2012-06-21 15:31:34 +00:00
|
|
|
Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
|
|
|
|
===================================================================
|
|
|
|
--- ecryptfs-utils-96.orig/src/pam_ecryptfs/pam_ecryptfs.c
|
|
|
|
+++ ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
|
2012-06-21 15:44:13 +00:00
|
|
|
@@ -37,6 +37,8 @@
|
2012-06-21 15:31:34 +00:00
|
|
|
#include <sys/wait.h>
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/stat.h>
|
|
|
|
+#include <sys/fsuid.h>
|
2012-06-21 15:44:13 +00:00
|
|
|
+#include <grp.h>
|
2012-06-21 15:31:34 +00:00
|
|
|
#include <fcntl.h>
|
|
|
|
#include <security/pam_modules.h>
|
|
|
|
#include "../include/ecryptfs.h"
|
|
|
|
@@ -119,7 +120,8 @@ static int wrap_passphrase_if_necessary(
|
2012-06-21 15:22:16 +00:00
|
|
|
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
|
|
|
|
const char **argv)
|
|
|
|
{
|
|
|
|
- uid_t uid = 0;
|
|
|
|
+ uid_t uid = 0, oeuid = 0;
|
|
|
|
+ gid_t gid = 0, oegid = 0;
|
|
|
|
char *homedir = NULL;
|
|
|
|
uid_t saved_uid = 0;
|
|
|
|
const char *username;
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -139,12 +141,24 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
|
2012-06-21 15:22:16 +00:00
|
|
|
pwd = getpwnam(username);
|
|
|
|
if (pwd) {
|
|
|
|
uid = pwd->pw_uid;
|
|
|
|
+ gid = pwd->pw_gid;
|
|
|
|
homedir = pwd->pw_dir;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
+
|
|
|
|
+ if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0) {
|
|
|
|
+ syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
|
|
|
|
+ goto outnouid;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (setfsgid(gid) != gid || setfsuid(uid) != uid) {
|
|
|
|
+ syslog(LOG_ERR, "pam_ecryptfs: setfsuid error");
|
|
|
|
+ goto outnouid;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
if (!file_exists_dotecryptfs(homedir, "auto-mount"))
|
|
|
|
goto out;
|
|
|
|
private_mnt = ecryptfs_fetch_private_mnt(homedir);
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -158,13 +172,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
|
2012-06-21 15:22:16 +00:00
|
|
|
load ecryptfs module if not loaded already */
|
|
|
|
if (ecryptfs_get_version(&version) != 0)
|
|
|
|
syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n");
|
|
|
|
- saved_uid = geteuid();
|
|
|
|
- seteuid(uid);
|
|
|
|
if(file_exists_dotecryptfs(homedir, "wrapping-independent") == 1)
|
|
|
|
rc = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &passphrase, "Encryption passphrase: ");
|
|
|
|
else
|
|
|
|
rc = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&passphrase);
|
|
|
|
- seteuid(saved_uid);
|
|
|
|
if (rc != PAM_SUCCESS) {
|
|
|
|
syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n",
|
|
|
|
rc);
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -182,7 +193,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
|
2012-06-21 15:22:16 +00:00
|
|
|
} else
|
|
|
|
from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
|
|
|
|
if ((child_pid = fork()) == 0) {
|
|
|
|
- setuid(uid);
|
|
|
|
+ if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0) {
|
|
|
|
+ syslog(LOG_ERR, "pam_ecryptfs: setting uid/gid failed");
|
|
|
|
+ rc = -errno;
|
|
|
|
+ goto out_child;
|
|
|
|
+ }
|
|
|
|
if (passphrase == NULL) {
|
|
|
|
syslog(LOG_ERR, "pam_ecryptfs: NULL passphrase; aborting\n");
|
|
|
|
rc = -EINVAL;
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -240,6 +255,11 @@ out_child:
|
