Bug 814098

Summary: The script "/usr/bin/ecryptfs-setup-swap" is broken (from ecryptfs-utils)
Product: [openSUSE] openSUSE 12.3 Reporter: Neil Rickert <nwr10cst-oslnx>
Component: OtherAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: darin, forgotten_cAXlJ_FoSf, meissner
Version: Final   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE 12.3   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Neil Rickert 2013-04-08 18:13:35 UTC 
User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) rekonq/2.1 Safari/534.34

Problem 1: (testing on a system with unencrypted swap):
  /usr/bin/ecryptfs-setup-swap: line 175: /etc/init.d/boot.crypto: No such file or directory

Problem 2: (on the same system).  The script added a line for the encrypted
swap to the end of "/etc/fstab"
/dev/mapper/cryptswap1 none swap sw 0 0

However, if failed to remove or comment out the existing fstab entry for using the same partition unencrypted.

Problem 3: To encrypt, it added a line to "/etc/crypttab"
cryptswap1 /dev/sda8 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

Notice that it used the device name "/dev/sda8".  It should have used the device ID "/dev/disk/by-id/ata-WDC_WD3200AAKS-75SBA0_WD-WCAPZ2050503-part8"

Problem 4: When I tried to use it on my primary desktop, it wanted to encrypt swap.  It failed to recognize that the existing swap is part of an encrypted LVM.

In summary - this is a terrible script.  Nobody should use it.  Perhaps nobody does use it, and that's why it hasn't been fixed.  And it probably should have been in "/usr/sbin" rather than in "/usr/bin".

Note: I only used it to test it out.  I normally would not have trusted it, and would have preferred to setup encrypted swap myself by more traditional methods.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 1 Darin Perusich 2013-08-05 20:18:52 UTC 
I was about to create a bug report for this but I see someone else already has;-)

I've branched and updated the ecryptfs-setup-swap-SuSE.patch which resolves problem 1-3 mentioned above, update to version 103 and created an SR (see below) for security/ecryptfs-utils. If/when this SR is accepted I'll branch 12.2:Update, and 12.3:Update and apply the patch and reference this ticket in the VC/SR so the updates get pushed through the system. 

https://build.opensuse.org/request/show/185986
Comment 2 Darin Perusich 2013-08-06 12:14:26 UTC 
I've created maintenance branch and updated the package so it's current with security/ecryptfs-utils and create a maintenancerequest to update openSUSE:12.3.

https://build.opensuse.org/request/show/186093
Comment 3 Marcus Meissner 2013-08-08 11:44:20 UTC 
in factory and maintenance.

thanks for your work :)
Comment 4 Swamp Workflow Management 2013-08-14 13:04:19 UTC 
openSUSE-RU-2013:1344-1: An update that has one recommended fix can now be installed.

Category: recommended (low)
Bug References: 814098
CVE References: 
Sources used:
openSUSE 12.3 (src):    ecryptfs-utils-103-7.4.1
Comment 5 Forgotten User cAXlJ_FoSf 2013-08-15 13:40:58 UTC 
The update seems to have introduced a regression related to the pam config, see bug 834993
Comment 6 Neil Rickert 2013-08-15 13:43:30 UTC 
The recent ecryptfs update has broken ecryptfs.

Specifically, after the update, pam_ecryptfs is no longer being used, so one has to manually run "ecryptfs-mount-private".
Comment 7 Darin Perusich 2013-08-15 19:23:00 UTC 
I'm seeing this too, for some reason on update pam-config is removing the ecryptfs bits from pam's common-auth and common-session, running "pam-config -a --ecryptfs" adds them back.

Here's the verbose output from manually updating the package with rpm. It looks to me like %post is executed and the %postun is run afterward which removes the pam bits.

