List: ecryptfs-devel
Subject: [Ecryptfs-devel] [PATCH] rework of ecryptfs home confidential
From: Dustin Kirkland <kirkland () canonical ! com>
Date: 2008-05-07 2:17:23
Message-ID: 1210126643.8868.30.camel () t61p ! dustinkirkland ! com
[PATCH] rework of ecryptfs home confidential directory setup
This patch represents a total rework of the helper script associated
with this how-to:
* http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt
CHANGES:
* src/utils/Makefile.am: Updated makefile. I'm really not sure if I did
this correctly, please review these changes closely. Please feel free
to update this accordingly upon checkin if necessary.
* src/utils/ecryptfs-mount-confidential: Small script extracted from
ecryptfs-setup-pam-wrapped.sh. This is the code that previously was
appended to the user's bash scripts. Instead, create a standalone
script, runnable by any user to do this.
* src/utils/ecryptfs-setup-confidential: This script is the rework of
ecryptfs-setup-pam-wrapped.sh. The changes include:
- header added, with description, history, and at least a Canonical
copyright; Mike can add an IBM one if necessary
- created a usage() function, parameter description updated
accordingly, exits 1
- use consistent indentation (tabs)
- removed all known bashisms, so that this operates in a
POSIX-compatible shell (e.g., dash)
- check for username in /etc/passwd
- look for mount/login password first on the command line, then as an
environment variable, and finally if both are empty, interactively
prompt
- look for /etc/pam.d/system-auth and then /etc/pam.d/common-auth;
this provides support for both RH-based and Debian-based PAM setups
- collapse the mkdir/chown operations to a single command line
- use mktemp for tempfiles
- strengthen grep regexes
- use chmod/chown --reference when overwriting config files
- rebuild the pam conf file in perhaps a more reliable manner
- add a call to the ecryptfs-mount-confidential script
to .bash_profile
- add an unmount call to .bash_logout
- backup any previous wrapped-passphrase file to a timestamped rename
* src/utils/ecryptfs-setup-pam-wrapped.sh: deleted
TODO:
* There are two BUGs noted in src/utils/ecryptfs-setup-confidential,
where passphrases will be momentarily visible in the process table to
unprivileged users. A viable workaround should be established for
these.
TESTING:
* I've tested this thoroughly under Ubuntu Hardy.
Signed-off-by: Dustin Kirkland <kirkland@canonical.com>
--
-Dustin
Dustin Kirkland
Ubuntu Server Developer
Canonical, LTD
kirkland@canonical.com
GPG: 1024D/83A61194
diff --git a/src/utils/Makefile.am b/src/utils/Makefile.am
index 624e5fb..572304f 100644
--- a/src/utils/Makefile.am
+++ b/src/utils/Makefile.am
@@ -5,7 +5,9 @@ bin_PROGRAMS=ecryptfs-manager ecryptfs-wrap-passphrase \
ecryptfs-insert-wrapped-passphrase-into-keyring \
ecryptfs-rewrap-passphrase \
ecryptfs-add-passphrase ecryptfs-zombie-kill \
- ecryptfs-zombie-list
+ ecryptfs-zombie-list \
+ ecryptfs-setup-confidential \
+ ecryptfs-mount-confidential
noinst_PROGRAMS=test
TESTS=test
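Review bot: the two new shell scripts are added to bin_PROGRAMS at the `+ ecryptfs-setup-confidential` / `+ ecryptfs-mount-confidential` lines, but automake's bin_PROGRAMS is for targets it compiles and links from a *_SOURCES list, so `make` will look for ecryptfs-setup-confidential.c (or an explicit _SOURCES variable) and fail. Scripts that are installed verbatim belong in bin_SCRIPTS (dist_bin_SCRIPTS if they should also be shipped in the tarball); suggest moving both names there and leaving bin_PROGRAMS unchanged, which also settles the "not sure if I did this correctly" question in the description.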
diff --git a/src/utils/ecryptfs-mount-confidential \
b/src/utils/ecryptfs-mount-confidential new file mode 100755
index 0000000..16f2034
--- /dev/null
+++ b/src/utils/ecryptfs-mount-confidential
@@ -0,0 +1,14 @@
+#!/bin/sh
+# This script mounts a user's ~/Confidential ecryptfs folder
+#
+# Original by Michael Halcrow, IBM
+# Extracted to a stand-alone script by Dustin Kirkland <kirkland@canonical.com>
+
+
+if [ -f $HOME/.ecryptfs/auto-mount ]; then
+ if ! mount | grep "$HOME/Confidential type ecryptfs"; then
+ mount -i $HOME/Confidential
+ fi
+fi
+
+ecryptfs-zombie-kill
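Review bot: `$HOME` is unquoted in `+if [ -f $HOME/.ecryptfs/auto-mount ]; then` and in `+ mount -i $HOME/Confidential`, so a home directory containing whitespace breaks both tests; quote them as `"$HOME/.ecryptfs/auto-mount"` and `"$HOME/Confidential"`. The `mount | grep "$HOME/Confidential type ecryptfs"` check is used only for its exit status, yet the matching mtab line is printed to the terminal on every login where the directory is already mounted; add `>/dev/null`. Since `$HOME` is also handed to grep as an unanchored regular expression, any metacharacter in the path is interpreted rather than matched literally, so `grep -qF` (POSIX, quiet, fixed-string) is the safer call for this line.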
diff --git a/src/utils/ecryptfs-setup-confidential \
b/src/utils/ecryptfs-setup-confidential new file mode 100755
index 0000000..7133509
--- /dev/null
+++ b/src/utils/ecryptfs-setup-confidential
@@ -0,0 +1,146 @@
+#!/bin/sh
+# This script sets up an ecryptfs mount in a user's ~/Confidential, configures
+# fstab, pam, and bash to attach and wrap on login.
+#
+# Originally ecryptfs-setup-pam-wrapped.sh by Michael Halcrow, IBM
+#
+# Ported for use on Ubuntu by Dustin Kirkland <kirkland@canonical.com>
+# Copyright (C) 2008 Canonical Ltd.
+
+usage() {
+ echo
+ echo "Usage:"
+ echo "# $0 USERNAME [MOUNT-PASSPHRASE] [LOGIN-PASSPHRASE]"
+ echo
+ echo " Special characters are not allowed in the USERNAME."
+ echo
+ echo " Be sure to properly escape your parameters according to your"
+ echo " shell's special character nuances, and also surround the"
+ echo " parameters by double quotes, if necessary."
+ echo
+ echo " If you want to avoid MOUNT-PASSPHRASE and/or LOGIN-PASSPHRASE"
+ echo " from being logged in your shell history, you may either:"
+ echo " 1) export the environment variables MOUNTPASS and LOGINPASS"
+ echo " 2) leave empty and you will be interactively prompted"
+ echo " BEWARE: They will, however, be displayed on STDOUT, so be"
+ echo " wary of shoulder surfers."
+ echo
+ exit 1
+}
+
+if ! whoami | grep "^root$" >/dev/null ; then
+ echo "ERROR: Please run this script as root"
+ exit 1
+fi
+
+USERNAME="$1"
+
+if [ -z "$USERNAME" ]; then
+ echo "ERROR: Must provide a username"
+ usage
+else
+ if ! grep "^$USERNAME:" /etc/passwd >/dev/null; then
+ echo "ERROR: User [$USERNAME] does not exist"
+ exit 1
+ fi
+fi
+
+if [ -z "$MOUNTPASS" ]; then
+ if [ -z "$2" ]; then
+ read -p "Enter your mount passphrase: " -r MOUNTPASS
+ if [ -z "$MOUNTPASS" ]; then
+ echo "ERROR: You must provide a mount passphrase"
+ usage
+ fi
+ else
+ MOUNTPASS="$2"
+ fi
+fi
+
+if [ -z "$LOGINPASS" ]; then
+ if [ -z "$2" ]; then
+ read -p "Enter your login passphrase: " -r LOGINPASS
+ if [ -z "$LOGINPASS" ]; then
+ echo "ERROR: You must provide the login passphrase"
+ usage
+ fi
+ else
+ LOGINPASS="$3"
+ fi
+fi
+
+if [ -f "/etc/pam.d/system-auth" ]; then
+ PAM_CONF=/etc/pam.d/system-auth
+elif [ -f "/etc/pam.d/common-auth" ]; then
+ PAM_CONF=/etc/pam.d/common-auth
+else
+ echo "ERROR: Cannot determine location of PAM system/common auth configuration"
+ exit 1
+fi
+
+echo "Using username [$USERNAME]"
+echo "Using mount passphrase [$MOUNTPASS]"
+echo "Using login passphrase [$LOGINPASS]"
+echo "Using pam configuration file [$PAM_CONF]"
+echo
+echo "This script will attempt to set up your system to mount"
+echo "/home/$USERNAME/Confidential with eCryptfs automatically on login,"
+echo "using your login passphrase."
+echo
+
+# Setup confidential directory in home
+modprobe ecryptfs
+mkdir -m 700 -p /home/$USERNAME/Confidential
+chown $USERNAME:$USERNAME /home/$USERNAME/Confidential
+
+# Prune out of fstab, and check for an active mount
+tmpfile=`mktemp`
+grep -v "\/home\/$USERNAME\/Confidential.*,ecryptfs_sig=.*" /etc/fstab > $tmpfile
+chmod --reference /etc/fstab $tmpfile
+chown --reference /etc/fstab $tmpfile
+mv -f $tmpfile /etc/fstab
+umount /home/$USERNAME/Confidential
+if mount | grep "/home/$USERNAME/Confidential type ecryptfs"; then
+ echo "ERROR: /home/$USERNAME/Confidential still mounted after umount"
+ exit 1
+fi
+
+# Setup /etc/fstab
+# BUG: passwd will be momentarily visible in "ps -ef" output
+mount -t ecryptfs /home/$USERNAME/Confidential /home/$USERNAME/Confidential -o \
key=passphrase:passwd="$MOUNTPASS",ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,no_sig_cache
+grep ecryptfs_sig /etc/mtab | sed \
's/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16,user,noauto,/' \
>> /etc/fstab +umount /home/$USERNAME/Confidential
+
+# Setup PAM
+tmpfile1=`mktemp`
+grep -v "pam_ecryptfs.so" $PAM_CONF > $tmpfile1
+tmpfile2=`mktemp`
+grep -B 100000 "auth\s.*pam_unix.so" $tmpfile1 | grep -v "auth\s.*pam_unix.so" > \
$tmpfile2 +echo "password required pam_ecryptfs.so" >> $tmpfile2
+grep "auth\s.*pam_unix.so" $PAM_CONF >> $tmpfile2
+echo "auth required pam_ecryptfs.so unwrap" >> $tmpfile2
+grep -A 100000 "auth\s.*pam_unix.so" $tmpfile1 | grep -v "auth\s.*pam_unix.so" >> \
$tmpfile2 +rm -f $tmpfile1
+chmod --reference $PAM_CONF $tmpfile2
+chown --reference $PAM_CONF $tmpfile2
+mv -f $tmpfile2 $PAM_CONF
+
+# Setup bash profile and home dir
+if ! grep "ecryptfs-mount-confidential" /home/$USERNAME/.bash_profile >/dev/null; \
then + echo "ecryptfs-mount-confidential" >> /home/$USERNAME/.bash_profile
+ chown $USERNAME:$USERNAME /home/$USERNAME/.bash_profile
+fi
+if ! grep "umount.*/home/$USERNAME/Confidential" /home/$USERNAME/.bash_logout \
>/dev/null; then + echo "umount -l /home/$USERNAME/Confidential" >> \
> /home/$USERNAME/.bash_logout
+ chown $USERNAME:$USERNAME /home/$USERNAME/.bash_logout
+fi
+mkdir -m 700 /home/$USERNAME/.ecryptfs
+chown $USERNAME:$USERNAME /home/$USERNAME/.ecryptfs
+touch /home/$USERNAME/.ecryptfs/auto-mount
+chown $USERNAME:$USERNAME /home/$USERNAME/.ecryptfs/auto-mount
+timestamp=`date +%Y%m%d%H%M%S`
+mv -f /home/$USERNAME/.ecryptfs/wrapped-passphrase \
/home/$USERNAME/.ecryptfs/wrapped-passphrase.$timestamp +# BUG: passphrases will be \
momentarily visible in "ps -ef" output +/usr/bin/ecryptfs-wrap-passphrase \
/home/$USERNAME/.ecryptfs/wrapped-passphrase "$MOUNTPASS" "$LOGINPASS" +chmod 600 \
/home/$USERNAME/.ecryptfs/wrapped-passphrase +chown $USERNAME:$USERNAME \
/home/$USERNAME/.ecryptfs/wrapped-passphrase
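Review bot: the login-passphrase block tests the wrong positional parameter: `+ if [ -z "$2" ]; then` inside `+if [ -z "$LOGINPASS" ]; then` is a copy of the mount-passphrase check and should read `"$3"`, since its else branch assigns `LOGINPASS="$3"`. As written, running the script with a mount passphrase but no login passphrase skips the prompt and leaves LOGINPASS empty, so `/usr/bin/ecryptfs-wrap-passphrase ... "$MOUNTPASS" "$LOGINPASS"` later in the hunk is invoked with an empty wrapping passphrase. Two smaller points: `+echo "Using mount passphrase [$MOUNTPASS]"` and the matching login line write both secrets to the terminal and into any captured log of the run, which exposes them more durably than the process-table window the two BUG comments already flag, and both lines could simply be dropped; and `+mv -f /home/$USERNAME/.ecryptfs/wrapped-passphrase ...` runs unconditionally, so a first-time setup prints an error for the missing file; guard it with `[ -f ... ]`. Finally, the script hard-codes /home/$USERNAME as the home directory even though it already consults /etc/passwd; taking the sixth field of the matching passwd line would make it work for users with non-default home directories.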
diff --git a/src/utils/ecryptfs-setup-pam-wrapped.sh \
b/src/utils/ecryptfs-setup-pam-wrapped.sh deleted file mode 100755
index db87c7c..0000000
--- a/src/utils/ecryptfs-setup-pam-wrapped.sh
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/bin/sh
-
-echo
-echo "You must run this script as root. Do not use sudo; either log in"
-echo "as root or use 'su -'"
-echo
-echo "This script applies to Open Client systems only with the \
IBM-security-compliance RPM installed"
-echo
-
-whoami | grep "^root$" &> /dev/null
-if test $? == 1; then
- echo "Please run this script as root"
- echo
- exit
-fi
-
-echo "USAGE:"
-echo " # ecryptfs-setup-pam-wrapped.sh [username] [mount passphrase] [wrapping \
passphrase]"
-echo
-echo "Be sure to properly escape your parameters according to your shell's special \
character nuances, and also surround the parameters by double quotes, \
if need be."
-echo
-echo "No special characters allowed in the username."
-echo
-
-if test "x$1" == "x"; then
- echo "Must provide a username"
- echo
- exit
-fi
-
-if test "x$2" == "x"; then
- echo "Must provide a mount passphrase"
- echo
- exit
-fi
-
-if test "x$3" == "x"; then
- echo "Must provide a wrapping passphrase"
- echo
- exit
-fi
-
-echo "Using username [$1]"
-echo "Using mount passphrase [$2]"
-echo "Using wrapping passphrase [$3]"
-echo
-echo "This script will attempt to set up your system to mount eCryptfs"
-echo "automatically on login, using your login passphrase."
-echo
-
-modprobe ecryptfs
-mkdir /home/$1/Confidential
-chown $1:$1 /home/$1/Confidential
-chmod 700 /home/$1/Confidential
-grep -v "ecryptfs_sig" /etc/fstab > /tmp/fstab
-mv -f /tmp/fstab /etc/fstab
-umount /home/$1/Confidential
-mount | grep "/home/$1/Confidential type ecryptfs"
-if test $? == 0; then
- echo "ERROR: /home/$1/Confidential still mounted after umount; cannot continue with \
setup"
- exit 1
-fi
-mount -t ecryptfs /home/$1/Confidential /home/$1/Confidential -o \
key=passphrase:passwd="$2",cipher=aes,ecryptfs_key_bytes=16,passthrough=n,no_sig_cache
-grep ecryptfs_sig /etc/mtab | sed \
's/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16,user,noauto,/' \
>> /etc/fstab
-umount /home/$1/Confidential
-cp -f /etc/pam.d/system-auth /etc/pam.d/.system-auth-before-pam_ecryptfs
-grep -v "pam_ecryptfs" /etc/pam.d/system-auth > /tmp/system-auth
-mv -f /tmp/system-auth /etc/pam.d/system-auth
-grep -v "auth.*pam_deny" /etc/pam.d/system-auth > /tmp/system-auth
-mv -f /tmp/system-auth /etc/pam.d/system-auth
-cat /etc/pam.d/system-auth | sed 's/auth.*pam_unix\.so\(.*\)/auth required \
pam_unix.so\1\nauth required pam_ecryptfs.so unwrap/' > \
/tmp/system-auth
-mv -f /tmp/system-auth /etc/pam.d/system-auth
-cat /etc/pam.d/system-auth | sed \
's/password\s*sufficient\s*pam_unix\.so\(.*\)/password required \
pam_ecryptfs.so\npassword sufficient pam_unix.so\1/' > \
/tmp/system-auth
-mv -f /tmp/system-auth /etc/pam.d/system-auth
-grep "Confidential type ecryptfs" /home/$1/.bash_profile
-if test $? != 0; then
- cp -f /home/$1/.bash_profile /home/$1/.bash_profile-before-pam_ecryptfs
- echo "if test -e \$HOME/.ecryptfs/auto-mount; then" >> /home/$1/.bash_profile
- echo " mount | grep \"\$HOME/Confidential type ecryptfs\"" >> \
/home/$1/.bash_profile
- echo " if test \$? != 0; then" >> /home/$1/.bash_profile
- echo " mount -i \$HOME/Confidential" >> /home/$1/.bash_profile
- echo " fi" >> /home/$1/.bash_profile
- echo "fi" >> /home/$1/.bash_profile
- echo "ecryptfs-zombie-kill" >> /home/$1/.bash_profile
-fi
-mkdir -p /home/$1/.ecryptfs
-chown $1:$1 /home/$1/.ecryptfs
-touch /home/$1/.ecryptfs/auto-mount
-chown $1:$1 /home/$1/.ecryptfs/auto-mount
-rm -f /home/$1/.ecryptfs/wrapped-passphrase
-/usr/bin/ecryptfs-wrap-passphrase /home/$1/.ecryptfs/wrapped-passphrase "$2" "$3"
-chown $1:$1 /home/$1/.ecryptfs/wrapped-passphrase
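Review bot: the deleted script saved copies before modifying files (`-cp -f /etc/pam.d/system-auth /etc/pam.d/.system-auth-before-pam_ecryptfs` and `- cp -f /home/$1/.bash_profile /home/$1/.bash_profile-before-pam_ecryptfs`), and the description lists a timestamped backup only for wrapped-passphrase; the replacement script overwrites $PAM_CONF and appends to .bash_profile/.bash_logout with no backup at all. A mistake in the rebuilt auth stack can lock every user out of the machine, so consider carrying the backup over (a timestamped copy of $PAM_CONF, in the same style as the wrapped-passphrase one) before the `mv -f $tmpfile2 $PAM_CONF` step in the new script.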