« back to all changes in this revision
Viewing changes to src/utils/ecryptfs-setup-private
- browse files at revision 467
- compare with another revision
- download diff
- download tarball
- view history from revision 467
- Committer: Dustin Kirkland
- Date: 2009-11-02 23:00:09 UTC
- Revision ID: kirkland@canonical.com-20091102230009-v4vyk793sqop6lzy
which was broken by the gettext integration, LP: #471725;
in doing so, use $() in place of ``, use '' for gettext arguments,
and wrap gettext in "", like this: foo="$(gettext 'blah blah')"
in doing so, use $() in place of ``, use '' for gettext arguments,
and wrap gettext in "", like this: foo="$(gettext 'blah blah')"
- files modified:
- debian/changelog
added
removed
src/utils/ecryptfs-setup-private
11
11
ECRYPTFS_DIR="/home/.ecryptfs"
12
12
PW_ATTEMPTS=3
13
13
TEXTDOMAIN="ecryptfs-utils"
14
MESSAGE=`gettext "Enter your login passphrase"`
14
MESSAGE="$(gettext 'Enter your login passphrase')"
15
15
CIPHER="aes"
16
16
KEYBYTES="16"
17
17
FNEK=
81
81
}
82
82
83
83
error() {
84
echo `gettext "ERROR:"` "$@" 1>&2
84
echo "$(gettext 'ERROR: ')" "$@" 1>&2
85
85
exit 1
86
86
}
87
87
102
102
103
103
filename_encryption_available() {
104
104
version=$(cat /sys/fs/ecryptfs/version 2>/dev/null)
105
[ -z "$version" ] && error `gettext "Can't get ecryptfs version, ecryptfs kernel module not loaded?"`
105
[ -z "$version" ] && error "$(gettext 'Cannot get ecryptfs version, ecryptfs kernel module not loaded?')"
106
106
[ $(($version & 0x100)) -eq 0 ] && return 1
107
107
return 0
108
108
}
129
129
;;
130
130
-w|--wrapping)
131
131
WRAPPING_PASS="INDEPENDENT"
132
MESSAGE=`gettext "Enter your wrapping passphrase"`
132
MESSAGE="$(gettext 'Enter your wrapping passphrase')"
133
133
shift 1
134
134
;;
135
135
-f|--force)
153
153
exit 0
154
154
;;
155
155
-b|--bootstrap)
156
[ `whoami` = "root" ] || error `gettext "You must be root to bootstrap encrypt a home directory"`
156
[ `whoami` = "root" ] || error "$(gettext 'You must be root to bootstrap encrypt a home directory')"
157
157
BOOTSTRAP=1
158
158
MOUNTPASS=`random_passphrase $KEYBYTES`
159
159
RANDOM_MOUNTPASS=1
172
172
# Prompt for the USER name, if not on the command line and not in the env
173
173
if [ -z "$USER" ]; then
174
174
while [ true ]; do
175
echo -n gettext `"Enter the username: "`
175
echo -n "$(gettext 'Enter the username: ')"
176
176
USER=`head -n1`
177
177
echo
178
178
if [ -z "$USER" ]; then
179
echo `gettext "ERROR: "` `gettext "You must provide a username"`
179
echo "$(gettext 'ERROR: ')" "$(gettext 'You must provide a username')"
180
180
continue
181
181
else
182
182
# Verify that the user exists
183
183
if ! id "$USER" >/dev/null; then
184
echo `gettext "ERROR: "` `gettext "User does not exist"` " [$USER]"
184
echo "$(gettext 'ERROR: ')" "$(gettext 'User does not exist')" " [$USER]"
185
185
continue
186
186
fi
187
187
break
189
189
done
190
190
else
191
191
# Verify that the user exists
192
id "$USER" >/dev/null || error `gettext "User does not exist"` "[$USER]"
192
id "$USER" >/dev/null || error "$(gettext 'User does not exist')" "[$USER]"
193
193
fi
194
194
195
195
# Obtain USER's primary group
198
198
# Check if the ecryptfs group exists, and user is member of ecryptfs group
199
199
if grep -qs "^ecryptfs:" /etc/group; then
200
200