rpm -U -vv /var/cache/zypp/packages/openSUSE-12.3-updates/x86_64/ecryptfs-utils-103-7.4.1.x86_64.rpm
D: ============== ./packages/openSUSE-12.3-updates/x86_64/ecryptfs-utils-103-7.4.1.x86_64.rpm
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening  db environment /var/lib/rpm cdb:private:0x201
D: opening  db index       /var/lib/rpm/Packages 0x400 mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: opening  db index       /var/lib/rpm/Name nofsync:0x400 mode=0x0
D:  read h#       1 Header sanity check: OK
D:  read h#       2 Header sanity check: OK
D: added key gpg-pubkey-0dfb3188-41ed929b to keyring
D:  read h#       3 Header sanity check: OK
D: added key gpg-pubkey-a1912208-446a0899 to keyring
D:  read h#       4 Header sanity check: OK
D: added key gpg-pubkey-307e3d54-4be01a65 to keyring
D:  read h#       5 Header sanity check: OK
D: added key gpg-pubkey-7e2e3b05-4be037ca to keyring
D:  read h#       6 Header sanity check: OK
D: added key gpg-pubkey-9c800aca-4be01999 to keyring
D:  read h#       7 Header sanity check: OK
D: added key gpg-pubkey-56b4177a-4be18cab to keyring
D:  read h#       8 Header sanity check: OK
D: added key gpg-pubkey-3dbdc284-4be1884d to keyring
D:  read h#    1501 Header sanity check: OK
D: added key gpg-pubkey-05905ea8-4c5816a1 to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
D: Expected size:       164292 = lead(96)+sigs(772)+pad(4)+data(163420)
D:   Actual size:       164292
D: ./packages/openSUSE-12.3-updates/x86_64/ecryptfs-utils-103-7.4.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: ========== relocations
D:  read h#    7528 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:      added binary package [0]
D: found 0 source and 1 binary packages
D: ========== +++ ecryptfs-utils-103-7.4.1 x86_64/linux 0x0
D: opening  db index       /var/lib/rpm/Basenames nofsync:0x400 mode=0x0
D:  read h#    4764 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: /bin/sh                                       YES (db files)
D:  Requires: /bin/sh                                       YES (cached)
D:  Requires: /bin/sh                                       YES (cached)
D:  Requires: /bin/sh                                       YES (cached)
D:  read h#    5038 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: /usr/bin/pkg-config                           YES (db files)
D: opening  db index       /var/lib/rpm/Providename nofsync:0x400 mode=0x0
D:  read h#    4698 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: libc.so.6()(64bit)                            YES (db provides)
D:  Requires: libc.so.6(GLIBC_2.14)(64bit)                  YES (db provides)
D:  Requires: libc.so.6(GLIBC_2.2.5)(64bit)                 YES (db provides)
D:  Requires: libc.so.6(GLIBC_2.3)(64bit)                   YES (db provides)
D:  Requires: libc.so.6(GLIBC_2.3.4)(64bit)                 YES (db provides)
D:  Requires: libc.so.6(GLIBC_2.4)(64bit)                   YES (db provides)
D:  Requires: libc.so.6(GLIBC_2.8)(64bit)                   YES (db provides)
D:  read h#    4774 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: libcrypto.so.1.0.0()(64bit)                   YES (db provides)
D:  Requires: libdl.so.2()(64bit)                           YES (db provides)
D:  Requires: libdl.so.2(GLIBC_2.2.5)(64bit)                YES (db provides)
D:  Requires: libecryptfs.so.0()(64bit)                     YES (added provide)
D:  read h#    4724 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: libkeyutils.so.1()(64bit)                     YES (db provides)
D:  Requires: libkeyutils.so.1(KEYUTILS_0.3)(64bit)         YES (db provides)
D:  read h#    7259 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: libnss3.so()(64bit)                           YES (db provides)
D:  Requires: libnss3.so(NSS_3.2)(64bit)                    YES (db provides)
D:  Requires: libnss3.so(NSS_3.3)(64bit)                    YES (db provides)
