Hello community,
here is the log from the commit of package ecryptfs-utils for openSUSE:Factory
checked in at Mon Jun 6 13:56:34 CEST 2011.
--------
--- ecryptfs-utils/ecryptfs-utils.changes 2010-04-10 17:40:48.000000000 +0200
+++ /mounts/work_src_done/STABLE/ecryptfs-utils/ecryptfs-utils.changes 2011-04-18 17:09:01.000000000 +0200
@@ -1,0 +2,58 @@
+Mon Apr 18 17:06:50 CEST 2011 - meissner@suse.de
+
+- Updated to 87
+ * src/utils/ecryptfs-setup-private: update the Private.* selinux
+ contexts
+ * src/utils/ecryptfs-setup-private:
+ - add -p to mkdir, address noise for a non-error
+ - must insert keys during testing phase, since we remove keys on
+ unmount now, LP: #725862
+ * src/utils/ecryptfs_rewrap_passphrase.c: confirm passphrases in
+ interactive mode, LP: #667331
+- Updated to 86
+ * src/pam_ecryptfs/pam_ecryptfs.c:
+ - check if this file exists and ask the user for the wrapping passphrase
+ if it does
+ - eliminate both ecryptfs_pam_wrapping_independent_set() and
+ ecryptfs_pam_automount_set() and replace with a reusable
+ file_exists_dotecryptfs() function
+ * src/utils/mount.ecryptfs_private.c:
+ - support multiple, user configurable private directories by way of
+ a command line "alias" argument
+ - this "alias" references a configuration file by the name of:
+ $HOME/.ecryptfs/alias.conf, which is in an fstab(5) format,
+ as well as $HOME/.ecryptfs/alias.sig, in the same format as
+ Private.sig
+ - if no argument specified, the utility operates in legacy mode,
+ defaulting to "Private"
+ - rename variables, s/dev/src/ and s/mnt/dest/
+ - add a read_config() function
+ - add an alias char* to replace the #defined ECRYPTFS_PRIVATE_DIR
+ - this is half of the fix to LP: #615657
+ * doc/manpage/mount.ecryptfs_private.1: document these changes
+ * src/libecryptfs/main.c, src/utils/mount.ecryptfs_private.c:
+ - allow umount.ecryptfs_private to succeed when the key is no
+ longer in user keyring.
+- Updated to 85
+ * src/utils/ecryptfs-recover-private: clean sigs of invalid characters
+ * src/utils/mount.ecryptfs_private.c:
+ - fix bug LP: #313812, clear used keys on unmount
+ - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from
+ umount.ecryptfs behave similarly
+ - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek
+ * src/utils/ecryptfs-migrate-home:
+ - support user databases outside of /etc/passwd, LP: #627506
+- Updated to 84
+ * src/desktop/ecryptfs-record-passphrase: fix typo, LP: #524139
+ * debian/rules, debian/control:
+ - disable the gpg key module, as it's not yet functional
+ - clean up unneeded build-deps
+ - also, not using opencryptoki either
+ * doc/manpage/ecryptfs.7: fix minor documentation bug, reported by
+ email by Jon 'maddog' Hall
+ * doc/manpage/ecryptfs-recover-private.1, doc/manpage/Makefile.am,
+ po/POTFILES.in, src/utils/ecryptfs-recover-private,
+ src/utils/Makefile.am: add a utility to simplify data recovery
+ of an encrypted private directory from a Live ISO, LP: #689969
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
ecryptfs-utils_83.orig.tar.gz
New:
----
ecryptfs-utils_87.orig.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ecryptfs-utils.spec ++++++
--- /var/tmp/diff_new_pack.iwioJt/_old 2011-06-06 13:55:48.000000000 +0200
+++ /var/tmp/diff_new_pack.iwioJt/_new 2011-06-06 13:55:48.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package ecryptfs-utils (Version 83)
+# spec file for package ecryptfs-utils
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,8 +24,8 @@
Group: Productivity/Security
AutoReqProv: on
Summary: Userspace Utilities for ecryptfs
-Version: 83
-Release: 2
+Version: 87
+Release: 1
Source0: http://launchpad.net/ecryptfs/trunk/%version/+download/ecryptfs-utils_%versi...
Source1: baselibs.conf
BuildRoot: %{_tmppath}/%{name}-%{version}-build
++++++ ecryptfs-utils_83.orig.tar.gz -> ecryptfs-utils_87.orig.tar.gz ++++++
++++ 4269 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/configure.ac new/ecryptfs-utils-87/configure.ac
--- old/ecryptfs-utils-83/configure.ac 2010-02-17 21:25:40.000000000 +0100
+++ new/ecryptfs-utils-87/configure.ac 2011-03-09 14:30:32.000000000 +0100
@@ -10,7 +10,7 @@
AC_PREREQ(2.59)
-AC_INIT([ecryptfs-utils],[83])
+AC_INIT([ecryptfs-utils],[87])
AC_CANONICAL_HOST
AC_CANONICAL_TARGET
AM_INIT_AUTOMAKE([${PACKAGE_NAME}], [${PACKAGE_VERSION}])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/doc/manpage/Makefile.am new/ecryptfs-utils-87/doc/manpage/Makefile.am
--- old/ecryptfs-utils-83/doc/manpage/Makefile.am 2009-10-20 20:49:55.000000000 +0200
+++ new/ecryptfs-utils-87/doc/manpage/Makefile.am 2011-03-09 14:30:32.000000000 +0100
@@ -18,6 +18,7 @@
ecryptfs-insert-wrapped-passphrase-into-keyring.1 \
ecryptfs-manager.8 \
ecryptfs-mount-private.1 \
+ ecryptfs-recover-private.1 \
ecryptfs-rewrap-passphrase.1 \
ecryptfs-rewrite-file.1 \
ecryptfs-setup-private.1 \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/doc/manpage/ecryptfs-recover-private.1 new/ecryptfs-utils-87/doc/manpage/ecryptfs-recover-private.1
--- old/ecryptfs-utils-83/doc/manpage/ecryptfs-recover-private.1 1970-01-01 01:00:00.000000000 +0100
+++ new/ecryptfs-utils-87/doc/manpage/ecryptfs-recover-private.1 2011-03-09 14:30:32.000000000 +0100
@@ -0,0 +1,31 @@
+.TH ecryptfs-recover-private 1 2010-12-17 ecryptfs-utils "eCryptfs"
+.SH NAME
+\fBecryptfs-recover-private\fP \- find and mount any encrypted private directories
+
+.SH SYNOPSIS
+\fBecryptfs-recover-private\fP [encrypted private dir]
+
+.SH DESCRIPTION
+This utility is intended to help eCryptfs recover data from their encrypted home or encrypted private partitions. It is useful to run this from a LiveISO or a recovery image. It must run under \fBsudo\fP(8) or with root permission, in order to search the filesystem and perform the mounts.
+
+The program can take a target encrypted directory on the command line. If unspecified, the utility will search the entire system looking for encrypted private directories, as configured by \fBecryptfs-setup-private\fP(1).
+
+If an encrypted directory and a \fIwrapped-passphrase\fP file are found, the user is prompted for the login (wrapping) passphrase, the keys are inserted into the keyring, and the data is decrypted and mounted.
+
+If no \fIwrapped-passphrase\fP file is found, the user will be prompted for their mount passphrase. This passphrase is typically 32 characters of [0-9a-f]. All users are prompted to urgently record this randomly generated passphrase when they first setup their encrypted private directory.
+
+The destination mount of the decrypted data is a temporary directory, in the form of \fI/tmp/ecryptfs.XXXXXXXX\fP.
+
+.SH SEE ALSO
+\fBecryptfs-setup-private\fP(1), \fBsudo\fP(8)
+
+\fIhttp://blog.dustinkirkland.com/2009/03/mounting-your-encrypted-home-from.html\fP
+
+.TP
+\fIhttp://launchpad.net/ecryptfs/\fP
+.PD
+
+.SH AUTHOR
+This manpage was written by Dustin Kirkland for Ubuntu systems (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
+
+On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/doc/manpage/ecryptfs.7 new/ecryptfs-utils-87/doc/manpage/ecryptfs.7
--- old/ecryptfs-utils-83/doc/manpage/ecryptfs.7 2009-10-20 20:49:55.000000000 +0200
+++ new/ecryptfs-utils-87/doc/manpage/ecryptfs.7 2011-03-09 14:30:32.000000000 +0100
@@ -64,7 +64,7 @@
.TP
.B passphrase_passwd=(passphrase)
-The actual password is password. Since the password is visible to utilities (like ps under Unix) this form should only be used where security is not important.
+The actual password is passphrase. Since the password is visible to utilities (like ps under Unix) this form should only be used where security is not important.
.TP
.B passphrase_passwd_file=(filename)
The password should be specified in a file with passwd=(passphrase). It is highly reccomended that the file be stored on a secure medium such as a personal usb key.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/doc/manpage/mount.ecryptfs_private.1 new/ecryptfs-utils-87/doc/manpage/mount.ecryptfs_private.1
--- old/ecryptfs-utils-83/doc/manpage/mount.ecryptfs_private.1 2009-10-20 20:49:55.000000000 +0200
+++ new/ecryptfs-utils-87/doc/manpage/mount.ecryptfs_private.1 2011-03-09 14:30:32.000000000 +0100
@@ -3,26 +3,36 @@
mount.ecryptfs_private \- eCryptfs private mount helper.
.SH SYNOPSIS
-\fBmount.ecryptfs_private\fP
+\fBmount.ecryptfs_private [ALIAS]\fP
\fBNOTE:\fP This program will \fBnot\fP dynamically load the relevant keys. For this reason, it is recommended that users use \fBecryptfs-mount-private\fP(1) instead!
.SH DESCRIPTION
-\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users, who are members of \fBecryptfs\fP group, to cryptographically mount a private directory, ~/Private.
+\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users, who are members of \fBecryptfs\fP group, to cryptographically mount a private directory, ~/Private by default.
-If, and only if:
- - the private mount passphrase is in their kernel keyring, and
- - the current user owns both ~/.Private and ~/Private, and
- - ~/Private is not already mounted, then
+This program optionally takes one argument, ALIAS. If ALIAS is omitted, the program will default to using "Private" using:
+ - $HOME/.Private as the SOURCE
+ - $HOME/Private as the DESTINATION
+ - $HOME/.ecryptfs/Private.sig for the key signatures.
+
+If ALIAS is specified, then the program will look for an \fBfstab\fP(5) style configuration in:
+ - $HOME/.ecryptfs/ALIAS.conf
+and for key signature(s) in:
+ - $HOME/.ecryptfs/ALIAS.sig
+
+The mounting will proceed if, and only if:
+ - the required passphrase is in their kernel keyring, and
+ - the current user owns both the SOURCE and DESTINATION mount points
+ - the DESTINATION is not already mounted
This program will:
- - mount ~/.Private onto ~/Private
+ - mount SOURCE onto DESTINATION
- as an ecryptfs filesystem
- using the AES cipher
- with a key length of 16 bytes
- using the passphrase whose signature is in ~/.ecryptfs/Private.sig
-The only setuid operation in this program is the call to \fBmount\fP(8).
+The only setuid operation in this program is the call to \fBmount\fP(8) or \fBumount\fP(8).
The \fBecryptfs-setup-private\fP(1) utility will create the ~/.Private and ~/Private directories, generate a mount passphrase, wrap the passphrase, and write the ~/.ecryptfs/Private.sig.
@@ -40,7 +50,7 @@
.SH SEE ALSO
.PD 0
.TP
-\fBecryptfs\fP(7), \fBecryptfs-rewrap-passphrase\fP(1), \fBecryptfs-setup-private\fP(1), \fBkeyctl\fP(1), \fBmount\fP(8), \fBumount.ecryptfs_private\fP(1), \fBpam_ecryptfs\fP(8)
+\fBecryptfs\fP(7), \fBecryptfs-rewrap-passphrase\fP(1), \fBecryptfs-setup-private\fP(1), \fBkeyctl\fP(1), \fBmount\fP(8), \fBumount.ecryptfs_private\fP(1), \fBpam_ecryptfs\fP(8), \fBfstab\fP(5)
.TP
\fI/usr/share/doc/ecryptfs-utils/ecryptfs-faq.html\fP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/m4/intltool.m4 new/ecryptfs-utils-87/m4/intltool.m4
--- old/ecryptfs-utils-83/m4/intltool.m4 2009-09-21 18:08:22.000000000 +0200
+++ new/ecryptfs-utils-87/m4/intltool.m4 1970-01-01 01:00:00.000000000 +0100
@@ -1,216 +0,0 @@
-## intltool.m4 - Configure intltool for the target system. -*-Shell-script-*-
-## Copyright (C) 2001 Eazel, Inc.
-## Author: Maciej Stachowiak
-## Kenneth Christiansen
-##
-## This program is free software; you can redistribute it and/or modify
-## it under the terms of the GNU General Public License as published by
-## the Free Software Foundation; either version 2 of the License, or
-## (at your option) any later version.
-##
-## This program is distributed in the hope that it will be useful, but
-## WITHOUT ANY WARRANTY; without even the implied warranty of
-## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-## General Public License for more details.
-##
-## You should have received a copy of the GNU General Public License
-## along with this program; if not, write to the Free Software
-## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-##
-## As a special exception to the GNU General Public License, if you
-## distribute this file as part of a program that contains a
-## configuration script generated by Autoconf, you may include it under
-## the same distribution terms that you use for the rest of that program.
-
-dnl IT_PROG_INTLTOOL([MINIMUM-VERSION], [no-xml])
-# serial 40 IT_PROG_INTLTOOL
-AC_DEFUN([IT_PROG_INTLTOOL], [
-AC_PREREQ([2.50])dnl
-AC_REQUIRE([AM_NLS])dnl
-
-case "$am__api_version" in
- 1.[01234])
- AC_MSG_ERROR([Automake 1.5 or newer is required to use intltool])
- ;;
- *)
- ;;
-esac
-
-if test -n "$1"; then
- AC_MSG_CHECKING([for intltool >= $1])
-
- INTLTOOL_REQUIRED_VERSION_AS_INT=`echo $1 | awk -F. '{ print $ 1 * 1000 + $ 2 * 100 + $ 3; }'`
- INTLTOOL_APPLIED_VERSION=`intltool-update --version | head -1 | cut -d" " -f3`
- [INTLTOOL_APPLIED_VERSION_AS_INT=`echo $INTLTOOL_APPLIED_VERSION | awk -F. '{ print $ 1 * 1000 + $ 2 * 100 + $ 3; }'`
- ]
- AC_MSG_RESULT([$INTLTOOL_APPLIED_VERSION found])
- test "$INTLTOOL_APPLIED_VERSION_AS_INT" -ge "$INTLTOOL_REQUIRED_VERSION_AS_INT" ||
- AC_MSG_ERROR([Your intltool is too old. You need intltool $1 or later.])
-fi
-
-AC_PATH_PROG(INTLTOOL_UPDATE, [intltool-update])
-AC_PATH_PROG(INTLTOOL_MERGE, [intltool-merge])
-AC_PATH_PROG(INTLTOOL_EXTRACT, [intltool-extract])
-if test -z "$INTLTOOL_UPDATE" -o -z "$INTLTOOL_MERGE" -o -z "$INTLTOOL_EXTRACT"; then
- AC_MSG_ERROR([The intltool scripts were not found. Please install intltool.])
-fi
-
- INTLTOOL_DESKTOP_RULE='%.desktop: %.desktop.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
-INTLTOOL_DIRECTORY_RULE='%.directory: %.directory.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_KEYS_RULE='%.keys: %.keys.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -k -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_PROP_RULE='%.prop: %.prop.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_OAF_RULE='%.oaf: %.oaf.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -p $(top_srcdir)/po $< [$]@'
- INTLTOOL_PONG_RULE='%.pong: %.pong.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_SERVER_RULE='%.server: %.server.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -o -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_SHEET_RULE='%.sheet: %.sheet.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
-INTLTOOL_SOUNDLIST_RULE='%.soundlist: %.soundlist.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_UI_RULE='%.ui: %.ui.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_XML_RULE='%.xml: %.xml.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_XML_NOMERGE_RULE='%.xml: %.xml.in $(INTLTOOL_MERGE) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u /tmp $< [$]@'
- INTLTOOL_XAM_RULE='%.xam: %.xml.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_KBD_RULE='%.kbd: %.kbd.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -m -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_CAVES_RULE='%.caves: %.caves.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_SCHEMAS_RULE='%.schemas: %.schemas.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -s -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_THEME_RULE='%.theme: %.theme.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_SERVICE_RULE='%.service: %.service.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -d -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
- INTLTOOL_POLICY_RULE='%.policy: %.policy.in $(INTLTOOL_MERGE) $(wildcard $(top_srcdir)/po/*.po) ; LC_ALL=C $(INTLTOOL_MERGE) -x -u -c $(top_builddir)/po/.intltool-merge-cache $(top_srcdir)/po $< [$]@'
-
-_IT_SUBST(INTLTOOL_DESKTOP_RULE)
-_IT_SUBST(INTLTOOL_DIRECTORY_RULE)
-_IT_SUBST(INTLTOOL_KEYS_RULE)
-_IT_SUBST(INTLTOOL_PROP_RULE)
-_IT_SUBST(INTLTOOL_OAF_RULE)
-_IT_SUBST(INTLTOOL_PONG_RULE)
-_IT_SUBST(INTLTOOL_SERVER_RULE)
-_IT_SUBST(INTLTOOL_SHEET_RULE)
-_IT_SUBST(INTLTOOL_SOUNDLIST_RULE)
-_IT_SUBST(INTLTOOL_UI_RULE)
-_IT_SUBST(INTLTOOL_XAM_RULE)
-_IT_SUBST(INTLTOOL_KBD_RULE)
-_IT_SUBST(INTLTOOL_XML_RULE)
-_IT_SUBST(INTLTOOL_XML_NOMERGE_RULE)
-_IT_SUBST(INTLTOOL_CAVES_RULE)
-_IT_SUBST(INTLTOOL_SCHEMAS_RULE)
-_IT_SUBST(INTLTOOL_THEME_RULE)
-_IT_SUBST(INTLTOOL_SERVICE_RULE)
-_IT_SUBST(INTLTOOL_POLICY_RULE)
-
-# Check the gettext tools to make sure they are GNU
-AC_PATH_PROG(XGETTEXT, xgettext)
-AC_PATH_PROG(MSGMERGE, msgmerge)
-AC_PATH_PROG(MSGFMT, msgfmt)
-AC_PATH_PROG(GMSGFMT, gmsgfmt, $MSGFMT)
-if test -z "$XGETTEXT" -o -z "$MSGMERGE" -o -z "$MSGFMT"; then
- AC_MSG_ERROR([GNU gettext tools not found; required for intltool])
-fi
-xgversion="`$XGETTEXT --version|grep '(GNU ' 2> /dev/null`"
-mmversion="`$MSGMERGE --version|grep '(GNU ' 2> /dev/null`"
-mfversion="`$MSGFMT --version|grep '(GNU ' 2> /dev/null`"
-if test -z "$xgversion" -o -z "$mmversion" -o -z "$mfversion"; then
- AC_MSG_ERROR([GNU gettext tools not found; required for intltool])
-fi
-
-AC_PATH_PROG(INTLTOOL_PERL, perl)
-if test -z "$INTLTOOL_PERL"; then
- AC_MSG_ERROR([perl not found])
-fi
-AC_MSG_CHECKING([for perl >= 5.8.1])
-$INTLTOOL_PERL -e "use 5.8.1;" > /dev/null 2>&1
-if test $? -ne 0; then
- AC_MSG_ERROR([perl 5.8.1 is required for intltool])
-else
- IT_PERL_VERSION="`$INTLTOOL_PERL -e \"printf '%vd', $^V\"`"
- AC_MSG_RESULT([$IT_PERL_VERSION])
-fi
-if test "x$2" != "xno-xml"; then
- AC_MSG_CHECKING([for XML::Parser])
- if `$INTLTOOL_PERL -e "require XML::Parser" 2>/dev/null`; then
- AC_MSG_RESULT([ok])
- else
- AC_MSG_ERROR([XML::Parser perl module is required for intltool])
- fi
-fi
-
-# Substitute ALL_LINGUAS so we can use it in po/Makefile
-AC_SUBST(ALL_LINGUAS)
-
-# Set DATADIRNAME correctly if it is not set yet
-# (copied from glib-gettext.m4)
-if test -z "$DATADIRNAME"; then
- AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[]],
- [[extern int _nl_msg_cat_cntr;
- return _nl_msg_cat_cntr]])],
- [DATADIRNAME=share],
- [case $host in
- *-*-solaris*)
- dnl On Solaris, if bind_textdomain_codeset is in libc,
- dnl GNU format message catalog is always supported,
- dnl since both are added to the libc all together.
- dnl Hence, we'd like to go with DATADIRNAME=share
- dnl in this case.
- AC_CHECK_FUNC(bind_textdomain_codeset,
- [DATADIRNAME=share], [DATADIRNAME=lib])
- ;;
- *)
- [DATADIRNAME=lib]
- ;;
- esac])
-fi
-AC_SUBST(DATADIRNAME)
-
-IT_PO_SUBDIR([po])
-
-])
-
-
-# IT_PO_SUBDIR(DIRNAME)
-# ---------------------
-# All po subdirs have to be declared with this macro; the subdir "po" is
-# declared by IT_PROG_INTLTOOL.
-#
-AC_DEFUN([IT_PO_SUBDIR],
-[AC_PREREQ([2.53])dnl We use ac_top_srcdir inside AC_CONFIG_COMMANDS.
-dnl
-dnl The following CONFIG_COMMANDS should be exetuted at the very end
-dnl of config.status.
-AC_CONFIG_COMMANDS_PRE([
- AC_CONFIG_COMMANDS([$1/stamp-it], [
- if [ ! grep "^# INTLTOOL_MAKEFILE$" "$1/Makefile.in" > /dev/null ]; then
- AC_MSG_ERROR([$1/Makefile.in.in was not created by intltoolize.])
- fi
- rm -f "$1/stamp-it" "$1/stamp-it.tmp" "$1/POTFILES" "$1/Makefile.tmp"
- >"$1/stamp-it.tmp"
- [sed '/^#/d
- s/^[[].*] *//
- /^[ ]*$/d
- '"s|^| $ac_top_srcdir/|" \
- "$srcdir/$1/POTFILES.in" | sed '$!s/$/ \\/' >"$1/POTFILES"
- ]
- [sed '/^POTFILES =/,/[^\\]$/ {
- /^POTFILES =/!d
- r $1/POTFILES
- }
- ' "$1/Makefile.in" >"$1/Makefile"]
- rm -f "$1/Makefile.tmp"
- mv "$1/stamp-it.tmp" "$1/stamp-it"
- ])
-])dnl
-])
-
-# _IT_SUBST(VARIABLE)
-# -------------------
-# Abstract macro to do either _AM_SUBST_NOTMAKE or AC_SUBST
-#
-AC_DEFUN([_IT_SUBST],
-[
-AC_SUBST([$1])
-m4_ifdef([_AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE([$1])])
-]
-)
-
-# deprecated macros
-AU_ALIAS([AC_PROG_INTLTOOL], [IT_PROG_INTLTOOL])
-# A hint is needed for aclocal from Automake <= 1.9.4:
-# AC_DEFUN([AC_PROG_INTLTOOL], ...)
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/po/POTFILES.in new/ecryptfs-utils-87/po/POTFILES.in
--- old/ecryptfs-utils-83/po/POTFILES.in 2010-02-17 18:05:05.000000000 +0100
+++ new/ecryptfs-utils-87/po/POTFILES.in 2011-03-09 14:30:32.000000000 +0100
@@ -2,6 +2,7 @@
src/desktop/ecryptfs-mount-private.desktop.in
src/desktop/ecryptfs-setup-private.desktop.in
src/utils/ecryptfs-mount-private
+src/utils/ecryptfs-recover-private
src/utils/ecryptfs-rewrite-file
src/utils/ecryptfs-setup-private
src/utils/ecryptfs-setup-swap
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/desktop/ecryptfs-record-passphrase new/ecryptfs-utils-87/src/desktop/ecryptfs-record-passphrase
--- old/ecryptfs-utils-83/src/desktop/ecryptfs-record-passphrase 2010-02-17 22:11:13.000000000 +0100
+++ new/ecryptfs-utils-87/src/desktop/ecryptfs-record-passphrase 2011-03-09 14:30:32.000000000 +0100
@@ -15,5 +15,5 @@
"Passphrase" prompt and you can display your randomly generated passphrase.
.
Otherwise, you will need to run "ecryptfs-unwrap-passphrase" from the command
- line to retrive and record your generated passphrase.
+ line to retrieve and record your generated passphrase.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/libecryptfs/main.c new/ecryptfs-utils-87/src/libecryptfs/main.c
--- old/ecryptfs-utils-83/src/libecryptfs/main.c 2009-11-11 02:01:37.000000000 +0100
+++ new/ecryptfs-utils-87/src/libecryptfs/main.c 2011-03-09 14:30:32.000000000 +0100
@@ -144,7 +144,7 @@
struct mntent *m = NULL;
char *opt = NULL;
int mounted;
- if (asprintf(&opt, "ecryptfs_sig=%s", sig) < 0) {
+ if (sig && asprintf(&opt, "ecryptfs_sig=%s", sig) < 0) {
perror("asprintf");
return 0;
}
@@ -181,7 +181,7 @@
if (
strcmp(m->mnt_fsname, dev) == 0 &&
strcmp(m->mnt_dir, mnt) == 0 &&
- hasmntopt(m, opt) != NULL
+ (!opt || hasmntopt(m, opt) != NULL)
) {
mounted = 1;
break;
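Review bot: With `sig == NULL` the guard added in the previous hunk leaves `opt` NULL, so this condition accepts any mtab entry whose `mnt_fsname` and `mnt_dir` match, without looking at its `ecryptfs_sig=` option. That fits the changelog's goal of letting umount.ecryptfs_private succeed once the key has left the keyring, but it should be stated at the site, because this test decides which mount the private-mount helper treats as the user's own. I would add a comment above the condition such as `/* sig == NULL: no signature available; match on source and mount point only */`, and confirm that every caller passing NULL has already verified ownership of both paths. The enclosing function starts and ends outside both hunks.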
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/pam_ecryptfs/pam_ecryptfs.c new/ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c
--- old/ecryptfs-utils-83/src/pam_ecryptfs/pam_ecryptfs.c 2010-02-16 18:01:43.000000000 +0100
+++ new/ecryptfs-utils-87/src/pam_ecryptfs/pam_ecryptfs.c 2011-03-09 14:30:32.000000000 +0100
@@ -68,13 +68,13 @@
}
}
-/* returns: 0 for pam automounting not set, 1 for set, <0 for error */
-static int ecryptfs_pam_automount_set(const char *homedir)
+/* returns: 0 if file does not exist, 1 if it exists, <0 for error */
+static int file_exists_dotecryptfs(const char *homedir, char *filename)
{
char *file_path;
int rc = 0;
struct stat s;
- if (asprintf(&file_path, "%s/.ecryptfs/auto-mount", homedir) == -1)
+ if (asprintf(&file_path, "%s/.ecryptfs/%s", homedir, filename) == -1)
return -ENOMEM;
if (stat(file_path, &s) != 0) {
if (errno != ENOENT)
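Review bot: The new `filename` parameter is spliced into the path as-is and is declared `char *` although the callers visible in this diff pass string literals. Declaring it `const char *filename` matches `homedir` and avoids discarded-qualifier warnings. The header comment should also say that `filename` must be a fixed basename under `~/.ecryptfs` (no `/`), for example `/* filename: literal basename inside $HOME/.ecryptfs, never user-supplied */`, so a later caller does not pass external input into a path that is stat()ed during PAM processing. The function body continues past the end of the hunk.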
@@ -149,7 +149,7 @@
"rc = [%ld]\n", username, rc);
goto out;
}
- if (!ecryptfs_pam_automount_set(homedir))
+ if (!file_exists_dotecryptfs(homedir, "auto-mount"))
goto out;
private_mnt = ecryptfs_fetch_private_mnt(homedir);
if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
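Review bot: `!file_exists_dotecryptfs(homedir, "auto-mount")` only skips on a return of 0, so the `<0` error return documented on the helper is treated the same as "file exists" and auto-mount proceeds when the marker cannot be examined. The `wrapping-independent` check added later in this commit compares against `== 1`; using the same form here, `if (file_exists_dotecryptfs(homedir, "auto-mount") != 1) goto out;`, makes the module fail closed on a `stat()` error. The surrounding function begins and ends outside the hunk.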
@@ -165,7 +165,10 @@
syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
saved_uid = geteuid();
seteuid(uid);
- rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
+ if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1)
+ rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: ");
+ else
+ rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
seteuid(saved_uid);
if (rc != PAM_SUCCESS) {
syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
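Review bot: The two branches return `passphrase` with different ownership: `pam_get_item` yields a pointer that PAM owns, while `pam_prompt` yields a heap-allocated response that the module has to release. The code that consumes and cleans up `passphrase` is outside this hunk, so this cannot be confirmed here, but unless it tracks which branch ran, either the prompted passphrase stays in heap memory un-zeroed or the PAM-owned item gets freed. I would record the branch (for example `prompted = 1;` next to the `pam_prompt` call) and, on the exit path, zero and free the buffer only in that case. `&passphrase` is passed uncast to `pam_prompt` but cast to `const void **` in the else branch, so its declared type should be checked against `char **response`.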
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/Makefile.am new/ecryptfs-utils-87/src/utils/Makefile.am
--- old/ecryptfs-utils-83/src/utils/Makefile.am 2010-02-17 03:53:33.000000000 +0100
+++ new/ecryptfs-utils-87/src/utils/Makefile.am 2011-03-09 14:30:32.000000000 +0100
@@ -1,6 +1,6 @@
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
-EXTRA_DIST=ecryptfsrc ecryptfs-rewrite-file ecryptfs-setup-private ecryptfs-setup-swap ecryptfs-mount-private ecryptfs-umount-private ecryptfs-migrate-home
+EXTRA_DIST=ecryptfsrc ecryptfs-rewrite-file ecryptfs-setup-private ecryptfs-setup-swap ecryptfs-mount-private ecryptfs-umount-private ecryptfs-migrate-home ecryptfs-recover-private
rootsbin_PROGRAMS=mount.ecryptfs \
umount.ecryptfs \
@@ -16,6 +16,7 @@
ecryptfs-mount-private \
ecryptfs-umount-private \
ecryptfs-rewrite-file \
+ ecryptfs-recover-private \
ecryptfs-migrate-home
bin2dir = $(bindir)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/ecryptfs-migrate-home new/ecryptfs-utils-87/src/utils/ecryptfs-migrate-home
--- old/ecryptfs-utils-83/src/utils/ecryptfs-migrate-home 2010-02-17 22:00:40.000000000 +0100
+++ new/ecryptfs-utils-87/src/utils/ecryptfs-migrate-home 2011-03-09 14:30:32.000000000 +0100
@@ -81,7 +81,7 @@
# get user home by username
get_user_home () {
local USER_NAME="$1"
- local USER_HOME=$(grep "^$USER_NAME:" /etc/passwd | cut -d":" -f 6)
+ local USER_HOME=$(getent passwd "$USER_NAME" | cut -d":" -f 6)
if [ -z "$USER_HOME" ]; then
error "Cannot find the home directory of $USER_NAME."
fi
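Review bot: `getent passwd "$USER_NAME"` also resolves a numeric key as a UID (glibc behaviour), so an all-digit argument returns the home directory of whichever account has that UID, while the rest of the script presumably keeps using the string as a login name. Since this script migrates a home directory as root, I would keep only an entry whose first field equals the requested name: `local USER_HOME=$(getent passwd "$USER_NAME" | awk -F: -v u="$USER_NAME" '$1 == u { print $6 }')`. The existing empty-string check then reports the mismatch. The closing brace of `get_user_home` is outside the hunk.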
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/ecryptfs-recover-private new/ecryptfs-utils-87/src/utils/ecryptfs-recover-private
--- old/ecryptfs-utils-83/src/utils/ecryptfs-recover-private 1970-01-01 01:00:00.000000000 +0100
+++ new/ecryptfs-utils-87/src/utils/ecryptfs-recover-private 2011-03-09 14:30:32.000000000 +0100
@@ -0,0 +1,100 @@
+#!/bin/sh -e
+#
+# ecryptfs-recover-private
+# Copyright (C) 2010 Canonical Ltd.
+#
+# Authors: Dustin Kirkland
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+
+error() {
+ echo "ERROR: $@" 1>&2
+ exit 1
+}
+
+info() {
+ echo "INFO: $@"
+}
+
+# We need root access to do the deep find and the mount
+[ "$(id -u)" = "0" ] || error "This program must be run as root."
+
+# Handle parameters
+if [ -d "$1" ]; then
+ # Allow for target directories on the command line
+ dirs="$@"
+else
+ # Otherwise, search the system for directories named ".Private"
+ info "Searching for encrypted private directories (this might take a while)..."
+ dirs=$(find / -type d -name ".Private")
+ if [ -z "$dirs" ]; then
+ info "Hint: click 'Places' and select your hard disk, then run this again."
+ error "No private directories found; make sure that your root filesystem is mounted."
+ fi
+fi
+
+# Examine directories
+for d in $dirs; do
+ if [ -d "$d" ]; then
+ info "Found [$d]."
+ echo -n "Try to recover this directory? [Y/n]: "
+ answer=$(head -n1)
+ case "$answer" in n*|N*) continue ;; esac
+ else
+ continue
+ fi
+ # Determine if filename encryption is on
+ ls "$d/ECRYPTFS_FNEK_ENCRYPTED"* >/dev/null 2>&1 && fnek="--fnek" || fnek=
+ if [ -f "$d/../.ecryptfs/wrapped-passphrase" ]; then
+ # Use the wrapped-passphrase, if available
+ info "Enter your LOGIN passphrase..."
+ ecryptfs-insert-wrapped-passphrase-into-keyring "$d/../.ecryptfs/wrapped-passphrase"
+ sigs=$(sed -e "s/[^0-9a-f]//g" "$d/../.ecryptfs/Private.sig")
+ else
+ # Fall back to mount passphrase
+ echo
+ info "Could not find your wrapped passphrase file."
+ info "To recover this directory, you MUST have your original MOUNT passphrase."
+ info "When you first setup your encrypted private directory, you were told to record"
+ info "your MOUNT passphrase."
+ info "It should be 32 characters long, consisting of [0-9] and [a-f]."
+ echo
+ echo -n "Enter your MOUNT passphrase: "
+ stty_orig=$(stty -g)
+ stty -echo
+ passphrase=$(head -n1)
+ stty $stty_orig
+ echo
+ sigs=$(printf "%s\0" "$passphrase" | ecryptfs-add-passphrase $fnek | grep "^Inserted" | sed -e "s/^.*\[//" -e "s/\].*$//" -e "s/[^0-9a-f]//g")
+ fi
+ case $(echo "$sigs" | wc -l) in
+ 1)
+ mount_sig=$(echo "$sigs" | head -n1)
+ fnek_sig=
+ mount_opts="ro,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+ ;;
+ 2)
+ mount_sig=$(echo "$sigs" | head -n1)
+ fnek_sig=$(echo "$sigs" | tail -n1)
+ mount_opts="ro,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+ ;;
+ *)
+ continue
+ ;;
+ esac
+ (keyctl list @u | grep -qs "$mount_sig") || error "The key required to access this private data is not available."
+ (keyctl list @u | grep -qs "$fnek_sig") || error "The key required to access this private data is not available."
+ tmpdir=$(mktemp -d /tmp/ecryptfs.XXXXXXXX)
+ mount -i -t ecryptfs -o "$mount_opts" "$d" "$tmpdir"
+ info "Success! Private data mounted read-only at [$tmpdir]."
+done
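Review bot: The two `keyctl list @u | grep -qs` checks near the end of the loop pass vacuously when `$sigs` is empty, because `echo "$sigs" | wc -l` still yields 1 and `grep -qs ""` matches any keyring listing. If `ecryptfs-add-passphrase` inserts nothing, the script therefore reaches `mount` with an empty `ecryptfs_sig=`. Guard the value before the `keyctl` lines with `[ -n "$mount_sig" ] || error "No key signature was obtained for [$d]."`, and run the second check only when `$fnek_sig` is non-empty. Separately, `for d in $dirs` splits on whitespace, so a path containing a space is silently skipped. The `stty -echo` block also has no `trap` to restore echo if the read is interrupted.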
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/ecryptfs-setup-private new/ecryptfs-utils-87/src/utils/ecryptfs-setup-private
--- old/ecryptfs-utils-83/src/utils/ecryptfs-setup-private 2010-02-17 05:47:40.000000000 +0100
+++ new/ecryptfs-utils-87/src/utils/ecryptfs-setup-private 2011-03-09 14:30:32.000000000 +0100
@@ -217,7 +217,7 @@
MOUNTPOINT="$HOME"
CRYPTDIR="$ECRYPTFS_DIR/$USER/.$PRIVATE_DIR"
else
- mkdir -m 700 $HOME/.ecryptfs
+ mkdir -p -m 700 $HOME/.ecryptfs
MOUNTPOINT="$HOME/$PRIVATE_DIR"
CRYPTDIR="$HOME/.$PRIVATE_DIR"
fi
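Review bot: With `-p`, `mkdir` succeeds without touching the mode when `$HOME/.ecryptfs` already exists, so `-m 700` no longer guarantees that the directory holding the wrapped passphrase and signature files is private. Follow it with an explicit `chmod 700 "$HOME/.ecryptfs"`, and quote the path in both commands so a home directory containing whitespace is handled as one argument. The enclosing `if`/`else` starts outside this hunk.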
@@ -399,9 +399,11 @@
temp=`mktemp`
echo "$sig" > "$temp" || error "$(gettext 'Could not create signature file')" "[$HOME/.ecryptfs/$PRIVATE_DIR.sig]"
mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.sig"
+which restorecon 2>/dev/null && restorecon "$HOME/.ecryptfs/$PRIVATE_DIR.sig" > /dev/null 2>&1
temp=`mktemp`
echo "$MOUNTPOINT" > "$temp" || error "$(gettext 'Could not create mountpoint file')" "[$HOME/.ecryptfs/$PRIVATE_DIR.mnt]"
mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.mnt"
+which restorecon 2>/dev/null && restorecon "$HOME/.ecryptfs/$PRIVATE_DIR.mnt" > /dev/null 2>&1
echo
echo "$(gettext 'Done configuring.')"
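Review bot: `which restorecon 2>/dev/null` silences only stderr, so on systems that have restorecon its path is printed into the setup output; this applies to both added lines. The POSIX form `command -v restorecon >/dev/null 2>&1 && restorecon "$HOME/.ecryptfs/$PRIVATE_DIR.sig" >/dev/null 2>&1` stays quiet and does not depend on `which` being installed. A short comment such as `# file was created by mktemp outside $HOME, so reset its SELinux label after the mv` would record why the call is needed; the mktemp location is presumed from its default behaviour.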
@@ -435,12 +437,14 @@
# Now let's perform some basic mount/write/umount/read sanity testing...
echo "$(gettext 'Testing mount/write/umount/read...')"
+printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK -
/sbin/mount.ecryptfs_private || error "$(gettext 'Could not mount private ecryptfs directory')"
temp=`mktemp "$MOUNTPOINT/ecryptfs.test.XXXXXX"` || error_testing "$temp" "$(gettext 'Could not create empty file')"
random_data=`head -c 16000 /dev/urandom | od -x` || error_testing "$temp" "$(gettext 'Could not generate random data')"
echo "$random_data" > "$temp" || error_testing "$temp" "$(gettext 'Could not write encrypted file')"
md5sum1=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read encrypted file')"
/sbin/umount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not unmount private ecryptfs directory')"
+printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK -
/sbin/mount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not mount private ecryptfs directory (2)')"
md5sum2=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read encrypted file (2)')"
rm -f "$temp"
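Review bot: Both added `ecryptfs-add-passphrase` pipelines ignore their exit status, unlike every neighbouring step in this test sequence, so a failed key insertion only surfaces later as a generic mount error. Check them the way the surrounding lines do, e.g. `printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK - >/dev/null || error "$(gettext 'Could not insert key into keyring')"`, using `error_testing "$temp"` for the second one. Redirecting stdout also keeps the tool's insertion message out of the test transcript.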
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/ecryptfs_rewrap_passphrase.c new/ecryptfs-utils-87/src/utils/ecryptfs_rewrap_passphrase.c
--- old/ecryptfs-utils-83/src/utils/ecryptfs_rewrap_passphrase.c 2009-10-20 20:49:55.000000000 +0200
+++ new/ecryptfs-utils-87/src/utils/ecryptfs_rewrap_passphrase.c 2011-03-09 14:30:32.000000000 +0100
@@ -42,6 +42,7 @@
char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1];
char *old_wrapping_passphrase;
char *new_wrapping_passphrase;
+ char *new_wrapping_passphrase2;
char salt[ECRYPTFS_SALT_SIZE];
char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
int rc = 0;
@@ -52,6 +53,16 @@
ecryptfs_get_passphrase("Old wrapping passphrase");
new_wrapping_passphrase =
ecryptfs_get_passphrase("New wrapping passphrase");
+ new_wrapping_passphrase2 =
+ ecryptfs_get_passphrase("New wrapping passphrase (again)");
+ if (
+ strlen(new_wrapping_passphrase) != strlen(new_wrapping_passphrase2) ||
+ strncmp(new_wrapping_passphrase, new_wrapping_passphrase2, strlen(new_wrapping_passphrase))!=0
+ ) {
+ fprintf(stderr, "New wrapping passphrases do not match\n");
+ rc = 1;
+ goto out;
+ }
} else if (argc == 3
&& strlen(argv[2]) == 1 && strncmp(argv[2], "-", 1) == 0) {
/* stdin mode */
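Review bot: The confirmation check calls `strlen()` on both passphrases before anything verifies that `ecryptfs_get_passphrase()` returned a buffer; if that helper can return NULL (its definition is not in this hunk) this is undefined behaviour. The length comparison followed by `strncmp` is equivalent to a plain `strcmp`, so the condition can read `if (!new_wrapping_passphrase || !new_wrapping_passphrase2 || strcmp(new_wrapping_passphrase, new_wrapping_passphrase2) != 0) {`. The `out:` label is outside the hunk; confirm that path clears and frees all passphrase buffers, including the new `new_wrapping_passphrase2`.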
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c new/ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c
--- old/ecryptfs-utils-83/src/utils/mount.ecryptfs_private.c 2010-02-16 17:59:21.000000000 +0100
+++ new/ecryptfs-utils-87/src/utils/mount.ecryptfs_private.c 2011-03-09 14:30:32.000000000 +0100
@@ -5,6 +5,7 @@
* Copyright (C) 2008 Canonical Ltd.
*
* This code was originally written by Dustin Kirkland .
+ * Enhanced by Serge Hallyn .
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -31,6 +32,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -51,6 +53,51 @@
#define FSTYPE "ecryptfs"
#define TMP "/dev/shm"
+int saved_errno;
+
+int read_config(char *pw_dir, int uid, char *alias, char **s, char **d, char **o) {
+/* Read an fstab(5) style config file */
+ char *fnam;
+ struct stat mstat;
+ struct mntent *e;
+ FILE *fin;
+ if (asprintf(&fnam, "%s/.ecryptfs/%s.conf", pw_dir, alias) < 0) {
+ perror("asprintf");
+ return -1;
+ }
+ if (stat(fnam, &mstat)!=0 || (!S_ISREG(mstat.st_mode) || mstat.st_uid!=uid)) {
+ fputs("Bad file\n", stderr);
+ free(fnam);
+ return -1;
+ }
+ fin = fopen(fnam, "r");
+ free(fnam);
+ if (!fin) {
+ perror("fopen");
+ return -1;
+ }
+ e = getmntent(fin);
+ fclose(fin);
+ if (!e) {
+ perror("getmntent");
+ return -1;
+ }
+ if (strcmp(e->mnt_type, "ecryptfs") != 0) {
+ fputs("Bad fs type\n", stderr);
+ return -1;
+ }
+ *o = strdup(e->mnt_opts);
+ if (!*o)
+ return -2;
+ *d = strdup(e->mnt_dir);
+ if (!*d)
+ return -2;
+ *s = strdup(e->mnt_fsname);
+ if (!*s)
+ return -2;
+out:
+ return 0;
+}
int check_username(char *u) {
/* We follow the username guidelines used by the adduser program. Quoting its
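Review bot: `read_config()` validates the file with `stat()` on the path and then opens the same path with `fopen()`, so the owner and regular-file checks do not necessarily apply to the file that is actually read. In a setuid helper the path under the user's home directory can change between the two calls. Open first and run the checks on the open descriptor with `fstat(fileno(fin), &mstat)`, closing `fin` on rejection. Separately, the earlier `strdup()` results leak on the `-2` return paths, and the `out:` label is never used.

```c
int read_config(char *pw_dir, int uid, char *alias, char **s, char **d, char **o) {
	/* … unchanged: declarations and asprintf() of fnam … */
	fin = fopen(fnam, "r");
	free(fnam);
	if (!fin) {
		perror("fopen");
		return -1;
	}
	/* Check the file that was actually opened, not the path. */
	if (fstat(fileno(fin), &mstat) != 0 ||
	    !S_ISREG(mstat.st_mode) || mstat.st_uid != uid) {
		fputs("Bad file\n", stderr);
		fclose(fin);
		return -1;
	}
	/* … unchanged: getmntent(), fs type check, strdup() of the three fields … */
```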
@@ -83,8 +130,7 @@
return 0;
}
-
-char *fetch_sig(char *pw_dir, int entry) {
+char *fetch_sig(char *pw_dir, int entry, char *alias) {
/* Read ecryptfs signature from file and validate
* Return signature as a string, or NULL on failure
*/
@@ -95,7 +141,7 @@
/* Construct sig file name */
if (
asprintf(&sig_file, "%s/.ecryptfs/%s.sig", pw_dir,
- ECRYPTFS_PRIVATE_DIR) < 0
+ alias) < 0
) {
perror("asprintf");
return NULL;
@@ -144,9 +190,7 @@
* compile with -lkeyutils
*/
if (keyctl_search(KEY_SPEC_USER_KEYRING, "user", sig, 0) < 0) {
- perror("keyctl_search");
- fputs("Perhaps try the interactive 'ecryptfs-mount-private'\n",
- stderr);
+ saved_errno = errno;
return NULL;
}
return sig;
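Review bot: `saved_errno` is written only on the `keyctl_search` failure, but `fetch_sig()` (whose body starts outside this hunk) has other NULL returns, the `asprintf` failure in the previous hunk being one. The caller's `errno = saved_errno; perror("keyctl_search")` can therefore report a stale or zero errno for an unrelated failure. Reset it on entry with `saved_errno = 0;` and have `main` print the keyring hint only when it is non-zero. Because the `perror` was removed here and `main` reports only for the first signature, a missing FNEK key is now silent when mounting; a one-line `fputs` after the second `fetch_sig` call would keep that diagnosable. A comment on the global such as `/* errno of the last failed keyctl_search() in fetch_sig(); 0 if none */` would document the contract.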
@@ -204,7 +248,7 @@
return 0;
}
-FILE *lock_counter(char *u, int uid) {
+FILE *lock_counter(char *u, int uid, char *alias) {
char *f;
int fd;
FILE *fh;
@@ -212,7 +256,7 @@
int i = 1;
/* We expect TMP to exist, be writeable by the user,
* and to be cleared on boot */
- if (asprintf(&f, "%s/%s-%s-%s", TMP, FSTYPE, u, ECRYPTFS_PRIVATE_DIR) < 0) {
+ if (asprintf(&f, "%s/%s-%s-%s", TMP, FSTYPE, u, alias) < 0) {
perror("asprintf");
return NULL;
}
@@ -224,7 +268,7 @@
if (stat(f, &s)==0 && (!S_ISREG(s.st_mode) || s.st_uid!=uid)) {
free(f);
if (asprintf(&f, "%s/%s-%s-%s-%d", TMP, FSTYPE, u,
- ECRYPTFS_PRIVATE_DIR, i++) < 0) {
+ alias, i++) < 0) {
perror("asprintf");
return NULL;
}
@@ -326,9 +370,8 @@
* - unmounts ~/.Private from ~/Private
* - using the signature defined in ~/.ecryptfs/Private.sig
* - ONLY IF the user
- * - has the signature's key in his keyring
* - owns both ~/.Private and ~/Private
- * - is currently mounted
+ * - is currently ecryptfs mounted
*
* The only setuid operations in this program are:
* a) mounting
@@ -338,9 +381,8 @@
int main(int argc, char *argv[]) {
int uid, mounting;
int force = 0;
- int fnek = 1;
struct passwd *pwd;
- char *dev, *mnt, *opt;
+ char *alias, *src, *dest, *opt, *opts2;
char *sig, *sig_fnek;
FILE *fh_counter = NULL;
@@ -358,8 +400,39 @@
goto fail;
}
+ /* If no arguments, default to private dir; but accept at most one
+ argument, an alias for the configuration to read and use.
+ */
+ if (argc == 1) {
+ /* Use default source and destination dirs */
+ alias = ECRYPTFS_PRIVATE_DIR;
+ if ((asprintf(&src, "%s/.%s", pwd->pw_dir, alias) < 0) || src == NULL) {
+ perror("asprintf (src)");
+ goto fail;
+ }
+ dest = ecryptfs_fetch_private_mnt(pwd->pw_dir);
+ if (dest == NULL) {
+ perror("asprintf (dest)");
+ goto fail;
+ }
+ } else if (argc == 2) {
+ alias = argv[1];
+ /* Read the source and destination dirs from .conf file */
+ if (read_config(pwd->pw_dir, uid, alias, &src, &dest, &opts2) < 0) {
+ fputs("Error reading configuration file", stderr);
+ exit(1);
+ }
+ if (opts2 != NULL && strlen(opts2) != 0 && strcmp(opts2, "none") != 0) {
+ fputs("Mount options are not supported here", stderr);
+ exit(1);
+ }
+ } else {
+ fputs("Too many arguments", stderr);
+ exit(1);
+ }
+
/* Lock the counter through the rest of the program */
- fh_counter = lock_counter(pwd->pw_name, uid);
+ fh_counter = lock_counter(pwd->pw_name, uid, alias);
if (fh_counter == NULL) {
fputs("Error locking counter", stderr);
goto fail;
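Review bot: `alias = argv[1]` comes straight from the command line and is interpolated without validation into `~/.ecryptfs/%s.conf`, `%s.sig` and the counter file name under `TMP`. An alias containing `/` or `..` would make this setuid helper operate on paths outside those directories. Reject such values before calling `read_config()`, e.g. `if (alias[0] == '\0' || strchr(alias, '/') != NULL) { fputs("Invalid alias\n", stderr); exit(1); }`, or apply a character whitelist along the lines of `check_username()`. The three new `fputs` messages in this hunk lack a trailing `\n`, and `opts2` is left uninitialized on the `argc == 1` path. `main` continues beyond this hunk.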
@@ -387,52 +460,38 @@
/* Fetch signatures from file */
/* First line is the file content encryption key signature */
- sig = fetch_sig(pwd->pw_dir, 0);
+ sig = fetch_sig(pwd->pw_dir, 0, alias);
if (sig == NULL) {
- goto fail;
+ /* if umounting, no sig is ok */
+ if (mounting) {
+ errno = saved_errno;
+ perror("keyctl_search");
+ fputs("Perhaps try the interactive 'ecryptfs-mount-private'\n",
+ stderr);
+ goto fail;
+ }
}
/* Second line, if present, is the filename encryption key signature */
- sig_fnek = fetch_sig(pwd->pw_dir, 1);
- if (sig_fnek == NULL) {
- fnek = 0;
- } else {
- fnek = 1;
- }
+ sig_fnek = fetch_sig(pwd->pw_dir, 1, alias);
- /* Construct device, mount point, and mount options */
+ /* Build mount options */
if (
- (asprintf(&dev, "%s/.%s", pwd->pw_dir, ECRYPTFS_PRIVATE_DIR) < 0) ||
- dev == NULL) {
- perror("asprintf (dev)");
- goto fail;
- }
- mnt = ecryptfs_fetch_private_mnt(pwd->pw_dir);
- if (mnt == NULL) {
- perror("asprintf (mnt)");
+ (asprintf(&opt, "ecryptfs_cipher=%s,ecryptfs_key_bytes=%d,ecryptfs_unlink_sigs%s%s%s%s",
+ KEY_CIPHER,
+ KEY_BYTES,
+ sig ? ",ecryptfs_sig=" : "",
+ sig ? sig : "",
+ sig_fnek ? ",ecryptfs_fnek_sig=" : "",
+ sig_fnek ? sig_fnek : ""
+ ) < 0
+ ) || opt == NULL
+ ) {
+ perror("asprintf (opt)");
goto fail;
}
- if (fnek == 1) {
- /* Filename encryption is on, so specific the fnek sig */
- if ((asprintf(&opt,
-"ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d",
- sig, sig_fnek, KEY_CIPHER, KEY_BYTES) < 0) ||
- opt == NULL) {
- perror("asprintf (opt)");
- goto fail;
- }
- } else {
- /* Filename encryption is off; legacy support */
- if ((asprintf(&opt,
- "ecryptfs_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%d",
- sig, KEY_CIPHER, KEY_BYTES) < 0) ||
- opt == NULL) {
- perror("asprintf (opt)");
- goto fail;
- }
- }
- /* Check ownership of mnt */
- if (check_ownerships(uid, mnt) != 0) {
+ /* Check ownership of dest */
+ if (check_ownerships(uid, dest) != 0) {
goto fail;
}
@@ -442,13 +501,13 @@
fputs("Error incrementing mount counter\n", stderr);
}
/* Mounting, so exit if already mounted */
- if (ecryptfs_private_is_mounted(dev, mnt, sig, mounting) == 1) {
+ if (ecryptfs_private_is_mounted(src, dest, sig, mounting) == 1) {
goto success;
}
- /* Check ownership of dev, if mounting;
- * note, umount only operates on mnt
+ /* Check ownership of src, if mounting;
+ * note, umount only operates on dest
*/
- if (check_ownerships(uid, dev) != 0) {
+ if (check_ownerships(uid, src) != 0) {
goto fail;
}
/* We must maintain our real uid as the user who called this
@@ -462,8 +521,8 @@
*/
setreuid(-1, 0);
/* Perform mount */
- if (mount(dev, mnt, FSTYPE, 0, opt) == 0) {
- if (update_mtab(dev, mnt, opt) != 0) {
+ if (mount(src, dest, FSTYPE, 0, opt) == 0) {
+ if (update_mtab(src, dest, opt) != 0) {
goto fail;
}
} else {
@@ -475,6 +534,7 @@
goto fail;
}
} else {
+ int rc = 0;
/* Decrement counter, exiting if >0, and non-forced unmount */
if (force == 1) {
zero(fh_counter);
@@ -482,8 +542,22 @@
fputs("Sessions still open, not unmounting\n", stderr);
goto fail;
}
+ /* Attempt to clear the user's keys from the keyring,
+ to prevent root from mounting without the user's key.
+ This is a best-effort basis, so we'll just print messages
+ on error. */
+ if (sig != NULL) {
+ rc = ecryptfs_remove_auth_tok_from_keyring(sig);
+ if (rc != 0 && rc != ENOKEY)
+ fputs("Could not remove key from keyring, try 'ecryptfs-umount-private'\n", stderr);
+ }
+ if (sig_fnek != NULL) {
+ rc = ecryptfs_remove_auth_tok_from_keyring(sig_fnek);
+ if (rc != 0 && rc != ENOKEY)
+ fputs("Could not remove key from keyring, try 'ecryptfs-umount-private'\n", stderr);
+ }
/* Unmounting, so exit if not mounted */
- if (ecryptfs_private_is_mounted(dev, mnt, sig, mounting) == 0) {
+ if (ecryptfs_private_is_mounted(src, dest, sig, mounting) == 0) {
goto fail;
}
/* The key is not needed for unmounting, so we set res=0.
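Review bot: On this unmount path `sig` can now be NULL, since the earlier hunk treats a missing signature as fatal only when mounting, yet it is still passed to `ecryptfs_private_is_mounted(src, dest, sig, mounting)`. That function's definition is not part of this file's diff; confirm it accepts NULL and record it with a comment such as `/* sig may be NULL here: the key is not required to unmount */`. The keys are also removed before the is-mounted check, so they are dropped even when the code then takes `goto fail`; move the removal after that check if this is unintended. The `rc != ENOKEY` comparison assumes `ecryptfs_remove_auth_tok_from_keyring()` returns a positive errno value, which is worth verifying against its definition.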
@@ -492,7 +566,7 @@
* Do not use the umount.ecryptfs helper (-i).
*/
setresuid(0,0,0);
- execl("/bin/umount", "umount", "-i", "-l", mnt, NULL);
+ execl("/bin/umount", "umount", "-i", "-l", dest, NULL);
perror("execl unmount failed");
goto fail;
}