70
/* returns: 0 for pam automounting not set, 1 for set, <0 for error */
71
static int ecryptfs_pam_automount_set(const char *homedir)
77
&file_path, "%s/.ecryptfs/%s",
79
ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME) == -1)
81
if (stat(file_path, &s) != 0) {
87
if (asprintf(&file_path, "%s/.ecryptfs/auto-mount", homedir) == -1)
89
if (stat(file_path, &s) != 0) {
100
68
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
101
69
const char **argv)
184
152
auth_tok_sig, passphrase, salt);
155
syslog(LOG_WARNING, "There is already a key in the "
156
"user session keyring for the given "
190
161
syslog(LOG_ERR, "Error adding passphrase key token to "
191
"user session keyring; rc = [%ld]\n", rc);
162
"user session keyring; rc = [%d]\n", rc);
194
165
if (fork() == 0) {
195
166
if ((rc = ecryptfs_set_zombie_session_placeholder())) {
196
167
syslog(LOG_ERR, "Error attempting to create "
197
168
"and register zombie process; "
216
187
return PAM_SUCCESS;
219
static struct passwd *fetch_pwd(pam_handle_t *pamh)
222
const char *username = NULL;
223
struct passwd *pwd = NULL;
225
rc = pam_get_user(pamh, &username, NULL);
226
if (rc != PAM_SUCCESS || username == NULL) {
227
syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
228
"rc = [%ld]\n", username, rc);
231
pwd = getpwnam(username);
233
syslog(LOG_ERR, "Error getting passwd info for user [%s]; "
234
"rc = [%ld]\n", username, rc);
240
static int private_dir(pam_handle_t *pamh, int mount)
243
struct passwd *pwd = NULL;
244
char *sigfile = NULL;
245
char *autofile = NULL;
246
char *recorded = NULL;
248
char *automount = "auto-mount";
249
char *autoumount = "auto-umount";
255
if ((pwd = fetch_pwd(pamh)) == NULL) {
256
/* fetch_pwd() logged a message */
265
(asprintf(&autofile, "%s/.ecryptfs/%s", pwd->pw_dir, a) < 0)
266
|| autofile == NULL) {
267
syslog(LOG_ERR, "Error allocating memory for autofile name");
271
(asprintf(&sigfile, "%s/.ecryptfs/%s.sig", pwd->pw_dir,
272
PRIVATE_DIR) < 0) || sigfile == NULL) {
273
syslog(LOG_ERR, "Error allocating memory for sigfile name");
276
if (stat(sigfile, &s) != 0) {
277
/* No sigfile, no need to mount private dir */
280
if (!S_ISREG(s.st_mode)) {
281
/* No sigfile, no need to mount private dir */
284
if ((pid = fork()) < 0) {
285
syslog(LOG_ERR, "Error setting up private mount");
290
if ((asprintf(&recorded,
291
"%s/.ecryptfs/.wrapped-passphrase.recorded",
292
pwd->pw_dir) < 0) || recorded == NULL) {
294
"Error allocating memory for recorded name");
297
if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) {
298
/* User has not recorded their passphrase */
299
unlink("/var/lib/update-notifier/user.d/ecryptfs-record-passphrase");
300
symlink("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", "/var/lib/update-notifier/user.d/ecryptfs-record-passphrase");
301
fd = open("/var/lib/update-notifier/dpkg-run-stamp", O_WRONLY|O_CREAT|O_NONBLOCK, 0666);
304
if (stat(autofile, &s) != 0) {
305
/* User does not want to auto-mount */
307
"Skipping automatic eCryptfs mount");
310
/* run mount.ecryptfs_private as the user */
311
setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
312
execl("/sbin/mount.ecryptfs_private",
313
"mount.ecryptfs_private", NULL);
315
if (stat(autofile, &s) != 0) {
316
/* User does not want to auto-unmount */
318
"Skipping automatic eCryptfs unmount");
321
/* run umount.ecryptfs_private as the user */
322
setresuid(pwd->pw_uid, pwd->pw_uid, pwd->pw_uid);
323
execl("/sbin/umount.ecryptfs_private",
324
"umount.ecryptfs_private", NULL);
328
waitpid(pid, &rc, 0);
330
"Mount of private directory return code [%d]", rc);
337
static int mount_private_dir(pam_handle_t *pamh)
339
return private_dir(pamh, 1);
342
static int umount_private_dir(pam_handle_t *pamh)
344
return private_dir(pamh, 0);
348
191
pam_sm_open_session(pam_handle_t *pamh, int flags,
349
192
int argc, const char *argv[])
351
mount_private_dir(pamh);
352
194
return PAM_SUCCESS;
433
rc = asprintf(&unwrapped_pw_filename, "/dev/shm/.ecryptfs-%s", name);
435
syslog(LOG_ERR, "Unable to allocate memory\n");
439
265
if ((rc = ecryptfs_read_salt_hex_from_rc(salt_hex))) {
266
syslog(LOG_WARNING, "Unable to read salt value from user's "
267
".ecryptfsrc file; using default\n");
440
268
from_hex(salt, ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_SALT_SIZE);
442
270
from_hex(salt, salt_hex, ECRYPTFS_SALT_SIZE);
444
/* If /dev/shm/.ecryptfs-$USER exists and owned by the user
445
and ~/.ecryptfs/wrapped-passphrase does not exist
446
and a new_passphrase is set:
447
wrap the unwrapped passphrase file */
448
if (stat(unwrapped_pw_filename, &s) == 0 && (s.st_uid == uid) &&
449
stat(wrapped_pw_filename, &s) != 0 &&
450
new_passphrase != NULL && *new_passphrase != '\0' &&
451
name != NULL && *name != '\0') {
453
rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename,
454
new_passphrase, salt, unwrapped_pw_filename);
457
"Error wrapping cleartext password; "
463
if (!old_passphrase || !new_passphrase || *new_passphrase == '\0') {
464
syslog(LOG_WARNING, "eCryptfs PAM passphrase change module "
465
"retrieved at least one NULL passphrase; nothing to "
467
rc = PAM_AUTHTOK_RECOVER_ERR;
470
271
rc = PAM_SUCCESS;
471
272
if ((child_pid = fork()) == 0) {
472
273
char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1];
added
removed
src/pam_ecryptfs/pam_ecryptfs.c
