
ecryptfs team mailing list archive

[Bug 317895] Re: netboot newuser and ecryptfs fails to login
Hi Mackenzie, Luis,

Thanks very much for the bug report, analysis, and patch.

The encrypted home directory mount point is set to 500 to keep you from
inadvertently writing unencrypted files into the mount.  Should your
encrypted home (or private) become unmounted for whatever reason, and
some random application writes some data into your unencrypted
mountpoint, it would be written to disk in plain text, and you probably
wouldn't be able to find that file next time you log in and your encrypted
directory is mounted properly.

I need to look a little deeper, but I think this is a problem in the
net-installer code.

Other installations perform the encrypted mount *before* such
configuration files are written into the home directory (such as
/etc/skel/*).  Thus, these files get written to the disk encrypted.

I'm going to CC Colin Watson on this bug, as he can probably point us to
the correct code.

:-Dustin

-- 
netboot newuser and ecryptfs fails to login
https://bugs.launchpad.net/bugs/317895
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in eCryptfs - Enterprise Cryptographic Filesystem: New
Status in “ecryptfs-utils” source package in Ubuntu: Triaged

Bug description:
Steps to reproduce:

1. take the netboot directory from the alternate CD and setup a tftp server with it
2. boot a system over the network using the attached preseed file
3. login with that user after installation is done

At login the user cannot mount its ~/.Private directory over to ~/.

I fixed this by doing:

1. login as root
2. rm -fr ~user/.ecryptfs ~user/.Private
3. su - user
4. ecrypt-setup-private
5. changed .Private/Private.mnt to point to /home/user instead of /home/user/Private

There might not be a simple way to provide a password from a preseed file since the password is encrypted in this file.


Note:
- when using the preseed file provided, do not provide any manual input (except if something fails and you need to hit continue).
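The two points above that matter in practice are the mode-500 guard on the mount point (an unprivileged process should not be able to write plaintext into /home/user while nothing is mounted there) and the ~/.Private/Private.mnt file naming the mount target (the reporter's fix was to change it from /home/user/Private to /home/user). The following script is an added example written for this page; it is not part of the bug thread or of ecryptfs-utils. It reads a mounts table in /proc/mounts format (MOUNTS_FILE is an assumed knob so a constructed table can be used offline), checks the mount point's permission bits with GNU stat, reads the target out of a Private.mnt file, and only writes into the mount point when an ecryptfs filesystem is actually mounted there. The demo data it builds under mktemp is constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example, not code from the ecryptfs-utils project or the bug thread.
# Assumes a Linux mounts table (/proc/mounts layout) and GNU coreutils stat.

# Assumed knob: where to read the mounts table from (constructed copy in tests).
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Return 0 if $1 appears in the mounts table as the mount point of an
# ecryptfs filesystem, 1 otherwise. Fields: src mountpoint fstype opts ...
is_ecryptfs_mounted() {
    target="$1"
    while read -r _src mnt fstype _rest; do
        if [ "$mnt" = "$target" ] && [ "$fstype" = "ecryptfs" ]; then
            return 0
        fi
    done < "$MOUNTS_FILE"
    return 1
}

# Print the octal permission bits of a path, e.g. 500 (GNU stat assumed).
dir_mode() {
    stat -c '%a' "$1"
}

# Return 0 if the directory carries the r-x------ guard mode ecryptfs-utils
# sets on an encrypted home/private mount point. Note: this only stops
# unprivileged writers; root is not stopped by permission bits.
has_guard_mode() {
    [ "$(dir_mode "$1")" = "500" ]
}

# Print the mount target recorded in a Private.mnt file ($1): its first line.
private_mnt_target() {
    read -r line < "$1"
    printf '%s\n' "$line"
}

# Write $2 into file $3 under mount point $1, but only when an ecryptfs
# filesystem is live there; otherwise refuse, so no plaintext lands on disk.
safe_write() {
    mnt="$1"; content="$2"; file="$3"
    if ! is_ecryptfs_mounted "$mnt"; then
        echo "refusing: $mnt is not an ecryptfs mount" >&2
        return 1
    fi
    printf '%s\n' "$content" > "$mnt/$file"
}

# Build a constructed scenario under mktemp and print the results of each check.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/home" "$tmp/unmounted"
    chmod 500 "$tmp/home" "$tmp/unmounted"
    # Constructed mounts table: only $tmp/home has ecryptfs mounted on it.
    printf '/home/user/.Private %s ecryptfs rw,relatime 0 0\n' "$tmp/home" > "$tmp/mounts"
    printf '%s\n' "$tmp/home" > "$tmp/Private.mnt"
    MOUNTS_FILE="$tmp/mounts"

    echo "Private.mnt target: $(private_mnt_target "$tmp/Private.mnt")"
    echo "guard mode on $tmp/home: $(dir_mode "$tmp/home")"
    if safe_write "$tmp/home" "secret" "note.txt"; then
        echo "write into mounted home: ok"
    fi
    if ! safe_write "$tmp/unmounted" "secret" "note.txt"; then
        echo "write into unmounted dir: refused"
    fi
    rm -rf "$tmp"
}

if [ "${1-}" = "--demo" ]; then
    demo
fi
```

Run it with `sh script.sh --demo`. The mount-table check is the real guard here: permission bits on the mount point are a backstop against unprivileged writers, but a root process, or a user whose home was chmod'd back to 700 as in the netboot case, would still write plaintext unless something confirms the ecryptfs mount is actually in place.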