1
=== modified file 'README'
2
--- README	2009-02-03 08:50:36 +0000
3
+++ README	2010-02-17 20:48:18 +0000
4
@@ -43,11 +43,6 @@
5
43
     1.0 or higher)
43
     1.0 or higher)
6
44
   - Finding its way into some distros
44
   - Finding its way into some distros
7
45
   - Obtainable from <http://people.redhat.com/~dhowells/keyutils> 
45
   - Obtainable from <http://people.redhat.com/~dhowells/keyutils> 
8
46
  - libgcrypt
9
47
    - Part of most distros; install the development package
10
48
    - If you need to build from source, you probably will want these:
11
49
     - <ftp://ftp.gnupg.org/gcrypt/libgpg-error>
12
50
     - <ftp://ftp.gnupg.org/gcrypt/libgcrypt>
13
51
46
14
52
47
15
53
KERNEL BUILD OPTIONS
48
KERNEL BUILD OPTIONS
16
54
49
17
=== modified file 'configure.ac'
18
--- configure.ac	2009-04-21 23:25:42 +0000
19
+++ configure.ac	2010-02-17 20:48:18 +0000
20
@@ -10,7 +10,7 @@
21
10
10
22
11
11
23
12
AC_PREREQ(2.59)
12
AC_PREREQ(2.59)
25
13
AC_INIT([ecryptfs-utils],[74])
13
AC_INIT([ecryptfs-utils],[82])
26
14
AC_CANONICAL_HOST
14
AC_CANONICAL_HOST
27
15
AC_CANONICAL_TARGET
15
AC_CANONICAL_TARGET
28
16
AM_INIT_AUTOMAKE([${PACKAGE_NAME}], [${PACKAGE_VERSION}])
16
AM_INIT_AUTOMAKE([${PACKAGE_NAME}], [${PACKAGE_VERSION}])
29
@@ -187,14 +187,6 @@
30
187
AC_HEADER_STDC
187
AC_HEADER_STDC
31
188
AC_CHECK_LIB([dl], [dlopen])
188
AC_CHECK_LIB([dl], [dlopen])
32
189
189
33
190
# Verify gcrypt
34
191
AC_MSG_CHECKING([for libgcrypt])
35
192
AM_PATH_LIBGCRYPT(,,[AC_MSG_ERROR([eCryptfs userspace tools require libgcrypt
36
193
You might find the package at:
37
194
http://directory.fsf.org/security/libgcrypt.html
38
195
])]
39
196
)
40
197
41
198
# Verify keyutils version 1.0 or higher
190
# Verify keyutils version 1.0 or higher
42
199
if test -z "${KEYUTILS_LIBS}"; then
191
if test -z "${KEYUTILS_LIBS}"; then
43
200
	AC_ARG_VAR([KEYUTILS_CFLAGS], [C compiler flags for keyutils])
192
	AC_ARG_VAR([KEYUTILS_CFLAGS], [C compiler flags for keyutils])
44
@@ -327,7 +319,7 @@
45
327
		AC_CHECK_LIB(
319
		AC_CHECK_LIB(
46
328
			[pam_misc],
320
			[pam_misc],
47
329
			[pam_misc_setenv],
321
			[pam_misc_setenv],
49
330
			[PAM_LIBS="${TSPI_LIBS} -lpam_misc"],
322
			[PAM_LIBS="${PAM_LIBS} ${TSPI_LIBS} -lpam_misc"],
50
331
			[AC_MSG_ERROR([Cannot find pam_misc])]
323
			[AC_MSG_ERROR([Cannot find pam_misc])]
51
332
		)
324
		)
52
333
	fi
325
	fi
53
@@ -353,13 +345,8 @@
54
353
	rootsbindir="\$(sbindir)"
345
	rootsbindir="\$(sbindir)"
55
354
fi
346
fi
56
355
347
64
356
if test "${enable_nss}" == "yes" ; then
348
CRYPTO_CFLAGS=${NSS_CFLAGS}
65
357
        CRYPTO_CFLAGS=${NSS_CFLAGS}
349
CRYPTO_LIBS=${NSS_LIBS}
59
358
	CRYPTO_LIBS=${NSS_LIBS}
60
359
else
61
360
        CRYPTO_CFLAGS=${LIBGCRYPT_CFLAGS}
62
361
	CRYPTO_LIBS=${LIBGCRYPT_LIBS}
63
362
fi
66
363
350
67
364
AC_SUBST([pamdir])
351
AC_SUBST([pamdir])
68
365
AC_SUBST([pamlibdir])
352
AC_SUBST([pamlibdir])
69
366
353
70
=== modified file 'debian/changelog'
71
--- debian/changelog	2009-04-21 23:24:32 +0000
72
+++ debian/changelog	2010-02-17 20:48:18 +0000
73
@@ -1,4 +1,314 @@
75
1
ecryptfs-utils (74) unreleased; urgency=low
1
ecryptfs-utils (83) UNRELEASED; urgency=low
76
2
77
3
  [ Yan Li <yan.i.li@intel.com> ]
78
4
  * src/pam_ecryptfs/pam_ecryptfs.c, src/utils/Makefile.am,
79
5
    src/utils/ecryptfs-migrate-home: add a script and pam hooks to
80
6
    support automatic migration to encrypted home directory
81
7
82
8
  [ Dustin Kirkland ]
83
9
  * src/utils/ecryptfs-migrate-home: clean up for merge
84
10
    - use $() rather than ``
85
11
    - drop set -u
86
12
    - use = and !=, and quote vars, rather than testing with -ne, -eq,
87
13
      for better shell portability
88
14
    - improve usage statement and error text
89
15
    - check if already encrypted
90
16
    - handle migration of multiple users on boot
91
17
    - fix all whitespace, use tabs for indents
92
18
    - use quotes around variables, rather than ${} (stylistic preference)
93
19
    - major simplification for immediate release
94
20
      + remove boot and user modes; only support administrator mode for
95
21
        security reasons and to avoid race conditions
96
22
      + other modes can be re-added, if necessary, and if security
97
23
        concerns can be addressed
98
24
    - ensure running as root
99
25
    - drop VERBOSE option, always print useful info messages
100
26
    - call the user $USER_NAME rather than $USER_ID since id implies
101
27
      number, and here we're deailing with names
102
28
    - no decimals on awk calculation
103
29
    - mktemp on the target user, not root
104
30
    - check that there is enough disk space available to do the migration
105
31
    - ensure the user's homedir group is correct
106
32
    - add critical instructions, user *must* login after the migration and
107
33
      before the reboot, as their wrapped passphrase will be cleared on
108
34
      reboot (possible we should use an init script to move these to
109
35
      /var/tmp on reboot)
110
36
    - ensure permissions are set correctly
111
37
    - improve text at the end of the migration
112
38
  * ecryptfs-utils.ecryptfs-utils-restore.upstart,
113
39
    ecryptfs-utils.ecryptfs-utils-save.upstart, rules:
114
40
    - try to protect migrating users who don't login before the next reboot
115
41
  * src/desktop/ecryptfs-record-passphrase: improve text
116
42
117
43
 -- Dustin Kirkland <kirkland@ubuntu.com>  Sat, 06 Feb 2010 17:48:57 -0600
118
44
119
45
ecryptfs-utils (82) released; urgency=low
120
46
121
47
  * src/utils/ecryptfs-setup-private: fix bug where setup-private
122
48
    incorrectly assumed that the home/private dir ownerships should
123
49
    be owned by USER:USER; instead, default to USER:GROUP, where
124
50
    GROUP is the USER's primary group by default, LP: #445301
125
51
  * src/utils/ecryptfs-setup-private, debian/control: LP: #456565
126
52
    - fix typo, s/getext/gettext
127
53
    - depend on gettext-base
128
54
  * src/utils/ecryptfs-setup-private: fix printing of error strings,
129
55
    which was broken by the gettext integration, LP: #471725;
130
56
    in doing so, use $() in place of ``, use '' for gettext arguments,
131
57
    and wrap gettext in "", like this: foo="$(gettext 'blah blah')"
132
58
  * debian/control: one package per line, helps tremendously when looking
133
59
    at diffs
134
60
  * debian/copyright: Add new fields
135
61
  * debian/ecryptfs-utils.postinst: minor set -e change
136
62
137
63
138
64
 -- Dustin Kirkland <kirkland@ubuntu.com>  Tue, 10 Nov 2009 11:31:25 -0600
139
65
140
66
ecryptfs-utils (81) released; urgency=low
141
67
142
68
  [ Michael Terry ]
143
69
  * src/utils/ecryptfs-setup=swap: clean up some error message reporting,
144
70
    LP: #430891, #430890
145
71
146
72
  [ Dustin Kirkland ]
147
73
  * doc/manpage/ecryptfs.7: note the 64-char passphrase limit, LP: #386504
148
74
  * src/utils/ecryptfs-setup-private: minor documentation change
149
75
150
76
 -- Dustin Kirkland <kirkland@ubuntu.com>  Fri, 18 Sep 2009 18:46:07 -0500
151
77
152
78
ecryptfs-utils (80) released; urgency=low
153
79
154
80
  [ Evan Dandrea ]
155
81
  * src/utils/ecryptfs-setup-swap: allow for setting up encrpyted swap,
156
82
    without activating it immediately, necessary for livecd installations
157
83
158
84
 -- Dustin Kirkland <kirkland@ubuntu.com>  Wed, 19 Aug 2009 11:31:03 -0500
159
85
160
86
ecryptfs-utils (79) released; urgency=low
161
87
162
88
  [ Dustin Kirkland ]
163
89
  * debian/control: updated bzr and browser urls, bumped standards version
164
90
  * src/pam_ecryptfs/pam_ecryptfs.c: silence useless, oft-shown info
165
91
    message
166
92
  * src/utils/ecryptfs-mount-private, src/utils/ecryptfs-rewrite-file,
167
93
    src/utils/ecryptfs-setup-private, src/utils/ecryptfs-setup-swap,
168
94
    src/utils/ecryptfs-umount-private: use gettext for all string printing,
169
95
    such that we can internationalize ecryptfs
170
96
  * po/POTFILES.sh, po/ecryptfs-utils.pot, po/fr.po, rules: add po to the
171
97
    build system; for now, in the debian/ directory; this should be put in
172
98
    the upstream source tree eventually (but I need some help with the
173
99
    automake/autoconf integration)
174
100
  * ecryptfs-setup-swap: exit(0) if there's no swaps to encrypt, ensures
175
101
    that this script succeeds if there is no swap space that needs to be
176
102
    secured, or if the existing swap space is already secured
177
103
  * doc/manpage/ecryptfs-setup-swap.1, doc/manpage/ecryptfs-stat.1,
178
104
    doc/manpage/umount.ecryptfs.8, doc/manpage/Makefile.am: added manpagess
179
105
  * doc/manpage/ecryptfs.7: fix lintian warning
180
106
  * debian/lintian/ecryptfs-utils: added a lintian overrides file
181
107
  * debian/lintian/ecryptfs-utils, debian/ecryptfs-utils.install: add and
182
108
    install some proper lintian overrides
183
109
  * src/libecryptfs/module_mgr.c: fix typo, LP: #408437
184
110
185
111
  [ Evan Dandrea ]
186
112
  * ecryptfs-setup-swap: support more than one encrypted swap device
187
113
188
114
  [ Dorin Scutarașu ]
189
115
  * src/libecryptfs/key_management.c: fix null pointer deref, LP: #409565
190
116
191
117
 -- Dustin Kirkland <kirkland@ubuntu.com>  Mon, 17 Aug 2009 11:58:35 -0500
192
118
193
119
ecryptfs-utils (78) released; urgency=low
194
120
195
121
  [ James Westby ]
196
122
  * src/libecryptfs/main.c flockfile the filehandle after checking that
197
123
    we were able to successfully open it (LP: #403011)
198
124
  * debian/libecryptfs0.shlibs: bump shlibs dep to 77 since we added new
199
125
    symbols there
200
126
201
127
 -- Dustin Kirkland <kirkland@ubuntu.com>  Wed, 22 Jul 2009 11:28:20 -0500
202
128
203
129
ecryptfs-utils (77) released; urgency=low
204
130
205
131
  [ Dustin Kirkland ]
206
132
  * src/libecryptfs/key_management.c, src/pam_ecryptfs/pam_ecryptfs.c:
207
133
    revert the zombie code removal from pam_ecryptfs as it seems this
208
134
    bit is still needed; fix the source of the problem introduced in
209
135
    commit r407; check for non-zero return codes; this problem would
210
136
    manifest itself as a) unable to unlock screensaver, b) unable to
211
137
    switch users, c) unable to mount home folder on initial login;
212
138
    LP: #402222, #402029
213
139
  * src/utils/ecryptfs-umount-private: use for loop to loop over key
214
140
    ids on removal
215
141
  * src/utils/mount.ecryptfs_private.c: return non-zero on unmount failure
216
142
    due to open sessions; handle this in ecryptfs-umount-private too; make
217
143
    the flock() blocking; use /dev/shm for counter; add an iterator to the
218
144
    counter file to prevent users from DoS'ing one another from accessing
219
145
    their encrypted directories, LP: #402745
220
146
  * debian/ecryptfs-utils.postinst: move /tmp counters to /dev/shm
221
147
  * configure.ac: link against pam, silence shlib warning
222
148
  * src/include/ecryptfs.h, src/libecryptfs/main.c,
223
149
    src/pam_ecryptfs/pam_ecryptfs.c, src/utils/Makefile.am,
224
150
    src/utils/mount.ecryptfs_private.c: move two functions from
225
151
    mount.ecryptfs_private to libecryptfs, namely is_mounted() and
226
152
    fetch_private_mnt(); use these in both pam_ecryptfs and
227
153
    mount.ecryptfs_private; also move PRIVATE to ECRYPTFS_PRIVATE in
228
154
    the ecryptfs.h headers; this will allow us to short-circuit some of the
229
155
    costly key-loading code on pam_auth if the private dir is already
230
156
    mounted, speeding up some subsequent authentications significantly,
231
157
    LP: #402748
232
158
  * doc/ecryptfs-mount-private.txt: removed the "$" to make copy-n-paste
233
159
    more user friendly
234
160
  * src/utils/ecryptfs-setup-private: when encrypting home, put the
235
161
    .ecryptfs and .Private data in /home/.ecryptfs rather than /var/lib,
236
162
    as users are forgetting to backup /var/lib, and are often putting
237
163
    /home on a separate partition; furthermore, this gives users a place
238
164
    to access their encrypted data for backup, rather than hiding the
239
165
    data below $HOME, LP: #371719
240
166
241
167
  [ Tyler Hicks ]
242
168
  * src/libecryptfs/cipher_list.c, src/libecryptfs/module_mgr.c:
243
169
    add blowfish/56-bytes to the list of ciphers we officially support,
244
170
    LP: #402790
245
171
246
172
 -- Dustin Kirkland <kirkland@ubuntu.com>  Tue, 21 Jul 2009 23:57:33 -0500
247
173
248
174
ecryptfs-utils (76) released; urgency=low
249
175
250
176
  [ Dustin Kirkland ]
251
177
  * src/utils/ecryptfs-setup-swap: switch from vol_id to blkid,
252
178
    LP: #376486
253
179
  * debian/ecryptfs-utils.postinst, src/utils/ecryptfs-setup-private:
254
180
    don't echo mount passphrase if running in bootstrap mode; prune
255
181
    potential leakages from install log, LP: #383650
256
182
  * SECURITY UPDATE: mount passphrase recorded in install log (LP: #383650).
257
183
    - debian/ecryptfs-utils.postinst: prune private information from
258
184
      installer log
259
185
    - src/utils/ecryptfs-setup-private: don't echo passphrase if running in
260
186
      bootstrap mode
261
187
    - CVE-2009-1296
262
188
  * src/utils/ecryptfs-setup-private: make some of the lanuage more readable,
263
189
    (thanks, anrxc)
264
190
  * README, configure.ac, debian/control, debian/rules,
265
191
    doc/sourceforge_webpage/README, src/libecryptfs-swig/libecryptfs.py,
266
192
    src/libecryptfs-swig/libecryptfs_wrap.c,
267
193
    src/libecryptfs/key_management.c, src/libecryptfs/libecryptfs.pc.in,
268
194
    src/libecryptfs/main.c, src/pam_ecryptfs/Makefile.am,
269
195
    src/utils/manager.c, src/utils/mount.ecryptfs.c: move build from gcrypt
270
196
    to nss (this change has been pending for some time)
271
197
  * src/utils/ecryptfs-dot-private: dropped, was too hacky
272
198
  * ecryptfs-mount-private.1, ecryptfs-setup-private.1: align the
273
199
    documentation and implementation of the wrapping-independent feature,
274
200
    LP: #383746
275
201
  * src/utils/ecryptfs-umount-private: use keyctl list @u, since keyctl show
276
202
    stopped working, LP: #400484, #395082
277
203
  * src/utils/mount.ecryptfs_private.c: fix counter file locking; solves
278
204
    a longstanding bug about "random" umount caused by cronjobs, LP: #358573
279
205
280
206
  [ Michal Hlavinka (edits by Dustin Kirkland) ]
281
207
  * doc/manpage/ecryptfs-mount-private.1,
282
208
    doc/manpage/ecryptfs-rewrite-file.1,
283
209
    doc/manpage/ecryptfs-setup-private.1, doc/manpage/ecryptfs.7,
284
210
    doc/manpage/mount.ecryptfs_private.1,
285
211
    doc/manpage/umount.ecryptfs_private.1: documentation updated to note
286
212
    possible ecryptfs group membership requirements; Fix ecrypfs.7 man
287
213
    page and key_mod_openssl's error message; fix typo
288
214
  * src/libecryptfs/decision_graph.c: put a finite limit (5 tries) on
289
215
    interactive input; fix memory leaks when asking questions
290
216
  * src/libecryptfs/module_mgr.c: Don't error out with EINVAL when
291
217
    verbosity=0 and some options are missing.
292
218
  * src/utils/umount.ecryptfs.c: no error for missing key when removing it
293
219
  * src/libecryptfs-swig/libecryptfs.i: fix compile werror, cast char*
294
220
  * src/utils/ecryptfs_add_passphrase.c: fix/test/use return codes;
295
221
    return nonzero for --fnek when not supported but used
296
222
  * src/include/ecryptfs.h, src/key_mod/ecryptfs_key_mod_openssl.c,
297
223
    src/libecryptfs/module_mgr.c: refuse mounting with too small rsa
298
224
    key (key_mod_openssl)
299
225
  * src/utils/ecryptfs_insert_wrapped_passphrase_into_keyring.c: fix return
300
226
    codes
301
227
  * src/utils/ecryptfs-rewrite-file: polish output
302
228
  * src/libecryptfs/key_management.c: inform about full keyring; insert fnek
303
229
    sig into keyring if fnek support check fails; don't fail if key already
304
230
    exists in keyring
305
231
  * src/utils/ecryptfs-setup-private: if the ecryptfs group exists, restrict
306
232
    ecryptfs-setup-private to members of this group
307
233
  * src/pam_ecryptfs/pam_ecryptfs.c: dynamically load ecryptfs module by
308
234
    checking ecryptfs version
309
235
  * src/libecryptfs/decision_graph.c, src/utils/io.c,
310
236
    src/utils/mount.ecryptfs.c: fix EOF handling, LP: #371587
311
237
  * src/desktop/Makefile.am: make desktop files trusted, LP: #371426
312
238
313
239
  [ Dustin Kirkland and Daniel Baumann ]
314
240
  * debian/control, debian/copyright, debian/ecryptfs-utils.dirs,
315
241
    debian/ecryptfs-utils.install, debian/ecryptfs-utils.postinst,
316
242
    debian/rules, ecryptfs-utils.pam-auth-update: sync Ubuntu's
317
243
    packaging with Debian; drop dpatch, drop libssl build dep, clean
318
244
    up extraneous debhelper bits, match cflags; remaining diff is only
319
245
    ecryptfs-utils.prerm
320
246
321
247
  [ Arfrever Frehtes Taifersar Arahesis ]
322
248
  * key_mod/ecryptfs_key_mod_gpg.c,
323
249
    key_mod/ecryptfs_key_mod_pkcs11_helper.c,
324
250
    libecryptfs/key_management.c, utils/ecryptfs_unwrap_passphrase.c:
325
251
    Fix warnings, initialize a few variables, drop unused ones
326
252
327
253
  [ David Hicks ]
328
254
  * src/lib/key_management.c: fix stray semicolon that prevents .ecryptfsrc
329
255
    files from working properly, LP: #372709
330
256
331
257
  [ Michael Rooney ]
332
258
  * src/python/ecryptfsapi.py: added python api
333
259
334
260
 -- Dustin Kirkland <kirkland@ubuntu.com>  Mon, 20 Jul 2009 12:12:30 -0500
335
261
336
262
ecryptfs-utils (75) released; urgency=low
337
263
338
264
  [ Dustin Kirkland ]
339
265
  * debian/rules: drop hackery that moves stuff /usr/share/ecryptfs-utils
340
266
  * src/utils/mount.ecryptfs_private.c: update inline documentation
341
267
  * debian/changelog, src/libecryptfs/cmd_ln_parser.c,
342
268
    src/libecryptfs/key_management.c, src/pam_ecryptfs/pam_ecryptfs.c,
343
269
    src/utils/ecryptfs_add_passphrase.c,
344
270
    src/utils/ecryptfs_insert_wrapped_passphrase_into_keyring.c,
345
271
    src/utils/ecryptfs_rewrap_passphrase.c,
346
272
    src/utils/ecryptfs_unwrap_passphrase.c,
347
273
    src/utils/ecryptfs_wrap_passphrase.c: silence some useless logging,
348
274
    LP: #313330
349
275
  * include/ecryptfs.h, libecryptfs/key_management.c,
350
276
    utils/ecryptfs_insert_wrapped_passphrase_into_keyring.c,
351
277
    utils/ecryptfs_unwrap_passphrase.c: if the file to unwrap is
352
278
    unspecified, try to use the default ~/.ecryptfs/wrapped-passphrase
353
279
    before bailing out, LP: #359997
354
280
  * src/utils/ecryptfs-setup-private: unix_chkpwd is not always present
355
281
    (eg, gentoo), LP: #332341
356
282
357
283
  [ Tyler Hicks ]
358
284
  * doc/manpage/ecryptfs.7: ecryptfs_encrypted_view option desription
359
285
    was wrong LP: #328761
360
286
361
287
  [ Michal Hlavinka ]
362
288
  * decision_graph.c: fix uninitialized return code
363
289
  * mount.ecryptfs.c: don't pass verbosity option to kernel
364
290
365
291
  [ anrxc & Dustin Kirkland ]
366
292
  * doc/Makefile.am, src/desktop/Makefile.am: fix automake installation from
367
293
    /usr/share to /usr/share/ecryptfs-utils
368
294
369
295
  [ Daniel Baumann & Dustin Kirkland ]
370
296
  * debian/rules, debian/control: sync differences between Debian & Ubuntu's
371
297
    packaging
372
298
373
299
  [ Arfrever Frehtes Taifersar Arahesis ]
374
300
  * src/key_mod/ecryptfs_key_mod_gpg.c,
375
301
    src/key_mod/ecryptfs_key_mod_pkcs11_helper.c: fix implicit declations
376
302
377
303
  [ Frédéric Guihéry ]
378
304
  * key_mod/ecryptfs_key_mod_tspi.c, utils/ecryptfs_generate_tpm_key.c:
379
305
    the SRK password should be set to 20 bytes of NULL (wellknown
380
306
    password), in order for different tools to request key protection
381
307
    with the Storage Root Key
382
308
383
309
 -- Dustin Kirkland <kirkland@ubuntu.com>  Fri, 01 May 2009 15:07:38 -0500
384
310
385
311
ecryptfs-utils (74) released; urgency=low
386
2
312
387
3
  [ Michal Hlavinka ]
313
  [ Michal Hlavinka ]
388
4
  * Changes for RH/Fedora release
314
  * Changes for RH/Fedora release
389
5
315
390
=== modified file 'debian/control'
391
--- debian/control	2009-02-18 21:30:21 +0000
392
+++ debian/control	2010-02-17 20:48:18 +0000
393
@@ -1,19 +1,47 @@
394
1
Source: ecryptfs-utils
1
Source: ecryptfs-utils
395
2
Section: misc
2
Section: misc
396
3
Priority: optional
3
Priority: optional
398
4
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
4
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
399
5
XSBC-Original-Maintainer: Daniel Baumann <daniel@debian.org>
5
XSBC-Original-Maintainer: Daniel Baumann <daniel@debian.org>
402
6
Build-Depends: debhelper (>= 7), dpatch, autotools-dev, autoconf, automake, libtool, libgcrypt11-dev, libgpg-error-dev, libgpgme11-dev, libkeyutils-dev, libopencryptoki-dev [alpha amd64 arm armel hppa ia64 i386 m68k mips mipsel powerpc sparc], libpam0g-dev, libpkcs11-helper1-dev, libssl-dev, libtspi-dev [alpha amd64 arm armel hppa ia64 i386 m68k mips mipsel powerpc sparc], pkg-config, python-dev, swig
6
Build-Depends:
403
7
Standards-Version: 3.8.0
7
 debhelper (>= 7),
404
8
 autotools-dev,
405
9
 autoconf,
406
10
 automake,
407
11
 libtool,
408
12
 libgcrypt11-dev,
409
13
 libgpg-error-dev,
410
14
 libgpgme11-dev,
411
15
 libkeyutils-dev,
412
16
 libnss3-dev,
413
17
 libopencryptoki-dev [alpha amd64 arm armel hppa ia64 i386 m68k mips mipsel powerpc sparc],
414
18
 libpam0g-dev,
415
19
 libpkcs11-helper1-dev,
416
20
 libtspi-dev [alpha amd64 arm armel hppa ia64 i386 m68k mips mipsel powerpc sparc],
417
21
 pkg-config,
418
22
 python-dev,
419
23
 swig
420
24
Standards-Version: 3.8.3
421
8
Homepage: https://launchpad.net/ecryptfs
25
Homepage: https://launchpad.net/ecryptfs
424
9
Vcs-Browser: http://git.debian.net/?p=debian/ecryptfs-utils.git
26
Vcs-Bzr: https://code.launchpad.net/~ecryptfs/ecryptfs/ecryptfs-utils
425
10
Vcs-Git: git://git.debian.net/git/debian/ecryptfs-utils.git
27
Vcs-Browser: http://bazaar.launchpad.net/~ecryptfs/ecryptfs/ecryptfs-utils/files
426
11
28
427
12
Package: ecryptfs-utils
29
Package: ecryptfs-utils
428
13
Section: misc
30
Section: misc
429
14
Architecture: any
31
Architecture: any
432
15
Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime (>= 1.0.1-2ubuntu1), keyutils, libnss3-1d
32
Depends:
433
16
Suggests: opencryptoki, cryptsetup
33
 ${misc:Depends},
434
34
 ${shlibs:Depends},
435
35
 keyutils,
436
36
 libnss3-1d,
437
37
 libpam-runtime (>= 1.0.1-6),
438
38
 gettext-base
439
39
Recommends:
440
40
 lsof,
441
41
 rsync
442
42
Suggests:
443
43
 cryptsetup,
444
44
 opencryptoki
445
17
Description: ecryptfs cryptographic filesystem (utilities)
45
Description: ecryptfs cryptographic filesystem (utilities)
446
18
 eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem
46
 eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem
447
19
 for Linux.
47
 for Linux.
448
@@ -33,7 +61,9 @@
449
33
Package: libecryptfs0
61
Package: libecryptfs0
450
34
Section: libs
62
Section: libs
451
35
Architecture: any
63
Architecture: any
453
36
Depends: ${shlibs:Depends}, ${misc:Depends}
64
Depends:
454
65
 ${misc:Depends},
455
66
 ${shlibs:Depends}
456
37
Description: ecryptfs cryptographic filesystem (library)
67
Description: ecryptfs cryptographic filesystem (library)
457
38
 eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem
68
 eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem
458
39
 for Linux.
69
 for Linux.
459
@@ -43,7 +73,17 @@
460
43
Package: libecryptfs-dev
73
Package: libecryptfs-dev
461
44
Section: libdevel
74
Section: libdevel
462
45
Architecture: any
75
Architecture: any
464
46
Depends: libecryptfs0 (= ${binary:Version}), libgcrypt11-dev, libgpg-error-dev, libgpgme11-dev, libkeyutils-dev, libopencryptoki-dev [alpha amd64 arm armel hppa ia64 i386 m68k mips mipsel powerpc sparc], libpam0g-dev, libpkcs11-helper1-dev, libtspi-dev [alpha amd64 arm armel hppa ia64 i386 m68k mips mipsel powerpc sparc]
76
Depends:
465
77
 ${misc:Depends},
466
78
 libecryptfs0 (= ${binary:Version}),
467
79
 libgcrypt11-dev,
468
80
 libgpg-error-dev,
469
81
 libgpgme11-dev,
470
82
 libkeyutils-dev,
471
83
 libopencryptoki-dev [alpha amd64 arm armel hppa ia64 i386 m68k mips mipsel powerpc sparc],
472
84
 libpam0g-dev,
473
85
 libpkcs11-helper1-dev,
474
86
 libtspi-dev [alpha amd64 arm armel hppa ia64 i386 m68k mips mipsel powerpc sparc]
475
47
Description: ecryptfs cryptographic filesystem (development)
87
Description: ecryptfs cryptographic filesystem (development)
476
48
 eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem
88
 eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem
477
49
 for Linux.
89
 for Linux.
478
50
90
479
=== modified file 'debian/copyright'
480
--- debian/copyright	2009-02-13 15:57:24 +0000
481
+++ debian/copyright	2010-02-17 20:48:18 +0000
482
@@ -1,11 +1,16 @@
483
1
Authors:
1
Authors:
484
2
 Phillip Hellewell <hacker@byu.net>
2
 Phillip Hellewell <hacker@byu.net>
488
3
 Michael A. Halcrow <mhalcrow@us.ibm.com>
3
 Michael A. Halcrow <mike@halcrow.us>
489
4
 Dustin Kirkland <kirkland@ubuntu.com>
4
 Dustin Kirkland <kirkland@canonical.com>
490
5
Download: https://launchpad.net/ecryptfs/trunk
5
 Tyler Hicks <tyhicks@linux.vnet.ibm.com>
491
6
492
7
Upstream-Contact: Dustin Kirkland <kirkland@canonical.com>
493
8
Upstream-Homepage: https://launchpad.net/ecryptfs
494
6
9
495
7
Files: *
10
Files: *
497
8
Copyright: 2004-2008 International Business Machines Corp.
11
Copyright:
498
12
 (C) 2004-2009 International Business Machines Corp.
499
13
 (C) 2008-2009 Canonical, Ltd.
500
9
License: GPL-2+
14
License: GPL-2+
501
10
 This program is free software; you can redistribute it and/or
15
 This program is free software; you can redistribute it and/or
502
11
 modify it under the terms of the GNU General Public License
16
 modify it under the terms of the GNU General Public License
503
@@ -46,7 +51,7 @@
504
46
 can be found in /usr/share/common-licenses/GPL-2 file.
51
 can be found in /usr/share/common-licenses/GPL-2 file.
505
47
52
506
48
Files: debian/*
53
Files: debian/*
508
49
Copyright: (C) 2007-2008 Daniel Baumann <daniel@debian.org>
54
Copyright: (C) 2007-2009 Daniel Baumann <daniel@debian.org>
509
50
License: GPL-2+
55
License: GPL-2+
510
51
 This program is free software; you can redistribute it and/or
56
 This program is free software; you can redistribute it and/or
511
52
 modify it under the terms of the GNU General Public License
57
 modify it under the terms of the GNU General Public License
512
53
58
513
=== removed file 'debian/ecryptfs-utils.dirs'
514
--- debian/ecryptfs-utils.dirs	2009-03-24 21:15:49 +0000
515
+++ debian/ecryptfs-utils.dirs	1970-01-01 00:00:00 +0000
516
@@ -1,2 +0,0 @@
517
1
usr/share/pam-configs
518
2
usr/share/ecryptfs-utils
519
3
0
520
=== added file 'debian/ecryptfs-utils.ecryptfs-utils-restore.upstart'
521
--- debian/ecryptfs-utils.ecryptfs-utils-restore.upstart	1970-01-01 00:00:00 +0000
522
+++ debian/ecryptfs-utils.ecryptfs-utils-restore.upstart	2010-02-17 20:48:18 +0000
523
@@ -0,0 +1,26 @@
524
1
# eCryptfs restore
525
2
description "eCryptfs"
526
3
author "Dustin Kirkland <kirkland@canonical.com>"
527
4
528
5
start on runlevel [2345]
529
6
task
530
7
531
8
# This task is necessary in support of ecryptfs-migrate-home.
532
9
#
533
10
# The administrator is strongly advised that the migrated user must
534
11
# log in before reboot in order for the migration to take effect, as
535
12
# the data in /dev/shm will be lost.
536
13
#
537
14
# The code below moves the /dev/shm data to /var/tmp to persist across
538
15
# boots and prevent users from locking themselves out of their system,
539
16
# however, it's slightly less secure, as these files should not be written
540
17
# to disk, if possible.
541
18
542
19
script
543
20
	for i in /var/tmp/.ecryptfs-*; do
544
21
		u=$(echo "$i" | sed "s:^/var/tmp/.ecryptfs-::")
545
22
		if [ "$(stat -c %U $i)" = "$u" ]; then
546
23
			mv -n "$i" /dev/shm
547
24
		fi
548
25
	done
549
26
end script
550
0
27
551
=== added file 'debian/ecryptfs-utils.ecryptfs-utils-save.upstart'
552
--- debian/ecryptfs-utils.ecryptfs-utils-save.upstart	1970-01-01 00:00:00 +0000
553
+++ debian/ecryptfs-utils.ecryptfs-utils-save.upstart	2010-02-17 20:48:18 +0000
554
@@ -0,0 +1,26 @@
555
1
# eCryptfs save
556
2
description "eCryptfs"
557
3
author "Dustin Kirkland <kirkland@canonical.com>"
558
4
559
5
start on runlevel [!2345]
560
6
task
561
7
562
8
# This task is necessary in support of ecryptfs-migrate-home.
563
9
#
564
10
# The administrator is strongly advised that the migrated user must
565
11
# log in before reboot in order for the migration to take effect, as
566
12
# the data in /dev/shm will be lost.
567
13
#
568
14
# The code below moves the /dev/shm data to /var/tmp to persist across
569
15
# boots and prevent users from locking themselves out of their system,
570
16
# however, it's slightly less secure, as these files should not be written
571
17
# to disk, if possible.
572
18
573
19
script
574
20
	for i in /dev/shm/.ecryptfs-*; do
575
21
		u=$(echo "$i" | sed "s:^/dev/shm/.ecryptfs-::")
576
22
		if [ "$(stat -c %U $i)" = "$u" ]; then
577
23
			mv -n "$i" /var/tmp
578
24
		fi
579
25
	done
580
26
end script
581
0
27
582
=== modified file 'debian/ecryptfs-utils.install'
583
--- debian/ecryptfs-utils.install	2009-02-13 15:57:24 +0000
584
+++ debian/ecryptfs-utils.install	2010-02-17 20:48:18 +0000
585
@@ -3,5 +3,6 @@
586
3
/usr/bin
3
/usr/bin
587
4
/usr/lib/ecryptfs
4
/usr/lib/ecryptfs
588
5
/usr/share/doc
5
/usr/share/doc
589
6
/usr/share/ecryptfs-utils
590
6
/usr/share/man
7
/usr/share/man
592
7
/usr/share/pam-configs/ecryptfs-utils
8
../../debian/lintian/ecryptfs-utils usr/share/lintian/overrides
593
8
9
594
=== modified file 'debian/ecryptfs-utils.postinst'
595
--- debian/ecryptfs-utils.postinst	2009-02-13 15:57:24 +0000
596
+++ debian/ecryptfs-utils.postinst	2010-02-17 20:48:18 +0000
597
@@ -1,44 +1,20 @@
598
1
#!/bin/sh -e
599
2
600
3
auth=0c1295085dca124e6ba5a3cea7993c22
601
4
account=9f04221fe44762047894adeb96ffd069
602
5
session=2e9a42f2a3b6573891ff9e6bf0c31c9e
603
6
password=4cf59ec48caad2a06ea2e183d8bc007a
604
7
605
8
force=
606
9
if dpkg --compare-versions "$2" lt-nl 53-1ubuntu6; then
607
10
        # If we're upgrading from an older ecryptfs-utils,
608
11
        # and the pam configuration precisely matches that
609
12
        # which was written by auth-client-config, we can
610
13
        # safely force the pam-auth-update.
611
14
        force=--force
612
15
        for type in auth account session password
613
16
        do
614
17
            sum="$(md5sum /etc/pam.d/common-$type 2>/dev/null | awk '{ print $1 }')"
615
18
            [ "$sum" = "$(eval echo \$$type)" ] || force=
616
19
        done
617
20
fi
618
21
pam-auth-update --package $force
619
22
620
23
#DEBHELPER#
621
24
622
25
exit 0
623
26
#!/bin/sh
1
#!/bin/sh
624
27
2
625
28
set -e
3
set -e
626
29
4
627
30
case "${1}" in
5
case "${1}" in
628
31
	configure)
6
	configure)
639
32
		# Basically, if a user chooses to encrypt their entire home
7
		[ -e /var/log/installer/syslog ] && sed -i '/user-setup: YOU SHOULD RECORD THIS/,+2 d' /var/log/installer/syslog
640
33
		# directory, we're going to need someplace to put their
8
