On Sat, 18 Sep 2021 at 16:30:38 +0200, Christoph Anton Mitterer wrote:
> On Sat, 2021-09-18 at 16:04 +0200, Guilhem Moulin wrote:
>> src:cryptsetup isn't the only consumer of /etc/crypttab, so this is a
>> wontfix.
>
> Who else uses it that can work without cryptsetup? Systemd via
> libcryptsetup?

crypttab is part of our public API, and any (packaged or not) software
can hook into it without explicitly depending on cryptsetup-bin let
alone cryptsetup. Removing that API is a wontfix.

> Then perhaps better to have a -common package that all can depend
> upon, than leaving cruft behind after purge?

I don't think the cleanup is worth the extra metadata and package cruft
overhead…

> And still, one could tighten the permissions.

I don't see why it makes more sense to og-rwx /etc/crypttab by default
compared to /etc/fstab or /etc/systemd/system. If that makes sense in
YOUR environment, then YOU are free to do it manually; src:cryptsetup
control files shouldn't change existing permission/ownership (it'd be a
valid bug if they do). Moreover tighter permissions have arguably
undesired side effects, such as broken bash completion for
`sudo cryptdisks_start <TAB>`.

Also FWIW /etc/crypttab is typically created by d-i, at least when using
the “encrypted root FS” layout. I don't have data at hand to back that
up, but I believe that preinst snippet is usually a noop.

-- 
Guilhem.