[pkg-cryptsetup-devel] Bug#906212: cryptsetup: locking dir missing
Christoph Anton Mitterer
calestyo at scientia.net
Wed Aug 15 15:41:27 BST 2018
Source: cryptsetup
Severity: normal
Hi.
Several documents in cryptsetup imply that the distribution
needs to take care that:
/run/lock/cryptsetup
exists and is readable by root only:
e.g.:
https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/LUKS2-locking.txt
>We perform flock() on file descriptors of files stored in a private
>directory (by default /run/lock/cryptsetup). The file name is derived
>from major:minor couple of affected block device. Note we recommend
>that access to private locking directory is supposed to be limited to
>superuser only. For this method to work the distribution needs to
>install the locking directory with appropriate access rights.
or cryptsetup(8):
>LUKS2 header locking
> The LUKS2 on-disk metadata is updated in several steps and to achieve
> proper atomic update, there is a locking mechanism. For an image in
> file, code uses flock(2) system call. For a block device, lock is per‐
> formed over a special file stored in a locking directory (by default
> /run/lock/cryptsetup). The locking directory should be created with
> the proper security context by the distribution during the boot-up
> phase. Only LUKS2 uses locks, other formats do not use this mechanism.
This is not the case in Debian, it seems.
Cheers,
Chris.
More information about the pkg-cryptsetup-devel
mailing list