On Sat, 21 Oct 2006 20:15:07 +0200 Jonas Meurer <[EMAIL PROTECTED]> wrote:
> > # /etc/init.d/cryptdisks start > > Starting remaining crypto disks...STICK! > > home(starting) > > - INSECURE MODE FOR /media/usbstick/keyfile-shinkupaddo.luks > > done. > > where does this "STICK!" come from? Heh, ups, thats from my 'echo "STICK!"; read' in do_mounts, because I need a delay for loading the usb-storage etc. > which version of cryptsetup did you use before? i believe that this > was 1.0.4~rc2-1 because 1.0.4-1 introduced 'set -e' for the > initscript. dpkg.log says: upgrade cryptsetup 2:1.0.4~rc2-1 2:1.0.4-2 (and afterwards to -3) so you're correct. > > > also, how are permissions of the keyfile? > > > > the keyfile is on a vfat usb-stick, permissions are: > > # ls -alh /media/usbstick/keyfile-shinkupaddo.luks > > -rwxr-xr-x 1 root root 256 2006-08-28 > > 09:08 /media/usbstick/keyfile-shinkupaddo.luks > > > > Because of this I get the insecure more message (as I did in prior > > versions too, but there the luks partotion was open after that) > > As I understand, the behavior should be "give warning, but > > continue" (check_key || continue) - am I right? > > no, 'check_key || continue' actually says 'continue with the next > device if check_key fails. > i wonder whether this was different in the past. It worked with rc2, the warning came and partition was opened. But I dunno why ;-) > anyway it's not unusual to keep the key on a vfat usb-stick, so > cryptsetup should be able to cope with this situation. > > maybe the permission check should include a check for filesystems > which do not support file permissions, and go on with a warning in > these cases. Yep, that's a good idea. Another one I had: check if mountpoint is inside /media/ and wait for user action (inserting stick and waing for driver) which is now done by my 'read', because identifying the usb stick on boot is too slow and mounting fails. Isn't related to this "bug" but would be nice ;) Regards Evgeni -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
