diff --git a/pam_mount-0.18-bump-max-par.diff b/pam_mount-0.18-bump-max-par.diff index acfea46..e58274c 100644 --- a/pam_mount-0.18-bump-max-par.diff +++ b/pam_mount-0.18-bump-max-par.diff @@ -1,7 +1,9 @@ ---- src/private.h -+++ src/private.h 2007/10/08 11:36:20 -@@ -3,7 +3,7 @@ - +Index: src/private.h +=================================================================== +--- src/private.h.orig ++++ src/private.h +@@ -4,7 +4,7 @@ + #include #include -#define MAX_PAR 127 diff --git a/pam_mount-0.18-umount-home-dir.dif b/pam_mount-0.18-umount-home-dir.dif index a86dfdf..bf3afa0 100644 --- a/pam_mount-0.18-umount-home-dir.dif +++ b/pam_mount-0.18-umount-home-dir.dif @@ -2,9 +2,17 @@ Index: scripts/umount.crypt =================================================================== --- scripts/umount.crypt.orig +++ scripts/umount.crypt -@@ -54,9 +54,20 @@ if [ -z "$DMDEVICE" ]; then - exit 1; - fi; +@@ -58,6 +58,7 @@ fi; + # ask cryptsetup about the underlying device + # + REALDEVICE=`cryptsetup status "$DMDEVICE" | sed -n '/device/s/[ ]*device:[ ]*//p'`; ++IMGDEVICE=`"$LOSETUP" -a | grep "$REALDEVICE" | awk -F\( '{ print $2 }' | sed 's/)//'` + + for ((x = 5; x >= 0; --x)); do + fuser -m "$1" || break; +@@ -65,6 +66,15 @@ for ((x = 5; x >= 0; --x)); do + sleep 1; + done; +# kill remaining user processes if we're unmounting a user's home dir +USER=`stat --format=%U $1 2>/dev/null` && getent passwd "$USER" | grep -e ":$1:" &> /dev/null 
@@ -15,15 +23,10 @@ Index: scripts/umount.crypt + sleep 1 +fi + -+ - # ask cryptsetup about the underlying device - # - REALDEVICE=`cryptsetup status "$DMDEVICE" | sed -n '/device/s/[ ]*device:[ ]*//p'`; -+IMGDEVICE=`"$LOSETUP" -a | grep "$REALDEVICE" | awk -F\( '{ print $2 }' | sed 's/)//'` - - for ((x = 5; x >= 0; --x)); do - fuser -m "$1" || break; -@@ -90,3 +101,12 @@ if echo "$REALDEVICE" | grep ^/dev/loop + umount "$1"; + if [ $? -ne 0 ]; then + echo "${0##*/}: error unmounting $1" >&2 +@@ -85,3 +95,12 @@ if echo "$REALDEVICE" | grep ^/dev/loop exit 1 fi fi diff --git a/pam_mount-0.32-post.dif b/pam_mount-0.32-post.dif deleted file mode 100644 index e446d15..0000000 --- a/pam_mount-0.32-post.dif +++ /dev/null 
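Review bot: The moved `IMGDEVICE=` line filters `"$LOSETUP" -a` with `grep "$REALDEVICE"`, an unanchored regular-expression match, so a device name that is a prefix of another one (a `/dev/loop1` entry also matches `/dev/loop10`) can return several lines and leave a multi-word IMGDEVICE for the loop-device handling further down (the `grep ^/dev/loop` branch in the next hunk, presumably). The `awk -F\( '{ print $2 }' | sed 's/)//'` pipeline already assumes the `losetup -a` form `DEVICE: [...] (FILE)`, so anchoring on it is enough: `IMGDEVICE=\`"$LOSETUP" -a | grep "^$REALDEVICE:" | awk -F\( '{ print $2 }' | sed 's/)//'\``. The block that kills remaining user processes continues in the patch lines between this hunk and the next, outside what is shown; its `stat --format=%U $1` leaves `$1` unquoted, and `stat --format=%U "$1"` would match the quoting the script uses for `fuser -m "$1"`.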
@@ -1,290 +0,0 @@ -diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/doc/pam_mount.8 new/pam_mount-0.33/doc/pam_mount.8 ---- old/pam_mount-0.32/doc/pam_mount.8 2007-09-09 14:10:23.000000000 +0200 -+++ new/pam_mount-0.33/doc/pam_mount.8 2008-02-06 00:46:20.000000000 +0100 -@@ -24,9 +24,8 @@ - in an automount/supermount config file. This is also necessary for securing - encrypted filesystems. - .PP --pam_mount "understands" SMB, NCP, and any type of filesystem that can be --mounted using the standard mount command. If someone has a particular need for --a different filesystem, feel free to ask me to include it and send me patches. -+pam_mount can mount any filesystem the kernel supports, and has supports the -+userspace helpers for SMB, CIFS, NCP, davfs, FUSE, and crypto mounts. - .PP - If you intend to use pam_mount to protect volumes on your computer using an - encrypted filesystem system, please know that there are many other issues you -diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/doc/pam_mount.txt new/pam_mount-0.33/doc/pam_mount.txt ---- old/pam_mount-0.32/doc/pam_mount.txt 2007-09-09 14:10:23.000000000 +0200 -+++ new/pam_mount-0.33/doc/pam_mount.txt 2008-02-06 00:46:20.000000000 +0100 -@@ -27,26 +27,25 @@ - remote volume in /etc/fstab or in an automount/supermount config - file. This is also necessary for securing encrypted filesystems. - -- pam_mount "understands" SMB, NCP, and any type of filesystem that can -- be mounted using the standard mount command. If someone has a particu‐ -- lar need for a different filesystem, feel free to ask me to include it -- and send me patches. -- -- If you intend to use pam_mount to protect volumes on your computer -- using an encrypted filesystem system, please know that there are many -- other issues you need to consider in order to protect your data. 
For -- example, you probably want to disable or encrypt your swap partition -+ pam_mount can mount any filesystem the kernel supports, and has sup‐ -+ ports the userspace helpers for SMB, CIFS, NCP, davfs, FUSE, and crypto -+ mounts. -+ -+ If you intend to use pam_mount to protect volumes on your computer -+ using an encrypted filesystem system, please know that there are many -+ other issues you need to consider in order to protect your data. For -+ example, you probably want to disable or encrypt your swap partition - (the cryptoswap can help you do this). Do not assume a system is secure - without carefully considering potential threats. - - NASTY DETAILS -- The primary configuration file for the pam_mount module is -- pam_mount.conf.xml. On most platforms this file is read from -- /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its con‐ -- figuration file from /etc/pam_mount.conf.xml. pam_mount.conf.xml con‐ -+ The primary configuration file for the pam_mount module is -+ pam_mount.conf.xml. On most platforms this file is read from -+ /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its con‐ -+ figuration file from /etc/pam_mount.conf.xml. pam_mount.conf.xml con‐ - tains many comments documenting its use. - -- In addition, you must include two entries in the system's applicable -+ In addition, you must include two entries in the system's applicable - /etc/pam.d/SERVICE config files, as the following example shows: - - auth required pam_securetty.so -@@ -61,14 +60,14 @@ - +++ session optional pam_mount.so - - When "sufficient" is used in the second column, you must make sure that -- pam_mount is added before this entry. Otherwise pam_mount will not get -- executed should a previous PAM module succeed. Also be aware of the -- "include" statements. These make PAM look into the specified file. If -+ pam_mount is added before this entry. Otherwise pam_mount will not get -+ executed should a previous PAM module succeed. 
Also be aware of the -+ "include" statements. These make PAM look into the specified file. If - there is a "sufficient" statement, then the pam_mount entry must either - be in the included file before the "sufficient" statement or before the - "include" statement. - -- If you use pam_ldap, pam_winbind, or any other authentication services -+ If you use pam_ldap, pam_winbind, or any other authentication services - that make use of PAM's sufficient keyword then model your configuration - on the following: - -@@ -81,17 +80,17 @@ - - This allows the following: - -- 1. pam_mount will prompt for a password and export it to the PAM sys‐ -+ 1. pam_mount will prompt for a password and export it to the PAM sys‐ - tem. - -- 2. pam_ldap will use the password from the PAM system to try and -+ 2. pam_ldap will use the password from the PAM system to try and - authenticate the user. If this succedes, the user will be authenti‐ - cated. If it fails, pam_unix will try to authenticate. - -- 3. pam_unix will try to authenticate the user if pam_ldap fails. If -+ 3. pam_unix will try to authenticate the user if pam_ldap fails. If - pam_unix fails, then the authentication will be refused. - -- Alternatively, the following is possible (thanks to Andrew Morgan for -+ Alternatively, the following is possible (thanks to Andrew Morgan for - the hint!): - - auth [success=2 default=ignore] pam_unix2.so -@@ -99,20 +98,20 @@ - auth requisite pam_deny.so - auth optional pam_mount.so use_first_pass - -- It may seem odd, but the first three lines will make it so that at -- least one of pam_unix2 or pam_ldap has to succeed. As you can see, -- pam_mount will be run after successful authentification with theses -+ It may seem odd, but the first three lines will make it so that at -+ least one of pam_unix2 or pam_ldap has to succeed. As you can see, -+ pam_mount will be run after successful authentification with theses - subsystems. 
- -- If your volume has a different password than your system account, then -- encrypt the password to the volume you wish mounted using your system -- password as the key and store it somewhere on your system's local -+ If your volume has a different password than your system account, then -+ encrypt the password to the volume you wish mounted using your system -+ password as the key and store it somewhere on your system's local - filesystem. pam_mount supports transparently decrypting this filesystem - key, as long as the cipher used is supported by openssl. Given: - - sk system key, the key or password used to log into the system - -- fsk filesystem key, the key that allows you to use the filesystem -+ fsk filesystem key, the key that allows you to use the filesystem - you wish pam_mount to mount for you - - E and D -@@ -121,48 +120,48 @@ - efsk encrypted filesystem key, efsk = E_sk (fsk), stored somewhere on - the local filesystem (ie: /home/user.key) - -- pam_mount will read efsk from the local filesystem, perform fsk = D_sk -- (efsk) and use fsk to mount the filesystem. If you change your system -- password, simply regenerate efsk using efsk = E_sk (fsk). If you want -- to mount this volume by hand, use something like openssl enc -d -- -aes-256-ecb -in /home/user.key | mount -p0 /home/user. More informa‐ -+ pam_mount will read efsk from the local filesystem, perform fsk = D_sk -+ (efsk) and use fsk to mount the filesystem. If you change your system -+ password, simply regenerate efsk using efsk = E_sk (fsk). If you want -+ to mount this volume by hand, use something like openssl enc -d -+ -aes-256-ecb -in /home/user.key | mount -p0 /home/user. More informa‐ - tion about this technique is included in pam_mount.conf.xml. - -- A script named mkehd is provided with pam_mount to help create -- encrypted home directories. 
If you have an entry for a user using -- encrypted home directories in pam_mount.conf.xml, mkehd will create -+ A script named mkehd is provided with pam_mount to help create -+ encrypted home directories. If you have an entry for a user using -+ encrypted home directories in pam_mount.conf.xml, mkehd will create - necessary filesystem images and possibly encrypted filesystem keys. - -- Individual users may define additional volumes to mount if allowed by -- pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume keyword -+ Individual users may define additional volumes to mount if allowed by -+ pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume keyword - is the only valid keyword in these per-user configuration files. If the - luserconf parameter is set in pam_mount.conf.xml, allowing user-defined -- volume, then users may mount and unmount any volume they own at any -- mount point they own. On some filesystem configurations this may be a -- security flaw so user-defined volumes are not allowed by the example -+ volume, then users may mount and unmount any volume they own at any -+ mount point they own. On some filesystem configurations this may be a -+ security flaw so user-defined volumes are not allowed by the example - pam_mount.conf.xml distributed with pam_mount. - -- In general, you will leave all the first (general) parameters as pro‐ -- vided by default. You only have to provide the user/volume list in the -+ In general, you will leave all the first (general) parameters as pro‐ -+ vided by default. You only have to provide the user/volume list in the - end of the file, following the examples. - -- To ensure that your system and, possibly, the remote server are all -+ To ensure that your system and, possibly, the remote server are all - properly configured, you should try to mount all or some of the volumes - by hand, using the same commands and mount points provided in - pam_mount.conf.xml. 
This will save you a lot of grief, since it is more - difficult to debug the mounting process via pam_mount. - -- If you can mount the volumes by hand but it is not happening via -- pam_mount, you may want to enable the "debug" option in -+ If you can mount the volumes by hand but it is not happening via -+ pam_mount, you may want to enable the "debug" option in - pam_mount.conf.xml to see what is happening. - -- Verify if the user owns the mount point and has sufficient permissions -- over that. pam_mount will verify this and will refuse to mount the -+ Verify if the user owns the mount point and has sufficient permissions -+ over that. pam_mount will verify this and will refuse to mount the - remote volume if the user does not own that directory. - -- If pam_mount is having trouble unmounting volumes upon logging out, -- enable the debug variable and check the lsof variable in -- pam_mount.conf.xml. This causes pam_mount to run lsof upon logging out -+ If pam_mount is having trouble unmounting volumes upon logging out, -+ enable the debug variable and check the lsof variable in -+ pam_mount.conf.xml. This causes pam_mount to run lsof upon logging out - and write lsof's output to the system's logs. 
- - AUTHORS -diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/Makefile.am new/pam_mount-0.33/Makefile.am ---- old/pam_mount-0.32/Makefile.am 2007-09-26 18:36:28.000000000 +0200 -+++ new/pam_mount-0.33/Makefile.am 2008-02-06 00:46:20.000000000 +0100 -@@ -23,3 +23,6 @@ - - AUTOMAKE_OPTIONS = foreign subdir-objects - SUBDIRS = config doc scripts src -+ -+install-data-hook: -+ mkdir -p ${DESTDIR}${localstatedir}/run/pam_mount; -diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/scripts/mount.crypt new/pam_mount-0.33/scripts/mount.crypt ---- old/pam_mount-0.32/scripts/mount.crypt 2007-10-20 16:57:03.000000000 +0200 -+++ new/pam_mount-0.33/scripts/mount.crypt 2008-02-06 00:46:20.000000000 +0100 -@@ -111,7 +111,7 @@ - (keyfile) - keyfile="$VAL";; - (loop) -- if ! losetup "$DEVICE" &>/dev/null; then -+ if [ "`stat --format=\"%t\" \"$DEVICE\"`" == 7 ]; then - LOOP="true"; - fi; - ;; -diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/src/mount.c new/pam_mount-0.33/src/mount.c ---- old/pam_mount-0.32/src/mount.c 2007-12-06 23:05:08.000000000 +0100 -+++ new/pam_mount-0.33/src/mount.c 2008-02-06 02:13:15.000000000 +0100 -@@ -397,6 +397,13 @@ - } - hmc_strcat(&ret, ","); - } -+ -+ if (*ret != '\0') -+ /* -+ * When string is not empty, there is always at least one -+ * comma -- nuke it. 
*/ -+ ret[hmc_length(ret)-1] = '\0'; -+ - return ret; - } - static void log_pm_input(const struct config *const config, -diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/src/pam_mount.c new/pam_mount-0.33/src/pam_mount.c ---- old/pam_mount-0.32/src/pam_mount.c 2007-12-01 13:34:59.000000000 +0100 -+++ new/pam_mount-0.33/src/pam_mount.c 2008-02-06 00:45:50.000000000 +0100 -@@ -96,8 +96,10 @@ - Args.auth_type = SOFT_TRY_PASS; - else if (strcmp("nullok", argv[i]) == 0) - Args.nullok = true; -+ else if (strcmp("debug", argv[i]) == 0) -+ Debug = true; - else -- w4rn("bad pam_mount option\n"); -+ w4rn("bad pam_mount option \"%s\"\n", argv[i]); - } - return; - } -diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_mount-0.32/src/rdconf1.c new/pam_mount-0.33/src/rdconf1.c ---- old/pam_mount-0.32/src/rdconf1.c 2007-12-06 23:05:08.000000000 +0100 -+++ new/pam_mount-0.33/src/rdconf1.c 2008-02-06 00:45:50.000000000 +0100 -@@ -727,9 +727,13 @@ - } - - /* realloc */ -- config->volume = xrealloc(config->volume, -- sizeof(struct vol) * (config->volcount + 1)); -- vpt = &config->volume[config->volcount++]; -+ vpt = xrealloc(config->volume, sizeof(struct vol) * -+ (config->volcount + 1)); -+ if (vpt == NULL) -+ return strerror(errno); -+ -+ config->volume = vpt; -+ vpt = &config->volume[config->volcount]; - memset(vpt, 0, sizeof(*vpt)); - - vpt->globalconf = config->level == CONTEXT_GLOBAL; -@@ -737,6 +741,8 @@ - vpt->type = CMD_LCLMOUNT; - vpt->options = HXbtree_init(HXBT_MAP | HXBT_CKEY | HXBT_CDATA | - HXBT_SCMP | HXBT_CID); -+ if (vpt->options == NULL) -+ return strerror(errno); - - /* [1] */ - strncpy(vpt->fstype, attr->fstype, sizeof(vpt->fstype)); -@@ -793,6 +799,7 @@ - - /* expandconfig() will set this later */ - vpt->used_wildcard = 0; -+ ++config->volcount; - return NULL; - - notforme: 
diff --git a/pam_mount-0.32.tar.bz2 b/pam_mount-0.32.tar.bz2
deleted file mode 100644
index 46aa7bb..0000000
--- a/pam_mount-0.32.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:780028b58dbdbe40b035863635fc3ac56f882980d1bda55a234d5c4e5ce4ad60
-size 300527
diff --git a/pam_mount-0.35.tar.bz2 b/pam_mount-0.35.tar.bz2
new file mode 100644
index 0000000..b4fe580
--- /dev/null
+++ b/pam_mount-0.35.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:636d9a8f7a280882a3c4a409478a4c92dce1bdd7ea4faa0c2fb3f736dd22eeae
+size 305939
diff --git a/pam_mount.changes b/pam_mount.changes
index 31a074a..5a1eb37 100644
--- a/pam_mount.changes
+++ b/pam_mount.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Apr 7 11:41:25 CEST 2008 - mc@suse.de
+
+- update to version 0.35
+ - mount.crypt: fix loop device detection
+ - mount.crypt: wait for dm devices to show up
+ - fixed: mount flag and value were one argument
+ - pmvarrun: support unprivileged mode
+ - Support for SSH keyboard-interactive authenticated volumes
+ - documentation updates
+
 -------------------------------------------------------------------
 Wed Apr 2 18:02:12 CEST 2008 - mc@suse.de
diff --git a/pam_mount.spec b/pam_mount.spec
index fd447a2..1405a5b 100644
--- a/pam_mount.spec
+++ b/pam_mount.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package pam_mount (Version 0.32)
+# spec file for package pam_mount (Version 0.35)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
@@ -12,17 +12,19 @@ Name: pam_mount
-BuildRequires: glib2-devel libHX10-devel libxml2-devel openssl-devel pam-devel perl-XML-Writer zlib-devel
+BuildRequires: libHX10-devel libxml2-devel openssl-devel pam-devel perl-XML-Writer pkg-config
+BuildRequires: linux-kernel-headers
 Summary: A PAM Module that can Mount Volumes for a User Session
-Version: 0.32
+Version: 0.35
 Release: 1
-Requires: lsof util-linux
+# psmisc: /bin/fuser
+Recommends: cifs-mount psmisc
 Recommends: cryptsetup
+Requires: lsof util-linux
 License: LGPL v2.1 or later
 Prefix: /usr
 Group: System/Libraries
 Source: %{name}-%{version}.tar.bz2
-Patch0: pam_mount-0.32-post.dif
 Patch1: pam_mount-0.18-umount-home-dir.dif
 Patch2: pam_mount-0.18-bump-max-par.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -60,7 +62,6 @@ include it and send me patches.
 %prep
 %setup -q
-%patch0 -p2
 %patch1
 %patch2
@@ -102,6 +103,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_prefix}/bin/mkehd
 %{_prefix}/bin/autoehd
 %{_prefix}/bin/passwdehd
+%{_prefix}/bin/pmt-fd0ssh
 /sbin/mount.crypt
 /sbin/umount.crypt
 %{_sbindir}/pmvarrun
@@ -115,6 +117,14 @@ rm -rf $RPM_BUILD_ROOT
 %doc %{_mandir}/man8/umount.crypt.8.gz
 %changelog
+* Mon Apr 07 2008 mc@suse.de
+- update to version 0.35
+ - mount.crypt: fix loop device detection
+ - mount.crypt: wait for dm devices to show up
+ - fixed: mount flag and value were one argument
+ - pmvarrun: support unprivileged mode
+ - Support for SSH keyboard-interactive authenticated volumes
+ - documentation updates
 * Wed Apr 02 2008 mc@suse.de
 - update to version 0.32
 - notify about unknown options in /etc/pam.d/*
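Review bot: `psmisc` is added only as `Recommends:` although the new comment above it says it supplies `/bin/fuser`, and the patched `scripts/umount.crypt` carried by this same commit runs `fuser -m "$1" || break` in its retry loop; on a system installed without psmisc the command-not-found status takes the `|| break` path on the first iteration, so the wait for a busy mount point silently does nothing before the unmount and the process cleanup that follow it. If that loop is meant to be reliable, make it a hard dependency, `Requires: lsof util-linux psmisc`; if the soft dependency is intentional, say so where the next packager will look, e.g. `# psmisc: /bin/fuser (umount.crypt skips its busy-wait loop when absent)`. Dropping `Patch0:` together with `%patch0 -p2` in the second hunk is consistent with the deleted pam_mount-0.32-post.dif, and `Patch1`/`Patch2` still match the rebased patch files above.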