if ! id "$USER" | grep -qs "\(ecryptfs\)"; then
201
error `gettext "User needs to be a member of ecryptfs group"`
201
error "$(gettext 'User needs to be a member of ecryptfs group')"
202
202
fi
203
203
fi
204
204
205
205
# Obtain the user's home directory
206
206
HOME=`getent passwd "$USER" | awk -F: '{print $6}'`
207
207
if [ ! -d "$HOME" ]; then
208
error `gettext "User home directory does not exist"` "[$HOME]"
208
error "$(gettext 'User home directory does not exist')" "[$HOME]"
209
209
fi
210
210
211
211
if [ "$BOOTSTRAP" = "1" ]; then
224
224
225
225
# Check for previously setup private directory
226
226
if [ -s "$HOME/.ecryptfs/wrapped-passphrase" -a "$FORCE" != "1" ]; then
227
error `gettext "wrapped-passphrase file already exists, use --force to overwrite."`
227
error "$(gettext 'wrapped-passphrase file already exists, use --force to overwrite.')"
228
228
fi
229
229
if [ -s "$HOME/.ecryptfs/$PRIVATE_DIR.sig" -a "$FORCE" != "1" ]; then
230
error "$PRIVATE_DIR.sig" `gettext "file already exists, use --force to overwrite."`
230
error "$PRIVATE_DIR.sig" "$(gettext 'file already exists, use --force to overwrite.')"
231
231
fi
232
232
233
233
# Check for active mounts
234
grep -qs "$MOUNTPOINT " /proc/mounts && error "[$MOUNTPOINT]" `gettext "is already mounted"`
235
grep -qs "$CRYPTDIR " /proc/mounts && error "[$CRYPTDIR]" `gettext "is already mounted"`
234
grep -qs "$MOUNTPOINT " /proc/mounts && error "[$MOUNTPOINT]" "$(gettext 'is already mounted')"
235
grep -qs "$CRYPTDIR " /proc/mounts && error "[$CRYPTDIR]" "$(gettext 'is already mounted')"
236
236
237
237
# Check that the mount point and encrypted directory are empty (skip symlinks).
238
238
# Perhaps one day we could provide a migration mode (using rsync or something),
239
239
# but this would be VERY hard to do safely.
240
240
count=`ls -Al "$MOUNTPOINT" 2>/dev/null | egrep -c "^[drwx-]{10}"`
241
241
if [ "$count" != "0" ]; then
242
error "$MOUNTPOINT" `gettext "must be empty before proceeding"`
242
error "$MOUNTPOINT" "$(gettext 'must be empty before proceeding')"
243
243
fi
244
244
count=`ls -Al "$CRYPTDIR" 2>/dev/null | egrep -c "^[dlrwx-]{10}"`
245
245
if [ "$count" != "0" ]; then
246
error "$CRYPTDIR" `gettext "must be empty before proceeding"`
246
error "$CRYPTDIR" "$(gettext 'must be empty before proceeding')"
247
247
fi
248
248
249
249
stty_orig=`stty -g`
265
265
stty $stty_orig
266
266
echo
267
267
if [ "$LOGINPASS" != "$LOGINPASS2" ]; then
268
echo `gettext "ERROR:"` `gettext "Wrapping passphrases must match"`
268
echo "$(gettext 'ERROR: ')" "$(gettext 'Wrapping passphrases must match')"
269
269
else
270
270
break
271
271
fi
273
273
continue
274
274
fi
275
275
if [ -z "$LOGINPASS" ]; then
276
echo `gettext "ERROR:"` `gettext "You must provide a login passphrase"`
276
echo "$(gettext 'ERROR: ')" "$(gettext 'You must provide a login passphrase')"
277
277
tries=$(($tries + 1))
278
278
else
279
279
if [ "$NOPWCHECK" = "1" ]; then
280
echo `gettext "INFO:"` `gettext "Skipping password verification"`
280
echo "$(gettext 'INFO:')" "$(gettext 'Skipping password verification')"
281
281
break
282
282
else
283
283
if printf "%s\0" "$LOGINPASS" | /sbin/unix_chkpwd "$USER" nullok; then
284
284
break
285
285
else
286
echo `gettext "ERROR:"` `gettext "Your login passphrase is incorrect"`
