ecryptfs-setup-private creates .ecryptfs dir with wrong permissions when GID is different than UID
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
eCryptfs | Fix Released | High | Dustin Kirkland | |
adduser (Ubuntu) | Invalid | Undecided | Unassigned | |
ecryptfs-utils (Ubuntu) | Fix Released | High | Dustin Kirkland | |
Bug Description
When adding a user with an encrypted home directory and passing the group ID from the CLI, the utility fails to set the permissions on the .ecryptfs and .Private directories.
Here is an example:
adduser --uid 1030 --gid 115 --encrypt-home lmondesi
...
chown: invalid group: `lmondesi:lmondesi'
chown: invalid group: `lmondesi:lmondesi'
chown: invalid group: `lmondesi:lmondesi'
chown: invalid group: `lmondesi:lmondesi'
chown: invalid group: `lmondesi:lmondesi'
This causes the permissions for the /home/.
lmondesi@
total 16
drwxr-xr-x 4 root root 4096 2009-10-07 05:30 .
drwxr-xr-x 3 root root 4096 2009-10-07 05:30 ..
drwx------ 2 root root 4096 2009-10-07 05:30 .ecryptfs
drwx------ 2 root root 4096 2009-10-07 05:30 .Private
Related branches
- Dustin Kirkland (community): Needs Information
  Diff: 5798 lines (+2544/-987), 72 files modified
affects: ubuntu → ecryptfs-utils (Ubuntu)
Changed in ecryptfs-utils (Ubuntu):
status: New → Confirmed
Changed in ecryptfs-utils (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → High
milestone: none → ubuntu-9.10
assignee: nobody → Dustin Kirkland (kirkland)
Changed in ecryptfs:
status: New → In Progress
assignee: nobody → Dustin Kirkland (kirkland)
importance: Undecided → High
Changed in adduser (Ubuntu):
status: Confirmed → Invalid
Changed in ecryptfs:
status: In Progress → Fix Committed
Changed in ecryptfs:
status: Fix Committed → Fix Released
When creating a new user with a GID different than the UID using adduser --encrypt-home, the GID is not passed at all from adduser to ecryptfs-setup-private:
if (defined($encrypt_home)) {
    &systemcall($ecryptfs_setup_private, '-b', '-u', $new_name);
    printf gtx("Setting up encryption ...\n") if $verbose;
}
ecryptfs-setup-private then blindly chowns to $USER:$USER assuming the GID matches the UID:
chown $USER:$USER "$CRYPTDIR" /dev/shm/.ecryptfs-$USER
(multiple chowns below this)
sciri@baka:~$ sudo adduser --encrypt-home --gid 2500 testuser
Adding user `testuser' ...
Adding new user `testuser' (1000) with group `warthogs' ...
Creating home directory `/home/testuser' ...
Setting up encryption ...
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
chown: invalid group: `testuser:testuser'
chown: invalid group: `testuser:testuser'
chown: invalid group: `testuser:testuser'
chown: invalid group: `testuser:testuser'
chown: invalid group: `testuser:testuser'
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for testuser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
sciri@baka:~$ sudo ls -al /home/.ecryptfs/testuser/
total 16
drwxr-xr-x 4 root root 4096 2009-10-08 10:27 .
drwxr-xr-x 3 root root 4096 2009-10-08 10:27 ..
drwx------ 2 root root 4096 2009-10-08 10:27 .ecryptfs
drwx------ 2 root root 4096 2009-10-08 10:27 .Private
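The `$USER:$USER` assumption described in the comment above can be avoided by resolving the account's primary group from the account database before calling chown, and the resulting ownership can be audited afterwards. This is an added example, not the fix that shipped in ecryptfs-utils; the function names `owner_spec`, `chown_to_user` and `check_owner` are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: not code from ecryptfs-utils or adduser.

# Print "user:primary-group" for an account. The group is looked up with
# id(1) instead of assuming a group named after the user exists.
owner_spec() {
    user=$1
    group=$(id -gn "$user") || return 1
    printf '%s:%s\n' "$user" "$group"
}

# chown the given paths to the account's real owner spec. Fails before
# touching anything if the account cannot be resolved, so a setup script
# can stop instead of leaving root-owned directories behind.
chown_to_user() {
    user=$1
    shift
    spec=$(owner_spec "$user") || {
        echo "cannot resolve primary group for: $user" >&2
        return 1
    }
    chown "$spec" "$@"
}

# Audit helper: succeeds only if the path is owned by the user and the
# user's primary group. Returns 1 on a mismatch, 2 on lookup errors.
check_owner() {
    user=$1
    path=$2
    want=$(owner_spec "$user") || return 2
    have=$(stat -c '%U:%G' "$path") || return 2
    if [ "$have" != "$want" ]; then
        echo "$path: owned by $have, expected $want" >&2
        return 1
    fi
}

# Stand-alone use: ./script USER PATH
if [ "$#" -eq 2 ]; then
    check_owner "$1" "$2"
fi
```

Run against the directories in the listings above, `check_owner` would report the `root:root` ownership that the failed chown calls left in place.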