pool/ecryptfs-utils
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refreshed with more fixes from sebastian

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/security/ecryptfs-utils?expand=0&rev=36
This commit is contained in:
Marcus Meissner 2012-07-04 09:14:28 +00:00 committed by Git OBS Bridge
parent 0300f80457
commit a89823be48
2 changed files with 48 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
ecryptfs-utils.security.patch
View File

@ -14,19 +14,20 @@ Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
#include "../include/ecryptfs.h" #include "../include/ecryptfs.h"
#define PRIVATE_DIR "Private" #define PRIVATE_DIR "Private"
@@ -119,9 +122,9 @@ static int wrap_passphrase_if_necessary( @@ -119,9 +122,10 @@ static int wrap_passphrase_if_necessary(
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv) const char **argv)
{ {
- uid_t uid = 0; - uid_t uid = 0;
+ uid_t uid = 0, oeuid = 0; + uid_t uid = 0, oeuid = 0;
+ gid_t gid = 0, oegid = 0; + gid_t gid = 0, oegid = 0, groups[64];
+ int ngids = 0;
char *homedir = NULL; char *homedir = NULL;
- uid_t saved_uid = 0; - uid_t saved_uid = 0;
const char *username; const char *username;
char *passphrase = NULL; char *passphrase = NULL;
char salt[ECRYPTFS_SALT_SIZE]; char salt[ECRYPTFS_SALT_SIZE];
@@ -139,12 +142,24 @@ PAM_EXTERN int pam_sm_authenticate(pam_h @@ -139,12 +143,25 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
pwd = getpwnam(username); pwd = getpwnam(username);
if (pwd) { if (pwd) {
uid = pwd->pw_uid; uid = pwd->pw_uid;
@ -38,20 +39,21 @@ Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
goto out; goto out;
} }
+ +
+ if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0) { + if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0 ||
+ (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
+ syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); + syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
+ goto outnouid; + goto outnouid;
+ } + }
+ +
+ if (setfsgid(gid) != gid || setfsuid(uid) != uid) { + if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) {
+ syslog(LOG_ERR, "pam_ecryptfs: setfsuid error"); + syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
+ goto outnouid; + goto out;
+ } + }
+ +
if (!file_exists_dotecryptfs(homedir, "auto-mount")) if (!file_exists_dotecryptfs(homedir, "auto-mount"))
goto out; goto out;
private_mnt = ecryptfs_fetch_private_mnt(homedir); private_mnt = ecryptfs_fetch_private_mnt(homedir);
@@ -158,13 +173,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h @@ -158,13 +175,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
load ecryptfs module if not loaded already */ load ecryptfs module if not loaded already */
if (ecryptfs_get_version(&version) != 0) if (ecryptfs_get_version(&version) != 0)
syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n"); syslog(LOG_WARNING, "pam_ecryptfs: Can't check if kernel supports ecryptfs\n");
@ -65,72 +67,75 @@ Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
if (rc != PAM_SUCCESS) { if (rc != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n", syslog(LOG_ERR, "pam_ecryptfs: Error retrieving passphrase; rc = [%ld]\n",
rc); rc);
@@ -182,7 +194,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_h @@ -182,7 +196,12 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
} else } else
from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE); from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
if ((child_pid = fork()) == 0) { if ((child_pid = fork()) == 0) {
- setuid(uid); - setuid(uid);
+ if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0) { + /* temp regain uid 0 to drop privs */
+ syslog(LOG_ERR, "pam_ecryptfs: setting uid/gid failed"); + seteuid(oeuid);
+ rc = -errno; + /* setgroups() already called */
