ecryptfs-devel team mailing list archive
Message #00132
Re: [PATCH 1/2] pam_ecryptfs: Respect ~/.ecryptfs/wrapping-independent
On Sun, Nov 7, 2010 at 4:28 PM, Jakob Unterwurzacher <jakobunt@xxxxxxxxx> wrote:
> Quoting man ecryptfs-mount-private:
>> ~/.ecryptfs/wrapping-independent - this file exists if the
>> wrapping passphrase is independent from login passphrase
>
> This patch makes pam_ecryptfs check if this file exists and ask the
> user for the wrapping passphrase if it does.
>
> Note that ecryptfs_pam_wrapping_independent_set() is a copy of
> ecryptfs_pam_automount_set(), this will be cleaned up in a later patch.
> ---
> src/pam_ecryptfs/pam_ecryptfs.c | 24 +++++++++++++++++++++++-
> 1 files changed, 23 insertions(+), 1 deletions(-)
>
> diff --git a/src/pam_ecryptfs/pam_ecryptfs.c b/src/pam_ecryptfs/pam_ecryptfs.c
> index 2209ac8..2a821e8 100644
> --- a/src/pam_ecryptfs/pam_ecryptfs.c
> +++ b/src/pam_ecryptfs/pam_ecryptfs.c
> @@ -87,6 +87,25 @@ out:
> return rc;
> }
>
> +/* returns: 0 for independent wrapping passphrase not set, 1 for set, <0 for error */
> +static int ecryptfs_pam_wrapping_independent_set(const char *homedir)
> +{
> + char *file_path;
> + int rc = 0;
> + struct stat s;
> + if (asprintf(&file_path, "%s/.ecryptfs/wrapping-independent", homedir) == -1)
> + return -ENOMEM;
> + if (stat(file_path, &s) != 0) {
> + if (errno != ENOENT)
> + rc = -errno;
> + goto out;
> + }
> + rc = 1;
> +out:
> + free(file_path);
> + return rc;
> +}
> +
> static int wrap_passphrase_if_necessary(char *username, uid_t uid, char *wrapped_pw_filename, char *passphrase, char *salt)
> {
> char *unwrapped_pw_filename = NULL;
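Review bot: ecryptfs_pam_wrapping_independent_set() duplicates ecryptfs_pam_automount_set() line for line apart from the marker file name, as the commit message itself says; rather than carrying two copies of the same stat()-based check until a later cleanup, factor the shared body into one static helper that takes the marker name (for example `static int ecryptfs_pam_marker_set(const char *homedir, const char *name)`) and have both functions call it, so that a fix to one (say the errno handling after stat()) cannot drift from the other. The logic of the new function is otherwise sound: an asprintf() failure returns -ENOMEM without touching file_path, stat() failures other than ENOENT are surfaced as -errno, and the only path returning 1 is a successful stat(), which the caller evaluates between seteuid(uid) and seteuid(saved_uid), i.e. with the user's own privileges on the user's own home directory.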
> @@ -165,7 +184,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
> syslog(LOG_WARNING, "Can't check if kernel supports ecryptfs\n");
> saved_uid = geteuid();
> seteuid(uid);
> - rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
> + if(ecryptfs_pam_wrapping_independent_set(homedir) == 1)
> + rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: ");
> + else
> + rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
> seteuid(saved_uid);
> if (rc != PAM_SUCCESS) {
> syslog(LOG_ERR, "Error retrieving passphrase; rc = [%ld]\n",
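Review bot: a negative return from ecryptfs_pam_wrapping_independent_set() (ENOMEM, or a stat() failure other than ENOENT such as EACCES on ~/.ecryptfs) is silently treated as "not set" by `if(ecryptfs_pam_wrapping_independent_set(homedir) == 1)`, so the module falls back to the login passphrase from PAM_AUTHTOK and the later unwrap fails with no hint as to why; store the result in a local and, when it is below zero, log it with syslog(LOG_WARNING, ...) in the style of the surrounding messages before falling back. Two smaller points: the two branches leave `passphrase` with different ownership, since pam_get_item() returns a pointer owned by libpam that must not be freed while pam_prompt() hands back a freshly allocated response the module owns, so whatever follows should free (and, since it holds the passphrase, zero first) the pam_prompt() buffer on that branch only; and `if(` should be `if (` to match the `if (rc != PAM_SUCCESS)` immediately below.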
> --
> 1.7.0.4
Thanks for the patch, and sorry for the delay. Your mails got caught
up in a mail filter.
Committed revision 524. Will be in -86 release.
:-Dustin