D:  read h#    4910 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: libpam.so.0()(64bit)                          YES (db provides)
D:  Requires: libpam.so.0(LIBPAM_1.0)(64bit)                YES (db provides)
D:  Requires: libpam.so.0(LIBPAM_EXTENSION_1.0)(64bit)      YES (db provides)
D:  read h#    5584 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: libpkcs11-helper.so.1()(64bit)                YES (db provides)
D:  read h#    5273 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: libtspi.so.1()(64bit)                         YES (db provides)
D:  read h#    4926 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: pam-config                                    YES (db provides)
D:  read h#    4917 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: permissions                                   YES (db provides)
D:  read h#    7433 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:  Requires: python(abi) = 2.7                             YES (db provides)
D:  Requires: rpmlib(CompressedFileNames) <= 3.0.4-1        YES (rpmlib provides)
D:  Requires: rpmlib(PayloadFilesHavePrefix) <= 4.0-1       YES (rpmlib provides)
D:  Requires: rpmlib(PayloadIsLzma) <= 4.4.6-1              YES (rpmlib provides)
D: opening  db index       /var/lib/rpm/Conflictname nofsync:0x400 mode=0x0
D: opening  db index       /var/lib/rpm/Obsoletename nofsync:0x400 mode=0x0
D: ========== --- ecryptfs-utils-96-7.1.2 x86_64/linux 0x0
D: opening  db index       /var/lib/rpm/Requirename nofsync:0x400 mode=0x0
D: ========== recording tsort relations
D:  Requires: libecryptfs.so.0()(64bit)                     YES (added provide)
D:  Requires: libecryptfs.so.0()(64bit)                     YES (added provide)
D: ========== tsorting packages (order, #predecessors, #succesors, depth)
D:     0    0    0    1   +ecryptfs-utils-103-7.4.1.x86_64
D:     1    0    0    1   -ecryptfs-utils-96-7.1.2.x86_64
D: installing binary packages
D: Selinux disabled.
D: closed   db index       /var/lib/rpm/Obsoletename
D: closed   db index       /var/lib/rpm/Conflictname
D: closed   db index       /var/lib/rpm/Providename
D: closed   db index       /var/lib/rpm/Requirename
D: closed   db index       /var/lib/rpm/Basenames
D: closed   db index       /var/lib/rpm/Name
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm
D: opening  db environment /var/lib/rpm cdb:private:0x201
D: opening  db index       /var/lib/rpm/Packages (none) mode=0x42
D: locked   db index       /var/lib/rpm/Packages
D: sanity checking 2 elements
D: opening  db index       /var/lib/rpm/Name nofsync mode=0x42
D:  read h#    7528 Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D: running pre-transaction scripts
D: computing 158 file fingerprints
D: opening  db index       /var/lib/rpm/Basenames nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Group nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Requirename nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Providename nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Conflictname nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Obsoletename nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Triggername nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Dirnames nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Installtid nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Sigmd5 nofsync mode=0x42
D: opening  db index       /var/lib/rpm/Sha1header nofsync mode=0x42
Preparing packages...
D: computing file dispositions
D: 0x00000805     4096       881774       252405 /
D: 0x00000806     4096      1113656       393597 /usr
D: 0x00000807     4096      1426302       514234 /var
D: ========== +++ ecryptfs-utils-103-7.4.1 x86_64-linux 0x0
D: Expected size:       164292 = lead(96)+sigs(772)+pad(4)+data(163420)
D:   Actual size:       164292
D: ecryptfs-utils-103-7.4.1.x86_64: Header V3 RSA/SHA256 Signature, key ID 3dbdc284: OK
