LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 10-18-2014, 04:05 AM   #1
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,882

Rep: Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988
Re-write of crypttab/cryptsetup handling - Request for peer review, wider testing.


I don't know whether Pat will be interested in this or not (but if he is, he's welcome to it).

After the shellshock stuff occurred I started looking at the Slackware system scripts for bashisms with an eye to making them shell agnostic.

One of the first I noticed was the crypttab handling code in rc.S which uses arrays. What I expected to be a quick fix, ended up as an extensive rewrite, including adding support for the more useful subset of the options on the freedesktop.org/systemd crypttab page.

Anyway, the results of my labour are here, for any who feel adventurous and want to help me out with feedback and testing,(but don't apply it untested to any boxes you care about, just in case I got something wrong. ).


UPDATE 20/10: Updated the rc.cryptsetup to include the safety-check suggested by Eric. Now split into two separate patch files, one per package.

Last edited by GazL; 12-11-2014 at 11:43 AM.
 
Old 10-18-2014, 09:17 AM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105Reputation: 8105
I like this, and you have my blessing :-) Pat will hopefully also be convinced and apply it.

The one thing that has always been missing in my LUKS implementation in rc.S, was a check right before encrypting a swap volume and enabling it. I have had one bug report in the past where someone added an extra harddisk to his computer, as a result the disk numbering changed and at boot, rc.S overwrote a data partition and turned it into swap.

Can you add a check for the existence of partitions with filesystems on the volume right before LUKS-ifying it as an encrypted swap?

Eric
 
3 members found this post helpful.
Old 10-18-2014, 10:06 AM   #3
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,882

Original Poster
Rep: Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988
Thanks for the feedback.

The unconditionally nuke-it if its tagged 'swap' approach has always concerned me too. Might be able to do something with 'blkid' in order to preform a sanity check. Leave it with me.
 
Old 10-18-2014, 10:32 AM   #4
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
You seem to be good at bash, but if you cannot solve it, post it in the programming forum and solution will be found.
 
Old 10-18-2014, 11:02 AM   #5
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,882

Original Poster
Rep: Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988
I think adding a construct like this at the appropriate place will do the job:
Code:
blkid -p -n noswap $DEV && { echo "Not on your nelly!" ; continue ;}
A Normal filesystem will match the noswap filter and blkid will return 0.
A Swap partition or an empty partition will return 2.

The only thing that could be an issue is that as the partition may be left containing random data under some circumstances, though not in normal operation, its possible that blkid could be fooled into thinking that its a filesystem and trigger the fail-safe.

Need to do a bit more testing, but I think this is the best I'm going to come up with. If anyone has a better approach, I'm open to suggestions.

Last edited by GazL; 10-18-2014 at 11:34 AM.
 
Old 10-18-2014, 11:18 AM   #6
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,770

Rep: Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210
Quote:
Originally Posted by Alien Bob View Post
I have had one bug report in the past where someone added an extra harddisk to his computer, as a result the disk numbering changed and at boot, rc.S overwrote a data partition and turned it into swap.
The way I avoid that problem is by using /dev/disk/by-id/xxxx to identify the partition. That ID includes the drive serial number. Conversion to GPT can also eliminate the issue, since that gives each partition a UUID independent of the partition's content.
 
1 members found this post helpful.
Old 10-18-2014, 03:25 PM   #7
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
Quote:
Originally Posted by GazL View Post
I think adding a construct like this at the appropriate place will do the job:
Code:
blkid -p -n noswap $DEV && { echo "Not on your nelly!" ; continue ;}
A Normal filesystem will match the noswap filter and blkid will return 0.
A Swap partition or an empty partition will return 2.

The only thing that could be an issue is that as the partition may be left containing random data under some circumstances, though not in normal operation, its possible that blkid could be fooled into thinking that its a filesystem and trigger the fail-safe.

Need to do a bit more testing, but I think this is the best I'm going to come up with. If anyone has a better approach, I'm open to suggestions.
I think adding this check is the fastest and best fix ATM. Using disk UUIDs would be a slightly better solution, but would be harder to implement.
 
Old 10-20-2014, 06:38 AM   #8
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,882

Original Poster
Rep: Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988
Updated the rc.cryptsetup attached to post #1 to include the safety-check suggested by Eric.
 
Old 03-02-2015, 01:03 AM   #9
gnashley
Amigo developer
 
Registered: Dec 2003
Location: Germany
Distribution: Slackware
Posts: 4,928

Rep: Reputation: 612Reputation: 612Reputation: 612Reputation: 612Reputation: 612Reputation: 612
Can you re-attach your files? The link no longer works.
 
Old 03-02-2015, 06:33 AM   #10
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,882

Original Poster
Rep: Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988
Yep, I tend to treat LQ attachments as transitory and housekeep them after a few months to avoid leaving 'stale' stuff around. I really should sign up with github for these sorts of things.

I don't have the nicely formatted patch files anymore, but here's the raw rc.cryptsetup taken from my system.

Last edited by GazL; 06-06-2015 at 12:33 PM.
 