286
echo "$(gettext 'ERROR: ')" "$(gettext 'Your login passphrase is incorrect')"
287
287
tries=$(($tries + 1))
288
288
fi
289
289
fi
290
290
fi
291
291
done
292
292
if [ $tries -ge $PW_ATTEMPTS ]; then
293
error `gettext "Too many incorrect password attempts, exiting"`
293
error "$(gettext 'Too many incorrect password attempts, exiting')"
294
294
fi
295
295
fi
296
296
299
299
tries=0
300
300
while [ $tries -lt $PW_ATTEMPTS ]; do
301
301
stty -echo
302
echo -n `gettext "Enter your mount passphrase [leave blank to generate one]: "`
302
echo -n "$(gettext 'Enter your mount passphrase [leave blank to generate one]: ')"
303
303
MOUNTPASS=`head -n1`
304
304
stty $stty_orig
305
305
echo
309
309
break
310
310
else
311
311
stty -echo
312
echo -n `gettext "Enter your mount passphrase (again): "`
312
echo -n "$(gettext 'Enter your mount passphrase (again): ')"
313
313
MOUNTPASS2=`head -n1`
314
314
stty $stty_orig
315
315
echo
316
316
if [ "$MOUNTPASS" != "$MOUNTPASS2" ]; then
317
echo `gettext "ERROR:"` `gettext "Mount passphrases do not match"`
317
echo "$(gettext 'ERROR: ')" "$(gettext 'Mount passphrases do not match')"
318
318
tries=$(($tries + 1))
319
319
else
320
320
break
322
322
fi
323
323
done
324
324
if [ $tries -ge $PW_ATTEMPTS ]; then
325
error `gettext "Too many incorrect passphrase attempts, exiting"`
325
error "$(gettext 'Too many incorrect passphrase attempts, exiting')"
326
326
fi
327
327
fi
328
328
329
329
echo
330
330
echo "************************************************************************"
331
echo `gettext "YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION."`
331
echo "$(gettext 'YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.')"
332
332
echo " ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase"
333
echo `gettext "THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME."`
333
echo "$(gettext 'THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.')"
334
334
echo "************************************************************************"
335
335
echo
336
336
337
337
###############################################################################
338
338
339
339
# Setup private directory in home
340
mkdir -m 700 -p "$CRYPTDIR" || error `gettext "Could not create crypt directory"` "[$CRYPTDIR]"
341
mkdir -m 700 -p "$MOUNTPOINT" || error `gettext "Could not create mount directory"` "[$MOUNTPOINT]"
340
mkdir -m 700 -p "$CRYPTDIR" || error "$(gettext 'Could not create crypt directory')" "[$CRYPTDIR]"
341
mkdir -m 700 -p "$MOUNTPOINT" || error "$(gettext 'Could not create mount directory')" "[$MOUNTPOINT]"
342
342
ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt "$MOUNTPOINT"/README.txt
343
343
ln -sf /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop "$MOUNTPOINT"/Access-Your-Private-Data.desktop
344
344
chmod 500 "$MOUNTPOINT"
345
345
346
346
# Setup ~/.ecryptfs directory
347
347
if [ "$NOAUTOMOUNT" = "1" ]; then
348
echo `gettext "INFO:"` "$HOME/$PRIVATE_DIR" `gettext "will not be mounted on login"`
348
echo "$(gettext 'INFO:')" "$HOME/$PRIVATE_DIR" "$(gettext 'will not be mounted on login')"
349
349
else
350
touch $HOME/.ecryptfs/auto-mount || error `gettext "Could not setup ecryptfs auto-mount"`
350
touch $HOME/.ecryptfs/auto-mount || error "$(gettext 'Could not setup ecryptfs auto-mount')"