D:   install: ecryptfs-utils-103-7.4.1 has 80 files
ecryptfs-utils-103-7.4.1.x86_64
D: ========== Directories not explicitly included in package:
D:          0 /lib64/security/
D:          1 /sbin/
D:          2 /usr/bin/
D:          3 /usr/include/
D:          4 /usr/lib/python2.7/site-packages/
D:          6 /usr/lib64/
D:          8 /usr/lib64/pkgconfig/
D:          9 /usr/lib64/python2.7/site-packages/
D:         11 /usr/share/applications/
D:         12 /usr/share/doc/packages/
D:         14 /usr/share/
D:         16 /usr/share/locale/ca/LC_MESSAGES/
D:         17 /usr/share/man/man1/
D:         18 /usr/share/man/man7/
D:         19 /usr/share/man/man8/
D: ==========
D: fini      100755  1 (   0,   0)     18848 /lib64/security/pam_ecryptfs.so;520d290a 
D: fini      100755  1 (   0,   0)     26040 /sbin/mount.ecryptfs;520d290a 
D: fini      100755  1 (   0,   0)     19128 /sbin/mount.ecryptfs_private;520d290a 
D: fini      100755  1 (   0,   0)     10624 /sbin/umount.ecryptfs;520d290a 
D: fini      120777  1 (   0,   0)        22 /sbin/umount.ecryptfs_private;520d290a 
D: fini      100755  1 (   0,   0)     10568 /usr/bin/ecryptfs-add-passphrase;520d290a 
D: fini      100755  1 (   0,   0)      1631 /usr/bin/ecryptfs-find;520d290a 
D: fini      100755  1 (   0,   0)     14792 /usr/bin/ecryptfs-generate-tpm-key;520d290a 
D: fini      100755  1 (   0,   0)     10576 /usr/bin/ecryptfs-insert-wrapped-passphrase-into-keyring;520d290a 
D: fini      100755  1 (   0,   0)     14800 /usr/bin/ecryptfs-manager;520d290a 
D: fini      100755  1 (   0,   0)      6232 /usr/bin/ecryptfs-migrate-home;520d290a 
D: fini      100755  1 (   0,   0)      2615 /usr/bin/ecryptfs-mount-private;520d290a 
D: fini      100755  1 (   0,   0)      3890 /usr/bin/ecryptfs-recover-private;520d290a 
D: fini      100755  1 (   0,   0)     10568 /usr/bin/ecryptfs-rewrap-passphrase;520d290a 
D: fini      100755  1 (   0,   0)      2062 /usr/bin/ecryptfs-rewrite-file;520d290a 
D: fini      100755  1 (   0,   0)     16282 /usr/bin/ecryptfs-setup-private;520d290a 
D: fini      100755  1 (   0,   0)      4926 /usr/bin/ecryptfs-setup-swap;520d290a 
D: fini      100755  1 (   0,   0)     10528 /usr/bin/ecryptfs-stat;520d290a 
D: fini      100755  1 (   0,   0)       802 /usr/bin/ecryptfs-umount-private;520d290a 
D: fini      100755  1 (   0,   0)     10560 /usr/bin/ecryptfs-unwrap-passphrase;520d290a 
D: fini      100755  1 (   0,   0)      5537 /usr/bin/ecryptfs-verify;520d290a 
D: fini      100755  1 (   0,   0)     10552 /usr/bin/ecryptfs-wrap-passphrase;520d290a 
D: fini      100755  1 (   0,   0)     15184 /usr/bin/ecryptfsd;520d290a 
D: fini      100644  1 (   0,   0)     21463 /usr/include/ecryptfs.h;520d290a 
D: fini      040755  2 (   0,   0)         0 /usr/lib/python2.7/site-packages/ecryptfs-utils 
D: fini      100644  1 (   0,   0)      1803 /usr/lib/python2.7/site-packages/ecryptfs-utils/libecryptfs.py;520d290a 
D: fini      100644  1 (   0,   0)      2297 /usr/lib/python2.7/site-packages/ecryptfs-utils/libecryptfs.pyc;520d290a 
D: fini      100644  1 (   0,   0)      2297 /usr/lib/python2.7/site-packages/ecryptfs-utils/libecryptfs.pyo;520d290a 
D: fini      040755  2 (   0,   0)         0 /usr/lib64/ecryptfs 
D: fini      100755  1 (   0,   0)     44792 /usr/lib64/ecryptfs/libecryptfs_key_mod_openssl.so;520d290a 
D: fini      100755  1 (   0,   0)     24144 /usr/lib64/ecryptfs/libecryptfs_key_mod_passphrase.so;520d290a 
D: fini      100755  1 (   0,   0)     70520 /usr/lib64/ecryptfs/libecryptfs_key_mod_pkcs11_helper.so;520d290a 
D: fini      100755  1 (   0,   0)     14928 /usr/lib64/ecryptfs/libecryptfs_key_mod_tspi.so;520d290a 
D: fini      100644  1 (   0,   0)      1001 /usr/lib64/libecryptfs.la;520d290a 
D: fini      120777  1 (   0,   0)        20 /usr/lib64/libecryptfs.so;520d290a 
D: fini      120777  1 (   0,   0)        20 /usr/lib64/libecryptfs.so.0;520d290a 