		pam-auth-update --package
641
34
		# ~/.ecryptfs directory that's available prior to mounting their
9
		# Try to migrate encrypted Private counters from /tmp to /dev/shm, if sane
642
35
		# home directory. Classic chicken/egg bootstrapping.
10
		for i in $(ls /home); do
643
36
11
			if [ -f "/tmp/ecryptfs-$i-Private" ] && [ ! -e "/dev/shm/ecryptfs-$i-Private" ]; then
644
37
		if [ ! -d /var/lib/ecryptfs ]
12
				o=$(stat -c %U "/tmp/ecryptfs-$i-Private")
645
38
		then
13
				if [ $i = $o ]; then
646
39
			mkdir -p /var/lib/ecryptfs
14
					mv -f /tmp/ecryptfs-$i-Private /dev/shm
647
40
			chmod 1777 /var/lib/ecryptfs
15
				fi
648
41
		fi
16
			fi
649
17
		done
650
42
		;;
18
		;;
651
43
19
652
44
	abort-upgrade|abort-remove|abort-deconfigure)
20
	abort-upgrade|abort-remove|abort-deconfigure)
653
45
21
654
=== modified file 'debian/libecryptfs0.shlibs'
655
--- debian/libecryptfs0.shlibs	2009-02-13 15:57:24 +0000
656
+++ debian/libecryptfs0.shlibs	2010-02-17 20:48:18 +0000
657
@@ -1,1 +1,1 @@
659
1
libecryptfs 0 libecryptfs0 (>= 48)
1
libecryptfs 0 libecryptfs0 (>= 77)
660
2
2
661
=== added directory 'debian/lintian'
662
=== renamed file 'debian/ecryptfs-utils.lintian-overides' => 'debian/lintian/ecryptfs-utils'
663
--- debian/ecryptfs-utils.lintian-overides	2009-02-13 15:57:24 +0000
664
+++ debian/lintian/ecryptfs-utils	2010-02-17 20:48:18 +0000
665
@@ -1,1 +1,14 @@
666
1
# This setuid is required for encrypted-home and encrypted-private;
667
2
# Other distros or sysadmins could perhaps make it 4750, and create
668
3
# an ecryptfs group, adding permitted users to this group (though
669
4
# we're not doing this in Ubuntu).
670
1
ecryptfs-utils: setuid-binary sbin/mount.ecryptfs_private 4755 root/root
5
ecryptfs-utils: setuid-binary sbin/mount.ecryptfs_private 4755 root/root
671
6
672
7
# The *.desktop files need to be executable
673
8
ecryptfs-utils: executable-not-elf-or-script ./usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
674
9
ecryptfs-utils: executable-not-elf-or-script ./usr/share/ecryptfs-utils/ecryptfs-setup-private.desktop
675
10
ecryptfs-utils: executable-not-elf-or-script ./usr/share/ecryptfs-utils/ecryptfs-record-passphrase
676
11
677
12
# We're not creating these files, but rather moving them, and the utilities
678
13
# that use them provide the necessary owernship checks
679
14
ecryptfs-utils: possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:9
680
2
15
681
=== added directory 'debian/local'
682
=== renamed file 'debian/ecryptfs-utils.pam-auth-update' => 'debian/local/ecryptfs-utils.pam-auth-update'
683
--- debian/ecryptfs-utils.pam-auth-update	2009-02-13 15:57:24 +0000
684
+++ debian/local/ecryptfs-utils.pam-auth-update	2010-02-17 20:48:18 +0000
685
@@ -3,10 +3,10 @@
686
3
Priority: 0
3
Priority: 0
687
4
Auth-Type: Additional
4
Auth-Type: Additional
688
5
Auth-Final:
5
Auth-Final:
690
6
        optional	pam_ecryptfs.so unwrap
6
	optional	pam_ecryptfs.so unwrap
691
7
Session-Type: Additional
7
Session-Type: Additional
692
8
Session-Final:
8
Session-Final:
694
9
        optional	pam_ecryptfs.so unwrap
9
	optional	pam_ecryptfs.so unwrap
695
10
Password-Type: Additional
10
Password-Type: Additional
696
11
Password-Final:
11
Password-Final:
698
12
        optional	pam_ecryptfs.so
12
	optional	pam_ecryptfs.so
699
13
13
700
=== added directory 'debian/po'
701
=== added file 'debian/po/POTFILES.sh'
702
--- debian/po/POTFILES.sh	1970-01-01 00:00:00 +0000
703
+++ debian/po/POTFILES.sh	2010-02-17 20:48:18 +0000
704
@@ -0,0 +1,5 @@
705
1
src/utils/ecryptfs-mount-private
706
2
src/utils/ecryptfs-rewrite-file
707
3
src/utils/ecryptfs-setup-private
708
4
src/utils/ecryptfs-setup-swap
709
5
src/utils/ecryptfs-umount-private
710
0
6
711
=== added file 'debian/po/ecryptfs-utils.pot'
712
--- debian/po/ecryptfs-utils.pot	1970-01-01 00:00:00 +0000
713
+++ debian/po/ecryptfs-utils.pot	2010-02-17 20:48:18 +0000
714
@@ -0,0 +1,407 @@
715
1
# SOME DESCRIPTIVE TITLE.
716
2
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
717
3
# This file is distributed under the same license as the PACKAGE package.
718
4
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
719
5
#
720
6
#, fuzzy
721
7
msgid ""
722
8
msgstr ""
723
9
"Project-Id-Version: PACKAGE VERSION\n"
724
10
"Report-Msgid-Bugs-To: \n"
725
11
"POT-Creation-Date: 2009-07-23 18:15-0500\n"
726
12
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
727
13
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
728
14
"Language-Team: LANGUAGE <LL@li.org>\n"
729
15
"MIME-Version: 1.0\n"
730
16
"Content-Type: text/plain; charset=CHARSET\n"
731
17
"Content-Transfer-Encoding: 8bit\n"
732
18
733
19
#: src/utils/ecryptfs-mount-private:19
734
20
msgid "Enter your login passphrase:"
735
21
msgstr ""
736
22
737
23
#: src/utils/ecryptfs-mount-private:24
738
24
msgid "Enter your wrapping passphrase:"
739
25
msgstr ""
740
26
741
27
#: src/utils/ecryptfs-mount-private:49 src/utils/ecryptfs-mount-private:55
742
28
#: src/utils/ecryptfs-mount-private:60 src/utils/ecryptfs-rewrite-file:24
743
29
#: src/utils/ecryptfs-setup-private:84 src/utils/ecryptfs-setup-private:264
744
30
#: src/utils/ecryptfs-setup-private:272 src/utils/ecryptfs-setup-private:282
745
31
#: src/utils/ecryptfs-setup-private:313 src/utils/ecryptfs-setup-swap:25
746
32
msgid "ERROR:"
747
33
msgstr ""
748
34
749
35
#: src/utils/ecryptfs-mount-private:49
750
36
msgid "Your passphrase is incorrect"
751
37
msgstr ""
752
38
753
39
#: src/utils/ecryptfs-mount-private:55 src/utils/ecryptfs-setup-private:289
754
40
msgid "Too many incorrect password attempts, exiting"
755
41
msgstr ""
756
42
757
43
#: src/utils/ecryptfs-mount-private:60
758
44
msgid "Encrypted private directory is not setup properly"
759
45
msgstr ""
760
46
761
47
#: src/utils/ecryptfs-mount-private:65 src/utils/ecryptfs-mount-private:66
762
48
#: src/utils/ecryptfs-rewrite-file:30 src/utils/ecryptfs-setup-private:276
763
49
#: src/utils/ecryptfs-setup-private:344 src/utils/ecryptfs-setup-private:349
764
50
#: src/utils/ecryptfs-setup-swap:30 src/utils/ecryptfs-umount-private:21
765
51
#: src/utils/ecryptfs-umount-private:22
766
52
msgid "INFO:"
767
53
msgstr ""
768
54
769
55
#: src/utils/ecryptfs-mount-private:65
770
56
msgid "Your private directory has been mounted."
771
57
msgstr ""
772
58
773
59
#: src/utils/ecryptfs-mount-private:66 src/utils/ecryptfs-umount-private:22
774
60
msgid "To see this change in your current shell:"
775
61
msgstr ""
776
62
777
63
#: src/utils/ecryptfs-rewrite-file:23
778
64
msgid "[FAILED]"
779
65
msgstr ""
780
66
781
67
#: src/utils/ecryptfs-rewrite-file:30
782
68
msgid "Rewriting"
783
69
msgstr ""
784
70
785
71
#: src/utils/ecryptfs-rewrite-file:32
786
72
msgid "File does not exist"
787
73
msgstr ""
788
74
789
75
#: src/utils/ecryptfs-rewrite-file:36
790
76
msgid "[EXCLUDED]"
791
77
msgstr ""
792
78
793
79
#: src/utils/ecryptfs-rewrite-file:43
794
80
msgid "Could not create tempdir"
795
81
msgstr ""
796
82
797
83
#: src/utils/ecryptfs-rewrite-file:47 src/utils/ecryptfs-rewrite-file:52
798
84
#: src/utils/ecryptfs-rewrite-file:66
799
85
msgid "Could not rename"
800
86
msgstr ""
801
87
802
88
#: src/utils/ecryptfs-rewrite-file:57
803
89
msgid "Could not create tempfile"
804
90
msgstr ""
805
91
806
92
#: src/utils/ecryptfs-rewrite-file:61
807
93
msgid "Could not copy"
808
94
msgstr ""
809
95
810
96
#: src/utils/ecryptfs-rewrite-file:70
811
97
msgid "[OK]"
812
98
msgstr ""
813
99
814
100
#: src/utils/ecryptfs-rewrite-file:73
815
101
msgid "rewrites succeeded"
816
102
msgstr ""
817
103
818
104
#: src/utils/ecryptfs-setup-private:14
819
105
msgid "Enter your login passphrase"
820
106
msgstr ""
821
107
822
108
#: src/utils/ecryptfs-setup-private:104
823
109
msgid "Can't get ecryptfs version, ecryptfs kernel module not loaded?"
824
110
msgstr ""
825
111
826
112
#: src/utils/ecryptfs-setup-private:131
827
113
msgid "Enter your wrapping passphrase"
828
114
msgstr ""
829
115
830
116
#: src/utils/ecryptfs-setup-private:155
831
117
msgid "You must be root to bootstrap encrypt a home directory"
832
118
msgstr ""
833
119
834
120
#: src/utils/ecryptfs-setup-private:178 src/utils/ecryptfs-setup-private:183
835
121
msgid "ERROR: "
836
122
msgstr ""
837
123
838
124
#: src/utils/ecryptfs-setup-private:178
839
125
msgid "You must provide a username"
840
126
msgstr ""
841
127
842
128
#: src/utils/ecryptfs-setup-private:183 src/utils/ecryptfs-setup-private:191
843
129
msgid "User does not exist"
844
130
msgstr ""
845
131
846
132
#: src/utils/ecryptfs-setup-private:197
847
133
msgid "User needs to be a member of ecryptfs group"
848
134
msgstr ""
849
135
850
136
#: src/utils/ecryptfs-setup-private:204
851
137
msgid "User home directory does not exist"
852
138
msgstr ""
853
139
854
140
#: src/utils/ecryptfs-setup-private:223
855
141
msgid "wrapped-passphrase file already exists, use --force to overwrite."
856
142
msgstr ""
857
143
858
144
#: src/utils/ecryptfs-setup-private:226
859
145
msgid "file already exists, use --force to overwrite."
860
146
msgstr ""
861
147
862
148
#: src/utils/ecryptfs-setup-private:230 src/utils/ecryptfs-setup-private:231
863
149
msgid "is already mounted"
864
150
msgstr ""
865
151
866
152
#: src/utils/ecryptfs-setup-private:238 src/utils/ecryptfs-setup-private:242
867
153
msgid "must be empty before proceeding"
868
154
msgstr ""
869
155
870
156
#: src/utils/ecryptfs-setup-private:264
871
157
msgid "Wrapping passphrases must match"
872
158
msgstr ""
873
159
874
160
#: src/utils/ecryptfs-setup-private:272
875
161
msgid "You must provide a login passphrase"
876
162
msgstr ""
877
163
878
164
#: src/utils/ecryptfs-setup-private:276
879
165
msgid "Skipping password verification"
880
166
msgstr ""
881
167
882
168
#: src/utils/ecryptfs-setup-private:298
883
169
msgid "Enter your mount passphrase [leave blank to generate one]: "
884
170
msgstr ""
885
171
886
172
#: src/utils/ecryptfs-setup-private:308
887
173
msgid "Enter your mount passphrase (again): "
888
174
msgstr ""
889
175
890
176
#: src/utils/ecryptfs-setup-private:313
891
177
msgid "Mount passphrases do not match"
892
178
msgstr ""
893
179
894
180
#: src/utils/ecryptfs-setup-private:321
895
181
msgid "Too many incorrect passphrase attempts, exiting"
896
182
msgstr ""
897
183
898
184
#: src/utils/ecryptfs-setup-private:327
899
185
msgid ""
900
186
"YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION."
901
187
msgstr ""
902
188
903
189
#: src/utils/ecryptfs-setup-private:329
904
190
msgid "THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME."
905
191
msgstr ""
906
192
907
193
#: src/utils/ecryptfs-setup-private:336
908
194
msgid "Could not create crypt directory"
909
195
msgstr ""
910
196
911
197
#: src/utils/ecryptfs-setup-private:337
912
198
msgid "Could not create mount directory"
913
199
msgstr ""
914
200
915
201
#: src/utils/ecryptfs-setup-private:344
916
202
msgid "will not be mounted on login"
917
203
msgstr ""
918
204
919
205
#: src/utils/ecryptfs-setup-private:346
920
206
msgid "Could not setup ecryptfs auto-mount"
921
207
msgstr ""
922
208
923
209
#: src/utils/ecryptfs-setup-private:349
924
210
msgid "will not be unmounted on logout"
925
211
msgstr ""
926
212
927
213
#: src/utils/ecryptfs-setup-private:351
928
214
msgid "Could not setup ecryptfs auto-umount"
929
215
msgstr ""
930
216
931
217
#: src/utils/ecryptfs-setup-private:355
932
218
msgid "Could not remove ecryptfs wrapping-independent"
933
219
msgstr ""
934
220
935
221
#: src/utils/ecryptfs-setup-private:357
936
222
msgid "Could not setup ecryptfs wrapping-independent"
937
223
msgstr ""
938
224
939
225
#: src/utils/ecryptfs-setup-private:365
940
226
msgid "Could not backup existing data"
941
227
msgstr ""
942
228
943
229
#: src/utils/ecryptfs-setup-private:381
944
230
msgid "Could not wrap passphrase"
945
231
msgstr ""
946
232
947
233
#: src/utils/ecryptfs-setup-private:389
948
234
msgid "Could not add passphrase to the current keyring"
949
235
msgstr ""
950
236
951
237
#: src/utils/ecryptfs-setup-private:393
952
238
msgid "Could not obtain the key signature"
953
239
msgstr ""
954
240
955
241
#: src/utils/ecryptfs-setup-private:396
956
242
msgid "Could not create signature file"
957
243
msgstr ""
958
244
959
245
#: src/utils/ecryptfs-setup-private:399
960
246
msgid "Could not create mountpoint file"
961
247
msgstr ""
962
248
963
249
#: src/utils/ecryptfs-setup-private:403
964
250
msgid "Done configuring."
965
251
msgstr ""
966
252
967
253
#: src/utils/ecryptfs-setup-private:433
968
254
msgid "Testing mount/write/umount/read..."
969
255
msgstr ""
970
256
971
257
#: src/utils/ecryptfs-setup-private:434
972
258
msgid "Could not mount private ecryptfs directory"
973
259
msgstr ""
974
260
975
261
#: src/utils/ecryptfs-setup-private:435
976
262
msgid "Could not create empty file"
977
263
msgstr ""
978
264
979
265
#: src/utils/ecryptfs-setup-private:436
980
266
msgid "Could not generate random data"
981
267
msgstr ""
982
268
983
269
#: src/utils/ecryptfs-setup-private:437
984
270
msgid "Could not write encrypted file"
985
271
msgstr ""
986
272
987
273
#: src/utils/ecryptfs-setup-private:438
988
274
msgid "Could not read encrypted file"
989
275
msgstr ""
990
276
991
277
#: src/utils/ecryptfs-setup-private:439
992
278
msgid "Could not unmount private ecryptfs directory"
993
279
msgstr ""
994
280
995
281
#: src/utils/ecryptfs-setup-private:440
996
282
msgid "Could not mount private ecryptfs directory (2)"
997
283
msgstr ""
998
284
999
285
#: src/utils/ecryptfs-setup-private:441
1000
286
msgid "Could not read encrypted file (2)"
1001
287
msgstr ""
1002
288
1003
289
#: src/utils/ecryptfs-setup-private:445
1004
290
msgid "Could not unmount private ecryptfs directory (2)"
1005
291
msgstr ""
1006
292
1007
293
#: src/utils/ecryptfs-setup-private:447
1008
294
msgid "Testing failed."
1009
295
msgstr ""
1010
296
1011
297
#: src/utils/ecryptfs-setup-private:449
1012
298
msgid "Testing succeeded."
1013
299
msgstr ""
1014
300
1015
301
#: src/utils/ecryptfs-setup-private:453
1016
302
msgid "Logout, and log back in to begin using your encrypted directory."
1017
303
msgstr ""
1018
304
1019
305
#: src/utils/ecryptfs-setup-swap:34
1020
306
msgid "WARNING:"
1021
307
msgstr ""
1022
308
1023
309
#: src/utils/ecryptfs-setup-swap:39
1024
310
msgid "Usage:"
1025
311
msgstr ""
1026
312
1027
313
#: src/utils/ecryptfs-setup-swap:60
1028
314
msgid "Please install"
1029
315
msgstr ""
1030
316
1031
317
#: src/utils/ecryptfs-setup-swap:63
1032
318
msgid "This program must be run with 'sudo', or as root"
1033
319
msgstr ""
1034
320
1035
321
#: src/utils/ecryptfs-setup-swap:70
1036
322
msgid "You do not currently have any swap space defined."
1037
323
msgstr ""
1038
324
1039
325
#: src/utils/ecryptfs-setup-swap:72
1040
326
msgid "You can create a swap file by doing:"
1041
327
msgstr ""
1042
328
1043
329
#: src/utils/ecryptfs-setup-swap:77
1044
330
msgid "And then re-run"
1045
331
msgstr ""
1046
332
1047
333
#: src/utils/ecryptfs-setup-swap:81
1048
334
msgid "You have more than one swap space defined."
1049
335
msgstr ""
1050
336
1051
337
#: src/utils/ecryptfs-setup-swap:82
1052
338
msgid "only supports setting up a single swap space"
1053
339
msgstr ""
1054
340
1055
341
#: src/utils/ecryptfs-setup-swap:89
1056
342
msgid "does not appear to be swap space"
1057
343
msgstr ""
1058
344
1059
345
#: src/utils/ecryptfs-setup-swap:94
1060
346
msgid "already appears to be encrypted."
1061
347
msgstr ""
1062
348
1063
349
#: src/utils/ecryptfs-setup-swap:103
1064
350
msgid "already has an entry in /etc/crypttab."
1065
351
msgstr ""
1066
352
1067
353
#: src/utils/ecryptfs-setup-swap:107
1068
354
msgid "already has an entry in /etc/fstab."
1069
355
msgstr ""
1070
356
1071
357
#: src/utils/ecryptfs-setup-swap:113
1072
358
msgid "There appears to be a cryptswap entry in /etc/cryptab; aborting."
1073
359
msgstr ""
1074
360
1075
361
#: src/utils/ecryptfs-setup-swap:118
1076
362
msgid "There appears to be a cryptswap entry in /etc/fstab; aborting."
1077
363
msgstr ""
1078
364
1079
365
#: src/utils/ecryptfs-setup-swap:124
1080
366
msgid "Commented out your unencrypted swap from /etc/fstab"
1081
367
msgstr ""
1082
368
1083
369
#: src/utils/ecryptfs-setup-swap:126
1084
370
msgid "Your swap space isn't currently listed in /etc/fstab"
1085
371
msgstr ""
1086
372
1087
373
#: src/utils/ecryptfs-setup-swap:134
1088
374
msgid ""
1089
375
"An encrypted swap is required to help ensure that encrypted files are not "
1090
376
"leaked to disk in an unencrypted format."
1091
377
msgstr ""
1092
378
1093
379
#: src/utils/ecryptfs-setup-swap:136
1094
380
msgid ""
1095
381
"HOWEVER, THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM WILL "
1096
382
"BREAK HIBERNATE/RESUME ON THIS SYSTEM!"
1097
383
msgstr ""
1098
384
1099
385
#: src/utils/ecryptfs-setup-swap:138
1100
386
msgid "NOTE: Your suspend/resume capabilities will not be affected."
1101
387
msgstr ""
1102
388
1103
389
#: src/utils/ecryptfs-setup-swap:140
1104
390
msgid "Do you want to proceed with encrypting your swap?"
1105
391
msgstr ""
1106
392
1107
393
#: src/utils/ecryptfs-setup-swap:145
1108
394
msgid "Aborting."
1109
395
msgstr ""
1110
396
1111
397
#: src/utils/ecryptfs-setup-swap:153
1112
398
msgid "Setting up swap:"
1113
399
msgstr ""
1114
400
1115
401
#: src/utils/ecryptfs-setup-swap:170
1116
402
msgid "Successfully setup encrypted swap!"
1117
403
msgstr ""
1118
404
1119
405
#: src/utils/ecryptfs-umount-private:21
1120
406
msgid "Your private directory has been unmounted."
1121
407
msgstr ""
1122
0
408
1123
=== added file 'debian/po/fr.po'
1124
--- debian/po/fr.po	1970-01-01 00:00:00 +0000
1125
+++ debian/po/fr.po	2010-02-17 20:48:18 +0000
1126
@@ -0,0 +1,389 @@
1127
1
#: src/utils/ecryptfs-mount-private:19
1128
2
msgid "Enter your login passphrase:"
1129
3
msgstr ""
1130
4
1131
5
#: src/utils/ecryptfs-mount-private:24
1132
6
msgid "Enter your wrapping passphrase:"
1133
7
msgstr ""
1134
8
1135
9
#: src/utils/ecryptfs-mount-private:49 src/utils/ecryptfs-mount-private:55
1136
10
#: src/utils/ecryptfs-mount-private:60 src/utils/ecryptfs-rewrite-file:24
1137
11
#: src/utils/ecryptfs-setup-private:84 src/utils/ecryptfs-setup-private:264
1138
12
#: src/utils/ecryptfs-setup-private:272 src/utils/ecryptfs-setup-private:282
1139
13
#: src/utils/ecryptfs-setup-private:313 src/utils/ecryptfs-setup-swap:25
1140
14
msgid "ERROR:"
1141
15
msgstr ""
1142
16
1143
17
#: src/utils/ecryptfs-mount-private:49
1144
18
msgid "Your passphrase is incorrect"
1145
19
msgstr ""
1146
20
1147
21
#: src/utils/ecryptfs-mount-private:55 src/utils/ecryptfs-setup-private:289
1148
22
msgid "Too many incorrect password attempts, exiting"
1149
23
msgstr ""
1150
24
1151
25
#: src/utils/ecryptfs-mount-private:60
1152
26
msgid "Encrypted private directory is not setup properly"
1153
27
msgstr ""
1154
28
1155
29
#: src/utils/ecryptfs-mount-private:65 src/utils/ecryptfs-mount-private:66
1156
30
#: src/utils/ecryptfs-rewrite-file:30 src/utils/ecryptfs-setup-private:276
1157
31
#: src/utils/ecryptfs-setup-private:344 src/utils/ecryptfs-setup-private:349
1158
32
#: src/utils/ecryptfs-setup-swap:30 src/utils/ecryptfs-umount-private:21
1159
33
#: src/utils/ecryptfs-umount-private:22
1160
34
msgid "INFO:"
1161
35
msgstr ""
1162
36
1163
37
#: src/utils/ecryptfs-mount-private:65
1164
38
msgid "Your private directory has been mounted."
1165
39
msgstr ""
1166
40
1167
41
#: src/utils/ecryptfs-mount-private:66 src/utils/ecryptfs-umount-private:22
1168
42
msgid "To see this change in your current shell:"
1169
43
msgstr ""
1170
44
1171
45
#: src/utils/ecryptfs-rewrite-file:23
1172
46
msgid "[FAILED]"
1173
47
msgstr ""
1174
48
1175
49
#: src/utils/ecryptfs-rewrite-file:30
1176
50
msgid "Rewriting"
1177
51
msgstr ""
1178
52
1179
53
#: src/utils/ecryptfs-rewrite-file:32
1180
54
msgid "File does not exist"
1181
55
msgstr ""
1182
56
1183
57
#: src/utils/ecryptfs-rewrite-file:36
1184
58
msgid "[EXCLUDED]"
1185
59
msgstr ""
1186
60
1187
61
#: src/utils/ecryptfs-rewrite-file:43
1188
62
msgid "Could not create tempdir"
1189
63
msgstr ""
1190
64
1191
65
#: src/utils/ecryptfs-rewrite-file:47 src/utils/ecryptfs-rewrite-file:52
1192
66
#: src/utils/ecryptfs-rewrite-file:66
1193
67
msgid "Could not rename"
1194
68
msgstr ""
1195
69
1196
70
#: src/utils/ecryptfs-rewrite-file:57
1197
71
msgid "Could not create tempfile"
1198
72
msgstr ""
1199
73
1200
74
#: src/utils/ecryptfs-rewrite-file:61
1201
75
msgid "Could not copy"
1202
76
msgstr ""
1203
77
1204
78
#: src/utils/ecryptfs-rewrite-file:70
1205
79
msgid "[OK]"
1206
80
msgstr ""
1207
81
1208
82
#: src/utils/ecryptfs-rewrite-file:73
1209
83
msgid "rewrites succeeded"
1210
84
msgstr ""
1211
85
1212
86
#: src/utils/ecryptfs-setup-private:14
1213
87
msgid "Enter your login passphrase"
1214
88
msgstr ""
1215
89
1216
90
#: src/utils/ecryptfs-setup-private:104
1217
91
msgid "Can't get ecryptfs version, ecryptfs kernel module not loaded?"
1218
92
msgstr ""
1219
93
1220
94
#: src/utils/ecryptfs-setup-private:131
1221
95
msgid "Enter your wrapping passphrase"
1222
96
msgstr ""
1223
97
1224
98
#: src/utils/ecryptfs-setup-private:155
1225
99
msgid "You must be root to bootstrap encrypt a home directory"
1226
100
msgstr ""
1227
101
1228
102
#: src/utils/ecryptfs-setup-private:178 src/utils/ecryptfs-setup-private:183
1229
103
msgid "ERROR: "
1230
104
msgstr ""
1231
105
1232
106
#: src/utils/ecryptfs-setup-private:178
1233
107
msgid "You must provide a username"
1234
108
msgstr ""
1235
109
1236
110
#: src/utils/ecryptfs-setup-private:183 src/utils/ecryptfs-setup-private:191
1237
111
msgid "User does not exist"
1238
112
msgstr ""
1239
113
1240
114
#: src/utils/ecryptfs-setup-private:197
1241
115
msgid "User needs to be a member of ecryptfs group"
1242
116
msgstr ""
1243
117
1244
118
#: src/utils/ecryptfs-setup-private:204
1245
119
msgid "User home directory does not exist"
1246
120
msgstr ""
1247
121
1248
122
#: src/utils/ecryptfs-setup-private:223
1249
123
msgid "wrapped-passphrase file already exists, use --force to overwrite."
1250
124
msgstr ""
1251
125
1252
126
#: src/utils/ecryptfs-setup-private:226
1253
127
msgid "file already exists, use --force to overwrite."
1254
128
msgstr ""
1255
129
1256
130
#: src/utils/ecryptfs-setup-private:230 src/utils/ecryptfs-setup-private:231
1257
131
msgid "is already mounted"
1258
132
msgstr ""
1259
133
1260
134
#: src/utils/ecryptfs-setup-private:238 src/utils/ecryptfs-setup-private:242
1261
135
msgid "must be empty before proceeding"
1262
136
msgstr ""
1263
137
1264
138
#: src/utils/ecryptfs-setup-private:264
1265
139
msgid "Wrapping passphrases must match"
1266
140
msgstr ""
1267
141
1268
142
#: src/utils/ecryptfs-setup-private:272
1269
143
msgid "You must provide a login passphrase"
1270
144
msgstr ""
1271
145
1272
146
#: src/utils/ecryptfs-setup-private:276
1273
147
msgid "Skipping password verification"
1274
148
msgstr ""
1275
149
1276
150
#: src/utils/ecryptfs-setup-private:298
1277
151
msgid "Enter your mount passphrase [leave blank to generate one]: "
1278
152
msgstr ""
1279
153
1280
154
#: src/utils/ecryptfs-setup-private:308
1281
155
msgid "Enter your mount passphrase (again): "
1282
156
msgstr ""
1283
157
1284
158
#: src/utils/ecryptfs-setup-private:313
1285
159
msgid "Mount passphrases do not match"
1286
160
msgstr ""
1287
161
1288
162
#: src/utils/ecryptfs-setup-private:321
1289
163
msgid "Too many incorrect passphrase attempts, exiting"
1290
164
msgstr ""
1291
165
1292
166
#: src/utils/ecryptfs-setup-private:327
1293
167
msgid ""
1294
168
"YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION."
1295
169
msgstr ""
1296
170
1297
171
#: src/utils/ecryptfs-setup-private:329
1298
172
msgid "THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME."
1299
173
msgstr ""
1300
174
1301
175
#: src/utils/ecryptfs-setup-private:336
1302
176
msgid "Could not create crypt directory"
1303
177
msgstr ""
1304
178
1305
179
#: src/utils/ecryptfs-setup-private:337
1306
180
msgid "Could not create mount directory"
1307
181
msgstr ""
1308
182
1309
183
#: src/utils/ecryptfs-setup-private:344
1310
184
msgid "will not be mounted on login"
1311
185
msgstr ""
1312
186
1313
187
#: src/utils/ecryptfs-setup-private:346
1314
188
msgid "Could not setup ecryptfs auto-mount"
1315
189
msgstr ""
1316
190
1317
191
#: src/utils/ecryptfs-setup-private:349
1318
192
msgid "will not be unmounted on logout"
1319
193
msgstr ""
1320
194
1321
195
#: src/utils/ecryptfs-setup-private:351
1322
196
msgid "Could not setup ecryptfs auto-umount"
1323
197
msgstr ""
1324
198
1325
199
#: src/utils/ecryptfs-setup-private:355
1326
200
msgid "Could not remove ecryptfs wrapping-independent"
1327
201
msgstr ""
1328
202
1329
203
#: src/utils/ecryptfs-setup-private:357
1330
204
msgid "Could not setup ecryptfs wrapping-independent"
1331
205
msgstr ""
1332
206
1333
207
#: src/utils/ecryptfs-setup-private:365
1334
208
msgid "Could not backup existing data"
1335
209
msgstr ""
1336
210
1337
211
#: src/utils/ecryptfs-setup-private:381
1338
212
msgid "Could not wrap passphrase"
1339
213
msgstr ""
1340
214
1341
215
#: src/utils/ecryptfs-setup-private:389
1342
216
msgid "Could not add passphrase to the current keyring"
1343
217
msgstr ""
1344
218
1345
219
#: src/utils/ecryptfs-setup-private:393
1346
220
msgid "Could not obtain the key signature"
1347
221
msgstr ""
1348
222
1349
223
#: src/utils/ecryptfs-setup-private:396
1350
224
msgid "Could not create signature file"
1351
225
msgstr ""
1352
226
1353
227
#: src/utils/ecryptfs-setup-private:399
1354
228
msgid "Could not create mountpoint file"
1355
229
msgstr ""
1356
230
1357
231
#: src/utils/ecryptfs-setup-private:403
1358
232
msgid "Done configuring."
1359
233
msgstr ""
1360
234
1361
235
#: src/utils/ecryptfs-setup-private:433
1362
236
msgid "Testing mount/write/umount/read..."
1363
237
msgstr ""
1364
238
1365
239
#: src/utils/ecryptfs-setup-private:434
1366
240
msgid "Could not mount private ecryptfs directory"
1367
241
msgstr ""
1368
242
1369
243
#: src/utils/ecryptfs-setup-private:435
1370
244
msgid "Could not create empty file"
1371
245
msgstr ""
1372
246
1373
247
#: src/utils/ecryptfs-setup-private:436
1374
248
msgid "Could not generate random data"
1375
249
msgstr ""
1376
250
1377
251
#: src/utils/ecryptfs-setup-private:437
1378
252
msgid "Could not write encrypted file"
1379
253
msgstr ""
1380
254
1381
255
#: src/utils/ecryptfs-setup-private:438
1382
256
msgid "Could not read encrypted file"
1383
257
msgstr ""
1384
258
1385
259
#: src/utils/ecryptfs-setup-private:439
1386
260
msgid "Could not unmount private ecryptfs directory"
1387
261
msgstr ""
1388
262
1389
263
#: src/utils/ecryptfs-setup-private:440
1390
264
msgid "Could not mount private ecryptfs directory (2)"
1391
265
msgstr ""
1392
266
1393
267
#: src/utils/ecryptfs-setup-private:441
1394
268
msgid "Could not read encrypted file (2)"
1395
269
msgstr ""
1396
270
1397
271
#: src/utils/ecryptfs-setup-private:445
1398
272
msgid "Could not unmount private ecryptfs directory (2)"
1399
273
msgstr ""
1400
274
1401
275
#: src/utils/ecryptfs-setup-private:447
1402
276
msgid "Testing failed."
1403
277
msgstr ""
1404
278
1405
279
#: src/utils/ecryptfs-setup-private:449
1406
280
msgid "Testing succeeded."
1407
281
msgstr ""
1408
282
1409
283
#: src/utils/ecryptfs-setup-private:453
1410
284
msgid "Logout, and log back in to begin using your encrypted directory."
1411
285
msgstr ""
1412
286
1413
287
#: src/utils/ecryptfs-setup-swap:34
1414
288
msgid "WARNING:"
1415
289
msgstr ""
1416
290
1417
291
#: src/utils/ecryptfs-setup-swap:39
1418
292
msgid "Usage:"
1419
293
msgstr ""
1420
294
1421
295
#: src/utils/ecryptfs-setup-swap:60
1422
296
msgid "Please install"
1423
297
msgstr ""
1424
298
1425
299
#: src/utils/ecryptfs-setup-swap:63
1426
300
msgid "This program must be run with 'sudo', or as root"
1427
301
msgstr ""
1428
302
1429
303
#: src/utils/ecryptfs-setup-swap:70
1430
304
msgid "You do not currently have any swap space defined."
1431
305
msgstr ""
1432
306
1433
307
#: src/utils/ecryptfs-setup-swap:72
1434
308
msgid "You can create a swap file by doing:"
1435
309
msgstr ""
1436
310
1437
311
#: src/utils/ecryptfs-setup-swap:77
1438
312
msgid "And then re-run"
1439
313
msgstr ""
1440
314
1441
315
#: src/utils/ecryptfs-setup-swap:81
1442
316
msgid "You have more than one swap space defined."
1443
317
msgstr ""
1444
318
1445
319
#: src/utils/ecryptfs-setup-swap:82
1446
320
msgid "only supports setting up a single swap space"
1447
321
msgstr ""
1448
322
1449
323
#: src/utils/ecryptfs-setup-swap:89
1450
324
msgid "does not appear to be swap space"
1451
325
msgstr ""
1452
326
1453
327
#: src/utils/ecryptfs-setup-swap:94
1454
328
msgid "already appears to be encrypted."
1455
329
msgstr ""
1456
330
1457
331
#: src/utils/ecryptfs-setup-swap:103
1458
332
msgid "already has an entry in /etc/crypttab."
1459
333
msgstr ""
1460
334
1461
335
#: src/utils/ecryptfs-setup-swap:107
1462
336
msgid "already has an entry in /etc/fstab."
1463
337
msgstr ""
1464
338
1465
339
#: src/utils/ecryptfs-setup-swap:113
1466
340
msgid "There appears to be a cryptswap entry in /etc/cryptab; aborting."
1467
341
msgstr ""
1468
342
1469
343
#: src/utils/ecryptfs-setup-swap:118
1470
344
msgid "There appears to be a cryptswap entry in /etc/fstab; aborting."
1471
345
msgstr ""
1472
346
1473
347
#: src/utils/ecryptfs-setup-swap:124
1474
348
msgid "Commented out your unencrypted swap from /etc/fstab"
1475
349
msgstr ""
1476
350
1477
351
#: src/utils/ecryptfs-setup-swap:126
1478
352
msgid "Your swap space isn't currently listed in /etc/fstab"
1479
353
msgstr ""
1480
354
1481
355
#: src/utils/ecryptfs-setup-swap:134
1482
356
msgid ""
1483
357
"An encrypted swap is required to help ensure that encrypted files are not "
1484
358
"leaked to disk in an unencrypted format."
1485
359
msgstr ""
1486
360
1487
361
#: src/utils/ecryptfs-setup-swap:136
1488
362
msgid ""
1489
363
"HOWEVER, THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM WILL "
1490
364
"BREAK HIBERNATE/RESUME ON THIS SYSTEM!"
1491
365
msgstr ""
1492
366
1493
367
#: src/utils/ecryptfs-setup-swap:138
1494
368
msgid "NOTE: Your suspend/resume capabilities will not be affected."
1495
369
msgstr ""
1496
370
1497
371
#: src/utils/ecryptfs-setup-swap:140
1498
372
msgid "Do you want to proceed with encrypting your swap?"
1499
373
msgstr ""
1500
374
1501
375
#: src/utils/ecryptfs-setup-swap:145
1502
376
msgid "Aborting."
1503
377
msgstr ""
1504
378
1505
379
#: src/utils/ecryptfs-setup-swap:153
1506
380
msgid "Setting up swap:"
1507
381
msgstr ""
1508
382
1509
383
#: src/utils/ecryptfs-setup-swap:170
1510
384
msgid "Successfully setup encrypted swap!"
1511
385
msgstr ""
1512
386
1513
387
#: src/utils/ecryptfs-umount-private:21
1514
388
msgid "Your private directory has been unmounted."
1515
389
msgstr ""
1516
0
390
1517
=== modified file 'debian/rules'
1518
--- debian/rules	2009-04-22 00:07:59 +0000
1519
+++ debian/rules	2010-02-17 20:48:18 +0000
1520
@@ -1,43 +1,63 @@
1521
1
#!/usr/bin/make -f
1
#!/usr/bin/make -f
1522
2
2
1524
3
include /usr/share/dpatch/dpatch.make
3
PKG=ecryptfs-utils
1525
4
PO_DIR=debian/po
1526
4
5
1527
5
DEB_BUILD_ARCH		?= $(shell dpkg-architecture -qDEB_BUILD_ARCH)
1528
6
DEB_HOST_GNU_TYPE	?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
6
DEB_HOST_GNU_TYPE	?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
1529
7
DEB_BUILD_GNU_TYPE	?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
7