351
351
fi
352
352
if [ "$NOAUTOUMOUNT" = "1" ]; then
353
echo `gettext "INFO:"` "$HOME/$PRIVATE_DIR" `gettext "will not be unmounted on logout"`
353
echo "$(gettext 'INFO:')" "$HOME/$PRIVATE_DIR" "$(gettext 'will not be unmounted on logout')"
354
354
else
355
touch $HOME/.ecryptfs/auto-umount || error `gettext "Could not setup ecryptfs auto-umount"`
355
touch $HOME/.ecryptfs/auto-umount || error "$(gettext 'Could not setup ecryptfs auto-umount')"
356
356
fi
357
357
358
358
if [ "$WRAPPING_PASS" = "LOGIN" ]; then
359
rm -f $HOME/.ecryptfs/wrapping-independent || error `gettext "Could not remove ecryptfs wrapping-independent"`
359
rm -f $HOME/.ecryptfs/wrapping-independent || error "$(gettext 'Could not remove ecryptfs wrapping-independent')"
360
360
else
361
touch $HOME/.ecryptfs/wrapping-independent || error `gettext "Could not setup ecryptfs wrapping-independent"`
361
touch $HOME/.ecryptfs/wrapping-independent || error "$(gettext 'Could not setup ecryptfs wrapping-independent')"
362
362
fi
363
363
364
364
366
366
timestamp=`date +%Y%m%d%H%M%S`
367
367
for i in "$HOME/.ecryptfs/wrapped-passphrase" "$HOME/.ecryptfs/$PRIVATE_DIR.sig"; do
368
368
if [ -s "$i" ]; then
369
mv -f "$i" "$i.$timestamp" || error `gettext "Could not backup existing data"` "[$i]"
369
mv -f "$i" "$i.$timestamp" || error "(gettext 'Could not backup existing data')" "[$i]"
370
370
fi
371
371
done
372
372
382
382
printf "%s" "$MOUNTPASS" > "$temp"
383
383
mv "$temp" "/dev/shm/.ecryptfs-$USER"
384
384
else
385
printf "%s\n%s" "$MOUNTPASS" "$LOGINPASS" | ecryptfs-wrap-passphrase "$HOME/.ecryptfs/wrapped-passphrase" - || error `gettext "Could not wrap passphrase"`
385
printf "%s\n%s" "$MOUNTPASS" "$LOGINPASS" | ecryptfs-wrap-passphrase "$HOME/.ecryptfs/wrapped-passphrase" - || error "$(gettext 'Could not wrap passphrase')"
386
386
fi
387
387
umask $u
388
388
390
390
# On subsequent logins, this should be handled by "pam_ecryptfs.so unwrap"
391
391
response=`printf "%s" "$MOUNTPASS" | ecryptfs-add-passphrase $FNEK -`
392
392
if [ $? -ne 0 ]; then
393
error `gettext "Could not add passphrase to the current keyring"`
393
error "$(gettext 'Could not add passphrase to the current keyring')"
394
394
fi
395
395
sig=`echo "$response" | grep "Inserted auth tok" | sed "s/^.*\[//" | sed "s/\].*$//"`
396
396
if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{$KEYBYTES,$KEYBYTES}$"; then
397
error `gettext "Could not obtain the key signature"`
397
error "$(gettext 'Could not obtain the key signature')"
398
398
fi
399
399
temp=`mktemp`
400
echo "$sig" > "$temp" || error `gettext "Could not create signature file"` "[$HOME/.ecryptfs/$PRIVATE_DIR.sig]"
400
echo "$sig" > "$temp" || error "$(gettext 'Could not create signature file')" "[$HOME/.ecryptfs/$PRIVATE_DIR.sig]"
401
401
mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.sig"
402
402
temp=`mktemp`
403
echo "$MOUNTPOINT" > "$temp" || error `gettext "Could not create mountpoint file"` "[$HOME/.ecryptfs/$PRIVATE_DIR.mnt]"
403
echo "$MOUNTPOINT" > "$temp" || error "$(gettext 'Could not create mountpoint file')" "[$HOME/.ecryptfs/$PRIVATE_DIR.mnt]"
404
404
mv "$temp" "$HOME/.ecryptfs/$PRIVATE_DIR.mnt"
405
405
406
406
echo
407
echo `gettext "Done configuring."`
407
echo "$(gettext 'Done configuring.')"
