Bug 248495 - sys-fs/cryptsetup - Make swap partition check stricter in dmcrypt init.d
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo's Team for Core System packages
Duplicates: 289055
Reported: 2008-11-24 00:04 UTC by Vladimir Berezniker
Modified: 2015-04-12 21:44 UTC
Attachments
Add stricter checks for swap partition initialization (dm-crypt_swapcheck.patch, 778 bytes, patch)
2008-11-24 00:05 UTC, Vladimir Berezniker
add PARTUUID handling (dmcrypt-PARTUUID.patch, 389 bytes, patch)
2014-10-28 19:00 UTC, RB

Description Vladimir Berezniker 2008-11-24 00:04:41 UTC
Currently rcscripts/addons/dm-crypt-start.sh checks whether the partition is LUKS. However, it is possible to accidentally point to a partition with data and have the data destroyed.

Attached patch uses blkid to test for recognizable file systems and refuse to initialize swap on the partition.
Comment 1 Vladimir Berezniker 2008-11-24 00:05:22 UTC
Created attachment 173104
Add stricter checks for swap partition initialization
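
The check proposed above, sketched as an added example; this is not the attached patch and not code from the dmcrypt init script. The names `swap_source_is_safe` and `BLKID` are assumptions made for the sketch, and it refuses on every outcome other than "blkid recognised nothing".

```sh
#!/bin/sh
# Added example: pre-flight check before a random-key swap mapping is created.
# BLKID and swap_source_is_safe are names chosen for this sketch (assumptions).
BLKID=${BLKID:-blkid}

# Exit status 0 only when low-level probing finds no known signature on $1.
# Every other outcome refuses, so the caller never reaches mkswap on doubt.
swap_source_is_safe() {
    src=$1
    if [ ! -r "$src" ]; then
        echo "dmcrypt: $src is missing or unreadable, refusing swap setup" >&2
        return 1
    fi
    # -p probes the device itself rather than trusting the blkid cache.
    sig=$("$BLKID" -p -o value -s TYPE "$src" 2>/dev/null) && rc=0 || rc=$?
    case $rc in
        0)  # A signature was recognised (ext4, xfs, crypto_LUKS, ...).
            echo "dmcrypt: $src holds '${sig:-unknown}', refusing swap setup" >&2
            return 1 ;;
        2)  # blkid found nothing it knows: blank, or old random-key ciphertext.
            return 0 ;;
        *)  # 8 = ambivalent probe result, 4 = usage/other error: fail closed.
            echo "dmcrypt: blkid failed on $src (exit $rc), refusing swap setup" >&2
            return 1 ;;
    esac
}

# Usage inside an init script, before the mapping is created and mkswap runs:
#   swap_source_is_safe "$source" || exit 1
```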
Comment 2 Sven Wegener gentoo-dev 2009-04-15 23:24:56 UTC
I like the idea, but I don't like the dependency on e2fsprogs, although we already have a dependency on e2fsprogs-libs, and if blkid ever recognizes luks partitions, this will break.
Comment 3 Sven Wegener gentoo-dev 2009-04-16 00:01:45 UTC
Partly ignore that comment. blkid actually recognizes luks devices, but I was thinking about having the blkid check being applied to every source device, not only swap.
Comment 4 Marios Andreopoulos 2009-05-09 14:00:18 UTC
I believe that since this situation can lead to data loss, as partition numbers or ids can easily change due to repartitioning, removing or adding drives, etc., this should be mentioned in the configuration file (/etc/init.d/dmcrypt) and maybe suggest that users create a standard encrypted partition for their swap and use target= instead of swap= for it.

Although a case of data loss will probably be the fault of the end user's poor memory (as he'll probably have forgotten to adjust dmcrypt), it would be better to point out this danger.
Comment 5 SpanKY gentoo-dev 2011-11-13 04:20:17 UTC
*** Bug 289055 has been marked as a duplicate of this bug. ***
Comment 6 RB 2014-10-28 19:00:42 UTC
Created attachment 387676
add PARTUUID handling

Perhaps the "right" solution is to discourage use of explicit (unportable) partitions and to use UUID/PARTUUID instead. It already does the prior but not the latter, and I had interest in PARTUUID since I'm using a real partition (/dev/sdX3).

I've modified /etc/init.d/dmcrypt to handle PARTUUID (see attached patch). It doesn't follow the precise mode that it uses to handle UUID, but I couldn't seem to get the % suffix handling working right, so punted and used awk.