias) < 0) { + perror("asprintf"); + return -1; + } + if (stat(fnam, &mstat)!=0 || (!S_ISREG(mstat.st_mode) || mstat.st_uid!=uid)) { + fputs("Bad file\n", stderr); + free(fnam); + return -1; + } + fin = fopen(fnam, "r"); + free(fnam); + if (!fin) { + perror("fopen"); + return -1; + } + e = getmntent(fin); + fclose(fin); + if (!e) { + perror("getmntent"); + return -1; + } + if (strcmp(e->mnt_type, "ecryptfs") != 0) { + fputs("Bad fs type\n", stderr); + return -1; + } + *o = strdup(e->mnt_opts); + if (!*o) + return -2; + *d = strdup(e->mnt_dir); + if (!*d) + return -2; + *s = strdup(e->mnt_fsname); + if (!*s) + return -2; +out: + return 0; +} int check_username(char *u) { /* We follow the username guidelines used by the adduser program. Quoting its @@ -83,8 +130,7 @@ return 0; } - -char *fetch_sig(char *pw_dir, int entry) { +char *fetch_sig(char *pw_dir, int entry, char *alias) { /* Read ecryptfs signature from file and validate * Return signature as a string, or NULL on failure */ @@ -95,7 +141,7 @@ /* Construct sig file name */ if ( asprintf(&sig_file, "%s/.ecryptfs/%s.sig", pw_dir, - ECRYPTFS_PRIVATE_DIR) < 0 + alias) < 0 ) { perror("asprintf"); return NULL; @@ -144,9 +190,7 @@ * compile with -lkeyutils */ if (keyctl_search(KEY_SPEC_USER_KEYRING, "user", sig, 0) < 0) { - perror("keyctl_search"); - fputs("Perhaps try the interactive 'ecryptfs-mount-private'\n", - stderr); + saved_errno = errno; return NULL; } return sig; @@ -204,7 +248,7 @@ return 0; } -FILE *lock_counter(char *u, int uid) { +FILE *lock_counter(char *u, int uid, char *alias) { char *f; int fd; FILE *fh; @@ -212,7 +256,7 @@ int i = 1; /* We expect TMP to exist, be writeable by the user, * and to be cleared on boot */ - if (asprintf(&f, "%s/%s-%s-%s", TMP, FSTYPE, u, ECRYPTFS_PRIVATE_DIR) < 0) { + if (asprintf(&f, "%s/%s-%s-%s", TMP, FSTYPE, u, alias) < 0) { perror("asprintf"); return NULL; } @@ -224,7 +268,7 @@ if (stat(f, &s)==0 && (!S_ISREG(s.st_mode) || s.st_uid!=uid)) { free(f); if (asprintf(&f, "%s/%s-%s-%s-%d", TMP, FSTYPE, u, - ECRYPTFS_PRIVATE_DIR, i++) < 0) { + alias, i++) < 0) { perror("asprintf"); return NULL; } @@ -326,9 +370,8 @@ * - unmounts ~/.Private from ~/Private * - using the signature defined in ~/.ecryptfs/Private.sig * - ONLY IF the user - * - has the signature's key in his keyring * - owns both ~/.Private and ~/Private - * - is currently mounted + * - is currently ecryptfs mounted * * The only setuid operations in this program are: * a) mounting @@ -338,9 +381,8 @@ int main(int argc, char *argv[]) { int uid, mounting; int force = 0; - int fnek = 1; struct passwd *pwd; - char *dev, *mnt, *opt; + char *alias, *src, *dest, *opt, *opts2; char *sig, *sig_fnek; FILE *fh_counter = NULL; @@ -358,8 +400,39 @@ goto fail; } + /* If no arguments, default to private dir; but accept at most one + argument, an alias for the configuration to read and use. + */ + if (argc == 1) { + /* Use default source and destination dirs */ + alias = ECRYPTFS_PRIVATE_DIR; + if ((asprintf(&src, "%s/.%s", pwd->pw_dir, alias) < 0) || src == NULL) { + perror("asprintf (src)"); + goto fail; + } + dest = ecryptfs_fetch_private_mnt(pwd->pw_dir); + if (dest == NULL) { + perror("asprintf (dest)"); + goto fail; + } + } else if (argc == 2) { + alias = argv[1]; + /* Read the source and destination dirs from .conf file */ + if (read_config(pwd->pw_dir, uid, alias, &src, &dest, &opts2) < 0) { + fputs("Error reading configuration file", stderr); + exit(1); + } + if (opts2 != NULL && strlen(opts2) != 0 && strcmp(opts2, "none") != 0) { + fputs("Mount options are not supported here", stderr); + exit(1); + } + } else { + fputs("Too many arguments", stderr); + exit(1); + } + /* Lock the counter through the rest of the program */ - fh_counter = lock_counter(pwd->pw_name, uid); + fh_counter = lock_counter(pwd->pw_name, uid, alias); if (fh_counter == NULL) { fputs("Error locking counter", stderr); goto fail; @@ -387,52 +460,38 @@ /* Fetch signatures from file */ /* First line is the file content encryption key signature */ - sig = fetch_sig(pwd->pw_dir, 