DEB_BUILD_GNU_TYPE	?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
1530
8
8
1535
9
CFLAGS = -Wall -g
9
ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
1536
10
10
	CROSS=CC=$(DEB_HOST_GNU_TYPE)-gcc
1533
11
ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
1534
12
	CFLAGS += -O0
1537
13
else
11
else
1539
14
	CFLAGS += -O2
12
	CROSS=
1540
15
endif
13
endif
1541
16
14
1542
15
DEB_BUILD_ARCH		?= $(shell dpkg-architecture -qDEB_BUILD_ARCH)
1543
16
1544
17
ifneq ($(DEB_BUILD_ARCH),s390)
17
ifneq ($(DEB_BUILD_ARCH),s390)
1545
18
	TPMFLAGS = --enable-opencryptoki
18
	TPMFLAGS = --enable-opencryptoki
1546
19
endif
19
endif
1547
20
20
1549
21
clean: unpatch
21
install-po: update-pot
1550
22
	for po in ${PO_DIR}/*.po ; do \
1551
23
		lang=$${po#po/}; lang=$${lang%.po}; \
1552
24
		mkdir -p ${PO_DIR}/locale/$${lang}/LC_MESSAGES/; \
1553
25
		msgfmt $${po} -o ${PO_DIR}/locale/$${lang}/LC_MESSAGES/${PKG}.mo ; \
1554
26
	done
1555
27
1556
28
update-pot:
1557
29
	rm -f ${PO_DIR}/${PKG}.pot
1558
30
	xgettext -o ${PO_DIR}/${PKG}.pot -L Shell -f ${PO_DIR}/POTFILES.sh
1559
31
	for po in ${PO_DIR}/*.po ; do \
1560
32
		msgmerge $${po} ${PO_DIR}/${PKG}.pot -o $${po} ; \
1561
33
	done
1562
34
1563
35
clean:
1564
22
	dh_testdir
36
	dh_testdir
1565
23
	dh_testroot
37
	dh_testroot
1566
24
	rm -f build-stamp
38
	rm -f build-stamp
1567
25
	rm -f config.guess config.sub
39
	rm -f config.guess config.sub
1568
40
	for po in ${PO_DIR}/*.po ; do \
1569
41
		lang=$${po#po/}; lang=$${lang%.po}; \
1570
42
		rm -f ${PO_DIR}/locale/$${lang}/LC_MESSAGES/${PKG}.mo ; \
1571
43
	done
1572
44
1573
26
45
1574
27
	[ ! -f Makefile ] || $(MAKE) distclean
46
	[ ! -f Makefile ] || $(MAKE) distclean
1575
28
47
1576
29
	dh_clean
48
	dh_clean
1577
30
49
1579
31
config.status: configure patch
50
config.status: configure
1580
32
	dh_testdir
51
	dh_testdir
1581
33
52
1582
53
ifneq "$(wildcard /usr/share/misc/config.guess)" ""
1583
54
	cp -f /usr/share/misc/config.guess config.guess
1584
55
endif
1585
34
ifneq "$(wildcard /usr/share/misc/config.sub)" ""
56
ifneq "$(wildcard /usr/share/misc/config.sub)" ""
1586
35
	cp -f /usr/share/misc/config.sub config.sub
57
	cp -f /usr/share/misc/config.sub config.sub
1587
36
endif
58
endif
1592
37
ifneq "$(wildcard /usr/share/misc/config.guess)" ""
59
1593
38
	cp -f /usr/share/misc/config.guess config.guess
60
	./configure $(CROSS) --prefix=/usr --libdir=\$${prefix}/lib --mandir=\$${prefix}/share/man --enable-static --enable-gpg --enable-nss --disable-gui --enable-pam --disable-openssl --disable-pkcs11-helper --disable-tspi $(TPMFLAGS) CFLAGS="$(CFLAGS)"
1590
39
endif
1591
40
	CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --libdir=\$${prefix}/lib --mandir=\$${prefix}/share/man --enable-static --enable-gpg --disable-gui --enable-pam --disable-openssl --disable-pkcs11-helper --disable-tspi $(TPMFLAGS)
1594
41
61
1595
42
build: build-stamp
62
build: build-stamp
1596
43
build-stamp: config.status
63
build-stamp: config.status
1597
@@ -47,17 +67,14 @@
1598
47
67
1599
48
	touch build-stamp
68
	touch build-stamp
1600
49
69
1602
50
install: build
70
install: build install-po
1603
51
	dh_testdir
71
	dh_testdir
1604
52
	dh_testroot
72
	dh_testroot
1605
53
	dh_prep
73
	dh_prep
1606
54
	dh_installdirs
1607
55
74
1608
56
	$(MAKE) DESTDIR=$(CURDIR)/debian/tmp install
75
	$(MAKE) DESTDIR=$(CURDIR)/debian/tmp install
1609
57
	install -m 644 -D $(CURDIR)/debian/ecryptfs-utils.pam-auth-update $(CURDIR)/debian/tmp/usr/share/pam-configs/ecryptfs-utils
1610
58
76
1613
59
	mv debian/tmp/usr/share/ecryptfs-* debian/ecryptfs-utils/usr/share/ecryptfs-utils
77
	install -D -m 0644 debian/local/ecryptfs-utils.pam-auth-update debian/ecryptfs-utils/usr/share/pam-configs/ecryptfs-utils
1612
60
	mv debian/tmp/usr/share/doc/ecryptfs-utils/ecryptfs-mount-private.txt debian/ecryptfs-utils/usr/share/ecryptfs-utils/ecryptfs-mount-private.txt
1614
61
78
1615
62
	chmod 4755 debian/tmp/sbin/mount.ecryptfs_private
79
	chmod 4755 debian/tmp/sbin/mount.ecryptfs_private
1616
63
80
1617
@@ -65,12 +82,14 @@
1618
65
82
1619
66
binary: binary-arch
83
binary: binary-arch
1620
67
84
1622
68
binary-arch: build install
85
binary-arch: install
1623
69
	dh_testdir
86
	dh_testdir
1624
70
	dh_testroot
87
	dh_testroot
1625
71
	dh_installchangelogs ChangeLog
88
	dh_installchangelogs ChangeLog
1626
72
	dh_installdocs
89
	dh_installdocs
1627
73
	dh_install --fail-missing --sourcedir=debian/tmp
90
	dh_install --fail-missing --sourcedir=debian/tmp
1628
91
	dh_installinit --noscripts --error-handler=true --name=ecryptfs-utils-save
1629
92
	dh_installinit --noscripts --error-handler=true --name=ecryptfs-utils-restore
1630
74
	dh_lintian
93
	dh_lintian
1631
75
	dh_link
94
	dh_link
1632
76
	dh_strip
95
	dh_strip
1633
77
96
1634
=== modified file 'doc/Makefile.am'
1635
--- doc/Makefile.am	2009-02-03 08:50:36 +0000
1636
+++ doc/Makefile.am	2010-02-17 20:48:18 +0000
1637
@@ -18,5 +18,4 @@
1638
18
dist_noinst_DATA += ecryptfs-pkcs11-helper-doc.txt
18
dist_noinst_DATA += ecryptfs-pkcs11-helper-doc.txt
1639
19
endif
19
endif
1640
20
20
1643
21
dist_doc_DATA += ecryptfs-mount-private.txt
21
dist_pkgdata_DATA = ecryptfs-mount-private.txt
1642
22
dist_noinst_DATA += ecryptfs-mount-private.txt
1644
23
22
1645
=== modified file 'doc/ecryptfs-mount-private.txt'
1646
--- doc/ecryptfs-mount-private.txt	2009-02-03 08:50:36 +0000
1647
+++ doc/ecryptfs-mount-private.txt	2010-02-17 20:48:18 +0000
1648
@@ -6,4 +6,4 @@
1649
6
or
6
or
1650
7
7
1651
8
From the command line, run:
8
From the command line, run:
1653
9
 $ ecryptfs-mount-private
9
 ecryptfs-mount-private
1654
10
10
1655
=== modified file 'doc/manpage/Makefile.am'
1656
--- doc/manpage/Makefile.am	2009-03-20 19:29:14 +0000
1657
+++ doc/manpage/Makefile.am	2010-02-17 20:48:18 +0000
1658
@@ -21,10 +21,13 @@
1659
21
	ecryptfs-rewrap-passphrase.1 \
21
	ecryptfs-rewrap-passphrase.1 \
1660
22
	ecryptfs-rewrite-file.1 \
22
	ecryptfs-rewrite-file.1 \
1661
23
	ecryptfs-setup-private.1 \
23
	ecryptfs-setup-private.1 \
1662
24
	ecryptfs-setup-swap.1 \
1663
25
	ecryptfs-stat.1 \
1664
24
	ecryptfs-umount-private.1 \
26
	ecryptfs-umount-private.1 \
1665
25
	ecryptfs-unwrap-passphrase.1 \
27
	ecryptfs-unwrap-passphrase.1 \
1666
26
	ecryptfs-wrap-passphrase.1 \
28
	ecryptfs-wrap-passphrase.1 \
1667
27
	mount.ecryptfs.8 \
29
	mount.ecryptfs.8 \
1668
30
	umount.ecryptfs.8 \
1669
28
	mount.ecryptfs_private.1 \
31
	mount.ecryptfs_private.1 \
1670
29
	pam_ecryptfs.8 \
32
	pam_ecryptfs.8 \
1671
30
	umount.ecryptfs_private.1
33
	umount.ecryptfs_private.1
1672
31
34
1673
=== modified file 'doc/manpage/ecryptfs-mount-private.1'
1674
--- doc/manpage/ecryptfs-mount-private.1	2009-02-03 08:50:36 +0000
1675
+++ doc/manpage/ecryptfs-mount-private.1	2010-02-17 20:48:18 +0000
1676
@@ -6,7 +6,7 @@
1677
6
\fBecryptfs-mount-private\fP
6
\fBecryptfs-mount-private\fP
1678
7
7
1679
8
.SH DESCRIPTION
8
.SH DESCRIPTION
1681
9
\fBecryptfs-mount-private\fP is a wrapper script for the \fBmount.ecryptfs_private\fP utility that will interactively prompt for the user's login password, if necessary.
9
\fBecryptfs-mount-private\fP is a wrapper script for the \fBmount.ecryptfs_private\fP utility that will interactively prompt for the user's login password, if necessary. You need to be a member of \fBecryptfs\fB group to use this.
1682
10
10
1683
11
.SH FILES
11
.SH FILES
1684
12
\fI~/.Private\fP - underlying directory containing encrypted data
12
\fI~/.Private\fP - underlying directory containing encrypted data
1685
@@ -17,7 +17,7 @@
1686
17
17
1687
18
\fI~/.ecryptfs/wrapped-passphrase\fP - file containing the wrapped passphrase
18
\fI~/.ecryptfs/wrapped-passphrase\fP - file containing the wrapped passphrase
1688
19
19
1690
20
\fI~/.ecryptfs/wrapped-independent\fP - this file exists if the wrapping passphrase is independent from login passphrase
20
\fI~/.ecryptfs/wrapping-independent\fP - this file exists if the wrapping passphrase is independent from login passphrase
1691
21
21
1692
22
.SH SEE ALSO
22
.SH SEE ALSO
1693
23
.PD 0
23
.PD 0
1694
24
24
1695
=== modified file 'doc/manpage/ecryptfs-rewrite-file.1'
1696
--- doc/manpage/ecryptfs-rewrite-file.1	2009-03-20 22:12:06 +0000
1697
+++ doc/manpage/ecryptfs-rewrite-file.1	2010-02-17 20:48:18 +0000
1698
@@ -6,7 +6,7 @@
1699
6
\fBecryptfs-rewrite-file [file1] [file2] [file3] ...\fP
6
\fBecryptfs-rewrite-file [file1] [file2] [file3] ...\fP
1700
7
7
1701
8
.SH DESCRIPTION
8
.SH DESCRIPTION
1703
9
This script takes one or more files/directories/symlinks as arguments, moves each of them to a temporary file, and the moves them back to the original name.  This causes the file to be rewritten (and reencrypted) in the lower filesystem.
9
This script takes one or more files/directories/symlinks as arguments, moves each of them to a temporary file, and then moves them back to the original name.  This causes the file to be rewritten (and reencrypted) in the lower filesystem.
1704
10
10
1705
11
This script may be combined with \fBfind\fP(1) and \fBxargs\fP(1) to rewrite an entire eCryptfs mountpoint, unmount, and sync:
11
This script may be combined with \fBfind\fP(1) and \fBxargs\fP(1) to rewrite an entire eCryptfs mountpoint, unmount, and sync:
1706
12
12
1707
13
13
1708
=== modified file 'doc/manpage/ecryptfs-setup-private.1'
1709
--- doc/manpage/ecryptfs-setup-private.1	2009-03-18 22:00:04 +0000
1710
+++ doc/manpage/ecryptfs-setup-private.1	2010-02-17 20:48:18 +0000
1711
@@ -43,7 +43,7 @@
1712
43
43
1713
44
44
1714
45
.SH DESCRIPTION
45
.SH DESCRIPTION
1716
46
\fBecryptfs-setup-private\fP is a program that sets up a private cryptographic mountpoint for a non-root user.
46
\fBecryptfs-setup-private\fP is a program that sets up a private cryptographic mountpoint for a non-root user, who is a member of \fBecryptfs\fP group.
1717
47
47
1718
48
Be sure to properly escape your parameters according to your shell's special character nuances, and also surround the parameters by double quotes, if necessary. Any of the parameters may be:
48
Be sure to properly escape your parameters according to your shell's special character nuances, and also surround the parameters by double quotes, if necessary. Any of the parameters may be:
1719
49
49
1720
@@ -78,7 +78,7 @@
1721
78
78
1722
79
\fI~/.ecryptfs/wrapped-passphrase\fP - file containing the mount passphrase, wrapped with the login passphrase
79
\fI~/.ecryptfs/wrapped-passphrase\fP - file containing the mount passphrase, wrapped with the login passphrase
1723
80
80
1725
81
\fI~/.ecryptfs/wrapped-independent\fP - this file exists if the wrapping passphrase is independent from login passphrase
81
\fI~/.ecryptfs/wrapping-independent\fP - this file exists if the wrapping passphrase is independent from login passphrase
1726
82
82
1727
83
.SH SEE ALSO
83
.SH SEE ALSO
1728
84
.PD 0
84
.PD 0
1729
85
85
1730
=== added file 'doc/manpage/ecryptfs-setup-swap.1'
1731
--- doc/manpage/ecryptfs-setup-swap.1	1970-01-01 00:00:00 +0000
1732
+++ doc/manpage/ecryptfs-setup-swap.1	2010-02-17 20:48:18 +0000
1733
@@ -0,0 +1,29 @@
1734
1
.TH ecryptfs-setup-swap 1 2009-08-17 ecryptfs-utils "eCryptfs"
1735
2
.SH NAME
1736
3
ecryptfs-setup-swap \- ensure that any swap space is encrypted
1737
4
1738
5
.SH SYNOPSIS
1739
6
\fBecryptfs-setup-swap\fP [-f|--force]
1740
7
1741
8
.SH DESCRIPTION
1742
9
This script will detect existing swap partitions or swap files, and encrypt them, using cryptsetup.
1743
10
1744
11
Encrypted swap is essential to securing any system using eCryptfs, since decrypted file contents will exist in the system's memory, which may be swapped to disk at any time.  If the system swap space is not also encrypted, it is possible that decrypted files could be written to disk in clear text.
1745
12
1746
13
Note that most Linux distributions do not yet support resuming from an encrypted swap space, and thus hibernate/resume will not work.  Suspend/resume is unaffected.
1747
14
1748
15
Upon running the utility, the user will be informed of the hibernate/resume break, and asked to confirm the behavior.  The -f|--force option can be used to bypass this interactive prompt.
1749
16
1750
17
.SH SEE ALSO
1751
18
.PD 0
1752
19
.TP
1753
20
\fBcryptsetup\fP(8)
1754
21
1755
22
.TP
1756
23
\fIhttp://launchpad.net/ecryptfs/\fP
1757
24
.PD
1758
25
1759
26
.SH AUTHOR
1760
27
This manpage and the utility was written by Dustin Kirkland <kirkland@canonical.com> for Ubuntu systems (but may be used by others).  Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
1761
28
1762
29
On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
1763
0
30
1764
=== added file 'doc/manpage/ecryptfs-stat.1'
1765
--- doc/manpage/ecryptfs-stat.1	1970-01-01 00:00:00 +0000
1766
+++ doc/manpage/ecryptfs-stat.1	2010-02-17 20:48:18 +0000
1767
@@ -0,0 +1,18 @@
1768
1
.TH ecryptfs-setup-swap 1 2009-08-17 ecryptfs-utils "eCryptfs"
1769
2
.SH NAME
1770
3
ecryptfs-stat \- Present statistics on encrypted eCryptfs file attributes
1771
4
1772
5
.SH SYNOPSIS
1773
6
\fBecryptfs-stat\fP filename
1774
7
1775
8
.SH DESCRIPTION
1776
9
This program will present statistics on encrypted eCryptfs file and its attributes.
1777
10
1778
11
.TP
1779
12
\fIhttp://launchpad.net/ecryptfs/\fP
1780
13
.PD
1781
14
1782
15
.SH AUTHOR
1783
16
This manpage was written by Dustin Kirkland <kirkland@canonical.com> for Ubuntu systems (but may be used by others).  Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
1784
17
1785
18
On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
1786
0
19
1787
=== modified file 'doc/manpage/ecryptfs.7'
1788
--- doc/manpage/ecryptfs.7	2009-04-21 23:20:27 +0000
1789
+++ doc/manpage/ecryptfs.7	2010-02-17 20:48:18 +0000
1790
@@ -34,7 +34,7 @@
1791
34
Do not check the mount key signature against the values in the user's ~/.ecryptfs/sig-cache.txt file. This is useful for such things as non-interactive setup scripts, so that the mount helper does not stop and prompt the user in the event that the key sig is not in the cache.
34
Do not check the mount key signature against the values in the user's ~/.ecryptfs/sig-cache.txt file. This is useful for such things as non-interactive setup scripts, so that the mount helper does not stop and prompt the user in the event that the key sig is not in the cache.
1792
35
.TP
35
.TP
1793
36
.B ecryptfs_encrypted_view
36
.B ecryptfs_encrypted_view
1795
37
This option, when set, will have eCryptfs return the encrypted versions of the lower files, rather than decrypt encrypted files and return the decrypted data from the lower files. This options is useful for such things as backup utilities.
37
This option provides a unified encrypted file format of the eCryptfs files in the lower mount point.  Currently, it is only useful if the lower mount point contains files with the metadata stored in the extended attribute.  Upon a file read in the upper mount point, the encrypted version of the file will be presented with the metadata in the file header instead of the xattr.  Files cannot be opened for writing when this option is enabled. 
1796
38
.TP
38
.TP
1797
39
.B ecryptfs_xattr
39
.B ecryptfs_xattr
1798
40
Store the metadata in the extended attribute of the lower files rather than the header region of the lower files.
40
Store the metadata in the extended attribute of the lower files rather than the header region of the lower files.
1799
@@ -79,7 +79,7 @@
1800
79
The filename should be the filename of a file containing an RSA SSL key.
79
The filename should be the filename of a file containing an RSA SSL key.
1801
80
.TP
80
.TP
1802
81
.B openssl_passwd_file=(filename)
81
.B openssl_passwd_file=(filename)
1804
82
The password should be specified in a file with passwd=(openssl-password). It is highly reccomended that the file be stored on a secure medium such as a personal usb key.
82
The password should be specified in a file with openssl_passwd=(openssl-password). It is highly reccomended that the file be stored on a secure medium such as a personal usb key.
1805
83
.TP
83
.TP
1806
84
.B openssl_passwd_fd=(file descriptor)
84
.B openssl_passwd_fd=(file descriptor)
1807
85
The password is specified through the specified file descriptor.
85
The password is specified through the specified file descriptor.
1808
@@ -93,15 +93,13 @@
1809
93
93
1810
94
.PP
94
.PP
1811
95
95
1813
96
The following command will layover mount eCryptfs on /secret with a passphrase contained in a file stored on secure media mounted at /mnt/secureusb/.
96
The following command will layover mount eCryptfs on /secret with a passphrase contained in a file stored on secure media mounted at /mnt/usb/.
1814
97
97
1818
98
\fBmount -t ecryptfs -o
98
\fBmount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/mnt/usb/file.txt /secret /secret\fP
1816
99
key=passphrase:passphrase_passwd_file=/mnt/secureusb/passwd_file.txt
1817
100
/secret /secret\fP
1819
101
99
1820
102
.PP
100
.PP
1821
103
101
1823
104
Where passwd_file.txt contains the contents
102
Where file.txt contains the contents
1824
105
\fB"passphrase_passwd=[passphrase]"\fP.
103
\fB"passphrase_passwd=[passphrase]"\fP.
1825
106
104
1826
107
.SH SEE ALSO
105
.SH SEE ALSO
1827
@@ -119,6 +117,8 @@
1828
119
.SH NOTES
117
.SH NOTES
1829
120
Do not run eCryptfs in verbose-mode unless you are doing so for the sole purpose of development, since secret values will be written out to the system log in that case. Make certain that your eCryptfs mount covers all locations where your applications may write sensitive data. In addition, use dm-crypt to encrypt your swap space with a random key on boot, or see \fBecryptfs-setup-swap\fP(1).
118
Do not run eCryptfs in verbose-mode unless you are doing so for the sole purpose of development, since secret values will be written out to the system log in that case. Make certain that your eCryptfs mount covers all locations where your applications may write sensitive data. In addition, use dm-crypt to encrypt your swap space with a random key on boot, or see \fBecryptfs-setup-swap\fP(1).
1830
121
119
1831
120
Passphrases have a maximum length of 64 characters.
1832
121
1833
122
.SH BUGS
122
.SH BUGS
1834
123
Please post bug reports to the eCryptfs bug tracker on Launchpad.net: https://bugs.launchpad.net/ecryptfs/+filebug.
123
Please post bug reports to the eCryptfs bug tracker on Launchpad.net: https://bugs.launchpad.net/ecryptfs/+filebug.
1835
124
124
1836
@@ -128,131 +128,3 @@
1837
128
This manpage was (re-)written by Dustin Kirkland <kirkland@canonical.com> for Ubuntu systems (but may be used by others).  Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
128
This manpage was (re-)written by Dustin Kirkland <kirkland@canonical.com> for Ubuntu systems (but may be used by others).  Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
1838
129
129
1839
130
On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
130
On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
1840
131
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.35
1841
132
.\"
1842
133
.\" Standard preamble:
1843
134
.\" ========================================================================
1844
135
.de Sh \" Subsection heading
1845
136
.br
1846
137
.if t .Sp
1847
138
.ne 5
1848
139
.PP
1849
140
\fB\\$1\fR
1850
141
.PP
1851
142
..
1852
143
.de Sp \" Vertical space (when we can't use .PP)
1853
144
.if t .sp .5v
1854
145
.if n .sp
1855
146
..
1856
147
.de Vb \" Begin verbatim text
1857
148
.ft CW
1858
149
.nf
1859
150
.ne \\$1
1860
151
..
1861
152
.de Ve \" End verbatim text
1862
153
.ft R
1863
154
.fi
1864
155
..
1865
156
.\" Set up some character translations and predefined strings.  \*(-- will
1866
157
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
1867
158
.\" double quote, and \*(R" will give a right double quote.  | will give a
1868
159
.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
1869
160
.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
1870
161
.\" expand to `' in nroff, nothing in troff, for use with C<>.
1871
162
.tr \(*W-|\(bv\*(Tr
1872
163
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
1873
164
.ie n \{\
1874
165
.    ds -- \(*W-
1875
166
.    ds PI pi
1876
167
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
1877
168
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
1878
169
.    ds L" ""
1879
170
.    ds R" ""
1880
171
.    ds C` ""
1881
172
.    ds C' ""
1882
173
'br\}
1883
174
.el\{\
1884
175
.    ds -- \|\(em\|
1885
176
.    ds PI \(*p
1886
177
.    ds L" ``
1887
178
.    ds R" ''
1888
179
'br\}
1889
180
.\"
1890
181
.\" If the F register is turned on, we'll generate index entries on stderr for
1891
182
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
1892
183
.\" entries marked with X<> in POD.  Of course, you'll have to process the
1893
184
.\" output yourself in some meaningful fashion.
1894
185
.if \nF \{\
1895
186
.    de IX
1896
187
.    tm Index:\\$1\t\\n%\t"\\$2"
1897
188
..
1898
189
.    nr % 0
1899
190
.    rr F
1900
191
.\}
1901
192
.\"
1902
193
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
1903
194
.\" way too many mistakes in technical documents.
1904
195
.hy 0
1905
196
.if n .na
1906
197
.\"
1907
198
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
1908
199
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
1909
200
.    \" fudge factors for nroff and troff
1910
201
.if n \{\
1911
202
.    ds #H 0
1912
203
.    ds #V .8m
1913
204
.    ds #F .3m
1914
205
.    ds #[ \f1
1915
206
.    ds #] \fP
1916
207
.\}
1917
208
.if t \{\
1918
209
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
1919
210
.    ds #V .6m
1920
211
.    ds #F 0
1921
212
.    ds #[ \&
1922
213
.    ds #] \&
1923
214
.\}
1924
215
.    \" simple accents for nroff and troff
1925
216
.if n \{\
1926
217
.    ds ' \&
1927
218
.    ds ` \&
1928
219
.    ds ^ \&
1929
220
.    ds , \&
1930
221
.    ds ~ ~
1931
222
.    ds /
1932
223
.\}
1933
224
.if t \{\
1934
225
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
1935
226
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
1936
227
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
1937
228
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
1938
229
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
1939
230
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
1940
231
.\}
1941
232
.    \" troff and (daisy-wheel) nroff accents
1942
233
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
1943
234
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
1944
235
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
1945
236
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
1946
237
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
1947
238
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
1948
239
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
1949
240
.ds ae a\h'-(\w'a'u*4/10)'e
1950
241
.ds Ae A\h'-(\w'A'u*4/10)'E
1951
242
.    \" corrections for vroff
1952
243
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
1953
244
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
1954
245
.    \" for low resolution devices (crt and lpr)
1955
246
.if \n(.H>23 .if \n(.V>19 \
1956
247
\{\
1957
248
.    ds : e
1958
249
.    ds 8 ss
1959
250
.    ds o a
1960
251
.    ds d- d\h'-1'\(ga
1961
252
.    ds D- D\h'-1'\(hy
1962
253
.    ds th \o'bp'
1963
254
.    ds Th \o'LP'
1964
255
.    ds ae ae
1965
256
.    ds Ae AE
1966
257
.\}
1967
258
.rm #[ #] #H #V #F C
1968
259
131
1969
=== modified file 'doc/manpage/mount.ecryptfs_private.1'
1970
--- doc/manpage/mount.ecryptfs_private.1	2009-02-23 21:31:11 +0000
1971
+++ doc/manpage/mount.ecryptfs_private.1	2010-02-17 20:48:18 +0000
1972
@@ -8,7 +8,7 @@
1973
8
\fBNOTE:\fP This program will \fBnot\fP dynamically load the relevant keys.  For this reason, it is recommended that users use \fBecryptfs-mount-private\fP(1) instead!
8
\fBNOTE:\fP This program will \fBnot\fP dynamically load the relevant keys.  For this reason, it is recommended that users use \fBecryptfs-mount-private\fP(1) instead!
1974
9
9
1975
10
.SH DESCRIPTION
10
.SH DESCRIPTION
1977
11
\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users to cryptographically mount a private directory, ~/Private.
11
\fBmount.ecryptfs_private\fP is a mount helper utility for non-root users, who are members of \fBecryptfs\fP group, to cryptographically mount a private directory, ~/Private.
1978
12
12
1979
13
If, and only if:
13
If, and only if:
1980
14
  - the private mount passphrase is in their kernel keyring, and
14
  - the private mount passphrase is in their kernel keyring, and
1981
15
15
1982
=== added file 'doc/manpage/umount.ecryptfs.8'
1983
--- doc/manpage/umount.ecryptfs.8	1970-01-01 00:00:00 +0000
1984
+++ doc/manpage/umount.ecryptfs.8	2010-02-17 20:48:19 +0000
1985
@@ -0,0 +1,23 @@
1986
1
.TH umount.ecryptfs 8 2009-08-17 ecryptfs-utils "eCryptfs"
1987
2
.SH NAME
1988
3
umount.ecryptfs \- eCryptfs umount helper.
1989
4
1990
5
.SH SYNOPSIS
1991
6
\fBumount\fP [\fIecryptfs\ mount\ point\fP]
1992
7
1993
8
.SH DESCRIPTION
1994
9
\fBumount.ecryptfs\fP is an eCryptfs umount helper, that will also unlink keys from the keyring.
1995
10
1996
11
.SH "SEE ALSO"
1997
12
.PD 0
1998
13
.TP
1999
14
\fBmount.ecryptfs\fP(8), \fBmount\fP(8)
2000
15
2001
16
.TP
2002
17
\fIhttp://launchpad.net/ecryptfs/\fP
2003
18
.PD
2004
19
2005
20
.SH AUTHOR
2006
21
This manpage was written by Dustin Kirkland <kirkland@canonical.com> for Ubuntu systems (but may be used by others).  Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
2007
22
2008
23
On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
2009
0
24
2010
=== modified file 'doc/manpage/umount.ecryptfs_private.1'
2011
--- doc/manpage/umount.ecryptfs_private.1	2009-02-23 21:31:11 +0000
2012
+++ doc/manpage/umount.ecryptfs_private.1	2010-02-17 20:48:19 +0000
2013
@@ -14,7 +14,7 @@
2014
14
Force the unmount, ignoring the value of the mount counter in \fI/tmp/ecryptfs-USERNAME-Private\fP
14
Force the unmount, ignoring the value of the mount counter in \fI/tmp/ecryptfs-USERNAME-Private\fP
2015
15
15
2016
16
.SH DESCRIPTION
16
.SH DESCRIPTION
2018
17
\fBumount.ecryptfs_private\fP is a mount helper utility for non-root users to unmount a cryptographically mounted private directory, ~/Private.
17
\fBumount.ecryptfs_private\fP is a mount helper utility for non-root users, who ares members of \fBecryptfs\fP group, to unmount a cryptographically mounted private directory, ~/Private.
2019
18
18
2020
19
If, and only if:
19
If, and only if:
2021
20
  - the private mount passphrase is in their kernel keyring, and
20
  - the private mount passphrase is in their kernel keyring, and
2022
21
21
2023
=== modified file 'doc/sourceforge_webpage/README'
2024
--- doc/sourceforge_webpage/README	2009-02-03 08:50:36 +0000
2025
+++ doc/sourceforge_webpage/README	2010-02-17 20:48:19 +0000
2026
@@ -38,11 +38,6 @@
2027
38
    1.0 or higher)
38
    1.0 or higher)
2028
39
   - Finding its way into some distro's
39
   - Finding its way into some distro's
2029
40
   - Obtainable from <http://people.redhat.com/~dhowells/keyutils> 
40
   - Obtainable from <http://people.redhat.com/~dhowells/keyutils> 
2030
41
  - libgcrypt
2031
42
    - Part of most distro's; install the development package
2032
43
    - If you need to build from source, you probably will want these:
2033
44
     - <ftp://ftp.gnupg.org/gcrypt/libgpg-error>
2034
45
     - <ftp://ftp.gnupg.org/gcrypt/libgcrypt>
2035
46
41
2036
47
42
2037
48
KERNEL BUILD OPTIONS
43
KERNEL BUILD OPTIONS
2038
49
44
2039
=== added directory 'lintian'
2040
=== added file 'lintian/ecryptfs-utils'
2041
--- lintian/ecryptfs-utils	1970-01-01 00:00:00 +0000
2042
+++ lintian/ecryptfs-utils	2010-02-17 20:48:19 +0000
2043
@@ -0,0 +1,12 @@
2044
1
# This setuid is required for encrypted-home and encrypted-private;
2045
2
# Other distros or sysadmins could perhaps make it 4750, and create
2046
3
# an ecryptfs group, adding permitted users to this group (though
2047
4
# we're not doing this in Ubuntu).
2048
5
ecryptfs-utils: setuid-binary sbin/mount.ecryptfs_private 4755 root/root
2049
6
2050
7
# The *.desktop files should be executable
2051
8
ecryptfs-utils: executable-not-elf-or-script
2052
9
2053
10
# We're not creating these files, but rather moving them, and the utilities
2054
11
# that use them provide the necessary owernship checks.
2055
12
ecryptfs-utils: possibly-insecure-handling-of-tmp-files-in-maintainer-script
2056
0
13
2057
=== modified file 'scripts/build-ubuntu.sh'
2058
--- scripts/build-ubuntu.sh	2009-03-24 20:39:50 +0000
2059
+++ scripts/build-ubuntu.sh	2010-02-17 20:48:19 +0000
2060
@@ -7,5 +7,5 @@
2061
7
cd ubuntu
7
cd ubuntu
2062
8
tar zxvf *.orig.tar.gz
8
tar zxvf *.orig.tar.gz
2063
9
cd ecryptfs-utils*/
9
cd ecryptfs-utils*/
2065
10
cp -a ../../ecryptfs/debian .
10
cp -a ../../upstream/debian .
2066
11
debuild -uc -us
11
debuild -uc -us
2067
12
12
2068
=== modified file 'scripts/release.sh'
2069
--- scripts/release.sh	2009-04-22 00:17:57 +0000
2070
+++ scripts/release.sh	2010-02-17 20:48:19 +0000
2071
@@ -8,7 +8,7 @@
2072
8
	exit 1
8
	exit 1
2073
9
}
9
}
2074
10
10
2076
11
head -n1 debian/changelog | grep "unreleased" || error "This version must be 'unreleased'"
11
head -n1 debian/changelog | grep -i "unreleased" || error "This version must be 'unreleased'"
2077
12
12
2078
13
13
2079
14
rm -f ./ecryptfs-utils*.tar.*
14
rm -f ./ecryptfs-utils*.tar.*
2080
@@ -36,5 +36,9 @@
2081
36
echo "TO MAKE THE RELEASE OFFICIAL, UPLOAD:"
36
echo "TO MAKE THE RELEASE OFFICIAL, UPLOAD:"
2082
37
echo -n "  "
37
echo -n "  "
2083
38
ls ../ecryptfs-utils*.orig.tar.gz
38
ls ../ecryptfs-utils*.orig.tar.gz
2085
39
echo "---->  https://launchpad.net/ecryptfs/trunk"
39
echo "---->  https://launchpad.net/ecryptfs/trunk/+addrelease"
2086
40
echo
2087
41
echo " dch --release released"
2088
42
echo " debcommit --release"
2089
43
echo " bzr push lp:ecryptfs"
2090
40
echo
44
echo
2091
41
45
2092
=== modified file 'src/desktop/Makefile.am'
2093
--- src/desktop/Makefile.am	2009-04-07 22:33:58 +0000
2094
+++ src/desktop/Makefile.am	2010-02-17 20:48:19 +0000
2095
@@ -1,3 +1,4 @@
2096
1
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
1
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
2097
2
2
2099
3
dist_dataroot_DATA = ecryptfs-mount-private.desktop ecryptfs-setup-private.desktop ecryptfs-record-passphrase
3
eudatarootdir = $(datarootdir)/ecryptfs-utils
2100
4
dist_eudataroot_SCRIPTS = ecryptfs-mount-private.desktop ecryptfs-setup-private.desktop ecryptfs-record-passphrase
2101
4
5
2102
=== modified file 'src/desktop/ecryptfs-mount-private.desktop' (properties changed: -x to +x)
2103
=== modified file 'src/desktop/ecryptfs-record-passphrase' (properties changed: -x to +x)
2104
--- src/desktop/ecryptfs-record-passphrase	2009-04-07 22:33:58 +0000
2105
+++ src/desktop/ecryptfs-record-passphrase	2010-02-17 20:48:19 +0000
2106
@@ -6,13 +6,16 @@
2107
6
Terminal: True
6
Terminal: True
2108
7
Command: "sh -c 'ecryptfs-unwrap-passphrase $HOME/.ecryptfs/wrapped-passphrase 2>/dev/null && echo [Enter] && head -n1 && touch $HOME/.ecryptfs/.wrapped-passphrase.recorded '"
7
Command: "sh -c 'ecryptfs-unwrap-passphrase $HOME/.ecryptfs/wrapped-passphrase 2>/dev/null && echo [Enter] && head -n1 && touch $HOME/.ecryptfs/.wrapped-passphrase.recorded '"
2109
8
Description: To encrypt your home directory or "Private" folder, a strong
8
Description: To encrypt your home directory or "Private" folder, a strong
2111
9
 passphrase has been autogenerated. Usually your directory is unlocked
