Hello community,

here is the log from the commit of package ecryptfs-utils for openSUSE:Factory
checked in at Mon Jun 6 13:56:34 CEST 2011.



--------
--- ecryptfs-utils/ecryptfs-utils.changes       2010-04-10 17:40:48.000000000 
+0200
+++ /mounts/work_src_done/STABLE/ecryptfs-utils/ecryptfs-utils.changes  
2011-04-18 17:09:01.000000000 +0200
@@ -1,0 +2,58 @@
+Mon Apr 18 17:06:50 CEST 2011 - meiss...@suse.de
+
+- Updated to 87
+  * src/utils/ecryptfs-setup-private: update the Private.* selinux
+    contexts
+  * src/utils/ecryptfs-setup-private:
+    - add -p to mkdir, address noise for a non-error
+    - must insert keys during testing phase, since we remove keys on
+      unmount now, LP: #725862
+  * src/utils/ecryptfs_rewrap_passphrase.c: confirm passphrases in
+    interactive mode, LP: #667331
+- Updated to 86
+  * src/pam_ecryptfs/pam_ecryptfs.c:
+    - check if this file exists and ask the user for the wrapping passphrase
+      if it does
+    - eliminate both ecryptfs_pam_wrapping_independent_set() and
+      ecryptfs_pam_automount_set() and replace with a reusable
+      file_exists_dotecryptfs() function
+  * src/utils/mount.ecryptfs_private.c:
+    - support multiple, user configurable private directories by way of
+      a command line "alias" argument
+    - this "alias" references a configuration file by the name of:
+      $HOME/.ecryptfs/alias.conf, which is in an fstab(5) format,
+      as well as $HOME/.ecryptfs/alias.sig, in the same format as
+      Private.sig
+    - if no argument specified, the utility operates in legacy mode,
+      defaulting to "Private"
+    - rename variables, s/dev/src/ and s/mnt/dest/
+    - add a read_config() function
+    - add an alias char* to replace the #defined ECRYPTFS_PRIVATE_DIR
+    - this is half of the fix to LP: #615657
+  * doc/manpage/mount.ecryptfs_private.1: document these changes
+  * src/libecryptfs/main.c, src/utils/mount.ecryptfs_private.c:
+    - allow umount.ecryptfs_private to succeed when the key is no
+      longer in user keyring.
+- Updated to 85
+  * src/utils/ecryptfs-recover-private: clean sigs of invalid characters
+  * src/utils/mount.ecryptfs_private.c:
+    - fix bug LP: #313812, clear used keys on unmount
+    - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from
+      umount.ecryptfs behave similarly
+    - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek
+  * src/utils/ecryptfs-migrate-home:
+    - support user databases outside of /etc/passwd, LP: #627506
+- Updated to 84
+  * src/desktop/ecryptfs-record-passphrase: fix typo, LP: #524139
+  * debian/rules, debian/control:
+    - disable the gpg key module, as it's not yet functional
+    - clean up unneeded build-deps
+    - also, not using opencryptoki either
+  * doc/manpage/ecryptfs.7: fix minor documentation bug, reported by
+    email by Jon 'maddog' Hall
+  * doc/manpage/ecryptfs-recover-private.1, doc/manpage/Makefile.am,
+    po/POTFILES.in, src/utils/ecryptfs-recover-private,
+    src/utils/Makefile.am: add a utility to simplify data recovery
+    of an encrypted private directory from a Live ISO, LP: #689969
+
+-------------------------------------------------------------------

calling whatdependson for head-i586


Old:
----
  ecryptfs-utils_83.orig.tar.gz

New:
----
  ecryptfs-utils_87.orig.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ecryptfs-utils.spec ++++++
--- /var/tmp/diff_new_pack.iwioJt/_old  2011-06-06 13:55:48.000000000 +0200
+++ /var/tmp/diff_new_pack.iwioJt/_new  2011-06-06 13:55:48.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package ecryptfs-utils (Version 83)
+# spec file for package ecryptfs-utils
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,8 +24,8 @@
 Group:          Productivity/Security
 AutoReqProv:    on
 Summary:        Userspace Utilities for ecryptfs
-Version:        83
-Release:        2
+Version:        87
+Release:        1
 Source0:        
http://launchpad.net/ecryptfs/trunk/%version/+download/ecryptfs-utils_%version.orig.tar.gz
 Source1:        baselibs.conf
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

++++++ ecryptfs-utils_83.orig.tar.gz -> ecryptfs-utils_87.orig.tar.gz ++++++
++++ 4269 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/configure.ac new/ecryptfs-utils-87/configure.ac
--- old/ecryptfs-utils-83/configure.ac  2010-02-17 21:25:40.000000000 +0100
+++ new/ecryptfs-utils-87/configure.ac  2011-03-09 14:30:32.000000000 +0100
@@ -10,7 +10,7 @@
 
 
 AC_PREREQ(2.59)
-AC_INIT([ecryptfs-utils],[83])
+AC_INIT([ecryptfs-utils],[87])
 AC_CANONICAL_HOST
 AC_CANONICAL_TARGET
 AM_INIT_AUTOMAKE([${PACKAGE_NAME}], [${PACKAGE_VERSION}])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/doc/manpage/Makefile.am 
new/ecryptfs-utils-87/doc/manpage/Makefile.am
--- old/ecryptfs-utils-83/doc/manpage/Makefile.am       2009-10-20 
20:49:55.000000000 +0200
+++ new/ecryptfs-utils-87/doc/manpage/Makefile.am       2011-03-09 
14:30:32.000000000 +0100
@@ -18,6 +18,7 @@
        ecryptfs-insert-wrapped-passphrase-into-keyring.1 \
        ecryptfs-manager.8 \
        ecryptfs-mount-private.1 \
+       ecryptfs-recover-private.1 \
        ecryptfs-rewrap-passphrase.1 \
        ecryptfs-rewrite-file.1 \
        ecryptfs-setup-private.1 \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/doc/manpage/ecryptfs-recover-private.1 
new/ecryptfs-utils-87/doc/manpage/ecryptfs-recover-private.1
--- old/ecryptfs-utils-83/doc/manpage/ecryptfs-recover-private.1        
1970-01-01 01:00:00.000000000 +0100
+++ new/ecryptfs-utils-87/doc/manpage/ecryptfs-recover-private.1        
2011-03-09 14:30:32.000000000 +0100
@@ -0,0 +1,31 @@
+.TH ecryptfs-recover-private 1 2010-12-17 ecryptfs-utils "eCryptfs"
+.SH NAME
+\fBecryptfs-recover-private\fP \- find and mount any encrypted private 
directories
+
+.SH SYNOPSIS
+\fBecryptfs-recover-private\fP [encrypted private dir]
+
+.SH DESCRIPTION
+This utility is intended to help eCryptfs recover data from their encrypted 
home or encrypted private partitions.  It is useful to run this from a LiveISO 
or a recovery image.  It must run under \fBsudo\fP(8) or with root permission, 
in order to search the filesystem and perform the mounts.
+
+The program can take a target encrypted directory on the command line.  If 
unspecified, the utility will search the entire system looking for encrypted 
private directories, as configured by \fBecryptfs-setup-private\fP(1).
+
+If an encrypted directory and a \fIwrapped-passphrase\fP file are found, the 
user is prompted for the login (wrapping) passphrase, the keys are inserted 
into the keyring, and the data is decrypted and mounted.
+
+If no \fIwrapped-passphrase\fP file is found, the user will be prompted for 
their mount passphrase.  This passphrase is typically 32 characters of 
[0-9a-f].  All users are prompted to urgently record this randomly generated 
passphrase when they first setup their encrypted private directory. 
+
+The destination mount of the decrypted data is a temporary directory, in the 
form of \fI/tmp/ecryptfs.XXXXXXXX\fP.
+
+.SH SEE ALSO
+\fBecryptfs-setup-private\fP(1), \fBsudo\fP(8)
+
+\fIhttp://blog.dustinkirkland.com/2009/03/mounting-your-encrypted-home-from.html\fP
+
+.TP
+\fIhttp://launchpad.net/ecryptfs/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland <kirkl...@canonical.com> for 
Ubuntu systems (but may be used by others).  Permission is granted to copy, 
distribute and/or modify this document under the terms of the GNU General 
Public License, Version 2 or any later version published by the Free Software 
Foundation.
+
+On Debian systems, the complete text of the GNU General Public License can be 
found in /usr/share/common-licenses/GPL.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/doc/manpage/ecryptfs.7 
new/ecryptfs-utils-87/doc/manpage/ecryptfs.7
--- old/ecryptfs-utils-83/doc/manpage/ecryptfs.7        2009-10-20 
20:49:55.000000000 +0200
+++ new/ecryptfs-utils-87/doc/manpage/ecryptfs.7        2011-03-09 
14:30:32.000000000 +0100
@@ -64,7 +64,7 @@
 
 .TP
 .B passphrase_passwd=(passphrase)
-The actual password is password. Since the password is visible to utilities 
(like ps under Unix) this form should only be used where security is not 
important.
+The actual password is passphrase. Since the password is visible to utilities 
(like ps under Unix) this form should only be used where security is not 
important.
 .TP
 .B passphrase_passwd_file=(filename)
 The password should be specified in a file with passwd=(passphrase). It is 
highly reccomended that the file be stored on a secure medium such as a 
personal usb key.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/doc/manpage/mount.ecryptfs_private.1 
new/ecryptfs-utils-87/doc/manpage/mount.ecryptfs_private.1
--- old/ecryptfs-utils-83/doc/manpage/mount.ecryptfs_private.1  2009-10-20 
20:49:55.000000000 +0200
+++ new/ecryptfs-utils-87/doc/manpage/mount.ecryptfs_private.1  2011-03-09 
14:30:32.000000000 +0100
@@ -3,26 +3,36 @@
 mount.ecryptfs_private \- eCryptfs private mount helper.
 
 .SH SYNOPSIS
-\fBmount.ecryptfs_private\fP
+\fBmount.ecryptfs_private [ALIAS]\fP
 
 \fBNOTE:\fP This program will \fBnot\fP dynamically load the relevant keys.  
For this reason, it is recommended that users use 
\fBecryptfs-mount-private\fP(1) instead!
 
 .SH DESCRIPTION
-\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users, who 
are members of \fBecryptfs\fP group, to cryptographically mount a private 
directory, ~/Private.
+\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users, who 
are members of \fBecryptfs\fP group, to cryptographically mount a private 
directory, ~/Private by default.
 
-If, and only if:
-  - the private mount passphrase is in their kernel keyring, and
-  - the current user owns both ~/.Private and ~/Private, and
-  - ~/Private is not already mounted, then
+This program optionally takes one argument, ALIAS.  If ALIAS is omitted, the 
program will default to using "Private" using:
+ - $HOME/.Private as the SOURCE
+ - $HOME/Private as the DESTINATION
+ - $HOME/.ecryptfs/Private.sig for the key signatures.
+
+If ALIAS is specified, then the program will look for an \fBfstab\fP(5) style 
configuration in:
+ - $HOME/.ecryptfs/ALIAS.conf
+and for key signature(s) in:
+ - $HOME/.ecryptfs/ALIAS.sig
+
+The mounting will proceed if, and only if:
+  - the required passphrase is in their kernel keyring, and
+  - the current user owns both the SOURCE and DESTINATION mount points
+  - the DESTINATION is not already mounted
 
 This program will:
-  - mount ~/.Private onto ~/Private
+  - mount SOURCE onto DESTINATION
   - as an ecryptfs filesystem
   - using the AES cipher
   - with a key length of 16 bytes
   - using the passphrase whose signature is in ~/.ecryptfs/Private.sig
 
-The only setuid operation in this program is the call to \fBmount\fP(8).
+The only setuid operation in this program is the call to \fBmount\fP(8) or 
\fBumount\fP(8).
 
 The \fBecryptfs-setup-private\fP(1) utility will create the ~/.Private and 
~/Private directories, generate a mount passphrase, wrap the passphrase, and 
write the ~/.ecryptfs/Private.sig.
 
@@ -40,7 +50,7 @@
 .SH SEE ALSO
 .PD 0
 .TP
-\fBecryptfs\fP(7), \fBecryptfs-rewrap-passphrase\fP(1), 
\fBecryptfs-setup-private\fP(1), \fBkeyctl\fP(1), \fBmount\fP(8), 
\fBumount.ecryptfs_private\fP(1), \fBpam_ecryptfs\fP(8)
+\fBecryptfs\fP(7), \fBecryptfs-rewrap-passphrase\fP(1), 
\fBecryptfs-setup-private\fP(1), \fBkeyctl\fP(1), \fBmount\fP(8), 
\fBumount.ecryptfs_private\fP(1), \fBpam_ecryptfs\fP(8), \fBfstab\fP(5)
 
 .TP
 \fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/m4/intltool.m4 new/ecryptfs-utils-87/m4/intltool.m4
--- old/ecryptfs-utils-83/m4/intltool.m4        2009-09-21 18:08:22.000000000 
+0200
+++ new/ecryptfs-utils-87/m4/intltool.m4        1970-01-01 01:00:00.000000000 
+0100
@@ -1,216 +0,0 @@
-## intltool.m4 - Configure intltool for the target system. -*-Shell-script-*-
-## Copyright (C) 2001 Eazel, Inc.
-## Author: Maciej Stachowiak <m...@noisehavoc.org>
-##         Kenneth Christiansen <kenn...@gnu.org>
-##
-## This program is free software; you can redistribute it and/or modify
-## it under the terms of the GNU General Public License as published by
-## the Free Software Foundation; either version 2 of the License, or
-## (at your option) any later version.
-##
-## This program is distributed in the hope that it will be useful, but
-## WITHOUT ANY WARRANTY; without even the implied warranty of
-## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-## General Public License for more details.
-##
-## You should have received a copy of the GNU General Public License
-## along with this program; if not, write to the Free Software
-## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-##
-## As a special exception to the GNU General Public License, if you
-## distribute this file as part of a program that contains a
-## configuration script generated by Autoconf, you may include it under
-## the same distribution terms that you use for the rest of that program.
-
-dnl IT_PROG_INTLTOOL([MINIMUM-VERSION], [no-xml])
-# serial 40 IT_PROG_INTLTOOL
-AC_DEFUN([IT_PROG_INTLTOOL], [
-AC_PREREQ([2.50])dnl
-AC_REQUIRE([AM_NLS])dnl
-
-case "$am__api_version" in
-    1.[01234])
-       AC_MSG_ERROR([Automake 1.5 or newer is required to use intltool])
-    ;;
-    *)
-    ;;
-esac
-
-if test -n "$1"; then
-    AC_MSG_CHECKING([for intltool >= $1])
-
-    INTLTOOL_REQUIRED_VERSION_AS_INT=`echo $1 | awk -F. '{ print $ 1 * 1000 + 
$ 2 * 100 + $ 3; }'`
-    INTLTOOL_APPLIED_VERSION=`intltool-update --version | head -1 | cut -d" " 
-f3`
-    [INTLTOOL_APPLIED_VERSION_AS_INT=`echo $INTLTOOL_APPLIED_VERSION | awk -F. 
'{ print $ 1 * 1000 + $ 2 * 100 + $ 3; }'`
-    ]
-    AC_MSG_RESULT([$INTLTOOL_APPLIED_VERSION found])
-    test "$INTLTOOL_APPLIED_VERSION_AS_INT" -ge 
"$INTLTOOL_REQUIRED_VERSION_AS_INT" ||
-       AC_MSG_ERROR([Your intltool is too old.  You need intltool $1 or 
later.])
-fi
-
-AC_PATH_PROG(INTLTOOL_UPDATE, [intltool-update])
-AC_PATH_PROG(INTLTOOL_MERGE, [intltool-merge])
-AC_PATH_PROG(INTLTOOL_EXTRACT, [intltool-extract])
-if test -z "$INTLTOOL_UPDATE" -o -z "$INTLTOOL_MERGE" -o -z 
"$INTLTOOL_EXTRACT"; then
-    AC_MSG_ERROR([The intltool scripts were not found. Please install 
intltool.])
-fi
-
-  INTLTOOL_DESKTOP_RULE='%.desktop:   %.desktop.in   $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-INTLTOOL_DIRECTORY_RULE='%.directory: %.directory.in $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-     INTLTOOL_KEYS_RULE='%.keys:      %.keys.in      $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -k -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-     INTLTOOL_PROP_RULE='%.prop:      %.prop.in      $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-      INTLTOOL_OAF_RULE='%.oaf:       %.oaf.in       $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -p 
$(top_srcdir)/po $< [$]@'
-     INTLTOOL_PONG_RULE='%.pong:      %.pong.in      $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-   INTLTOOL_SERVER_RULE='%.server:    %.server.in    $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-    INTLTOOL_SHEET_RULE='%.sheet:     %.sheet.in     $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-INTLTOOL_SOUNDLIST_RULE='%.soundlist: %.soundlist.in $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-       INTLTOOL_UI_RULE='%.ui:        %.ui.in        $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-      INTLTOOL_XML_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-      INTLTOOL_XML_NOMERGE_RULE='%.xml:       %.xml.in       $(INTLTOOL_MERGE) 
; LC_ALL=C $(INTLTOOL_MERGE) -x -u /tmp $< [$]@' 
-      INTLTOOL_XAM_RULE='%.xam:       %.xml.in       $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-      INTLTOOL_KBD_RULE='%.kbd:       %.kbd.in       $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -m -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-    INTLTOOL_CAVES_RULE='%.caves:     %.caves.in     $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-  INTLTOOL_SCHEMAS_RULE='%.schemas:   %.schemas.in   $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -s -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-    INTLTOOL_THEME_RULE='%.theme:     %.theme.in     $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@' 
-    INTLTOOL_SERVICE_RULE='%.service: %.service.in   $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
-   INTLTOOL_POLICY_RULE='%.policy:    %.policy.in    $(INTLTOOL_MERGE) 
$(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c 
$(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
-
-_IT_SUBST(INTLTOOL_DESKTOP_RULE)
-_IT_SUBST(INTLTOOL_DIRECTORY_RULE)
-_IT_SUBST(INTLTOOL_KEYS_RULE)
-_IT_SUBST(INTLTOOL_PROP_RULE)
-_IT_SUBST(INTLTOOL_OAF_RULE)
-_IT_SUBST(INTLTOOL_PONG_RULE)
-_IT_SUBST(INTLTOOL_SERVER_RULE)
-_IT_SUBST(INTLTOOL_SHEET_RULE)
-_IT_SUBST(INTLTOOL_SOUNDLIST_RULE)
-_IT_SUBST(INTLTOOL_UI_RULE)
-_IT_SUBST(INTLTOOL_XAM_RULE)
-_IT_SUBST(INTLTOOL_KBD_RULE)
-_IT_SUBST(INTLTOOL_XML_RULE)
-_IT_SUBST(INTLTOOL_XML_NOMERGE_RULE)
-_IT_SUBST(INTLTOOL_CAVES_RULE)
-_IT_SUBST(INTLTOOL_SCHEMAS_RULE)
-_IT_SUBST(INTLTOOL_THEME_RULE)
-_IT_SUBST(INTLTOOL_SERVICE_RULE)
-_IT_SUBST(INTLTOOL_POLICY_RULE)
-
-# Check the gettext tools to make sure they are GNU
-AC_PATH_PROG(XGETTEXT, xgettext)
-AC_PATH_PROG(MSGMERGE, msgmerge)
-AC_PATH_PROG(MSGFMT, msgfmt)
-AC_PATH_PROG(GMSGFMT, gmsgfmt, $MSGFMT)
-if test -z "$XGETTEXT" -o -z "$MSGMERGE" -o -z "$MSGFMT"; then
-    AC_MSG_ERROR([GNU gettext tools not found; required for intltool])
-fi
-xgversion="`$XGETTEXT --version|grep '(GNU ' 2> /dev/null`"
-mmversion="`$MSGMERGE --version|grep '(GNU ' 2> /dev/null`"
-mfversion="`$MSGFMT --version|grep '(GNU ' 2> /dev/null`"
-if test -z "$xgversion" -o -z "$mmversion" -o -z "$mfversion"; then
-    AC_MSG_ERROR([GNU gettext tools not found; required for intltool])
-fi
-
-AC_PATH_PROG(INTLTOOL_PERL, perl)
-if test -z "$INTLTOOL_PERL"; then
-   AC_MSG_ERROR([perl not found])
-fi
-AC_MSG_CHECKING([for perl >= 5.8.1])
-$INTLTOOL_PERL -e "use 5.8.1;" > /dev/null 2>&1
-if test $? -ne 0; then
-   AC_MSG_ERROR([perl 5.8.1 is required for intltool])
-else
-   IT_PERL_VERSION="`$INTLTOOL_PERL -e \"printf '%vd', $^V\"`"
-   AC_MSG_RESULT([$IT_PERL_VERSION])
-fi
-if test "x$2" != "xno-xml"; then
-   AC_MSG_CHECKING([for XML::Parser])
-   if `$INTLTOOL_PERL -e "require XML::Parser" 2>/dev/null`; then
-       AC_MSG_RESULT([ok])
-   else
-       AC_MSG_ERROR([XML::Parser perl module is required for intltool])
-   fi
-fi
-
-# Substitute ALL_LINGUAS so we can use it in po/Makefile
-AC_SUBST(ALL_LINGUAS)
-
-# Set DATADIRNAME correctly if it is not set yet
-# (copied from glib-gettext.m4)
-if test -z "$DATADIRNAME"; then
-  AC_LINK_IFELSE(
-    [AC_LANG_PROGRAM([[]],
-                     [[extern int _nl_msg_cat_cntr;
-                       return _nl_msg_cat_cntr]])],
-    [DATADIRNAME=share],
-    [case $host in
-    *-*-solaris*)
-    dnl On Solaris, if bind_textdomain_codeset is in libc,
-    dnl GNU format message catalog is always supported,
-    dnl since both are added to the libc all together.
-    dnl Hence, we'd like to go with DATADIRNAME=share
-    dnl in this case.
-    AC_CHECK_FUNC(bind_textdomain_codeset,
-      [DATADIRNAME=share], [DATADIRNAME=lib])
-    ;;
-    *)
-    [DATADIRNAME=lib]
-    ;;
-    esac])
-fi
-AC_SUBST(DATADIRNAME)
-
-IT_PO_SUBDIR([po])
-
-])
-
-
-# IT_PO_SUBDIR(DIRNAME)
-# ---------------------
-# All po subdirs have to be declared with this macro; the subdir "po" is
-# declared by IT_PROG_INTLTOOL.
-#
-AC_DEFUN([IT_PO_SUBDIR],
-[AC_PREREQ([2.53])dnl We use ac_top_srcdir inside AC_CONFIG_COMMANDS.
-dnl
-dnl The following CONFIG_COMMANDS should be exetuted at the very end
-dnl of config.status.
-AC_CONFIG_COMMANDS_PRE([
-  AC_CONFIG_COMMANDS([$1/stamp-it], [
-    if [ ! grep "^# INTLTOOL_MAKEFILE$" "$1/Makefile.in" > /dev/null ]; then
-       AC_MSG_ERROR([$1/Makefile.in.in was not created by intltoolize.])
-    fi
-    rm -f "$1/stamp-it" "$1/stamp-it.tmp" "$1/POTFILES" "$1/Makefile.tmp"
-    >"$1/stamp-it.tmp"
-    [sed '/^#/d
-        s/^[[].*] *//
-        /^[    ]*$/d
-       '"s|^|  $ac_top_srcdir/|" \
-      "$srcdir/$1/POTFILES.in" | sed '$!s/$/ \\/' >"$1/POTFILES"
-    ]
-    [sed '/^POTFILES =/,/[^\\]$/ {
-               /^POTFILES =/!d
-               r $1/POTFILES
-         }
-        ' "$1/Makefile.in" >"$1/Makefile"]
-    rm -f "$1/Makefile.tmp"
-    mv "$1/stamp-it.tmp" "$1/stamp-it"
-  ])
-])dnl
-])
-
-# _IT_SUBST(VARIABLE)
-# -------------------
-# Abstract macro to do either _AM_SUBST_NOTMAKE or AC_SUBST
-#
-AC_DEFUN([_IT_SUBST],
-[
-AC_SUBST([$1])
-m4_ifdef([_AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE([$1])])
-]
-)
-
-# deprecated macros
-AU_ALIAS([AC_PROG_INTLTOOL], [IT_PROG_INTLTOOL])
-# A hint is needed for aclocal from Automake <= 1.9.4:
-# AC_DEFUN([AC_PROG_INTLTOOL], ...)
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/po/POTFILES.in new/ecryptfs-utils-87/po/POTFILES.in
--- old/ecryptfs-utils-83/po/POTFILES.in        2010-02-17 18:05:05.000000000 
+0100
+++ new/ecryptfs-utils-87/po/POTFILES.in        2011-03-09 14:30:32.000000000 
+0100
@@ -2,6 +2,7 @@
 src/desktop/ecryptfs-mount-private.desktop.in
 src/desktop/ecryptfs-setup-private.desktop.in
 src/utils/ecryptfs-mount-private
+src/utils/ecryptfs-recover-private
 src/utils/ecryptfs-rewrite-file
 src/utils/ecryptfs-setup-private
 src/utils/ecryptfs-setup-swap
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/src/desktop/ecryptfs-record-passphrase 
new/ecryptfs-utils-87/src/desktop/ecryptfs-record-passphrase
--- old/ecryptfs-utils-83/src/desktop/ecryptfs-record-passphrase        
2010-02-17 22:11:13.000000000 +0100
+++ new/ecryptfs-utils-87/src/desktop/ecryptfs-record-passphrase        
2011-03-09 14:30:32.000000000 +0100
@@ -15,5 +15,5 @@
  "Passphrase" prompt and you can display your randomly generated passphrase.
  .
  Otherwise, you will need to run "ecryptfs-unwrap-passphrase" from the command
- line to retrive and record your generated passphrase.
+ line to retrieve and record your generated passphrase.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/src/libecryptfs/main.c 
new/ecryptfs-utils-87/src/libecryptfs/main.c
--- old/ecryptfs-utils-83/src/libecryptfs/main.c        2009-11-11 
02:01:37.000000000 +0100
+++ new/ecryptfs-utils-87/src/libecryptfs/main.c        2011-03-09 
14:30:32.000000000 +0100
@@ -144,7 +144,7 @@
        struct mntent *m = NULL;
        char *opt = NULL;
        int mounted;
-       if (asprintf(&opt, "ecryptfs_sig=%s", sig) < 0) {
+       if (sig && asprintf(&opt, "ecryptfs_sig=%s", sig) < 0) {
                perror("asprintf");
                return 0;
        }
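Review bot: The new `sig &&` guard makes a NULL `sig` a supported input that leaves `opt` NULL, but nothing at this site records that contract. I would add a comment above the `if`, for example `/* sig may be NULL (key no longer in the keyring): opt stays NULL and the signature option is not matched below */`. The second hunk in this file (`@@ -181,7 +181,7 @@`) depends on exactly that state. The function starts and ends outside the hunk, so whether `opt` is freed before each return cannot be checked from here.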
@@ -181,7 +181,7 @@
                        if (
                            strcmp(m->mnt_fsname, dev) == 0 &&
                            strcmp(m->mnt_dir, mnt) == 0 &&
-                           hasmntopt(m, opt) != NULL
+                           (!opt || hasmntopt(m, opt) != NULL)
                        ) {
                                mounted = 1;
                                break;
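Review bot: With `opt` NULL, `(!opt || hasmntopt(m, opt) != NULL)` accepts any entry whose `mnt_fsname` and `mnt_dir` match, so the key signature no longer takes part in identifying the mount. The changelog says this is meant to let the unmount succeed once the key has left the keyring, so the relaxation looks intended. It deserves a comment at this condition saying the match then rests on device and mount point alone, and that callers must already have verified ownership of both. `dev` and `mnt` are still passed to `strcmp` without a NULL check while `sig` is now allowed to be NULL. If either can be NULL on this path (the signature and the enclosing branch are outside the hunk), a guard such as `dev && mnt &&` in front of the comparisons would be needed.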
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/src/pam_ecryptfs/pam_ecryptfs.c 
new/ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
--- old/ecryptfs-utils-83/src/pam_ecryptfs/pam_ecryptfs.c       2010-02-16 
18:01:43.000000000 +0100
+++ new/ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c       2011-03-09 
14:30:32.000000000 +0100
@@ -68,13 +68,13 @@
        }
 }
 
-/* returns: 0 for pam automounting not set, 1 for set, <0 for error */
-static int ecryptfs_pam_automount_set(const char *homedir)
+/* returns: 0 if file does not exist, 1 if it exists, <0 for error */
+static int file_exists_dotecryptfs(const char *homedir, char *filename)
 {
        char *file_path;
        int rc = 0;
        struct stat s;
-       if (asprintf(&file_path, "%s/.ecryptfs/auto-mount", homedir) == -1)
+       if (asprintf(&file_path, "%s/.ecryptfs/%s", homedir, filename) == -1)
                return -ENOMEM;
        if (stat(file_path, &s) != 0) {
                if (errno != ENOENT)
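Review bot: `filename` in the new `file_exists_dotecryptfs()` signature should be `const char *`, because both callers on this page pass string literals and the visible body only formats the value into a path: `static int file_exists_dotecryptfs(const char *homedir, const char *filename)`. The name is interpolated into `"%s/.ecryptfs/%s"` unchecked, which is fine for the two literal callers. A one-line comment stating that the argument must be a fixed file name without `/`, never user-supplied, would keep a later caller from turning this into a path traversal. The body continues past the hunk, so whether `file_path` is freed on every return is not visible here.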
@@ -149,7 +149,7 @@
                       "rc = [%ld]\n", username, rc);
                goto out;
        }
-       if (!ecryptfs_pam_automount_set(homedir))
+       if (!file_exists_dotecryptfs(homedir, "auto-mount"))
                goto out;
        private_mnt = ecryptfs_fetch_private_mnt(homedir);
        if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
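Review bot: `if (!file_exists_dotecryptfs(homedir, "auto-mount"))` treats a negative error return the same as "file exists", so a failed `asprintf` or a `stat` error other than ENOENT lets the automount path continue. The helper's own comment documents `<0 for error`, and the later `wrapping-independent` call in this file already compares with `== 1`. Using the same form here fails closed: `if (file_exists_dotecryptfs(homedir, "auto-mount") != 1) goto out;`. The enclosing function starts and ends outside the hunk.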
@@ -165,7 +165,10 @@
                syslog(LOG_WARNING, "Can't check if kernel supports 
ecryptfs\n");
        saved_uid = geteuid();
        seteuid(uid);
-       rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
+       if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1)
+               rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, 
"Encryption passphrase: ");
+       else
+               rc = pam_get_item(pamh, PAM_AUTHTOK, (const void 
**)&passphrase);
        seteuid(saved_uid);
        if (rc != PAM_SUCCESS) {
                syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
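Review bot: After this change `passphrase` has two different owners: `pam_prompt()` hands back a heap-allocated response that the caller must free, while `pam_get_item()` returns a pointer to PAM's own copy that must not be freed. The cleanup code is outside the hunk, so I cannot tell whether it distinguishes the two. If it does not, the prompted passphrase leaks and stays in process memory unwiped. I would record which branch was taken (for example a local flag set next to the `pam_prompt` call) and, only in that case, overwrite the buffer and `free()` it on every exit path. As a style point, `if(file_exists_dotecryptfs(` should be `if (file_exists_dotecryptfs(` to match the rest of the file.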
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/src/utils/Makefile.am 
new/ecryptfs-utils-87/src/utils/Makefile.am
--- old/ecryptfs-utils-83/src/utils/Makefile.am 2010-02-17 03:53:33.000000000 
+0100
+++ new/ecryptfs-utils-87/src/utils/Makefile.am 2011-03-09 14:30:32.000000000 
+0100
@@ -1,6 +1,6 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 
-EXTRA_DIST=ecryptfsrc ecryptfs-rewrite-file ecryptfs-setup-private 
ecryptfs-setup-swap ecryptfs-mount-private ecryptfs-umount-private 
ecryptfs-migrate-home
+EXTRA_DIST=ecryptfsrc ecryptfs-rewrite-file ecryptfs-setup-private 
ecryptfs-setup-swap ecryptfs-mount-private ecryptfs-umount-private 
ecryptfs-migrate-home ecryptfs-recover-private
 
 rootsbin_PROGRAMS=mount.ecryptfs \
                  umount.ecryptfs \
@@ -16,6 +16,7 @@
              ecryptfs-mount-private \
              ecryptfs-umount-private \
              ecryptfs-rewrite-file \
+             ecryptfs-recover-private \
              ecryptfs-migrate-home
 bin2dir = $(bindir)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/src/utils/ecryptfs-migrate-home 
new/ecryptfs-utils-87/src/utils/ecryptfs-migrate-home
--- old/ecryptfs-utils-83/src/utils/ecryptfs-migrate-home       2010-02-17 
22:00:40.000000000 +0100
+++ new/ecryptfs-utils-87/src/utils/ecryptfs-migrate-home       2011-03-09 
14:30:32.000000000 +0100
@@ -81,7 +81,7 @@
 # get user home by username
 get_user_home () {
        local USER_NAME="$1"
-       local USER_HOME=$(grep "^$USER_NAME:" /etc/passwd | cut -d":" -f 6)
+       local USER_HOME=$(getent passwd "$USER_NAME" | cut -d":" -f 6)
        if [ -z "$USER_HOME" ]; then
                error "Cannot find the home directory of $USER_NAME."
        fi
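Review bot: `getent passwd "$USER_NAME"` also resolves an all-digit key as a UID, so a numeric argument returns some account's home directory while the rest of the script keeps treating the digits as a user name. Comparing the first field of the returned entry with the argument closes that gap, e.g. `local USER_HOME=$(getent passwd "$USER_NAME" | awk -F: -v u="$USER_NAME" '$1 == u { print $6 }')`. get_user_home continues past the end of this hunk.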
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/src/utils/ecryptfs-recover-private 
new/ecryptfs-utils-87/src/utils/ecryptfs-recover-private
--- old/ecryptfs-utils-83/src/utils/ecryptfs-recover-private    1970-01-01 
01:00:00.000000000 +0100
+++ new/ecryptfs-utils-87/src/utils/ecryptfs-recover-private    2011-03-09 
14:30:32.000000000 +0100
@@ -0,0 +1,100 @@
+#!/bin/sh -e
+#
+#    ecryptfs-recover-private
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    Authors: Dustin Kirkland <kirkl...@canonical.com>
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, version 2 of the License.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+error() {
+       echo "ERROR: $@" 1>&2
+       exit 1
+}
+
+info() {
+       echo "INFO: $@"
+}
+
+# We need root access to do the deep find and the mount
+[ "$(id -u)" = "0" ] || error "This program must be run as root."
+
+# Handle parameters
+if [ -d "$1" ]; then
+       # Allow for target directories on the command line
+       dirs="$@"
+else
+       # Otherwise, search the system for directories named ".Private"
+       info "Searching for encrypted private directories (this might take a 
while)..."
+       dirs=$(find / -type d -name ".Private")
+       if [ -z "$dirs" ]; then
+               info "Hint: click 'Places' and select your hard disk, then run 
this again."
+               error "No private directories found; make sure that your root 
filesystem is mounted."
+       fi
+fi
+
+# Examine directories
+for d in $dirs; do
+       if [ -d "$d" ]; then
+               info "Found [$d]."
+               echo -n "Try to recover this directory? [Y/n]: "
+               answer=$(head -n1)
+               case "$answer" in n*|N*) continue ;; esac
+       else
+               continue
+       fi
+       # Determine if filename encryption is on
+       ls "$d/ECRYPTFS_FNEK_ENCRYPTED"* >/dev/null 2>&1 && fnek="--fnek" || 
fnek=
+       if [ -f "$d/../.ecryptfs/wrapped-passphrase" ]; then
+               # Use the wrapped-passphrase, if available
+               info "Enter your LOGIN passphrase..."
+               ecryptfs-insert-wrapped-passphrase-into-keyring 
"$d/../.ecryptfs/wrapped-passphrase"
+               sigs=$(sed -e "s/[^0-9a-f]//g" "$d/../.ecryptfs/Private.sig")
+       else
+               # Fall back to mount passphrase
+               echo
+               info "Could not find your wrapped passphrase file."
+               info "To recover this directory, you MUST have your original 
MOUNT passphrase."
+               info "When you first setup your encrypted private directory, 
you were told to record"
+               info "your MOUNT passphrase."
+               info "It should be 32 characters long, consisting of [0-9] and 
[a-f]."
+               echo
+               echo -n "Enter your MOUNT passphrase: "
+               stty_orig=$(stty -g)
+               stty -echo
+               passphrase=$(head -n1)
+               stty $stty_orig
+               echo
+               sigs=$(printf "%s\0" "$passphrase" | ecryptfs-add-passphrase 
$fnek | grep "^Inserted" | sed -e "s/^.*\[//" -e "s/\].*$//" -e 
"s/[^0-9a-f]//g")
+       fi
+       case $(echo "$sigs" | wc -l) in
+               1)
+                       mount_sig=$(echo "$sigs" | head -n1)
+                       fnek_sig=
+                       
mount_opts="ro,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+               ;;
+               2)
+                       mount_sig=$(echo "$sigs" | head -n1)
+                       fnek_sig=$(echo "$sigs" | tail -n1)
+                       
mount_opts="ro,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+               ;;
+               *)
+                       continue
+               ;;
+       esac
+       (keyctl list @u | grep -qs "$mount_sig") || error "The key required to 
access this private data is not available."
+       (keyctl list @u | grep -qs "$fnek_sig") || error "The key required to 
access this private data is not available."
+       tmpdir=$(mktemp -d /tmp/ecryptfs.XXXXXXXX)
+       mount -i -t ecryptfs -o "$mount_opts" "$d" "$tmpdir"
+       info "Success!  Private data mounted read-only at [$tmpdir]."
+done
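Review bot: An empty signature list is not rejected before the mount: when `ecryptfs-add-passphrase` inserts nothing or `Private.sig` holds no hex digits, `sigs` is empty, `echo "$sigs" | wc -l` still yields 1, and `grep -qs "$mount_sig"` with an empty pattern matches any keyring line, so `mount` runs with a blank `ecryptfs_sig=`. A guard right after the `case`, such as `[ -n "$mount_sig" ] || error "No key signature was obtained for [$d]."`, keeps the keyring check meaningful. Separately, the MOUNT passphrase prompt turns echo off without a trap, so an interrupt leaves the terminal without echo; `trap 'stty "$stty_orig"; exit 1' INT TERM` before `stty -echo` would restore it. The directory list is also expanded unquoted in `for d in $dirs`, so paths containing whitespace are split into separate words.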
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/src/utils/ecryptfs-setup-private 
new/ecryptfs-utils-87/src/utils/ecryptfs-setup-private
--- old/ecryptfs-utils-83/src/utils/ecryptfs-setup-private      2010-02-17 
05:47:40.000000000 +0100
+++ new/ecryptfs-utils-87/src/utils/ecryptfs-setup-private      2011-03-09 
14:30:32.000000000 +0100
@@ -217,7 +217,7 @@
        MOUNTPOINT="$HOME"
        CRYPTDIR="$ECRYPTFS_DIR/$USER/.$PRIVATE_DIR"
 else
-       mkdir -m 700 $HOME/.ecryptfs
+       mkdir -p -m 700 $HOME/.ecryptfs
        MOUNTPOINT="$HOME/$PRIVATE_DIR"
        CRYPTDIR="$HOME/.$PRIVATE_DIR"
 fi
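Review bot: With `-p`, `mkdir` succeeds silently when `$HOME/.ecryptfs` already exists, and `-m 700` applies only to a directory it creates, so a pre-existing directory keeps whatever mode it had. The signature and mountpoint files are written into that directory later in the script, so follow the call with `chmod 700 "$HOME/.ecryptfs"`. Quoting the path in both commands would also handle a home directory containing spaces.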
@@ -399,9 +399,11 @@
 temp=`mktemp`
 echo "$sig" > "$temp" || error "$(gettext 'Could not create signature file')" 
"[$HOME/.ecryptfs/$PRIVATE_DIR.sig]"
 mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.sig"
+which restorecon 2>/dev/null && restorecon "$HOME/.ecryptfs/$PRIVATE_DIR.sig" 
> /dev/null 2>&1
 temp=`mktemp`
 echo "$MOUNTPOINT" > "$temp" || error "$(gettext 'Could not create mountpoint 
file')" "[$HOME/.ecryptfs/$PRIVATE_DIR.mnt]"
 mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.mnt"
+which restorecon 2>/dev/null && restorecon "$HOME/.ecryptfs/$PRIVATE_DIR.mnt" 
> /dev/null 2>&1
 
 echo
 echo "$(gettext 'Done configuring.')"
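Review bot: `which restorecon 2>/dev/null` still prints the resolved path on stdout, so both added lines emit a stray line in the middle of the setup output wherever restorecon is installed, and `which` itself is not guaranteed to be present. `command -v restorecon >/dev/null 2>&1 && restorecon "$HOME/.ecryptfs/$PRIVATE_DIR.sig" >/dev/null 2>&1` is the portable form; the same applies to the `.mnt` line.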
@@ -435,12 +437,14 @@
 
 # Now let's perform some basic mount/write/umount/read sanity testing...
 echo "$(gettext 'Testing mount/write/umount/read...')"
+printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK -
 /sbin/mount.ecryptfs_private || error "$(gettext 'Could not mount private 
ecryptfs directory')"
 temp=`mktemp "$MOUNTPOINT/ecryptfs.test.XXXXXX"` || error_testing "$temp" 
"$(gettext 'Could not create empty file')"
 random_data=`head -c 16000 /dev/urandom | od -x` || error_testing "$temp" 
"$(gettext 'Could not generate random data')"
 echo "$random_data" > "$temp" || error_testing "$temp" "$(gettext 'Could not 
write encrypted file')"
 md5sum1=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read 
encrypted file')"
 /sbin/umount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not 
unmount private ecryptfs directory')"
+printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK -
 /sbin/mount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not 
mount private ecryptfs directory (2)')"
 md5sum2=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read 
encrypted file (2)')"
 rm -f "$temp"
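Review bot: Both added `ecryptfs-add-passphrase` calls ignore the exit status, unlike every neighbouring step, so a failed key insertion only surfaces as the less specific "Could not mount" error from the next line. Append a handler such as `|| error "$(gettext 'Could not add passphrase to the keyring')"` to the first call and the `error_testing "$temp"` equivalent to the second. Their stdout is also left unredirected, so whatever the tool prints about the inserted key appears in the test output; add `>/dev/null` if that is not intended.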
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/src/utils/ecryptfs_rewrap_passphrase.c 
new/ecryptfs-utils-87/src/utils/ecryptfs_rewrap_passphrase.c
--- old/ecryptfs-utils-83/src/utils/ecryptfs_rewrap_passphrase.c        
2009-10-20 20:49:55.000000000 +0200
+++ new/ecryptfs-utils-87/src/utils/ecryptfs_rewrap_passphrase.c        
2011-03-09 14:30:32.000000000 +0100
@@ -42,6 +42,7 @@
        char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1];
        char *old_wrapping_passphrase;
        char *new_wrapping_passphrase;
+       char *new_wrapping_passphrase2;
        char salt[ECRYPTFS_SALT_SIZE];
        char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
        int rc = 0;
@@ -52,6 +53,16 @@
                        ecryptfs_get_passphrase("Old wrapping passphrase");
                new_wrapping_passphrase =
                        ecryptfs_get_passphrase("New wrapping passphrase");
+               new_wrapping_passphrase2 =
+                       ecryptfs_get_passphrase("New wrapping passphrase 
(again)");
+               if (
+                   strlen(new_wrapping_passphrase) != 
strlen(new_wrapping_passphrase2) ||
+                   strncmp(new_wrapping_passphrase, new_wrapping_passphrase2, 
strlen(new_wrapping_passphrase))!=0
+                  ) {
+                       fprintf(stderr, "New wrapping passphrases do not 
match\n");
+                       rc = 1;
+                       goto out;
+               }
        } else if (argc == 3
                   && strlen(argv[2]) == 1 && strncmp(argv[2], "-", 1) == 0) {
                /* stdin mode */
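Review bot: The two new passphrase pointers are passed to `strlen()` without a NULL check, so if `ecryptfs_get_passphrase()` can return NULL (its contract is not visible in this hunk) the confirmation step dereferences a null pointer. The length-plus-`strncmp` comparison is also equivalent to a plain `strcmp`; `if (!new_wrapping_passphrase || !new_wrapping_passphrase2 || strcmp(new_wrapping_passphrase, new_wrapping_passphrase2) != 0)` covers both. Whether the `out` label frees or wipes the passphrase buffers cannot be seen here, since main starts and ends outside the hunk; `new_wrapping_passphrase2` should get the same cleanup as the other two.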
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c 
new/ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c
--- old/ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c    2010-02-16 
17:59:21.000000000 +0100
+++ new/ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c    2011-03-09 
14:30:32.000000000 +0100
@@ -5,6 +5,7 @@
  * Copyright (C) 2008 Canonical Ltd.
  *
  * This code was originally written by Dustin Kirkland <kirkl...@ubuntu.com>.
+ * Enhanced by Serge Hallyn <hal...@ubuntu.com>.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -31,6 +32,7 @@
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <errno.h>
 #include <keyutils.h>
 #include <mntent.h>
 #include <pwd.h>
@@ -51,6 +53,51 @@
 #define FSTYPE "ecryptfs"
 #define TMP "/dev/shm"
 
+int saved_errno;
+
+int read_config(char *pw_dir, int uid, char *alias, char **s, char **d, char 
**o) {
+/* Read an fstab(5) style config file */
+       char *fnam;
+       struct stat mstat;
+       struct mntent *e;
+       FILE *fin;
+       if (asprintf(&fnam, "%s/.ecryptfs/%s.conf", pw_dir, alias) < 0) {
+               perror("asprintf");
+               return -1;
+       }
+       if (stat(fnam, &mstat)!=0 || (!S_ISREG(mstat.st_mode) || 
mstat.st_uid!=uid)) {
+               fputs("Bad file\n", stderr);
+               free(fnam);
+               return -1;
+       }
+       fin = fopen(fnam, "r");
+       free(fnam);
+       if (!fin) {
+               perror("fopen");
+               return -1;
+       }
+       e = getmntent(fin);
+       fclose(fin);
+       if (!e) {
+               perror("getmntent");
+               return -1;
+       }
+       if (strcmp(e->mnt_type, "ecryptfs") != 0) {
+               fputs("Bad fs type\n", stderr);
+               return -1;
+       }
+       *o = strdup(e->mnt_opts);
+       if (!*o)
+               return -2;
+       *d = strdup(e->mnt_dir);
+       if (!*d)
+               return -2;
+       *s = strdup(e->mnt_fsname);
+       if (!*s)
+               return -2;
+out:
+       return 0;
+}
 
 int check_username(char *u) {
 /* We follow the username guidelines used by the adduser program.  Quoting its
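Review bot: read_config() validates the config file with `stat()` on the path and then opens the same path with `fopen()`, so the ownership and regular-file check applies to whatever was there at check time, not necessarily to the file that is read; in a setuid helper the check belongs on the opened stream via `fstat()`. Two smaller points in the same function: the `out:` label is never used, and when a later `strdup()` fails the earlier copies in `*o`/`*d` are leaked and the outputs are left partly set. `perror("getmntent")` may also print an unrelated errno, because an empty file makes `getmntent()` return NULL without necessarily setting it.

```c
        fin = fopen(fnam, "r");
        free(fnam);
        if (!fin) {
                perror("fopen");
                return -1;
        }
        /* Check the object that was actually opened, not the path. */
        if (fstat(fileno(fin), &mstat) != 0 ||
            !S_ISREG(mstat.st_mode) || mstat.st_uid != uid) {
                fputs("Bad file\n", stderr);
                fclose(fin);
                return -1;
        }
        /* … unchanged: getmntent(), fs type check and strdup() copies … */
```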
@@ -83,8 +130,7 @@
        return 0;
 }
 
-
-char *fetch_sig(char *pw_dir, int entry) {
+char *fetch_sig(char *pw_dir, int entry, char *alias) {
 /* Read ecryptfs signature from file and validate
  * Return signature as a string, or NULL on failure
  */
@@ -95,7 +141,7 @@
        /* Construct sig file name */
        if (
            asprintf(&sig_file, "%s/.ecryptfs/%s.sig", pw_dir,
-                    ECRYPTFS_PRIVATE_DIR) < 0
+                    alias) < 0
           ) {
                perror("asprintf");
                return NULL;
@@ -144,9 +190,7 @@
         * compile with -lkeyutils
         */
        if (keyctl_search(KEY_SPEC_USER_KEYRING, "user", sig, 0) < 0) {
-               perror("keyctl_search");
-               fputs("Perhaps try the interactive 'ecryptfs-mount-private'\n",
-                       stderr);
+               saved_errno = errno;
                return NULL;
        }
        return sig;
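Review bot: `saved_errno` is written only on the `keyctl_search` failure, but fetch_sig() has other NULL returns (the `perror("asprintf"); return NULL;` path in the previous hunk, for one), and main later runs `errno = saved_errno; perror("keyctl_search")` for any NULL result when mounting. On those paths the user gets a second, misleading "keyctl_search" message with a stale or zero errno. Returning the failure reason to the caller would be cleaner than a file-scope global; at minimum set `saved_errno = 0;` at the top of fetch_sig() and print the keyctl message only when it is non-zero. fetch_sig() starts and ends outside this hunk.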
@@ -204,7 +248,7 @@
        return 0;
 }
 
-FILE *lock_counter(char *u, int uid) {
+FILE *lock_counter(char *u, int uid, char *alias) {
        char *f;
        int fd;
        FILE *fh;
@@ -212,7 +256,7 @@
        int i = 1;
        /* We expect TMP to exist, be writeable by the user,
         * and to be cleared on boot */
-       if (asprintf(&f, "%s/%s-%s-%s", TMP, FSTYPE, u, ECRYPTFS_PRIVATE_DIR) < 
0) {
+       if (asprintf(&f, "%s/%s-%s-%s", TMP, FSTYPE, u, alias) < 0) {
                perror("asprintf");
                return NULL;
        }
@@ -224,7 +268,7 @@
                if (stat(f, &s)==0 && (!S_ISREG(s.st_mode) || s.st_uid!=uid)) {
                        free(f);
                        if (asprintf(&f, "%s/%s-%s-%s-%d", TMP, FSTYPE, u,
-                           ECRYPTFS_PRIVATE_DIR, i++) < 0) {
+                           alias, i++) < 0) {
                                perror("asprintf");
                                return NULL;
                        }
@@ -326,9 +370,8 @@
  *  - unmounts ~/.Private from ~/Private
  *    - using the signature defined in ~/.ecryptfs/Private.sig
  *    - ONLY IF the user
- *      - has the signature's key in his keyring
  *      - owns both ~/.Private and ~/Private
- *      - is currently mounted
+ *      - is currently ecryptfs mounted
  *
  * The only setuid operations in this program are:
  *  a) mounting
@@ -338,9 +381,8 @@
 int main(int argc, char *argv[]) {
        int uid, mounting;
        int force = 0;
-       int fnek = 1;
        struct passwd *pwd;
-       char *dev, *mnt, *opt;
+       char *alias, *src, *dest, *opt, *opts2;
        char *sig, *sig_fnek;
        FILE *fh_counter = NULL;
 
@@ -358,8 +400,39 @@
                goto fail;
        }
 
+       /* If no arguments, default to private dir; but accept at most one
+          argument, an alias for the configuration to read and use.
+        */
+       if (argc == 1) {
+               /* Use default source and destination dirs */
+               alias = ECRYPTFS_PRIVATE_DIR;
+               if ((asprintf(&src, "%s/.%s", pwd->pw_dir, alias) < 0) || src 
== NULL) {
+                       perror("asprintf (src)");
+                       goto fail;
+               }
+               dest = ecryptfs_fetch_private_mnt(pwd->pw_dir);
+               if (dest == NULL) {
+                       perror("asprintf (dest)");
+                       goto fail;
+               }
+       } else if (argc == 2) {
+               alias = argv[1];
+               /* Read the source and destination dirs from .conf file */
+               if (read_config(pwd->pw_dir, uid, alias, &src, &dest, &opts2) < 
0) {
+                       fputs("Error reading configuration file", stderr);
+                       exit(1);
+               }
+               if (opts2 != NULL && strlen(opts2) != 0 && strcmp(opts2, 
"none") != 0) {
+                       fputs("Mount options are not supported here", stderr);
+                       exit(1);
+               }
+       } else {
+               fputs("Too many arguments", stderr);
+               exit(1);
+       }
+
        /* Lock the counter through the rest of the program */
-       fh_counter = lock_counter(pwd->pw_name, uid);
+       fh_counter = lock_counter(pwd->pw_name, uid, alias);
        if (fh_counter == NULL) {
                fputs("Error locking counter", stderr);
                goto fail;
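Review bot: `alias = argv[1]` is used unchecked to build `%s/.ecryptfs/%s.conf`, `%s/.ecryptfs/%s.sig` and the lock file name `%s/%s-%s-%s` under TMP, so an argument containing `/` makes this setuid helper address paths outside the directories those formats intend. Reject such values before first use, e.g. `if (alias[0] == '\0' || strchr(alias, '/') != NULL) { fputs("Invalid alias\n", stderr); exit(1); }`. The three new `fputs` messages in this block also lack a trailing newline, and they `exit(1)` where the surrounding code uses `goto fail`; what `fail` cleans up is outside the hunk.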
@@ -387,52 +460,38 @@
 
        /* Fetch signatures from file */
        /* First line is the file content encryption key signature */
-       sig = fetch_sig(pwd->pw_dir, 0);
+       sig = fetch_sig(pwd->pw_dir, 0, alias);
        if (sig == NULL) {
-               goto fail;
+               /* if umounting, no sig is ok */
+               if (mounting) {
+                       errno = saved_errno;
+                       perror("keyctl_search");
+                       fputs("Perhaps try the interactive 
'ecryptfs-mount-private'\n",
+                               stderr);
+                       goto fail;
+               }
        }
        /* Second line, if present, is the filename encryption key signature */
-       sig_fnek = fetch_sig(pwd->pw_dir, 1);
-       if (sig_fnek == NULL) {
-               fnek = 0;
-       } else {
-               fnek = 1;
-       }
+       sig_fnek = fetch_sig(pwd->pw_dir, 1, alias);
 
-       /* Construct device, mount point, and mount options */
+       /* Build mount options */
        if (
-           (asprintf(&dev, "%s/.%s", pwd->pw_dir, ECRYPTFS_PRIVATE_DIR) < 0) ||
-           dev == NULL) {
-               perror("asprintf (dev)");
-               goto fail;
-       }
-       mnt = ecryptfs_fetch_private_mnt(pwd->pw_dir);
-       if (mnt == NULL) {
-               perror("asprintf (mnt)");
+           (asprintf(&opt, 
"ecryptfs_cipher=%s,ecryptfs_key_bytes=%d,ecryptfs_unlink_sigs%s%s%s%s",
+                     KEY_CIPHER,
+                     KEY_BYTES,
+                     sig ? ",ecryptfs_sig=" : "",
+                     sig ? sig : "",
+                     sig_fnek ? ",ecryptfs_fnek_sig=" : "",
+                     sig_fnek ? sig_fnek : ""
+                    ) < 0
+           ) || opt == NULL
+          ) {
+               perror("asprintf (opt)");
                goto fail;
        }
-       if (fnek == 1) {
-               /* Filename encryption is on, so specific the fnek sig */
-               if ((asprintf(&opt,
-"ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d",
-                sig, sig_fnek, KEY_CIPHER, KEY_BYTES) < 0) ||
-                opt == NULL) {
-                       perror("asprintf (opt)");
-                       goto fail;
-               }
-       } else {
-               /* Filename encryption is off; legacy support */
-               if ((asprintf(&opt,
-                "ecryptfs_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d",
-                sig, KEY_CIPHER, KEY_BYTES) < 0) ||
-                opt == NULL) {
-                       perror("asprintf (opt)");
-                       goto fail;
-               }
-       }
 
-       /* Check ownership of mnt */
-       if (check_ownerships(uid, mnt) != 0) {
+       /* Check ownership of dest */
+       if (check_ownerships(uid, dest) != 0) {
                goto fail;
        }
 
@@ -442,13 +501,13 @@
                        fputs("Error incrementing mount counter\n", stderr);
                }
                /* Mounting, so exit if already mounted */
-               if (ecryptfs_private_is_mounted(dev, mnt, sig, mounting) == 1) {
+               if (ecryptfs_private_is_mounted(src, dest, sig, mounting) == 1) 
{
                        goto success;
                }
-               /* Check ownership of dev, if mounting;
-                * note, umount only operates on mnt
+               /* Check ownership of src, if mounting;
+                * note, umount only operates on dest
                 */
-               if (check_ownerships(uid, dev) != 0) {
+               if (check_ownerships(uid, src) != 0) {
                        goto fail;
                }
                /* We must maintain our real uid as the user who called this
@@ -462,8 +521,8 @@
                 */
                setreuid(-1, 0);
                /* Perform mount */
-               if (mount(dev, mnt, FSTYPE, 0, opt) == 0) {
-                       if (update_mtab(dev, mnt, opt) != 0) {
+               if (mount(src, dest, FSTYPE, 0, opt) == 0) {
+                       if (update_mtab(src, dest, opt) != 0) {
                                goto fail;
                        }
                } else {
@@ -475,6 +534,7 @@
                        goto fail;
                }
        } else {
+               int rc = 0;
                /* Decrement counter, exiting if >0, and non-forced unmount */
                if (force == 1) {
                        zero(fh_counter);
@@ -482,8 +542,22 @@
                        fputs("Sessions still open, not unmounting\n", stderr);
                        goto fail;
                }
+               /* Attempt to clear the user's keys from the keyring,
+                   to prevent root from mounting without the user's key.
+                   This is a best-effort basis, so we'll just print messages
+                   on error. */
+               if (sig != NULL) {
+                       rc = ecryptfs_remove_auth_tok_from_keyring(sig);
+                       if (rc != 0 && rc != ENOKEY)
+                               fputs("Could not remove key from keyring, try 
'ecryptfs-umount-private'\n", stderr);
+               }
+               if (sig_fnek != NULL) {
+                       rc = ecryptfs_remove_auth_tok_from_keyring(sig_fnek);
+                       if (rc != 0 && rc != ENOKEY)
+                               fputs("Could not remove key from keyring, try 
'ecryptfs-umount-private'\n", stderr);
+               }
                /* Unmounting, so exit if not mounted */
-               if (ecryptfs_private_is_mounted(dev, mnt, sig, mounting) == 0) {
+               if (ecryptfs_private_is_mounted(src, dest, sig, mounting) == 0) 
{
                        goto fail;
                }
                /* The key is not needed for unmounting, so we set res=0.
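Review bot: `sig` can now be NULL on the unmount path (the earlier hunk only fails on a missing signature when mounting), yet it is still passed to `ecryptfs_private_is_mounted(src, dest, sig, mounting)` right after the key-removal block. Whether that function tolerates a NULL signature is not visible here, so confirm it or record it at the call, e.g. `/* sig may be NULL when unmounting; is_mounted must not dereference it */`. The `rc != ENOKEY` tests also assume `ecryptfs_remove_auth_tok_from_keyring()` returns a positive errno value; if it returns negative codes the warning prints on every unmount where the key is already gone. main begins and ends outside this hunk.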
@@ -492,7 +566,7 @@
                 * Do not use the umount.ecryptfs helper (-i).
                 */
                setresuid(0,0,0);
-               execl("/bin/umount", "umount", "-i", "-l", mnt, NULL);
+               execl("/bin/umount", "umount", "-i", "-l", dest, NULL);
                perror("execl unmount failed");
                goto fail;
        }


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


