Hello community,
here is the log from the commit of package ecryptfs-utils for openSUSE:12.2
checked in at 2012-07-06 09:37:06
Comparing /work/SRC/openSUSE:12.2/ecryptfs-utils (Old)
and /work/SRC/openSUSE:12.2/.ecryptfs-utils.new (New)
Package is ecryptfs-utils, Maintainer is meiss...@suse.com
Changes:
--- /work/SRC/openSUSE:12.2/ecryptfs-utils/ecryptfs-utils.changes
2012-06-25 15:18:11.0 +0200
+++ /work/SRC/openSUSE:12.2/.ecryptfs-utils.new/ecryptfs-utils.changes
2012-07-06 09:37:07.0 +0200
@@ -1,0 +2,11 @@
+Wed Jul 4 11:08:11 UTC 2012 - meiss...@suse.com
+
+- hook pam_ecryptfs into pam session and auth bnc#755475
+
+---
+Thu Jun 21 06:19:46 UTC 2012 - meiss...@suse.com
+
+- added security improvements to mount.ecryptfs_private
+ and pam_ecryptfs (bnc#740110)
+
+---
New:
ecryptfs-utils.security.patch
Other differences:
--
++ ecryptfs-utils.spec ++
--- /var/tmp/diff_new_pack.JTddiR/_old 2012-07-06 09:37:07.0 +0200
+++ /var/tmp/diff_new_pack.JTddiR/_new 2012-07-06 09:37:07.0 +0200
@@ -26,6 +26,7 @@
Source0:
http://launchpad.net/ecryptfs/trunk/%version/+download/ecryptfs-utils_%version.orig.tar.gz
Source1:baselibs.conf
Patch0: ecryptfs-setup-swap-SuSE.patch
+Patch1: ecryptfs-utils.security.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: gtk2-devel
BuildRequires: intltool
@@ -35,12 +36,14 @@
BuildRequires: libtool
BuildRequires: mozilla-nss-devel
BuildRequires: openssl-devel
+BuildRequires: pam-config
BuildRequires: pam-devel
BuildRequires: pkcs11-helper-devel
BuildRequires: python-devel
BuildRequires: swig
BuildRequires: trousers-devel
BuildRequires: update-desktop-files
+Requires(pre): pam-config
%description
A stacked cryptographic filesystem for Linux.
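Review bot: `Requires(pre): pam-config` names the wrong scriptlet: pam-config is invoked from %post and %postun in this spec, so the accurate tags are `Requires(post): pam-config` and `Requires(postun): pam-config`. Requires(pre) only orders pam-config ahead of this package's installation; as far as I can tell it does not keep pam-config from being erased earlier in the same transaction that runs this package's %postun, in which case the `/usr/sbin/pam-config -d --ecryptfs` call there would fail and leave stale PAM entries behind.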
@@ -48,6 +51,7 @@
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
%build
export RPM_OPT_FLAGS=$RPM_OPT_FLAGS -fno-strict-aliasing
@@ -77,8 +81,11 @@
%post
/sbin/ldconfig
%set_permissions /sbin/mount.ecryptfs_private
+/usr/sbin/pam-config -a --ecryptfs
-%postun -p /sbin/ldconfig
+%postun
+/sbin/ldconfig
+/usr/sbin/pam-config -d --ecryptfs
%files -f %{name}.lang
%defattr(-, root, root)
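Review bot: `/usr/sbin/pam-config -d --ecryptfs` in %postun runs unconditionally, so on a package upgrade, where rpm runs the new version's %post and then the old version's %postun with `$1` equal to 1, the PAM entries just added by %post are removed again and pam_ecryptfs silently stops being used. Guard the removal so it only runs on a real erase: `if [ "$1" -eq 0 ]; then /usr/sbin/pam-config -d --ecryptfs; fi`. The `-a` in %post needs no such guard, presuming pam-config -a is idempotent as it is for the other openSUSE PAM modules.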
++ ecryptfs-utils.security.patch ++
Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
===
--- ecryptfs-utils-96.orig/src/pam_ecryptfs/pam_ecryptfs.c
+++ ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
@@ -32,13 +32,17 @@
#include unistd.h
#include errno.h
#include syslog.h
+#include limits.h
#include pwd.h
#include sys/types.h
#include sys/wait.h
#include sys/types.h
#include sys/stat.h
+#include sys/fsuid.h
+#include grp.h
#include fcntl.h
#include security/pam_modules.h
+#include security/pam_ext.h
#include ../include/ecryptfs.h
#define PRIVATE_DIR Private
@@ -119,9 +123,11 @@ static int wrap_passphrase_if_necessary(
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
- uid_t uid = 0;
+ uid_t uid = 0, oeuid = 0;
+ long ngroups_max = sysconf(_SC_NGROUPS_MAX);
+ gid_t gid = 0, oegid = 0, groups[ngroups_max+1];
+ int ngids = 0;
char *homedir = NULL;
- uid_t saved_uid = 0;
const char *username;
char *passphrase = NULL;
char salt[ECRYPTFS_SALT_SIZE];
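Review bot: `groups[ngroups_max+1]` is a variable-length array whose size comes straight from `sysconf(_SC_NGROUPS_MAX)`, which returns -1 on failure; that would declare a zero-length VLA, which is undefined behavior, and make the later `sizeof(groups)/sizeof(gid_t)` zero. Validate the value before the array is declared, for example `if (ngroups_max < 0 || ngroups_max > NGROUPS_MAX) ngroups_max = NGROUPS_MAX;` using the `NGROUPS_MAX` constant from the newly included `<limits.h>`, and then `gid_t gid = 0, oegid = 0, groups[ngroups_max + 1];` as a separate declaration. Note also that a PAM module runs on the stack of whatever service loads it, and on recent Linux kernels NGROUPS_MAX is 65536, so this VLA is on the order of a quarter megabyte of stack in that context; a heap buffer sized from `getgroups(0, NULL)` would be safer. pam_sm_authenticate's body continues past the end of this hunk.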
@@ -139,12 +145,25 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
pwd = getpwnam(username);
if (pwd) {
uid = pwd-pw_uid;
+ gid = pwd-pw_gid;
homedir = pwd-pw_dir;
}
} else {
syslog(LOG_ERR, pam_ecryptfs: Error getting passwd info for
user [%s]; rc = [%ld]\n, username, rc);
goto out;
}
+
+ if ((oeuid = geteuid()) 0 || (oegid = getegid()) 0 ||
+ (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) 0) {
+ syslog(LOG_ERR, pam_ecryptfs: geteuid error);
+ goto outnouid;
+ }
+
+ if (setegid(gid) 0 || setgroups(1, gid) 0 || seteuid(uid) 0) {
+ syslog(LOG_ERR, pam_ecryptfs: seteuid error);
+ goto out;
+ }
+
if (!file_exists_dotecryptfs(homedir, auto-mount))
goto out;
private_mnt = ecryptfs_fetch_private_mnt(homedir);
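Review bot: The new privilege drop is silently skipped when the user has no passwd entry: if `getpwnam()` returns NULL the code falls through with `uid` and `gid` both still 0 and `homedir` NULL, so `setegid(0)`/`seteuid(0)` keep root and `file_exists_dotecryptfs(NULL, ...)` runs with full privileges. Add `if (!pwd) { syslog(LOG_ERR, "pam_ecryptfs: no passwd entry for user [%s]", username); goto outnouid; }` directly after the `getpwnam()` call, before the ids are saved. The `geteuid()`/`getegid()` comparisons against 0 in the first new `if` are dead code: POSIX specifies that both calls always succeed, and with glibc's unsigned `uid_t`/`gid_t` the comparison can never be true, so only the `getgroups()` result needs checking. Also, if the `out` label now restores the saved ids (the label is outside this hunk), the pre-existing `goto out` on the passwd-lookup error path reaches it with `ngids == 0` and would call `setgroups(0, ...)`; it should probably become `goto outnouid` as well. The enclosing function starts in a previous hunk and continues past this one.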
@@ -158,13 +177,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
load ecryptfs module if not loaded already */
if (ecryptfs_get_version(version)