Source: cryptsetup Severity: normal
Hi.

Several documents in cryptsetup imply that the distribution needs to take care that /run/lock/cryptsetup exists and is readable by root only, e.g.:

https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/LUKS2-locking.txt

> We perform flock() on file descriptors of files stored in a private
> directory (by default /run/lock/cryptsetup). The file name is derived
> from major:minor couple of affected block device. Note we recommend
> that access to private locking directory is supposed to be limited to
> superuser only. For this method to work the distribution needs to
> install the locking directory with appropriate access rights.

or cryptsetup(8):

> LUKS2 header locking
>     The LUKS2 on-disk metadata is updated in several steps and to achieve
>     proper atomic update, there is a locking mechanism. For an image in
>     file, code uses flock(2) system call. For a block device, lock is
>     performed over a special file stored in a locking directory (by default
>     /run/lock/cryptsetup). The locking directory should be created with
>     the proper security context by the distribution during the boot-up
>     phase. Only LUKS2 uses locks, other formats do not use this mechanism.

This is not the case in Debian, it seems.

Cheers,
Chris.
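A check an administrator can run to verify that the locking directory described above actually exists with the access rights the cryptsetup documentation asks for. This is an added example, not code from cryptsetup or from the bug report; the function name `check_lockdir` and its optional expected-owner argument are assumptions, and it relies on GNU `stat -c`.

```shell
# check_lockdir DIR [EXPECTED_UID]
# Verify that a cryptsetup locking directory (by default /run/lock/cryptsetup)
# exists, is a real directory rather than a symlink, is owned by EXPECTED_UID
# (root, uid 0, unless given) and grants no access to group or others.
# Each problem is reported on stderr; the return code is 0 only if all pass.
# Usage: check_lockdir /run/lock/cryptsetup
check_lockdir() {
    dir=$1
    want_uid=${2:-0}
    rc=0

    # A symlink could be pointed elsewhere by whoever controls its parent,
    # so it is rejected outright rather than followed.
    if [ -L "$dir" ]; then
        echo "$dir: is a symlink, expected a directory" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory" >&2
        return 1
    fi

    # GNU stat: numeric owner uid and octal permission bits.
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1

    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected uid $want_uid" >&2
        rc=1
    fi

    # Keep the low three octal digits (drops a leading setgid/sticky digit),
    # then look only at the group and other digits, which must both be 0.
    perm=$(printf '%s' "$mode" | tail -c 3)
    group_other=${perm#?}
    if [ "$group_other" != "00" ]; then
        echo "$dir: mode $mode grants access to group/others, want 700" >&2
        rc=1
    fi
    return $rc
}
```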