Comment 13 for bug 579876

Brian Murray (brian-murray) wrote :

While it may not be fixable, I think it would be helpful if an attempt to change a user's password by root were to produce a warning message. This warning message is more discoverable than a question or bug report in Launchpad. Some IRC discussion from #ubuntu-devel regarding this:

16:14 < bdmurray> kirkland: could passwd somehow warn about bug 579876?
16:14 < ubottu> Launchpad bug 579876 in ecryptfs-utils (Ubuntu) "encrypted home directory isn't mounted if password changed by another user" [High,Won't fix] https://launchpad.net/bugs/579876
16:15 < kirkland> bdmurray: would take some pam hackery, should probably talk to slangasek
16:15 < kirkland> bdmurray: i could probably make pam_ecryptfs say something
16:15 < bdmurray> that seems nicer than hoping people find an answer in Launchpad
16:15 < slangasek> does pam_ecryptfs stack before or after pam_{unix,krb5,fwibble} for password changes?
16:16 * kirkland checks
16:16 < kirkland> slangasek: that's common-password?
16:16 -!- jbicha [~jeremy@unaffiliated/jbicha] has quit [Quit: leaving]
16:16 < slangasek> yes
16:16 < kirkland> slangasek: ecryptfs is last
16:17 -!- jbicha [~jeremy@unaffiliated/jbicha] has joined #ubuntu-devel
16:17 < slangasek> hmm, ok
16:17 < kirkland> slangasek: if old password is empty, i was thinking i could throw a warning message
16:17 < slangasek> and how's it marked? optional, requisite, etc?
16:17 < kirkland> password optional pam_ecryptfs.so
16:17 < slangasek> yeah, I'm thinking you could downright abort the stack instead, if you wanted :)
16:18 < kirkland> slangasek: i deliberately did not, in the beginning
16:18 < kirkland> slangasek: more and more people are complaining about this
16:19 -!- raphink [~raphink@ubuntu/member/raphink] has quit [Ping timeout: 246 seconds]
16:21 < slangasek> well, I guess giving no option for root to change the password would get a different set of people complaining
16:22 -!- mterry [~<email address hidden>] has quit [Ping timeout: 246 seconds]
16:22 < slangasek> a prompt that has to be explicitly acked might be the best
16:22 < slangasek> so pam_ecryptfs will never prompt for a password of its own in the event that the login credentials don't match the ecryptfs creds?
16:26 -!- jbicha [~jeremy@unaffiliated/jbicha] has quit [Read error: Connection reset by peer]
16:27 -!- jbicha [~jeremy@unaffiliated/jbicha] has joined #ubuntu-devel
16:28 < kirkland> slangasek: correct
16:28 < slangasek> should it?