9
 passphrase has been automatically generated. Usually your directory is unlocked
2112
10
 with your user password, but if you ever need to manually recover this
10
 with your user password, but if you ever need to manually recover this
2113
11
 directory, you will need this passphrase. Please print or write it down and
11
 directory, you will need this passphrase. Please print or write it down and
2114
12
 store it in a safe location.
12
 store it in a safe location.
2115
13
 .
13
 .
2118
14
 You can run the "ecryptfs-unwrap-passphrase" command now to do this. Enter
14
 If you click "Run this action now", enter your login password at the "Passphrase"
2119
15
 your user password at the "Passphrase" prompt.
15
 prompt and you can display your randomly generated passphrase.
2120
16
 .
2121
17
 Otherwise, you will need to run "ecryptfs-unwrap-passphrase" from the command
2122
18
 line to retrive and record your generated passphrase.
2123
16
Description-de: Um Ihr Heimat- oder "Private"-Verzeichnis zu verschlüsseln,
19
Description-de: Um Ihr Heimat- oder "Private"-Verzeichnis zu verschlüsseln,
2124
17
 wurde automatisch ein starkes Passwort geniert. Normalerweise wird Ihr
20
 wurde automatisch ein starkes Passwort geniert. Normalerweise wird Ihr
2125
18
 Verzeichnis mit Ihrem Benutzerpasswort freigegeben, aber wenn Sie jemals
21
 Verzeichnis mit Ihrem Benutzerpasswort freigegeben, aber wenn Sie jemals
2126
19
22
2127
=== modified file 'src/desktop/ecryptfs-setup-private.desktop' (properties changed: -x to +x)
2128
=== modified file 'src/include/ecryptfs.h'
2129
--- src/include/ecryptfs.h	2009-02-06 13:20:40 +0000
2130
+++ src/include/ecryptfs.h	2010-02-17 20:48:19 +0000
2131
@@ -512,6 +512,7 @@
2132
512
					    uint32_t version);
512
					    uint32_t version);
2133
513
int get_string(char *val, int len, int echo);
513
int get_string(char *val, int len, int echo);
2134
514
int get_string_stdin(char **val, char *prompt, int echo);
514
int get_string_stdin(char **val, char *prompt, int echo);
2135
515
int stack_pop(struct val_node **head);
2136
515
int stack_pop_val(struct val_node **head, void **val);
516
int stack_pop_val(struct val_node **head, void **val);
2137
516
int ecryptfs_mount(char *source, char *target, unsigned long flags, char *opts);
517
int ecryptfs_mount(char *source, char *target, unsigned long flags, char *opts);
2138
517
int ecryptfs_get_current_kernel_ciphers(
518
int ecryptfs_get_current_kernel_ciphers(
2139
@@ -581,6 +582,7 @@
2140
581
int ecryptfs_insert_wrapped_passphrase_into_keyring(
582
int ecryptfs_insert_wrapped_passphrase_into_keyring(
2141
582
	char *auth_tok_sig, char *filename, char *wrapping_passphrase,
583
	char *auth_tok_sig, char *filename, char *wrapping_passphrase,
2142
583
	char *salt);
584
	char *salt);
2143
585
char *ecryptfs_get_wrapped_passphrase_filename();
2144
584
struct ecryptfs_key_mod_ops *passphrase_get_key_mod_ops(void);
586
struct ecryptfs_key_mod_ops *passphrase_get_key_mod_ops(void);
2145
585
int ecryptfs_validate_keyring(void);
587
int ecryptfs_validate_keyring(void);
2146
586
#define ECRYPTFS_SHM_KEY 0x3c81b7f5
588
#define ECRYPTFS_SHM_KEY 0x3c81b7f5
2147
@@ -630,5 +632,8 @@
2148
630
char *ecryptfs_get_passphrase(char *prompt);
632
char *ecryptfs_get_passphrase(char *prompt);
2149
631
int ecryptfs_run_daemon(struct ecryptfs_messaging_ctx *mctx);
633
int ecryptfs_run_daemon(struct ecryptfs_messaging_ctx *mctx);
2150
632
634
2151
635
#define ECRYPTFS_PRIVATE_DIR "Private"
2152
636
char *ecryptfs_fetch_private_mnt(char *pw_dir);
2153
637
int ecryptfs_private_is_mounted(char *dev, char *mnt, char *sig, int mounting);
2154
633
638
2155
634
#endif
639
#endif
2156
635
640
2157
=== modified file 'src/key_mod/ecryptfs_key_mod_gpg.c'
2158
--- src/key_mod/ecryptfs_key_mod_gpg.c	2009-04-22 09:05:00 +0000
2159
+++ src/key_mod/ecryptfs_key_mod_gpg.c	2010-02-17 20:48:19 +0000
2160
@@ -18,6 +18,7 @@
2161
18
 * 02111-1307, USA.
18
 * 02111-1307, USA.
2162
19
 */
19
 */
2163
20
20
2164
21
#include "config.h"
2165
21
#include <fcntl.h>
22
#include <fcntl.h>
2166
22
#include <pwd.h>
23
#include <pwd.h>
2167
23
#include <stdio.h>
24
#include <stdio.h>
2168
@@ -29,7 +30,6 @@
2169
29
#include <gpgme.h>
30
#include <gpgme.h>
2170
30
#include <sys/types.h>
31
#include <sys/types.h>
2171
31
#include <sys/stat.h>
32
#include <sys/stat.h>
2172
32
#include "config.h"
2173
33
#include "../include/ecryptfs.h"
33
#include "../include/ecryptfs.h"
2174
34
#include "../include/decision_graph.h"
34
#include "../include/decision_graph.h"
2175
35
35
2176
@@ -131,7 +131,7 @@
2177
131
131
2178
132
int ecryptfs_gpg_encrypt(char *to, int size, char *from, unsigned char *blob)
132
int ecryptfs_gpg_encrypt(char *to, int size, char *from, unsigned char *blob)
2179
133
{
133
{
2181
134
	int rc;
134
	int rc = 0;
2182
135
135
2183
136
/*	gpg_op_encrypt(...); */
136
/*	gpg_op_encrypt(...); */
2184
137
out:
137
out:
2185
@@ -251,7 +251,7 @@
2186
251
			 struct val_node **head, void **foo)
251
			 struct val_node **head, void **foo)
2187
252
{
252
{
2188
253
	struct key_mod_gpg *key_mod_gpg = (struct key_mod_gpg *)(*foo);
253
	struct key_mod_gpg *key_mod_gpg = (struct key_mod_gpg *)(*foo);
2190
254
	int i;
254
	int i = 0;
2191
255
	gpgme_error_t err;
255
	gpgme_error_t err;
2192
256
	int rc = 0;
256
	int rc = 0;
2193
257
	gpgme_key_t key;
257
	gpgme_key_t key;
2194
@@ -283,10 +283,7 @@
2195
283
283
2196
284
static int generate_name_val_list(struct ecryptfs_name_val_pair *head)
284
static int generate_name_val_list(struct ecryptfs_name_val_pair *head)
2197
285
{
285
{
2198
286
	struct stat buf;
2199
287
	int i = 0;
2200
288
	uid_t id = getuid();
286
	uid_t id = getuid();
2201
289
	struct passwd *pw = getpwuid(id);
2202
290
	int rc = 0;
287
	int rc = 0;
2203
291
288
2204
292
	head->next = NULL;
289
	head->next = NULL;
2205
@@ -304,6 +301,7 @@
2206
304
		destroy_key_mod_gpg(key_mod_gpg);
301
		destroy_key_mod_gpg(key_mod_gpg);
2207
305
		free(key_mod_gpg);
302
		free(key_mod_gpg);
2208
306
	}
303
	}
2209
304
	return 0;
2210
307
}
305
}
2211
308
306
2212
309
307
2213
@@ -312,7 +310,6 @@
2214
312
{
310
{
2215
313
	struct key_mod_gpg *key_mod_gpg;
311
	struct key_mod_gpg *key_mod_gpg;
2216
314
	gpgme_error_t err;
312
	gpgme_error_t err;
2217
315
	gpgme_keylist_result_t keylist_res;
2218
316
	int rc = 0;
313
	int rc = 0;
2219
317
314
2220
318
	(*foo) = NULL;
315
	(*foo) = NULL;
2221
@@ -329,7 +326,7 @@
2222
329
	if ((err = gpgme_op_keylist_start(key_mod_gpg->ctx, "", 0))) {
326
	if ((err = gpgme_op_keylist_start(key_mod_gpg->ctx, "", 0))) {
2223
330
		printf("Error attempting to start keylist\n");
327
		printf("Error attempting to start keylist\n");
2224
331
		rc = -EINVAL;
328
		rc = -EINVAL;
2226
332
		gpgme_release(ctx);
329
		gpgme_release(key_mod_gpg->ctx);
2227
333
		free(key_mod_gpg);
330
		free(key_mod_gpg);
2228
334
		goto out;
331
		goto out;
2229
335
	}
332
	}
2230
336
333
2231
=== modified file 'src/key_mod/ecryptfs_key_mod_openssl.c'
2232
--- src/key_mod/ecryptfs_key_mod_openssl.c	2009-04-22 09:05:00 +0000
2233
+++ src/key_mod/ecryptfs_key_mod_openssl.c	2010-02-17 20:48:19 +0000
2234
@@ -550,6 +550,30 @@
2235
550
	return rc;
550
	return rc;
2236
551
}
551
}
2237
552
552
2238
553
static int limit_key_size(struct val_node **params, 
2239
554
			  struct ecryptfs_subgraph_ctx *subgraph_ctx)
2240
555
{
2241
556
	char *buf;
2242
557
	int rc;
2243
558
	RSA *rsa = NULL;
2244
559
2245
560
	if ((rc=ecryptfs_openssl_read_key(&rsa, 
2246
561
				(unsigned char *)subgraph_ctx->key_mod->blob)))
2247
562
		return rc;
2248
563
	/* 41 is for padding and 3 are for additional data send from 
2249
564
	 * kernel (1 for cipher type and 2 for checksum */
2250
565
	if ((rc = asprintf(&buf, "max_key_bytes=%d", 
2251
566
			   RSA_size(rsa)-41-3)) == -1) {
2252
567
		rc = -ENOMEM;
2253
568
		goto out;
2254
569
	}
2255
570
2256
571
	rc = stack_push(params, buf);
2257
572
out:	
2258
573
	RSA_free(rsa);
2259
574
	return rc;
2260
575
}
2261
576
2262
553
/**
577
/**
2263
554
 *
578
 *
2264
555
 * 
579
 * 
2265
@@ -575,6 +599,7 @@
2266
575
		syslog(LOG_ERR, "Error processing OpenSSL key; rc = [%d]", rc);
599
		syslog(LOG_ERR, "Error processing OpenSSL key; rc = [%d]", rc);
2267
576
		goto out;
600
		goto out;
2268
577
	}
601
	}
2269
602
	limit_key_size(mnt_params, subgraph_ctx);
2270
578
	ecryptfs_openssl_destroy_subgraph_ctx(subgraph_ctx);
603
	ecryptfs_openssl_destroy_subgraph_ctx(subgraph_ctx);
2271
579
	free(subgraph_ctx);
604
	free(subgraph_ctx);
2272
580
	(*foo) = NULL;
605
	(*foo) = NULL;
2273
@@ -629,7 +654,7 @@
2274
629
		walker = walker->next;
654
		walker = walker->next;
2275
630
	}
655
	}
2276
631
	if (!walker) {
656
	if (!walker) {
2278
632
		syslog(LOG_ERR, "%s: No passwd option found in file\n",
657
		syslog(LOG_ERR, "%s: No openssl_passwd option found in file\n",
2279
633
		       __FUNCTION__);
658
		       __FUNCTION__);
2280
634
		rc = MOUNT_ERROR;
659
		rc = MOUNT_ERROR;
2281
635
		goto out;
660
		goto out;
2282
@@ -639,6 +664,7 @@
2283
639
		syslog(LOG_ERR, "Error processing OpenSSL key; rc = [%d]", rc);
664
		syslog(LOG_ERR, "Error processing OpenSSL key; rc = [%d]", rc);
2284
640
		goto out;
665
		goto out;
2285
641
	}
666
	}
2286
667
	limit_key_size(mnt_params, subgraph_ctx);
2287
642
	ecryptfs_openssl_destroy_subgraph_ctx(subgraph_ctx);
668
	ecryptfs_openssl_destroy_subgraph_ctx(subgraph_ctx);
2288
643
	free(subgraph_ctx);
669
	free(subgraph_ctx);
2289
644
	(*foo) = NULL;
670
	(*foo) = NULL;
2290
@@ -727,7 +753,7 @@
2291
727
	 .display_opts = NULL,
753
	 .display_opts = NULL,
2292
728
	 .default_val = NULL,
754
	 .default_val = NULL,
2293
729
	 .suggested_val = NULL,
755
	 .suggested_val = NULL,
2295
730
	 .flags = ECRYPTFS_PARAM_FLAG_MASK_OUTPUT,
756
	 .flags = ECRYPTFS_PARAM_FLAG_MASK_OUTPUT | VERIFY_VALUE,
2296
731
	 .num_transitions = 1,
757
	 .num_transitions = 1,
2297
732
	 .tl = {{.val = NULL,
758
	 .tl = {{.val = NULL,
2298
733
		 .pretty_val = NULL,
759
		 .pretty_val = NULL,
2299
734
760
2300
=== modified file 'src/key_mod/ecryptfs_key_mod_pkcs11_helper.c'
2301
--- src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2009-04-22 09:05:00 +0000
2302
+++ src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2010-02-17 20:48:19 +0000
2303
@@ -20,6 +20,7 @@
2304
20
 * 02111-1307, USA.
20
 * 02111-1307, USA.
2305
21
 */
21
 */
2306
22
22
2307
23
#include "config.h"
2308
23
#include <fcntl.h>
24
#include <fcntl.h>
2309
24
#include <pwd.h>
25
#include <pwd.h>
2310
25
#include <stdio.h>
26
#include <stdio.h>
2311
@@ -28,11 +29,12 @@
2312
28
#include <errno.h>
29
#include <errno.h>
2313
29
#include <stdlib.h>
30
#include <stdlib.h>
2314
30
#include <unistd.h>
31
#include <unistd.h>
2315
32
#include <openssl/err.h>
2316
33
#include <openssl/pem.h>
2317
31
#include <openssl/x509.h>
34
#include <openssl/x509.h>
2318
32
#include <sys/types.h>
35
#include <sys/types.h>
2319
33
#include <sys/stat.h>
36
#include <sys/stat.h>
2320
34
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
37
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
2321
35
#include "config.h"
2322
36
#include "../include/ecryptfs.h"
38
#include "../include/ecryptfs.h"
2323
37
#include "../include/decision_graph.h"
39
#include "../include/decision_graph.h"
2324
38
40
2325
@@ -590,7 +592,6 @@
2326
590
		char dn[1024] = {0};
592
		char dn[1024] = {0};
2327
591
		char serial[1024] = {0};
593
		char serial[1024] = {0};
2328
592
		char *ser = NULL;
594
		char *ser = NULL;
2329
593
		char *ssh_key = NULL;
2330
594
		size_t ser_len = 0;
595
		size_t ser_len = 0;
2331
595
		int n;
596
		int n;
2332
596
597
2333
@@ -1536,7 +1537,6 @@
2334
1536
	struct ecryptfs_ctx *ctx = &_ctx;
1537
	struct ecryptfs_ctx *ctx = &_ctx;
2335
1537
	struct ecryptfs_name_val_pair nvp_head;
1538
	struct ecryptfs_name_val_pair nvp_head;
2336
1538
	struct val_node *dummy_mnt_params;
1539
	struct val_node *dummy_mnt_params;
2337
1539
	uid_t id;
2338
1540
	struct passwd *pw;
1540
	struct passwd *pw;
2339
1541
	char *rcfile_fullpath = NULL;
1541
	char *rcfile_fullpath = NULL;
2340
1542
	int fd;
1542
	int fd;
2341
@@ -1647,6 +1647,7 @@
2342
1647
	if (pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val)
1647
	if (pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val)
2343
1648
		free(pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val);
1648
		free(pkcs11h_key_param_nodes[PKCS11H_KEY_TOK_ID].suggested_val);
2344
1649
	pkcs11h_terminate ();
1649
	pkcs11h_terminate ();
2345
1650
	return 0;
2346
1650
}
1651
}
2347
1651
1652
2348
1652
static struct ecryptfs_key_mod_ops ecryptfs_pkcs11h_ops = {
1653
static struct ecryptfs_key_mod_ops ecryptfs_pkcs11h_ops = {
2349
1653
1654
2350
=== modified file 'src/key_mod/ecryptfs_key_mod_tspi.c'
2351
--- src/key_mod/ecryptfs_key_mod_tspi.c	2009-02-09 15:33:25 +0000
2352
+++ src/key_mod/ecryptfs_key_mod_tspi.c	2010-02-17 20:48:19 +0000
2353
@@ -317,6 +317,7 @@
2354
317
	struct tspi_data tspi_data;
317
	struct tspi_data tspi_data;
2355
318
	struct ecryptfs_tspi_connect_ticket *ticket;
318
	struct ecryptfs_tspi_connect_ticket *ticket;
2356
319
	int rc = 0;
319
	int rc = 0;
2357
320
	BYTE wellknown[] = TSS_WELL_KNOWN_SECRET;
2358
320
321
2359
321
	pthread_mutex_lock(&encrypt_lock);
322
	pthread_mutex_lock(&encrypt_lock);
2360
322
	(*to_size) = 0;
323
	(*to_size) = 0;
2361
@@ -345,8 +346,9 @@
2362
345
		rc = -EIO;
346
		rc = -EIO;
2363
346
		goto out;
347
		goto out;
2364
347
	}
348
	}
2367
348
	if ((result = Tspi_Policy_SetSecret(h_srk_policy, TSS_SECRET_MODE_PLAIN,
349
	if ((result = Tspi_Policy_SetSecret(h_srk_policy,
2368
349
					    0, NULL))
350
					    TSS_SECRET_MODE_SHA1,
2369
351
					    sizeof(wellknown), wellknown))
2370
350
	    != TSS_SUCCESS) {
352
	    != TSS_SUCCESS) {
2371
351
		syslog(LOG_ERR, "Tspi_Policy_SetSecret failed: [%s]\n",
353
		syslog(LOG_ERR, "Tspi_Policy_SetSecret failed: [%s]\n",
2372
352
		       Trspi_Error_String(result));
354
		       Trspi_Error_String(result));
2373
@@ -415,6 +417,7 @@
2374
415
	struct ecryptfs_tspi_connect_ticket *ticket;
417
	struct ecryptfs_tspi_connect_ticket *ticket;
2375
416
	TSS_RESULT result;
418
	TSS_RESULT result;
2376
417
	int rc = 0;
419
	int rc = 0;
2377
420
	BYTE wellknown[] = TSS_WELL_KNOWN_SECRET;
2378
418
421
2379
419
	pthread_mutex_lock(&decrypt_lock);
422
	pthread_mutex_lock(&decrypt_lock);
2380
420
	ecryptfs_tspi_deserialize(&tspi_data, blob);
423
	ecryptfs_tspi_deserialize(&tspi_data, blob);
2381
@@ -442,7 +445,8 @@
2382
442
		goto out;
445
		goto out;
2383
443
	}
446
	}
2384
444
	if ((result = Tspi_Policy_SetSecret(h_srk_policy,
447
	if ((result = Tspi_Policy_SetSecret(h_srk_policy,
2386
445
					    TSS_SECRET_MODE_PLAIN, 0, NULL))
448
					    TSS_SECRET_MODE_SHA1,
2387
449
					    sizeof(wellknown), wellknown))
2388
446
	    != TSS_SUCCESS) {
450
	    != TSS_SUCCESS) {
2389
447
		syslog(LOG_ERR, "Tspi_Policy_SetSecret failed: [%s]\n",
451
		syslog(LOG_ERR, "Tspi_Policy_SetSecret failed: [%s]\n",
2390
448
		       Trspi_Error_String(result));
452
		       Trspi_Error_String(result));
2391
449
453
2392
=== modified file 'src/libecryptfs-swig/libecryptfs.i'
2393
--- src/libecryptfs-swig/libecryptfs.i	2009-02-03 08:50:36 +0000
2394
+++ src/libecryptfs-swig/libecryptfs.i	2010-02-17 20:48:19 +0000
2395
@@ -9,7 +9,7 @@
2396
9
#include "../include/ecryptfs.h"
9
#include "../include/ecryptfs.h"
2397
10
10
2398
11
%typemap(out) binary_data {
11
%typemap(out) binary_data {
2400
12
    $result = PyString_FromStringAndSize($1.data,$1.size);
12
    $result = PyString_FromStringAndSize((char *)($1.data),$1.size);
2401
13
}
13
}
2402
14
14
2403
15
extern binary_data ecryptfs_passphrase_blob(char *salt, char *passphrase);
15
extern binary_data ecryptfs_passphrase_blob(char *salt, char *passphrase);
2404
16
16
2405
=== modified file 'src/libecryptfs-swig/libecryptfs.py'
2406
--- src/libecryptfs-swig/libecryptfs.py	2009-02-03 08:50:36 +0000
2407
+++ src/libecryptfs-swig/libecryptfs.py	2010-02-17 20:48:19 +0000
2408
@@ -1,5 +1,5 @@
2409
1
# This file was automatically generated by SWIG (http://www.swig.org).
1
# This file was automatically generated by SWIG (http://www.swig.org).
2411
2
# Version 1.3.31
2
# Version 1.3.36
2412
3
#
3
#
2413
4
# Don't modify this file, modify the SWIG interface instead.
4
# Don't modify this file, modify the SWIG interface instead.
2414
5
# This file is compatible with both classic and new-style classes.
5
# This file is compatible with both classic and new-style classes.
2415
6
6
2416
=== modified file 'src/libecryptfs-swig/libecryptfs_wrap.c'
2417
--- src/libecryptfs-swig/libecryptfs_wrap.c	2009-02-03 08:50:36 +0000
2418
+++ src/libecryptfs-swig/libecryptfs_wrap.c	2010-02-17 20:48:19 +0000
2419
@@ -1,6 +1,6 @@
2420
1
/* ----------------------------------------------------------------------------
1
/* ----------------------------------------------------------------------------
2421
2
 * This file was automatically generated by SWIG (http://www.swig.org).
2
 * This file was automatically generated by SWIG (http://www.swig.org).
2423
3
 * Version 1.3.31
3
 * Version 1.3.36
2424
4
 * 
4
 * 
2425
5
 * This file is not intended to be easily readable and contains a number of 
5
 * This file is not intended to be easily readable and contains a number of 
2426
6
 * coding conventions designed to improve portability and efficiency. Do not make
6
 * coding conventions designed to improve portability and efficiency. Do not make
2427
@@ -17,14 +17,14 @@
2428
17
17
2429
18
/* template workaround for compilers that cannot correctly implement the C++ standard */
18
/* template workaround for compilers that cannot correctly implement the C++ standard */
2430
19
#ifndef SWIGTEMPLATEDISAMBIGUATOR
19
#ifndef SWIGTEMPLATEDISAMBIGUATOR
2437
20
# if defined(__SUNPRO_CC)
20
# if defined(__SUNPRO_CC) && (__SUNPRO_CC <= 0x560)
2438
21
#   if (__SUNPRO_CC <= 0x560)
21
#  define SWIGTEMPLATEDISAMBIGUATOR template
2439
22
#     define SWIGTEMPLATEDISAMBIGUATOR template
22
# elif defined(__HP_aCC)
2440
23
#   else
23
/* Needed even with `aCC -AA' when `aCC -V' reports HP ANSI C++ B3910B A.03.55 */
2441
24
#     define SWIGTEMPLATEDISAMBIGUATOR 
24
/* If we find a maximum version that requires this, the test would be __HP_aCC <= 35500 for A.03.55 */
2442
25
#   endif
25
#  define SWIGTEMPLATEDISAMBIGUATOR template
2443
26
# else
26
# else
2445
27
#   define SWIGTEMPLATEDISAMBIGUATOR 
27
#  define SWIGTEMPLATEDISAMBIGUATOR
2446
28
# endif
28
# endif
2447
29
#endif
29
#endif
2448
30
30
2449
@@ -52,6 +52,12 @@
2450
52
# endif
52
# endif
2451
53
#endif
53
#endif
2452
54
54
2453
55
#ifndef SWIG_MSC_UNSUPPRESS_4505
2454
56
# if defined(_MSC_VER)
2455
57
#   pragma warning(disable : 4505) /* unreferenced local function has been removed */
2456
58
# endif 
2457
59
#endif
2458
60
2459
55
#ifndef SWIGUNUSEDPARM
61
#ifndef SWIGUNUSEDPARM
2460
56
# ifdef __cplusplus
62
# ifdef __cplusplus
2461
57
#   define SWIGUNUSEDPARM(p)
63
#   define SWIGUNUSEDPARM(p)
2462
@@ -107,6 +113,12 @@
2463
107
# define _CRT_SECURE_NO_DEPRECATE
113
# define _CRT_SECURE_NO_DEPRECATE
2464
108
#endif
114
#endif
2465
109
115
2466
116
/* Deal with Microsoft's attempt at deprecating methods in the standard C++ library */
2467
117
#if !defined(SWIG_NO_SCL_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_SCL_SECURE_NO_DEPRECATE)
2468
118
# define _SCL_SECURE_NO_DEPRECATE
2469
119
#endif
2470
120
2471
121
2472
110
122
2473
111
/* Python.h has to appear first */
123
/* Python.h has to appear first */
2474
112
#include <Python.h>
124
#include <Python.h>
2475
@@ -120,7 +132,7 @@
2476
120
132
2477
121
/* This should only be incremented when either the layout of swig_type_info changes,
133
/* This should only be incremented when either the layout of swig_type_info changes,
2478
122
   or for whatever reason, the runtime changes incompatibly */
134
   or for whatever reason, the runtime changes incompatibly */
2480
123
#define SWIG_RUNTIME_VERSION "3"
135
#define SWIG_RUNTIME_VERSION "4"
2481
124
136
2482
125
/* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
137
/* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
2483
126
#ifdef SWIG_TYPE_TABLE
138
#ifdef SWIG_TYPE_TABLE
2484
@@ -155,6 +167,7 @@
2485
155
167
2486
156
/* Flags for pointer conversions */
168
/* Flags for pointer conversions */
2487
157
#define SWIG_POINTER_DISOWN        0x1
169
#define SWIG_POINTER_DISOWN        0x1
2488
170
#define SWIG_CAST_NEW_MEMORY       0x2
2489
158
171
2490
159
/* Flags for new pointer objects */
172
/* Flags for new pointer objects */
2491
160
#define SWIG_POINTER_OWN           0x1
173
#define SWIG_POINTER_OWN           0x1
2492
@@ -295,10 +308,10 @@
2493
295
extern "C" {
308
extern "C" {
2494
296
#endif
309
#endif
2495
297
310
2497
298
typedef void *(*swig_converter_func)(void *);
311
typedef void *(*swig_converter_func)(void *, int *);
2498
299
typedef struct swig_type_info *(*swig_dycast_func)(void **);
312
typedef struct swig_type_info *(*swig_dycast_func)(void **);
2499
300
313
2501
301
/* Structure to store inforomation on one type */
314
/* Structure to store information on one type */
2502
302
typedef struct swig_type_info {
315
typedef struct swig_type_info {
2503
303
  const char             *name;			/* mangled name of this type */
316
  const char             *name;			/* mangled name of this type */
2504
304
  const char             *str;			/* human readable name of this type */
317
  const char             *str;			/* human readable name of this type */
2505
@@ -343,7 +356,7 @@
2506
343
    while ((*f2 == ' ') && (f2 != l2)) ++f2;
356
    while ((*f2 == ' ') && (f2 != l2)) ++f2;
2507
344
    if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1;
357
    if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1;
2508
345
  }
358
  }
2510
346
  return (l1 - f1) - (l2 - f2);
359
  return (int)((l1 - f1) - (l2 - f2));
2511
347
}
360
}
2512
348
361
2513
349
/*
362
/*
2514
@@ -425,8 +438,8 @@
2515
425
  Cast a pointer up an inheritance hierarchy
438
  Cast a pointer up an inheritance hierarchy
2516
426
*/
439
*/
2517
427
SWIGRUNTIMEINLINE void *
440
SWIGRUNTIMEINLINE void *
2520
428
SWIG_TypeCast(swig_cast_info *ty, void *ptr) {
441
SWIG_TypeCast(swig_cast_info *ty, void *ptr, int *newmemory) {
2521
429
  return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr);
442
  return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr, newmemory);
2522
430
}
443
}
2523
431
444
2524
432
/* 
445
/* 
2525
@@ -850,7 +863,7 @@
2526
850
    Py_DECREF(old_str);
863
    Py_DECREF(old_str);
2527
851
    Py_DECREF(value);
864
    Py_DECREF(value);
2528
852
  } else {
865
  } else {
2530
853
    PyErr_Format(PyExc_RuntimeError, mesg);
866
    PyErr_SetString(PyExc_RuntimeError, mesg);
2531
854
  }
867
  }
2532
855
}
868
}
2533
856
869
2534
@@ -1090,14 +1103,14 @@
2535
1090
/* Unpack the argument tuple */
1103
/* Unpack the argument tuple */
2536
1091
1104
2537
1092
SWIGINTERN int
1105
SWIGINTERN int
2539
1093
SWIG_Python_UnpackTuple(PyObject *args, const char *name, int min, int max, PyObject **objs)
1106
SWIG_Python_UnpackTuple(PyObject *args, const char *name, Py_ssize_t min, Py_ssize_t max, PyObject **objs)
2540
1094
{
1107
{
2541
1095
  if (!args) {
1108
  if (!args) {
2542
1096
    if (!min && !max) {
1109
    if (!min && !max) {
2543
1097
      return 1;
1110
      return 1;
2544
1098
    } else {
1111
    } else {
2545
1099
      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", 
1112
      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", 
2547
1100
		   name, (min == max ? "" : "at least "), min);
1113
		   name, (min == max ? "" : "at least "), (int)min);
2548
1101
      return 0;
1114
      return 0;
2549
1102
    }
1115
    }
2550
1103
  }  
1116
  }  
2551
@@ -1105,14 +1118,14 @@
2552
1105
    PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple");
1118
    PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple");
2553
1106
    return 0;
1119
    return 0;
2554
1107
  } else {
1120
  } else {
2556
1108
    register int l = PyTuple_GET_SIZE(args);
1121
    register Py_ssize_t l = PyTuple_GET_SIZE(args);
2557
1109
    if (l < min) {
1122
    if (l < min) {
2558
1110
      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
1123
      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
2560
1111
		   name, (min == max ? "" : "at least "), min, l);
1124
		   name, (min == max ? "" : "at least "), (int)min, (int)l);
2561
1112
      return 0;
1125
      return 0;
2562
1113
    } else if (l > max) {
1126
    } else if (l > max) {
2563
1114
      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
1127
      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
2565
1115
		   name, (min == max ? "" : "at most "), max, l);
1128
		   name, (min == max ? "" : "at most "), (int)max, (int)l);
2566
1116
      return 0;
1129
      return 0;
2567
1117
    } else {
1130
    } else {
2568
1118
      register int i;
1131
      register int i;
2569
@@ -1410,7 +1423,7 @@
2570
1410
{
1423
{
2571
1411
  PySwigObject *sobj = (PySwigObject *) v;
1424
  PySwigObject *sobj = (PySwigObject *) v;
2572
1412
  PyObject *next = sobj->next;
1425
  PyObject *next = sobj->next;
2574
1413
  if (sobj->own) {
1426
  if (sobj->own == SWIG_POINTER_OWN) {
2575
1414
    swig_type_info *ty = sobj->ty;
1427
    swig_type_info *ty = sobj->ty;
2576
1415
    PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
1428
    PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
2577
1416
    PyObject *destroy = data ? data->destroy : 0;
1429
    PyObject *destroy = data ? data->destroy : 0;
2578
@@ -1428,12 +1441,13 @@
2579
1428
	res = ((*meth)(mself, v));
1441
	res = ((*meth)(mself, v));
2580
1429
      }
1442
      }
2581
1430
      Py_XDECREF(res);
1443
      Py_XDECREF(res);
2583
1431
    } else {
1444
    } 
2584
1445
#if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
2585
1446
    else {
2586
1432
      const char *name = SWIG_TypePrettyName(ty);
1447
      const char *name = SWIG_TypePrettyName(ty);
2589
1433
#if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
1448
      printf("swig/python detected a memory leak of type '%s', no destructor found.\n", (name ? name : "unknown"));
2590
1434
      printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name);
1449
    }
2591
1435
#endif
1450
#endif
2592
1436
    }
2593
1437
  } 
1451
  } 
2594
1438
  Py_XDECREF(next);
1452
  Py_XDECREF(next);
2595
1439
  PyObject_DEL(v);
1453
  PyObject_DEL(v);
2596
@@ -1591,9 +1605,11 @@
2597
1591
    (unaryfunc)0,                 /*nb_float*/
1605
    (unaryfunc)0,                 /*nb_float*/
2598
1592
    (unaryfunc)PySwigObject_oct,  /*nb_oct*/
1606
    (unaryfunc)PySwigObject_oct,  /*nb_oct*/
2599
1593
    (unaryfunc)PySwigObject_hex,  /*nb_hex*/
1607
    (unaryfunc)PySwigObject_hex,  /*nb_hex*/
2603
1594
#if PY_VERSION_HEX >= 0x02020000
1608
#if PY_VERSION_HEX >= 0x02050000 /* 2.5.0 */
2604
1595
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ 
1609
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_index */
2605
1596
#elif PY_VERSION_HEX >= 0x02000000
1610
#elif PY_VERSION_HEX >= 0x02020000 /* 2.2.0 */
2606
1611
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */
2607
1612
#elif PY_VERSION_HEX >= 0x02000000 /* 2.0.0 */
2608
1597
    0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */
1613
    0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */
2609
1598
#endif
1614
#endif
2610
1599
  };
1615
  };
2611
@@ -1936,7 +1952,7 @@
2612
1936
1952
2613
1937
SWIGRUNTIME int
1953
SWIGRUNTIME int
2614
1938
SWIG_Python_AcquirePtr(PyObject *obj, int own) {
1954
SWIG_Python_AcquirePtr(PyObject *obj, int own) {
2616
1939
  if (own) {
1955
  if (own == SWIG_POINTER_OWN) {
2617
1940
    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
1956
    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
2618
1941
    if (sobj) {
1957
    if (sobj) {
2619
1942
      int oldown = sobj->own;
1958
      int oldown = sobj->own;
2620
@@ -1957,6 +1973,8 @@
2621
1957
    return SWIG_OK;
1973
    return SWIG_OK;
2622
1958
  } else {
1974
  } else {
2623
1959
    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
1975
    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
2624
1976
    if (own)
2625
1977
      *own = 0;
2626
1960
    while (sobj) {
1978
    while (sobj) {
2627
1961
      void *vptr = sobj->ptr;
1979
      void *vptr = sobj->ptr;
2628
1962
      if (ty) {
1980
      if (ty) {
2629
@@ -1970,7 +1988,15 @@
2630
1970
	  if (!tc) {
1988
	  if (!tc) {
2631
1971
	    sobj = (PySwigObject *)sobj->next;
1989
	    sobj = (PySwigObject *)sobj->next;
2632
1972
	  } else {
1990
	  } else {
2634
1973
	    if (ptr) *ptr = SWIG_TypeCast(tc,vptr);
1991
	    if (ptr) {
2635
1992
              int newmemory = 0;
2636
1993
              *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
2637
1994
              if (newmemory == SWIG_CAST_NEW_MEMORY) {
2638
1995
                assert(own);
2639
1996
                if (own)
2640
1997
                  *own = *own | SWIG_CAST_NEW_MEMORY;
2641
1998
              }
2642
1999
            }
2643
1974
	    break;
2000
	    break;
2644
1975
	  }
2001
	  }
2645
1976
	}
2002
	}
2646
@@ -1980,7 +2006,8 @@
2647
1980
      }
2006
      }
2648
1981
    }
2007
    }
2649
1982
    if (sobj) {
2008
    if (sobj) {
2651
1983
      if (own) *own = sobj->own;
2009
      if (own)
2652
2010
        *own = *own | sobj->own;
2653
1984
      if (flags & SWIG_POINTER_DISOWN) {
2011
      if (flags & SWIG_POINTER_DISOWN) {
2654
1985
	sobj->own = 0;
2012
	sobj->own = 0;
2655
1986
      }
2013
      }
2656
@@ -2045,8 +2072,13 @@
2657
2045
    }
2072
    }
2658
2046
    if (ty) {
2073
    if (ty) {
2659
2047
      swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
2074
      swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
2662
2048
      if (!tc) return SWIG_ERROR;
2075
      if (tc) {
2663
2049
      *ptr = SWIG_TypeCast(tc,vptr);
2076
        int newmemory = 0;
2664
2077
        *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
2665
2078
        assert(!newmemory); /* newmemory handling not yet implemented */
2666
2079
      } else {
2667
2080
        return SWIG_ERROR;
2668
2081
      }
2669
2050
    } else {
2082
    } else {
2670
2051
      *ptr = vptr;
2083
      *ptr = vptr;
2671
2052
    }
2084
    }
2672
@@ -2469,7 +2501,7 @@
2673
2469
2501
2674
2470
#define SWIG_name    "_libecryptfs"
2502
#define SWIG_name    "_libecryptfs"
2675
2471
2503
2677
2472
#define SWIGVERSION 0x010331 
2504
#define SWIGVERSION 0x010336 
2678
2473
#define SWIG_VERSION SWIGVERSION
2505
#define SWIG_VERSION SWIGVERSION
2679
2474
2506
2680
2475
2507
2681
@@ -2567,7 +2599,6 @@
2682
2567
  PyObject *resultobj = 0;
2599
  PyObject *resultobj = 0;
2683
2568
  char *arg1 = (char *) 0 ;
2600
  char *arg1 = (char *) 0 ;
2684
2569
  char *arg2 = (char *) 0 ;
2601
  char *arg2 = (char *) 0 ;
2685
2570
  binary_data result;
2686
2571
  int res1 ;
2602
  int res1 ;
2687
2572
  char *buf1 = 0 ;
2603
  char *buf1 = 0 ;
2688
2573
  int alloc1 = 0 ;
2604
  int alloc1 = 0 ;
2689
@@ -2576,6 +2607,7 @@
2690
2576
  int alloc2 = 0 ;
2607
  int alloc2 = 0 ;
2691
2577
  PyObject * obj0 = 0 ;
2608
  PyObject * obj0 = 0 ;
2692
2578
  PyObject * obj1 = 0 ;
2609
  PyObject * obj1 = 0 ;
2693
2610
  binary_data result;
2694
2579
  
