221
229
# Check ownership of $key
222
OWNER=$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')
230
OWNER="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
223
231
if [ "$OWNER" != "root" ]; then
224
232
log_warning_msg "$dst: INSECURE OWNER FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
232
240
# Check owner group of $key
233
GROUP=$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')
241
GROUP="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{12\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
234
242
if [ "$GROUP" != "root" ]; then
235
243
log_warning_msg "$dst: INSECURE OWNER GROUP FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
238
246
# Check group and other permissions
239
GMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')
240
OMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')
247
GMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')"
248
OMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')"
241
249
if [ "$GMODE" != "---" ] && [ "$OMODE" != "---" ]; then
242
250
log_warning_msg "$dst: INSECURE MODE FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
285
293
PARAMS="$PARAMS --key-file=$key"
287
295
while [ "$tried" -lt "$TRIES" ] || [ "$TRIES" -eq "0" ]; do
296
export CRYPTTAB_TRIED="$tried"
288
297
if [ -n "$KEYSCRIPT" ]; then
289
if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then
298
if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS $LUKSPARAMS luksOpen "$src" "${dst}_unformatted"; then
293
if cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then
302
if cryptsetup $PARAMS $LUKSPARAMS luksOpen "$src" "${dst}_unformatted"; then
320
329
PRECHECK="/lib/cryptsetup/checks/un_blkid"
323
if ! pre_out=$("$PRECHECK" "$src" 2> /dev/null) && \
332
if ! pre_out="$($PRECHECK "$src" 2>/dev/null)" && \
324
333
! /lib/cryptsetup/checks/blkid "$src" swap >/dev/null; then
325
334
log_warning_msg "$dst: the precheck for '$src' failed: $pre_out"
350
359
PARAMS="$PARAMS --key-file=$key"
352
361
while [ "$tried" -lt "$TRIES" ]; do
362
export CRYPTTAB_TRIED="$tried"
353
363
if [ -n "$KEYSCRIPT" ]; then
354
364
$KEYSCRIPT "$keyscriptarg" | cryptsetup $PLAINPARAMS $PARAMS create "${dst}_unformatted" "$src"
404
if swap_out=$(/lib/cryptsetup/checks/un_blkid "/dev/mapper/${dst}_unformatted" 2> /dev/null) || \
405
/lib/cryptsetup/checks/blkid "/dev/mapper/${dst}_unformatted" swap > /dev/null 2>&1; then
406
mkswap "/dev/mapper/${dst}_unformatted" > /dev/null 2>&1
414
if swap_out="$(/lib/cryptsetup/checks/un_blkid "/dev/mapper/${dst}_unformatted" 2>/dev/null)" || \
415
/lib/cryptsetup/checks/blkid "/dev/mapper/${dst}_unformatted" swap >/dev/null 2>&1; then
416
mkswap "/dev/mapper/${dst}_unformatted" >/dev/null 2>&1
408
418
log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed. /dev/mapper/$dst contains data: $swap_out"
422
mkfs -t $TMPFS -q "/dev/mapper/${dst}_unformatted" > /dev/null 2>&1 || return 1
432
mkfs -t $TMPFS -q "/dev/mapper/${dst}_unformatted" >/dev/null 2>&1 || return 1
423
433
mkdir -p "/var/run/cryptsetup/$dst"
424
434
mount -t $TMPFS "/dev/mapper/${dst}_unformatted" "/var/run/cryptsetup/$dst" || return 1
425
435
chmod 1777 "/var/run/cryptsetup/$dst"
430
440
# Rename the device from its temp name to its final name, which will
431
441
# trigger mountall
432
442
finalize_device () {
434
dmsetup rename "${dst}_unformatted" "$dst"
443
if command -v udevadm >/dev/null 2>&1; then
446
dmsetup rename "${dst}_unformatted" "$dst"
437
449
# Removes a mapping
459
471
local module optmodule
462
optmodule=$(find "/lib/modules/$(uname -r)/kernel/arch" -name "${module}*.ko" 2> /dev/null)
474
optmodule=$(find "/lib/modules/$(uname -r)/kernel/arch" -name "${module}*.ko" 2>/dev/null)
463
475
if [ -n "$optmodule" ] && [ "$(echo -n "$optmodule" | wc -l)" -eq 1 ]; then
464
476
modprobe "$optmodule" 2>/dev/null && return 0
564
opencount=$(dmsetup info -c --noheadings -o open "$dst" 2> /dev/null || true)
576
