[pkg-cryptsetup-devel] Bug#901795: cryptsetup: new version may break 3rd party keyscripts (and thus boot)

Guilhem Moulin guilhem at debian.org
Tue Jun 26 03:14:51 BST 2018


On Tue, 26 Jun 2018 at 03:28:17 +0200, Christoph Anton Mitterer wrote:
> If you like I can send you the full set of scripts&hooks for review.

Just open a wishlist bug and everybody will be able to look at it? :-)

>> Right now we'd like things to settle a bit, and fixing actual
>> regressions has higher priority.  I'll plan to start working on this
>> once the package enters testing, but I'm not promising anything.
> 
> I'd now simply start to use the "interface" you suggested me in your
> last mail.

I'll repeat it here: it's still subject to change!  This thread is not
meant to document the interface, but to understand what your needs are.

> Question on that:
> 
>>  . /lib/cryptsetup/functions
>>
>>  [ -s "$DESTDIR/cryptroot/crypttab" ] || return 0
> 
> Why is this necessary? I assume when I PREREQ=cryptroot, then
> $DESTDIR/cryptroot/crypttab is finished(!) and contains all devices needed
> to be unlocked during initramfs, right?

No, it's for the case where cryptsetup's initramfs integration is not
processed (because the package isn't installed, because /etc/crypttab is
empty or nonexistent, or because /etc/cryptsetup-initramfs/conf-hook
specifies CRYPTSETUP=n).
 
>>  while read CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS; do
> Do you guys do any quoting in "$DESTDIR/cryptroot/crypttab"?
> Cause read without -r will interpret \ as quoting character... and this
> is IMO always a bit dangerous if the same is then used...

Hmm good point, you can have spaces and tabs (and options values
containing ‘,’) by prefixing them with ‘/’ in your /etc/crypttab, but
lines are unquoted when the hook reads /etc/crypttab, and
$DESTDIR/cryptroot/crypttab is quote-free so special characters are
lost.  (Note that the handling of special characters in /etc/crypttab
was not documented — thus not supported — before 2:2.0.3-2.)

>>      if [ "${CRYPTTAB_NAME#\#}" = "$CRYPTTAB_NAME" ] \
> What is this intended for?

It removes comments (not necessary currently as the hook removes them
already).

> (Oh and did you guys notice that this is a bashism? ${var#word} is not
> POSIX sh compatible)

It very much is, see http://pubs.opengroup.org/onlinepubs/9699919799/
sec. 2.6.2 “Parameter Expansion”.  Anyway we're not targeting POSIX
shell but dash (which has a handful of features not in POSIX shell) for
the hook files, and busybox's ash (which is a superset of dash) in the
scripts.

-- 
Guilhem.
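Added example, not code from the cryptsetup package or from either correspondent: the hook loop quoted in the thread written out as a runnable POSIX sh fragment that reads a constructed $DESTDIR/cryptroot/crypttab with `read -r` (the caveat Christoph raised), keeps the `${CRYPTTAB_NAME#\#}` comment test, and shows what plain `read` does to a backslash. It does not source /lib/cryptsetup/functions, and the UUID, key path and keyscript path in the sample file are made up.

```shell
#!/bin/sh
# Constructed sample of $DESTDIR/cryptroot/crypttab (made-up entries), laid
# out as the quoted interface describes: name source key options, one per line.
DESTDIR="${DESTDIR:-$(mktemp -d)}"
mkdir -p "$DESTDIR/cryptroot"
cat >"$DESTDIR/cryptroot/crypttab" <<'EOF'
# comment line: must be skipped
sda5_crypt UUID=0000-constructed none luks,discard
home_crypt /dev/sdb1 /etc/keys/home.key luks,keyscript=/lib/cryptsetup/scripts/example
EOF

# keyscript_of OPTIONS: print the keyscript= value from a comma-separated
# crypttab option list, or "none". Pure POSIX parameter expansion.
keyscript_of() {
    case ",$1," in
        *,keyscript=*) _ks="${1#*keyscript=}"; printf '%s\n' "${_ks%%,*}" ;;
        *) printf 'none\n' ;;
    esac
}

# Iterate over the initramfs crypttab as the quoted interface does, but with
# `read -r` so a backslash in a field is data rather than a quoting character.
# Prints "<name> <keyscript>" for every non-comment entry.
list_crypttab_entries() {
    [ -s "$DESTDIR/cryptroot/crypttab" ] || return 0
    while read -r CRYPTTAB_NAME CRYPTTAB_SOURCE CRYPTTAB_KEY CRYPTTAB_OPTIONS; do
        # ${var#\#} strips one leading '#'; unchanged means not a comment.
        # This is POSIX parameter expansion (XCU 2.6.2), not a bashism.
        [ "${CRYPTTAB_NAME#\#}" = "$CRYPTTAB_NAME" ] || continue
        printf '%s %s\n' "$CRYPTTAB_NAME" "$(keyscript_of "$CRYPTTAB_OPTIONS")"
    done <"$DESTDIR/cryptroot/crypttab"
}

# Why -r matters: plain `read` consumes '\' as an escape, `read -r` keeps it.
backslash_demo() {
    read _a <<'EOF'
foo\bar
EOF
    read -r _b <<'EOF'
foo\bar
EOF
    printf '%s %s\n' "$_a" "$_b"   # foobar foo\bar
}

list_crypttab_entries
backslash_demo
```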