D: fini      100755  1 (   0,   0)    136944 /usr/lib64/libecryptfs.so.0.0.0;520d290a 
D: fini      100644  1 (   0,   0)       198 /usr/lib64/pkgconfig/libecryptfs.pc;520d290a 
D: fini      040755  2 (   0,   0)         0 /usr/lib64/python2.7/site-packages/ecryptfs-utils 
D: fini      100644  1 (   0,   0)      1073 /usr/lib64/python2.7/site-packages/ecryptfs-utils/_libecryptfs.la;520d290a 
D: fini      120777  1 (   0,   0)        21 /usr/lib64/python2.7/site-packages/ecryptfs-utils/_libecryptfs.so;520d290a 
D: fini      120777  1 (   0,   0)        21 /usr/lib64/python2.7/site-packages/ecryptfs-utils/_libecryptfs.so.0;520d290a 
D: fini      100755  1 (   0,   0)     24104 /usr/lib64/python2.7/site-packages/ecryptfs-utils/_libecryptfs.so.0.0.0;520d290a 
D: fini      100644  1 (   0,   0)       221 /usr/share/applications/ecryptfs-mount-private.desktop;520d290a 
D: fini      100644  1 (   0,   0)       251 /usr/share/applications/ecryptfs-setup-private.desktop;520d290a 
D: fini      040755  2 (   0,   0)         0 /usr/share/doc/packages/ecryptfs-utils 
D: fini      100644  1 (   0,   0)     17982 /usr/share/doc/packages/ecryptfs-utils/COPYING;520d290a 
D: fini      100644  1 (   0,   0)      1181 /usr/share/doc/packages/ecryptfs-utils/NEWS;520d290a 
D: fini      100644  1 (   0,   0)     12560 /usr/share/doc/packages/ecryptfs-utils/README;520d290a 
D: fini      100644  1 (   0,   0)       617 /usr/share/doc/packages/ecryptfs-utils/THANKS;520d290a 
D: fini      100644  1 (   0,   0)     25338 /usr/share/doc/packages/ecryptfs-utils/ecryptfs-faq.html;520d290a 
D: fini      100644  1 (   0,   0)      1765 /usr/share/doc/packages/ecryptfs-utils/ecryptfs-pkcs11-helper-doc.txt;520d290a 
D: fini      040755  2 (   0,   0)         0 /usr/share/ecryptfs-utils 
D: fini      100644  1 (   0,   0)       180 /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt;520d290a 
D: fini      100755  1 (   0,   0)      1025 /usr/share/ecryptfs-utils/ecryptfs-record-passphrase;520d290a 
D: fini      100644  1 (   0,   0)      1633 /usr/share/locale/ca/LC_MESSAGES/ecryptfs-utils.mo;520d290a 
D: fini      100644  1 (   0,   0)       606 /usr/share/man/man1/ecryptfs-add-passphrase.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       624 /usr/share/man/man1/ecryptfs-find.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       572 /usr/share/man/man1/ecryptfs-generate-tpm-key.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       581 /usr/share/man/man1/ecryptfs-insert-wrapped-passphrase-into-keyring.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       710 /usr/share/man/man1/ecryptfs-mount-private.1.gz;520d290a 
D: fini      100644  1 (   0,   0)      1035 /usr/share/man/man1/ecryptfs-recover-private.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       586 /usr/share/man/man1/ecryptfs-rewrap-passphrase.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       844 /usr/share/man/man1/ecryptfs-rewrite-file.1.gz;520d290a 
D: fini      100644  1 (   0,   0)      1798 /usr/share/man/man1/ecryptfs-setup-private.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       815 /usr/share/man/man1/ecryptfs-setup-swap.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       461 /usr/share/man/man1/ecryptfs-stat.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       564 /usr/share/man/man1/ecryptfs-umount-private.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       580 /usr/share/man/man1/ecryptfs-unwrap-passphrase.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       736 /usr/share/man/man1/ecryptfs-verify.1.gz;520d290a 
D: fini      100644  1 (   0,   0)       579 /usr/share/man/man1/ecryptfs-wrap-passphrase.1.gz;520d290a 
D: fini      100644  1 (   0,   0)      1320 /usr/share/man/man1/mount.ecryptfs_private.1.gz;520d290a 
D: fini      100644  1 (   0,   0)      1098 /usr/share/man/man1/umount.ecryptfs_private.1.gz;520d290a 