2611
  
2695
2580
  if (!PyArg_ParseTuple(args,(char *)"OO:ecryptfs_passphrase_blob",&obj0,&obj1)) SWIG_fail;
2612
  if (!PyArg_ParseTuple(args,(char *)"OO:ecryptfs_passphrase_blob",&obj0,&obj1)) SWIG_fail;
2696
2581
  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
2613
  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
2697
@@ -2590,7 +2622,7 @@
2698
2590
  arg2 = (char *)(buf2);
2622
  arg2 = (char *)(buf2);
2699
2591
  result = ecryptfs_passphrase_blob(arg1,arg2);
2623
  result = ecryptfs_passphrase_blob(arg1,arg2);
2700
2592
  {
2624
  {
2702
2593
    resultobj = PyString_FromStringAndSize((char *)(&result)->data,(&result)->size);
2625
    resultobj = PyString_FromStringAndSize((char *)((&result)->data),(&result)->size);
2703
2594
  }
2626
  }
2704
2595
  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
2627
  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
2705
2596
  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
2628
  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
2706
@@ -2605,11 +2637,11 @@
2707
2605
SWIGINTERN PyObject *_wrap_ecryptfs_passphrase_sig_from_blob(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
2637
SWIGINTERN PyObject *_wrap_ecryptfs_passphrase_sig_from_blob(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
2708
2606
  PyObject *resultobj = 0;
2638
  PyObject *resultobj = 0;
2709
2607
  char *arg1 = (char *) 0 ;
2639
  char *arg1 = (char *) 0 ;
2710
2608
  binary_data result;
2711
2609
  int res1 ;
2640
  int res1 ;
2712
2610
  char *buf1 = 0 ;
2641
  char *buf1 = 0 ;
2713
2611
  int alloc1 = 0 ;
2642
  int alloc1 = 0 ;
2714
2612
  PyObject * obj0 = 0 ;
2643
  PyObject * obj0 = 0 ;
2715
2644
  binary_data result;
2716
2613
  
2645
  
2717
2614
  if (!PyArg_ParseTuple(args,(char *)"O:ecryptfs_passphrase_sig_from_blob",&obj0)) SWIG_fail;
2646
  if (!PyArg_ParseTuple(args,(char *)"O:ecryptfs_passphrase_sig_from_blob",&obj0)) SWIG_fail;
2718
2615
  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
2647
  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
2719
@@ -2619,7 +2651,7 @@
2720
2619
  arg1 = (char *)(buf1);
2651
  arg1 = (char *)(buf1);
2721
2620
  result = ecryptfs_passphrase_sig_from_blob(arg1);
2652
  result = ecryptfs_passphrase_sig_from_blob(arg1);
2722
2621
  {
2653
  {
2724
2622
    resultobj = PyString_FromStringAndSize((char *)(&result)->data,(&result)->size);
2654
    resultobj = PyString_FromStringAndSize((char *)((&result)->data),(&result)->size);
2725
2623
  }
2655
  }
2726
2624
  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
2656
  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
2727
2625
  return resultobj;
2657
  return resultobj;
2728
@@ -2633,15 +2665,15 @@
2729
2633
  PyObject *resultobj = 0;
2665
  PyObject *resultobj = 0;
2730
2634
  char *arg1 = (char *) 0 ;
2666
  char *arg1 = (char *) 0 ;
2731
2635
  char *arg2 = (char *) 0 ;
2667
  char *arg2 = (char *) 0 ;
2732
2668
  int res1 ;
2733
2669
  char *buf1 = 0 ;
2734
2670
  int alloc1 = 0 ;
2735
2671
  int res2 ;
2736
2672
  char *buf2 = 0 ;
2737
2673
  int alloc2 = 0 ;
2738
2674
  PyObject * obj0 = 0 ;
2739
2675
  PyObject * obj1 = 0 ;
2740
2636
  int result;
2676
  int result;
2741
2637
  int res1 ;
2742
2638
  char *buf1 = 0 ;
2743
2639
  int alloc1 = 0 ;
2744
2640
  int res2 ;
2745
2641
  char *buf2 = 0 ;
2746
2642
  int alloc2 = 0 ;
2747
2643
  PyObject * obj0 = 0 ;
2748
2644
  PyObject * obj1 = 0 ;
2749
2645
  
2677
  
2750
2646
  if (!PyArg_ParseTuple(args,(char *)"OO:ecryptfs_add_blob_to_keyring",&obj0,&obj1)) SWIG_fail;
2678
  if (!PyArg_ParseTuple(args,(char *)"OO:ecryptfs_add_blob_to_keyring",&obj0,&obj1)) SWIG_fail;
2751
2647
  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
2679
  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
2752
@@ -2754,7 +2786,7 @@
2753
2754
SWIG_InitializeModule(void *clientdata) {
2786
SWIG_InitializeModule(void *clientdata) {
2754
2755
  size_t i;
2787
  size_t i;
2755
2756
  swig_module_info *module_head, *iter;
2788
  swig_module_info *module_head, *iter;
2757
2757
  int found;
2789
  int found, init;
2758
2758
  
2790
  
2759
2759
  clientdata = clientdata;
2791
  clientdata = clientdata;
2760
2760
  
2792
  
2761
@@ -2764,6 +2796,9 @@
2762
2764
    swig_module.type_initial = swig_type_initial;
2796
    swig_module.type_initial = swig_type_initial;
2763
2765
    swig_module.cast_initial = swig_cast_initial;
2797
    swig_module.cast_initial = swig_cast_initial;
2764
2766
    swig_module.next = &swig_module;
2798
    swig_module.next = &swig_module;
2765
2799
    init = 1;
2766
2800
  } else {
2767
2801
    init = 0;
2768
2767
  }
2802
  }
2769
2768
  
2803
  
2770
2769
  /* Try and load any already created modules */
2804
  /* Try and load any already created modules */
2771
@@ -2792,6 +2827,12 @@
2772
2792
    module_head->next = &swig_module;
2827
    module_head->next = &swig_module;
2773
2793
  }
2828
  }
2774
2794
  
2829
  
2775
2830
  /* When multiple interpeters are used, a module could have already been initialized in
2776
2831
       a different interpreter, but not yet have a pointer in this interpreter.
2777
2832
       In this case, we do not want to continue adding types... everything should be
2778
2833
       set up already */
2779
2834
  if (init == 0) return;
2780
2835
  
2781
2795
  /* Now work on filling in swig_module.types */
2836
  /* Now work on filling in swig_module.types */
2782
2796
#ifdef SWIGRUNTIME_DEBUG
2837
#ifdef SWIGRUNTIME_DEBUG
2783
2797
  printf("SWIG_InitializeModule: size %d\n", swig_module.size);
2838
  printf("SWIG_InitializeModule: size %d\n", swig_module.size);
2784
2798
2839
2785
=== modified file 'src/libecryptfs/cipher_list.c'
2786
--- src/libecryptfs/cipher_list.c	2009-04-22 09:05:00 +0000
2787
+++ src/libecryptfs/cipher_list.c	2010-02-17 20:48:19 +0000
2788
@@ -338,7 +338,7 @@
2789
338
	{"tea", "tea.ko", 8, 16, 16, 7, 0},
338
	{"tea", "tea.ko", 8, 16, 16, 7, 0},
2790
339
	{"xeta", "tea.ko", 8, 16, 16, 9, 0},
339
	{"xeta", "tea.ko", 8, 16, 16, 9, 0},
2791
340
	{"xtea", "tea.ko", 8, 16, 16, 8, 0},
340
	{"xtea", "tea.ko", 8, 16, 16, 8, 0},
2793
341
	{"blowfish", "blowfish.ko", 16, 16, 32, 2, 1},
341
	{"blowfish", "blowfish.ko", 16, 16, 56, 2, 1},
2794
342
	{"twofish", "twofish.ko", 16, 16, 32, 4, 1},
342
	{"twofish", "twofish.ko", 16, 16, 32, 4, 1},
2795
343
	{"khazad", "khazad.ko", 8, 16, 16, 11, 0},
343
	{"khazad", "khazad.ko", 8, 16, 16, 11, 0},
2796
344
	{"cast5", "cast5.ko", 8, 5, 16, 14, 1},
344
	{"cast5", "cast5.ko", 8, 5, 16, 14, 1},
2797
345
345
2798
=== modified file 'src/libecryptfs/cmd_ln_parser.c'
2799
--- src/libecryptfs/cmd_ln_parser.c	2009-04-22 09:05:00 +0000
2800
+++ src/libecryptfs/cmd_ln_parser.c	2010-02-17 20:48:19 +0000
2801
@@ -200,7 +200,7 @@
2802
200
200
2803
201
	fd = open(fullpath, O_RDONLY);
201
	fd = open(fullpath, O_RDONLY);
2804
202
	if (fd == -1) {
202
	if (fd == -1) {
2806
203
		rc = -EIO;
203
		rc = -errno;
2807
204
		goto out;
204
		goto out;
2808
205
	}
205
	}
2809
206
	rc = parse_options_file(fd, nvp_list_head);
206
	rc = parse_options_file(fd, nvp_list_head);
2810
207
207
2811
=== modified file 'src/libecryptfs/decision_graph.c'
2812
--- src/libecryptfs/decision_graph.c	2009-04-23 16:31:05 +0000
2813
+++ src/libecryptfs/decision_graph.c	2010-02-17 20:48:19 +0000
2814
@@ -209,8 +209,15 @@
2815
209
		  struct ecryptfs_name_val_pair *nvp_head,
209
		  struct ecryptfs_name_val_pair *nvp_head,
2816
210
		  struct val_node **mnt_params, void **foo)
210
		  struct val_node **mnt_params, void **foo)
2817
211
{
211
{
2818
212
	static int repeated = 0;
2819
213
	static struct param_node *lastnode = NULL;
2820
212
	int i, rc;
214
	int i, rc;
2821
213
215
2822
216
	if (current != lastnode)
2823
217
		repeated = 0;
2824
218
2825
219
	lastnode = current;
2826
220
2827
214
	for (i = 0; i < current->num_transitions; i++) {
221
	for (i = 0; i < current->num_transitions; i++) {
2828
215
		struct transition_node *tn = &current->tl[i];
222
		struct transition_node *tn = &current->tl[i];
2829
216
		struct ecryptfs_name_val_pair *nvp = nvp_head->next;
223
		struct ecryptfs_name_val_pair *nvp = nvp_head->next;
2830
@@ -275,11 +282,17 @@
2831
275
				trans_func_tok_id =
282
				trans_func_tok_id =
2832
276
					tn->trans_func(ctx, current,
283
					tn->trans_func(ctx, current,
2833
277
						       mnt_params, foo);
284
						       mnt_params, foo);
2839
278
			if (trans_func_tok_id == WRONG_VALUE && 
285
			if (trans_func_tok_id == WRONG_VALUE) { 
2840
279
			    (ctx->verbosity || 
286
				if (ctx->verbosity || 
2841
280
			     (current->flags & STDIN_REQUIRED))) {
287
				    (current->flags & STDIN_REQUIRED)) {
2842
281
			    *next = current;
288
						if (++repeated >= 5)
2843
282
			    return 0;
289
							return -EINVAL;
2844
290
						else {
2845
291
							*next = current;
2846
292
							return 0;
2847
293
						}
2848
294
				} else 
2849
295
					return -EINVAL;
2850
283
			}
296
			}
2851
284
			if (trans_func_tok_id == MOUNT_ERROR || 
297
			if (trans_func_tok_id == MOUNT_ERROR || 
2852
285
			    trans_func_tok_id < 0)
298
			    trans_func_tok_id < 0)
2853
@@ -289,6 +302,8 @@
2854
289
			else return -EINVAL;
302
			else return -EINVAL;
2855
290
		}
303
		}
2856
291
	}
304
	}
2857
305
	if (current->num_transitions)
2858
306
		return MOUNT_ERROR;
2859
292
	return NULL_TOK;
307
	return NULL_TOK;
2860
293
}
308
}
2861
294
309
2862
@@ -560,10 +575,13 @@
2863
560
			}
575
			}
2864
561
			prompt[i] = '\0';
576
			prompt[i] = '\0';
2865
562
get_value:
577
get_value:
2870
563
			rc = (ctx->get_string)
578
			if ((rc = (ctx->get_string)
2871
564
				(&(node->val), prompt,
579
				      (&(node->val), prompt,
2872
565
				 (node->flags
580
					(node->flags
2873
566
				  & ECRYPTFS_PARAM_FLAG_ECHO_INPUT));
581
					  & ECRYPTFS_PARAM_FLAG_ECHO_INPUT)))) {
2874
582
				free(prompt);
2875
583
				return rc;
2876
584
			}
2877
567
			val = atoi(node->val);
585
			val = atoi(node->val);
2878
568
			if (val > 0 && val <= node->num_transitions) {
586
			if (val > 0 && val <= node->num_transitions) {
2879
569
				free(node->val);
587
				free(node->val);
2880
@@ -627,26 +645,34 @@
2881
627
				(&(node->val), prompt,
645
				(&(node->val), prompt,
2882
628
				 (node->flags
646
				 (node->flags
2883
629
				  & ECRYPTFS_PARAM_FLAG_ECHO_INPUT));
647
				  & ECRYPTFS_PARAM_FLAG_ECHO_INPUT));
2884
648
			free(prompt);
2885
649
			if (rc)
2886
650
				goto out;
2887
630
			if (node->val[0] == '\0' && 
651
			if (node->val[0] == '\0' && 
2888
631
			    (node->flags & ECRYPTFS_NONEMPTY_VALUE_REQUIRED)) {
652
			    (node->flags & ECRYPTFS_NONEMPTY_VALUE_REQUIRED)) {
2889
632
				fprintf(stderr,"Wrong input, non-empty value "
653
				fprintf(stderr,"Wrong input, non-empty value "
2890
633
					"required!\n");
654
					"required!\n");
2891
634
				goto obtain_value;
655
				goto obtain_value;
2892
635
			}
656
			}
2893
636
			free(prompt);
2894
637
			if (node->flags & VERIFY_VALUE) {
657
			if (node->flags & VERIFY_VALUE) {
2895
638
				rc = asprintf(&verify_prompt, "Verify %s",
658
				rc = asprintf(&verify_prompt, "Verify %s",
2896
639
					      node->prompt);
659
					      node->prompt);
2897
640
				if (rc == -1)
660
				if (rc == -1)
2899
641
					return MOUNT_ERROR;
661
					return -ENOMEM;
2900
642
				rc = (ctx->get_string)
662
				rc = (ctx->get_string)
2901
643
					(&verify, verify_prompt,
663
					(&verify, verify_prompt,
2902
644
					 (node->flags
664
					 (node->flags
2903
645
					  & ECRYPTFS_PARAM_FLAG_ECHO_INPUT));
665
					  & ECRYPTFS_PARAM_FLAG_ECHO_INPUT));
2904
666
				free(verify_prompt);
2905
646
				if (rc)
667
				if (rc)
2908
647
					return MOUNT_ERROR;
668
					return -EIO;
2909
648
				if (strcmp(verify, node->val))
669
				rc = strcmp(verify, node->val); 
2910
670
				free(verify);
2911
671
				if (rc) {
2912
672
					free(node->val);
2913
673
					node->val = NULL;
2914
649
					goto obtain_value;
674
					goto obtain_value;
2915
675
				}
2916
650
			}
676
			}
2917
651
			if (node->val[0] == '\0') {
677
			if (node->val[0] == '\0') {
2918
652
				free(node->val);
678
				free(node->val);
2919
653
679
2920
=== modified file 'src/libecryptfs/key_management.c'
2921
--- src/libecryptfs/key_management.c	2009-04-22 09:36:25 +0000
2922
+++ src/libecryptfs/key_management.c	2010-02-17 20:48:19 +0000
2923
@@ -18,13 +18,10 @@
2924
18
 * 02111-1307, USA.
18
 * 02111-1307, USA.
2925
19
 */
19
 */
2926
20
20
2927
21
#include "config.h"
2928
21
#include <errno.h>
22
#include <errno.h>
2929
22
#ifdef ENABLE_NSS
2930
23
#include <nss.h>
23
#include <nss.h>
2931
24
#include <pk11func.h>
24
#include <pk11func.h>
2932
25
#else
2933
26
#include <gcrypt.h>
2934
27
#endif /* #ifdef ENABLE_NSS */
2935
28
#include <keyutils.h>
25
#include <keyutils.h>
2936
29
#ifndef S_SPLINT_S
26
#ifndef S_SPLINT_S
2937
30
#include <stdio.h>
27
#include <stdio.h>
2938
@@ -38,7 +35,7 @@
2939
38
#include <sys/mman.h>
35
#include <sys/mman.h>
2940
39
#include <sys/types.h>
36
#include <sys/types.h>
2941
40
#include <sys/stat.h>
37
#include <sys/stat.h>
2943
41
#include "config.h"
38
#include <pwd.h>
2944
42
#include "../include/ecryptfs.h"
39
#include "../include/ecryptfs.h"
2945
43
40
2946
44
#ifndef ENOKEY
41
#ifndef ENOKEY
2947
@@ -166,8 +163,6 @@
2948
166
	rc = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user", auth_tok_sig, 0);
163
	rc = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user", auth_tok_sig, 0);
2949
167
	if (rc != -1) { /* we already have this key in keyring; we're done */
164
	if (rc != -1) { /* we already have this key in keyring; we're done */
2950
168
		rc = 1;
165
		rc = 1;
2951
169
		syslog(LOG_WARNING, "Passphrase key already in keyring;"
2952
170
		       " rc = [%d]\n", rc);
2953
171
		goto out;
166
		goto out;
2954
172
	} else if ((rc == -1) && (errno != ENOKEY)) {
167
	} else if ((rc == -1) && (errno != ENOKEY)) {
2955
173
		int errnum = errno;
168
		int errnum = errno;
2956
@@ -180,11 +175,11 @@
2957
180
	rc = add_key("user", auth_tok_sig, (void *)auth_tok,
175
	rc = add_key("user", auth_tok_sig, (void *)auth_tok,
2958
181
		     sizeof(struct ecryptfs_auth_tok), KEY_SPEC_USER_KEYRING);
176
		     sizeof(struct ecryptfs_auth_tok), KEY_SPEC_USER_KEYRING);
2959
182
	if (rc == -1) {
177
	if (rc == -1) {
2962
183
		int errnum = errno;
178
		rc = -errno;
2961
184
2963
185
		syslog(LOG_ERR, "Error adding key with sig [%s]; rc = [%d] "
179
		syslog(LOG_ERR, "Error adding key with sig [%s]; rc = [%d] "
2964
186
		       "\"%m\"\n", auth_tok_sig, rc);
180
		       "\"%m\"\n", auth_tok_sig, rc);
2966
187
		rc = (errnum < 0) ? errnum : errnum * -1;
181
		if (rc == -EDQUOT)
2967
182
			syslog(LOG_WARNING, "Error adding key to keyring - keyring is full\n");
2968
188
		goto out;
183
		goto out;
2969
189
	}
184
	}
2970
190
	rc = 0;
185
	rc = 0;
2971
@@ -300,7 +295,6 @@
2972
300
		ECRYPTFS_AES_BLOCK_SIZE + 1];
295
		ECRYPTFS_AES_BLOCK_SIZE + 1];
2973
301
	int encrypted_passphrase_pos = 0;
296
	int encrypted_passphrase_pos = 0;
2974
302
	int decrypted_passphrase_pos = 0;
297
	int decrypted_passphrase_pos = 0;
2975
303
#ifdef ENABLE_NSS
2976
304
	int tmp1_outlen = 0;
298
	int tmp1_outlen = 0;
2977
305
	int tmp2_outlen = 0;
299
	int tmp2_outlen = 0;
2978
306
	SECStatus err;
300
	SECStatus err;
2979
@@ -309,11 +303,6 @@
2980
309
	PK11SlotInfo *slot = NULL;
303
	PK11SlotInfo *slot = NULL;
2981
310
	PK11Context *enc_ctx = NULL;
304
	PK11Context *enc_ctx = NULL;
2982
311
	SECItem *sec_param = NULL;
305
	SECItem *sec_param = NULL;
2983
312
#else
2984
313
#warning Building against gcrypt instead of nss
2985
314
	gcry_cipher_hd_t gcry_handle;
2986
315
	gcry_error_t gcry_err;
2987
316
#endif /* #ifdef ENABLE_NSS */
2988
317
	int encrypted_passphrase_bytes;
306
	int encrypted_passphrase_bytes;
2989
318
	int decrypted_passphrase_bytes;
307
	int decrypted_passphrase_bytes;
2990
319
	int fd;
308
	int fd;
2991
@@ -345,7 +334,6 @@
2992
345
					       - (decrypted_passphrase_bytes
334
					       - (decrypted_passphrase_bytes
2993
346
						  % ECRYPTFS_AES_BLOCK_SIZE));
335
						  % ECRYPTFS_AES_BLOCK_SIZE));
2994
347
	encrypted_passphrase_bytes = decrypted_passphrase_bytes;
336
	encrypted_passphrase_bytes = decrypted_passphrase_bytes;
2995
348
#ifdef ENABLE_NSS
2996
349
	NSS_NoDB_Init(NULL);
337
	NSS_NoDB_Init(NULL);
2997
350
	slot = PK11_GetBestSlot(CKM_AES_ECB, NULL);
338
	slot = PK11_GetBestSlot(CKM_AES_ECB, NULL);
2998
351
	key_item.data = (unsigned char *)wrapping_key;
339
	key_item.data = (unsigned char *)wrapping_key;
2999
@@ -406,41 +394,6 @@
3000
406
		rc = - EIO;
394
		rc = - EIO;
3001
407
		goto out;
395
		goto out;
3002
408
	}
396
	}
3003
409
#else
3004
410
	if ((gcry_err = gcry_cipher_open(&gcry_handle, GCRY_CIPHER_AES,
3005
411
					 GCRY_CIPHER_MODE_ECB, 0))) {
3006
412
		syslog(LOG_ERR, "Error attempting to initialize AES cipher; "
3007
413
		       "gcry_error_t = [%d]\n", gcry_err);
3008
414
		rc = -EIO;
3009
415
		goto out;
3010
416
	}
3011
417
	if ((gcry_err = gcry_cipher_setkey(gcry_handle, wrapping_key,
3012
418
					   ECRYPTFS_AES_KEY_BYTES))) {
3013
419
		syslog(LOG_ERR, "Error attempting to set AES key; "
3014
420
		       "gcry_error_t = [%d]\n", gcry_err);
3015
421
		rc = -EIO;
3016
422
		gcry_cipher_close(gcry_handle);
3017
423
		goto out;
3018
424
	}
3019
425
	while (decrypted_passphrase_bytes > 0) {
3020
426
		if ((gcry_err = gcry_cipher_encrypt(
3021
427
			     gcry_handle,
3022
428
			     &encrypted_passphrase[encrypted_passphrase_pos],
3023
429
			     ECRYPTFS_AES_BLOCK_SIZE,
3024
430
			     &decrypted_passphrase[decrypted_passphrase_pos],
3025
431
			     ECRYPTFS_AES_BLOCK_SIZE))) {
3026
432
			syslog(LOG_ERR, "Error attempting to encrypt block; "
3027
433
			       "gcry_error = [%d]\n", gcry_err);
3028
434
			rc = -EIO;
3029
435
			gcry_cipher_close(gcry_handle);
3030
436
			goto out;
3031
437
		}
3032
438
		encrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE;
3033
439
		decrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE;
3034
440
		decrypted_passphrase_bytes -= ECRYPTFS_AES_BLOCK_SIZE;
3035
441
	}
3036
442
	gcry_cipher_close(gcry_handle);
3037
443
#endif /* #ifdef ENABLE_NSS */
3038
444
	unlink(filename);
397
	unlink(filename);
3039
445
	if ((fd = open(filename, (O_WRONLY | O_CREAT | O_EXCL),
398
	if ((fd = open(filename, (O_WRONLY | O_CREAT | O_EXCL),
3040
446
		       (S_IRUSR | S_IWUSR))) == -1) {
399
		       (S_IRUSR | S_IWUSR))) == -1) {
3041
@@ -486,7 +439,6 @@
3042
486
	char encrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1];
439
	char encrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1];
3043
487
	int encrypted_passphrase_pos = 0;
440
	int encrypted_passphrase_pos = 0;
3044
488
	int decrypted_passphrase_pos = 0;
441
	int decrypted_passphrase_pos = 0;
3045
489
#ifdef ENABLE_NSS
3046
490
	int tmp1_outlen = 0;
442
	int tmp1_outlen = 0;
3047
491
	int tmp2_outlen = 0;
443
	int tmp2_outlen = 0;
3048
492
	SECStatus err;
444
	SECStatus err;
3049
@@ -495,10 +447,6 @@
3050
495
	PK11SlotInfo *slot = NULL;
447
	PK11SlotInfo *slot = NULL;
3051
496
	PK11Context *enc_ctx = NULL;
448
	PK11Context *enc_ctx = NULL;
3052
497
	SECItem *sec_param = NULL;
449
	SECItem *sec_param = NULL;
3053
498
#else
3054
499
	gcry_cipher_hd_t gcry_handle;
3055
500
	gcry_error_t gcry_err;
3056
501
#endif /* #ifdef ENABLE_NSS */
3057
502
	int encrypted_passphrase_bytes;
450
	int encrypted_passphrase_bytes;
3058
503
	int fd;
451
	int fd;
3059
504
	ssize_t size;
452
	ssize_t size;
3060
@@ -545,7 +493,6 @@
3061
545
		goto out;
493
		goto out;
3062
546
	}
494
	}
3063
547
	encrypted_passphrase_bytes = size;
495
	encrypted_passphrase_bytes = size;
3064
548
#ifdef ENABLE_NSS
3065
549
	NSS_NoDB_Init(NULL);
496
	NSS_NoDB_Init(NULL);
3066
550
	slot = PK11_GetBestSlot(CKM_AES_ECB, NULL);
497
	slot = PK11_GetBestSlot(CKM_AES_ECB, NULL);
3067
551
	key_item.data = (unsigned char *)wrapping_key;
498
	key_item.data = (unsigned char *)wrapping_key;
3068
@@ -605,41 +552,6 @@
3069
605
		rc = - EIO;
552
		rc = - EIO;
3070
606
		goto out;
553
		goto out;
3071
607
	}
554
	}
3072
608
#else
3073
609
	if ((gcry_err = gcry_cipher_open(&gcry_handle, GCRY_CIPHER_AES,
3074
610
					 GCRY_CIPHER_MODE_ECB, 0))) {
3075
611
		syslog(LOG_ERR, "Error attempting to initialize AES cipher; "
3076
612
		       "gcry_error_t = [%d]\n", gcry_err);
3077
613
		rc = -EIO;
3078
614
		goto out;
3079
615
	}
3080
616
	if ((gcry_err = gcry_cipher_setkey(gcry_handle, wrapping_key,
3081
617
					   ECRYPTFS_AES_KEY_BYTES))) {
3082
618
		syslog(LOG_ERR, "Error attempting to set AES key; "
3083
619
		       "gcry_error_t = [%d]\n", gcry_err);
3084
620
		rc = -EIO;
3085
621
		gcry_cipher_close(gcry_handle);
3086
622
		goto out;
3087
623
	}
3088
624
	memset(decrypted_passphrase, 0, ECRYPTFS_MAX_PASSPHRASE_BYTES + 1);
3089
625
	while (encrypted_passphrase_bytes > 0) {
3090
626
		if ((gcry_err = gcry_cipher_decrypt(
3091
627
			     gcry_handle,
3092
628
			     &decrypted_passphrase[encrypted_passphrase_pos],
3093
629
			     ECRYPTFS_AES_BLOCK_SIZE,
3094
630
			     &encrypted_passphrase[decrypted_passphrase_pos],
3095
631
			     ECRYPTFS_AES_BLOCK_SIZE))) {
3096
632
			syslog(LOG_ERR, "Error attempting to decrypt block; "
3097
633
			       "gcry_error = [%d]\n", gcry_err);
3098
634
			rc = -EIO;
3099
635
			gcry_cipher_close(gcry_handle);
3100
636
			goto out;
3101
637
		}
3102
638
		encrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE;
3103
639
		decrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE;
3104
640
		encrypted_passphrase_bytes -= ECRYPTFS_AES_BLOCK_SIZE;
3105
641
	}
3106
642
#endif /* #ifdef ENABLE_NSS */
3107
643
out:
555
out:
3108
644
	return rc;
556
	return rc;
3109
645
}
557
}
3110
@@ -676,18 +588,20 @@
3111
676
		if ((rc = ecryptfs_add_passphrase_key_to_keyring(
588
		if ((rc = ecryptfs_add_passphrase_key_to_keyring(
3112
677
					auth_tok_sig,
589
					auth_tok_sig,
3113
678
					decrypted_passphrase,
590
					decrypted_passphrase,
3115
679
					ECRYPTFS_DEFAULT_SALT_FNEK_HEX))) {
591
					ECRYPTFS_DEFAULT_SALT_FNEK_HEX)) != 0) {
3116
680
			syslog(LOG_ERR,
592
			syslog(LOG_ERR,
3117
681
			   "Error attempting to add filename encryption key to "
593
			   "Error attempting to add filename encryption key to "
3118
682
			   "user session keyring; rc = [%d]\n", rc);
594
			   "user session keyring; rc = [%d]\n", rc);
3119
595
			goto out;
3120
683
		}
596
		}
3121
684
	}
597
	}
3122
685
	if ((rc = ecryptfs_add_passphrase_key_to_keyring(auth_tok_sig,
598
	if ((rc = ecryptfs_add_passphrase_key_to_keyring(auth_tok_sig,
3123
686
							 decrypted_passphrase,
599
							 decrypted_passphrase,
3125
687
							 salt))) {
600
							 salt)) != 0) {
3126
688
		syslog(LOG_ERR, "Error attempting to add passphrase key to "
601
		syslog(LOG_ERR, "Error attempting to add passphrase key to "
3127
689
		       "user session keyring; rc = [%d]\n", rc);
602
		       "user session keyring; rc = [%d]\n", rc);
3129
690
	}
603
	} else
3130
604
		rc = 0;
3131
691
out:
605
out:
3132
692
	return rc;
606
	return rc;
3133
693
}
607
}
3134
@@ -744,10 +658,13 @@
3135
744
	rc = add_key("user", auth_tok_sig, (void *)auth_tok,
658
	rc = add_key("user", auth_tok_sig, (void *)auth_tok,
3136
745
		     (sizeof(struct ecryptfs_auth_tok) + blob_size),
659
		     (sizeof(struct ecryptfs_auth_tok) + blob_size),
3137
746
		     KEY_SPEC_USER_KEYRING);
660
		     KEY_SPEC_USER_KEYRING);
3139
747
	if (rc < 0)
661
	if (rc < 0) {
3140
662
		rc = -errno;
3141
748
		syslog(LOG_ERR, "Error adding key with sig [%s]; rc ="
663
		syslog(LOG_ERR, "Error adding key with sig [%s]; rc ="
3142
749
		       " [%d]\n", auth_tok_sig, rc);
664
		       " [%d]\n", auth_tok_sig, rc);
3144
750
	else rc = 0;
665
		if (rc == -EDQUOT)
3145
666
			syslog(LOG_WARNING, "Error adding key to keyring - keyring is full\n");
3146
667
	} else rc = 0;
3147
751
out:
668
out:
3148
752
	if (auth_tok != NULL) {
669
	if (auth_tok != NULL) {
3149
753
		memset(auth_tok, 0, (sizeof(struct ecryptfs_auth_tok) + blob_size));
670
		memset(auth_tok, 0, (sizeof(struct ecryptfs_auth_tok) + blob_size));
3150
@@ -765,14 +682,14 @@
3151
765
	memset(&nvp_list_head, 0, sizeof(struct ecryptfs_name_val_pair));
682
	memset(&nvp_list_head, 0, sizeof(struct ecryptfs_name_val_pair));
3152
766
	rc = ecryptfs_parse_rc_file(&nvp_list_head);
683
	rc = ecryptfs_parse_rc_file(&nvp_list_head);
3153
767
	if (rc) {
684
	if (rc) {
3155
768
		if (rc != -EIO) {
685
		if (rc != -ENOENT) {
3156
769
			syslog(LOG_WARNING,
686
			syslog(LOG_WARNING,
3157
770
				"Error attempting to parse .ecryptfsrc file; "
687
				"Error attempting to parse .ecryptfsrc file; "
3158
771
				"rc = [%d]", rc);
688
				"rc = [%d]", rc);
3159
772
		}
689
		}
3160
773
		goto out;
690
		goto out;
3161
774
	}
691
	}
3163
775
	nvp = &nvp_list_head;
692
	nvp = nvp_list_head.next;
3164
776
	while (nvp) {
693
	while (nvp) {
3165
777
		if (strcmp(nvp->name, "salt") == 0) {
694
		if (strcmp(nvp->name, "salt") == 0) {
3166
778
			int valsize;
695
			int valsize;
3167
@@ -780,7 +697,7 @@
3168
780
			if (!nvp->value)
697
			if (!nvp->value)
3169
781
				goto next_iteration;
698
				goto next_iteration;
3170
782
			valsize = strlen(nvp->value);
699
			valsize = strlen(nvp->value);
3172
783
			if (valsize != ECRYPTFS_SALT_SIZE_HEX);
700
			if (valsize != ECRYPTFS_SALT_SIZE_HEX)
3173
784
				goto next_iteration;
701
				goto next_iteration;
3174
785
			memcpy(salt_hex, nvp->value, ECRYPTFS_SALT_SIZE_HEX);
702
			memcpy(salt_hex, nvp->value, ECRYPTFS_SALT_SIZE_HEX);
3175
786
			goto out_free;
703
			goto out_free;
3176
@@ -917,7 +834,8 @@
3177
917
	ecryptfs_enable_echo(&current_settings);
834
	ecryptfs_enable_echo(&current_settings);
3178
918
	p = strrchr(passphrase, '\n');
835
	p = strrchr(passphrase, '\n');
3179
919
	if (p) *p = '\0';
836
	if (p) *p = '\0';
3181
920
	printf("\n");
837
	if (prompt != NULL)
3182
838
		printf("\n");
3183
921
	if (strlen(passphrase) > ECRYPTFS_MAX_PASSWORD_LENGTH) {
839
	if (strlen(passphrase) > ECRYPTFS_MAX_PASSWORD_LENGTH) {
3184
922
		fprintf(stderr,"Passphrase is too long. Use at most %u "
840
		fprintf(stderr,"Passphrase is too long. Use at most %u "
3185
923
			       "characters long passphrase.\n",
841
			       "characters long passphrase.\n",
3186
@@ -927,3 +845,23 @@
3187
927
	}
845
	}
3188
928
	return passphrase;
846
	return passphrase;
3189
929
}
847
}
3190
848
3191
849
char *ecryptfs_get_wrapped_passphrase_filename() {
3192
850
	struct passwd *pwd = NULL;
3193
851
	struct stat s;
3194
852
	char *filename = NULL;
3195
853
	if ((pwd = getpwuid(getuid())) == NULL) {
3196
854
		perror("getpwuid");
3197
855
		return NULL;
3198
856
	}
3199
857
	if ((asprintf(&filename,
3200
858
	    "%s/.ecryptfs/wrapped-passphrase", pwd->pw_dir) < 0)) {
3201
859
		perror("asprintf");
3202
860
		return NULL;
3203
861
	}
3204
862
	if (stat(filename, &s) != 0) {
3205
863
		perror("stat");
3206
864
		return NULL;
3207
865
	}
3208
866
	return filename;
3209
867
}
3210
930
868
3211
=== modified file 'src/libecryptfs/libecryptfs.pc.in'
3212
--- src/libecryptfs/libecryptfs.pc.in	2009-02-03 08:50:36 +0000
3213
+++ src/libecryptfs/libecryptfs.pc.in	2010-02-17 20:48:19 +0000
3214
@@ -6,5 +6,5 @@
3215
6
Name: libecryptfs
6
Name: libecryptfs
3216
7
Description: eCryptfs library
7
Description: eCryptfs library
3217
8
Version: @PACKAGE_VERSION@
8
Version: @PACKAGE_VERSION@
3220
9
Cflags: -I${includedir} @LIBGCRYPT_CFLAGS@ @KEYUTILS_CFLAGS@
9
Cflags: -I${includedir} @KEYUTILS_CFLAGS@
3221
10
Libs: @LIBGCRYPT_LIBS@ @KEYUTILS_LIBS@ -L${libdir} -lecryptfs
10
Libs: @KEYUTILS_LIBS@ -L${libdir} -lecryptfs
3222
11
11
3223
=== modified file 'src/libecryptfs/main.c'
3224
--- src/libecryptfs/main.c	2009-02-09 15:33:25 +0000
3225
+++ src/libecryptfs/main.c	2010-02-17 20:48:19 +0000
3226
@@ -21,12 +21,8 @@
3227
21
21
3228
22
#include "config.h"
22
#include "config.h"
3229
23
#include <errno.h>
23
#include <errno.h>
3230
24
#ifdef ENABLE_NSS
3231
25
#include <nss.h>
24
#include <nss.h>
3232
26
#include <pk11func.h>
25
#include <pk11func.h>
3233
27
#else
3234
28
#include <gcrypt.h>
3235
29
#endif /* #ifdef ENABLE_NSS */
3236
30
#include <mntent.h>
26
#include <mntent.h>
3237
31
#ifndef S_SPLINT_S
27
#ifndef S_SPLINT_S
3238
32
#include <stdio.h>
28
#include <stdio.h>
3239
@@ -37,9 +33,10 @@
3240
37
#include <signal.h>
33
#include <signal.h>
3241
38
#include <sys/mount.h>
34
#include <sys/mount.h>
3242
39
#include <getopt.h>
35
#include <getopt.h>
3243
36
#include <sys/types.h>
3244
40
#include <keyutils.h>
37
#include <keyutils.h>
3245
41
#include <sys/types.h>
3246
42
#include <sys/ipc.h>
38
#include <sys/ipc.h>
3247
39
#include <sys/param.h>
3248
43
#include <sys/shm.h>
40
#include <sys/shm.h>
3249
44
#include <sys/sem.h>
41
#include <sys/sem.h>
3250
45
#include "../include/ecryptfs.h"
42
#include "../include/ecryptfs.h"
3251
@@ -77,16 +74,8 @@
3252
77
74
3253
78
int do_hash(char *src, int src_size, char *dst, int algo)
75
int do_hash(char *src, int src_size, char *dst, int algo)
3254
79
{
76
{
3255
80
#ifdef ENABLE_NSS
3256
81
	SECStatus err;
77
	SECStatus err;
3257
82
#else
3258
83
	gcry_md_hd_t hd;
3259
84
	gcry_error_t err = 0;
3260
85
	unsigned char * hash;
3261
86
	unsigned int mdlen;
3262
87
#endif /* #ifdef ENABLE_NSS */
3263
88
78
3264
89
#ifdef ENABLE_NSS
3265
90
	NSS_NoDB_Init(NULL);
79
	NSS_NoDB_Init(NULL);
3266
91
	err = PK11_HashBuf(algo, (unsigned char *)dst, (unsigned char *)src,
80
	err = PK11_HashBuf(algo, (unsigned char *)dst, (unsigned char *)src,
3267
92
			   src_size);
81
			   src_size);
3268
@@ -97,23 +86,115 @@
3269
97
		err = -EINVAL;
86
		err = -EINVAL;
3270
98
		goto out;
87
		goto out;
3271
99
	}
88
	}
3272
100
#else
3273
101
	err = gcry_md_open(&hd, algo, 0);
3274
102
	mdlen = gcry_md_get_algo_dlen(algo);
3275
103
	if (err) {
3276
104
		syslog(LOG_ERR, "Failed to open hash algo [%d]: "
3277
105
		       "[%d]\n", algo, err);
3278
106
		goto out;
3279
107
	}
3280
108
	gcry_md_write(hd, src, src_size);
3281
109
	hash = gcry_md_read(hd, algo);
3282
110
	memcpy(dst, hash, mdlen);
3283
111
	gcry_md_close(hd);
3284
112
#endif /* #ifdef ENABLE_NSS */
3285
113
out:
89
out:
3286
114
	return (int)err;
90
	return (int)err;
3287
115
}
91
}
3288
116
92
3289
93
/* Read ecryptfs private mount from file
3290
94
 * Allocate and return a string
3291
95
 */
3292
96
char *ecryptfs_fetch_private_mnt(char *pw_dir) {
3293
97
	char *mnt_file = NULL;
3294
98
	char *mnt_default = NULL;
3295
99
	char *mnt = NULL;
3296
100
	FILE *fh = NULL;
3297
101
	/* Construct mnt file name */
3298
102
	if (asprintf(&mnt_default, "%s/%s", pw_dir, ECRYPTFS_PRIVATE_DIR) < 0
3299
103
			|| mnt_default == NULL) {
3300
104
		perror("asprintf");
3301
105
		return NULL;
3302
106
	}
3303
107
	if (
3304
108
			asprintf(&mnt_file, "%s/.ecryptfs/%s.mnt", pw_dir, ECRYPTFS_PRIVATE_DIR) < 0
3305
109
			|| mnt_file == NULL) {
3306
110
		perror("asprintf");
3307
111
		return NULL;
3308
112
	}
3309
113
	fh = fopen(mnt_file, "r");
3310
114
	if (fh == NULL) {
3311
115
		mnt = mnt_default;
3312
116
	} else {
3313
117
		flockfile(fh);
3314
118
		if ((mnt = (char *)malloc(MAXPATHLEN+1)) == NULL) {
3315
119
			perror("malloc");
3316
120
			return NULL;
3317
121
		}
3318
122
		if (fgets(mnt, MAXPATHLEN, fh) == NULL) {
3319
123
			mnt = mnt_default;
3320
124
		} else {
3321
125
			/* Ensure that mnt doesn't contain newlines */
3322
126
			mnt = strtok(mnt, "\n");
3323
127
		}
3324
128
		fclose(fh);
3325
129
	}
3326
130
	if (mnt_file != NULL)
3327
131
		free(mnt_file);
3328
132
	if (mnt_default != NULL && mnt != mnt_default)
3329
133
		free(mnt_default);
3330
134
	return mnt;
3331
135
}
3332
136
3333
137
3334
138
/* Check if an ecryptfs private device or mount point is mounted.
3335
139
 * Return 1 if a filesystem in mtab matches dev && mnt && sig.
3336
140
 * Return 0 otherwise.
3337
141
 */
3338
142
int ecryptfs_private_is_mounted(char *dev, char *mnt, char *sig, int mounting) {
3339
143
	FILE *fh = NULL;
3340
144
	struct mntent *m = NULL;
3341
145
	char *opt = NULL;
3342
146
	int mounted;
3343
147
	if (asprintf(&opt, "ecryptfs_sig=%s", sig) < 0) {
3344
148
		perror("asprintf");
3345
149
		return 0;
3346
150
	}
3347
151
	fh = setmntent("/proc/mounts", "r");
3348
152
	if (fh == NULL) {
3349
153
		perror("setmntent");
3350
154
		return 0;
3351
155
	}
3352
156
	mounted = 0;
3353
157
	flockfile(fh);
3354
158
	while ((m = getmntent(fh)) != NULL) {
3355
159
		if (strcmp(m->mnt_type, "ecryptfs") != 0)
3356
160
			/* Skip if this entry is not an ecryptfs mount */
3357
161
			continue;
3358
162
		if (mounting == 1) {
3359
163
			/* If mounting, return "already mounted" if EITHER the
3360
164
 			 * dev or the mnt dir shows up in mtab/mounts;
3361
165
 			 * regardless of the signature of such mounts;
3362
166
 			 */
3363
167
			if (dev != NULL && strcmp(m->mnt_fsname, dev) == 0) {
3364
168
				mounted = 1;
3365
169
				break;
3366
170
			}
3367
171
			if (mnt != NULL && strcmp(m->mnt_dir, mnt) == 0) {
3368
172
				mounted = 1;
3369
173
				break;
3370
174
			}
3371
175
		} else {
3372
176
			/* Otherwise, we're unmounting, and we need to be
3373
177
			 * very conservative in finding a perfect match
3374
178
			 * to unmount.  The device, mountpoint, and signature
3375
179
			 * must *all* match perfectly.
3376
180
			 */
3377
181
			if (
3378
182
			    strcmp(m->mnt_fsname, dev) == 0 &&
3379
183
			    strcmp(m->mnt_dir, mnt) == 0 &&
3380
184
			    hasmntopt(m, opt) != NULL
3381
185
			) {
3382
186
				mounted = 1;
3383
187
				break;
3384
188
			}
3385
189
		}
3386
190
	}
3387
191
	endmntent(fh);
3388
192
	if (opt != NULL)
3389
193
		free(opt);
3390
194
	return mounted;
3391
195
}
3392
196
3393
197
3394
117
/**
198
/**
3395
118
 * TODO: We need to support more hash algs
199
 * TODO: We need to support more hash algs
3396
119
 * @fekek: ECRYPTFS_MAX_KEY_BYTES bytes of allocated memory
200
 * @fekek: ECRYPTFS_MAX_KEY_BYTES bytes of allocated memory
3397
@@ -133,11 +214,7 @@
3398
133
	char salt_and_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES
214
	char salt_and_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES
3399
134
				 + ECRYPTFS_SALT_SIZE];
215
				 + ECRYPTFS_SALT_SIZE];
3400
135
	int passphrase_size;
216
	int passphrase_size;
3401
136
#ifdef ENABLE_NSS
3402
137
	int alg = SEC_OID_SHA512;
217
	int alg = SEC_OID_SHA512;
3403
138
#else
3404
139
	int alg = GCRY_MD_SHA512;
3405
140
#endif /* #ifdef ENABLE_NSS */
3406
141
	int dig_len = SHA512_DIGEST_LENGTH;
218
	int dig_len = SHA512_DIGEST_LENGTH;
3407
142
	char buf[SHA512_DIGEST_LENGTH];
219
	char buf[SHA512_DIGEST_LENGTH];
3408
143
	int hash_iterations = ECRYPTFS_DEFAULT_NUM_HASH_ITERATIONS;
220
	int hash_iterations = ECRYPTFS_DEFAULT_NUM_HASH_ITERATIONS;
3409
@@ -890,3 +967,4 @@
3410
890
{
967
{
3411
891
	return &ctx_ops;
968
	return &ctx_ops;
3412
892
}
969
}
3413
970
3414
893
971
3415
=== modified file 'src/libecryptfs/module_mgr.c'
3416
--- src/libecryptfs/module_mgr.c	2009-04-21 17:59:16 +0000
3417
+++ src/libecryptfs/module_mgr.c	2010-02-17 20:48:19 +0000
3418
@@ -97,15 +97,20 @@
3419
97
		.trans_func = sig_param_node_callback}}
97
		.trans_func = sig_param_node_callback}}
3420
98
};
98
};
3421
99
99
3424
100
/* returns: 1 for str=="yes" or "y", 0 for "no" or "n", -1 elsewhere */
100
/* returns: 
3425
101
static int is_yes(const char *str)
101
 * 	on_null for str == NULL
3426
102
 *	1 for str=="yes" or "y"
3427
103
 *	0 for str=="no" or "n"
3428
104
 *	-1 elsewhere */
3429
105
static int is_yes(const char *str, int on_null)
3430
102
{
106
{
3431
103
	if (str) {
107
	if (str) {
3432
104
		if (!strcmp(str,"y") || !strcmp(str,"yes"))
108
		if (!strcmp(str,"y") || !strcmp(str,"yes"))
3433
105
			return 1;
109
			return 1;
3434
106
		if (!strcmp(str,"no") || !strcmp(str,"n"))
110
		if (!strcmp(str,"no") || !strcmp(str,"n"))
3435
107
			return 0;
111
			return 0;
3437
108
	}
112
	} else
3438
113
		return on_null;
3439
109
114
3440
110
	return -1;
115
	return -1;
3441
111
}
116
}
3442
@@ -120,7 +125,7 @@
3443
120
{
125
{
3444
121
	int rc;
126
	int rc;
3445
122
127
3447
123
	if (((rc=is_yes(node->val)) == 1) || (node->flags & PARAMETER_SET)) {
128
	if (((rc=is_yes(node->val, 0)) == 1) || (node->flags & PARAMETER_SET)) {
3448
124
		rc = stack_push(head, opt_name);
129
		rc = stack_push(head, opt_name);
3449
125
	} else if (rc == -1)
130
	} else if (rc == -1)
3450
126
		rc = WRONG_VALUE;
131
		rc = WRONG_VALUE;
3451
@@ -207,7 +212,7 @@
3452
207
static struct param_node filename_crypto_fnek_sig_param_node = {
212
static struct param_node filename_crypto_fnek_sig_param_node = {
3453
208
	.num_mnt_opt_names = 1,
213
	.num_mnt_opt_names = 1,
3454
209
	.mnt_opt_names = {"ecryptfs_fnek_sig"},
214
	.mnt_opt_names = {"ecryptfs_fnek_sig"},
3456
210
	.prompt = "Filname Encryption Key (FNEK) Signature",
215
	.prompt = "Filename Encryption Key (FNEK) Signature",
3457
211
	.val_type = VAL_STR,
216
	.val_type = VAL_STR,
3458
212
	.val = NULL,
217
	.val = NULL,
3459
213
	.display_opts = NULL,
218
	.display_opts = NULL,
3460
@@ -227,7 +232,7 @@
3461
227
{
232
{
3462
228
	int yn, rc = 0;
233
	int yn, rc = 0;
3463
229
234
3465
230
	if (((yn=is_yes(node->val)) > 0)
235
	if (((yn=is_yes(node->val, 0)) > 0)
3466
231
	    || (node->flags & PARAMETER_SET)) {
236
	    || (node->flags & PARAMETER_SET)) {
3467
232
		int i;
237
		int i;
3468
233
		struct val_node *val_node;
238
		struct val_node *val_node;
3469
@@ -407,6 +412,7 @@
3470
407
	{"twofish", 32, 2},
412
	{"twofish", 32, 2},
3471
408
	{"blowfish", 16, 1},
413
	{"blowfish", 16, 1},
3472
409
	{"blowfish", 32, 2},
414
	{"blowfish", 32, 2},
3473
415
	{"blowfish", 56, 2},
3474
410
	{"khazad", 16, 1},
416
	{"khazad", 16, 1},
3475
411
	{"arc4", 16, 1},
417
	{"arc4", 16, 1},
3476
412
	{"arc4", 32, 2},
418
	{"arc4", 32, 2},
3477
@@ -432,15 +438,18 @@
3478
432
	return rc;
438
	return rc;
3479
433
}
439
}
3480
434
440
3482
435
static int init_ecryptfs_key_bytes_param_node(char *cipher_name)
441
static int init_ecryptfs_key_bytes_param_node(char *cipher_name, 
3483
442
					      int min, int max)
3484
436
{
443
{
3485
437
	int i;
444
	int i;
3486
438
	int rc = 0;
445
	int rc = 0;
3487
439
446
3488
440
	i = 0;
447
	i = 0;
3489
441
	while (supported_key_bytes[i].cipher_name) {
448
	while (supported_key_bytes[i].cipher_name) {
3492
442
		if (strcmp(cipher_name, supported_key_bytes[i].cipher_name)
449
		if ((supported_key_bytes[i].key_bytes >= min) && 
3493
443
		    == 0) {
450
		    (supported_key_bytes[i].key_bytes <= max) &&
3494
451
		    (strcmp(cipher_name, supported_key_bytes[i].cipher_name)
3495
452
		      == 0)) {
3496
444
			struct transition_node *tn;
453
			struct transition_node *tn;
3497
445
			
