No sudo access after installing of Ubuntu amd64 from July 2 daily.

Bug #395082 reported by Luke Yelavich on 2009-07-03
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ecryptfs-utils (Ubuntu) | | High | Dustin Kirkland |
user-setup (Ubuntu) | | Undecided | Unassigned |

Bug Description

I was installing and enabled encrypted home, which at a glance of the syslog, seems to have broken things to the point where I wasn't added to the groups I should have been.

Syslog attached.

 affects ubuntu/user-setup

Luke Yelavich (themuso) wrote :
Colin Watson (cjwatson) wrote :

Firstly, something seems to have gone wrong with ecryptfs, and it seems to be below the level of user-setup. Dustin, could you have a look at this?

Secondly, there's a robustness consideration in user-setup. If something goes wrong while setting up ecryptfs, it needs to inform the user about it - presumably as a red-screen error - so that they don't end up unknowingly having an unencrypted home directory. Furthermore it then needs to carry on and do the rest of its work as normal.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package user-setup - 1.27ubuntu2

---------------
user-setup (1.27ubuntu2) karmic; urgency=low

  * Error out more gracefully, although with a clear red-screen error, if
    /dev/shm/.ecryptfs-$USER doesn't exist when trying to set up home
    directory encryption (LP: #395082).

 -- Colin Watson <email address hidden> Fri, 03 Jul 2009 13:47:52 +0100

Changed in user-setup (Ubuntu):
status: New → Fix Released
Dustin Kirkland  (kirkland) wrote :

Colin-

I can confirm this issue. I'll spend some time next week merging ecryptfs-utils, enacting the /home/.ecryptfs changes we previously discussed, and fixing the current issue.

Thanks,
:-Dustin

Changed in ecryptfs-utils (Ubuntu):
assignee: nobody → Dustin Kirkland (kirkland)
importance: Undecided → High
milestone: none → karmic-alpha-3
status: New → Confirmed
Dustin Kirkland  (kirkland) wrote :

Okay, I think I've found the source of this problem. Looks like 'keyctl show' is broken, which causes the ecryptfs-setup-private internal testing to fail:

foo@x200:~$ ecryptfs-setup-private
Enter your login passphrase:
ERROR: Your login passphrase is incorrect
Enter your login passphrase:
Enter your mount passphrase [leave blank to generate one]:

************************************************************************
YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION:
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Done configuring.

Testing mount/write/umount/read...
keyctl_unlink: Invalid argument
ERROR: Could not unmount private ecryptfs directory (2)
foo@x200:~$ keyctl show
Session Keyring
       -3 --alswrv 1001 1001 keyring: _ses
foo@x200:~$ keyctl list @u
2 keys in keyring:
873330432: --alswrv 1001 1001 user: 0da32a6c73733d7d
189980458: --alswrv 1001 1001 user: b6d731657a532554

Changed in ecryptfs-utils (Ubuntu):
status: Confirmed → In Progress
status: In Progress → Fix Committed
Dustin Kirkland  (kirkland) wrote :

Caused by bug #400484.

I have a fix, will be in -76 merge.

:-Dustin

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 76-0ubuntu1

---------------
ecryptfs-utils (76-0ubuntu1) karmic; urgency=low

  [ Dustin Kirkland ]
  * src/utils/ecryptfs-setup-swap: switch from vol_id to blkid,
    LP: #376486
  * debian/ecryptfs-utils.postinst, src/utils/ecryptfs-setup-private:
    don't echo mount passphrase if running in bootstrap mode; prune
    potential leakages from install log, LP: #383650
  * SECURITY UPDATE: mount passphrase recorded in install log (LP: #383650).
    - debian/ecryptfs-utils.postinst: prune private information from
      installer log
    - src/utils/ecryptfs-setup-private: don't echo passphrase if running in
      bootstrap mode
    - CVE-2009-1296
  * src/utils/ecryptfs-setup-private: make some of the language more readable,
    (thanks, anrxc)
  * README, configure.ac, debian/control, debian/rules,
    doc/sourceforge_webpage/README, src/libecryptfs-swig/libecryptfs.py,
    src/libecryptfs-swig/libecryptfs_wrap.c,
    src/libecryptfs/key_management.c, src/libecryptfs/libecryptfs.pc.in,
    src/libecryptfs/main.c, src/pam_ecryptfs/Makefile.am,
    src/utils/manager.c, src/utils/mount.ecryptfs.c: move build from gcrypt
    to nss (this change has been pending for some time)
  * src/utils/ecryptfs-dot-private: dropped, was too hacky
  * ecryptfs-mount-private.1, ecryptfs-setup-private.1: align the
    documentation and implementation of the wrapping-independent feature,
    LP: #383746
  * src/utils/ecryptfs-umount-private: use keyctl list @u, since keyctl show
    stopped working, LP: #400484, #395082
  * src/utils/mount.ecryptfs_private.c: fix counter file locking; solves
    a longstanding bug about "random" umount caused by cronjobs, LP: #358573

  [ Michal Hlavinka (edits by Dustin Kirkland) ]
  * doc/manpage/ecryptfs-mount-private.1,
    doc/manpage/ecryptfs-rewrite-file.1,
    doc/manpage/ecryptfs-setup-private.1, doc/manpage/ecryptfs.7,
    doc/manpage/mount.ecryptfs_private.1,
    doc/manpage/umount.ecryptfs_private.1: documentation updated to note
    possible ecryptfs group membership requirements; Fix ecrypfs.7 man
    page and key_mod_openssl's error message; fix typo
  * src/libecryptfs/decision_graph.c: put a finite limit (5 tries) on
    interactive input; fix memory leaks when asking questions
  * src/libecryptfs/module_mgr.c: Don't error out with EINVAL when
    verbosity=0 and some options are missing.
  * src/utils/umount.ecryptfs.c: no error for missing key when removing it
  * src/libecryptfs-swig/libecryptfs.i: fix compile werror, cast char*
  * src/utils/ecryptfs_add_passphrase.c: fix/test/use return codes;
    return nonzero for --fnek when not supported but used
  * src/include/ecryptfs.h, src/key_mod/ecryptfs_key_mod_openssl.c,
    src/libecryptfs/module_mgr.c: refuse mounting with too small rsa
    key (key_mod_openssl)
  * src/utils/ecryptfs_insert_wrapped_passphrase_into_keyring.c: fix return
    codes
  * src/utils/ecryptfs-rewrite-file: polish output
  * src/libecryptfs/key_management.c: inform about full keyring; insert fnek
    sig into keyring if fnek support check fails; don't fail if key already
    exists in keyring
  * src/utils/ecryptfs-setup-private: if th...


Changed in ecryptfs-utils (Ubuntu):
status: Fix Committed → Fix Released
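
Added example, not part of this thread and not the ecryptfs-utils code: a shell sketch of the approach named in the changelog and in the earlier 'keyctl show' comment, looking keys up in `keyctl list @u` output by exact signature so an admin can confirm no eCryptfs key lingers in the user keyring after an unmount. The function names and the 16-hex-digit signature check are assumptions; the sample listing is constructed from the output quoted above.

```shell
#!/bin/sh
# Constructed sample in the format of the `keyctl list @u` output in this report.
SAMPLE_KEYRING='2 keys in keyring:
873330432: --alswrv 1001 1001 user: 0da32a6c73733d7d
189980458: --alswrv 1001 1001 user: b6d731657a532554'

# is_sig SIG: succeed only for a 16-character lowercase hex string
# (assumed signature format, matching the descriptions shown above).
is_sig() {
    [ "${#1}" -eq 16 ] || return 1
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# key_ids_for_sig LISTING SIG: print the serial of every "user" key whose
# description is exactly SIG. An exact field match avoids the false hits a
# substring grep would give on a partial signature.
key_ids_for_sig() {
    printf '%s\n' "$1" | awk -v sig="$2" '
        # Data line: "<serial>: <perms> <uid> <gid> <type>: <description>"
        $1 ~ /^-?[0-9]+:$/ && $5 == "user:" && $6 == sig {
            sub(/:$/, "", $1)
            print $1
        }'
}

# lingering_sigs LISTING SIGS: print each well-formed signature in SIGS
# (one per line) that still has a key in LISTING. Empty output means the
# keyring no longer holds any of them.
lingering_sigs() {
    printf '%s\n' "$2" | while IFS= read -r sig; do
        is_sig "$sig" || continue
        if [ -n "$(key_ids_for_sig "$1" "$sig")" ]; then
            printf '%s\n' "$sig"
        fi
    done
}

# Live use (assumes keyctl is installed and SIGS holds the expected signatures):
#   lingering_sigs "$(keyctl list @u)" "$SIGS"
```
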