[pkg-cryptsetup-devel] Bug#994610: cryptsetup: creation/cleanup of /etc/crypttab

Guilhem Moulin guilhem at debian.org
Sat Sep 18 16:04:41 BST 2021


On Sat, 18 Sep 2021 at 16:30:38 +0200, Christoph Anton Mitterer wrote:
> On Sat, 2021-09-18 at 16:04 +0200, Guilhem Moulin wrote:
>> src:cryptsetup isn't the only consumer of /etc/crypttab, so this is a
>> wontfix.
> 
> Who else uses it that can work without cryptsetup? Systemd via
> libcryptsetup?

crypttab is part of our public API, and any (packaged or not) software
can hook into it without explicitly depending on
cryptsetup-bin let alone cryptsetup.  Removing that API is a wontfix.

> Then perhaps better to have a -common package that all can depend
> upon, than leaving cruft behind after purge?

I don't think the cleanup is worth the extra metadata and package cruft
overhead…

> And still, one could tighten the permissions.

I don't see why it makes more sense to og-rwx /etc/crypttab by default
compared to /etc/fstab or /etc/systemd/system.  If that makes sense in
YOUR environment, then YOU are free to do it manually; src:cryptsetup
control files shouldn't change existing permission/ownership (it'd be a
valid bug if they do).  Moreover tighter permissions have arguably
undesired side effects, such as broken bash completion for `sudo
cryptdisks_start <TAB>`.

Also FWIW /etc/crypttab is typically created by d-i, at least when
using the “encrypted root FS” layout.  I don't have data at hand to back
that up, but I believe that preinst snippet is usually a noop.

-- 
Guilhem.