D: fini      100644  1 (   0,   0)      2643 /usr/share/man/man7/ecryptfs.7.gz;520d290a 
D: fini      100644  1 (   0,   0)       548 /usr/share/man/man8/ecryptfs-manager.8.gz;520d290a 
D: fini      100644  1 (   0,   0)      1074 /usr/share/man/man8/ecryptfs-migrate-home.8.gz;520d290a 
D: fini      100644  1 (   0,   0)       706 /usr/share/man/man8/ecryptfsd.8.gz;520d290a 
D: fini      100644  1 (   0,   0)       693 /usr/share/man/man8/mount.ecryptfs.8.gz;520d290a 
D: fini      100644  1 (   0,   0)       806 /usr/share/man/man8/pam_ecryptfs.8.gz;520d290a 
D: fini      100644  1 (   0,   0)       499 /usr/share/man/man8/umount.ecryptfs.8.gz;520d290a 
XZDIO:     345 reads,   668273 total bytes in 0.031202 secs
D: adding "ecryptfs-utils" to Name index.
D: adding 80 entries to Basenames index.
D: adding "Productivity/Security" to Group index.
D: adding 32 entries to Requirename index.
D: adding 10 entries to Providename index.
D: adding 20 entries to Dirnames index.
D: adding 1 entries to Installtid index.
D: adding 1 entries to Sigmd5 index.
D: adding "2f14343e8b774da49c156dd6ec92be76453cce3f" to Sha1header index.
D: %post(ecryptfs-utils-103-7.4.1.x86_64): scriptlet start
D: %post(ecryptfs-utils-103-7.4.1.x86_64): execv(/bin/sh) pid 8072
+ /sbin/ldconfig
+ '[' -x /usr/bin/chkstat ']'
+ /usr/bin/chkstat -n --set --system /sbin/mount.ecryptfs_private
setting /sbin/mount.ecryptfs_private to root:root 4755. (wrong permissions 0755)
+ /usr/sbin/pam-config -a --ecryptfs
D: %post(ecryptfs-utils-103-7.4.1.x86_64): waitpid(8072) rc 8072 status 0
D: ========== +++ ecryptfs-utils-96-7.1.2 x86_64-linux 0x0
D:     erase: ecryptfs-utils-96-7.1.2 has 78 files
ecryptfs-utils-96-7.1.2.x86_64
D: fini      100644  1 (   0,   0)       499 /usr/share/man/man8/umount.ecryptfs.8.gz skip
D: fini      100644  1 (   0,   0)       806 /usr/share/man/man8/pam_ecryptfs.8.gz skip
D: fini      100644  1 (   0,   0)       693 /usr/share/man/man8/mount.ecryptfs.8.gz skip
D: fini      100644  1 (   0,   0)       706 /usr/share/man/man8/ecryptfsd.8.gz skip
D: fini      100644  1 (   0,   0)       548 /usr/share/man/man8/ecryptfs-manager.8.gz skip
D: fini      100644  1 (   0,   0)      2643 /usr/share/man/man7/ecryptfs.7.gz skip
D: fini      100644  1 (   0,   0)      1098 /usr/share/man/man1/umount.ecryptfs_private.1.gz skip
D: fini      100644  1 (   0,   0)      1320 /usr/share/man/man1/mount.ecryptfs_private.1.gz skip
D: fini      100644  1 (   0,   0)       579 /usr/share/man/man1/ecryptfs-wrap-passphrase.1.gz skip
D: fini      100644  1 (   0,   0)       580 /usr/share/man/man1/ecryptfs-unwrap-passphrase.1.gz skip
D: fini      100644  1 (   0,   0)       564 /usr/share/man/man1/ecryptfs-umount-private.1.gz skip
D: fini      100644  1 (   0,   0)       461 /usr/share/man/man1/ecryptfs-stat.1.gz skip
D: fini      100644  1 (   0,   0)       815 /usr/share/man/man1/ecryptfs-setup-swap.1.gz skip
D: fini      100644  1 (   0,   0)      1798 /usr/share/man/man1/ecryptfs-setup-private.1.gz skip
D: fini      100644  1 (   0,   0)       844 /usr/share/man/man1/ecryptfs-rewrite-file.1.gz skip
D: fini      100644  1 (   0,   0)       586 /usr/share/man/man1/ecryptfs-rewrap-passphrase.1.gz skip
D: fini      100644  1 (   0,   0)      1035 /usr/share/man/man1/ecryptfs-recover-private.1.gz skip
D: fini      100644  1 (   0,   0)       710 /usr/share/man/man1/ecryptfs-mount-private.1.gz skip
D: fini      100644  1 (   0,   0)       581 /usr/share/man/man1/ecryptfs-insert-wrapped-passphrase-into-keyring.1.gz skip
D: fini      100644  1 (   0,   0)       572 /usr/share/man/man1/ecryptfs-generate-tpm-key.1.gz skip
D: fini      100644  1 (   0,   0)       606 /usr/share/man/man1/ecryptfs-add-passphrase.1.gz skip
D: fini      100644  1 (   0,   0)      1633 /usr/share/locale/ca/LC_MESSAGES/ecryptfs-utils.mo skip
D: fini      100755  1 (   0,   0)      1025 /usr/share/ecryptfs-utils/ecryptfs-record-passphrase skip
