Hello,

Bastian Kleineidam wrote:
Hi,

On Friday 20 February 2009 11:50:48, Wearenotalone wrote:
Yesterday I continued looking for a solution to my problem. At first I
changed my <volume> definition to

<volume fskeycipher="aes-256-cbc" fskeyhash="sha512" options="fsk_cipher=aes-256-cbc,fsk_hash=sha512,keyfile=/my/encrypted.key,fsck,noexec,nodev,nosuid,relatime,cipher=aes-cbc-essiv:sha256,keybits=256,hash=sha512" fskeypath="/my/encrypted.key" user="MYUSERNAME" mountpoint="/mnt" path="/my/encrypted.img" />

Was there a mount error without the changes? The options fsk_cipher and fsk_hash are duplicates of fskeycipher and fskeyhash, so I am wondering why you added them.

These entries are leftovers from my unsuccessful attempt to use the fsk_hash option with libpam_mount 0.44-1+lenny3. At the moment I use this config for version 1.9, 1.10 and 1.18:

<volume fskeycipher="aes-256-cbc" fskeyhash="sha512" options="fsck,noexec,nodev,nosuid,relatime,cipher=aes-cbc-essiv:sha256" fskeypath="/my/encrypted.key" user="MYUSERNAME" mountpoint="/mnt/tmp1" path="/my/encrypted.img" fstype="crypt" />

With version libpam-mount 1.9 and the keybits=256 option set, I get a segfault every time I log out. Without the keybits option, everything seems to be fine. With the newest libpam-mount 1.10 it is still the same.

After this unsatisfactory result I updated libpam-mount to version 1.18
Please test with official Debian packages, unless you want to take this problem to the official mailing list. I will package libpam-mount >> 1.10 when there is a safe upgrade path for the new cmtab code (ie.a fallback to mtab).

OK, I just wanted to inform you that the segfault is gone with the newest version. But even if this segfault is gone, the problems (unmount not successful / loop device on top of LUKS partition) still exist. For future tests I set up a VM with Debian so that I can test different libpam-mount packages without risking data loss. The previously mentioned tests in this mail (libpam-mount 1.9 and 1.10) were carried out in this VM (got the same results with my regular system before).

But why is a loop device attached to my LUKS partition? Is it not enough
if only the LUKS partition is mounted and not another loop device on top
of it?
What is your exact setup after mounting? I assume the following

/my/encrypted.img ----> (loop)
  /dev/loop0 ----> (luks)
  /dev/mapper/_my_enrypted_img ----> (loop)
  /dev/loop1

If this is the case, the second /dev/loop1 mount is indeed unneeded.

With keybits option and libpam-mount 1.10 ( before logout ):

$ losetup -a
/dev/loop0: [0801]:441553 (/my/encrypted.img)
/dev/loop1: [000d]:23903 (/dev/mapper/_my_encrypted_img)

$ mount | grep /my/encrypted.img
/my/encrypted.img on /mnt/tmp1 type crypt (keybits=256,noexec,nodev,nosuid,relatime)

$ cat /etc/mtab  | grep /my/encrypted.img
/my/encrypted.img /mnt/tmp1 crypt keybits=256,noexec,nodev,nosuid,relatime 0 0

$ tail -n 28 /var/log/all
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(pam_mount.c:312): pam_mount 1.10: entering auth stage
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_unix(login:session): session opened for user MYUSERNAME by LOGIN(uid=0)
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(pam_mount.c:458): pam_mount 1.10: entering session stage
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(pam_mount.c:479): back from global readconfig
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(pam_mount.c:481): per-user configurations not allowed by pam_mount.conf.xml
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(misc.c:38): Session open: (uid=0, euid=0, gid=1000, egid=1000)
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(rdconf2.c:182): checking sanity of volume record (/my/encrypted.img)
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(pam_mount.c:536): about to perform mount operations
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(mount.c:181): Mount info: globalconf, user=MYUSERNAME <volume server="(null)" path="/my/encrypted.img" mountpoint="/mnt/tmp1" cipher="(null)" fskeypath="/my/encrypted.key" fskeycipher="aes-256-cbc" fskeyhash="sha512" options="keybits=256,fsck,noexec,nodev,nosuid,relatime,cipher=aes-cbc-essiv:sha256" /> fstab=0
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(mount-sysv.c:57): realpath of volume "/mnt/tmp1" is "/mnt/tmp1"
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(mount-sysv.c:61): checking to see if /my/encrypted.img is already mounted at /mnt/tmp1
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(mount.c:494): checking for encrypted filesystem key configuration
Feb 24 18:09:34 MYHOSTNAME login[5707]: pam_mount(mount.c:497): about to start building mount command
Feb 24 18:09:34 MYHOSTNAME login[5707]: command: [mount.crypt] [-ofsk_cipher=aes-256-cbc] [-ofsk_hash=sha512] [-okeyfile=/my/encrypted.key] [-okeybits=256,fsck,noexec,nodev,nosuid,relatime,cipher=aes-cbc-essiv:sha256] [/my/encrypted.img] [/mnt/tmp1]
Feb 24 18:09:34 MYHOSTNAME login[5723]: pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=1000, egid=1000)
Feb 24 18:09:34 MYHOSTNAME login[5723]: pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1000, egid=1000)
Feb 24 18:09:36 MYHOSTNAME login[5707]: pam_mount(mount.c:75): mount errors:
Feb 24 18:09:36 MYHOSTNAME login[5707]: pam_mount(mount.c:78): Command successful.
Feb 24 18:09:36 MYHOSTNAME kernel: [ 3446.248291] kjournald starting. Commit interval 5 seconds
Feb 24 18:09:36 MYHOSTNAME kernel: [ 3446.285072] EXT3 FS on loop1, internal journal
Feb 24 18:09:36 MYHOSTNAME kernel: [ 3446.287153] EXT3-fs: mounted filesystem with ordered data mode.
Feb 24 18:09:36 MYHOSTNAME login[5707]: pam_mount(mount.c:539): waiting for mount
Feb 24 18:09:36 MYHOSTNAME login[5707]: command: [pmvarrun] [-u] [MYUSERNAME] [-o] [1]
Feb 24 18:09:36 MYHOSTNAME login[5759]: pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=1000, egid=1000)
Feb 24 18:09:36 MYHOSTNAME login[5759]: pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1000, egid=1000)
Feb 24 18:09:36 MYHOSTNAME login[5707]: pam_mount(pam_mount.c:418): pmvarrun says login count is 1
Feb 24 18:09:36 MYHOSTNAME login[5707]: pam_mount(pam_mount.c:550): done opening session (ret=0)

/my/encrypted.img ----> /dev/loop0 ----> /dev/mapper/_my_encrypted_img ----> /dev/loop1 ----> /mnt/tmp1 (see log from /var/log/all: ... kernel: [ 3446.285072] EXT3 FS on loop1 ... )

=> I think your assumption is correct :)

At the moment I am searching for the place in the sources where the
(second) loop device (/dev/loop1) is attached to my LUKS partition. Do
you have a hint where I could search?
Is this only occurring in the 1.18 codebase, or in 1.10 also?
As you can see above this also occurs in 1.9 and 1.10.

After looking through some lines of code (only 1.18 codebase) I think that the place where the loop device is attached to my LUKS partition is not in libpam-mount (mount.crypt). The problem is rather the way the mount command is called in mount.crypt: keybits option set => mount.crypt calls regular mount command => regular mount command implies loop option => /dev/mapper/_my_encrypted_img mounted with loop1 device to /mnt/tmp1 => unmount /mnt/tmp1 => loop1 still open => trying to luksClose /dev/mapper/_my_encrypted_img => segfault (1.9 / 1.10) and unmount error (1.9 / 1.10 / 1.18).

Any more questions?

Best Regards,
WANA
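
The stacking described in this message can be spotted directly from `losetup -a` output. The following is an added example, not part of the original mail or of libpam-mount; the function names are hypothetical and the sample input is the two `losetup -a` lines quoted above.

```shell
#!/bin/sh
# Added example: flag loop devices stacked on top of a device-mapper node.
# A loop device backed by /dev/mapper/* keeps the dm-crypt mapping busy,
# so closing the LUKS mapping fails until that loop device is detached.
# Expected input format (as printed in the message):
#   /dev/loopN: [dev]:inode (backing-path)

stacked_loops() {
    # Reads `losetup -a` style lines on stdin and prints "loopdev backing"
    # for every loop device whose backing path lies under /dev/mapper/.
    while IFS= read -r line; do
        dev=${line%%:*}          # text before the first colon
        backing=${line##*\(}     # text after the last "("
        backing=${backing%\)*}   # drop ")" and anything following it
        case "$backing" in
            /dev/mapper/*) printf '%s %s\n' "$dev" "$backing" ;;
        esac
    done
}

sample_losetup() {
    # Sample input: the losetup -a output quoted in the message.
    cat <<'EOF'
/dev/loop0: [0801]:441553 (/my/encrypted.img)
/dev/loop1: [000d]:23903 (/dev/mapper/_my_encrypted_img)
EOF
}

check_sample() {
    sample_losetup | stacked_loops
}

# Stand-alone run on the sample; on a live system use: losetup -a | stacked_loops
check_sample
```

Only /dev/loop1 is reported: loop0 backing the image file is expected, while a loop device on top of the mapper node is the unneeded layer.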


