The following two patches are in no way intended to be applied; they're just for
conversation.
The one against mount.ecryptfs_private makes it use capabilities instead of
setuid. If we do a mount, it puts cap_sys_admin and cap_dac_override in
pE so it can do mount(2) and write to /etc/mtab.
Currently for umount, mount.ecryptfs_private does execl("/bin/umount"). So
the patch puts those capabilities in pI in the hopes that umount will have
them in fI.
The /bin/umount patch is needed because ordinarily umount refuses to unmount
an entry not in fstab unless the caller is euid=0. So the patch instead checks
whether the needed capabilities are in pE.
Finally, with these patches applied you need to do
capset cap_sys_admin,cap_dac_override=pe /sbin/mount.ecryptfs_private
capset cap_sys_admin,cap_dac_override=ie /bin/umount
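
The pI/fI hand-off described above can be checked against the execve(2) transformation rules in capabilities(7). This is an added example, not part of the original post or its patches; it models the capability sets as bitmasks, assumes a non-root caller with an empty ambient set, and the struct names and `umount_chain` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions follow <linux/capability.h>. */
#define DAC_OVERRIDE ((uint64_t)1 << 1)   /* CAP_DAC_OVERRIDE */
#define SYS_ADMIN    ((uint64_t)1 << 21)  /* CAP_SYS_ADMIN */
#define NEEDED       (SYS_ADMIN | DAC_OVERRIDE)

struct proc_caps { uint64_t inheritable, permitted, effective, bounding; };
struct file_caps { uint64_t inheritable, permitted; int effective; };

static const struct file_caps FCAP_NONE = { 0, 0, 0 };
static const struct file_caps FCAP_PE = { 0, NEEDED, 1 };  /* "=pe" on the helper */
static const struct file_caps FCAP_IE = { NEEDED, 0, 1 };  /* "=ie" on umount */

/* execve(2) rules from capabilities(7); assumes non-root, empty ambient set. */
struct proc_caps caps_after_exec(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n = p;  /* pI and the bounding set carry over */
    n.permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective = f.effective ? n.permitted : 0;
    return n;
}

/* The test the umount patch describes: needed capabilities in pE, not euid==0. */
int has_needed_caps(struct proc_caps p)
{
    return (p.effective & NEEDED) == NEEDED;
}

/* Hypothetical model: unprivileged shell -> helper -> /bin/umount. */
struct proc_caps umount_chain(struct file_caps helper, int raise_pI,
                              struct file_caps umount)
{
    struct proc_caps p = { 0, 0, 0, ~(uint64_t)0 };  /* ordinary user process */
    p = caps_after_exec(p, helper);
    if (raise_pI)  /* without CAP_SETPCAP, pI may grow only from pP */
        p.inheritable |= NEEDED & p.permitted;
    return caps_after_exec(p, umount);
}

int main(void)
{
    printf("helper =pe, pI raised, umount =ie: %d\n",
           has_needed_caps(umount_chain(FCAP_PE, 1, FCAP_IE)));
    printf("caller without caps, umount =ie:   %d\n",
           has_needed_caps(umount_chain(FCAP_NONE, 1, FCAP_IE)));
    return 0;
}
```

The second case is the one that matters for least privilege: `=ie` on /bin/umount grants nothing to a caller that does not already hold the capabilities in pI.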