ecryptfs-setup-private creates .ecryptfs dir with wrong permissions when GID is different than UID

Bug #445301 reported by Luis Mondesi
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
eCryptfs | Fix Released | High | Dustin Kirkland |
adduser (Ubuntu) | Invalid | Undecided | Unassigned |
ecryptfs-utils (Ubuntu) | Fix Released | High | Dustin Kirkland |

Bug Description

When adding a user with an encrypted home directory and passing the group ID from the CLI, the utility fails to set the permissions on the .ecryptfs and .Private directories.

Here is an example:

adduser --uid 1030 --gid 115 --encrypt-home lmondesi
...
chown: invalid group: `lmondesi:lmondesi'
chown: invalid group: `lmondesi:lmondesi'
chown: invalid group: `lmondesi:lmondesi'
chown: invalid group: `lmondesi:lmondesi'
chown: invalid group: `lmondesi:lmondesi'

This causes wrong permissions for /home/.ecryptfs/lmondesi/.{ecryptfs,Private}, which obviously prevents it from being mounted:

lmondesi@zod:/home/.ecryptfs/lmondesi$ ls -la
total 16
drwxr-xr-x 4 root root 4096 2009-10-07 05:30 .
drwxr-xr-x 3 root root 4096 2009-10-07 05:30 ..
drwx------ 2 root root 4096 2009-10-07 05:30 .ecryptfs
drwx------ 2 root root 4096 2009-10-07 05:30 .Private


Philip Muškovac (yofel)
affects: ubuntu → ecryptfs-utils (Ubuntu)
Sean Sosik-Hamor (sciri)
Changed in ecryptfs-utils (Ubuntu):
status: New → Confirmed
Sean Sosik-Hamor (sciri) wrote :

When creating a new user with a GID different than the UID using adduser --encrypt-home, the GID is not passed at all from adduser to ecryptfs-setup-private:

      if (defined($encrypt_home)) {
        printf gtx("Setting up encryption ...\n") if $verbose;
        &systemcall($ecryptfs_setup_private, '-b', '-u', $new_name);
      }

ecryptfs-setup-private then blindly chowns to $USER:$USER assuming the GID matches the UID:

        chown $USER:$USER "$CRYPTDIR" /dev/shm/.ecryptfs-$USER
        (multiple chowns below this)

sciri@baka:~$ sudo adduser --encrypt-home --gid 2500 testuser
Adding user `testuser' ...
Adding new user `testuser' (1000) with group `warthogs' ...
Creating home directory `/home/testuser' ...
Setting up encryption ...

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Done configuring.

chown: invalid group: `testuser:testuser'
chown: invalid group: `testuser:testuser'
chown: invalid group: `testuser:testuser'
chown: invalid group: `testuser:testuser'
chown: invalid group: `testuser:testuser'
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for testuser
Enter the new value, or press ENTER for the default
 Full Name []:
 Room Number []:
 Work Phone []:
 Home Phone []:
 Other []:
Is the information correct? [Y/n] y
sciri@baka:~$ sudo ls -al /home/.ecryptfs/testuser/
total 16
drwxr-xr-x 4 root root 4096 2009-10-08 10:27 .
drwxr-xr-x 3 root root 4096 2009-10-08 10:27 ..
drwx------ 2 root root 4096 2009-10-08 10:27 .ecryptfs
drwx------ 2 root root 4096 2009-10-08 10:27 .Private

Changed in adduser (Ubuntu):
status: New → Confirmed
summary: - ecryptfs-utils creates dir with wrong permissions
+ ecryptfs-setup-private creates .ecryptfs dir with wrong permissions when
+ GID is different than UID
Sean Sosik-Hamor (sciri) wrote :

sciri@baka:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu karmic (development branch)
Release: 9.10
Codename: karmic
sciri@baka:~$ apt-cache policy adduser
adduser:
  Installed: 3.110ubuntu6
  Candidate: 3.110ubuntu6
  Version table:
 *** 3.110ubuntu6 0
        500 http://archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status
sciri@baka:~$ apt-cache policy ecryptfs-utils
ecryptfs-utils:
  Installed: 81-0ubuntu1
  Candidate: 81-0ubuntu1
  Version table:
 *** 81-0ubuntu1 0
        500 http://archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status

Changed in ecryptfs-utils (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → High
milestone: none → ubuntu-9.10
assignee: nobody → Dustin Kirkland (kirkland)
Changed in ecryptfs:
status: New → In Progress
assignee: nobody → Dustin Kirkland (kirkland)
importance: Undecided → High
Changed in adduser (Ubuntu):
status: Confirmed → Invalid
Changed in ecryptfs:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 81-0ubuntu2

---------------
ecryptfs-utils (81-0ubuntu2) karmic; urgency=low

  * src/utils/ecryptfs-setup-private: fix bug where setup-private
    incorrectly assumed that the home/private dir ownerships should
    be owned by USER:USER; instead, default to USER:GROUP, where
    GROUP is the USER's primary group by default, cherry-pick upstream
    r463, LP: #445301

 -- Dustin Kirkland <email address hidden> Wed, 14 Oct 2009 14:20:42 -0500
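
The USER:GROUP approach named in the changelog above, sketched in shell with a check for the root-owned directories this bug left behind. This is an added example, not the ecryptfs-utils code or the upstream r463 change; the function names owner_spec, chown_to_user and owned_by_user are hypothetical.

```shell
#!/bin/sh
# Added example (not from ecryptfs-utils); all function names are hypothetical.

# Print "USER:GROUP", where GROUP is USER's primary group as resolved by id(1).
# Fails instead of guessing "USER:USER" when the account cannot be resolved.
owner_spec() {
    os_user=$1
    os_group=$(id -gn "$os_user" 2>/dev/null) || return 1
    [ -n "$os_group" ] || return 1
    printf '%s:%s\n' "$os_user" "$os_group"
}

# chown_to_user USER PATH...
# Resolve the owner spec first and stop on failure, so setup does not carry on
# with directories that are still owned by root:root.
chown_to_user() {
    cu_user=$1
    shift
    cu_spec=$(owner_spec "$cu_user") || {
        echo "cannot resolve primary group for $cu_user" >&2
        return 1
    }
    chown "$cu_spec" "$@"
}

# owned_by_user PATH USER
# Succeed only if PATH itself is owned by USER and USER's primary group.
# Useful as a post-setup check on directories such as .ecryptfs and .Private.
owned_by_user() {
    ob_group=$(id -gn "$2" 2>/dev/null) || return 1
    [ -n "$(find "$1" -prune -user "$2" -group "$ob_group" -print 2>/dev/null)" ]
}
```
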

Changed in ecryptfs-utils (Ubuntu):
status: In Progress → Fix Released
Changed in ecryptfs:
status: Fix Committed → Fix Released