1 members found this post helpful.
Old 03-02-2015, 12:42 PM   #11
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
There's a bug in that version with quoting. Here is a patch to fix it and to allow it to run with /bin/ash:
Code:
--- rc.cryptsetup.txt	2015-03-02 12:40:10.992298601 -0600
+++ rc.cryptsetup.new	2015-03-02 12:38:18.045710627 -0600
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/ash
 #  rc.cryptsetup [start|stop]
 #
 #  Use cryptsetup to open or close any encrypted volumes that are
@@ -27,8 +27,8 @@ do
   for word in $line
   do
     [ -z "$a" ]  &&  a="$word"  ||  a="$a $word"
-    [ "$a" != "${a#\"}" -a "$a" = "${a%\"}" ]  &&  continue
-    [ "$a" != "${a#"'"}" -a "$a" = "${a%"'"}" ]  &&  continue
+    [ "$a" != "${a#\"}" ] && [ "$a" = "${a%\"}" ]  &&  continue
+    [ "$a" != "${a#\'}" ] && [ "$a" = "${a%\'}" ]  &&  continue
     [ -z "$LUKS" ]  &&  { LUKS="$a" ; a="" ; }  &&  continue
     [ -z "$DEV" ]   &&  { DEV="$a" ; a="" ; }   &&  continue
     [ -z "$PASS" ]  &&  { PASS="$a" ; a="" ; }  &&  continue
 
Old 03-02-2015, 01:42 PM   #12
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,882

Original Poster
Rep: Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988
That section runs fine with both bash and ash here as is. What symptoms are you seeing and for what input?

Code:
root@ws1:/tmp# cat crypttab 
test /dev/test1 "passphrase one"
test2 /dev/test2 'passphrase two' ro
test3 /dev/test3 "What's the passphrase" ro
test4 /dev/test4 unquoted
root@ws1:/tmp# ./rc.crypttest 
luks: test
dev: /dev/test1
pass: "passphrase one"
opts: 

luks: test2
dev: /dev/test2
pass: 'passphrase two'
opts: ro

luks: test3
dev: /dev/test3
pass: "What's the passphrase"
opts: ro

luks: test4
dev: /dev/test4
pass: unquoted
opts:

Last edited by GazL; 03-02-2015 at 01:43 PM.
 
Old 03-02-2015, 02:16 PM   #13
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,882

Original Poster
Rep: Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988
P.S. I chose the quoting carefully as the different shell implementations can be inconsistent when escaping within double quotes. Here, see what happens when you use your "${a#\'}" in ash:
Code:
bash-4.2$ a="'word'"
bash-4.2$ export a
bash-4.2$ bash
bash-4.2$ echo "${a#"'"}"
word'
bash-4.2$ echo "${a#\'}"
word'
bash-4.2$ ash
$ echo "${a#"'"}"
word'
$ echo "${a#\'}"
'word'
$ ksh
$ echo "${a#"'"}"
word'
$ echo "${a#\'}"
word'
$
"${a#"'"}" may look a little odd -- well, ok, to be fair, it looks a lot odd -- but it works consistently across shells.

Last edited by GazL; 03-02-2015 at 02:52 PM.
 
Old 03-02-2015, 03:19 PM   #14
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492Reputation: 492Reputation: 492Reputation: 492Reputation: 492
Well, the original seems to run, but in geany the quoting is reported as being off. checkbashisms also reports this:
Code:
bash-4.2$ checkbash -p -x rc.cryptsetup
possible bashism in rc.cryptsetup line 30 (test -a/-o):
    [ "$a" != "${a#\"}" -a "$a" = "${a%\"}" ]  &&  continue
possible bashism in rc.cryptsetup line 31 (test -a/-o):
    [ "$a" != "${a#"'"}" -a "$a" = "${a%"'"}" ]  &&  continue
error: rc.cryptsetup: Unterminated quoted string found, EOF reached. Wanted: <'>
but, I guess it runs as is.
 
Old 03-02-2015, 04:10 PM   #15
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,882

Original Poster
Rep: Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988Reputation: 4988
Yeah, I'm not surprised that syntax highlighters/checkers are having a hard time with it.

Though my original code works, that quoting is definitely ugly. Thinking about it, using a couple of intermediate variables should avoid the need for double-quoting and ought to work.

So,
Code:
  for word in $line
  do
    [ -z "$a" ]  &&  a="$word"  ||  a="$a $word"
    b=${a#\'} ; e=${a%\'} ; [ "$a" != "$b" ]  &&  [ "$a" = "$e" ]  &&  continue
    b=${a#\"} ; e=${a%\"} ; [ "$a" != "$b" ]  &&  [ "$a" = "$e" ]  &&  continue
    [ -z "$LUKS" ]  &&  { LUKS="$a" ; a="" ; }  &&  continue
    [ -z "$DEV" ]   &&  { DEV="$a" ; a="" ; }   &&  continue
    [ -z "$PASS" ]  &&  { PASS="$a" ; a="" ; }  &&  continue
    OPTS="$a"
  done
  unset a b e word
That looks cleaner, and seems to work on first viewing. Need to test it out a little more though.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Peer Review Request - Fail2Ban behind a Load Balancer TenTenths Linux - Server 1 10-01-2014 09:59 AM
Request for peer review of my rc.fetchmail daemon script please Old_Fogie Slackware 3 05-21-2012 01:20 AM
amanda-server, selfcheck request failed: recv error: Connection reset by peer malayo Linux - Server 3 02-25-2011 05:30 AM
[SOLVED] Bug in cryptsetup and/or in rc.S in processing /etc/crypttab in slackware-current fdeak Slackware 2 01-23-2011 09:58 AM
Peer Review Starts for Software Patent Applications weibullguy General 0 06-23-2007 08:01 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 04:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration