commit ecryptfs-utils for openSUSE:12.2

2012-07-12 Thread h_root 
Hello community,

here is the log from the commit of package ecryptfs-utils for openSUSE:12.2 
checked in at 2012-07-12 14:46:55

Comparing /work/SRC/openSUSE:12.2/ecryptfs-utils (Old)
 and  /work/SRC/openSUSE:12.2/.ecryptfs-utils.new (New)


Package is ecryptfs-utils, Maintainer is meiss...@suse.com

Changes:

--- /work/SRC/openSUSE:12.2/ecryptfs-utils/ecryptfs-utils.changes   
2012-07-06 09:37:07.0 +0200
+++ /work/SRC/openSUSE:12.2/.ecryptfs-utils.new/ecryptfs-utils.changes  
2012-07-12 14:46:56.0 +0200
@@ -1,0 +2,12 @@
+Wed Jul 11 11:48:24 UTC 2012 - meiss...@suse.com
+
+- also supply MS_NODEV to avoid exposing device files
+  if someone got them on the encrypted media.
+
+---
+Tue Jul 10 14:03:27 UTC 2012 - meiss...@suse.com
+
+- point the desktop link to the right .desktop file
+- build mount.ecryptfs_private with -pie/-fpie
+
+---

New:

  ecryptfs-correct-desktop.patch



Other differences:
--
++ ecryptfs-utils.spec ++
--- /var/tmp/diff_new_pack.GBvxMN/_old  2012-07-12 14:46:56.0 +0200
+++ /var/tmp/diff_new_pack.GBvxMN/_new  2012-07-12 14:46:56.0 +0200
@@ -27,6 +27,7 @@
 Source1:baselibs.conf
 Patch0: ecryptfs-setup-swap-SuSE.patch
 Patch1: ecryptfs-utils.security.patch
+Patch2: ecryptfs-correct-desktop.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gtk2-devel
 BuildRequires:  intltool
@@ -52,6 +53,7 @@
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 export RPM_OPT_FLAGS=$RPM_OPT_FLAGS -fno-strict-aliasing

++ ecryptfs-correct-desktop.patch ++
Index: ecryptfs-utils-96/src/utils/ecryptfs-setup-private
===
--- ecryptfs-utils-96.orig/src/utils/ecryptfs-setup-private
+++ ecryptfs-utils-96/src/utils/ecryptfs-setup-private
@@ -340,7 +340,7 @@ echo
 mkdir -m 700 -p $CRYPTDIR || error $(gettext 'Could not create crypt 
directory') [$CRYPTDIR]
 mkdir -m 700 -p $MOUNTPOINT || error $(gettext 'Could not create mount 
directory') [$MOUNTPOINT]
 ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt 
$MOUNTPOINT/README.txt
-ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop 
$MOUNTPOINT/Access-Your-Private-Data.desktop
+ln -sf /usr/share/applications/ecryptfs-mount-private.desktop 
$MOUNTPOINT/Access-Your-Private-Data.desktop
 chmod 500 $MOUNTPOINT
 
 # Setup ~/.ecryptfs directory
++ ecryptfs-utils.security.patch ++
--- /var/tmp/diff_new_pack.GBvxMN/_old  2012-07-12 14:46:56.0 +0200
+++ /var/tmp/diff_new_pack.GBvxMN/_new  2012-07-12 14:46:56.0 +0200
@@ -256,7 +256,7 @@
}
/* Perform mount */
 -  if (mount(src, ., FSTYPE, 0, opt) == 0) {
-+  if (mount(src, ., FSTYPE, MS_NOSUID, opt) == 0) {
++  if (mount(src, ., FSTYPE, MS_NOSUID|MS_NODEV, opt) == 0) {
if (update_mtab(src, dest, opt) != 0) {
goto fail;
}
@@ -268,3 +268,17 @@
  
/* Since we're doing a lazy unmount anyway, just unmount the 
current
 * directory. This avoids a lot of complexity in dealing with 
race
+Index: ecryptfs-utils-96/src/utils/Makefile.am
+===
+--- ecryptfs-utils-96.orig/src/utils/Makefile.am
 ecryptfs-utils-96/src/utils/Makefile.am
+@@ -58,7 +58,9 @@ ecryptfs_generate_tpm_key_CFLAGS = $(AM_
+ ecryptfs_generate_tpm_key_LDADD = $(TSPI_LIBS)
+ 
+ mount_ecryptfs_private_SOURCES = mount.ecryptfs_private.c
++mount_ecryptfs_private_CFLAGS = $(AM_CFLAGS) -fpie
+ mount_ecryptfs_private_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la 
$(KEYUTILS_LIBS)
++mount_ecryptfs_private_LDFLAGS = -pie
+ 
+ ecryptfs_stat_SOURCES = ecryptfs-stat.c
+ ecryptfs_stat_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org

commit ecryptfs-utils for openSUSE:12.2

2012-07-06 Thread h_root 
Hello community,

here is the log from the commit of package ecryptfs-utils for openSUSE:12.2 
checked in at 2012-07-06 09:37:06

