~mrooney/ecryptfs/nautilus-integration

#!/bin/sh

 

echo

echo "You must run this script as root. Do not use sudo; either log in"

echo "as root or use 'su -'"

echo

echo "This script applies to Open Client systems only with the IBM-security-compliance RPM installed"

echo

 

whoami | grep "^root$" &> /dev/null

if test $? == 1; then

  echo "Please run this script as root"

  echo

  exit

fi

 

echo "USAGE:"

echo " # ecryptfs-setup-pam-wrapped.sh [username] [mount passphrase] [wrapping passphrase]"

echo

echo "Be sure to properly escape your parameters according to your shell's special character nuances, and also surround the parameters by double quotes, if need be."

echo

echo "No special characters allowed in the username."

echo

 

if test "x$1" == "x"; then

    echo "Must provide a username"

    echo

    exit

fi

 

if test "x$2" == "x"; then

    echo "Must provide a mount passphrase"

    echo

    exit

fi

 

if test "x$3" == "x"; then

    echo "Must provide a wrapping passphrase"

    echo

    exit

fi

 

echo "Using username [$1]"

echo "Using mount passphrase [$2]"

echo "Using wrapping passphrase [$3]"

echo

echo "This script will attempt to set up your system to mount eCryptfs"

echo "automatically on login, using your login passphrase."

echo

 

modprobe ecryptfs

mkdir /home/$1/Confidential

chown $1:$1 /home/$1/Confidential

chmod 700 /home/$1/Confidential

grep -v "ecryptfs_sig" /etc/fstab > /tmp/fstab

mv -f /tmp/fstab /etc/fstab

umount /home/$1/Confidential

mount | grep "/home/$1/Confidential type ecryptfs"

if test $? == 0; then

 echo "ERROR: /home/$1/Confidential still mounted after umount; cannot continue with setup"

 exit 1

fi

mount -t ecryptfs /home/$1/Confidential /home/$1/Confidential -o key=passphrase:passwd="$2",cipher=aes,ecryptfs_key_bytes=16,passthrough=n,no_sig_cache

grep ecryptfs_sig /etc/mtab | sed 's/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16,user,noauto,/' >> /etc/fstab

umount /home/$1/Confidential

cp -f /etc/pam.d/system-auth /etc/pam.d/.system-auth-before-pam_ecryptfs

grep -v "pam_ecryptfs" /etc/pam.d/system-auth > /tmp/system-auth

mv -f /tmp/system-auth /etc/pam.d/system-auth

grep -v "auth.*pam_deny" /etc/pam.d/system-auth > /tmp/system-auth

mv -f /tmp/system-auth /etc/pam.d/system-auth

cat /etc/pam.d/system-auth | sed 's/auth.*pam_unix\.so\(.*\)/auth required pam_unix.so\1\nauth required pam_ecryptfs.so unwrap/' > /tmp/system-auth

mv -f /tmp/system-auth /etc/pam.d/system-auth

cat /etc/pam.d/system-auth | sed 's/password\s*sufficient\s*pam_unix\.so\(.*\)/password required pam_ecryptfs.so\npassword sufficient pam_unix.so\1/' > /tmp/system-auth

mv -f /tmp/system-auth /etc/pam.d/system-auth

grep "Confidential type ecryptfs" /home/$1/.bash_profile

if test $? != 0; then

    cp -f /home/$1/.bash_profile /home/$1/.bash_profile-before-pam_ecryptfs

    echo "if test -e \$HOME/.ecryptfs/auto-mount; then" >> /home/$1/.bash_profile

    echo "  mount | grep \"\$HOME/Confidential type ecryptfs\"" >> /home/$1/.bash_profile

    echo "  if test \$? != 0; then" >> /home/$1/.bash_profile

    echo "    mount -i \$HOME/Confidential" >> /home/$1/.bash_profile

    echo "  fi" >> /home/$1/.bash_profile

    echo "fi" >> /home/$1/.bash_profile

    echo "ecryptfs-zombie-kill" >> /home/$1/.bash_profile

fi

mkdir -p /home/$1/.ecryptfs

chown $1:$1 /home/$1/.ecryptfs

touch /home/$1/.ecryptfs/auto-mount

chown $1:$1 /home/$1/.ecryptfs/auto-mount

rm -f /home/$1/.ecryptfs/wrapped-passphrase

/usr/bin/ecryptfs-wrap-passphrase /home/$1/.ecryptfs/wrapped-passphrase "$2" "$3"

chown $1:$1 /home/$1/.ecryptfs/wrapped-passphrase