D: fini      100644  1 (   0,   0)       180 /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt skip
D: fini      100755  1 (   0,   0)      1653 /usr/share/ecryptfs-utils/ecryptfs-find 
D: fini      040755  2 (   0,   0)      4096 /usr/share/ecryptfs-utils skip
D: fini      100644  1 (   0,   0)      1765 /usr/share/doc/packages/ecryptfs-utils/ecryptfs-pkcs11-helper-doc.txt skip
D: fini      100644  1 (   0,   0)      5979 /usr/share/doc/packages/ecryptfs-utils/ecryptfs-pam-doc.txt 
D: fini      100644  1 (   0,   0)     25338 /usr/share/doc/packages/ecryptfs-utils/ecryptfs-faq.html skip
D: fini      100644  1 (   0,   0)       617 /usr/share/doc/packages/ecryptfs-utils/THANKS skip
D: fini      100644  1 (   0,   0)     12560 /usr/share/doc/packages/ecryptfs-utils/README skip
D: fini      100644  1 (   0,   0)      1181 /usr/share/doc/packages/ecryptfs-utils/NEWS skip
D: fini      100644  1 (   0,   0)     17982 /usr/share/doc/packages/ecryptfs-utils/COPYING skip
D: fini      040755  2 (   0,   0)      4096 /usr/share/doc/packages/ecryptfs-utils skip
D: fini      100644  1 (   0,   0)       251 /usr/share/applications/ecryptfs-setup-private.desktop skip
D: fini      100644  1 (   0,   0)       221 /usr/share/applications/ecryptfs-mount-private.desktop skip
D: fini      100755  1 (   0,   0)     24104 /usr/lib64/python2.7/site-packages/ecryptfs-utils/_libecryptfs.so.0.0.0 skip
D: fini      120777  1 (   0,   0)        21 /usr/lib64/python2.7/site-packages/ecryptfs-utils/_libecryptfs.so.0 skip
D: fini      120777  1 (   0,   0)        21 /usr/lib64/python2.7/site-packages/ecryptfs-utils/_libecryptfs.so skip
D: fini      100644  1 (   0,   0)      1073 /usr/lib64/python2.7/site-packages/ecryptfs-utils/_libecryptfs.la skip
D: fini      040755  2 (   0,   0)      4096 /usr/lib64/python2.7/site-packages/ecryptfs-utils skip
D: fini      100644  1 (   0,   0)       198 /usr/lib64/pkgconfig/libecryptfs.pc skip
D: fini      100755  1 (   0,   0)    136944 /usr/lib64/libecryptfs.so.0.0.0 skip
D: fini      120777  1 (   0,   0)        20 /usr/lib64/libecryptfs.so.0 skip
D: fini      120777  1 (   0,   0)        20 /usr/lib64/libecryptfs.so skip
D: fini      100644  1 (   0,   0)      1001 /usr/lib64/libecryptfs.la skip
D: fini      100755  1 (   0,   0)     14928 /usr/lib64/ecryptfs/libecryptfs_key_mod_tspi.so skip
D: fini      100755  1 (   0,   0)     70520 /usr/lib64/ecryptfs/libecryptfs_key_mod_pkcs11_helper.so skip
D: fini      100755  1 (   0,   0)     24144 /usr/lib64/ecryptfs/libecryptfs_key_mod_passphrase.so skip
D: fini      100755  1 (   0,   0)     44792 /usr/lib64/ecryptfs/libecryptfs_key_mod_openssl.so skip
D: fini      040755  2 (   0,   0)      4096 /usr/lib64/ecryptfs skip
D: fini      100644  1 (   0,   0)      2297 /usr/lib/python2.7/site-packages/ecryptfs-utils/libecryptfs.pyo skip
D: fini      100644  1 (   0,   0)      2297 /usr/lib/python2.7/site-packages/ecryptfs-utils/libecryptfs.pyc skip
D: fini      100644  1 (   0,   0)      1803 /usr/lib/python2.7/site-packages/ecryptfs-utils/libecryptfs.py skip
D: fini      040755  2 (   0,   0)      4096 /usr/lib/python2.7/site-packages/ecryptfs-utils skip
D: fini      100644  1 (   0,   0)     21463 /usr/include/ecryptfs.h skip
D: fini      100755  1 (   0,   0)     15184 /usr/bin/ecryptfsd skip
D: fini      100755  1 (   0,   0)     10552 /usr/bin/ecryptfs-wrap-passphrase skip
D: fini      100755  1 (   0,   0)      5537 /usr/bin/ecryptfs-verify skip
D: fini      100755  1 (   0,   0)     10560 /usr/bin/ecryptfs-unwrap-passphrase skip
D: fini      100755  1 (   0,   0)       802 /usr/bin/ecryptfs-umount-private skip
D: fini      100755  1 (   0,   0)     10528 /usr/bin/ecryptfs-stat skip
D: fini      100755  1 (   0,   0)      4926 /usr/bin/ecryptfs-setup-swap skip
D: fini      100755  1 (   0,   0)     16282 /usr/bin/ecryptfs-setup-private skip
D: fini      100755  1 (   0,   0)      2062 /usr/bin/ecryptfs-rewrite-file skip
