[PATCH 1/2] pam_ecryptfs: Respect ~/.ecryptfs/wrapping-independent
Quoting man ecryptfs-mount-private:
> ~/.ecryptfs/wrapping-independent - this file exists if the
> wrapping passphrase is independent from login passphrase
This patch makes pam_ecryptfs check if this file exists and ask the
user for the wrapping passphrase if it does.
Note that ecryptfs_pam_wrapping_independent_set() is a copy of
ecryptfs_pam_automount_set(); this will be cleaned up in a later patch.
---
src/pam_ecryptfs/pam_ecryptfs.c | 24 +++++++++++++++++++++++-
1 files changed, 23 insertions(+), 1 deletions(-)
diff --git a/src/pam_ecryptfs/pam_ecryptfs.c b/src/pam_ecryptfs/pam_ecryptfs.c
index 2209ac8..2a821e8 100644
--- a/src/pam_ecryptfs/pam_ecryptfs.c
+++ b/src/pam_ecryptfs/pam_ecryptfs.c
@@ -87,6 +87,25 @@ out:
return rc;
}
+/* returns: 0 for independent wrapping passphrase not set, 1 for set, <0 for error */
+static int ecryptfs_pam_wrapping_independent_set(const char *homedir)
+{
+ char *file_path;
+ int rc = 0;
+ struct stat s;
+ if (asprintf(&file_path, "%s/.ecryptfs/wrapping-independent", homedir) == -1)
+ return -ENOMEM;
+ if (stat(file_path, &s) != 0) {
+ if (errno != ENOENT)
+ rc = -errno;
+ goto out;
+ }
+ rc = 1;
+out:
+ free(file_path);
+ return rc;
+}
+
static int wrap_passphrase_if_necessary(char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt)
{
char *unwrapped_pw_filename = NULL;
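Review bot: The contract of the new ecryptfs_pam_wrapping_independent_set() depends on the caller's credentials, and the header comment should say so: stat() on a path under homedir is only safe when the effective uid is the user's, which the second hunk arranges with seteuid(uid) before the call, and a future caller that still runs as root would be resolving a path inside a user-writable directory with root's privileges. Suggest extending the comment to `/* returns: 0 for independent wrapping passphrase not set, 1 for set, <0 for error. Must be called with euid == the user's uid: the path lies under a user-controlled directory. */`. The error mapping itself looks consistent (asprintf failure → -ENOMEM, other stat() failures → -errno, ENOENT → 0), and file_path is freed on every path that allocated it.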
@@ -165,7 +184,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
saved_uid = geteuid();
seteuid(uid);
- rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
+ if(ecryptfs_pam_wrapping_independent_set(homedir) == 1)
+ rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: ");
+ else
+ rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
seteuid(saved_uid);
if (rc != PAM_SUCCESS) {
syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
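Review bot: A negative return from ecryptfs_pam_wrapping_independent_set() (any stat() failure other than ENOENT, or an allocation failure) is silently treated as "not set" by the new `if(... == 1)`, so the module falls back to the login password with no diagnostic, which makes a misconfigured or unreadable ~/.ecryptfs hard to notice; suggest capturing the result and logging it before the branch, `int wi = ecryptfs_pam_wrapping_independent_set(homedir); if (wi < 0) syslog(LOG_WARNING, "Can't check wrapping-independent; rc = [%d]\n", wi);` and then branching on `wi == 1`. The two branches also leave passphrase with different ownership: pam_get_item() returns PAM-owned storage, while the response buffer from pam_prompt() is allocated for the caller, so the pam_prompt path needs to free that buffer (ideally after clearing it, since it holds the passphrase) once it is no longer needed — the later use of passphrase is outside this hunk, so I cannot tell whether that already happens. pam_prompt() is presumably declared via the Linux-PAM extension header; the include list is not in the diff, so verify it is present. pam_sm_authenticate() starts and ends outside the hunk.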
--
1.7.0.4