Comment 0 for bug 732628

Vasily Kulikov (segooon) wrote :

check_ownerships() function doesn't work as it should because of a race condition. Arguments of both mount() and umount() calls can be changed between the check and the usage. This may lead to arbitrary mount point umounting or probably to gaining ability to try passphrases of other people's ecryptfs storages.

lock_counter() is also racy. It (1) tries to check existence and ownership of the file before open(), (2) neither uses stat() instead of lstat() nor O_NOFOLLOW, (3) is not protected against deletion of the lock file by the owner. The lock file should probably be created in a root-only writable directory before dropping EUID.
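
An added example, not part of the original comment and not ecryptfs-utils code: one way to close points (1) and (2) is to open the lock file with O_NOFOLLOW and validate the descriptor with fstat() instead of checking the path first. The names open_lock_checked() and demo(), the /tmp paths and the extra link-count check are assumptions made for illustration; point (3) still needs the root-only writable directory the comment suggests.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open first, then validate the object behind the descriptor: fstat() on an
 * fd cannot be redirected by swapping the path after the check. */
int open_lock_checked(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;              /* ELOOP when the last component is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {   /* nlink: added assumption */
        close(fd);
        return -1;
    }
    return fd;                  /* caller keeps using this fd, never the path */
}

/* Constructed self-check: returns 0 when a plain file is accepted and both a
 * symlink to it and an owner mismatch are rejected. */
int demo(void)
{
    char file[] = "/tmp/lockdemoXXXXXX", lnk[64];
    int fd, rc = 0, tmp = mkstemp(file);
    if (tmp < 0)
        return -1;
    close(tmp);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) rc |= 8;

    if ((fd = open_lock_checked(file, geteuid())) < 0) rc |= 1; else close(fd);
    if ((fd = open_lock_checked(lnk, geteuid())) >= 0) { rc |= 2; close(fd); }
    if ((fd = open_lock_checked(file, geteuid() + 1)) >= 0) { rc |= 4; close(fd); }

    unlink(lnk);
    unlink(file);
    return rc;
}

int main(void) { return demo(); }
```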