Comparing /work/SRC/openSUSE:12.2/ecryptfs-utils (Old)
 and  /work/SRC/openSUSE:12.2/.ecryptfs-utils.new (New)


Package is ecryptfs-utils, Maintainer is meiss...@suse.com

Changes:

--- /work/SRC/openSUSE:12.2/ecryptfs-utils/ecryptfs-utils.changes   
2012-06-25 15:18:11.0 +0200
+++ /work/SRC/openSUSE:12.2/.ecryptfs-utils.new/ecryptfs-utils.changes  
2012-07-06 09:37:07.0 +0200
@@ -1,0 +2,11 @@
+Wed Jul  4 11:08:11 UTC 2012 - meiss...@suse.com
+
+- hook pam_ecryptfs into pam session and auth bnc#755475
+
+---
+Thu Jun 21 06:19:46 UTC 2012 - meiss...@suse.com
+
+- added security improvements to mount.ecryptfs_private
+  and pam_ecryptfs (bnc#740110)
+
+---

New:

  ecryptfs-utils.security.patch



Other differences:
--
++ ecryptfs-utils.spec ++
--- /var/tmp/diff_new_pack.JTddiR/_old  2012-07-06 09:37:07.0 +0200
+++ /var/tmp/diff_new_pack.JTddiR/_new  2012-07-06 09:37:07.0 +0200
@@ -26,6 +26,7 @@
 Source0:
http://launchpad.net/ecryptfs/trunk/%version/+download/ecryptfs-utils_%version.orig.tar.gz
 Source1:baselibs.conf
 Patch0: ecryptfs-setup-swap-SuSE.patch
+Patch1: ecryptfs-utils.security.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gtk2-devel
 BuildRequires:  intltool
@@ -35,12 +36,14 @@
 BuildRequires:  libtool
 BuildRequires:  mozilla-nss-devel
 BuildRequires:  openssl-devel
+BuildRequires:  pam-config
 BuildRequires:  pam-devel
 BuildRequires:  pkcs11-helper-devel
 BuildRequires:  python-devel
 BuildRequires:  swig
 BuildRequires:  trousers-devel
 BuildRequires:  update-desktop-files
+Requires(pre):  pam-config
 
 %description
 A stacked cryptographic filesystem for Linux.
@@ -48,6 +51,7 @@
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 %build
 export RPM_OPT_FLAGS=$RPM_OPT_FLAGS -fno-strict-aliasing
@@ -77,8 +81,11 @@
 %post
 /sbin/ldconfig
 %set_permissions /sbin/mount.ecryptfs_private
+/usr/sbin/pam-config -a --ecryptfs
 
-%postun -p /sbin/ldconfig
+%postun
+/sbin/ldconfig
+/usr/sbin/pam-config -d --ecryptfs
 
 %files -f %{name}.lang
 %defattr(-, root, root)

++ ecryptfs-utils.security.patch ++
Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
===
--- ecryptfs-utils-96.orig/src/pam_ecryptfs/pam_ecryptfs.c
+++ ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
@@ -32,13 +32,17 @@
 #include unistd.h
 #include errno.h
 #include syslog.h
+#include limits.h
 #include pwd.h
 #include sys/types.h
 #include sys/wait.h
 #include sys/types.h
 #include sys/stat.h
+#include sys/fsuid.h
+#include grp.h
 #include fcntl.h
 #include security/pam_modules.h
+#include security/pam_ext.h
 #include ../include/ecryptfs.h
 
 #define PRIVATE_DIR Private
@@ -119,9 +123,11 @@ static int wrap_passphrase_if_necessary(
 PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
   const char **argv)
 {
-   uid_t uid = 0;
+   uid_t uid = 0, oeuid = 0;
+   long ngroups_max = sysconf(_SC_NGROUPS_MAX);
+   gid_t gid = 0, oegid = 0, groups[ngroups_max+1];
+   int ngids = 0;
char *homedir = NULL;
-   uid_t saved_uid = 0;
const char *username;
char *passphrase = NULL;
char salt[ECRYPTFS_SALT_SIZE];
@@ -139,12 +145,25 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
pwd = getpwnam(username);
if (pwd) {
uid = pwd-pw_uid;
+   gid = pwd-pw_gid;
homedir = pwd-pw_dir;
}
} else {
syslog(LOG_ERR, pam_ecryptfs: Error getting passwd info for 
user [%s]; rc = [%ld]\n, username, rc);
goto out;
}
+
+   if ((oeuid = geteuid())  0 || (oegid = getegid())  0 ||
+   (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups))  0) {
+   syslog(LOG_ERR, pam_ecryptfs: geteuid error);
+   goto outnouid;
+   }
+
+   if (setegid(gid)  0 || setgroups(1, gid)  0 || seteuid(uid)  0) {
+   syslog(LOG_ERR, pam_ecryptfs: seteuid error);
+   goto out;
+   }
+
if (!file_exists_dotecryptfs(homedir, auto-mount))
goto out;
private_mnt = ecryptfs_fetch_private_mnt(homedir);
@@ -158,13 +177,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
   load ecryptfs module if not loaded already */
if (ecryptfs_get_version(version)