+ if (setgid(gid) < 0 || setuid(uid) < 0)
+ goto out_child; + goto out_child;
+ } +
if (passphrase == NULL) { if (passphrase == NULL) {
syslog(LOG_ERR, "pam_ecryptfs: NULL passphrase; aborting\n"); syslog(LOG_ERR, "pam_ecryptfs: NULL passphrase; aborting\n");
rc = -EINVAL; rc = -EINVAL;
@@ -240,6 +256,11 @@ out_child: @@ -240,6 +259,12 @@ out_child:
if (tmp_pid == -1) if (tmp_pid == -1)
syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n");
out: out:
+ +
+ setfsuid(oeuid); + seteuid(oeuid);
+ setfsgid(oegid); + setegid(oegid);
+ setgroups(ngids, groups);
+ +
+outnouid: +outnouid:
if (private_mnt != NULL) if (private_mnt != NULL)
free(private_mnt); free(private_mnt);
return PAM_SUCCESS; return PAM_SUCCESS;
@@ -338,8 +359,12 @@ static int private_dir(pam_handle_t *pam @@ -338,8 +363,12 @@ static int private_dir(pam_handle_t *pam
syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount"); syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs mount");
return 0; return 0;
} }
+ clearenv(); + clearenv();
+ if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
+ return -1;
/* run mount.ecryptfs_private as the user */ /* run mount.ecryptfs_private as the user */
- setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
+ return -1;
+ if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
+ return -1; + return -1;
execl("/sbin/mount.ecryptfs_private", execl("/sbin/mount.ecryptfs_private",
"mount.ecryptfs_private", NULL); "mount.ecryptfs_private", NULL);
} else { } else {
@@ -348,8 +373,12 @@ static int private_dir(pam_handle_t *pam @@ -348,8 +377,12 @@ static int private_dir(pam_handle_t *pam
syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount"); syslog(LOG_DEBUG, "pam_ecryptfs: Skipping automatic eCryptfs unmount");
return 0; return 0;
} }
+ clearenv(); + clearenv();
+ if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
+ return -1;
/* run umount.ecryptfs_private as the user */ /* run umount.ecryptfs_private as the user */
- setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid); - setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
+ if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0) + if (setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid) < 0)
+ return -1;
+ if (setgroups(1, &pwd->pw_gid) < 0 || setgid(pwd->pw_gid) < 0)
+ return -1; + return -1;
execl("/sbin/umount.ecryptfs_private", execl("/sbin/umount.ecryptfs_private",
"umount.ecryptfs_private", NULL); "umount.ecryptfs_private", NULL);
} }
@@ -391,9 +420,9 @@ pam_sm_close_session(pam_handle_t *pamh, @@ -391,9 +424,10 @@ pam_sm_close_session(pam_handle_t *pamh,
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
int argc, const char **argv) int argc, const char **argv)
{ {
- uid_t uid = 0; - uid_t uid = 0;
+ uid_t uid = 0, oeuid = 0; + uid_t uid = 0, oeuid = 0;
+ gid_t gid = 0, oegid = 0; + gid_t gid = 0, oegid = 0, groups[64];
+ int ngids = 0;
char *homedir = NULL; char *homedir = NULL;
- uid_t saved_uid = 0; - uid_t saved_uid = 0;
const char *username; const char *username;
char *old_passphrase = NULL; char *old_passphrase = NULL;
char *new_passphrase = NULL; char *new_passphrase = NULL;
@@ -411,6 +440,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand @@ -411,6 +445,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
pwd = getpwnam(username); pwd = getpwnam(username);
if (pwd) { if (pwd) {
uid = pwd->pw_uid; uid = pwd->pw_uid;
@ -138,21 +143,22 @@ Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
homedir = pwd->pw_dir; homedir = pwd->pw_dir;
name = pwd->pw_name; name = pwd->pw_name;
} }
@@ -418,13 +448,21 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand @@ -418,13 +453,22 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc); syslog(LOG_ERR, "pam_ecryptfs: Error getting passwd info for user [%s]; rc = [%ld]\n", username, rc);
