Package: keyutils
Version: 1.5.6-1
Severity: normal
Tags: security

Hi.

Key timeout set in initramfs is reset after the udev init script runs.

How to reproduce:

1. Add a key and set a timeout on it in initramfs. E.g. use an encrypted root
   and open it using the decrypt_keyctl script from the cryptsetup package (to
   cache the password). The crypttab entry may look like:

       jessie_root /dev/reiji/enc_jessie_root reiji luks,keyscript=decrypt_keyctl

   The decrypt_keyctl script sets a timeout of 60 seconds on all cached
   passwords.

2. Add an init script (below), which runs before udev and waits for 60 seconds
   to ensure that the timeout still works. It may have an LSB header like:

       ### BEGIN INIT INFO
       # Provides:          keyctl-test
       # Required-Start:    mountkernfs
       # Required-Stop:
       # X-Interactive:     false
       # X-Start-Before:    udev
       # X-Stop-After:      udev
       # Default-Start:     S
       # Default-Stop:      0 6
       # Short-Description: Wait for keyctl timeout to expire
       # Description:
       ### END INIT INFO

   and restart the system. You'll see the line

       key inaccessible (key has expired)

   when the keyctl-test script runs `keyctl show @u` after waiting for 60
   seconds.

4. Now change the LSB header so that keyctl-test starts right after udev. It
   may look like:

       ### BEGIN INIT INFO
       # Provides:          keyctl-test
       # Required-Start:    udev
       # Required-Stop:     udev
       # X-Interactive:     false
       # X-Start-Before:    keyboard-setup mdadm-raid mountdevsubfs
       # X-Stop-After:
       # Default-Start:     S
       # Default-Stop:      0 6
       # Short-Description: Wait for keyctl timeout to expire
       # Description:
       ### END INIT INFO

   and also restart the system. Now, after waiting for 60 seconds,
   `keyctl show @u` will still list the key added during root fs unlocking
   from initramfs.

The keyctl-test init script may look like:

    do_start() {
        echo "Waiting for keyctl timeout to expire.." >&2
        sleep 60
        echo "..done" >&2
        keyctl show @u
    }

    case "$1" in
      start)
        do_start
        ;;
      stop|restart|reload|force-reload|force-start)
        echo "....."
        ;;
      *)
        echo "Usage: {start|stop|restart|reload|force-reload|force-start}"
        exit 1
        ;;
    esac

To work around this I may use a simple script for clearing the keyring, which
runs when all volumes requiring a password have been opened. I may run it using
the 'check=' option in crypttab. E.g. the last crypttab line which uses the
cached password may look like:

    w7 /dev/sdb2 reiji luks,keyscript=decrypt_keyctl,check=keyctl_clear

and the keyctl_clear script should be placed in /lib/cryptsetup/checks/ and may
look like:

    #!/bin/sh
    keyctl clear @u || exit 0

-- 
Dmitriy Matrosov

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages keyutils depends on:
ii  libc6         2.18-5
ii  libkeyutils1  1.5.6-1

keyutils recommends no packages.

keyutils suggests no packages.

-- no debconf information
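As an added example (not part of this bug report or of the keyutils/cryptsetup packages), a small script that re-applies the 60 second timeout to every key cached in @u, which could be run after udev as a complement to clearing the keyring: it keeps the cached passwords expiring even when the timeout set in initramfs is lost. The `keyctl show` line layout and the key IDs in the sample are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Re-applies a timeout to every
# non-keyring key in the user keyring (@u), so cached passwords still expire
# even if the timeout set in initramfs is lost after udev starts.
# Assumption: keyutils' keyctl is in PATH when run on a real system.

# Constructed sample of `keyctl show @u` output, used for offline checks;
# the exact column layout is an assumption about keyctl's output format.
SAMPLE_SHOW='Keyring
 123456789 --alswrv      0     0  keyring: _uid.0
 987654321 --alswrv      0     0   \_ user: cryptsetup:jessie_root
 555555555 --alswrv      0     0   \_ user: cryptsetup:w7'

# Print the numeric IDs of keys (not nested keyrings) from `keyctl show` output.
extract_key_ids() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $0 !~ / keyring: / { print $1 }'
}

# Count the IDs found, so a caller can tell "nothing cached" from a failure.
count_key_ids() {
    extract_key_ids "$1" | wc -l | tr -d ' '
}

# Apply the timeout (default 60 s, matching decrypt_keyctl) to every key found.
# Stops at the first keyctl failure so a missing key is not silently skipped.
reapply_timeout() {
    show_output=$1
    timeout_s=${2:-60}
    for id in $(extract_key_ids "$show_output"); do
        keyctl timeout "$id" "$timeout_s" || return 1
    done
}

# Real usage after udev has started:
#   reapply_timeout "$(keyctl show @u)" 60
```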