[pkg-cryptsetup-devel] [dm-crypt] u?mount (8) helper script for luks encrypted disks
Matthias Schniedermeyer
ms at citd.de
Thu Aug 29 23:16:05 UTC 2013
On 29.08.2013 07:50, Milan Broz wrote:
> On 26.8.2013 10:23, Matthias Schniedermeyer wrote:
> >Personally i "solved" this by renaming /bin/mount to /bin/mount.orig
> >and putting a shell-script as /bin/mount that checks if i want to mount
> >a /dev/mapper/XXX and does the setup of XXX before it calls
> >/bin/mount.orig.
>
> Underlying device construction can be very complex task sometimes
> (it can be combination of lvm, mdraid, multipath, partitions and whatever.)
>
> So while it works for your use case, it will not work for other.
And there will never be a "one size fits all" solution for this.
Sure, someone could create a "monster" that could cope with anything.
But that wouldn't be KISS.
So for the cases that are simple, a mount-option to exec something
before the actual mount happens would suffice.
(I aimed my solutions for autofs with ghosting.)
> >"Back then" when i implemented that about 1.5 years ago i tried to
> >explain to Karel Zak (util-linux maintainer) that a generic "premount"
> >and "postumount" command in (u)mount could solve this generic problem.
> >The Problem that all cryptographic-setups need (at least) one more step
> >to setup(/tear-down) a device. But that didn't happen and i didn't try
> >to open the issue again.
>
>
> For that particular case, LUKS tear down, I think we had a better approach.
> Just implement auto removal on last device close (similar to loop device
> autoclear flag.)
>
> For more info see
> https://bugzilla.redhat.com/show_bug.cgi?id=873734
I will see if it works and can kill the umount-part if it works for me.
>
> Milan
>
> p.s.
> Be very careful with shell scripts in mount helpers here.
> It will run under the same UID as mount, which means root for LUKS here.
In my case that's not the case, Shell-scripts (under normal
circumstances) can't be SUIDed. So as i've intercepted the original call
to mount it will run with the UID of the caller and will only SUID root
when mount.orig is execed.
So if i would call it as my user, it simply wouldn't work as it couldn't
construct the mapper.
--
Matthias
More information about the pkg-cryptsetup-devel
mailing list