D: fini      100755  1 (   0,   0)     10568 /usr/bin/ecryptfs-rewrap-passphrase skip
D: fini      100755  1 (   0,   0)      3890 /usr/bin/ecryptfs-recover-private skip
D: fini      100755  1 (   0,   0)      2615 /usr/bin/ecryptfs-mount-private skip
D: fini      100755  1 (   0,   0)      6232 /usr/bin/ecryptfs-migrate-home skip
D: fini      100755  1 (   0,   0)     14800 /usr/bin/ecryptfs-manager skip
D: fini      100755  1 (   0,   0)     10576 /usr/bin/ecryptfs-insert-wrapped-passphrase-into-keyring skip
D: fini      100755  1 (   0,   0)     14792 /usr/bin/ecryptfs-generate-tpm-key skip
D: fini      100755  1 (   0,   0)     10568 /usr/bin/ecryptfs-add-passphrase skip
D: fini      120777  1 (   0,   0)        22 /sbin/umount.ecryptfs_private skip
D: fini      100755  1 (   0,   0)     10624 /sbin/umount.ecryptfs skip
D: fini      100755  1 (   0,   0)     19128 /sbin/mount.ecryptfs_private skip
D: fini      100755  1 (   0,   0)     26040 /sbin/mount.ecryptfs skip
D: fini      100755  1 (   0,   0)     18848 /lib64/security/pam_ecryptfs.so skip
D: %postun(ecryptfs-utils-96-7.1.2.x86_64): scriptlet start
D: %postun(ecryptfs-utils-96-7.1.2.x86_64): execv(/bin/sh) pid 8076
+ /sbin/ldconfig
+ /usr/sbin/pam-config -d --ecryptfs
D: %postun(ecryptfs-utils-96-7.1.2.x86_64): waitpid(8076) rc 8076 status 0
D:   --- h#    7528 ecryptfs-utils-96-7.1.2.x86_64
D: removing "ecryptfs-utils" from Name index.
D: removing 78 entries from Basenames index.
D: removing "Productivity/Security" from Group index.
D: removing 29 entries from Requirename index.
D: removing 10 entries from Providename index.
D: removing 20 entries from Dirnames index.
D: removing 1 entries from Installtid index.
D: removing 1 entries from Sigmd5 index.
D: removing "68b13ec3b4ff129837893e24156e3ef0606512ea" from Sha1header index.
D: running post-transaction scripts
D: closed   db index       /var/lib/rpm/Sha1header
D: closed   db index       /var/lib/rpm/Sigmd5
D: closed   db index       /var/lib/rpm/Installtid
D: closed   db index       /var/lib/rpm/Dirnames
D: closed   db index       /var/lib/rpm/Triggername
D: closed   db index       /var/lib/rpm/Obsoletename
D: closed   db index       /var/lib/rpm/Conflictname
D: closed   db index       /var/lib/rpm/Providename
D: closed   db index       /var/lib/rpm/Requirename
D: closed   db index       /var/lib/rpm/Group
D: closed   db index       /var/lib/rpm/Basenames
D: closed   db index       /var/lib/rpm/Name
D: closed   db index       /var/lib/rpm/Packages
D: closed   db environment /var/lib/rpm
Comment 8 Forgotten User cAXlJ_FoSf 2013-08-15 19:34:46 UTC 
(In reply to comment #7)
> I'm seeing this too, for some reason on update pam-config is removing the
> ecryptfs bits from pam's common-auth and common-session, running "pam-config -a
> --ecryptfs" adds them back.

On upgrade the %post scriptlet of the new version is run before the %postun of the old one. You probably should to guard pam-config calls with checks for upgrades

[ "$1" -eq 0 ] && /usr/sbin/pam-config -d --ecryptfs

See 
http://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets
Comment 9 Darin Perusich 2013-08-15 19:45:27 UTC 
bah! Thanks Guido, I'm fixing the packaging and submitting an mr for this shortly, where I'll reference this and Bug 834993.
Comment 10 Darin Perusich 2013-08-15 19:50:17 UTC 
Updated the packaging to not call pam-config on update and created mr 195394.

https://build.opensuse.org/request/show/195394
Comment 11 Bernhard Wiedemann 2013-08-16 14:00:09 UTC 
This is an autogenerated message for OBS integration:
This bug (814098) was mentioned in
https://build.opensuse.org/request/show/195444 Factory / ecryptfs-utils
Comment 12 Swamp Workflow Management 2013-08-23 09:04:19 UTC 
openSUSE-RU-2013:1375-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 814098,834993
CVE References: 
Sources used:
openSUSE 12.3 (src):    ecryptfs-utils-103-7.9.1