0); + sig = fetch_sig(pwd->pw_dir, 0, alias); if (sig == NULL) { - goto fail; + /* if umounting, no sig is ok */ + if (mounting) { + errno = saved_errno; + perror("keyctl_search"); + fputs("Perhaps try the interactive 'ecryptfs-mount-private'\n", + stderr); + goto fail; + } } /* Second line, if present, is the filename encryption key signature */ - sig_fnek = fetch_sig(pwd->pw_dir, 1); - if (sig_fnek == NULL) { - fnek = 0; - } else { - fnek = 1; - } + sig_fnek = fetch_sig(pwd->pw_dir, 1, alias); - /* Construct device, mount point, and mount options */ + /* Build mount options */ if ( - (asprintf(&dev, "%s/.%s", pwd->pw_dir, ECRYPTFS_PRIVATE_DIR) < 0) || - dev == NULL) { - perror("asprintf (dev)"); - goto fail; - } - mnt = ecryptfs_fetch_private_mnt(pwd->pw_dir); - if (mnt == NULL) { - perror("asprintf (mnt)"); + (asprintf(&opt, "ecryptfs_cipher=%s,ecryptfs_key_bytes=%d,ecryptfs_unlink_sigs%s%s%s%s", + KEY_CIPHER, + KEY_BYTES, + sig ? ",ecryptfs_sig=" : "", + sig ? sig : "", + sig_fnek ? ",ecryptfs_fnek_sig=" : "", + sig_fnek ? sig_fnek : "" + ) < 0 + ) || opt == NULL + ) { + perror("asprintf (opt)"); goto fail; } - if (fnek == 1) { - /* Filename encryption is on, so specific the fnek sig */ - if ((asprintf(&opt, -"ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d", - sig, sig_fnek, KEY_CIPHER, KEY_BYTES) < 0) || - opt == NULL) { - perror("asprintf (opt)"); - goto fail; - } - } else { - /* Filename encryption is off; legacy support */ - if ((asprintf(&opt, - "ecryptfs_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d", - sig, KEY_CIPHER, KEY_BYTES) < 0) || - opt == NULL) { - perror("asprintf (opt)"); - goto fail; - } - } - /* Check ownership of mnt */ - if (check_ownerships(uid, mnt) != 0) { + /* Check ownership of dest */ + if (check_ownerships(uid, dest) != 0) { goto fail; } @@ -442,13 +501,13 @@ fputs("Error incrementing mount counter\n", stderr); } /* Mounting, so exit if already mounted */ - if (ecryptfs_private_is_mounted(dev, mnt, sig, mounting) == 1) { + if (ecryptfs_private_is_mounted(src, dest, sig, mounting) == 1) { goto success; } - /* Check ownership of dev, if mounting; - * note, umount only operates on mnt + /* Check ownership of src, if mounting; + * note, umount only operates on dest */ - if (check_ownerships(uid, dev) != 0) { + if (check_ownerships(uid, src) != 0) { goto fail; } /* We must maintain our real uid as the user who called this @@ -462,8 +521,8 @@ */ setreuid(-1, 0); /* Perform mount */ - if (mount(dev, mnt, FSTYPE, 0, opt) == 0) { - if (update_mtab(dev, mnt, opt) != 0) { + if (mount(src, dest, FSTYPE, 0, opt) == 0) { + if (update_mtab(src, dest, opt) != 0) { goto fail; } } else { @@ -475,6 +534,7 @@ goto fail; } } else { + int rc = 0; /* Decrement counter, exiting if >0, and non-forced unmount */ if (force == 1) { zero(fh_counter); @@ -482,8 +542,22 @@ fputs("Sessions still open, not unmounting\n", stderr); goto fail; } + /* Attempt to clear the user's keys from the keyring, + to prevent root from mounting without the user's key. + This is a best-effort basis, so we'll just print messages + on error. */ + if (sig != NULL) { + rc = ecryptfs_remove_auth_tok_from_keyring(sig); + if (rc != 0 && rc != ENOKEY) + fputs("Could not remove key from keyring, try 'ecryptfs-umount-private'\n", stderr); + } + if (sig_fnek != NULL) { + rc = ecryptfs_remove_auth_tok_from_keyring(sig_fnek); + if (rc != 0 && rc != ENOKEY) + fputs("Could not remove key from keyring, try 'ecryptfs-umount-private'\n", stderr); + } /* Unmounting, so exit if not mounted */ - if (ecryptfs_private_is_mounted(dev, mnt, sig, mounting) == 0) { + if (ecryptfs_private_is_mounted(src, dest, sig, mounting) == 0) { goto fail; } /* The key is not needed for unmounting, so we set res=0. @@ -492,7 +566,7 @@ * Do not use the umount.ecryptfs helper (-i). */ setresuid(0,0,0); - execl("/bin/umount", "umount", "-i", "-l", mnt, NULL); + execl("/bin/umount", "umount", "-i", "-l", dest, NULL); perror("execl unmount failed"); goto fail; } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org