
ecryptfs team mailing list archive

[Bug 302870] Re: add support for setting up encrypted home directory on user creation

 

This bug was fixed in the package gnome-system-tools - 2.29.3-0ubuntu1

---------------
gnome-system-tools (2.29.3-0ubuntu1) lucid; urgency=low

  * New upstream release (LP: #506365)
    - Move to new System Tools Backends protocol (new liboobs API).
      We now only commit changes to one user at a time, reducing the
      risk for dangerous bugs.
    - Include default profiles configuration file (user-profiles.conf).
      Distributors should modify it to suit their needs and send them
      back for inclusion.
    - When creating a user, don't force UID, main group, home directory
      and shell: these parameters are now handled (better) by the platform
      tools (LP: #488158, LP: #313990)
    - Allow removing home directory when deleting a user (LP: #426125).
    - Don't allow deleting the last administrator account, and warn when
      the user is losing its own admin rights. Same for active users
      (LP: #25947, LP: #349453)
    - Don't allow creating a group with an existing GID (LP: #491434)
    - Use UID and GID ranges defined by liboobs, depending on the platform's
      abilities.
    - Clear suggested login entry when Real name is emptied in the new user
      dialog.
    - Change GConf "showall" option to apply only on users. System groups are
      always shown, since they are the most interesting ones.
    - Various UI and string improvements.
    - Change password for current user by running 'passwd', to avoid
      breaking keyrings and encrypted dirs
    - Ask for PolicyKit authentication when it most makes sense, i.e.
      when showing dialogs
    - Option to set encrypted home directories when creating users (on
      platforms that support it) (LP: #302870)
    - When editing one group, only commit changes to that group
    - When changing Real name, update it in the users list (LP: #498970)
    - Select current user on start, and the first one after selected user
      has been deleted
    - Don't force updating configuration twice on start
  * Also fixes LP: #344182, LP: #208057, LP: #188757, LP: #372695,
    LP: #99276, LP: #160862
  * debian/control:
    - Bump liboobs-dev build-dep to 2.29.3
  * debian/gnome-system-tools.install:
    - Don't install debian/profile
    - Install upstream user-profiles.conf instead
  * Delete debian/profiles
  * Refreshed patches:
    - 25_sambashare_group_definition.patch
    - 90_relibtoolize.patch
  * Dropped debian/patches/85_user_gnome_about_me_for_password.patch:
    - The change is obsolete in the new version
  * debian/patches/82_gst-packages-time-admin.patch:
    - Updated to remove superfluous UI file changes, causing focus issues
      in the users-admin password change dialog. Thanks to Will for
      spotting this (LP: #501976)
 -- Chris Coulson <chrisccoulson@xxxxxxxxxx>   Fri, 05 Feb 2010 15:30:10 +0000

** Changed in: gnome-system-tools (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
add support for setting up encrypted home directory on user creation
https://bugs.launchpad.net/bugs/302870
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in eCryptfs - Enterprise Cryptographic Filesystem: Fix Released
Status in “adduser” package in Ubuntu: Fix Released
Status in “ecryptfs-utils” package in Ubuntu: Fix Released
Status in “gnome-system-tools” package in Ubuntu: Fix Released
Status in “linux” package in Ubuntu: Fix Released
Status in “system-tools-backends” package in Ubuntu: Invalid
Status in “user-setup” package in Ubuntu: Fix Released

Bug description:
Binary package hint: adduser

I'm currently adding support for bootstrapping an encrypted home directory to the ecryptfs-setup-private utility in the ecryptfs-utils package.

This requires a simple patch to the adduser utility, to support an "--encrypt-home" option, which would call:
 # ecryptfs-setup-private -b -u $USER

The call to ecryptfs-setup-private uses the existing code to set up an encrypted home directory. It will generate a mount passphrase from /dev/urandom, establish the user's ecryptfs configuration files, mount the home directory, and return 0. With the home directory mounted, adduser can proceed to copy the /etc/skel files into the mounted, encrypted mountpoint. The adduser utility then needs to unmount that home directory. The "passwd" call within adduser will trigger the password-change code within pam_ecryptfs.so, which will detect the cleartext, randomly generated mount passphrase written to file, and wrap (i.e., encrypt) that file using the chosen passphrase.

This patch also adds documentation to the manpage regarding the new --encrypt-home option.

Finally, this patch modifies the control file to "Recommend" a version of ecryptfs-utils with the required new functionality.  Note that Colin said he needs to think about the appropriate level (Recommends vs. Suggests).

:-Dustin
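
The bootstrap-then-wrap lifecycle described in the bug description above, modelled in Python as an added example that is not part of the original message or of ecryptfs-utils. The PBKDF2/XOR/HMAC wrapping is a stand-in chosen to stay within the standard library, not eCryptfs's own wrapped-passphrase format, and all function names and file paths are hypothetical.

```python
import hashlib, hmac, os, secrets, tempfile

SALT_LEN, TAG_LEN, ITERATIONS = 16, 32, 100_000

def _derive(login_pass, salt, n):
    # Stand-in KDF: n bytes of one-time pad plus a 32-byte MAC key, fresh per salt.
    k = hashlib.pbkdf2_hmac("sha256", login_pass.encode(), salt, ITERATIONS, dklen=n + 32)
    return k[:n], k[n:]

def bootstrap(cleartext_path):
    """Setup step: random mount passphrase, written unwrapped, owner-only."""
    mount_pass = secrets.token_hex(16)  # OS CSPRNG (os.urandom)
    fd = os.open(cleartext_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(mount_pass)
    return mount_pass

def wrap_on_passwd(cleartext_path, wrapped_path, login_pass):
    """Password-set step: if a cleartext passphrase file is found, wrap it."""
    if not os.path.exists(cleartext_path):
        return False  # nothing pending; an ordinary password change
    with open(cleartext_path, "rb") as f:
        secret = f.read()
    salt = secrets.token_bytes(SALT_LEN)
    pad, mac_key = _derive(login_pass, salt, len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    fd = os.open(wrapped_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(salt + ct + tag)
    os.remove(cleartext_path)  # the cleartext copy must not outlive the wrap
    return True

def unwrap(wrapped_path, login_pass):
    """Login step: recover the mount passphrase, rejecting a wrong password."""
    with open(wrapped_path, "rb") as f:
        blob = f.read()
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    pad, mac_key = _derive(login_pass, salt, len(ct))
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()):
        raise ValueError("wrong login passphrase or corrupted file")
    return bytes(a ^ b for a, b in zip(ct, pad)).decode()

if __name__ == "__main__":
    d = tempfile.mkdtemp()  # constructed scratch directory, not a real home
    clear, wrapped = os.path.join(d, "mount-passphrase"), os.path.join(d, "wrapped")
    mp = bootstrap(clear)
    wrap_on_passwd(clear, wrapped, "constructed-login-pass")
    print(unwrap(wrapped, "constructed-login-pass") == mp, os.path.exists(clear))
```

The window between `bootstrap` and `wrap_on_passwd` is the period in which the mount passphrase exists unencrypted on disk, which is why the cleartext file is created owner-only and removed as soon as the wrap succeeds.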