[Pkg-sysvinit-devel] Bug#526398: /etc/init.d/checkroot.sh: can cause serious data corruption if booting on battery power

Zygo Blaxell zblaxell at dactyl.hungrycats.org
Thu Apr 30 22:12:34 UTC 2009


Package: initscripts
Version: 2.86.ds1-61
Severity: critical
File: /etc/init.d/checkroot.sh
Justification: causes serious data loss

I was rather horrified to watch my laptop boot with a dirty root
filesystem mounted read/write.  Upon further investigation, I discovered
that checkroot.sh and checkfs.sh are hardcoded to bypass filesystem
checks if AC power is not present.  This makes no sense.  

If a journalling filesystem has errors, it should not be mounted
read/write until those errors are corrected.  Non-journalling filesystems
always need fsck if they are umounted uncleanly, so they shouldn't be
mounted read/write without checking and possible correction either.
Both cases require fsck before mounting regardless of the power source.

Failing to fsck in either case can cause serious data loss, especially
if the filesystem's metadata falsely indicates occupied space is free
and the system is used for some time.  This can lead to duplicate
allocations between filesystem metadata and user data, which leads to
data loss, security problems, unintentional data disclosure, and worse.
Recovery from errors of this kind is nearly impossible without a good set
of backups handy.  Serious problems can remain undetected for sufficiently
long periods of time that backups get corrupted as well.

The problem is even worse for laptops that are only rebooted due to
crashes, and only crash "in the field" while running on battery power.
Such machines may never run fsck until the corruption is sufficiently
bad that the machine is unusable.

I would propose that the battery power status should only be tested
in checkroot.sh and checkfs.sh if a configuration setting explicitly
permits it.  For example, a variable FSCKONBATTERY might be added to
/etc/default/rcS with these options:

	yes - check filesystems regardless of battery status (ignore
	on_ac_power entirely).  This should be the default.

	no - don't check filesystems when on_ac_power returns false.
	This is the current behavior.

The system should not corrupt data by default, which is why the default
I propose above is different from the current behavior.

Installed systems which are upgrading from legacy versions of initscripts
might preserve the old behavior in accordance with the principle of least
surprise, but all new systems should be installed with the default set
as above.

I would argue that unexpected data corruption is a much bigger surprise
than fscks on battery, but other bugs filed against this package suggest
people actually prefer the broken behavior, and these people would
probably complain if we fixed it for them.




-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable'), (189, 'testing'), (179, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28.4-zb64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages initscripts depends on:
ii  debianutils                  2.30        Miscellaneous utilities specific t
ii  e2fsprogs                    1.41.3-1    ext2/ext3/ext4 file system utiliti
ii  libc6                        2.9-4       GNU C Library: Shared libraries
ii  lsb-base                     3.2-20      Linux Standard Base 3.2 init scrip
ii  mount                        2.13.1.1-1  Tools for mounting and manipulatin
ii  sysvinit-utils               2.86.ds1-61 System-V-like utilities

Versions of packages initscripts recommends:
ii  psmisc                        22.6-1     Utilities that use the proc filesy

initscripts suggests no packages.

-- no debconf information
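The FSCKONBATTERY gate proposed in the report, written out as an added illustration; this is not the Debian initscripts code, and the function name fsck_policy, the "yes"/"no" values with "yes" as default, and the on_ac_power exit codes (0 on AC, 1 on battery, 255 unknown) are assumptions taken from the proposal and the on_ac_power manual, passed in as arguments so the logic runs without powermgmt-base.

```shell
#!/bin/sh
# Added illustration of the proposed FSCKONBATTERY setting for
# checkroot.sh/checkfs.sh; not the actual initscripts code.
#
# fsck_policy SETTING AC_STATUS
#   SETTING   = value of FSCKONBATTERY from /etc/default/rcS
#               ("yes", "no", or empty; empty means the proposed
#               default of "yes")
#   AC_STATUS = exit status of on_ac_power (0 = on AC, 1 = on
#               battery, 255 = cannot be determined)
# Prints "check" or "skip"; returns 0 to run fsck, 1 to skip it.
fsck_policy() {
    setting=${1:-yes}          # proposed default: always check
    ac_status=${2:-255}        # unknown power state if not given
    case "$setting" in
        no)
            # Current behaviour: skip only when on_ac_power reports
            # battery.  An unknown status still checks, because
            # skipping on a guess is exactly the data-loss path the
            # report describes.
            if [ "$ac_status" -eq 1 ]; then
                echo skip
                return 1
            fi
            ;;
        *)
            # "yes" (and anything unrecognised): ignore on_ac_power
            # entirely and check the filesystem regardless of power.
            ;;
    esac
    echo check
    return 0
}

# Sketch of how the init script could call it (assumes the
# powermgmt-base package provides on_ac_power):
#   on_ac_power >/dev/null 2>&1
#   fsck_policy "$FSCKONBATTERY" $? >/dev/null || exit 0   # skip fsck
```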