454
			
3498
446
			tn = &ecryptfs_key_bytes_param_node.tl[
455
			tn = &ecryptfs_key_bytes_param_node.tl[
3499
@@ -468,6 +477,11 @@
3500
468
		}
477
		}
3501
469
		i++;
478
		i++;
3502
470
	}
479
	}
3503
480
	if (ecryptfs_key_bytes_param_node.num_transitions == 0) {
3504
481
		syslog(LOG_ERR, "Error initializing key_bytes selection: "
3505
482
		       "there is no posibility left for used params\n");
3506
483
		return -EINVAL;
3507
484
	}
3508
471
out:
485
out:
3509
472
	return rc;
486
	return rc;
3510
473
}
487
}
3511
@@ -477,8 +491,40 @@
3512
477
{
491
{
3513
478
	char *opt;
492
	char *opt;
3514
479
	int rc;
493
	int rc;
3517
480
494
	int min = 0, max = 999999;
3518
481
	rc = init_ecryptfs_key_bytes_param_node(node->val);
495
	struct val_node *tmp = *head, *tmpprev = NULL;
3519
496
3520
497
	while (tmp) {
3521
498
		char *ptr;
3522
499
		int popval = 0;
3523
500
		if (tmp->val && (strstr(tmp->val,"max_key_bytes=") != NULL) && 
3524
501
		    ((ptr=strchr(tmp->val,'=')) != NULL)) {
3525
502
			char *eptr;
3526
503
			max = strtol(++ptr, &eptr, 10);
3527
504
			if (eptr == ptr)
3528
505
				return -EINVAL;
3529
506
			popval = 1;
3530
507
		}
3531
508
		if (tmp->val && (strstr(tmp->val,"min_key_bytes=") != NULL) && 
3532
509
		    ((ptr=strchr(tmp->val,'=')) != NULL)) {
3533
510
			char *eptr;
3534
511
			min = strtol(++ptr, &eptr, 10);
3535
512
			if (eptr == ptr)
3536
513
				return -EINVAL;
3537
514
			popval = 1;
3538
515
		}
3539
516
		if (popval) {
3540
517
			if (tmp == *head)
3541
518
				*head = (*head)->next;
3542
519
			stack_pop(&tmp);
3543
520
			if (tmpprev != NULL)
3544
521
				tmpprev->next = tmp;
3545
522
		}
3546
523
		tmpprev = tmp;
3547
524
		tmp = tmp->next;
3548
525
	}
3549
526
3550
527
	rc = init_ecryptfs_key_bytes_param_node(node->val, min, max);
3551
482
	if (rc) {
528
	if (rc) {
3552
483
		syslog(LOG_ERR, "%s: Error initializing key_bytes param node; "
529
		syslog(LOG_ERR, "%s: Error initializing key_bytes param node; "
3553
484
		       "rc = [%d]\n", __FUNCTION__, rc);
530
		       "rc = [%d]\n", __FUNCTION__, rc);
3554
485
531
3555
=== modified file 'src/pam_ecryptfs/Makefile.am'
3556
--- src/pam_ecryptfs/Makefile.am	2009-02-03 08:50:36 +0000
3557
+++ src/pam_ecryptfs/Makefile.am	2010-02-17 20:48:19 +0000
3558
@@ -12,6 +12,6 @@
3559
12
endif
12
endif
3560
13
13
3561
14
pam_ecryptfs_la_SOURCES = pam_ecryptfs.c
14
pam_ecryptfs_la_SOURCES = pam_ecryptfs.c
3564
15
pam_ecryptfs_la_CFLAGS = $(AM_CFLAGS) $(LIBGCRYPT_CFLAGS)
15
pam_ecryptfs_la_CFLAGS = $(AM_CFLAGS)
3565
16
pam_ecryptfs_la_LIBADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(PAM_LIBS) $(LIBGCRYPT_LIBS)
16
pam_ecryptfs_la_LIBADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(PAM_LIBS)
3566
17
pam_ecryptfs_la_LDFLAGS = $(AM_LDFLAGS) -module -avoid-version -shared
17
pam_ecryptfs_la_LDFLAGS = $(AM_LDFLAGS) -module -avoid-version -shared
3567
18
18
3568
=== modified file 'src/pam_ecryptfs/pam_ecryptfs.c'
3569
--- src/pam_ecryptfs/pam_ecryptfs.c	2009-04-21 23:20:27 +0000
3570
+++ src/pam_ecryptfs/pam_ecryptfs.c	2010-02-17 20:48:23 +0000
3571
@@ -1,4 +1,5 @@
3573
1
/**
1
/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*-
3574
2
 *
3575
2
 * pam_ecryptfs.c: PAM module that sends the user's authentication
3
 * pam_ecryptfs.c: PAM module that sends the user's authentication
3576
3
 * tokens into the kernel keyring.
4
 * tokens into the kernel keyring.
3577
4
 *
5
 *
3578
@@ -73,30 +74,48 @@
3579
73
	char *file_path;
74
	char *file_path;
3580
74
	int rc = 0;
75
	int rc = 0;
3581
75
	struct stat s;
76
	struct stat s;
3582
76
	if (asprintf(
3583
77
		&file_path, "%s/.ecryptfs/%s",
3584
78
		homedir,
3585
79
		ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME) == -1)
3586
80
		return -ENOMEM;
3587
81
	if (stat(file_path, &s) != 0) {
3588
82
		if (errno != ENOENT)
3589
83
			rc = -errno;
3590
84
		goto out;
3591
85
	} 
3592
86
	free(file_path);
3593
87
	if (asprintf(&file_path, "%s/.ecryptfs/auto-mount", homedir) == -1)
77
	if (asprintf(&file_path, "%s/.ecryptfs/auto-mount", homedir) == -1)
3594
88
		return -ENOMEM;
78
		return -ENOMEM;
3595
89
	if (stat(file_path, &s) != 0) {
79
	if (stat(file_path, &s) != 0) {
3596
90
		if (errno != ENOENT)
80
		if (errno != ENOENT)
3597
91
			rc = -errno;
81
			rc = -errno;
3598
92
		goto out;
82
		goto out;
3600
93
	} 
83
	}
3601
94
	rc = 1;
84
	rc = 1;
3602
95
out:
85
out:
3603
96
	free(file_path);
86
	free(file_path);
3604
97
	return rc;
87
	return rc;
3605
98
}
88
}
3606
99
89
3607
90
static int wrap_passphrase_if_necessary(char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt)
3608
91
{
3609
92
	char *unwrapped_pw_filename = NULL;
3610
93
	struct stat s;
3611
94
	int rc = 0;
3612
95
3613
96
	rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", username);
3614
97
	if (rc == -1) {
3615
98
		syslog(LOG_ERR, "Unable to allocate memory\n");
3616
99
		return -ENOMEM;
3617
100
	}
3618
101
	/* If /dev/shm/.ecryptfs-$USER exists and owned by the user
3619
102
	   and ~/.ecryptfs/wrapped-passphrase does not exist
3620
103
	   and a passphrase is set:
3621
104
	   wrap the unwrapped passphrase file */
3622
105
	if (stat(unwrapped_pw_filename, &s) == 0 && (s.st_uid == uid) &&
3623
106
	    stat(wrapped_pw_filename, &s) != 0  &&
3624
107
	    passphrase != NULL && *passphrase != '\0' &&
3625
108
	    username != NULL && *username != '\0') {
3626
109
		setuid(uid);
3627
110
		rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename);
3628
111
		if (rc != 0) {
3629
112
			syslog(LOG_ERR, "Error wrapping cleartext password; " "rc = [%d]\n", rc);
3630
113
		}
3631
114
		return rc;
3632
115
	}
3633
116
	return 0;
3634
117
}
3635
118
3636
100
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
119
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
3637
101
				   const char **argv)
120
				   const char **argv)
3638
102
{
121
{
3639
@@ -108,8 +127,10 @@
3640
108
	char salt[ECRYPTFS_SALT_SIZE];
127
	char salt[ECRYPTFS_SALT_SIZE];
3641
109
	char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
128
	char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
3642
110
	char *auth_tok_sig;
129
	char *auth_tok_sig;
3643
130
	char *private_mnt = NULL;
3644
111
	pid_t child_pid, tmp_pid;
131
	pid_t child_pid, tmp_pid;
3645
112
	long rc;
132
	long rc;
3646
133
	uint32_t version;
3647
113
134
3648
114
	syslog(LOG_INFO, "%s: Called\n", __FUNCTION__);
135
	syslog(LOG_INFO, "%s: Called\n", __FUNCTION__);
3649
115
	rc = pam_get_user(pamh, &username, NULL);
136
	rc = pam_get_user(pamh, &username, NULL);
3650
@@ -130,6 +151,18 @@
3651
130
	}
151
	}
3652
131
	if (!ecryptfs_pam_automount_set(homedir))
152
	if (!ecryptfs_pam_automount_set(homedir))
3653
132
		goto out;
153
		goto out;
3654
154
	private_mnt = ecryptfs_fetch_private_mnt(homedir);
3655
155
	if (ecryptfs_private_is_mounted(NULL, private_mnt, NULL, 1)) {
3656
156
		syslog(LOG_INFO, "%s: %s is already mounted\n", __FUNCTION__,
3657
157
			homedir);
3658
158
		/* If private/home is already mounted, then we can skip
3659
159
		   costly loading of keys */
3660
160
		goto out;
3661
161
	}
3662
162
	/* we need side effect of this check:
3663
163
	   load ecryptfs module if not loaded already */
3664
164
	if (ecryptfs_get_version(&version) != 0)
3665
165
		syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
3666
133
	saved_uid = geteuid();
166
	saved_uid = geteuid();
3667
134
	seteuid(uid);
167
	seteuid(uid);
3668
135
	rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
168
	rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
3669
@@ -147,7 +180,6 @@
3670
147
	}
180
	}
3671
148
	rc = ecryptfs_read_salt_hex_from_rc(salt_hex);
181
	rc = ecryptfs_read_salt_hex_from_rc(salt_hex);
3672
149
	if (rc) {
182
	if (rc) {
3673
150
		syslog(LOG_WARNING, "%s\n", ECRYPTFS_WARN_DEFAULT_SALT);
3674
151
		from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
183
		from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
3675
152
	} else
184
	} else
3676
153
		from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
185
		from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
3677
@@ -166,7 +198,9 @@
3678
166
		if ((argc == 1)
198
		if ((argc == 1)
3679
167
		    && (memcmp(argv[0], "unwrap\0", 7) == 0)) {
199
		    && (memcmp(argv[0], "unwrap\0", 7) == 0)) {
3680
168
			char *wrapped_pw_filename;
200
			char *wrapped_pw_filename;
3682
169
			
