[Bug 862975] New: Using "tmp" option in /etc/crypttab for /tmp creates unwritable /tmp
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c0

Summary: Using "tmp" option in /etc/crypttab for /tmp creates unwritable /tmp
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: Other
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: arvidjaar@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0

/etc/crypttab provides a "tmp" option, in which case the device is set up using a random key every boot and a fresh filesystem is created. This means that the filesystem root permissions are reset to the default 755, making it non-user-writable. In the past /etc/init.d/boot.crypto would explicitly set /tmp permissions to 1777 after mounting it, but this was lost in the migration to systemd. This causes all sorts of serious issues, including KDM failing to start. See https://forums.opensuse.org/showthread.php/495266-After-update-root-works-bu...

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c1
Andrey Borzenkov
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c2
Dr. Werner Fink
From the systemd side we could try to add an ExecStartPost= line with the appropriate chmod in the cryptsetup-generator ... I'm only surprised that this is not already done(?)
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c3
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c4
Dr. Werner Fink
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c5
--- Comment #5 from Andrey Borzenkov
> What is converting the old configuration to the new configuration?

You misunderstand. Configuration remains the same; but in the past it was interpreted by boot.crypto and now it is interpreted by the systemd cryptsetup generator.
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c6
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c7
--- Comment #7 from Andrey Borzenkov
> I don't know if systemd supports all options boot.crypto did though

It does support the "tmp" option to the extent that the filesystem is actually created every time. It does not enforce 1777 mode for this filesystem. It is not clear if this is implied by the "tmp" option, but this was the de-facto standard on openSUSE before systemd.
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c8
Dr. Werner Fink
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c9
--- Comment #9 from Dr. Werner Fink
https://bugzilla.novell.com/show_bug.cgi?id=862975
https://bugzilla.novell.com/show_bug.cgi?id=862975#c10
Andrey Borzenkov
> How does the line in /etc/fstab look? Also I'd like to see the generated units below /run/systemd for setting up the crypted devices. As well as the used links for this.

/etc/crypttab
====
cr_tmp /dev/disk/by-id/ata-QEMU_HARDDISK_QM00002-part1 /dev/urandom tmp
====

/etc/fstab
====
/dev/mapper/cr_tmp /tmp ext4 acl,user_xattr,nofail 0 2
====

/run/systemd/generator/systemd-cryptsetup@cr_tmp.service
====
# Automatically generated by systemd-cryptsetup-generator

[Unit]
Description=Cryptography Setup for %I
Documentation=man:systemd-cryptsetup@.service(8) man:crypttab(5)
SourcePath=/etc/crypttab
Conflicts=umount.target
DefaultDependencies=no
BindsTo=dev-mapper-%i.device
IgnoreOnIsolate=true
After=md.service dmraid.service
After=systemd-readahead-collect.service systemd-readahead-replay.service
Before=cryptsetup.target
After=systemd-random-seed.service
BindsTo=dev-disk-by\x2did-ata\x2dQEMU_HARDDISK_QM00002\x2dpart1.device
After=dev-disk-by\x2did-ata\x2dQEMU_HARDDISK_QM00002\x2dpart1.device
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/usr/lib/systemd/systemd-cryptsetup attach 'cr_tmp' '/dev/disk/by-id/ata-QEMU_HARDDISK_QM00002-part1' '/dev/urandom' 'tmp'
ExecStop=/usr/lib/systemd/systemd-cryptsetup detach 'cr_tmp'
ExecStartPost=/sbin/mke2fs '/dev/mapper/cr_tmp'
====

/run/systemd/generator/tmp.mount
====
# Automatically generated by systemd-fstab-generator

[Unit]
SourcePath=/etc/fstab

[Mount]
What=/dev/mapper/cr_tmp
Where=/tmp
Type=ext4
FsckPassNo=2
Options=acl,user_xattr,nofail
====

(In reply to comment #9)
> Next question is why does /usr/lib/tmpfiles.d/tmp.conf with the line
> d /tmp 1777 root root -
> therein not work. Shouldn't that be done after the encrypted file is mounted?

Oh, that's interesting. Once upon a time encrypted filesystems were mounted by boot.crypto and so contained "noauto". On update it remains (more precisely, "noauto" is replaced by "nofail", but it does not really matter). If /etc/fstab contains "noauto" or "nofail", the dependency on local-fs.target is not generated. Which means that the filesystem is mounted *after* systemd-tmpfiles-setup runs (it needs to call mke2fs, which takes time, and local-fs.target does not wait for it). Recently there was a discussion on systemd-devel, and the common opinion was that by "nofail" the user declares that the filesystem is optional, so it makes no sense to delay startup by waiting on it. But note that the "tmp" option in /etc/crypttab does not necessarily apply to /tmp; this case is still not covered by the existing tmp.conf.
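As an added example (not part of the bug report or of openSUSE's boot.crypto or systemd code), the shell functions below apply the reasoning from comment #10 to a crypttab/fstab pair: they find crypttab entries carrying the "tmp" option, look up where fstab mounts the corresponding mapper device, flag mounts whose options include nofail or noauto (which, as Andrey describes, get no ordering before local-fs.target and so can be mounted after systemd-tmpfiles-setup has already run), and check whether a mounted directory actually ended up with mode 1777, restoring it the way boot.crypto used to. The crypttab and fstab content is constructed inline from the configuration posted in comment #10 plus an extra LUKS entry; nothing is read from the running system, and GNU coreutils `stat` is assumed.

```shell
#!/bin/sh
# Added example: detect crypttab "tmp" volumes whose mount may race
# systemd-tmpfiles-setup, and verify/repair the 1777 mode of the mount point.
# Sample configuration constructed from comment #10 of bug 862975 (plus a
# second, non-"tmp" entry so the filters have something to reject).

CRYPTTAB_SAMPLE='# <name> <device> <key> <options>
cr_tmp /dev/disk/by-id/ata-QEMU_HARDDISK_QM00002-part1 /dev/urandom tmp
cr_home /dev/disk/by-id/ata-QEMU_HARDDISK_QM00002-part2 none luks'

FSTAB_SAMPLE='/dev/mapper/cr_tmp /tmp ext4 acl,user_xattr,nofail 0 2
/dev/mapper/cr_home /home ext4 defaults 1 2'

# Print the names of crypttab entries whose option list (field 4) contains
# "tmp": these get a fresh mke2fs root (mode 755) on every boot.
tmp_volumes() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF == 0 { next }
        { n = split($4, o, ",")
          for (i = 1; i <= n; i++) if (o[i] == "tmp") { print $1; break } }'
}

# Print the mount point fstab assigns to /dev/mapper/<name>, or nothing if
# the device is not listed. Usage: mount_point_of <name> "<fstab text>"
mount_point_of() {
    printf '%s\n' "$2" | awk -v dev="/dev/mapper/$1" '$1 == dev { print $2 }'
}

# Return 0 if the fstab options for /dev/mapper/<name> contain nofail or
# noauto, i.e. systemd-fstab-generator emits no dependency from
# local-fs.target, so the mount can land after systemd-tmpfiles-setup.
is_optional_mount() {
    printf '%s\n' "$2" | awk -v dev="/dev/mapper/$1" '
        $1 == dev { n = split($4, o, ",")
                    for (i = 1; i <= n; i++)
                        if (o[i] == "nofail" || o[i] == "noauto") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the directory has mode 1777 (sticky, world-writable), which a
# freshly created ext4 root lacks and /tmp needs. GNU stat assumed.
has_tmp_mode() {
    [ "$(stat -c '%a' "$1")" = "1777" ]
}

# What boot.crypto used to do after mounting a "tmp" volume: force the
# mode on the mount point itself, wherever the volume is mounted.
ensure_tmp_mode() {
    has_tmp_mode "$1" || chmod 1777 "$1"
}
```

Run `tmp_volumes "$CRYPTTAB_SAMPLE"` to list the affected mapper names, feed each to `mount_point_of` and `is_optional_mount` to see which mounts are unordered relative to tmpfiles, and call `ensure_tmp_mode` on the mount point (after the mount is up) to repair it; against a real system, pass in `$(cat /etc/crypttab)` and `$(cat /etc/fstab)` instead of the samples.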