This file is indexed.

/usr/bin/zEscrow-cli is in zescrow-client 1.7-0ubuntu1.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
#!/bin/sh
#    zEscrow - aka ecryptfs-escrow-private
#    Copyright (C) 2012 Dustin Kirkland <dustin.kirkland@gmail.com>
#    Copyright (C) 2012 Scot-Irish Lads, LLC
#    Copyright (C) 2012 Gazzang, Inc.
#
#    Authors: Dustin Kirkland <dustin.kirkland@gmail.com>
#    	      Wesley Wiedenmeier <magicalchicken@mail.magicalchicken.dnsdynamic.net>
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as
#    published by the Free Software Foundation, version 3 of the License.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU Affero General Public License for more details.
#
#    You should have received a copy of the GNU Affero General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Bail immediately on errors!
set -e

error() {
	printf "ERROR: %s\n" "$@" 1>&2
	printf "ERROR: Beware, this escrow did NOT succeed!\n\n"
	exit 1
}

PKG="zEscrow"

# Bail out early, if this isn't an ecryptfs setup
if [ ! -f "$HOME/.ecryptfs/wrapped-passphrase" ] || [ ! -f "$HOME/.ecryptfs/Private.sig" ]; then
	error "Unable to find eCryptfs configuration at [$HOME/.ecryptfs/]"
fi

# Create our temp workspace in memory
tempfile=$(mktemp --tmpdir=/dev/shm $PKG-XXXXXXXXXXXX.tar.gz.gpg)
tempdir=$(mktemp -d /dev/shm/$PKG-XXXXXXXXXXXX)
gpg_dir=$(mktemp -d /dev/shm/$PKG-XXXXXXXXXXXX)
trap "(rm -rf $tempfile $tempdir $gpg_dir 2>/dev/null) || true" EXIT HUP INT QUIT TERM

if [ -z "$1" ]; then
	# No server specified, prompt interactively
    cat "/usr/share/$PKG/welcome-text"

	# Get the zEscrow server
	# NOTE: Use lower case "e" here, messes with SSL cert
	default_server="https://zescrow.gazzang.com"
	printf "Key escrow server [$default_server]: "
	server=$(head -n1)
else
	# Looks like we got a server as a command argument
	server="$1"
fi
[ -n "$server" ] || server="$default_server"

# Ensure SSL
if ! (echo "$server" | grep -qs "^https://"); then
	error "For your security, this server URL must use an https server [$server]"
fi

# Get the zEscrow server public GPG key and import into temporary keyring
gpg_opts="-q --yes --no-default-keyring --keyring ecryptfs --homedir $gpg_dir --status-fd 1"
pubkey=$(curl -s -o- $server/gpg.pub) || error "Invalid key escrow server"
status=$(printf "%s" "$pubkey" | gpg $gpg_opts --import) || error "Unable to import server public key"
(printf "%s" "$status" | grep "^\[GNUPG:\] IMPORT_OK") || error "Server public key import failed"
fingerprint=$(printf "%s" "$status" | grep -m1 "^\[GNUPG:\] IMPORT_OK" | awk '{print $4}')
(printf "%s" "$fingerprint" | grep "^[0-9A-F]\{40,40\}$") || error "Invalid server fingerprint"
(printf "%s:6:\n" ${fingerprint} | gpg $gpg_opts --import-ownertrust 2>/dev/null) || error "Invalid server fingerprint"

# Copy .ecryptfs data to our temp dir
# Except for the wrapped-passphrase file
# Don't store the user's login passphrase
# But only their random mount passphrase
mkdir -m 700 -p "$tempdir/ecryptfs"
cp -af "$HOME"/.ecryptfs/. "$tempdir"/ecryptfs/
rm -f "$tempdir/ecryptfs/wrapped-passphrase"
touch "$tempdir/ecryptfs/unwrapped-passphrase"
chmod 600 "$tempdir/ecryptfs/unwrapped-passphrase"

if [ -t 0 ]; then
	# Interactively prompt for login passphrase
    cat "/usr/share/$PKG/password-text"

	# Store the stty, which we modify
	stty_orig=$(stty -g)
	trap "(stty $stty_orig; rm -rf $tempfile $tempdir $gpg_dir 2>/dev/null) || true" EXIT HUP INT QUIT TERM
	stty -echo
	printf "Your LOGIN passphrase: "
	passphrase=$(head -n1)
	stty $stty_orig
	printf "\n"
else
	# Wrapping passphrase is on stdin
	passphrase=$(cat /dev/stdin)
fi

# Catch blank passphrases
if [ -z $passphrase ]; then
    error "Missing passphrase."
fi

if !(printf "%s" "$passphrase" | ecryptfs-unwrap-passphrase "$HOME/.ecryptfs/wrapped-passphrase" - > "$tempdir/ecryptfs/unwrapped-passphrase"); then
	error "Failed to unwrap passphrase.  Incorrect LOGIN passphrase?"
fi
touch -r "$HOME/.ecryptfs/wrapped-passphrase" "$tempdir/ecryptfs/unwrapped-passphrase"
touch -r "$HOME/.ecryptfs/" "$tempdir/ecryptfs/"

# Create our encrypted ascii-armored tarball
tar -C "$tempdir" -zcvf - "ecryptfs" | gpg $gpg_opts -a -e -r 0x$fingerprint 2>/dev/null > "$tempfile"
md5_1=$(tar -C "$tempdir" -zcf - "ecryptfs" | md5sum | awk '{print $1}')
rm -rf "$tempdir" "$gpg_dir"

# Push to the escrow server
for i in $(seq 1 30); do
	# Auto retry for up to 30 seconds
	if url=$(curl -s -o- -X POST --data-urlencode payload@"$tempfile" $server/deposit/index.html) && [ -n "$url" ];then
		break
	else
		sleep 1
	fi
done
rm -f "$tempfile"
[ -n "$url" ] || error "Failed to upload to server"

# Check md5
md5_2=$(printf "%s" "$url" | sed -e "s:.*=::" -e "s:-.*::")
[ "$md5_1" = "$md5_2" ] || error "Data received by server [$md5_2] does not match data sent [$md5_1]"

# Finish up
if [ -z "$1" ]; then
	echo "
#####################################################################
# To complete this escrow, you MUST go to this url, login,
# and associate an email address with your upload IMMEDIATELY!
#
# $url
#
#####################################################################
"
	# Launch browser?
	while true; do
		printf "Go to [%s] now [Y/n]: " "$url"
		answer=$(head -n1)
		case "$answer" in
			n*|N*)
				exit 0
			;;
			Y*|y*)
				exec sensible-browser $url
			;;
		esac
	done
else
	printf "URL: $url\n"
fi