[Bug 496279] New: Recent security updates appears to break mounting of LUKS crypto devices.
http://bugzilla.novell.com/show_bug.cgi?id=496279

           Summary: Recent security updates appears to break mounting of LUKS crypto devices.
    Classification: openSUSE
           Product: openSUSE 11.1
           Version: Final
          Platform: i586
        OS/Version: openSUSE 11.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: robin.listas@telefonica.net
         QAContact: qa@suse.de
          Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009032600 SUSE/3.0.8-1.1.1 Firefox/3.0.8

On my 11. test partition, when mounting crypto LUKS filesystems via script /etc/init.d/boot.crypto, they are mounted twice, sometimes:

    minas-morgul:~ # rccrypto start cr_mm_1_amon_din
    Please enter passphrase for /dev/disk/by-id/usb-Initio_ST3320620AS_0010101650000DDEW-0:0-part1 (cr_mm_1_amon_din):
    Enter LUKS passphrase: Enter LUKS passphrase: key slot 0 unlocked.
    Command successful.
    /dev/disk/by-id/usb-Initio_ST3320620AS_0010101650000DDEW-0:0-part1... done
    minas-morgul:~ # mount | grep Amon
    /dev/mapper/cr_mm_1_amon_din on /mnt/usb/1_Amon_Din type reiserfs (rw,noexec,nosuid,nodev,noatime,user_xattr)
    /dev/dm-3 on /media/Amon_Din type reiserfs (rw,nosuid,nodev)

and stopping it fails:

    minas-morgul:~ # rccrypto stop cr_mm_1_amon_din
    Command failed: Device busy
    /dev/disk/by-id/usb-Initio_ST3320620AS_0010101650000DDEW-0:0-part1... failed
    minas-morgul:~ # umount /media/Amon_Din
    minas-morgul:~ # rccrypto stop cr_mm_1_amon_din
    /dev/disk/by-id/usb-Initio_ST3320620AS_0010101650000DDEW-0:0-part1... done

The filesystems are mounted via usb. I believe it happens when the process is slow, dmsetup is already called with the password, but the disk not mounted yet (fsck?), GNOME sees the device, and tries to automount it (under /media), before the script sees it. Nautilus opens a window with the device. Then the script finalizes and mounts it another time - I only want the script, not gnome to mount it.

When things go correctly (after several failed attempts) nautilus does not show the window automatically and there is no corresponding device icon on the desktop.

Last updates:

    Fri Apr 17 2009  Tue Apr 14 2009  libvolume_id1 128-9.7.1
    Fri Apr 17 2009  Thu Apr 16 2009  java-1_6_0-openjdk 1.4_b14-24.4.3
    Fri Apr 17 2009  Wed Apr 08 2009  gnome-panel 2.24.1-2.26.1
    Fri Apr 17 2009  Mon Apr 06 2009  libgstinterfaces-0_10-0 0.10.21-2.21.2
    Fri Apr 17 2009  Mon Apr 06 2009  krb5 1.6.3-132.5.1
    Fri Apr 17 2009  Tue Apr 07 2009  mozilla-xulrunner190 1.9.0.8-1.1.1
    Fri Apr 17 2009  Thu Apr 02 2009  module-init-tools 3.4-56.10.1
    Fri Apr 17 2009  Wed Apr 01 2009  kernel-source 2.6.27.21-0.1.1
    Fri Apr 17 2009  Tue Apr 14 2009  udev 128-9.7.1
    Fri Apr 17 2009  Thu Apr 16 2009  java-1_6_0-openjdk-plugin 1.4_b14-24.4.3
    Fri Apr 17 2009  Tue Mar 24 2009  postgresql-libs 8.3.7-0.1.1
    Fri Apr 17 2009  Wed Apr 08 2009  gnome-panel-lang 2.24.1-2.26.1
    Fri Apr 17 2009  Mon Apr 06 2009  gstreamer-0_10-plugins-base 0.10.21-2.21.2
    Fri Apr 17 2009  Tue Apr 07 2009  mozilla-xulrunner190-gnomevfs 1.9.0.8-1.1.1
    Fri Apr 17 2009  Tue Apr 07 2009  mozilla-xulrunner190-translations 1.9.0.8-1.1.1
    Fri Apr 17 2009  Tue Apr 07 2009  MozillaFirefox 3.0.8-1.1.1
    Fri Apr 17 2009  Thu Apr 02 2009  kernel-pae-base 2.6.27.21-0.1.2
    Fri Apr 17 2009  Thu Apr 02 2009  kernel-debug-base 2.6.27.21-0.1.2
    Fri Apr 17 2009  Tue Apr 07 2009  MozillaFirefox-translations 3.0.8-1.1.1
    Fri Apr 17 2009  Thu Apr 02 2009  kernel-pae 2.6.27.21-0.1.2
    Fri Apr 17 2009  Thu Apr 02 2009  kernel-debug 2.6.27.21-0.1.2
    Fri Apr 17 2009  Thu Apr 02 2009  kernel-pae-extra 2.6.27.21-0.1.2
    Fri Apr 17 2009  Thu Apr 02 2009  kernel-debug-extra 2.6.27.21-0.1.2
    Sun Apr 19 2009  Thu Apr 02 2009  dbus-1 1.2.10-5.4.1

Reproducible: Sometimes

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=496279

User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496279#c1

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |robin.listas@telefonica.net

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2009-04-20 01:13:46 MDT ---
what's the output of polkit-auth when called in a terminal of the logged in user as that user?

http://bugzilla.novell.com/show_bug.cgi?id=496279

User robin.listas@telefonica.net added comment
http://bugzilla.novell.com/show_bug.cgi?id=496279#c2

Carlos Robinson <robin.listas@telefonica.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|robin.listas@telefonica.net |

--- Comment #2 from Carlos Robinson <robin.listas@telefonica.net> 2009-04-20 18:18:59 MDT ---
The session belongs to user 'cer', but '/etc/init.d/boot.crypto' has to be run as root. I had to reboot the test partition to run your command (the bug doesn't show tonight). Here goes:

    cer@minas-morgul:~> polkit-auth
    org.freedesktop.packagekit.package-eula-accept
    org.freedesktop.packagekit.system-sources-refresh
    org.freedesktop.consolekit.system.stop
    org.freedesktop.consolekit.system.stop-multiple-users
    org.freedesktop.consolekit.system.restart
    org.freedesktop.consolekit.system.restart-multiple-users
    org.freedesktop.hal.killswitch.bluetooth
    org.freedesktop.hal.killswitch.wlan
    org.freedesktop.hal.killswitch.wwan
    org.freedesktop.hal.lock
    org.freedesktop.hal.leds.brightness
    org.freedesktop.hal.storage.mount-removable
    org.freedesktop.hal.storage.unmount-others
    org.freedesktop.hal.storage.eject
    org.freedesktop.hal.storage.crypto-setup-removable
    org.freedesktop.hal.wol.enabled
    org.freedesktop.hal.wol.enable
    org.freedesktop.hal.wol.supported
    org.gnome.clockapplet.mechanism.settimezone
    org.freedesktop.hal.device-access.fingerprint-reader
    org.freedesktop.hal.device-access.audio-player
    org.freedesktop.hal.device-access.camera
    org.freedesktop.hal.device-access.cdrom
    org.freedesktop.hal.device-access.dvb
    org.freedesktop.hal.device-access.floppy
    org.freedesktop.hal.device-access.ieee1394-avc
    org.freedesktop.hal.device-access.ieee1394-iidc
    org.freedesktop.hal.device-access.joystick
    org.freedesktop.hal.device-access.mouse
    org.freedesktop.hal.device-access.pda
    org.freedesktop.hal.device-access.scanner
    org.freedesktop.hal.device-access.sound
    org.freedesktop.hal.device-access.video4linux
    org.freedesktop.hal.device-access.video
    org.freedesktop.hal.power-management.shutdown
    org.freedesktop.hal.power-management.shutdown-multiple-sessions
    org.freedesktop.hal.power-management.reboot
    org.freedesktop.hal.power-management.reboot-multiple-sessions
    org.freedesktop.hal.power-management.set-powersave
    org.freedesktop.hal.power-management.suspend
    org.freedesktop.hal.power-management.hibernate
    org.freedesktop.hal.power-management.cpufreq
    org.freedesktop.hal.power-management.lcd-panel
    org.freedesktop.hal.power-management.light-sensor
    org.freedesktop.hal.power-management.keyboard-backlight
    org.freedesktop.hal.dockstation.undock
    cer@minas-morgul:~>

    minas-morgul:~ # polkit-auth
    minas-morgul:~

http://bugzilla.novell.com/show_bug.cgi?id=496279

User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496279#c3

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
         AssignedTo|security-team@suse.de       |dkukawka@novell.com
            Summary|Recent security updates     |hal allows mounting of
                   |appears to break mounting   |devices in /etc/fstab
                   |of LUKS crypto devices.     |

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2009-04-21 06:55:22 MDT ---
I can reproduce this here. Are you sure this didn't happen on an unpatched 11.1? It looks like a hal bug to me. Hal should refuse to mount devices specified in fstab. My guess is that the device is listed as /dev/mapper/something in fstab but hal only checks for e.g. /dev/dm-0. It then can't find /dev/dm-0 in fstab and allows the mount.

http://bugzilla.novell.com/show_bug.cgi?id=496279

User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496279#c4

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2009-04-21 06:55:55 MDT ---
Created an attachment (id=287106)
 --> (http://bugzilla.novell.com/attachment.cgi?id=287106)
lshal output of my virtual machine with luks device

http://bugzilla.novell.com/show_bug.cgi?id=496279

User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496279#c5

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2009-04-21 07:00:55 MDT ---
Created an attachment (id=287112)
 --> (http://bugzilla.novell.com/attachment.cgi?id=287112)
udev info

udev knows that /dev/dm-0 is listed as /dev/mapper/foo in fstab so udev just needs to be asked.

http://bugzilla.novell.com/show_bug.cgi?id=496279

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #287112|application/octet-stream    |text/plain
          mime type|                            |

http://bugzilla.novell.com/show_bug.cgi?id=496279

User robin.listas@telefonica.net added comment
http://bugzilla.novell.com/show_bug.cgi?id=496279#c6

--- Comment #6 from Carlos Robinson <robin.listas@telefonica.net> 2009-04-21 07:14:55 MDT ---
(In reply to comment #3)
> I can reproduce this here. Are you sure this didn't happen on an unpatched
> 11.1? It looks like a hal bug to me. Hal should refuse to mount devices
> specified in fstab. My guess is that the device is listed as
> /dev/mapper/something in fstab but hal only checks for e.g. /dev/dm-0. It
> then can't find /dev/dm-0 in fstab and allows the mount.

I seldom use my 11.1 partition, I use it only for testing. But it is fully updated.

Yes, the devices are listed in fstab:

    /dev/mapper/cr_mm_1_amon_din /mnt/usb/1_Amon_Din \
        reiserfs noatime,user,noauto,user_xattr 0 0

with a corresponding entry in /etc/crypttab:

    cr_mm_1_amon_din \
        /dev/disk/by-id/usb-Initio_ST3320620AS_0010101650000DDEW-0:0-part1 \
        none noauto

Yes, I have noticed before this time gnome trying to mount devices already listed in fstab: if I connect my usb encrypted disk, gnome prompts me for the LUKS password. Ah, no, bad example, the /dev/mapper node is not active at that moment, because the usb node is listed in /etc/crypttab, not fstab.
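
The mismatch guessed at in comment #3, as an added example that is not part of the bug report and is not hal's code: an fstab lookup that compares path strings misses /dev/dm-3 when fstab names /dev/mapper/cr_mm_1_amon_din, while a lookup that compares what each path resolves to finds it. The temporary directory standing in for /dev, the symlink layout inside it, and all function names are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Constructed sample: the fstab entry from comment #6, joined onto one line.
SAMPLE_FSTAB = ("/dev/mapper/cr_mm_1_amon_din /mnt/usb/1_Amon_Din "
                "reiserfs noatime,user,noauto,user_xattr 0 0\n")

def same_device(a, b):
    """True when both paths lead to the same device, whatever they are called."""
    try:
        sa, sb = os.stat(a), os.stat(b)      # stat() follows symlinks
    except OSError:
        return False                         # a missing node matches nothing
    if stat.S_ISBLK(sa.st_mode) and stat.S_ISBLK(sb.st_mode):
        return sa.st_rdev == sb.st_rdev      # separate nodes, same major:minor
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)

def fstab_sources(text, dev_root="/dev"):
    """Device fields of fstab lines naming a /dev path, re-rooted at dev_root."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("/dev/"):
            out.append(os.path.join(dev_root, fields[0][len("/dev/"):]))
    return out

def listed_by_name(node, text, dev_root="/dev"):
    """The comparison guessed at in comment #3: exact path string only."""
    return node in fstab_sources(text, dev_root)

def listed_by_identity(node, text, dev_root="/dev"):
    """Hardened lookup: compare what each path resolves to."""
    return any(same_device(node, s) for s in fstab_sources(text, dev_root))

def demo():
    """Assumed layout: a temp dir stands in for /dev, mapper/<name> -> dm-3."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "mapper"))
    for name in ("dm-3", "dm-4"):
        open(os.path.join(root, name), "w").close()
    os.symlink("../dm-3", os.path.join(root, "mapper", "cr_mm_1_amon_din"))
    dm3, dm4 = os.path.join(root, "dm-3"), os.path.join(root, "dm-4")
    return (listed_by_name(dm3, SAMPLE_FSTAB, root),
            listed_by_identity(dm3, SAMPLE_FSTAB, root),
            listed_by_identity(dm4, SAMPLE_FSTAB, root))

if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The `st_rdev` branch covers systems where /dev/mapper/<name> and /dev/dm-N are two separate block device nodes sharing one major:minor pair rather than a symlink and its target.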

http://bugzilla.novell.com/show_bug.cgi?id=496279

User robin.listas@telefonica.net added comment
http://bugzilla.novell.com/show_bug.cgi?id=496279#c7

--- Comment #7 from Carlos Robinson <robin.listas@telefonica.net> 2009-04-21 07:19:45 MDT ---
(In reply to comment #3)
> I can reproduce this here. Are you sure this didn't happen on an unpatched
> 11.1?

Ah, you mean whether this problem does not appear as well on a not patched 11.1? I don't know, but I have not seen it before, nor in my 11.0. However, as this is "erratic", it could be lurking before, and just chanced to happen the other day. Can't say.

I mean it is erratic, because it happened several times with three LUKS partitions minutes after booting, then it stopped happening as soon as I wrote this report.

https://bugzilla.novell.com/show_bug.cgi?id=496279

https://bugzilla.novell.com/show_bug.cgi?id=496279#c8

Danny Kukawka <dkukawka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #8 from Danny Kukawka <dkukawka@suse.com> 2011-08-30 09:19:06 UTC ---
Sorry, 11.1 reached its end-of-lifetime and is no longer supported. Feel free to reopen if you see the issue still on a currently supported system.