Hello community, here is the log from the commit of package ecryptfs-utils for openSUSE:Factory checked in at Wed Sep 21 17:03:32 CEST 2011. -------- --- ecryptfs-utils/ecryptfs-utils.changes 2011-08-11 17:27:36.000000000 +0200 +++ /mounts/work_src_done/STABLE/ecryptfs-utils/ecryptfs-utils.changes 2011-09-20 15:33:30.000000000 +0200 @@ -1,0 +2,15 @@ +Tue Sep 20 15:32:22 CEST 2011 - meissner@suse.de + +- Updated to 92 + * Fix umask issue introduced by last security update + * some bugfixes + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Remove redundant/obsolete tags/sections from specfile + (cf. packaging guidelines) +- Put make call in the right spot +- Use %_smp_mflags for parallel build + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- ecryptfs-utils_90.orig.tar.gz New: ---- ecryptfs-utils_92.orig.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ecryptfs-utils.spec ++++++ --- /var/tmp/diff_new_pack.td7d2Z/_old 2011-09-21 17:03:26.000000000 +0200 +++ /var/tmp/diff_new_pack.td7d2Z/_new 2011-09-21 17:03:26.000000000 +0200 @@ -15,16 +15,14 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild Name: ecryptfs-utils Url: https://launchpad.net/ecryptfs License: GPLv2+ Group: Productivity/Security -AutoReqProv: on Summary: Userspace Utilities for ecryptfs -Version: 90 +Version: 92 Release: 1 Source0: http://launchpad.net/ecryptfs/trunk/%version/+download/ecryptfs-utils_%versi... Source1: baselibs.conf 
@@ -35,16 +33,6 @@ %description A stacked cryptographic filesystem for Linux. - - -Authors: --------- - Mike Halcrow designed and implemented eCryptfs, which is a fork from - Cryptfs. Erez Zadok, along with the fileystem research lab at Stony - Brook University, designed and implemented Cryptfs. Michael - C. Thompson has contributed a substantial amount of code to the - project. - %prep %setup -q @@ -57,9 +45,9 @@ --enable-tspi \ --enable-pkcs11-helper \ --with-pamdir=/%_lib/security +make %{?_smp_mflags} %check -make make check %install @@ -70,9 +58,6 @@ %suse_update_desktop_file ecryptfs-setup-private %find_lang %{name} -%clean -rm -rf $RPM_BUILD_ROOT - %post -p /sbin/ldconfig %postun -p /sbin/ldconfig ++++++ ecryptfs-utils_90.orig.tar.gz -> ecryptfs-utils_92.orig.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/Makefile.in new/ecryptfs-utils-92/Makefile.in --- old/ecryptfs-utils-90/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/Makefile.in 2011-09-01 23:23:43.000000000 +0200 @@ -217,6 +217,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/configure new/ecryptfs-utils-92/configure --- old/ecryptfs-utils-90/configure 2011-08-10 15:36:28.000000000 +0200 +++ new/ecryptfs-utils-92/configure 2011-09-01 23:23:41.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for ecryptfs-utils 90. +# Generated by GNU Autoconf 2.68 for ecryptfs-utils 92. # # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 
@@ -567,8 +567,8 @@ # Identity of this package. PACKAGE_NAME='ecryptfs-utils' PACKAGE_TARNAME='ecryptfs-utils' -PACKAGE_VERSION='90' -PACKAGE_STRING='ecryptfs-utils 90' +PACKAGE_VERSION='92' +PACKAGE_STRING='ecryptfs-utils 92' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -695,6 +695,8 @@ TSPI_CFLAGS PKCS11_HELPER_LIBS PKCS11_HELPER_CFLAGS +NSS_LIBS +NSS_CFLAGS OPENSSL_LIBS OPENSSL_CFLAGS KEYUTILS_LIBS @@ -885,6 +887,8 @@ KEYUTILS_LIBS OPENSSL_CFLAGS OPENSSL_LIBS +NSS_CFLAGS +NSS_LIBS PKCS11_HELPER_CFLAGS PKCS11_HELPER_LIBS TSPI_CFLAGS @@ -1435,7 +1439,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ecryptfs-utils 90 to adapt to many kinds of systems. +\`configure' configures ecryptfs-utils 92 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1506,7 +1510,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ecryptfs-utils 90:";; + short | recursive ) echo "Configuration of ecryptfs-utils 92:";; esac cat <<\_ACEOF @@ -1576,6 +1580,8 @@ C compiler flags for OPENSSL, overriding pkg-config OPENSSL_LIBS linker flags for OPENSSL, overriding pkg-config + NSS_CFLAGS C compiler flags for NSS, overriding pkg-config + NSS_LIBS linker flags for NSS, overriding pkg-config PKCS11_HELPER_CFLAGS C compiler flags for PKCS11_HELPER, overriding pkg-config PKCS11_HELPER_LIBS @@ -1651,7 +1657,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ecryptfs-utils configure 90 +ecryptfs-utils configure 92 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. 
@@ -2016,7 +2022,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ecryptfs-utils $as_me 90, which was +It was created by ecryptfs-utils $as_me 92, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ 
@@ -14146,15 +14152,77 @@ fi #Verify nss -NSS_LIBS=`nss-config --libs` -if test "x${NSS_LIBS}" != "x" ; then - NSS_CFLAGS=`nss-config --cflags` - NSPR_CFLAGS=`nspr-config --cflags` - NSS_CFLAGS="${NSS_CFLAGS} -DENABLE_NSS ${NSPR_CFLAGS}" - have_nss="yes" + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5 +$as_echo_n "checking for NSS... " >&6; } + +if test -n "$NSS_CFLAGS"; then + pkg_cv_NSS_CFLAGS="$NSS_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss\""; } >&5 + ($PKG_CONFIG --exists --print-errors "nss") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes else - NSS_CFLAGS="" - have_nss="no" + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$NSS_LIBS"; then + pkg_cv_NSS_LIBS="$NSS_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss\""; } >&5 + ($PKG_CONFIG --exists --print-errors "nss") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss" 2>/dev/null` + test "x$?" 
!= "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "nss" 2>&1` + else + NSS_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "nss" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$NSS_PKG_ERRORS" >&5 + + have_nss="no" +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + have_nss="no" +else + NSS_CFLAGS=$pkg_cv_NSS_CFLAGS + NSS_LIBS=$pkg_cv_NSS_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + have_nss="yes" + NSS_CFLAGS="${NSS_CFLAGS} -DENABLE_NSS" fi if test "${enable_nss}" = "detect" ; then @@ -16646,7 +16714,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ecryptfs-utils $as_me 90, which was +This file was extended by ecryptfs-utils $as_me 92, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -16712,7 +16780,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ecryptfs-utils config.status 90 +ecryptfs-utils config.status 92 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/configure.ac new/ecryptfs-utils-92/configure.ac --- old/ecryptfs-utils-90/configure.ac 2011-07-20 00:18:53.000000000 +0200 +++ new/ecryptfs-utils-92/configure.ac 2011-08-31 23:45:45.000000000 +0200 @@ -10,7 +10,7 @@ AC_PREREQ(2.59) -AC_INIT([ecryptfs-utils],[90]) +AC_INIT([ecryptfs-utils],[92]) AC_CANONICAL_HOST AC_CANONICAL_TARGET AM_INIT_AUTOMAKE([${PACKAGE_NAME}], [${PACKAGE_VERSION}]) @@ -228,16 +228,12 @@ fi #Verify nss -NSS_LIBS=`nss-config --libs` -if test "x${NSS_LIBS}" != "x" ; then - NSS_CFLAGS=`nss-config --cflags` - NSPR_CFLAGS=`nspr-config --cflags` - NSS_CFLAGS="${NSS_CFLAGS} -DENABLE_NSS ${NSPR_CFLAGS}" - have_nss="yes" -else - NSS_CFLAGS="" - have_nss="no" -fi +PKG_CHECK_MODULES( + [NSS], + [nss], + [have_nss="yes" + NSS_CFLAGS="${NSS_CFLAGS} -DENABLE_NSS"], + [have_nss="no"]) if test "${enable_nss}" = "detect" ; then if test "$have_nss" == "yes" ; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/doc/Makefile.in new/ecryptfs-utils-92/doc/Makefile.in --- old/ecryptfs-utils-90/doc/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/doc/Makefile.in 2011-09-01 23:23:42.000000000 +0200 
@@ -203,6 +203,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/doc/manpage/Makefile.in new/ecryptfs-utils-92/doc/manpage/Makefile.in --- old/ecryptfs-utils-90/doc/manpage/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/doc/manpage/Makefile.in 2011-09-01 23:23:42.000000000 +0200 @@ -166,6 +166,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/Makefile.in new/ecryptfs-utils-92/src/Makefile.in --- old/ecryptfs-utils-90/src/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/src/Makefile.in 2011-09-01 23:23:42.000000000 +0200 @@ -177,6 +177,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/daemon/Makefile.in new/ecryptfs-utils-92/src/daemon/Makefile.in --- old/ecryptfs-utils-90/src/daemon/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/src/daemon/Makefile.in 2011-09-01 23:23:42.000000000 +0200 
@@ -155,6 +155,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/desktop/Makefile.in new/ecryptfs-utils-92/src/desktop/Makefile.in --- old/ecryptfs-utils-90/src/desktop/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/src/desktop/Makefile.in 2011-09-01 23:23:42.000000000 +0200 @@ -158,6 +158,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/include/Makefile.in new/ecryptfs-utils-92/src/include/Makefile.in --- old/ecryptfs-utils-90/src/include/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/src/include/Makefile.in 2011-09-01 23:23:42.000000000 +0200 @@ -154,6 +154,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/key_mod/Makefile.in new/ecryptfs-utils-92/src/key_mod/Makefile.in --- old/ecryptfs-utils-90/src/key_mod/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/src/key_mod/Makefile.in 2011-09-01 23:23:42.000000000 +0200 
@@ -232,6 +232,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/libecryptfs/Makefile.in new/ecryptfs-utils-92/src/libecryptfs/Makefile.in --- old/ecryptfs-utils-90/src/libecryptfs/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/src/libecryptfs/Makefile.in 2011-09-01 23:23:43.000000000 +0200 @@ -185,6 +185,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/libecryptfs/key_management.c new/ecryptfs-utils-92/src/libecryptfs/key_management.c --- old/ecryptfs-utils-90/src/libecryptfs/key_management.c 2011-05-24 16:38:56.000000000 +0200 +++ new/ecryptfs-utils-92/src/libecryptfs/key_management.c 2011-09-01 21:54:07.000000000 +0200 @@ -571,7 +571,7 @@ { char decrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1] ; uint32_t version; - int rc; + int rc = 0; if ((rc = ecryptfs_unwrap_passphrase(decrypted_passphrase, filename, wrapping_passphrase, salt))) { @@ -592,7 +592,6 @@ syslog(LOG_ERR, "Error attempting to add filename encryption key to " "user session keyring; rc = [%d]\n", rc); - goto out; } } if ((rc = ecryptfs_add_passphrase_key_to_keyring(auth_tok_sig, 
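Review bot: In src/libecryptfs/key_management.c (hunk at -592), removing `goto out;` means the failure to add the filename encryption key is logged but then lost, because `rc` is overwritten by the `rc = ecryptfs_add_passphrase_key_to_keyring(...)` assignment that follows. A caller appears to get 0 even though only one of the two keys reached the keyring. If continuing is deliberate, say so at the branch with a comment such as `/* best effort: a missing filename key must not block the passphrase key */`. Otherwise keep the first error in a separate variable and return it when the second call succeeds. The function starts outside the hunk.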
@@ -600,8 +599,7 @@ salt)) != 0) { syslog(LOG_ERR, "Error attempting to add passphrase key to " "user session keyring; rc = [%d]\n", rc); - } else - rc = 0; + } out: return rc; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/libecryptfs-swig/Makefile.in new/ecryptfs-utils-92/src/libecryptfs-swig/Makefile.in --- old/ecryptfs-utils-90/src/libecryptfs-swig/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/src/libecryptfs-swig/Makefile.in 2011-09-01 23:23:43.000000000 +0200 @@ -183,6 +183,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/pam_ecryptfs/Makefile.in new/ecryptfs-utils-92/src/pam_ecryptfs/Makefile.in --- old/ecryptfs-utils-90/src/pam_ecryptfs/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/src/pam_ecryptfs/Makefile.in 2011-09-01 23:23:43.000000000 +0200 @@ -176,6 +176,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c new/ecryptfs-utils-92/src/pam_ecryptfs/pam_ecryptfs.c --- old/ecryptfs-utils-90/src/pam_ecryptfs/pam_ecryptfs.c 2011-02-06 03:44:30.000000000 +0100 +++ new/ecryptfs-utils-92/src/pam_ecryptfs/pam_ecryptfs.c 2011-09-01 23:19:22.000000000 +0200 
@@ -45,25 +45,25 @@ static void error(const char *msg) { - syslog(LOG_ERR, "errno = [%i]; strerror = [%m]\n", errno); + syslog(LOG_ERR, "pam_ecryptfs: errno = [%i]; strerror = [%m]\n", errno); switch (errno) { case ENOKEY: - syslog(LOG_ERR, "%s: Requested key not available\n", msg); + syslog(LOG_ERR, "pam_ecryptfs: %s: Requested key not available\n", msg); return; case EKEYEXPIRED: - syslog(LOG_ERR, "%s: Key has expired\n", msg); + syslog(LOG_ERR, "pam_ecryptfs: %s: Key has expired\n", msg); return; case EKEYREVOKED: - syslog(LOG_ERR, "%s: Key has been revoked\n", msg); + syslog(LOG_ERR, "pam_ecryptfs: %s: Key has been revoked\n", msg); return; case EKEYREJECTED: - syslog(LOG_ERR, "%s: Key was rejected by service\n", msg); + syslog(LOG_ERR, "pam_ecryptfs: %s: Key was rejected by service\n", msg); return; default: - syslog(LOG_ERR, "%s: Unknown key error\n", msg); + syslog(LOG_ERR, "pam_ecryptfs: %s: Unknown key error\n", msg); return; } } @@ -95,7 +95,7 @@ rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username); if (rc == -1) { - syslog(LOG_ERR, "Unable to allocate memory\n"); + syslog(LOG_ERR, "pam_ecryptfs: Unable to allocate memory\n"); return -ENOMEM; } /* If /dev/shm/.ecryptfs-$USER exists and owned by the user @@ -109,7 +109,7 @@ setuid(uid); rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename); if (rc != 0) { - syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc); + syslog(LOG_ERR, "pam_ecryptfs: Error wrapping cleartext password; " "rc = [%d]\n", rc); } return rc; } 
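Review bot: In src/pam_ecryptfs/pam_ecryptfs.c (hunk at -109), `setuid(uid)` is called without checking its result, so if the drop fails `ecryptfs_wrap_passphrase_file` runs on the per-user paths with whatever privileges the PAM host process has. The commit rewrites the log line directly below but leaves the call unchecked; the forked child in the hunk at -189 opens with the same unchecked call. A guard such as `if (setuid(uid) != 0) { syslog(LOG_ERR, "pam_ecryptfs: setuid failed\n"); return -EPERM; }` would stop the wrap from running unprivileged-in-name-only. The function is only partly visible, so confirm the return convention against its callers.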
@@ -132,29 +132,24 @@ long rc; uint32_t version; - syslog(LOG_INFO, "%s: Called\n", __FUNCTION__); rc = pam_get_user(pamh, &username, NULL); if (rc == PAM_SUCCESS) { struct passwd *pwd; - syslog(LOG_INFO, "%s: username = [%s]\n", __FUNCTION__, - username); pwd = getpwnam(username); if (pwd) { uid = pwd->pw_uid; homedir = pwd->pw_dir; } } else { - syslog(LOG_ERR, "Error getting passwd info for user [%s]; " - "rc = [%ld]\n", username, rc); + syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); goto out; } if (!file_exists_dotecryptfs(homedir, "auto-mount")) goto out; private_mnt = ecryptfs_fetch_private_mnt(homedir); if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) { - syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__, - homedir); + syslog(LOG_DEBUG, "pam_ecryptfs: %s: %s is already mounted\n", __FUNCTION__, homedir); /* If private/home is already mounted, then we can skip costly loading of keys */ goto out; @@ -162,7 +157,7 @@ /* we need side effect of this check: load ecryptfs module if not loaded already */ if (ecryptfs_get_version(&version) != 0) - syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n"); + syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n"); saved_uid = geteuid(); seteuid(uid); if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1) @@ -171,14 +166,14 @@ rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase); seteuid(saved_uid); if (rc != PAM_SUCCESS) { - syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n", + syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", rc); goto out; } auth_tok_sig = malloc(ECRYPTFS_SIG_SIZE_HEX + 1); if (!auth_tok_sig) { rc = -ENOMEM; - syslog(LOG_ERR, "Out of memory\n"); + syslog(LOG_ERR, "pam_ecryptfs: Out of memory\n"); goto out; } rc = ecryptfs_read_salt_hex_from_rc(salt_hex); 
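Review bot: When `getpwnam(username)` returns NULL (hunk at -132) there is no else branch, so `uid` and `homedir` keep whatever their declarations outside the hunk gave them. Both are then used, by `file_exists_dotecryptfs(homedir, "auto-mount")` here and by `seteuid(uid)` in the hunk at -162. An explicit exit, `if (!pwd) { syslog(LOG_ERR, "pam_ecryptfs: no passwd entry for user\n"); goto out; }`, would make the lookup failure visible and keep the later UID switch from acting on an unset value.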
@@ -189,13 +184,12 @@ if ((child_pid = fork()) == 0) { setuid(uid); if (passphrase == NULL) { - syslog(LOG_ERR, "NULL passphrase; aborting\n"); + syslog(LOG_ERR, "pam_ecryptfs: NULL passphrase; aborting\n"); rc = -EINVAL; goto out_child; } if ((rc = ecryptfs_validate_keyring())) { - syslog(LOG_WARNING, - "Cannot validate keyring integrity\n"); + syslog(LOG_WARNING, "pam_ecryptfs: Cannot validate keyring integrity\n"); } rc = 0; if ((argc == 1) @@ -209,12 +203,12 @@ homedir, ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME); if (rc == -1) { - syslog(LOG_ERR, "Unable to allocate memory\n"); + syslog(LOG_ERR, "pam_ecryptfs: Unable to allocate memory\n"); rc = -ENOMEM; goto out_child; } if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, passphrase, salt) == 0) { - syslog(LOG_INFO, "Passphrase file wrapped"); + syslog(LOG_DEBUG, "pam_ecryptfs: Passphrase file wrapped"); } else { goto out_child; } @@ -230,15 +224,12 @@ goto out_child; } if (rc) { - syslog(LOG_ERR, "Error adding passphrase key token to " - "user session keyring; rc = [%ld]\n", rc); + syslog(LOG_ERR, "pam_ecryptfs: Error adding passphrase key token to user session keyring; rc = [%ld]\n", rc); goto out_child; } if (fork() == 0) { if ((rc = ecryptfs_set_zombie_session_placeholder())) { - syslog(LOG_ERR, "Error attempting to create " - "and register zombie process; " - "rc = [%ld]\n", rc); + syslog(LOG_ERR, "pam_ecryptfs: Error attempting to create and register zombie process; rc = [%ld]\n", rc); } } out_child: @@ -247,8 +238,7 @@ } tmp_pid = waitpid(child_pid, NULL, 0); if (tmp_pid == -1) - syslog(LOG_WARNING, - "waitpid() returned with error condition\n"); + syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); out: if (private_mnt != NULL) free(private_mnt); 
@@ -269,14 +259,12 @@ rc = pam_get_user(pamh, &username, NULL); if (rc != PAM_SUCCESS || username == NULL) { - syslog(LOG_ERR, "Error getting passwd info for user [%s]; " - "rc = [%ld]\n", username, rc); + syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); return NULL; } pwd = getpwnam(username); if (pwd == NULL) { - syslog(LOG_ERR, "Error getting passwd info for user [%s]; " - "rc = [%ld]\n", username, rc); + syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); return NULL; } return pwd; @@ -309,13 +297,13 @@ if ( (asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0) || autofile == NULL) { - syslog(LOG_ERR, "Error allocating memory for autofile name"); + syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for autofile name"); return 1; } if ( (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir, PRIVATE_DIR) < 0) || sigfile == NULL) { - syslog(LOG_ERR, "Error allocating memory for sigfile name"); + syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for sigfile name"); return 1; } if (stat(sigfile, &s) != 0) { @@ -327,7 +315,7 @@ goto out; } if ((pid = fork()) < 0) { - syslog(LOG_ERR, "Error setting up private mount"); + syslog(LOG_ERR, "pam_ecryptfs: Error setting up private mount"); return 1; } if (pid == 0) { @@ -335,8 +323,7 @@ if ((asprintf(&recorded, "%s/.ecryptfs/.wrapped-passphrase.recorded", pwd->pw_dir) < 0) || recorded == NULL) { - syslog(LOG_ERR, - "Error allocating memory for recorded name"); + syslog(LOG_ERR, "pam_ecryptfs: Error allocating memory for recorded name"); return 1; } if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) { 
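Review bot: The first rewritten `syslog` call in the hunk at -269 is reached when `username == NULL` and still passes `username` to `%s`, which is undefined behaviour for a null pointer even though glibc prints `(null)`. Passing `username ? username : "(unknown)"` avoids it. The second message, on `pwd == NULL`, prints `rc` although it can only be `PAM_SUCCESS` at that point, so the logged code is misleading. The same `[%s]`/`username` pair is used on the `pam_get_user` failure paths in the hunks at -132 and -430, where `username` may not have been set.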
@@ -348,8 +335,7 @@ } if (stat(autofile, &s) != 0) { /* User does not want to auto-mount */ - syslog(LOG_INFO, - "Skipping automatic eCryptfs mount"); + syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount"); return 0; } /* run mount.ecryptfs_private as the user */ @@ -359,8 +345,7 @@ } else { if (stat(autofile, &s) != 0) { /* User does not want to auto-unmount */ - syslog(LOG_INFO, - "Skipping automatic eCryptfs unmount"); + syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount"); return 0; } /* run umount.ecryptfs_private as the user */ @@ -430,8 +415,7 @@ name = pwd->pw_name; } } else { - syslog(LOG_ERR, "Error getting passwd info for user [%s]; " - "rc = [%ld]\n", username, rc); + syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); goto out; } saved_uid = geteuid(); @@ -439,8 +423,7 @@ if ((rc = pam_get_item(pamh, PAM_OLDAUTHTOK, (const void **)&old_passphrase)) != PAM_SUCCESS) { - syslog(LOG_ERR, "Error retrieving old passphrase; rc = [%d]\n", - rc); + syslog(LOG_ERR, "pam_ecryptfs: Error retrieving old passphrase; rc = [%d]\n", rc); seteuid(saved_uid); goto out; } @@ -448,9 +431,7 @@ if ((flags & PAM_PRELIM_CHECK)) { if (!old_passphrase) { - syslog(LOG_WARNING, "eCryptfs PAM passphrase change " - "module retrieved a NULL passphrase; nothing to " - "do\n"); + syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved a NULL passphrase; nothing to do\n"); rc = PAM_AUTHTOK_RECOVER_ERR; } seteuid(saved_uid); 
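Review bot: In what appears to be one function, `rc` is printed with `%ld` in the hunk at -430 and with `%d` in the hunks at -439 and -459 (and again at -498), so at least one specifier cannot match the type `rc` is declared with outside these hunks. A mismatched printf-style specifier is undefined behaviour, and the commit rewrites every one of these calls without aligning them. Use the specifier that matches the declaration, or make the conversion explicit, e.g. `"... rc = [%ld]\n", (long)rc`.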
@@ -459,15 +440,14 @@ if ((rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&new_passphrase)) != PAM_SUCCESS) { - syslog(LOG_ERR, "Error retrieving new passphrase; rc = [%d]\n", - rc); + syslog(LOG_ERR, "pam_ecryptfs: Error retrieving new passphrase; rc = [%d]\n", rc); seteuid(saved_uid); goto out; } if ((rc = asprintf(&wrapped_pw_filename, "%s/.ecryptfs/%s", homedir, ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME)) == -1) { - syslog(LOG_ERR, "Unable to allocate memory\n"); + syslog(LOG_ERR, "pam_ecryptfs: Unable to allocate memory\n"); rc = -ENOMEM; goto out; } @@ -477,16 +457,14 @@ from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE); } if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, new_passphrase, salt) == 0) { - syslog(LOG_INFO, "Passphrase file wrapped"); + syslog(LOG_DEBUG, "pam_ecryptfs: Passphrase file wrapped"); } else { goto out; } seteuid(saved_uid); if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') { - syslog(LOG_WARNING, "eCryptfs PAM passphrase change module " - "retrieved at least one NULL passphrase; nothing to " - "do\n"); + syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n"); rc = PAM_AUTHTOK_RECOVER_ERR; goto out; } 
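Review bot: Two exits here jump to `out` without the `seteuid(saved_uid)` that the neighbouring error paths perform: the `asprintf` failure in the hunk at -459 (`rc = -ENOMEM; goto out;`) and the `else { goto out; }` after `wrap_passphrase_if_necessary` in the hunk at -477. If the effective UID was switched to the user earlier in the function (the switch itself is not in the visible hunks), the PAM host process returns with it still changed. Restoring first, `} else { seteuid(saved_uid); goto out; }`, closes that path. The `out:` label in the hunk at -498 sits after `free(wrapped_pw_filename)`, so the wrap-failure path also skips that free.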
@@ -498,23 +476,20 @@ if ((rc = ecryptfs_unwrap_passphrase(passphrase, wrapped_pw_filename, old_passphrase, salt))) { - syslog(LOG_ERR, "Error attempting to unwrap " - "passphrase; rc = [%d]\n", rc); + syslog(LOG_ERR, "pam_ecryptfs: Error attempting to unwrap passphrase; rc = [%d]\n", rc); goto out_child; } if ((rc = ecryptfs_wrap_passphrase(wrapped_pw_filename, new_passphrase, salt, passphrase))) { - syslog(LOG_ERR, "Error attempting to wrap passphrase; " - "rc = [%d]", rc); + syslog(LOG_ERR, "pam_ecryptfs: Error attempting to wrap passphrase; rc = [%d]", rc); goto out_child; } out_child: exit(0); } if ((tmp_pid = waitpid(child_pid, NULL, 0)) == -1) - syslog(LOG_WARNING, - "waitpid() returned with error condition\n"); + syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); free(wrapped_pw_filename); out: return rc; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/utils/Makefile.in new/ecryptfs-utils-92/src/utils/Makefile.in --- old/ecryptfs-utils-90/src/utils/Makefile.in 2011-08-10 15:36:29.000000000 +0200 +++ new/ecryptfs-utils-92/src/utils/Makefile.in 2011-09-01 23:23:43.000000000 +0200 @@ -280,6 +280,8 @@ MSGMERGE = @MSGMERGE@ NM = @NM@ NMEDIT = @NMEDIT@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c new/ecryptfs-utils-92/src/utils/mount.ecryptfs_private.c --- old/ecryptfs-utils-90/src/utils/mount.ecryptfs_private.c 2011-08-10 15:35:18.000000000 +0200 +++ new/ecryptfs-utils-92/src/utils/mount.ecryptfs_private.c 2011-08-31 23:41:34.000000000 +0200 
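Review bot: A failed re-wrap in the forked child of pam_ecryptfs.c (hunk at -498) never reaches the caller, because both error branches fall through to `out_child: exit(0);` and the parent calls `waitpid(child_pid, NULL, 0)`, discarding the status. A password change can therefore look successful to PAM while the wrapped passphrase is still protected by the old password, with the syslog line as the only trace. Exiting with `exit(rc != 0);` and reading the status in the parent with `WIFEXITED`/`WEXITSTATUS` would let the module decide what to return. The enclosing function starts outside the hunk.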
@@ -274,12 +274,14 @@ int fd; FILE *old_mtab, *new_mtab; struct mntent *old_ent, new_ent; + mode_t old_umask; /* Make an attempt to play nice with other mount helpers * by creating an /etc/mtab~ lock file. Of course this * only works if those other helpers actually check for * this. */ + old_umask = umask(033); fd = open("/etc/mtab~", O_RDONLY | O_CREAT | O_EXCL, 0644); if (fd < 0) { perror("open"); @@ -332,6 +334,8 @@ unlink("/etc/mtab~"); + umask(old_umask); + return 0; fail: @@ -341,6 +345,7 @@ fail_early: endmntent(old_mtab); unlink("/etc/mtab~"); + umask(old_umask); return 1; } @@ -476,7 +481,7 @@ * c) updating /etc/mtab */ int main(int argc, char *argv[]) { - int uid, mounting; + int uid, gid, mounting; int force = 0; struct passwd *pwd; char *alias, *src, *dest, *opt, *opts2; @@ -484,6 +489,7 @@ FILE *fh_counter = NULL; uid = getuid(); + gid = getgid(); /* Non-privileged effective uid is sufficient for all but the code * that mounts, unmounts, and updates /etc/mtab. * Run at a lower privilege until we need it. @@ -611,7 +617,14 @@ * the real uid to be that of the user. * And we need the effective uid to be root in order to mount. */ - setreuid(-1, 0); + if (setreuid(-1, 0) < 0) { + perror("setreuid"); + goto fail; + } + if (setregid(-1, 0) < 0) { + perror("setregid"); + goto fail; + } /* Perform mount */ if (mount(src, ".", FSTYPE, 0, opt) == 0) { if (update_mtab(src, dest, opt) != 0) { @@ -623,6 +636,9 @@ if (setreuid(uid, uid) < 0) { perror("setreuid"); } + if (setregid(gid, gid) < 0) { + perror("setregid"); + } goto fail; } } else { 
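Review bot: In src/utils/mount.ecryptfs_private.c the `umask(033)` set before creating `/etc/mtab~` is restored only at the `return 0` and `fail_early` exits touched by the hunks at -332 and -341. The `if (fd < 0)` branch after `open()` is cut off by the hunk at -274, and if it returns directly the process leaves with umask 033 still set. Add `umask(old_umask);` before that return so every exit is consistent. A one-line comment on the value, e.g. `/* 033: never create the lock file or the rewritten mtab group/other-writable */`, would spare the next reader the octal arithmetic.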
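Review bot: On the `update_mtab` failure path (hunk at -623) the user ID is given up before the group ID: `setreuid(uid, uid)` runs first and `setregid(gid, gid)` only after the process has stopped being root. This likely still succeeds because `gid` is the process's real group ID, but the conventional revocation order (CERT POS36-C) is group first, `setregid(gid, gid)` then `setreuid(uid, uid)`. Both failures are only reported with `perror` before `goto fail`, so the code after `fail:` (outside the hunk) can still run with root IDs if a drop did not take effect.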
@@ -658,6 +674,7 @@ * Do not use the umount.ecryptfs helper (-i). */ setresuid(0,0,0); + setresgid(0,0,0); /* Since we're doing a lazy unmount anyway, just unmount the current * directory. This avoids a lot of complexity in dealing with race ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
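Review bot: `setresgid(0,0,0)` is added without a return-value check, like the `setresuid(0,0,0)` before it, while the mount path in the same commit (hunk at -611) now checks `setreuid` and `setregid` and bails out. Checking both here keeps the unmount path from continuing with partly raised IDs, e.g. `if (setresuid(0,0,0) < 0 || setresgid(0,0,0) < 0) { perror("setresuid/setresgid"); goto fail; }`. This assumes the `fail` label is reachable from this branch; the rest of `main` is outside the hunk.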