201
			char *unwrapped_pw_filename;
3683
202
			struct stat s;
3684
203
3685
170
			rc = asprintf(
204
			rc = asprintf(
3686
171
				&wrapped_pw_filename, "%s/.ecryptfs/%s",
205
				&wrapped_pw_filename, "%s/.ecryptfs/%s",
3687
172
				homedir,
206
				homedir,
3688
@@ -176,6 +210,11 @@
3689
176
				rc = -ENOMEM;
210
				rc = -ENOMEM;
3690
177
				goto out_child;
211
				goto out_child;
3691
178
			}
212
			}
3692
213
			if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, passphrase, salt) == 0) {
3693
214
				syslog(LOG_INFO, "Passphrase file wrapped");
3694
215
			} else {
3695
216
				goto out_child;
3696
217
			}
3697
179
			rc = ecryptfs_insert_wrapped_passphrase_into_keyring(
218
			rc = ecryptfs_insert_wrapped_passphrase_into_keyring(
3698
180
				auth_tok_sig, wrapped_pw_filename, passphrase,
219
				auth_tok_sig, wrapped_pw_filename, passphrase,
3699
181
				salt);
220
				salt);
3700
@@ -185,9 +224,6 @@
3701
185
				auth_tok_sig, passphrase, salt);
224
				auth_tok_sig, passphrase, salt);
3702
186
		}
225
		}
3703
187
		if (rc == 1) {
226
		if (rc == 1) {
3704
188
			syslog(LOG_WARNING, "There is already a key in the "
3705
189
			       "user session keyring for the given "
3706
190
			       "passphrase.\n");
3707
191
			goto out_child;
227
			goto out_child;
3708
192
		}
228
		}
3709
193
		if (rc) {
229
		if (rc) {
3710
@@ -198,8 +234,8 @@
3711
198
		if (fork() == 0) {
234
		if (fork() == 0) {
3712
199
			if ((rc = ecryptfs_set_zombie_session_placeholder())) {
235
			if ((rc = ecryptfs_set_zombie_session_placeholder())) {
3713
200
				syslog(LOG_ERR, "Error attempting to create "
236
				syslog(LOG_ERR, "Error attempting to create "
3716
201
				       "and register zombie process; "
237
						"and register zombie process; "
3717
202
				       "rc = [%ld]\n", rc);
238
						"rc = [%ld]\n", rc);
3718
203
			}
239
			}
3719
204
		}
240
		}
3720
205
out_child:
241
out_child:
3721
@@ -211,6 +247,8 @@
3722
211
		syslog(LOG_WARNING,
247
		syslog(LOG_WARNING,
3723
212
		       "waitpid() returned with error condition\n");
248
		       "waitpid() returned with error condition\n");
3724
213
out:
249
out:
3725
250
	if (private_mnt != NULL)
3726
251
		free(private_mnt);
3727
214
	return PAM_SUCCESS;
252
	return PAM_SUCCESS;
3728
215
}
253
}
3729
216
254
3730
@@ -272,7 +310,7 @@
3731
272
		return 1;
310
		return 1;
3732
273
        }
311
        }
3733
274
        if (
312
        if (
3735
275
	    (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir, 
313
	    (asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir,
3736
276
	     PRIVATE_DIR) < 0) || sigfile == NULL) {
314
	     PRIVATE_DIR) < 0) || sigfile == NULL) {
3737
277
		syslog(LOG_ERR, "Error allocating memory for sigfile name");
315
		syslog(LOG_ERR, "Error allocating memory for sigfile name");
3738
278
		return 1;
316
		return 1;
3739
@@ -288,7 +326,7 @@
3740
288
	if ((pid = fork()) < 0) {
326
	if ((pid = fork()) < 0) {
3741
289
		syslog(LOG_ERR, "Error setting up private mount");
327
		syslog(LOG_ERR, "Error setting up private mount");
3742
290
		return 1;
328
		return 1;
3744
291
	} 
329
	}
3745
292
	if (pid == 0) {
330
	if (pid == 0) {
3746
293
		if (mount == 1) {
331
		if (mount == 1) {
3747
294
		        if ((asprintf(&recorded,
332
		        if ((asprintf(&recorded,
3748
@@ -313,7 +351,7 @@
3749
313
			}
351
			}
3750
314
			/* run mount.ecryptfs_private as the user */
352
			/* run mount.ecryptfs_private as the user */
3751
315
			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
353
			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
3753
316
			execl("/sbin/mount.ecryptfs_private", 
354
			execl("/sbin/mount.ecryptfs_private",
3754
317
			      "mount.ecryptfs_private", NULL);
355
			      "mount.ecryptfs_private", NULL);
3755
318
		} else {
356
		} else {
3756
319
			if (stat(autofile, &s) != 0) {
357
			if (stat(autofile, &s) != 0) {
3757
@@ -324,14 +362,12 @@
3758
324
			}
362
			}
3759
325
			/* run umount.ecryptfs_private as the user */
363
			/* run umount.ecryptfs_private as the user */
3760
326
			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
364
			setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
3762
327
			execl("/sbin/umount.ecryptfs_private", 
365
			execl("/sbin/umount.ecryptfs_private",
3763
328
 			      "umount.ecryptfs_private", NULL);
366
 			      "umount.ecryptfs_private", NULL);
3764
329
		}
367
		}
3765
330
		return 1;
368
		return 1;
3766
331
	} else {
369
	} else {
3767
332
		waitpid(pid, &rc, 0);
370
		waitpid(pid, &rc, 0);
3768
333
		syslog(LOG_INFO, 
3769
334
		       "Mount of private directory return code [%d]", rc);
3770
335
		goto out;
371
		goto out;
3771
336
	}
372
	}
3772
337
out:
373
out:
3773
@@ -374,12 +410,10 @@
3774
374
	char *old_passphrase = NULL;
410
	char *old_passphrase = NULL;
3775
375
	char *new_passphrase = NULL;
411
	char *new_passphrase = NULL;
3776
376
	char *wrapped_pw_filename;
412
	char *wrapped_pw_filename;
3777
377
	char *unwrapped_pw_filename;
3778
378
	char *name = NULL;
413
	char *name = NULL;
3779
379
	char salt[ECRYPTFS_SALT_SIZE];
414
	char salt[ECRYPTFS_SALT_SIZE];
3780
380
	char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
415
	char salt_hex[ECRYPTFS_SALT_SIZE_HEX];
3781
381
	pid_t child_pid, tmp_pid;
416
	pid_t child_pid, tmp_pid;
3782
382
	struct stat s;
3783
383
	int rc = PAM_SUCCESS;
417
	int rc = PAM_SUCCESS;
3784
384
418
3785
385
	rc = pam_get_user(pamh, &username, NULL);
419
	rc = pam_get_user(pamh, &username, NULL);
3786
@@ -434,36 +468,17 @@
3787
434
		rc = -ENOMEM;
468
		rc = -ENOMEM;
3788
435
		goto out;
469
		goto out;
3789
436
	}
470
	}
3790
437
	rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", name);
3791
438
	if (rc == -1) {
3792
439
		syslog(LOG_ERR, "Unable to allocate memory\n");
3793
440
		rc = -ENOMEM;
3794
441
		goto out;
3795
442
	}
3796
443
	if ((rc = ecryptfs_read_salt_hex_from_rc(salt_hex))) {
471
	if ((rc = ecryptfs_read_salt_hex_from_rc(salt_hex))) {
3797
444
		syslog(LOG_WARNING, "%s\n", ECRYPTFS_WARN_DEFAULT_SALT);
3798
445
		from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
472
		from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
3799
446
	} else {
473
	} else {
3800
447
		from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
474
		from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
3801
448
	}
475
	}
3818
449
	/* If /dev/shm/.ecryptfs-$USER exists and owned by the user
476
	if (wrap_passphrase_if_necessary(username, uid, wrapped_pw_filename, new_passphrase, salt) == 0) {
3819
450
	   and ~/.ecryptfs/wrapped-passphrase does not exist
477
		syslog(LOG_INFO, "Passphrase file wrapped");
3820
451
	   and a new_passphrase is set:
478
	} else {
3805
452
	   wrap the unwrapped passphrase file */
3806
453
	if (stat(unwrapped_pw_filename, &s) == 0 && (s.st_uid == uid) &&
3807
454
	    stat(wrapped_pw_filename, &s) != 0  &&
3808
455
	    new_passphrase != NULL && *new_passphrase != '\0' &&
3809
456
	    name != NULL && *name != '\0') {
3810
457
		setuid(uid);
3811
458
		rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename,
3812
459
			new_passphrase, salt, unwrapped_pw_filename);
3813
460
		if (rc != 0) {
3814
461
			syslog(LOG_ERR,
3815
462
			  "Error wrapping cleartext password; "
3816
463
	       		  "rc = [%d]\n", rc);
3817
464
		}
3821
465
		goto out;
479
		goto out;
3822
466
	}
480
	}
3823
481
3824
467
	seteuid(saved_uid);
482
	seteuid(saved_uid);
3825
468
	if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') {
483
	if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') {
3826
469
		syslog(LOG_WARNING, "eCryptfs PAM passphrase change module "
484
		syslog(LOG_WARNING, "eCryptfs PAM passphrase change module "
3827
470
485
3828
=== added directory 'src/python'
3829
=== added file 'src/python/__init__.py'
3830
=== added file 'src/python/ecryptfsapi.py'
3831
--- src/python/ecryptfsapi.py	1970-01-01 00:00:00 +0000
3832
+++ src/python/ecryptfsapi.py	2010-02-17 20:48:23 +0000
3833
@@ -0,0 +1,82 @@
3834
1
#!/usr/bin/env python
3835
2
#
3836
3
#    ecryptfsapi.py, Copyright 2008, 2009 Michael Rooney <mrooney@ubuntu.com>
3837
4
#    Date: 2009-05-28
3838
5
#    Version: 0.4
3839
6
#
3840
7
#    This is a python API for interacting with ecryptfs-utils and its
3841
8
#    encrypted directories.
3842
9
#
3843
10
#    This program is free software: you can redistribute it and/or modify
3844
11
#    it under the terms of the GNU General Public License as published by
3845
12
#    the Free Software Foundation, either version 3 of the License, or
3846
13
#    (at your option) any later version.
3847
14
#
3848
15
#    This program is distributed in the hope that it will be useful,
3849
16
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
3850
17
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
3851
18
#    GNU General Public License for more details.
3852
19
#
3853
20
#    You should have received a copy of the GNU General Public License
3854
21
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
3855
22
3856
23
import commands, os
3857
24
3858
25
AUTOMOUNT_FILE = os.path.expanduser("~/.ecryptfs/auto-mount")
3859
26
AUTOUMOUNT_FILE = os.path.expanduser("~/.ecryptfs/auto-umount")
3860
27
PRIVATE_LOCATION_FILE = os.path.expanduser("~/.ecryptfs/Private.mnt")
3861
28
PRIVATE_LOCATION = os.path.exists(PRIVATE_LOCATION_FILE) and open(PRIVATE_LOCATION_FILE).read().strip()
3862
29
3863
30
def set_automount(doAuto):
3864
31
    """Enable or disable automounting for this user."""
3865
32
    if doAuto:
3866
33
        command = "touch %s" % AUTOMOUNT_FILE
3867
34
        #open(AUTOMOUNT_FILE, "w")
3868
35
    else:
3869
36
        command = "rm %s" % AUTOMOUNT_FILE
3870
37
        #os.remove(AUTOMOUNT_FILE)
3871
38
3872
39
    return commands.getstatusoutput(command)
3873
40
3874
41
def get_automount():
3875
42
    """Return whether or not automounting is enabled for this user."""
3876
43
    return os.path.exists(AUTOMOUNT_FILE)
3877
44
3878
45
def set_autounmount(doAuto):
3879
46
    """Enable or disable automounting for this user."""
3880
47
    if doAuto:
3881
48
        command = "touch %s" % AUTOUMOUNT_FILE
3882
49
    else:
3883
50
        command = "rm %s" % AUTOUMOUNT_FILE
3884
51
3885
52
    return commands.getstatusoutput(command)
3886
53
3887
54
def get_autounmount():
3888
55
    """Return whether or not autounmounting is enabled for this user."""
3889
56
    return os.path.exists(AUTOUMOUNT_FILE)
3890
57
3891
58
def set_mounted(doMount):
3892
59
    """Set the mounted (unencrypted) state of ~/Private."""
3893
60
    if doMount:
3894
61
        command = "/sbin/mount.ecryptfs_private"
3895
62
    else:
3896
63
        command = "/sbin/umount.ecryptfs_private"
3897
64
3898
65
    return commands.getstatusoutput(command)
3899
66
3900
67
def get_mounted():
3901
68
    """Return whether or not ~/Private is mounted (unencrypted)."""
3902
69
    if PRIVATE_LOCATION:
3903
70
        mounts = open("/proc/mounts").read()
3904
71
        return PRIVATE_LOCATION in mounts
3905
72
    else:
3906
73
        return False
3907
74
3908
75
def needs_setup():
3909
76
    """
3910
77
    Return whether or not an encrypted directory has been set up by ecryptfs
3911
78
    for this user, either Home or Private.
3912
79
    """
3913
80
    encryptedHome = False #TODO: implement
3914
81
    encryptedPrivate = PRIVATE_LOCATION
3915
82
    return not (encryptedHome or encryptedPrivate)
3916
0
83
3917
=== modified file 'src/utils/Makefile.am'
3918
--- src/utils/Makefile.am	2009-04-21 23:36:43 +0000
3919
+++ src/utils/Makefile.am	2010-02-17 20:48:23 +0000
3920
@@ -1,6 +1,6 @@
3921
1
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
1
MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
3922
2
2
3924
3
EXTRA_DIST=ecryptfsrc ecryptfs-rewrite-file ecryptfs-setup-private ecryptfs-setup-swap ecryptfs-mount-private ecryptfs-umount-private ecryptfs-dot-private
3
EXTRA_DIST=ecryptfsrc ecryptfs-rewrite-file ecryptfs-setup-private ecryptfs-setup-swap ecryptfs-mount-private ecryptfs-umount-private ecryptfs-migrate-home
3925
4
4
3926
5
rootsbin_PROGRAMS=mount.ecryptfs \
5
rootsbin_PROGRAMS=mount.ecryptfs \
3927
6
		  umount.ecryptfs \
6
		  umount.ecryptfs \
3928
@@ -16,7 +16,8 @@
3929
16
	      ecryptfs-mount-private \
16
	      ecryptfs-mount-private \
3930
17
	      ecryptfs-umount-private \
17
	      ecryptfs-umount-private \
3931
18
	      ecryptfs-rewrite-file \
18
	      ecryptfs-rewrite-file \
3933
19
	      ecryptfs-dot-private
19
	      ecryptfs-migrate-home
3934
20
bin2dir = $(bindir)
3935
20
21
3936
21
noinst_PROGRAMS=test
22
noinst_PROGRAMS=test
3937
22
23
3938
@@ -55,7 +56,7 @@
3939
55
ecryptfs_generate_tpm_key_LDADD = $(TSPI_LIBS)
56
ecryptfs_generate_tpm_key_LDADD = $(TSPI_LIBS)
3940
56
57
3941
57
mount_ecryptfs_private_SOURCES = mount.ecryptfs_private.c
58
mount_ecryptfs_private_SOURCES = mount.ecryptfs_private.c
3943
58
mount_ecryptfs_private_LDADD = $(KEYUTILS_LIBS)
59
mount_ecryptfs_private_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(KEYUTILS_LIBS)
3944
59
60
3945
60
ecryptfs_stat_SOURCES = ecryptfs-stat.c
61
ecryptfs_stat_SOURCES = ecryptfs-stat.c
3946
61
ecryptfs_stat_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
62
ecryptfs_stat_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
3947
62
63
3948
=== removed file 'src/utils/ecryptfs-dot-private'
3949
--- src/utils/ecryptfs-dot-private	2009-04-08 22:36:45 +0000
3950
+++ src/utils/ecryptfs-dot-private	1970-01-01 00:00:00 +0000
3951
@@ -1,34 +0,0 @@
3952
1
#!/bin/sh -e
3953
2
#
3954
3
#    ecryptfs-dot-private
3955
4
#    Copyright (C) 2009 Canonical Ltd.
3956
5
#
3957
6
#    Authors: Dustin Kirkland <kirkland@canonical.com>
3958
7
#
3959
8
#    This program is free software: you can redistribute it and/or modify
3960
9
#    it under the terms of the GNU General Public License as published by
3961
10
#    the Free Software Foundation, version 2 of the License.
3962
11
#
3963
12
#    This program is distributed in the hope that it will be useful,
3964
13
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
3965
14
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
3966
15
#    GNU General Public License for more details.
3967
16
#
3968
17
#    You should have received a copy of the GNU General Public License
3969
18
3970
19
if echo "$0" | grep -qs "ecryptfs"; then
3971
20
	echo "ERROR: This file must be sourced, rather than executed:"
3972
21
	echo
3973
22
	echo "  . $0"
3974
23
	echo
3975
24
	exit 1
3976
25
fi
3977
26
3978
27
# Hacky, umount.ecryptfs_private should be taught to exit 1 on
3979
28
# unsuccessful unmount, must check who else depends on this exit code.
3980
29
if /sbin/umount.ecryptfs_private | grep -v "Sessions still open"; then
3981
30
	cd "$HOME"/.Private
3982
31
else
3983
32
	echo "ERROR: Unable to access .Private, please close some sessions"
3984
33
fi
3985
34
/sbin/mount.ecryptfs_private
3986
35
0
3987
=== added file 'src/utils/ecryptfs-migrate-home'
3988
--- src/utils/ecryptfs-migrate-home	1970-01-01 00:00:00 +0000
3989
+++ src/utils/ecryptfs-migrate-home	2010-02-17 20:48:23 +0000
3990
@@ -0,0 +1,195 @@
3991
1
#!/bin/sh
3992
2
# -*- sh-basic-offset: 4; sh-indentation: 4; tab-width: 4; indent-tabs-mode: t; sh-indent-comment: t; -*-
3993
3
# This script encrypts an user's home
3994
4
#
3995
5
# Written by Yan Li <yan.i.li@intel.com>, <yanli@gnome.org>
3996
6
# Copyright (C) 2010 Intel Corporation
3997
7
#
3998
8
# Modified by Dustin Kirkland <kirkland@canonical.com>
3999
9
#
4000
10
# This program is free software; you can redistribute it and/or
4001
11
# modify it under the terms of the GNU General Public License as
4002
12
# published by the Free Software Foundation; either version 2 of the
4003
13
# License, or (at your option) any later version.
4004
14
#
4005
15
# This program is distributed in the hope that it will be useful, but
4006
16
# WITHOUT ANY WARRANTY; without even the implied warranty of
4007
17
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
4008
18
# General Public License for more details.
4009
19
#
4010
20
# You should have received a copy of the GNU General Public License
4011
21
# along with this program; if not, write to the Free Software
4012
22
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
4013
23
# 02111-1307, USA.
4014
24
4015
25
set -e
4016
26
4017
27
PRIVATE_DIR="Private"
4018
28
4019
29
usage() {
4020
30
       echo "
4021
31
Usage:
4022
32
4023
33
$0 -u USER
4024
34
4025
35
 -u,--user       Migrate USER's home directory to an encrypted home directory
4026
36
4027
37
WARNING: Make a complete backup copy of the non-encrypted data to
4028
38
another system or external media. This script is dangerous and, in
4029
39
case of an error, could result in data lost, or lock you out of your
4030
40
system!
4031
41
4032
42
This program must be executed by root.
4033
43
4034
44
"
4035
45
	exit 1
4036
46
}
4037
47
4038
48
error() {
4039
49
	echo "$(gettext 'ERROR: ')" "$@" 1>&2
4040
50
	exit 1
4041
51
}
4042
52
4043
53
warning() {
4044
54
	echo "$(gettext 'WARNING: ')" "$@" 1>&2
4045
55
}
4046
56
4047
57
info() {
4048
58
	echo "$(gettext 'INFO: ')" "$@" 1>&2
4049
59
}
4050
60
4051
61
assert_dir_empty() {
4052
62
	local DIR="$1"
4053
63
	if [ -e "$DIR" ]; then
4054
64
		# if $DIR is a directory, make sure it's empty
4055
65
		if [ -d "$DIR" ]; then
4056
66
			ls=$(ls -A "$DIR" | wc -l)
4057
67
			if [ "$ls" != "0" ]; then
4058
68
				echo 1>&2 "If you already have some data in directory $DIR,"
4059
69
				echo 1>&2 "please move all of these files and directories out of the way, and"
4060
70
				echo 1>&2 "follow the instructions in:"
4061
71
				echo 1>&2 "    ecryptfs-setup-private --undo"
4062
72
				echo 1>&2 
4063
73
				error "$DIR is not empty, cannot continue."
4064
74
			fi
4065
75
		else
4066
76
			error "$DIR exists but is not an empty directory, cannot continue."
4067
77
		fi
4068
78
	fi
4069
79
}
4070
80
4071
81
# get user home by username
4072
82
get_user_home () {
4073
83
	local USER_NAME="$1"
4074
84
	local USER_HOME=$(grep "^$USER_NAME:" /etc/passwd | cut -d":" -f 6)
4075
85
	if [ -z "$USER_HOME" ]; then
4076
86
		error "Cannot find the home directory of $USER_NAME."
4077
87
	fi
4078
88
	echo "$USER_HOME"
4079
89
}
4080
90
4081
91
sanity_check () {
4082
92
	local USER_NAME="$1"
4083
93
	local USER_HOME="$2"
4084
94
	if [ -e "$USER_HOME/.ecryptfs" ]; then
4085
95
		error "$USER_HOME appears to be encrypted already."
4086
96
	fi
4087
97
	# Check for rsync
4088
98
	if ! which rsync >/dev/null 2>&1; then
4089
99
		error "Please install the rsync package."
4090
100
	fi
4091
101
	# Check free space: make sure we have sufficient disk space
4092
102
	# available. To make a full copy, we will need at least 2.5x the
4093
103
	# disk usage of the target home directory.
4094
104
	info "Checking disk space, this may take a few moments.  Please be patient."
4095
105
	needed=$(du -s "$USER_HOME" | awk '{printf "%.0f", $1*2.5}')
4096
106
	free=$(df -P "$USER_HOME" | tail -n 1 | awk '{print $4}')
4097
107
	if [ $needed -gt $free ]; then
4098
108
		info "2.5x the size your current home directory is required to perform a migration."
4099
109
		info "Once the migration succeeds, you may recover most of this space by deleting the cleartext directory."
4100
110
		error "Not enough free disk space."
4101
111
	fi
4102
112
	assert_dir_empty "$USER_HOME/.$PRIVATE_DIR"
4103
113
	assert_dir_empty "$USER_HOME/.ecryptfs"
4104
114
	assert_dir_empty "/home/.ecryptfs/$USER_NAME"
4105
115
}
4106
116
4107
117
encrypt_dir () {
4108
118
	local USER_NAME="$1"
4109
119
	local USER_HOME="$2"
4110
120
	if ! which lsof >/dev/null 2>&1; then
4111
121
		info "Please install lsof."
4112
122
		error "Can not tell whether $USER_HOME is in use or not."
4113
123
	fi
4114
124
	info "Checking for open files in $USER_HOME"
4115
125
	lsof=$(lsof +D "$USER_HOME" | wc -l)
4116
126
	if [ "$lsof" != "0" ]; then
4117
127
		info "The following files are in use:"
4118
128
		echo
4119
129
		lsof +D "$USER_HOME" | sed "s/^/    /"
4120
130
		echo
4121
131
		error "Cannot proceed."
4122
132
	fi
4123
133
	# start encryption
4124
134
	orig=$(mktemp /home/$USER_NAME.XXXXXXXX)
4125
135
	rm "$orig" && mv "$USER_HOME" "$orig"
4126
136
	chmod 700 "$orig"
4127
137
	mkdir -p -m 700 "$USER_HOME"
4128
138
	USER_GROUP=$(id -g "$USER_NAME")
4129
139
	chown "$USER_NAME:$USER_GROUP" "$USER_HOME" "$orig"
4130
140
	ECRYPTFS_SETUP_PRIVATE_ARGS=""
4131
141
	if [ -n "$LOGINPASS" ]; then
4132
142
		ECRYPTFS_SETUP_PRIVATE_ARGS="-l $LOGINPASS"
4133
143
	fi
4134
144
	if [ -n "$MOUNTPASS" ]; then
4135
145
		ECRYPTFS_SETUP_PRIVATE_ARGS="$ECRYPTFS_SETUP_PRIVATE_ARGS -m $MOUNTPASS"
4136
146
	fi
4137
147
	if ! ecryptfs-setup-private -u "$USER_NAME" -b $ECRYPTFS_SETUP_PRIVATE_ARGS; then
4138
148
		# too bad, something went wrong, we'll try to recover
4139
149
		rm -rf "$USER_HOME"
4140
150
		mv "$orig" "$USER_HOME"
4141
151
		exit 1
4142
152
	fi
4143
153
	info "Encrypted home has been set up, encrypting files now...this may take a while."
4144
154
	rsync -a "$orig/" "$USER_HOME/"
4145
155
	umount "$USER_HOME/"
4146
156
	echo
4147
157
	info "======================================================================"
4148
158
	info "The file encryption appears to have completed successfully, however,"
4149
159
	info "$USER_NAME MUST LOGIN IMMEDIATELY (BEFORE THE NEXT REBOOT) TO COMPLETE THE MIGRATION!!!"
4150
160
	info "======================================================================"
4151
161
	echo
4152
162
	info "If $USER_NAME can log in and read and write their files, then the migration is complete, and you should remove $orig."
4153
163
	echo
4154
164
	info "Otherwise, remove $USER_HOME and move $orig back to $USER_HOME."
4155
165
	echo
4156
166
}
4157
167
4158
168
DO_ENCRYPT=
4159
169
while true; do
4160
170
	[ -z "$1" ] && break
4161
171
	case "$1" in
4162
172
		-u|--user)
4163
173
			DO_ENCRYPT=1
4164
174
			USER_NAME="$2"
4165
175
			shift 2
4166
176
		;;
4167
177
		*)
4168
178
			usage
4169
179
		;;
4170
180
	esac
4171
181
done
4172
182
4173
183
if [ "$DO_ENCRYPT" != "1" ]; then
4174
184
	usage
4175
185
fi
4176
186
4177
187
if [ "$(id -u)" != "0" ]; then
4178
188
	error "This program must be executed with root privileges"
4179
189
fi
4180
190
4181
191
if [ "$DO_ENCRYPT" = "1" ]; then
4182
192
	USER_HOME=$(get_user_home "$USER_NAME")
4183
193
	sanity_check "$USER_NAME" "$USER_HOME"
4184
194
	encrypt_dir "$USER_NAME" "$USER_HOME" "$LOGINPASS" "$MOUNTPASS"
4185
195
fi
4186
0
196
4187
=== modified file 'src/utils/ecryptfs-mount-private'
4188
--- src/utils/ecryptfs-mount-private	2009-03-20 21:44:01 +0000
4189
+++ src/utils/ecryptfs-mount-private	2010-02-17 20:48:23 +0000
4190
@@ -15,12 +15,13 @@
4191
15
PRIVATE_DIR="Private"
15
PRIVATE_DIR="Private"
4192
16
WRAPPING_PASS="LOGIN"
16
WRAPPING_PASS="LOGIN"
4193
17
PW_ATTEMPTS=3
17
PW_ATTEMPTS=3
4195
18
MESSAGE="Enter your login passphrase: "
18
TEXTDOMAIN="ecryptfs-utils"
4196
19
MESSAGE=`gettext "Enter your login passphrase:"`
4197
19
20
4198
20
if [ -f $HOME/.ecryptfs/wrapping-independent ]; then
21
if [ -f $HOME/.ecryptfs/wrapping-independent ]; then
4199
21
	# use a wrapping passphrase different from the login passphrase
22
	# use a wrapping passphrase different from the login passphrase
4200
22
	WRAPPING_PASS="INDEPENDENT"
23
	WRAPPING_PASS="INDEPENDENT"
4202
23
	MESSAGE="Enter your wrapping passphrase: "
24
	MESSAGE=`gettext "Enter your wrapping passphrase:"`
4203
24
fi
25
fi
4204
25
26
4205
26
WRAPPED_PASSPHRASE_FILE="$HOME/.ecryptfs/wrapped-passphrase"
27
WRAPPED_PASSPHRASE_FILE="$HOME/.ecryptfs/wrapped-passphrase"
4206
@@ -45,24 +46,24 @@
4207
45
		if printf "%s\0" "$LOGINPASS" | ecryptfs-insert-wrapped-passphrase-into-keyring "$WRAPPED_PASSPHRASE_FILE" - ; then
46
		if printf "%s\0" "$LOGINPASS" | ecryptfs-insert-wrapped-passphrase-into-keyring "$WRAPPED_PASSPHRASE_FILE" - ; then
4208
46
			break
47
			break
4209
47
		else
48
		else
4211
48
			echo "ERROR: Your passphrase is incorrect"
49
			echo `gettext "ERROR:"` `gettext "Your passphrase is incorrect"`
4212
49
			tries=$(($tries + 1))
50
			tries=$(($tries + 1))
4213
50
			continue
51
			continue
4214
51
		fi
52
		fi
4215
52
	done
53
	done
4216
53
	if [ $tries -ge $PW_ATTEMPTS ]; then
54
	if [ $tries -ge $PW_ATTEMPTS ]; then
4218
54
		echo "ERROR: Too many incorrect password attempts, exiting"
55
		echo `gettext "ERROR:"` `gettext "Too many incorrect password attempts, exiting"`
4219
55
		exit 1
56
		exit 1
4220
56
	fi
57
	fi
4221
57
	/sbin/mount.ecryptfs_private
58
	/sbin/mount.ecryptfs_private
4222
58
else
59
else
4224
59
	echo "ERROR: Encrypted $PRIVATE_DIR is not setup properly"
60
	echo `gettext "ERROR:"` `gettext "Encrypted private directory is not setup properly"`
4225
60
	exit 1
61
	exit 1
4226
61
fi
62
fi
4227
62
if grep -qs "$HOME/.Private $PWD ecryptfs " /proc/mounts 2>/dev/null; then
63
if grep -qs "$HOME/.Private $PWD ecryptfs " /proc/mounts 2>/dev/null; then
4228
63
	echo
64
	echo
4231
64
	echo "INFO: Your private directory has been mounted."
65
	echo `gettext "INFO:"` `gettext "Your private directory has been mounted."`
4232
65
	echo "INFO: To see this change in your current shell:"
66
	echo `gettext "INFO:"` `gettext "To see this change in your current shell:"`
4233
66
	echo "  cd $PWD"
67
	echo "  cd $PWD"
4234
67
	echo
68
	echo
4235
68
fi
69
fi
4236
69
70
4237
=== modified file 'src/utils/ecryptfs-rewrite-file'
4238
--- src/utils/ecryptfs-rewrite-file	2009-03-20 22:11:25 +0000
4239
+++ src/utils/ecryptfs-rewrite-file	2010-02-17 20:48:23 +0000
4240
@@ -17,45 +17,59 @@
4241
17
#    You should have received a copy of the GNU General Public License
17
#    You should have received a copy of the GNU General Public License
4242
18
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
18
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
4243
19
19
4244
20
TEXTDOMAIN="ecryptfs-utils"
4245
21
4246
20
error() {
22
error() {
4249
21
	echo
23
	echo `gettext "[FAILED]"`
4250
22
	echo "ERROR: $1" 1>&2
24
	echo `gettext "ERROR:"` "$1" 1>&2
4251
23
}
25
}
4252
24
j=0
26
j=0
4253
27
OKs=0
4254
25
for i in "$@"; do
28
for i in "$@"; do
4255
26
	[ "$i" = "." ] && continue
4256
27
	j=`expr $j + 1`
29
	j=`expr $j + 1`
4258
28
	echo -n "INFO: Rewriting [$j/$#] [$i] ... "
30
	echo -n `gettext "INFO:"` `gettext "Rewriting"` "[$j/$#] [$i] ... "
4259
31
	if [ ! -e "$i" ] ; then
4260
32
		error `gettext "File does not exist"`
4261
33
		continue
4262
34
	fi
4263
35
	if [ "$i" = "." ]; then
4264
36
		echo `gettext "[EXCLUDED]"` >&2
4265
37
		continue
4266
38
	fi
4267
29
	opt=
39
	opt=
4268
30
	if [ -d "$i" -a ! -h "$i" ]; then
40
	if [ -d "$i" -a ! -h "$i" ]; then
4269
31
		# A directory, re-encrypt the filename
41
		# A directory, re-encrypt the filename
4270
32
		temp1=`mktemp -d "$i".XXXXXXXXXX` || {
42
		temp1=`mktemp -d "$i".XXXXXXXXXX` || {
4272
33
			error "Could not create tempdir"
43
			error `gettext "Could not create tempdir"`
4273
34
			continue
44
			continue
4274
35
		}
45
		}
4277
36
		mv -f -T "$i" "$temp1" || {
46
		mv -f -T "$i" "$temp1" 2>/dev/null  || {
4278
37
			error "Could not rename [$i] to [$temp1]"
47
			error `gettext "Could not rename"` "[$i] -> [$temp1]"
4279
38
			rmdir "$temp1"
48
			rmdir "$temp1"
4280
39
			continue
49
			continue
4281
40
		}
50
		}
4284
41
		mv -f "$temp1" "$i"	|| {
51
		mv -f "$temp1" "$i" 2>/dev/null || {
4285
42
			error "Could not rename [$temp1] to [$i]"
52
			error `gettext "Could not rename"` "[$temp1] -> [$i]"
4286
43
		}
53
		}
4287
44
	else
54
	else
4288
45
		# A file or symlink, re-encrypt the contents
55
		# A file or symlink, re-encrypt the contents
4289
46
		temp1=`mktemp "$i".XXXXXXXXXX` || {
56
		temp1=`mktemp "$i".XXXXXXXXXX` || {
4291
47
			error "Could not create tempfile"
57
			error `gettext "Could not create tempfile"`
4292
48
			continue
58
			continue
4293
49
		}
59
		}
4296
50
		cp -a "$i" "$temp1" || {
60
		cp -a "$i" "$temp1" 2>/dev/null || {
4297
51
			error "Could not copy [$i] to [$temp1]"
61
			error `gettext "Could not copy"` "[$i] -> [$temp1]"
4298
52
			rm -f "$temp1"
62
			rm -f "$temp1"
4299
53
			continue
63
			continue
4300
54
		}
64
		}
4303
55
		mv -f "$temp1" "$i" || {
65
		mv -f "$temp1" "$i" 2>/dev/null || {
4304
56
			error "Could not rename [$temp1] to [$i]"
66
			error `gettext "Could not rename"` "[$temp1] -> [$i]"
4305
67
			continue
4306
57
		}
68
		}
4307
58
	fi
69
	fi
4309
59
	echo "[OK]"
70
	echo `gettext "[OK]"`
4310
71
	OKs=$((OKs+1))
4311
60
done
72
done
4312
73
echo "$OKs/$j" `gettext "rewrites succeeded"`
4313
74
[ $OKs -ne $j ] && exit 1
4314
61
exit 0
75
exit 0
4315
62
76
4316
=== modified file 'src/utils/ecryptfs-setup-private'
4317
--- src/utils/ecryptfs-setup-private	2009-03-24 19:38:23 +0000
4318
+++ src/utils/ecryptfs-setup-private	2010-02-17 20:48:23 +0000
4319
@@ -8,8 +8,10 @@
4320
8
# Copyright (C) 2007-2008 International Business Machines
8
# Copyright (C) 2007-2008 International Business Machines
4321
9
PRIVATE_DIR="Private"
9
PRIVATE_DIR="Private"
4322
10
WRAPPING_PASS="LOGIN"
10
WRAPPING_PASS="LOGIN"
4323
11
ECRYPTFS_DIR="/home/.ecryptfs"
4324
11
PW_ATTEMPTS=3
12
PW_ATTEMPTS=3
4326
12
MESSAGE="Enter your login passphrase"
13
TEXTDOMAIN="ecryptfs-utils"
4327
14
MESSAGE="$(gettext 'Enter your login passphrase')"
4328
13
CIPHER="aes"
15
CIPHER="aes"
4329
14
KEYBYTES="16"
16
KEYBYTES="16"
4330
15
FNEK=
17
FNEK=
4331
@@ -18,42 +20,43 @@
4332
18
GREP_OPTIONS=
20
GREP_OPTIONS=
4333
19
21
4334
20
usage() {
22
usage() {
4371
21
	echo
23
	echo "
4372
22
	echo "Usage:"
24
Usage:
4373
23
	echo "  $0 [-f|--force] [-w|--wrapping] [--nopwcheck] [-n|--no-fnek]"
25
4374
24
	echo "  [-u|--username USER] [-l|--loginpass LOGINPASS]"
26
$0 [-f|--force] [-w|--wrapping] [--nopwcheck] [-n|--no-fnek]
4375
25
	echo "  [-m|--mountpass MOUNTPASS]"
27
  [-u|--username USER] [-l|--loginpass LOGINPASS]
4376
26
	echo
28
  [-m|--mountpass MOUNTPASS]
4377
27
	echo " -f, --force      Force overwriting of an existing setup"
29
4378
28
	echo " -w, --wrapping   Use an independent wrapping passphrase,"
30
 -f, --force      Force overwriting of an existing setup
4379
29
	echo "                  different from the login passphrase"
31
 -w, --wrapping   Use an independent wrapping passphrase,
4380
30
	echo " -n, --no-fnek    Do not encrypt filenames; If this flag is"
32
                  different from the login passphrase
4381
31
	echo "                  omitted, and the kernel supports filename"
33
 -n, --no-fnek    Do not encrypt filenames; If this flag is
4382
32
	echo "                  encryption, then filenames will be encrypted"
34
                  omitted, and the kernel supports filename
4383
33
	echo " -u, --username   Username for encrypted private mountpoint,"
35
                  encryption, then filenames will be encrypted
4384
34
	echo "                  defaults to yourself"
36
 -u, --username   Username for encrypted private mountpoint,
4385
35
	echo " -l, --loginpass  Login/Wrapping passphrase for USER,"
37
                  defaults to yourself
4386
36
	echo "                  used to wrap MOUNTPASS"
38
 -l, --loginpass  Login/Wrapping passphrase for USER,
4387
37
	echo " --nopwcheck      Do not check the validity of the specified"
39
                  used to wrap MOUNTPASS
4388
38
	echo "                  login password (useful for LDAP user accounts)"
40
 --nopwcheck      Do not check the validity of the specified
4389
39
	echo " --noautomount    Setup this user such that the encrypted private"
41
                  login password (useful for LDAP user accounts)
4390
40
	echo "                  directory is not automatically mounted on login"
42
 --noautomount    Setup this user such that the encrypted private
4391
41
	echo " --noautoumount   Setup this user such that the encrypted private"
43
                  directory is not automatically mounted on login
4392
42
	echo "                  directory is not automatically unmounted at"
44
 --noautoumount   Setup this user such that the encrypted private
4393
43
	echo "                  logout"
45
                  directory is not automatically unmounted at
4394
44
	echo " -m, --mountpass  Passphrase for mounting the ecryptfs directory,"
46
                  logout
4395
45
	echo "                  defaults to randomly generated $KEYBYTES bytes"
47
 -m, --mountpass  Passphrase for mounting the ecryptfs directory,
4396
46
	echo " -b, --bootstrap  Bootstrap a new user's entire home directory"
48
                  defaults to randomly generated $KEYBYTES bytes
4397
47
	echo "                  Generates a random mount passphrase, which"
49
 -b, --bootstrap  Bootstrap a new user's entire home directory
4398
48
	echo "			will be wrapped when the new login passphrase"
50
                  Generates a random mount passphrase, which
4399
49
	echo "			is set. SHOULD ONLY BE CALLED FROM 'adduser'."
51
		  will be wrapped when the new login passphrase
4400
50
	echo " --undo           Provide instructions on how to undo an"
52
		  is set. SHOULD ONLY BE CALLED FROM 'adduser'.
4401
51
	echo "                  encrypted private setup"
53
 --undo           Provide instructions on how to undo an
4402
52
	echo
54
                  encrypted private setup
4403
53
	echo "   Be sure to properly escape your parameters according to your"
55
4404
54
	echo "   shell's special character nuances, and also surround the"
56
   Be sure to properly escape your parameters according to your
4405
55
	echo "   parameters by double quotes, if necessary."
57
   shell's special character nuances, and also surround the
4406
56
	echo
58
   parameters by double quotes, if necessary.
4407
59
"
4408
57
	exit 1
60
	exit 1
4409
58
}
61
}
4410
59
62
4411
@@ -63,7 +66,7 @@
4412
63
you will need to very carefully perform the following actions manually:
66
you will need to very carefully perform the following actions manually:
4413
64
67
4414
65
 1. Obtain your Private directory mountpoint
68
 1. Obtain your Private directory mountpoint
4416
66
   $ PRIVATE=\`cat ~/.ecryptfs/Private.mnt 2>/dev/null || echo \$HOME/Private\`
69
   $ PRIVATE=\`cat ~/.ecryptfs/Private.mnt 2>/dev/null || echo \$HOME/$PRIVATE_DIR\`
4417
67
 2. Ensure that you have moved all relevant data out of your \$PRIVATE directory
70
 2. Ensure that you have moved all relevant data out of your \$PRIVATE directory
4418
68
 3. Unmount your encrypted private directory
71
 3. Unmount your encrypted private directory
4419
69
   $ ecryptfs-umount-private
72
   $ ecryptfs-umount-private
4420
@@ -78,14 +81,15 @@
4421
78
}
81
}
4422
79
82
4423
80
error() {
83
error() {
4425
81
	echo "ERROR: $1" 1>&2
84
	echo "$(gettext 'ERROR: ')" "$@" 1>&2
4426
82
	exit 1
85
	exit 1
4427
83
}
86
}
4428
84
87
4429
85
error_testing() {
88
error_testing() {
4430
86
	rm -f "$1" >/dev/null
89
	rm -f "$1" >/dev/null
4431
90
	shift
4432
87
	/sbin/umount.ecryptfs_private >/dev/null
91
	/sbin/umount.ecryptfs_private >/dev/null
4434
88
	error "$2"
92
	error "$@"
4435
89
	exit 1
93
	exit 1
4436
90
}
94
}
4437
91
95
4438
@@ -98,7 +102,7 @@
4439
98
102
4440
99
filename_encryption_available() {
103
filename_encryption_available() {
4441
100
	version=$(cat /sys/fs/ecryptfs/version 2>/dev/null)
104
	version=$(cat /sys/fs/ecryptfs/version 2>/dev/null)
4443
101
	[ -z "$version" ] && error "Can't get ecryptfs version, ecryptfs kernel module not loaded?"
105
	[ -z "$version" ] && error "$(gettext 'Cannot get ecryptfs version, ecryptfs kernel module not loaded?')"
4444
102
	[ $(($version & 0x100)) -eq 0 ] && return 1
106
	[ $(($version & 0x100)) -eq 0 ] && return 1
4445
103
	return 0
107
	return 0
4446
104
}
108
}
4447
@@ -125,7 +129,7 @@
4448
125
		;;
129
		;;
4449
126
		-w|--wrapping)
130
		-w|--wrapping)
4450
127
			WRAPPING_PASS="INDEPENDENT"
131
			WRAPPING_PASS="INDEPENDENT"
4452
128
			MESSAGE="Enter your wrapping passphrase"
132
			MESSAGE="$(gettext 'Enter your wrapping passphrase')"
4453
129
			shift 1
133
			shift 1
4454
130
		;;
134
		;;
4455
131
		-f|--force)
135
		-f|--force)
4456
@@ -149,7 +153,7 @@
4457
149
			exit 0
153
			exit 0
4458
150
		;;
154
		;;
4459
151
		-b|--bootstrap)
155
		-b|--bootstrap)
4461
152
			[ `whoami` = "root" ] || error "You must be root to bootstrap encrypt a home directory"
156
			[ `whoami` = "root" ] || error "$(gettext 'You must be root to bootstrap encrypt a home directory')"
4462
153
			BOOTSTRAP=1
157
			BOOTSTRAP=1
4463
154
			MOUNTPASS=`random_passphrase $KEYBYTES`
158
			MOUNTPASS=`random_passphrase $KEYBYTES`
4464
155
			RANDOM_MOUNTPASS=1
159
			RANDOM_MOUNTPASS=1
4465
@@ -168,16 +172,16 @@
4466
168
# Prompt for the USER name, if not on the command line and not in the env
172
# Prompt for the USER name, if not on the command line and not in the env
4467
169
if [ -z "$USER" ]; then
173
if [ -z "$USER" ]; then
4468
170
	while [ true ]; do
174
	while [ true ]; do
4470
171
		echo -n "Enter the username: "
175
		echo -n "$(gettext 'Enter the username: ')"
4471
172
		USER=`head -n1`
176
		USER=`head -n1`
4472
173
		echo
177
		echo
4473
174
		if [ -z "$USER" ]; then
178
		if [ -z "$USER" ]; then
4475
175
			echo "ERROR: You must provide a username"
179
			echo "$(gettext 'ERROR: ')" "$(gettext 'You must provide a username')"
4476
176
			continue
180
			continue
4477
177
		else
181
		else
4478
178
			# Verify that the user exists
182
			# Verify that the user exists
4479
179
			if ! id "$USER" >/dev/null; then
183
			if ! id "$USER" >/dev/null; then
4481
180
				echo "ERROR: User [$USER] does not exist"
184
				echo "$(gettext 'ERROR: ')" "$(gettext 'User does not exist')" " [$USER]"
4482
181
				continue
185
				continue
4483
182
			fi
186
			fi
4484
183
			break
187
			break
4485
@@ -185,49 +189,61 @@
4486
185
	done
189
	done
4487
186
else
190
else
4488
187
	# Verify that the user exists
191
	# Verify that the user exists
4490
188
	id "$USER" >/dev/null || error "User [$USER] does not exist"
192
	id "$USER" >/dev/null || error "$(gettext 'User does not exist')" "[$USER]"
4491
193
fi
4492
194
4493
195
# Obtain USER's primary group
4494
196
GROUP=$(id -g $USER)
4495
197
4496
198
# Check if the ecryptfs group exists, and user is member of ecryptfs group
4497
199
if grep -qs "^ecryptfs:" /etc/group; then
4498
200
	if ! id "$USER" | grep -qs "\(ecryptfs\)"; then
4499
201
	       error "$(gettext 'User needs to be a member of ecryptfs group')"
4500
202
	fi
4501
189
fi
203
fi
4502
190
204
4503
191
# Obtain the user's home directory
205
# Obtain the user's home directory
4504
192
HOME=`getent passwd "$USER" | awk -F: '{print $6}'`
206
HOME=`getent passwd "$USER" | awk -F: '{print $6}'`
4505
193
if [ ! -d "$HOME" ]; then
207
if [ ! -d "$HOME" ]; then
4507
194
	error "User home directory [$HOME] does not exist"
208
	error "$(gettext 'User home directory does not exist')" "[$HOME]"
4508
195
fi
209
fi
4509
196
210
4510
197
if [ "$BOOTSTRAP" = "1" ]; then
211
if [ "$BOOTSTRAP" = "1" ]; then
4511
198
	# If we want to encrypt the entire homedir, we need the .ecryptfs
212
	# If we want to encrypt the entire homedir, we need the .ecryptfs
4512
199
	# config dir elsewhere, but linked into the homedir
213
	# config dir elsewhere, but linked into the homedir
4515
200
	mkdir -p -m 700 /var/lib/ecryptfs/$USER
214
	mkdir -p -m 700 $ECRYPTFS_DIR/$USER/.ecryptfs 
4516
201
	ln -sf /var/lib/ecryptfs/$USER $HOME/.ecryptfs
215
	ln -sf $ECRYPTFS_DIR/$USER/.ecryptfs $HOME/.ecryptfs
4517
216
	ln -sf $ECRYPTFS_DIR/$USER/.$PRIVATE_DIR $HOME/.$PRIVATE_DIR
4518
202
	MOUNTPOINT="$HOME"
217
	MOUNTPOINT="$HOME"
4519
218
	CRYPTDIR="$ECRYPTFS_DIR/$USER/.$PRIVATE_DIR"
4520
203
else
219
else
4521
204
	mkdir -m 700 $HOME/.ecryptfs
220
	mkdir -m 700 $HOME/.ecryptfs
4522
205
	MOUNTPOINT="$HOME/$PRIVATE_DIR"
221
	MOUNTPOINT="$HOME/$PRIVATE_DIR"
4523
222
	CRYPTDIR="$HOME/.$PRIVATE_DIR"
4524
206
fi
223
fi
4525
207
224
4526
208
# Check for previously setup private directory
225
# Check for previously setup private directory
4527
209
if [ -s "$HOME/.ecryptfs/wrapped-passphrase" -a "$FORCE" != "1" ]; then
226
if [ -s "$HOME/.ecryptfs/wrapped-passphrase" -a "$FORCE" != "1" ]; then
4529
210
	error "wrapped-passphrase file already exists, use --force to overwrite."
227
	error "$(gettext 'wrapped-passphrase file already exists, use --force to overwrite.')"
4530
211
fi
228
fi
4531
212
if [ -s "$HOME/.ecryptfs/$PRIVATE_DIR.sig" -a "$FORCE" != "1" ]; then
229
if [ -s "$HOME/.ecryptfs/$PRIVATE_DIR.sig" -a "$FORCE" != "1" ]; then
4533
213
	error "$PRIVATE_DIR.sig file already exists, use --force to overwrite."
230
	error "$PRIVATE_DIR.sig" "$(gettext 'file already exists, use --force to overwrite.')"
4534
214
fi
231
fi
4535
215
232
4536
216
# Check for active mounts
233
# Check for active mounts
4540
217
CRYPTDIR="$HOME/.$PRIVATE_DIR"
234
grep -qs "$MOUNTPOINT " /proc/mounts && error "[$MOUNTPOINT]" "$(gettext 'is already mounted')"
4541
218
grep -qs "$MOUNTPOINT " /proc/mounts && error "[$MOUNTPOINT] is already mounted"
235
grep -qs "$CRYPTDIR " /proc/mounts && error "[$CRYPTDIR]" "$(gettext 'is already mounted')"
4539
219
grep -qs "$CRYPTDIR " /proc/mounts && error "[$CRYPTDIR] is already mounted"
4542
220
236
4543
221
# Check that the mount point and encrypted directory are empty (skip symlinks).
237
# Check that the mount point and encrypted directory are empty (skip symlinks).
4544
222
# Perhaps one day we could provide a migration mode (using rsync or something),
238
# Perhaps one day we could provide a migration mode (using rsync or something),
4545
223
# but this would be VERY hard to do safely.
239
# but this would be VERY hard to do safely.
4546
224
count=`ls -Al "$MOUNTPOINT" 2>/dev/null | egrep -c "^[drwx-]{10}"`
240
count=`ls -Al "$MOUNTPOINT" 2>/dev/null | egrep -c "^[drwx-]{10}"`
4547
225
if [ "$count" != "0" ]; then
241
if [ "$count" != "0" ]; then
4549
226
	error "$MOUNTPOINT must be empty before proceeding"
242
	error "$MOUNTPOINT" "$(gettext 'must be empty before proceeding')"
4550
227
fi
243
fi
4551
228
count=`ls -Al "$CRYPTDIR" 2>/dev/null | egrep -c "^[dlrwx-]{10}"`
244
count=`ls -Al "$CRYPTDIR" 2>/dev/null | egrep -c "^[dlrwx-]{10}"`
4552
229
if [ "$count" != "0" ]; then
245
if [ "$count" != "0" ]; then
4554
230
	error "$CRYPTDIR must be empty before proceeding"
246
	error "$CRYPTDIR" "$(gettext 'must be empty before proceeding')"
4555
231
fi
247
fi
4556
232
248
4557
233
stty_orig=`stty -g`
249
stty_orig=`stty -g`
4558
@@ -240,14 +256,16 @@
4559
240
		LOGINPASS=`head -n1`
256
		LOGINPASS=`head -n1`
4560
241
		stty $stty_orig
257
		stty $stty_orig
4561
242
		echo
258
		echo
4563
243
		if [ $WRAPPING_PASS != "LOGIN" ]; then
259
		if [ $WRAPPING_PASS != "LOGIN" -o ! -x /sbin/unix_chkpwd ]; then
4564
260
			# If we can't check the accuracy of the user's entered
4565
261
			# passphrase, force them to type it twice (matching)
4566
244
			stty -echo
262
			stty -echo
4567
245
			echo -n "$MESSAGE (again): "
263
			echo -n "$MESSAGE (again): "
4568
246
			LOGINPASS2=`head -n1`
264
			LOGINPASS2=`head -n1`
4569
247
			stty $stty_orig
265
			stty $stty_orig
4570
248
			echo
266
			echo
4571
249
			if [ "$LOGINPASS" != "$LOGINPASS2" ]; then
267
			if [ "$LOGINPASS" != "$LOGINPASS2" ]; then
4573
250
				echo "ERROR: Wrapping passphrases must match"
268
				echo "$(gettext 'ERROR: ')" "$(gettext 'Wrapping passphrases must match')"
4574
251
			else
269
			else
4575
252
				break
270
				break
4576
253
			fi
271
			fi
4577
@@ -255,25 +273,24 @@
4578
255
			continue
273
			continue
4579
256
		fi
274
		fi
4580
257
		if [ -z "$LOGINPASS" ]; then
275
		if [ -z "$LOGINPASS" ]; then
4582
258
			echo "ERROR: You must provide a login passphrase"
276
			echo "$(gettext 'ERROR: ')" "$(gettext 'You must provide a login passphrase')"
4583
259
			tries=$(($tries + 1))
277
			tries=$(($tries + 1))
4584
260
		else
278
		else
4585
261
			if [ "$NOPWCHECK" = "1" ]; then
279
			if [ "$NOPWCHECK" = "1" ]; then
4587
262
				echo "INFO: Skipping password verification"
280
				echo "$(gettext 'INFO:')" "$(gettext 'Skipping password verification')"
4588
263
				break
281
				break
4589
264
			else
282
			else
4590
265
				if printf "%s\0" "$LOGINPASS" | /sbin/unix_chkpwd "$USER" nullok; then
283
				if printf "%s\0" "$LOGINPASS" | /sbin/unix_chkpwd "$USER" nullok; then
4591
266
					break
284
					break
4592
267
				else
285
				else
4594
268
					echo "ERROR: Your login passphrase is incorrect"
286
					echo "$(gettext 'ERROR: ')" "$(gettext 'Your login passphrase is incorrect')"
4595
269
					tries=$(($tries + 1))
287
					tries=$(($tries + 1))
4596
270
				fi
288
				fi
4597
271
			fi
289
			fi
4598
272
		fi
290
		fi
4599
273
	done
291
	done
4600
274
	if [ $tries -ge $PW_ATTEMPTS ]; then
292
	if [ $tries -ge $PW_ATTEMPTS ]; then
4603
275
		echo "ERROR: Too many incorrect password attempts, exiting"
293
		error "$(gettext 'Too many incorrect password attempts, exiting')"
4602
276
		exit 1
4604
277
	fi
294
	fi
4605
278
fi
295
fi
4606
279
296
4607
@@ -282,7 +299,7 @@
4608
282
	tries=0
299
	tries=0
4609
283
	while [ $tries -lt $PW_ATTEMPTS ]; do
300
	while [ $tries -lt $PW_ATTEMPTS ]; do
4610
284
		stty -echo
301
		stty -echo
4612
285
		echo -n "Enter your mount passphrase [leave blank to generate one]: "
302
		echo -n "$(gettext 'Enter your mount passphrase [leave blank to generate one]: ')"
4613
286
		MOUNTPASS=`head -n1`
303
		MOUNTPASS=`head -n1`
4614
287
		stty $stty_orig
304
		stty $stty_orig
4615
288
		echo
305
		echo
4616
@@ -292,12 +309,12 @@
4617
292
			break
309
			break
4618
293
		else
310
		else
4619
294
			stty -echo
311
			stty -echo
4621
295
			echo -n "Enter your mount passphrase (again): "
312
			echo -n "$(gettext 'Enter your mount passphrase (again): ')"
4622
296
			MOUNTPASS2=`head -n1`
313
			MOUNTPASS2=`head -n1`
4623
297
			stty $stty_orig
314
			stty $stty_orig
4624
298
			echo
315
			echo
4625
299
			if [ "$MOUNTPASS" != "$MOUNTPASS2" ]; then
316
			if [ "$MOUNTPASS" != "$MOUNTPASS2" ]; then
4627
300
				echo "ERROR: Mount passphrases do not match"
317
				echo "$(gettext 'ERROR: ')" "$(gettext 'Mount passphrases do not match')"
4628
301
				tries=$(($tries + 1))
318
				tries=$(($tries + 1))
4629
302
			else
319
			else
4630
303
				break
320
				break
4631
@@ -305,58 +322,43 @@
4632
305
		fi
322
		fi
4633
306
	done
323
	done
4634
307
	if [ $tries -ge $PW_ATTEMPTS ]; then
324
	if [ $tries -ge $PW_ATTEMPTS ]; then
4637
308
		echo "ERROR: Too many incorrect passphrase attempts, exiting"
325
		error "$(gettext 'Too many incorrect passphrase attempts, exiting')"
4636
309
		exit 1
4638
310
	fi
326
	fi
4639
311
fi
327
fi
4640
312
328
4641
313
#echo
4642
314
#echo "Using username [$USER]"
4643
315
#echo "Using mount passphrase [$MOUNTPASS]"
4644
316
#echo "Using login passphrase [$LOGINPASS]"
4645
317
#echo "Using mount point [$MOUNTPOINT]"
4646
318
#echo "Using encrypted dir [$CRYPTDIR]"
4647
319
#echo
4648
320
#echo "This script will attempt to set up your system to mount"
4649
321
#echo "$MOUNTPOINT with eCryptfs automatically on login,"
4650
322
#echo "using your login passphrase."
4651
323
echo
329
echo
4652
324
echo "************************************************************************"
330
echo "************************************************************************"
4660
325
if [ "$RANDOM_MOUNTPASS" = "1" ]; then
331
echo "$(gettext 'YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.')"
4661
326
	echo "YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:"
332
echo "  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase"
4662
327
	echo "$MOUNTPASS"
333
echo "$(gettext 'THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.')"
4656
328
else
4657
329
	echo "YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:"
4658
330
fi
4659
331
echo "THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME."
4663
332
echo "************************************************************************"
334
echo "************************************************************************"
4664
333
echo
335
echo
4665
334
336
4666
335
###############################################################################
337
###############################################################################
4667
336
338
4668
337
# Setup private directory in home
339
# Setup private directory in home
4671
338
mkdir -m 700 -p "$CRYPTDIR" || error "Could not create crypt directory [$CRYPTDIR]"
340
mkdir -m 700 -p "$CRYPTDIR" || error "$(gettext 'Could not create crypt directory')" "[$CRYPTDIR]"
4672
339
mkdir -m 700 -p "$MOUNTPOINT" || error "Could not create mount directory [$MOUNTPOINT]"
341
mkdir -m 700 -p "$MOUNTPOINT" || error "$(gettext 'Could not create mount directory')" "[$MOUNTPOINT]"
4673
340
ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt "$MOUNTPOINT"/README.txt
342
ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt "$MOUNTPOINT"/README.txt
4674
341
ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop "$MOUNTPOINT"/Access-Your-Private-Data.desktop
343
ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop "$MOUNTPOINT"/Access-Your-Private-Data.desktop
4675
342
chmod 500 "$MOUNTPOINT"
344
chmod 500 "$MOUNTPOINT"
4676
343
345
4677
344
# Setup ~/.ecryptfs directory
346
# Setup ~/.ecryptfs directory
4678
345
if [ "$NOAUTOMOUNT" = "1" ]; then
347
if [ "$NOAUTOMOUNT" = "1" ]; then
4680
346
	echo "INFO: $HOME/$PRIVATE_DIR will not be mounted on login"
348
	echo "$(gettext 'INFO:')" "$HOME/$PRIVATE_DIR" "$(gettext 'will not be mounted on login')"
4681
347
else
349
else
4683
348
	touch $HOME/.ecryptfs/auto-mount || error "Could not setup ecryptfs auto-mount"
350
	touch $HOME/.ecryptfs/auto-mount || error "$(gettext 'Could not setup ecryptfs auto-mount')"
4684
349
fi
351
fi
4685
350
if [ "$NOAUTOUMOUNT" = "1" ]; then
352
if [ "$NOAUTOUMOUNT" = "1" ]; then
4687
351
	echo "INFO: $HOME/$PRIVATE_DIR will not be unmounted on logout"
353
	echo "$(gettext 'INFO:')" "$HOME/$PRIVATE_DIR" "$(gettext 'will not be unmounted on logout')"
4688
352
else
354
else
4690
353
	touch $HOME/.ecryptfs/auto-umount || error "Could not setup ecryptfs auto-umount"
355
	touch $HOME/.ecryptfs/auto-umount || error "$(gettext 'Could not setup ecryptfs auto-umount')"
4691
354
fi
356
fi
4692
355
357
4693
356
if [ "$WRAPPING_PASS" = "LOGIN" ]; then
358
if [ "$WRAPPING_PASS" = "LOGIN" ]; then
4695
357
	rm -f $HOME/.ecryptfs/wrapping-independent || error "Could not remove ecryptfs wrapping-independent"
359
	rm -f $HOME/.ecryptfs/wrapping-independent || error "$(gettext 'Could not remove ecryptfs wrapping-independent')"
4696
358
else
360
else
4698
359
	touch $HOME/.ecryptfs/wrapping-independent || error "Could not setup ecryptfs wrapping-independent"
361
	touch $HOME/.ecryptfs/wrapping-independent || error "$(gettext 'Could not setup ecryptfs wrapping-independent')"
4699
360
fi
362
fi
4700
361
363
4701
362
364
4702
@@ -364,7 +366,7 @@
4703
364
timestamp=`date +%Y%m%d%H%M%S`
366
timestamp=`date +%Y%m%d%H%M%S`
4704
365
for i in "$HOME/.ecryptfs/wrapped-passphrase" "$HOME/.ecryptfs/$PRIVATE_DIR.sig"; do
367
for i in "$HOME/.ecryptfs/wrapped-passphrase" "$HOME/.ecryptfs/$PRIVATE_DIR.sig"; do
4705
366
	if [ -s "$i" ]; then
368
	if [ -s "$i" ]; then
4707
367
		mv -f "$i" "$i.$timestamp" || error "Could not backup existing data [$i]"
369
		mv -f "$i" "$i.$timestamp" || error "(gettext 'Could not backup existing data')" "[$i]"
4708
368
	fi
370
	fi
4709
369
done
371
done
4710
370
372
4711
@@ -380,7 +382,7 @@
4712
380
	printf "%s" "$MOUNTPASS" > "$temp"
382
	printf "%s" "$MOUNTPASS" > "$temp"
4713
381
	mv "$temp" "/dev/shm/.ecryptfs-$USER"
383
	mv "$temp" "/dev/shm/.ecryptfs-$USER"
4714
382
else
384
else
4716
383
	printf "%s\n%s" "$MOUNTPASS" "$LOGINPASS" | ecryptfs-wrap-passphrase "$HOME/.ecryptfs/wrapped-passphrase" - || error "Could not wrap passphrase"
385
	printf "%s\n%s" "$MOUNTPASS" "$LOGINPASS" | ecryptfs-wrap-passphrase "$HOME/.ecryptfs/wrapped-passphrase" - || error "$(gettext 'Could not wrap passphrase')"
4717
384
fi
386
fi
4718
385
umask $u
387
umask $u
4719
386
388
4720
@@ -388,21 +390,21 @@
4721
388
# On subsequent logins, this should be handled by "pam_ecryptfs.so unwrap"
390
# On subsequent logins, this should be handled by "pam_ecryptfs.so unwrap"
4722
389
response=`printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK -`
391
response=`printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK -`
4723
390
if [ $? -ne 0 ]; then
392
if [ $? -ne 0 ]; then
4725
391
	error "Could not add passphrase to the current keyring"
393
	error "$(gettext 'Could not add passphrase to the current keyring')"
4726
392
fi
394
fi
4727
393
sig=`echo "$response" | grep "Inserted auth tok" | sed "s/^.*\[//" | sed "s/\].*$//"`
395
sig=`echo "$response" | grep "Inserted auth tok" | sed "s/^.*\[//" | sed "s/\].*$//"`
4728
394
if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{$KEYBYTES,$KEYBYTES}$"; then
396
if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{$KEYBYTES,$KEYBYTES}$"; then
4730
395
	error "Could not obtain the key signature"
397
	error "$(gettext 'Could not obtain the key signature')"
4731
396
fi
398
fi
4732
397
temp=`mktemp`
399
temp=`mktemp`
4734
398
echo "$sig" > "$temp" || error "Could not create signature file [$HOME/.ecryptfs/$PRIVATE_DIR.sig]"
400
echo "$sig" > "$temp" || error "$(gettext 'Could not create signature file')" "[$HOME/.ecryptfs/$PRIVATE_DIR.sig]"
4735
399
mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.sig"
401
mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.sig"
4736
400
temp=`mktemp`
402
temp=`mktemp`
4738
401
echo "$MOUNTPOINT" > "$temp" || error "Could not create mountpoint file [$HOME/.ecryptfs/$PRIVATE_DIR.mnt]"
403
echo "$MOUNTPOINT" > "$temp" || error "$(gettext 'Could not create mountpoint file')" "[$HOME/.ecryptfs/$PRIVATE_DIR.mnt]"
4739
402
mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.mnt"
404
mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.mnt"
4740
403
405
4741
404
echo
406
echo
4743
405
echo "Done configuring."
407
echo "$(gettext 'Done configuring.')"
4744
406
echo
408
echo
4745
407
409
4746
408
# Skip the tests if we're in bootstrap mode, but exit with the encrypted
410
# Skip the tests if we're in bootstrap mode, but exit with the encrypted
4747
@@ -412,7 +414,9 @@
4748
412
	# and the calling 'adduser' is about to copy over /etc/skel
414
	# and the calling 'adduser' is about to copy over /etc/skel
4749
413
	# NOTE: it is the responsibility of 'adduser' to unmount!
415
	# NOTE: it is the responsibility of 'adduser' to unmount!
4750
414
	# And ensure that $USER owns the files/dirs we've created as root
416
	# And ensure that $USER owns the files/dirs we've created as root
4752
415
	chown $USER:$USER "$CRYPTDIR" /dev/shm/.ecryptfs-$USER
417
	chown $USER:$GROUP "$CRYPTDIR" /dev/shm/.ecryptfs-$USER
4753
418
	chown -R $USER:$GROUP $ECRYPTFS_DIR/$USER
4754
419
	chown -R $USER:$GROUP $MOUNTPOINT
4755
416
	if [ "$FNEK" = "--fnek" ]; then
420
	if [ "$FNEK" = "--fnek" ]; then
4756
417
		fnek_sig=`tail -n 1 "$HOME/.ecryptfs/$PRIVATE_DIR.sig"`
421
		fnek_sig=`tail -n 1 "$HOME/.ecryptfs/$PRIVATE_DIR.sig"`
4757
418
		sig=`head -n 1 "$HOME/.ecryptfs/$PRIVATE_DIR.sig"`
422
		sig=`head -n 1 "$HOME/.ecryptfs/$PRIVATE_DIR.sig"`
4758
@@ -420,42 +424,37 @@
4759
420
	else
424
	else
4760
421
		sig_opt="ecryptfs_sig=$sig"
425
		sig_opt="ecryptfs_sig=$sig"
4761
422
	fi
426
	fi
4762
427
	# Do the mount, and provide some helpful symlinks
4763
423
	mount -i -t ecryptfs -o "rw,$sig_opt,ecryptfs_cipher=$CIPHER,ecryptfs_key_bytes=$KEYBYTES" "$CRYPTDIR" "$MOUNTPOINT" || error "Could not mount"
428
	mount -i -t ecryptfs -o "rw,$sig_opt,ecryptfs_cipher=$CIPHER,ecryptfs_key_bytes=$KEYBYTES" "$CRYPTDIR" "$MOUNTPOINT" || error "Could not mount"
4775
424
	ln -sf /var/lib/ecryptfs/$USER $MOUNTPOINT/.ecryptfs
429
	ln -sf $ECRYPTFS_DIR/$USER/.ecryptfs $MOUNTPOINT/.ecryptfs
4776
425
	for i in auto-mount \
430
	ln -sf $ECRYPTFS_DIR/$USER/.$PRIVATE_DIR $MOUNTPOINT/.$PRIVATE_DIR
4777
426
		 auto-umount \
431
	chown -R $USER:$GROUP $ECRYPTFS_DIR/$USER
4778
427
		 $PRIVATE_DIR.mnt \
432
	chown -R $USER:$GROUP $MOUNTPOINT
4768
428
		 $PRIVATE_DIR.sig \
4769
429
		 wrapped-passphrase;
4770
430
	do
4771
431
		[ -e $HOME/.ecryptfs/$i ] && chown $USER:$USER $MOUNTPOINT/.ecryptfs/$i
4772
432
	done
4773
433
	chown $USER:$USER /var/lib/ecryptfs/$USER
4774
434
	chown -h $USER:$USER $MOUNTPOINT/.ecryptfs
4779
435
	exit 0
433
	exit 0
4780
436
fi
434
fi
4781
437
435
4782
438
# Now let's perform some basic mount/write/umount/read sanity testing...
436
# Now let's perform some basic mount/write/umount/read sanity testing...
4792
439
echo "Testing mount/write/umount/read..."
437
echo "$(gettext 'Testing mount/write/umount/read...')"
4793
440
/sbin/mount.ecryptfs_private || error "Could not mount private ecryptfs directory"
438
/sbin/mount.ecryptfs_private || error "$(gettext 'Could not mount private ecryptfs directory')"
4794
441
temp=`mktemp "$MOUNTPOINT/ecryptfs.test.XXXXXX"` || error_testing "$temp" "Could not create empty file"
439
temp=`mktemp "$MOUNTPOINT/ecryptfs.test.XXXXXX"` || error_testing "$temp" "$(gettext 'Could not create empty file')"
4795
442
random_data=`head -c 16000 /dev/urandom | od -x` || error_testing "$temp" "Could not generate random data"
440
random_data=`head -c 16000 /dev/urandom | od -x` || error_testing "$temp" "$(gettext 'Could not generate random data')"
4796
443
echo "$random_data" > "$temp" || error_testing "$temp" "Could not write encrypted file"
441
echo "$random_data" > "$temp" || error_testing "$temp" "$(gettext 'Could not write encrypted file')"
4797
444
md5sum1=`md5sum "$temp"` || error_testing "$temp" "Could not read encrypted file"
442
md5sum1=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read encrypted file')"
4798
445
/sbin/umount.ecryptfs_private || error_testing "$temp" "Could not unmount private ecryptfs directory"
443
/sbin/umount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not unmount private ecryptfs directory')"
4799
446
/sbin/mount.ecryptfs_private || error_testing "$temp" "Could not mount private ecryptfs directory (2)"
444
/sbin/mount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not mount private ecryptfs directory (2)')"
4800
447
md5sum2=`md5sum "$temp"` || error_testing "$temp" "Could not read encrypted file (2)"
445
md5sum2=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read encrypted file (2)')"
4801
448
rm -f "$temp"
446
rm -f "$temp"
4802
449
# Use ecryptfs-umount-private on the final run, to clear the used keys
447
# Use ecryptfs-umount-private on the final run, to clear the used keys
4803
450
# out of the keyring
448
# out of the keyring
4805
451
ecryptfs-umount-private || error_testing "$temp" "Could not unmount private ecryptfs directory (2)"
449
ecryptfs-umount-private || error_testing "$temp" "$(gettext 'Could not unmount private ecryptfs directory (2)')"
4806
452
if [ "$md5sum1" != "$md5sum2" ]; then
450
if [ "$md5sum1" != "$md5sum2" ]; then
4808
453
	error "Testing failed."
451
	error "$(gettext 'Testing failed.')"
4809
454
else
452
else
4811
455
	echo "Testing succeeded."
453
	echo "$(gettext 'Testing succeeded.')"
4812
456
fi
454
fi
4813
457
455
4814
458
echo
456
echo
4816
459
echo "Logout, and log back in to begin using your encrypted directory."
457
echo "$(gettext 'Logout, and log back in to begin using your encrypted directory.')"
4817
460
echo
458
echo
4818
459
4819
461
exit 0
460
exit 0
4820
462
461
4821
=== modified file 'src/utils/ecryptfs-setup-swap'
4822
--- src/utils/ecryptfs-setup-swap	2009-03-20 21:44:01 +0000
4823
+++ src/utils/ecryptfs-setup-swap	2010-02-17 20:48:23 +0000
4824
@@ -19,23 +19,25 @@
4825
19
# The cryptswap setup used here follows a guide published at:
19
# The cryptswap setup used here follows a guide published at:
4826
20
#  * http://ubuntumagnet.com/2007/11/creating-encrypted-swap-file-ubuntu-using-cryptsetup
20
#  * http://ubuntumagnet.com/2007/11/creating-encrypted-swap-file-ubuntu-using-cryptsetup
4827
21
21
4828
22
TEXTDOMAIN="ecryptfs-utils"
4829
23
4830
22
error() {
24
error() {
4832
23
	echo "ERROR: $1" 1>&2
25
	echo `gettext "ERROR:"` "$@" 1>&2
4833
24
	exit 1
26
	exit 1
4834
25
}
27
}
4835
26
28
4836
27
info() {
29
info() {
4838
28
	echo "INFO: $1"
30
	echo `gettext "INFO:"` "$@"
4839
29
}
31
}
4840
30
32
4843
31
warning() {
33
warn() {
4844
32
	echo "WARNING: "
34
	echo `gettext "WARNING:"` "$@" 1>&2
4845
33
}
35
}
4846
34
36
4847
35
usage() {
37
usage() {
4848
36
	echo
38
	echo
4851
37
	echo "Usage:"
39
	echo `gettext "Usage:"`
4852
38
	echo "  $0 [-f|--force]"
40
	echo "  $0 [-f|--force] [-n|--no-reload]"
4853
39
	echo
41
	echo
4854
40
	exit 1
42
	exit 1
4855
41
}
43
}
4856
@@ -48,6 +50,10 @@
4857
48
			FORCE=1
50
			FORCE=1
4858
49
			shift 1
51
			shift 1
4859
50
		;;
52
		;;
4860
53
		-n|--no-reload)
4861
54
			NO_RELOAD=1
4862
55
			shift 1
4863
56
		;;
4864
51
		*)
57
		*)
4865
52
			usage
58
			usage
4866
53
		;;
59
		;;
4867
@@ -55,94 +61,83 @@
4868
55
done
61
done
4869
56
62
4870
57
# Ensure that cryptsetup is available
63
# Ensure that cryptsetup is available
4872
58
[ -x /sbin/cryptsetup ] || error "Please install 'cryptsetup'"
64
[ -x /sbin/cryptsetup ] || error `gettext "Please install"` "'cryptsetup'"
4873
59
65
4874
60
# Ensure that we're running with root privileges
66
# Ensure that we're running with root privileges
4876
61
[ -w /etc/passwd ] || error "This program must be run with 'sudo', or as root"
67
[ -w /etc/passwd ] || error `gettext "This program must be run with 'sudo', or as root"`
4877
62
68
4878
63
# Count swap spaces available
69
# Count swap spaces available
4879
64
# BUG: We only support setting up a single swap space at this time
4880
65
if [ $(grep -c "^/" /proc/swaps) -eq 0 ]; then
70
if [ $(grep -c "^/" /proc/swaps) -eq 0 ]; then
4881
66
	mem=$(grep "^MemTotal:" /proc/meminfo | awk '{print $2}')
71
	mem=$(grep "^MemTotal:" /proc/meminfo | awk '{print $2}')
4882
67
	swapsize=$((4*$mem))
72
	swapsize=$((4*$mem))
4883
68
	info "You do not currently have any swap space defined."
73
	info "You do not currently have any swap space defined."
4884
69
	echo
74
	echo
4886
70
	echo "You can create a swap file by doing:"
75
	echo `gettext "You can create a swap file by doing:"`
4887
71
	echo " $ sudo dd if=/dev/zero of=/swapfile count=$swapsize"
76
	echo " $ sudo dd if=/dev/zero of=/swapfile count=$swapsize"
4888
72
	echo " $ sudo mkswap /swapfile"
77
	echo " $ sudo mkswap /swapfile"
4889
73
	echo " $ sudo swapon /swapfile"
78
	echo " $ sudo swapon /swapfile"
4890
74
	echo
79
	echo
4892
75
	echo "And then re-run $0"
80
	echo `gettext "And then re-run"` "$0"
4893
76
	echo
81
	echo
4894
77
	exit 0
82
	exit 0
4944
78
elif [ $(grep -c "^/" /proc/swaps) -gt 1 ]; then
83
fi
4945
79
	info "You have more than one swap space defined."
84
4946
80
	error "$0 only supports setting up a single swap space"
85
swaps=$(grep "^/" /proc/swaps | awk '{print $1}')
4947
81
else
86
4948
82
	swap=$(grep "^/" /proc/swaps | awk '{print $1}')
87
filtered_swaps=$(
4949
83
fi
88
for swap in $swaps; do
4950
84
89
	# Make sure this is swap space
4951
85
# Make sure this is swap space
90
	if [ "$(blkid -o value -s TYPE $swap)" != "swap" ]; then
4952
86
if ! vol_id "$swap" | grep -qs "ID_FS_TYPE=swap"; then
91
		warn "[$swap]" `gettext "does not appear to be swap space, skipping."`
4953
87
	error "[$swap] does not appear to be swap space"
92
		continue
4954
88
fi
93
	fi
4955
89
94
	
