diff --git a/pam_mount-0.18-umount-home-dir.dif b/pam_mount-0.18-umount-home-dir.dif index 9e930ae..a86dfdf 100644 --- a/pam_mount-0.18-umount-home-dir.dif +++ b/pam_mount-0.18-umount-home-dir.dif @@ -23,15 +23,6 @@ Index: scripts/umount.crypt for ((x = 5; x >= 0; --x)); do fuser -m "$1" || break; -@@ -72,7 +83,7 @@ fi - - # Check for LUKS - # --if cryptsetup isLuks "$DEVICE" 2>/dev/null; then -+if cryptsetup isLuks "$REALDEVICE" 2>/dev/null; then - cryptsetup luksClose "$DMDEVICE"; - else - cryptsetup remove "$DMDEVICE"; @@ -90,3 +101,12 @@ if echo "$REALDEVICE" | grep ^/dev/loop exit 1 fi diff --git a/pam_mount-0.29.tar.bz2 b/pam_mount-0.29.tar.bz2 deleted file mode 100644 index bebe605..0000000 --- a/pam_mount-0.29.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a36f7493563cf2b4f9b801d830ae084d380af174e28efce9ee3cdda710fbe1fd -size 292007 diff --git a/pam_mount-0.32-post.dif b/pam_mount-0.32-post.dif new file mode 100644 index 0000000..e446d15 --- /dev/null +++ b/pam_mount-0.32-post.dif 
@@ -0,0 +1,290 @@ +diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/doc/pam_mount.8 new/pam_mount-0.33/doc/pam_mount.8 +--- old/pam_mount-0.32/doc/pam_mount.8 2007-09-09 14:10:23.000000000 +0200 ++++ new/pam_mount-0.33/doc/pam_mount.8 2008-02-06 00:46:20.000000000 +0100 +@@ -24,9 +24,8 @@ + in an automount/supermount config file. This is also necessary for securing + encrypted filesystems. + .PP +-pam_mount "understands" SMB, NCP, and any type of filesystem that can be +-mounted using the standard mount command. If someone has a particular need for +-a different filesystem, feel free to ask me to include it and send me patches. ++pam_mount can mount any filesystem the kernel supports, and has supports the ++userspace helpers for SMB, CIFS, NCP, davfs, FUSE, and crypto mounts. + .PP + If you intend to use pam_mount to protect volumes on your computer using an + encrypted filesystem system, please know that there are many other issues you +diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/doc/pam_mount.txt new/pam_mount-0.33/doc/pam_mount.txt +--- old/pam_mount-0.32/doc/pam_mount.txt 2007-09-09 14:10:23.000000000 +0200 ++++ new/pam_mount-0.33/doc/pam_mount.txt 2008-02-06 00:46:20.000000000 +0100 +@@ -27,26 +27,25 @@ + remote volume in /etc/fstab or in an automount/supermount config + file. This is also necessary for securing encrypted filesystems. + +- pam_mount "understands" SMB, NCP, and any type of filesystem that can +- be mounted using the standard mount command. If someone has a particu‐ +- lar need for a different filesystem, feel free to ask me to include it +- and send me patches. +- +- If you intend to use pam_mount to protect volumes on your computer +- using an encrypted filesystem system, please know that there are many +- other issues you need to consider in order to protect your data. 
For +- example, you probably want to disable or encrypt your swap partition ++ pam_mount can mount any filesystem the kernel supports, and has sup‐ ++ ports the userspace helpers for SMB, CIFS, NCP, davfs, FUSE, and crypto ++ mounts. ++ ++ If you intend to use pam_mount to protect volumes on your computer ++ using an encrypted filesystem system, please know that there are many ++ other issues you need to consider in order to protect your data. For ++ example, you probably want to disable or encrypt your swap partition + (the cryptoswap can help you do this). Do not assume a system is secure + without carefully considering potential threats. + + NASTY DETAILS +- The primary configuration file for the pam_mount module is +- pam_mount.conf.xml. On most platforms this file is read from +- /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its con‐ +- figuration file from /etc/pam_mount.conf.xml. pam_mount.conf.xml con‐ ++ The primary configuration file for the pam_mount module is ++ pam_mount.conf.xml. On most platforms this file is read from ++ /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its con‐ ++ figuration file from /etc/pam_mount.conf.xml. pam_mount.conf.xml con‐ + tains many comments documenting its use. + +- In addition, you must include two entries in the system's applicable ++ In addition, you must include two entries in the system's applicable + /etc/pam.d/SERVICE config files, as the following example shows: + + auth required pam_securetty.so +@@ -61,14 +60,14 @@ + +++ session optional pam_mount.so + + When "sufficient" is used in the second column, you must make sure that +- pam_mount is added before this entry. Otherwise pam_mount will not get +- executed should a previous PAM module succeed. Also be aware of the +- "include" statements. These make PAM look into the specified file. If ++ pam_mount is added before this entry. Otherwise pam_mount will not get ++ executed should a previous PAM module succeed. 
Also be aware of the ++ "include" statements. These make PAM look into the specified file. If + there is a "sufficient" statement, then the pam_mount entry must either + be in the included file before the "sufficient" statement or before the + "include" statement. + +- If you use pam_ldap, pam_winbind, or any other authentication services ++ If you use pam_ldap, pam_winbind, or any other authentication services + that make use of PAM's sufficient keyword then model your configuration + on the following: + +@@ -81,17 +80,17 @@ + + This allows the following: + +- 1. pam_mount will prompt for a password and export it to the PAM sys‐ ++ 1. pam_mount will prompt for a password and export it to the PAM sys‐ + tem. + +- 2. pam_ldap will use the password from the PAM system to try and ++ 2. pam_ldap will use the password from the PAM system to try and + authenticate the user. If this succedes, the user will be authenti‐ + cated. If it fails, pam_unix will try to authenticate. + +- 3. pam_unix will try to authenticate the user if pam_ldap fails. If ++ 3. pam_unix will try to authenticate the user if pam_ldap fails. If + pam_unix fails, then the authentication will be refused. + +- Alternatively, the following is possible (thanks to Andrew Morgan for ++ Alternatively, the following is possible (thanks to Andrew Morgan for + the hint!): + + auth [success=2 default=ignore] pam_unix2.so +@@ -99,20 +98,20 @@ + auth requisite pam_deny.so + auth optional pam_mount.so use_first_pass + +- It may seem odd, but the first three lines will make it so that at +- least one of pam_unix2 or pam_ldap has to succeed. As you can see, +- pam_mount will be run after successful authentification with theses ++ It may seem odd, but the first three lines will make it so that at ++ least one of pam_unix2 or pam_ldap has to succeed. As you can see, ++ pam_mount will be run after successful authentification with theses + subsystems. 
+ +- If your volume has a different password than your system account, then +- encrypt the password to the volume you wish mounted using your system +- password as the key and store it somewhere on your system's local ++ If your volume has a different password than your system account, then ++ encrypt the password to the volume you wish mounted using your system ++ password as the key and store it somewhere on your system's local + filesystem. pam_mount supports transparently decrypting this filesystem + key, as long as the cipher used is supported by openssl. Given: + + sk system key, the key or password used to log into the system + +- fsk filesystem key, the key that allows you to use the filesystem ++ fsk filesystem key, the key that allows you to use the filesystem + you wish pam_mount to mount for you + + E and D +@@ -121,48 +120,48 @@ + efsk encrypted filesystem key, efsk = E_sk (fsk), stored somewhere on + the local filesystem (ie: /home/user.key) + +- pam_mount will read efsk from the local filesystem, perform fsk = D_sk +- (efsk) and use fsk to mount the filesystem. If you change your system +- password, simply regenerate efsk using efsk = E_sk (fsk). If you want +- to mount this volume by hand, use something like openssl enc -d +- -aes-256-ecb -in /home/user.key | mount -p0 /home/user. More informa‐ ++ pam_mount will read efsk from the local filesystem, perform fsk = D_sk ++ (efsk) and use fsk to mount the filesystem. If you change your system ++ password, simply regenerate efsk using efsk = E_sk (fsk). If you want ++ to mount this volume by hand, use something like openssl enc -d ++ -aes-256-ecb -in /home/user.key | mount -p0 /home/user. More informa‐ + tion about this technique is included in pam_mount.conf.xml. + +- A script named mkehd is provided with pam_mount to help create +- encrypted home directories. 
If you have an entry for a user using +- encrypted home directories in pam_mount.conf.xml, mkehd will create ++ A script named mkehd is provided with pam_mount to help create ++ encrypted home directories. If you have an entry for a user using ++ encrypted home directories in pam_mount.conf.xml, mkehd will create + necessary filesystem images and possibly encrypted filesystem keys. + +- Individual users may define additional volumes to mount if allowed by +- pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume keyword ++ Individual users may define additional volumes to mount if allowed by ++ pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume keyword + is the only valid keyword in these per-user configuration files. If the + luserconf parameter is set in pam_mount.conf.xml, allowing user-defined +- volume, then users may mount and unmount any volume they own at any +- mount point they own. On some filesystem configurations this may be a +- security flaw so user-defined volumes are not allowed by the example ++ volume, then users may mount and unmount any volume they own at any ++ mount point they own. On some filesystem configurations this may be a ++ security flaw so user-defined volumes are not allowed by the example + pam_mount.conf.xml distributed with pam_mount. + +- In general, you will leave all the first (general) parameters as pro‐ +- vided by default. You only have to provide the user/volume list in the ++ In general, you will leave all the first (general) parameters as pro‐ ++ vided by default. You only have to provide the user/volume list in the + end of the file, following the examples. + +- To ensure that your system and, possibly, the remote server are all ++ To ensure that your system and, possibly, the remote server are all + properly configured, you should try to mount all or some of the volumes + by hand, using the same commands and mount points provided in + pam_mount.conf.xml. 
This will save you a lot of grief, since it is more + difficult to debug the mounting process via pam_mount. + +- If you can mount the volumes by hand but it is not happening via +- pam_mount, you may want to enable the "debug" option in ++ If you can mount the volumes by hand but it is not happening via ++ pam_mount, you may want to enable the "debug" option in + pam_mount.conf.xml to see what is happening. + +- Verify if the user owns the mount point and has sufficient permissions +- over that. pam_mount will verify this and will refuse to mount the ++ Verify if the user owns the mount point and has sufficient permissions ++ over that. pam_mount will verify this and will refuse to mount the + remote volume if the user does not own that directory. + +- If pam_mount is having trouble unmounting volumes upon logging out, +- enable the debug variable and check the lsof variable in +- pam_mount.conf.xml. This causes pam_mount to run lsof upon logging out ++ If pam_mount is having trouble unmounting volumes upon logging out, ++ enable the debug variable and check the lsof variable in ++ pam_mount.conf.xml. This causes pam_mount to run lsof upon logging out + and write lsof's output to the system's logs. 
+ + AUTHORS +diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/Makefile.am new/pam_mount-0.33/Makefile.am +--- old/pam_mount-0.32/Makefile.am 2007-09-26 18:36:28.000000000 +0200 ++++ new/pam_mount-0.33/Makefile.am 2008-02-06 00:46:20.000000000 +0100 +@@ -23,3 +23,6 @@ + + AUTOMAKE_OPTIONS = foreign subdir-objects + SUBDIRS = config doc scripts src ++ ++install-data-hook: ++ mkdir -p ${DESTDIR}${localstatedir}/run/pam_mount; +diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/scripts/mount.crypt new/pam_mount-0.33/scripts/mount.crypt +--- old/pam_mount-0.32/scripts/mount.crypt 2007-10-20 16:57:03.000000000 +0200 ++++ new/pam_mount-0.33/scripts/mount.crypt 2008-02-06 00:46:20.000000000 +0100 +@@ -111,7 +111,7 @@ + (keyfile) + keyfile="$VAL";; + (loop) +- if ! losetup "$DEVICE" &>/dev/null; then ++ if [ "`stat --format=\"%t\" \"$DEVICE\"`" == 7 ]; then + LOOP="true"; + fi; + ;; +diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/src/mount.c new/pam_mount-0.33/src/mount.c +--- old/pam_mount-0.32/src/mount.c 2007-12-06 23:05:08.000000000 +0100 ++++ new/pam_mount-0.33/src/mount.c 2008-02-06 02:13:15.000000000 +0100 +@@ -397,6 +397,13 @@ + } + hmc_strcat(&ret, ","); + } ++ ++ if (*ret != '\0') ++ /* ++ * When string is not empty, there is always at least one ++ * comma -- nuke it. 
*/ ++ ret[hmc_length(ret)-1] = '\0'; ++ + return ret; + } + static void log_pm_input(const struct config *const config, +diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/src/pam_mount.c new/pam_mount-0.33/src/pam_mount.c +--- old/pam_mount-0.32/src/pam_mount.c 2007-12-01 13:34:59.000000000 +0100 ++++ new/pam_mount-0.33/src/pam_mount.c 2008-02-06 00:45:50.000000000 +0100 +@@ -96,8 +96,10 @@ + Args.auth_type = SOFT_TRY_PASS; + else if (strcmp("nullok", argv[i]) == 0) + Args.nullok = true; ++ else if (strcmp("debug", argv[i]) == 0) ++ Debug = true; + else +- w4rn("bad pam_mount option\n"); ++ w4rn("bad pam_mount option \"%s\"\n", argv[i]); + } + return; + } +diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/src/rdconf1.c new/pam_mount-0.33/src/rdconf1.c +--- old/pam_mount-0.32/src/rdconf1.c 2007-12-06 23:05:08.000000000 +0100 ++++ new/pam_mount-0.33/src/rdconf1.c 2008-02-06 00:45:50.000000000 +0100 +@@ -727,9 +727,13 @@ + } + + /* realloc */ +- config->volume = xrealloc(config->volume, +- sizeof(struct vol) * (config->volcount + 1)); +- vpt = &config->volume[config->volcount++]; ++ vpt = xrealloc(config->volume, sizeof(struct vol) * ++ (config->volcount + 1)); ++ if (vpt == NULL) ++ return strerror(errno); ++ ++ config->volume = vpt; ++ vpt = &config->volume[config->volcount]; + memset(vpt, 0, sizeof(*vpt)); + + vpt->globalconf = config->level == CONTEXT_GLOBAL; +@@ -737,6 +741,8 @@ + vpt->type = CMD_LCLMOUNT; + vpt->options = HXbtree_init(HXBT_MAP | HXBT_CKEY | HXBT_CDATA | + HXBT_SCMP | HXBT_CID); ++ if (vpt->options == NULL) ++ return strerror(errno); + + /* [1] */ + strncpy(vpt->fstype, attr->fstype, sizeof(vpt->fstype)); +@@ -793,6 +799,7 @@ + + /* expandconfig() will set this later */ + vpt->used_wildcard = 0; ++ ++config->volcount; + return NULL; + + notforme: 
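Review bot: The loop-device test this patch introduces in scripts/mount.crypt, `if [ "`stat --format=\"%t\" \"$DEVICE\"`" == 7 ]; then`, runs stat without -L, so when $DEVICE is a symlink (a /dev/disk/by-* or /dev/mapper path) stat reports the link's own device numbers and a loop device behind it is never recognised; `stat -L` follows the link, and `--` plus `2>/dev/null` keep a leading-dash or missing path from being parsed as an option or producing a stray message: `if [ "$(stat -L --format=%t -- "$DEVICE" 2>/dev/null)" = 7 ]; then`. The sense of the test also looks inverted relative to the `losetup` probe it replaces (losetup failing meant $DEVICE was not a loop device, yet that set LOOP), so if LOOP still means "a loop device must be set up" this should be confirmed against the rest of mount.crypt, which is outside the quoted hunk together with the `(loop)` case arm. `%t` prints the major number in hex, which is why the bare 7 works for loop; a `# %t is hex` comment would stop someone comparing a decimal major later. Further down, in src/mount.c, `ret[hmc_length(ret)-1] = '\0';` trims the trailing comma by writing into the buffer directly; if hmc_length() returns stored length metadata rather than strlen(), the container's recorded length is now one byte stale for any later hmc_* call on `ret`, which is worth checking against libHX.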
diff --git a/pam_mount-0.32.tar.bz2 b/pam_mount-0.32.tar.bz2 new file mode 100644 index 0000000..46aa7bb --- /dev/null +++ b/pam_mount-0.32.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:780028b58dbdbe40b035863635fc3ac56f882980d1bda55a234d5c4e5ce4ad60 +size 300527 diff --git a/pam_mount.changes b/pam_mount.changes index 5c4c339..31a074a 100644 --- a/pam_mount.changes +++ b/pam_mount.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Wed Apr 2 18:02:12 CEST 2008 - mc@suse.de + +- update to version 0.32 +- notify about unknown options in /etc/pam.d/* +- support "debug" option for pam_mount in /etc/pam.d/* +- mount.crypt: detect loop devices by major number +- Fixed parsing of old-style pam_mount.conf with spaces in group names, + copy-and-paste typos and a missing return value. Added workaround for + CIFS volumes within NFS mounts with "root_squash" option. +- allow --keyfile to be used for non-LUKS too +- luksClose is the same as Remove (in umount.crypt) +- convert "local" fstype entries from old configuration format correctly. +- fixed parsing of old pam_mount.conf with spaces in group names +- fixed: When no volumes were to be mounted, return value + was not PAM_SUCCESS. + ------------------------------------------------------------------- Mon Oct 8 13:47:45 CEST 2007 - mc@suse.de diff --git a/pam_mount.spec b/pam_mount.spec index a6f7af6..fd447a2 100644 --- a/pam_mount.spec +++ b/pam_mount.spec @@ -1,7 +1,7 @@ # -# spec file for package pam_mount (Version 0.29) +# spec file for package pam_mount (Version 0.32) # -# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # 
@@ -10,17 +10,19 @@ # norootforbuild + Name: pam_mount BuildRequires: glib2-devel libHX10-devel libxml2-devel openssl-devel pam-devel perl-XML-Writer zlib-devel Summary: A PAM Module that can Mount Volumes for a User Session -Version: 0.29 +Version: 0.32 Release: 1 -Requires: lsof coreutils util-linux +Requires: lsof util-linux Recommends: cryptsetup -License: LGPL v2 or later +License: LGPL v2.1 or later Prefix: /usr Group: System/Libraries Source: %{name}-%{version}.tar.bz2 +Patch0: pam_mount-0.32-post.dif Patch1: pam_mount-0.18-umount-home-dir.dif Patch2: pam_mount-0.18-bump-max-par.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -58,6 +60,7 @@ include it and send me patches. %prep %setup -q +%patch0 -p2 %patch1 %patch2 @@ -110,8 +113,23 @@ rm -rf $RPM_BUILD_ROOT %doc %{_mandir}/man8/passwdehd.8.gz %doc %{_mandir}/man8/pmvarrun.8.gz %doc %{_mandir}/man8/umount.crypt.8.gz + %changelog -* Mon Oct 08 2007 - mc@suse.de +* Wed Apr 02 2008 mc@suse.de +- update to version 0.32 +- notify about unknown options in /etc/pam.d/* +- support "debug" option for pam_mount in /etc/pam.d/* +- mount.crypt: detect loop devices by major number +- Fixed parsing of old-style pam_mount.conf with spaces in group names, + copy-and-paste typos and a missing return value. Added workaround for + CIFS volumes within NFS mounts with "root_squash" option. +- allow --keyfile to be used for non-LUKS too +- luksClose is the same as Remove (in umount.crypt) +- convert "local" fstype entries from old configuration format correctly. +- fixed parsing of old pam_mount.conf with spaces in group names +- fixed: When no volumes were to be mounted, return value + was not PAM_SUCCESS. +* Mon Oct 08 2007 mc@suse.de - update to version 0.29 * pam_mount switched to an XML configuration. * added truecrypt support 
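Review bot: `Requires: lsof util-linux` drops coreutils from the runtime dependencies in the same update whose post.dif makes scripts/mount.crypt shell out to `stat --format=%t` (a coreutils program) to detect loop devices, so the package now carries an unstated runtime dependency. If coreutils is taken as guaranteed by the base system, a comment on that line such as `# coreutils (stat, used by mount.crypt) is implied by the base system` records the decision; otherwise restore `Requires: lsof coreutils util-linux`. The `%patch0 -p2` strip level matches the `old/pam_mount-0.32/` prefix used inside post.dif, which is presumably why it differs from the bare `%patch1`/`%patch2` calls; a short comment next to `Patch0:` saying so would save the next maintainer a check.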
@@ -122,56 +140,56 @@ rm -rf $RPM_BUILD_ROOT * Implement the "soft_try_pass" option * add "nullok" option * --keyfile option added to mount.crypt -* Fri Sep 21 2007 - mc@suse.de +* Fri Sep 21 2007 mc@suse.de - remove the loopdevice for the image too [#326802] -* Thu Sep 20 2007 - mc@suse.de +* Thu Sep 20 2007 mc@suse.de - add required dependencies [#326802] -* Wed Apr 04 2007 - crivera@suse.de +* Wed Apr 04 2007 crivera@suse.de - Don't package mount_ehd, it's only for OpenBSD. Fixes 256214. -* Thu Mar 29 2007 - mc@suse.de +* Thu Mar 29 2007 mc@suse.de - add zlib-devel to BuildRequires -* Tue Mar 13 2007 - mc@suse.de +* Tue Mar 13 2007 mc@suse.de - fix reference counting of pmvarrun app [#252243] -* Tue Jan 23 2007 - mc@suse.de +* Tue Jan 23 2007 mc@suse.de - fix umount encrypted homedirectories [#237793] -* Thu Jan 18 2007 - mc@suse.de +* Thu Jan 18 2007 mc@suse.de - disable debug - increase MAX_PAR to be able to read longer keys -* Fri Jan 12 2007 - mc@suse.de +* Fri Jan 12 2007 mc@suse.de - add patch to kill all remaining user processes before unmounting crypted partition (pam_mount-0.18-umount-home-dir.dif) -* Fri Dec 08 2006 - dgollub@suse.de +* Fri Dec 08 2006 dgollub@suse.de - use UID of specified user for owner change of mount point (pam_mount-chownuid-fix.diff) -* Tue Sep 12 2006 - mc@suse.de +* Tue Sep 12 2006 mc@suse.de - Update to 0.18 * fixes memory corruptions, zero termination, segfaults * A crash on x86_64 has been fixed. 
pam_mount now changes to the root directory before attempting to (un)mount -* Mon Jul 31 2006 - kukuk@suse.de +* Mon Jul 31 2006 kukuk@suse.de - Update to version 0.16 bugfix release -* Wed Jan 25 2006 - mls@suse.de +* Wed Jan 25 2006 mls@suse.de - converted neededforbuild to BuildRequires -* Thu Dec 22 2005 - varkoly@suse.de +* Thu Dec 22 2005 varkoly@suse.de - Update to version 0.10.0 -* Mon Dec 19 2005 - ro@suse.de +* Mon Dec 19 2005 ro@suse.de - added symlinks to package -* Mon Jul 11 2005 - schubi@suse.de +* Mon Jul 11 2005 schubi@suse.de - Update to version 0.9.25 -* Mon Apr 11 2005 - kukuk@suse.de +* Mon Apr 11 2005 kukuk@suse.de - Update to version 0.9.22 [Bug #65110] -* Thu Jan 15 2004 - kukuk@suse.de +* Fri Jan 16 2004 kukuk@suse.de - Build as user - Add pam-devel to neededforbuild -* Mon Jan 12 2004 - kukuk@suse.de +* Mon Jan 12 2004 kukuk@suse.de - Update to version 0.9.9 -* Mon Oct 27 2003 - kukuk@suse.de +* Mon Oct 27 2003 kukuk@suse.de - Update to version 0.9.6 [Bug #32216] -* Wed May 28 2003 - kukuk@suse.de +* Wed May 28 2003 kukuk@suse.de - Initial package