1) This bug affects any users using Intrepid's easy-to-configure "Automatic Login" option, in conjunction with Encrypted Private Directories. Encrypted Private Directories absolutely *require* that you enter your password at some point, in order to unwrap the mount passphrase and mount the encrypted Private directory. This might seem obvious to the technical among us, but it's not obvious to some of our users.
2) The proposed fix, which has been committed upstream, involves the following, in order to provide an interactive mechanism for prompting for a password when attempting to access the encrypted private directory:
* doc/ecryptfs-mount-private.txt: new file, to be placed as
  "README.txt" in a user's unmounted encrypted ~/Private directory
* src/desktop/ecryptfs-mount-private.desktop: new desktop file,
  to be installed in each user's unmounted Private dir, providing a
  clickable way to mount (tested in Gnome and KDE)
* src/utils/ecryptfs-setup-private: link the readme and desktop file
  into the unmounted Private dir
* src/utils/ecryptfs-mount-private: completely overhauled to
  interactively prompt for a user's login password, unwrap the mount
  passphrase and insert into the keyring, and perform the mount
* src/utils/ecryptfs-umount-private: completely overhauled to drop the
  deprecated (and broken) counter mechanism, and very simply call
  umount.ecryptfs_private
* src/utils/mount.ecryptfs_private.c: provide a helpful "hint" when a
  key isn't found, that perhaps the user wants to try the interactive
  ecryptfs-mount-private utility
* See: http://git.kernel.org/?p=linux/kernel/git/mhalcrow/ecryptfs-utils.git;a=commit;h=923a2e4bc05e8a6bb4a3ca836f9080b13bd84b3c
3) Patch is attached.
4) TEST CASE:
a) install Ubuntu or Kubuntu, and configure the system for "Automatic Login"
b) sudo apt-get install ecryptfs-utils
c) ecryptfs-setup-private
d) mount.ecryptfs_private
e) copy some data into ~/Private
f) reboot, allow the machine to automatically log in
g) try to access ~/Private; you will only see a symlink saying that the directory has been unmounted
5) The only regression potential I see is the overloading of the ecryptfs-mount-private and ecryptfs-umount-private utilities. These were two small, wrapper scripts which have been included in the package, but broken and deprecated. Their functionality was completely supplanted by the mount.ecryptfs_private setuid binary and the built-in counter functionality, and the hooks in pam_ecryptfs to call mount.ecryptfs_private/umount.ecryptfs_private. Before the pam module handled this, these utilities were added to .bash_profile. That never made it into Ubuntu, and these utilities have not been used. As upstream, the intention is for these utilities to become the interactive wrapper for the compact, hardened /sbin/mount.ecryptfs_private.
Stable Release Update Request
Per:
* https://wiki.ubuntu.com/StableReleaseUpdates
:-Dustin
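
An added example, not part of the original report or the ecryptfs-utils code: a shell check for step (g) of the test case, which classifies `<home>/Private` from a mount table in `/proc/mounts` format. The function name, the constructed sample table and its source paths are assumptions made for illustration.

```shell
#!/bin/sh
# Classify <home>/Private from a mount table in /proc/mounts format.
# Usage: private_mount_state MOUNTS_FILE HOME_DIR
# Prints "mounted", "unmounted" or "other-fs:<type>".
private_mount_state() {
    # Pass the target through the environment so awk does not
    # interpret backslash sequences in the path.
    TARGET="$2/Private" awk '
        # Spaces in mount points appear as \040 in /proc/mounts.
        function unescape(s) { gsub(/\\040/, " ", s); return s }
        # Field 2 is the mount point, field 3 the filesystem type.
        # Exact comparison avoids matching e.g. <home>/PrivateOld.
        # The last matching line wins (most recent mount on that path).
        unescape($2) == ENVIRON["TARGET"] { fstype = $3 }
        END {
            if (fstype == "ecryptfs") print "mounted"
            else if (fstype != "")    print "other-fs:" fstype
            else                      print "unmounted"
        }
    ' "$1"
}

# Constructed sample mount table (not captured from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/constructed/lower-a /home/alice/Private ecryptfs rw,nosuid,nodev 0 0
/constructed/lower-b /home/bob/PrivateOld ecryptfs rw,nosuid,nodev 0 0
tmpfs /home/carol/Private tmpfs rw 0 0
/constructed/lower-d /home/dave\040smith/Private ecryptfs rw 0 0
EOF
for h in /home/alice /home/bob /home/carol "/home/dave smith"; do
    printf '%s: %s\n' "$h" "$(private_mount_state "$sample" "$h")"
done
rm -f "$sample"
```

On a test machine, `private_mount_state /proc/mounts "$HOME"` run after the automatic login in step (f) should print `unmounted`, and `mounted` once the interactive ecryptfs-mount-private utility has completed.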