4956
90
# Check if this this swap space is already setup for encryption
95
	if [ "${swap#/dev/ram}" != "$swap" ]; then
4957
91
if /sbin/dmsetup table "$swap" | grep -qs " crypt " 2>/dev/null; then
96
		warn "[$swap]" `gettext "is a RAM device, skipping."`
4958
92
	info "[$swap] already appears to be encrypted."
97
		continue
4959
93
	exit 0
98
	fi
4960
94
else
99
4961
95
	# keep going
100
	# Check if this swap space is already setup for encryption
4962
96
	/bin/true
101
	if /sbin/dmsetup table "$swap" 2>/dev/null | grep -qs " crypt "; then
4963
97
fi
102
		warn "[$swap]" `gettext "already appears to be encrypted, skipping."`
4964
98
103
		continue
4965
99
base=$(basename "$swap")
104
	fi
4966
100
if grep -qs "^$base.*swap.*cipher" /etc/crypttab 2>/dev/null; then
105
4967
101
	info "[$swap] already has an entry in /etc/crypttab."
106
	base=$(basename "$swap")
4968
102
	exit 0
107
	if grep -qs "^$base.*swap.*cipher" /etc/crypttab 2>/dev/null; then
4969
103
fi
108
		warn "[$swap]" `gettext "already has an entry in /etc/crypttab, skipping."`
4970
104
if grep -qs "$swap" /etc/initramfs-tools/conf.d/cryptroot 2>/dev/null; then
109
		continue
4971
105
	info "[$swap] already has an entry in /etc/fstab."
110
	fi
4972
106
	exit 0
111
	if grep -qs "$swap" /etc/initramfs-tools/conf.d/cryptroot 2>/dev/null; then
4973
107
fi
112
		warn "[$swap]" `gettext "already has an entry in /etc/crypttab, skipping."`
4974
108
113
		continue
4975
109
# Ensure available dev mapper name 'cryptswap'
114
	fi
4976
110
if grep -qs "^cryptswap" /etc/crypttab; then
115
4977
111
	error "There appears to be a cryptswap entry in /etc/cryptab; aborting."
116
	echo $swap
4978
112
fi
117
done
4979
113
118
)
4980
114
# Ensure available fstab entry
119
swaps="$filtered_swaps"
4981
115
if grep -qs "^/dev/mapper/cryptswap" /etc/fstab; then
120
if [ -z "$swaps" ]; then
4982
116
	error "There appears to be a cryptswap entry in /etc/fstab; aborting."
121
	warn "There were no usable swap devices to be encrypted.  Exiting."
4983
117
fi
122
	exit 0
4984
118
123
fi
4936
119
# Ensure that the existing swap space exists in fstab
4937
120
if grep -qs "^$swap" /etc/fstab; then
4938
121
	sed -i "s:^$swap:\#$swap:" /etc/fstab
4939
122
	info "Commented out your unencrypted swap from /etc/fstab"
4940
123
else
4941
124
	info "Your swap space isn't currently listed in /etc/fstab"
4942
125
fi
4943
126
4985
127
##########################################################################
124
##########################################################################
4986
128
# Warn the user about breaking hibernate mode
125
# Warn the user about breaking hibernate mode
4987
129
if [ "$FORCE" != 1 ]; then
126
if [ "$FORCE" != 1 ]; then
4988
130
	echo
127
	echo
4999
131
	warning
128
	echo `gettext "WARNING:"`
5000
132
	echo "    An encrypted swap is required to help ensure that encrypted files"
129
	echo `gettext "An encrypted swap is required to help ensure that encrypted files are not leaked to disk in an unencrypted format."`
4991
133
	echo "    are not leaked to disk in an unencrypted format."
4992
134
	echo
4993
135
	echo "    HOWEVER, THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM"
4994
136
	echo "    WILL BREAK HIBERNATE/RESUME ON THIS SYSTEM!"
4995
137
	echo
4996
138
	echo "    NOTE: Your suspend/resume capabilities will not be affected."
4997
139
	echo
4998
140
	echo -n "Do you want to proceed with encrypting your swap [y/N]: "
Reviewer	Review Type	Date Requested	Status
Dustin Kirkland  (community)			Needs Information on 2012-04-26
Review via email: mp+12512@code.staging.launchpad.net