opencount=$(dmsetup info -c --noheadings -o open "$dst" 2>/dev/null || true)
565
577
if [ -z "$opencount" ]; then
566
578
device_msg "$dst" "error"
576
#major=$(dmsetup info -c --noheadings -o major "$dst" 2> /dev/null || true)
577
#minor=$(dmsetup info -c --noheadings -o minor "$dst" 2> /dev/null || true)
578
src_major=$(dmsetup deps "$dst" 2> /dev/null | sed -e 's/^.*(\([0-9]*\), [0-9]*)$/\1/g' || true)
579
src_minor=$(dmsetup deps "$dst" 2> /dev/null | sed -e 's/^.*([0-9]*, \([0-9]*\))$/\1/g' || true)
588
#major=$(dmsetup info -c --noheadings -o major "$dst" 2>/dev/null || true)
589
#minor=$(dmsetup info -c --noheadings -o minor "$dst" 2>/dev/null || true)
590
src_major="$(dmsetup deps "$dst" 2>/dev/null | sed -e 's/^.*(\([0-9]*\), [0-9]*)$/\1/g' || true)"
591
src_minor="$(dmsetup deps "$dst" 2>/dev/null | sed -e 's/^.*([0-9]*, \([0-9]*\))$/\1/g' || true)"
581
593
if [ -z "$src_major" ] || [ -z "$src_minor" ]; then
582
594
device_msg "$dst" "error"
593
605
crypttab_start_one_disk () {
594
local dst src key opts result
606
local dst src key opts result
597
egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
598
if [ "xUUID=$ID_FS_UUID" = "x$src" ]; then
599
src="/dev/disk/by-uuid/${src#UUID=}"
600
elif [ "xLABEL=$ID_FS_LABEL_ENC" = "x$src" ]; then
601
src="/dev/disk/by-label/${src#LABEL=}"
602
elif [ "x$1" != "x$src" ]; then
604
for link in $DEVLINKS; do
605
if [ "x$link" = "x$src" ]; then
609
egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
610
if [ "xUUID=$ID_FS_UUID" = "x$src" ]; then
611
src="/dev/disk/by-uuid/${src#UUID=}"
612
elif [ "xLABEL=$ID_FS_LABEL_ENC" = "x$src" ]; then
613
src="/dev/disk/by-label/${src#LABEL=}"
614
elif [ "x$1" != "x$src" ]; then
616
for link in $DEVLINKS; do
617
if [ "x$link" = "x$src" ]; then
622
if [ -z "$found" ]; then
610
if [ -z "$found" ]; then
614
modprobe -qb dm-mod || true
615
modprobe -qb dm-crypt || true
616
dmsetup mknodes > /dev/null 2>&1 || true
619
handle_crypttab_line_start "$dst" "$src" "$key" "$opts" || ret=$?
626
modprobe -qb dm-mod || true
627
modprobe -qb dm-crypt || true
628
dmsetup mknodes > /dev/null 2>&1 || true
631
handle_crypttab_line_start "$dst" "$src" "$key" "$opts" || ret=$?
628
640
modprobe -qb dm-mod || true
629
641
modprobe -qb dm-crypt || true
630
dmsetup mknodes > /dev/null 2>&1 || true
642
dmsetup mknodes >/dev/null 2>&1 || true
631
643
if [ "$INITSTATE" != "init" ]; then
632
log_action_begin_msg "Starting $INITSTATE crypto disks"
644
log_action_begin_msg "Starting $INITSTATE crypto disks"
636
648
egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
638
if [ "${dev_match#UUID=}" != "$dev_match" ]; then
639
dev_match="$(readlink -f /dev/disk/by-uuid/${dev_match#UUID=})"
650
if [ "${dev_match#UUID=}" != "$dev_match" ]; then
651
dev_match="$(readlink -f /dev/disk/by-uuid/${dev_match#UUID=})"
640
652
elif [ "${dev_match#LABEL=}" != "$dev_match" ]; then
641
dev_match="$(readlink -f /dev/disk/by-label/${dev_match#LABEL=})"
643
# if there's already a udev-triggered job running for this
644
# device, wait for it to finish, then re-process to confirm
645
# that it's started successfully. In the general case this
646
# will just be a no-op, but we don't want to defer to the
647
# other job entirely because this is the fallback for fixing
648
# up any ordering-dependent decrypting.
649
while status cryptdisks-udev DEVNAME="$dev_match" 2>&1 | grep -q 'start'
653
dev_match="$(readlink -f /dev/disk/by-label/${dev_match#LABEL=})"
655
# if there's already a udev-triggered job running for this
656
# device, wait for it to finish, then re-process to confirm
657
# that it's started successfully. In the general case this
658
# will just be a no-op, but we don't want to defer to the
659
# other job entirely because this is the fallback for fixing
660
# up any ordering-dependent decrypting.
661
while status cryptdisks-udev DEVNAME="$dev_match" 2>&1 | grep -q 'start'
653
665
handle_crypttab_line_start "$dst" "$src" "$key" "$opts" <&3 || log_action_end_msg $?