goto out; goto out;
} }
- saved_uid = geteuid(); - saved_uid = geteuid();
- seteuid(uid); - seteuid(uid);
+ +
+ if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0) { + if ((oeuid = geteuid()) < 0 || (oegid = getegid()) < 0 ||
+ (ngids = getgroups(sizeof(groups)/sizeof(gid_t), groups)) < 0) {
+ syslog(LOG_ERR, "pam_ecryptfs: geteuid error"); + syslog(LOG_ERR, "pam_ecryptfs: geteuid error");
+ goto outnouid; + goto outnouid;
+ } + }
+ +
+ if (setfsgid(gid) != gid || setfsuid(uid) != uid) { + if (setegid(gid) < 0 || setgroups(1, &gid) < 0 || seteuid(uid) < 0) {
+ syslog(LOG_ERR, "pam_ecryptfs: setfsuid error"); + syslog(LOG_ERR, "pam_ecryptfs: seteuid error");
+ goto outnouid; + goto out;
+ } + }
+ +
if ((rc = pam_get_item(pamh, PAM_OLDAUTHTOK, if ((rc = pam_get_item(pamh, PAM_OLDAUTHTOK,
@ -163,7 +169,7 @@ Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
goto out; goto out;
} }
/* On the first pass, do nothing except check that we have a password */ /* On the first pass, do nothing except check that we have a password */
@@ -434,14 +472,12 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand @@ -434,14 +478,12 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved a NULL passphrase; nothing to do\n"); syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved a NULL passphrase; nothing to do\n");
rc = PAM_AUTHTOK_RECOVER_ERR; rc = PAM_AUTHTOK_RECOVER_ERR;
} }
@ -178,7 +184,7 @@ Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
goto out; goto out;
} }
if ((rc = asprintf(&wrapped_pw_filename, "%s/.ecryptfs/%s", homedir, if ((rc = asprintf(&wrapped_pw_filename, "%s/.ecryptfs/%s", homedir,
@@ -462,7 +498,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand @@ -462,7 +504,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
goto out; goto out;
} }
@ -186,25 +192,28 @@ Index: ecryptfs-utils-96/src/pam_ecryptfs/pam_ecryptfs.c
if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') { if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') {
syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n"); syslog(LOG_WARNING, "pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do\n");
rc = PAM_AUTHTOK_RECOVER_ERR; rc = PAM_AUTHTOK_RECOVER_ERR;
@@ -472,7 +507,10 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand @@ -472,7 +513,12 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
if ((child_pid = fork()) == 0) { if ((child_pid = fork()) == 0) {
char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1]; char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1];
- setuid(uid); - setuid(uid);
+ if (setuid(uid) < 0 || setgid(gid) < 0 || setgroups(1, &gid) < 0) { + /* temp regain uid 0 to drop privs */
+ syslog(LOG_ERR, "pam_ecryptfs: Error setting uid/gid"); + seteuid(oeuid);
+ /* setgroups() already called */
+ if (setgid(gid) < 0 || setuid(uid) < 0)
+ goto out_child; + goto out_child;
+ } +
if ((rc = ecryptfs_unwrap_passphrase(passphrase, if ((rc = ecryptfs_unwrap_passphrase(passphrase,
wrapped_pw_filename, wrapped_pw_filename,
old_passphrase, salt))) { old_passphrase, salt))) {
@@ -492,5 +530,10 @@ out_child: @@ -492,5 +538,11 @@ out_child:
syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n"); syslog(LOG_WARNING, "pam_ecryptfs: waitpid() returned with error condition\n");
free(wrapped_pw_filename); free(wrapped_pw_filename);
out: out:
+ +
+ setfsuid(oeuid); + seteuid(oeuid);
+ setfsgid(oegid); + setegid(oegid);
+ setgroups(ngids, groups);
+ +
+outnouid: +outnouid:
return rc; return rc;

1
ecryptfs-utils.spec
View File

@ -16,7 +16,6 @@
# #
Name: ecryptfs-utils Name: ecryptfs-utils
Url: https://launchpad.net/ecryptfs Url: https://launchpad.net/ecryptfs
Summary: Userspace Utilities for ecryptfs Summary: Userspace Utilities for ecryptfs