Package: initscripts
Version: 2.86.ds1-61
Severity: critical
File: /etc/init.d/checkroot.sh
Justification: causes serious data loss
I was rather horrified to watch my laptop boot with a dirty root filesystem mounted read/write. Upon further investigation, I discovered that checkroot.sh and checkfs.sh are hardcoded to bypass filesystem checks if AC power is not present.

This makes no sense. If a journalling filesystem has errors, it should not be mounted read/write until those errors are corrected. Non-journalling filesystems always need fsck if they are unmounted uncleanly, so they shouldn't be mounted read/write without checking and possible correction either. Both cases require fsck before mounting regardless of the power source.

Failing to fsck in either case can cause serious data loss, especially if the filesystem's metadata falsely indicates occupied space is free and the system is used for some time. This can lead to duplicate allocations between filesystem metadata and user data, which leads to data loss, security problems, unintentional data disclosure, and worse. Recovery from errors of this kind is nearly impossible without a good set of backups handy. Serious problems can remain undetected for sufficiently long periods of time that backups get corrupted as well.

The problem is even worse for laptops that are only rebooted due to crashes, and only crash "in the field" while running on battery power. Such machines may never run fsck until the corruption is sufficiently bad that the machine is unusable.

I would propose that the battery power status should only be tested in checkroot.sh and checkfs.sh if a configuration setting explicitly permits it. For example, a variable FSCKONBATTERY might be added to /etc/default/rcS with these options:

  yes - check filesystems regardless of battery status (ignore
        on_ac_power entirely). This should be the default.

  no  - don't check filesystems when on_ac_power returns false.
        This is the current behavior.

The system should not corrupt data by default, which is why the default I propose above is different from the current behavior.

Installed systems which are upgrading from legacy versions of initscripts might preserve the old behavior in accordance with the principle of least surprise, but all new systems should be installed with the default set as above. I would argue that unexpected data corruption is a much bigger surprise than fscks on battery, but other bugs filed against this package suggest people actually prefer the broken behavior, and these people would probably complain if we fixed it for them.

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable'), (189, 'testing'), (179, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28.4-zb64 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages initscripts depends on:
ii  debianutils     2.30         Miscellaneous utilities specific t
ii  e2fsprogs       1.41.3-1     ext2/ext3/ext4 file system utiliti
ii  libc6           2.9-4        GNU C Library: Shared libraries
ii  lsb-base        3.2-20       Linux Standard Base 3.2 init scrip
ii  mount           2.13.1.1-1   Tools for mounting and manipulatin
ii  sysvinit-utils  2.86.ds1-61  System-V-like utilities

Versions of packages initscripts recommends:
ii  psmisc          22.6-1       Utilities that use the proc filesy

initscripts suggests no packages.

-- no debconf information
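The following is an added illustration of the guard the report proposes, not code from the initscripts package or from the reporter. It assumes the variable name FSCKONBATTERY and its yes/no values exactly as proposed above, and it takes the on_ac_power result as an argument so it runs offline; the exit codes it interprets are those documented for on_ac_power(1) from powermgmt-base (0 = on AC, 1 = on battery, 255 = cannot determine). The generalisation beyond the report is the handling of the "cannot determine" case: only a positive battery reading, never an unknown one, is allowed to suppress the check.

```shell
#!/bin/sh
# Added example (not the initscripts package's code): how a checkroot.sh-style
# guard could honour a FSCKONBATTERY setting sourced from /etc/default/rcS.
# Assumptions: FSCKONBATTERY and its yes/no values are the reporter's proposal;
# $2 mirrors the on_ac_power exit status (0 = on AC, 1 = battery, 255 = unknown).

# Decide whether fsck must run.
#   $1 - FSCKONBATTERY value ("yes", "no", or empty, which is treated as "yes")
#   $2 - exit status of on_ac_power (0, 1 or 255)
# Returns 0 when fsck should run, 1 when it may be skipped.
should_fsck() {
    setting=${1:-yes}
    ac_status=$2
    case "$setting" in
        no)
            # Only skip when on_ac_power positively reports battery power.
            # An unknown result (255) must not suppress the check.
            if [ "$ac_status" = 1 ]; then
                return 1
            fi
            return 0
            ;;
        *)
            # "yes" (the proposed default) or any unrecognised value: always check.
            return 0
            ;;
    esac
}

# Stand-alone demonstration over every combination of setting and power state
# (constructed input; a real init script would run on_ac_power and pass "$?").
if [ "${1:-}" = "demo" ]; then
    for s in yes no ""; do
        for st in 0 1 255; do
            if should_fsck "$s" "$st"; then r=run; else r=skip; fi
            printf 'FSCKONBATTERY=%-7s on_ac_power=%-3s -> %s fsck\n' \
                "${s:-(unset)}" "$st" "$r"
        done
    done
fi
```

Run it as `sh fsckonbattery.sh demo` to print the decision table; in an init script the call would be `on_ac_power; should_fsck "$FSCKONBATTERY" "$?"` after sourcing /etc/default/rcS, so that an unset variable on an upgraded system still defaults to checking.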