[arch-projects] [RFC 13/23] Check device with blkid before cryptsetup create
Matthew Monaco
dgbaley27 at 0x01b.net
Fri May 18 12:22:07 EDT 2012
From: Matthew Monaco <matthew.monaco at 0x01b.net>
Currently in rc.sysinit we check that blkid returns 2 before running
mkswap. This is a little bit stronger. Even without mkswap "cryptsetup
create" can be dangerous, so do the blkid check for all plain (non-LUKS)
mappings. Furthermore, just check for a non-zero return status, if this
is too broad we can get more specific.
Note: A user can still destroy her data if she enters the wrong password
for a cryptsetup create. This we'll leave as the user's fault; she
should be aware of the limitations of a plain mapping and the
--verify-passphrase cryptsetup option.
---
cryptmount.sh | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/cryptmount.sh b/cryptmount.sh
index d602043..03699d0 100755
--- a/cryptmount.sh
+++ b/cryptmount.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-SHORTOPTS="LMUc:w:nqvho:O:"
+SHORTOPTS="LMUc:fw:nqvho:O:"
DEPS="cryptsetup blkid findmnt mkswap mktemp"
UDEVRUNNING=0
@@ -10,6 +10,7 @@ WAITTIME=10
CRYPTTAB=/etc/crypttab
OPTIONS=
FILTER="!noauto"
+FORCE=0
ct_print_usage() {
cat <<__EOF__
@@ -32,6 +33,8 @@ usage: $0 [OPTIONS] [-L]
options:
-c FILE set the crypttab location (default: /etc/crypttab)
+ -f force destructive operations even when a block device appears to
+ contain data
-w NUM wait time (seconds) for a device if it is not already available
-n dry run
-q decrease verbosity
@@ -115,6 +118,7 @@ ct_main() {
M) set_action map;;
U) set_action unmap;;
c) CRYPTTAB="$OPTARG";;
+ f) FORCE=1;;
w) WAITTIME=${OPTARG//[!0-9]};;
n) DRYRUN=1;;
q) LOGLEVEL=$(( LOGLEVEL - 1 ));;
@@ -381,7 +385,14 @@ ct_map() {
info "device '$dev' assumed to be plain"
- if run cryptsetup create $key $args "$name" "$dev"; then
+ # cryptsetup 'create' can be destructive, don't do it if blkid can
+ # identify the device type
+ if [ $FORCE -ne 1 ] && blkid -p "$dev" &>/dev/null; then
+ error "Refusing to call 'cryptsetup create' on device that might"
+ error " have data. If you are sure this is what you want, use"
+ error " the -f option"
+ ret=1
+ elif run cryptsetup create $key $args "$name" "$dev"; then
info "sucessfully mapped '$dev' to '/dev/mapper/$name'"
if [ $swap -eq 1 ]; then
if run mkswap -f -L "$name" "/dev/mapper/$name"; then
--
1.7.10.2
More information about the arch-projects
mailing list