
ecryptfs team mailing list archive

[Bug 400484] Re: unable to show the contents of my kernel keyring

 

This bug was fixed in the package ecryptfs-utils - 76-0ubuntu1

---------------
ecryptfs-utils (76-0ubuntu1) karmic; urgency=low

  [ Dustin Kirkland ]
  * src/utils/ecryptfs-setup-swap: switch from vol_id to blkid,
    LP: #376486
  * debian/ecryptfs-utils.postinst, src/utils/ecryptfs-setup-private:
    don't echo mount passphrase if running in bootstrap mode; prune
    potential leakages from install log, LP: #383650
  * SECURITY UPDATE: mount passphrase recorded in install log (LP: #383650).
    - debian/ecryptfs-utils.postinst: prune private information from
      installer log
    - src/utils/ecryptfs-setup-private: don't echo passphrase if running in
      bootstrap mode
    - CVE-2009-1296
  * src/utils/ecryptfs-setup-private: make some of the language more readable,
    (thanks, anrxc)
  * README, configure.ac, debian/control, debian/rules,
    doc/sourceforge_webpage/README, src/libecryptfs-swig/libecryptfs.py,
    src/libecryptfs-swig/libecryptfs_wrap.c,
    src/libecryptfs/key_management.c, src/libecryptfs/libecryptfs.pc.in,
    src/libecryptfs/main.c, src/pam_ecryptfs/Makefile.am,
    src/utils/manager.c, src/utils/mount.ecryptfs.c: move build from gcrypt
    to nss (this change has been pending for some time)
  * src/utils/ecryptfs-dot-private: dropped, was too hacky
  * ecryptfs-mount-private.1, ecryptfs-setup-private.1: align the
    documentation and implementation of the wrapping-independent feature,
    LP: #383746
  * src/utils/ecryptfs-umount-private: use keyctl list @u, since keyctl show
    stopped working, LP: #400484, #395082
  * src/utils/mount.ecryptfs_private.c: fix counter file locking; solves
    a longstanding bug about "random" umount caused by cronjobs, LP: #358573

  [ Michal Hlavinka (edits by Dustin Kirkland) ]
  * doc/manpage/ecryptfs-mount-private.1,
    doc/manpage/ecryptfs-rewrite-file.1,
    doc/manpage/ecryptfs-setup-private.1, doc/manpage/ecryptfs.7,
    doc/manpage/mount.ecryptfs_private.1,
    doc/manpage/umount.ecryptfs_private.1: documentation updated to note
    possible ecryptfs group membership requirements; Fix ecryptfs.7 man
    page and key_mod_openssl's error message; fix typo
  * src/libecryptfs/decision_graph.c: put a finite limit (5 tries) on
    interactive input; fix memory leaks when asking questions
  * src/libecryptfs/module_mgr.c: Don't error out with EINVAL when
    verbosity=0 and some options are missing.
  * src/utils/umount.ecryptfs.c: no error for missing key when removing it
  * src/libecryptfs-swig/libecryptfs.i: fix compile werror, cast char*
  * src/utils/ecryptfs_add_passphrase.c: fix/test/use return codes;
    return nonzero for --fnek when not supported but used
  * src/include/ecryptfs.h, src/key_mod/ecryptfs_key_mod_openssl.c,
    src/libecryptfs/module_mgr.c: refuse mounting with too small rsa
    key (key_mod_openssl)
  * src/utils/ecryptfs_insert_wrapped_passphrase_into_keyring.c: fix return
    codes
  * src/utils/ecryptfs-rewrite-file: polish output
  * src/libecryptfs/key_management.c: inform about full keyring; insert fnek
    sig into keyring if fnek support check fails; don't fail if key already
    exists in keyring
  * src/utils/ecryptfs-setup-private: if the ecryptfs group exists, restrict
    ecryptfs-setup-private to members of this group
  * src/pam_ecryptfs/pam_ecryptfs.c: dynamically load ecryptfs module by
    checking ecryptfs version
  * src/libecryptfs/decision_graph.c, src/utils/io.c,
    src/utils/mount.ecryptfs.c: fix EOF handling, LP: #371587
  * src/desktop/Makefile.am: make desktop files trusted, LP: #371426

  [ Dustin Kirkland and Daniel Baumann ]
  * debian/control, debian/copyright, debian/ecryptfs-utils.dirs,
    debian/ecryptfs-utils.install, debian/ecryptfs-utils.postinst,
    debian/rules, ecryptfs-utils.pam-auth-update: sync Ubuntu's
    packaging with Debian; drop dpatch, drop libssl build dep, clean
    up extraneous debhelper bits, match cflags; remaining diff is only
    ecryptfs-utils.prerm

  [ Arfrever Frehtes Taifersar Arahesis ]
  * key_mod/ecryptfs_key_mod_gpg.c,
    key_mod/ecryptfs_key_mod_pkcs11_helper.c,
    libecryptfs/key_management.c, utils/ecryptfs_unwrap_passphrase.c:
    Fix warnings, initialize a few variables, drop unused ones

  [ David Hicks ]
  * src/lib/key_management.c: fix stray semicolon that prevents .ecryptfsrc
    files from working properly, LP: #372709

  [ Michael Rooney ]
  * src/python/ecryptfsapi.py: added python api

 -- Dustin Kirkland <kirkland@xxxxxxxxxx>  Fri, 17 Jul 2009 18:33:44 -0500

** Changed in: ecryptfs-utils (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1296

-- 
unable to show the contents of my kernel keyring
https://bugs.launchpad.net/bugs/400484
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in “ecryptfs-utils” package in Ubuntu: Fix Released
Status in “keyutils” package in Ubuntu: New
Status in “linux” package in Ubuntu: Confirmed

Bug description:
Running the command:
 $ keyctl show

I should see something like the following:
kirkland@t61p:~$ keyctl show
Session Keyring
       -3 --alswrv   1000    -1  keyring: _uid_ses.1000
698440950 --alswrv   1000    -1   \_ keyring: _uid.1000
575594151 --alswrv   1000     0       \_ user: 67354f2e3a6c1216
940463712 --alswrv   1000     0       \_ user: 1cb12fd405033223

And this is true, if I run the Jaunty 2.6.28 kernel on Karmic.

However, this is completely broken with the 2.6.31 Karmic kernel.

kirkland@x200:~$ keyctl show
Session Keyring
       -3 --alswrv   1000  1000  keyring: _ses


Major regression.  Hoses ecryptfs, which relies on keyutils.

:-Dustin

ProblemType: Bug
Architecture: amd64
Date: Thu Jul 16 21:32:48 2009
DistroRelease: Ubuntu 9.10
MachineType: LENOVO 7454CTO
Package: linux-image-2.6.31-3-generic 2.6.31-3.19
ProcCmdLine: root=UUID=d45ce184-de1d-48ac-a143-44ab4432a207 ro quiet splash
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-3.19-generic
RelatedPackageVersions: linux-backports-modules-2.6.31-3-generic N/A
SourcePackage: linux
Uname: Linux 2.6.31-3-generic x86_64
dmi.bios.date: 04/22/2009
dmi.bios.vendor: LENOVO
dmi.bios.version: 6DET44WW (2.08 )
dmi.board.name: 7454CTO
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr6DET44WW(2.08):bd04/22/2009:svnLENOVO:pn7454CTO:pvrThinkPadX200:rvnLENOVO:rn7454CTO:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 7454CTO
dmi.product.version: ThinkPad X200
dmi.sys.vendor: LENOVO