Ah thanks for your clarification :-)

Best wishes,
Chris.

On Wed, 2018-08-15 at 17:14 +0200, Guilhem Moulin wrote:
> Control: retitle -1 cryptsetup: missing LUKS2 header locking directory
>
> On Wed, 15 Aug 2018 at 16:41:27 +0200, Christoph Anton Mitterer wrote:
> > Several documents in cryptsetup imply that the distribution
> > needs to take care that:
> > /run/lock/cryptsetup
> > exists and is readable by root only:
>
> Since v2.0.1 the LUKS2 header lockdir defaults to ‘/run/cryptsetup’, cf.
>
> https://gitlab.com/cryptsetup/cryptsetup/commit/6f4c15b2b2d5e7a9cd7e08b55c319b6e272544f6
>
> > This is not the case in Debian, it seems.
>
> We ship upstream's /usr/lib/tmpfiles.d/cryptsetup.conf as part of the
> ‘cryptsetup-bin’ package; when PID 1 is systemd, systemd-tmpfiles(8)
> takes care of creating the lockdir with suitable permissions. Moreover,
> our SysV init scripts and initramfs-tools boot scripts run
> `mkdir -pm0700 /run/cryptsetup`.
>
> (Also, the directory is created automatically if it doesn't exist but
> its parent does, cf. lib/utils_device_locking.c:open_lock_dir(). That
> behavior is undocumented though, and with “usual” init systems the
> situation should never arise.)
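
Added example (not part of the original thread, and not cryptsetup or Debian code): a shell function that audits the lock directory discussed above, checking that it is a real directory, owned by root, with the `0700` mode from the quoted `mkdir -pm0700 /run/cryptsetup`. The name `check_lockdir` and its optional UID argument are assumptions made for illustration; it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit the LUKS2 header lock directory.
# Usage: check_lockdir DIR [EXPECTED_UID]
#   DIR          directory to check, e.g. /run/cryptsetup
#   EXPECTED_UID owner to require (assumption: defaults to 0, i.e. root)
# Returns 0 only if DIR is a real directory (not a symlink), owned by
# EXPECTED_UID, with mode exactly 0700.
check_lockdir() {
    dir=$1
    want_uid=${2:-0}

    # A symlink could redirect lock files to an attacker-chosen location.
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or not a directory" >&2
        return 1
    fi

    # GNU stat: %u = numeric owner, %a = permission bits in octal.
    owner=$(stat -c '%u' -- "$dir") || return 1
    mode=$(stat -c '%a' -- "$dir") || return 1

    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $owner, expected $want_uid" >&2
        return 1
    fi
    if [ "$mode" != "700" ]; then
        echo "FAIL: $dir has mode $mode, expected 700" >&2
        return 1
    fi

    echo "OK: $dir (uid $owner, mode $mode)"
    return 0
}

# Typical call on a running system, as root:
#   check_lockdir /run/cryptsetup
```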