408
408
echo
409
409
410
410
# Skip the tests if we're in bootstrap mode, but exit with the encrypted
434
434
fi
435
435
436
436
# Now let's perform some basic mount/write/umount/read sanity testing...
437
echo `gettext "Testing mount/write/umount/read..."`
438
/sbin/mount.ecryptfs_private || error `gettext "Could not mount private ecryptfs directory"`
439
temp=`mktemp "$MOUNTPOINT/ecryptfs.test.XXXXXX"` || error_testing "$temp" `gettext "Could not create empty file"`
440
random_data=`head -c 16000 /dev/urandom | od -x` || error_testing "$temp" `gettext "Could not generate random data"`
441
echo "$random_data" > "$temp" || error_testing "$temp" `gettext "Could not write encrypted file"`
442
md5sum1=`md5sum "$temp"` || error_testing "$temp" `gettext "Could not read encrypted file"`
443
/sbin/umount.ecryptfs_private || error_testing "$temp" `gettext "Could not unmount private ecryptfs directory"`
444
/sbin/mount.ecryptfs_private || error_testing "$temp" `gettext "Could not mount private ecryptfs directory (2)"`
445
md5sum2=`md5sum "$temp"` || error_testing "$temp" `gettext "Could not read encrypted file (2)"`
437
echo "$(gettext 'Testing mount/write/umount/read...')"
438
/sbin/mount.ecryptfs_private || error "$(gettext 'Could not mount private ecryptfs directory')"
439
temp=`mktemp "$MOUNTPOINT/ecryptfs.test.XXXXXX"` || error_testing "$temp" "$(gettext 'Could not create empty file')"
440
random_data=`head -c 16000 /dev/urandom | od -x` || error_testing "$temp" "$(gettext 'Could not generate random data')"
441
echo "$random_data" > "$temp" || error_testing "$temp" "$(gettext 'Could not write encrypted file')"
442
md5sum1=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read encrypted file')"
443
/sbin/umount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not unmount private ecryptfs directory')"
444
/sbin/mount.ecryptfs_private || error_testing "$temp" "$(gettext 'Could not mount private ecryptfs directory (2)')"
445
md5sum2=`md5sum "$temp"` || error_testing "$temp" "$(gettext 'Could not read encrypted file (2)')"
446
446
rm -f "$temp"
447
447
# Use ecryptfs-umount-private on the final run, to clear the used keys
448
448
# out of the keyring
449
ecryptfs-umount-private || error_testing "$temp" `gettext "Could not unmount private ecryptfs directory (2)"`
449
ecryptfs-umount-private || error_testing "$temp" "$(gettext 'Could not unmount private ecryptfs directory (2)')"
450
450
if [ "$md5sum1" != "$md5sum2" ]; then
451
error `gettext "Testing failed."`
451
error "$(gettext 'Testing failed.')"
452
452
else
453
echo `gettext "Testing succeeded."`
453
echo "$(gettext 'Testing succeeded.')"
454
454
fi
455
455
456
456
echo
457
echo `gettext "Logout, and log back in to begin using your encrypted directory."`
457
echo "$(gettext 'Logout, and log back in to begin using your encrypted directory.')"
458
458
echo
459
459
460
exit 0
Loggerhead is a web-based interface for Breezy
Version: 2.0.1