2012-06-21 15:22:16 +00:00
|
|
|
if (tmp_pid == -1)
|
|
|
|
syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n");
|
|
|
|
out:
|
|
|
|
+
|
|
|
|
+ setfsuid(oeuid);
|
|
|
|
+ setfsgid(oegid);
|
|
|
|
+
|
|
|
|
+outnouid:
|
|
|
|
if (private_mnt != NULL)
|
|
|
|
free(private_mnt);
|
|
|
|
return PAM_SUCCESS;
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -338,8 +358,12 @@ static int private_dir(pam_handle_t *pam
|
2012-06-21 15:22:16 +00:00
|
|
|
syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
+ clearenv();
|
|
|
|
/* run mount.ecryptfs_private as the user */
|
|
|
|
- setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
|
|
|
|
+ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
|
|
|
|
+ return -1;
|
|
|
|
+ if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
|
|
|
|
+ return -1;
|
|
|
|
execl("/sbin/mount.ecryptfs_private",
|
|
|
|
"mount.ecryptfs_private", NULL);
|
|
|
|
} else {
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -348,8 +372,12 @@ static int private_dir(pam_handle_t *pam
|
2012-06-21 15:22:16 +00:00
|
|
|
syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
+ clearenv();
|
|
|
|
/* run umount.ecryptfs_private as the user */
|
|
|
|
- setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
|
|
|
|
+ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
|
|
|
|
+ return -1;
|
|
|
|
+ if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
|
|
|
|
+ return -1;
|
|
|
|
execl("/sbin/umount.ecryptfs_private",
|
|
|
|
"umount.ecryptfs_private", NULL);
|
|
|
|
}
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -391,7 +419,8 @@ pam_sm_close_session(pam_handle_t *pamh,
|
2012-06-21 15:22:16 +00:00
|
|
|
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
|
|
|
|
int argc, const char **argv)
|
|
|
|
{
|
|
|
|
- uid_t uid = 0;
|
|
|
|
+ uid_t uid = 0, oeuid = 0;
|
|
|
|
+ gid_t gid = 0, oegid = 0;
|
|
|
|
char *homedir = NULL;
|
|
|
|
uid_t saved_uid = 0;
|
|
|
|
const char *username;
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -411,6 +440,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
|
2012-06-21 15:22:16 +00:00
|
|
|
pwd = getpwnam(username);
|
|
|
|
if (pwd) {
|
|
|
|
uid = pwd->pw_uid;
|
|
|
|
+ gid = pwd->pw_gid;
|
|
|
|
homedir = pwd->pw_dir;
|
|
|
|
name = pwd->pw_name;
|
|
|
|
}
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -418,13 +448,21 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
|
2012-06-21 15:22:16 +00:00
|
|
|
syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
- saved_uid = geteuid();
|
|
|
|
- seteuid(uid);
|
|
|
|
+
|
|
|
|
+ if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0) {
|
|
|
|
+ syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
|
|
|
|
+ goto outnouid;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (setfsgid(gid) != gid || setfsuid(uid) != uid) {
|
|
|
|
+ syslog(LOG_ERR, "pam_ecryptfs: setfsuid error");
|
|
|
|
+ goto outnouid;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
if ((rc = pam_get_item(pamh, PAM_OLDAUTHTOK,
|
|
|
|
(const void **)&old_passphrase))
|
|
|
|
!= PAM_SUCCESS) {
|
|
|
|
syslog(LOG_ERR, "pam_ecryptfs: Error retrieving old passphrase; rc = [%d]\n", rc);
|
|
|
|
- seteuid(saved_uid);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
/* On the first pass, do nothing except check that we have a password */
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -434,14 +472,12 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
|
2012-06-21 15:22:16 +00:00
|
|
|
syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved a NULL passphrase; nothing to do\n");
|
|
|
|
rc = PAM_AUTHTOK_RECOVER_ERR;
|
|
|
|
}
|
|
|
|
- seteuid(saved_uid);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if ((rc = pam_get_item(pamh, PAM_AUTHTOK,
|
|
|
|
(const void **)&new_passphrase))
|
|
|
|
!= PAM_SUCCESS) {
|
|
|
|
syslog(LOG_ERR, "pam_ecryptfs: Error retrieving new passphrase; rc = [%d]\n", rc);
|
|
|
|
- seteuid(saved_uid);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if ((rc = asprintf(&wrapped_pw_filename, "%s/.ecryptfs/%s", homedir,
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -462,7 +498,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
|
2012-06-21 15:22:16 +00:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
- seteuid(saved_uid);
|
|
|
|
if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') {
|
|
|
|
syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n");
|
|
|
|
rc = PAM_AUTHTOK_RECOVER_ERR;
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -472,7 +507,10 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
|
2012-06-21 15:22:16 +00:00
|
|
|
if ((child_pid = fork()) == 0) {
|
|
|
|
char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1];
|
|
|
|
|
|
|
|
- setuid(uid);
|
|
|
|
+ if (setuid(uid) < 0 || setgid(gid) < 0 || setgroups(1, &gid) < 0) {
|
|
|
|
+ syslog(LOG_ERR, "pam_ecryptfs: Error setting uid/gid");
|
|
|
|
+ goto out_child;
|
|
|
|
+ }
|
|
|
|
if ((rc = ecryptfs_unwrap_passphrase(passphrase,
|
|
|
|
wrapped_pw_filename,
|
|
|
|
old_passphrase, salt))) {
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -492,5 +530,10 @@ out_child:
|
2012-06-21 15:22:16 +00:00
|
|
|
syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n");
|
|
|
|
free(wrapped_pw_filename);
|
|
|
|
out:
|
|
|
|
+
|
|
|
|
+ setfsuid(oeuid);
|
|
|
|
+ setfsgid(oegid);
|
|
|
|
+
|
|
|
|
+outnouid:
|
|
|
|
return rc;
|
|
|
|
}
|
2012-06-21 15:31:34 +00:00
|
|
|
Index: ecryptfs-utils-96/src/utils/mount.ecryptfs_private.c
|
|
|
|
===================================================================
|
|
|
|
--- ecryptfs-utils-96.orig/src/utils/mount.ecryptfs_private.c
|
|
|
|
+++ ecryptfs-utils-96/src/utils/mount.ecryptfs_private.c
|
|
|
|
@@ -535,6 +535,11 @@ int main(int argc, char *argv[]) {
|
2012-06-21 15:22:16 +00:00
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
+ if (strstr(alias, "..")) {
|
|
|
|
+ fputs("Invalid alias", stderr);
|
|
|
|
+ exit(1);
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
/* Lock the counter through the rest of the program */
|
|
|
|
fh_counter = lock_counter(pwd->pw_name, uid, alias);
|
|
|
|
if (fh_counter == NULL) {
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -627,7 +632,7 @@ int main(int argc, char *argv[]) {
|
2012-06-21 15:22:16 +00:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
/* Perform mount */
|
|
|
|
- if (mount(src, ".", FSTYPE, 0, opt) == 0) {
|
|
|
|
+ if (mount(src, ".", FSTYPE, MS_NOSUID, opt) == 0) {
|
|
|
|
if (update_mtab(src, dest, opt) != 0) {
|
|
|
|
goto fail;
|
|
|
|
}
|
2012-06-21 15:31:34 +00:00
|
|
|
@@ -676,6 +681,7 @@ int main(int argc, char *argv[]) {
|
2012-06-21 15:22:16 +00:00
|
|
|
*/
|
|
|
|
setresuid(0,0,0);
|
|
|
|
setresgid(0,0,0);
|
|
|
|
+ clearenv();
|
|
|
|
|
|
|
|
/* Since we're doing a lazy unmount anyway, just unmount the current
|
|
|
|
* directory. This avoids a lot of complexity in dealing with race
|