eCryptfs

Merge lp:~tyhicks/ecryptfs/lp1597154-packaging into lp:ecryptfs

  1. lp1597154-packaging
  2. Merge into trunk
Proposed by Tyler Hicks
Status: Merged
Merge reported by: Tyler Hicks
Merged at revision: not available
Proposed branch: lp:~tyhicks/ecryptfs/lp1597154-packaging
Merge into: lp:ecryptfs
Diff against target: 84 lines (+52/-0)
3 files modified
debian/changelog (+6/-0)
debian/ecryptfs-utils.postinst (+42/-0)
src/utils/ecryptfs-setup-swap (+4/-0)
To merge this branch: bzr merge lp:~tyhicks/ecryptfs/lp1597154-packaging
Reviewer Review Type Date Requested Status
Martin Pitt (community) Approve
Jason Gerard DeRose (community) Approve
eCryptfs Pending
Review via email: mp+299605@code.launchpad.net

Description of the change

Changes to the Debian packaging to automatically fixup existing installations which are affected by the GPT unencrypted swap partitions that are marked as auto mount.

To post a comment you must log in.
Revision history for this message
Jason Gerard DeRose (jderose) wrote :

Tyler,

Reading through the code, everything looks solid.

I also (synthetically) tested your proposed postinst script using `sudo dash ecryptfs-utils.postinst configure` on an appropriately configured system with an NVMe drive on which I first deliberately unset bit 63, and it worked fine. Your postinst script likewise worked fine when running it again after bit 63 was already set. (Although note that I didn't yet test using a built package with this change, with all the real-word mechanics of the postinst script being called in exact the circumstance that it would be for normal users.)

There are a few small issue I found with https://www.shellcheck.net/ (within the code added by this merge) that should probably be addressed eventually, but nothing that I consider deal breaking.

Finally, thanks for your comment about keeping ecryptfs-utils.postinst and ecryptfs-setup-swap in-sync. A very smart call there, in my opinion.

As soon as there's a package in xenial-proposed, I'll put this change through its paces in a 100% real-world scenario.

-Jason

review: Approve
Revision history for this message
Martin Pitt (pitti) wrote :

I didn't realize that we didn't have a corresponding postinst snippet for un-marking those as swap partition; I did that in the vivid SRU (http://launchpadlibrarian.net/205003673/ecryptfs-utils_107-0ubuntu1_107-0ubuntu1.1.diff.gz), was that lost during merge?

Either way, thanks for bringing it back, and adjusting it for nvme!

review: Approve
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks for the reviews.

@Jason I fixed up a couple of the shellcheck warnings before merging.

@Martin Yes, it looks like your postinst snippet for vivid was lost. The way that new upstream eCryptfs releases are cut and uploaded to Ubuntu makes this a possibility for any packaging changes that are not upstreamed to lp:ecryptfs. :/

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

@pitti, it would be great if, when you upload to Ubuntu, you also
proposal a merge against lp:ecryptfs, so that we don't lose track of
it. I try to stay on top of non-maintainer uploads, and pull those
back upstream, but occasionally these get missed. Thanks!

Dustin Kirkland
Ubuntu Product & Strategy
Canonical, Ltd.

On Tue, Jul 12, 2016 at 11:03 PM, Tyler Hicks <email address hidden> wrote:
> Thanks for the reviews.
>
> @Jason I fixed up a couple of the shellcheck warnings before merging.
>
> @Martin Yes, it looks like your postinst snippet for vivid was lost. The way that new upstream eCryptfs releases are cut and uploaded to Ubuntu makes this a possibility for any packaging changes that are not upstreamed to lp:ecryptfs. :/
> --
> https://code.launchpad.net/~tyhicks/ecryptfs/lp1597154-packaging/+merge/299605
> Your team eCryptfs is requested to review the proposed merge of lp:~tyhicks/ecryptfs/lp1597154-packaging into lp:ecryptfs.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'debian/changelog'
--- debian/changelog 2016-07-06 22:31:21 +0000
+++ debian/changelog 2016-07-08 21:35:34 +0000
@@ -18,6 +18,12 @@
18 erroneously prompted to enter a pass-phrase to unlock their swap partition18 erroneously prompted to enter a pass-phrase to unlock their swap partition
19 at boot. (LP: #1597154)19 at boot. (LP: #1597154)
2020
21 [ Tyler Hicks ]
22 * debian/ecryptfs-utils.postinst: Fix any unencrypted GPT swap partitions
23 that have mistakenly remained marked as auto mount. This should only
24 modify the swap partitions on systems that ecryptfs-setup-swap has been
25 used on. (LP: #1447282, LP: #1597154)
26
21 -- Dustin Kirkland <kirkland@ubuntu.com> Fri, 26 Feb 2016 18:00:18 -060027 -- Dustin Kirkland <kirkland@ubuntu.com> Fri, 26 Feb 2016 18:00:18 -0600
2228
23ecryptfs-utils (111) xenial; urgency=medium29ecryptfs-utils (111) xenial; urgency=medium
2430
=== modified file 'debian/ecryptfs-utils.postinst'
--- debian/ecryptfs-utils.postinst 2015-08-04 16:29:37 +0000
+++ debian/ecryptfs-utils.postinst 2016-07-08 21:35:34 +0000
@@ -66,6 +66,48 @@
66 done66 done
67 done < /etc/crypttab67 done < /etc/crypttab
68 fi68 fi
69
70 # Fix up GPT unencrypted swap partitions that have not been
71 # marked as no-auto mounting in order to prevent systemd from
72 # using them before the encrypted swap can be initialized
73 # (LP: #1447282, LP: #1597154).
74 #
75 # IMPORTANT: Much of this code is duplicated from
76 # ecryptfs-setup-swap. Please keep the two in sync when making
77 # any changes.
78 if [ -e /etc/crypttab ] && [ -e /etc/fstab ]; then
79 while read mapper_dev phys_dev keyfile options; do
80 # only consider cryptswapN devices from ecryptfs-setup-swap
81 [ "$mapper_dev" != "${mapper_dev#cryptswap}" ] || continue
82 [ "${options#*swap,}" != "$options" ] || continue
83 # ignore devices without offset=, they would cause #953875 again
84 [ "${options%offset=*}" != "$options" ] || continue
85 # get/verify UUID
86 uuid="${phys_dev#UUID=}"
87 [ -e /dev/disk/by-uuid/$uuid ] || continue
88
89 # If this is a GPT partition, mark it as no-auto mounting, to avoid
90 # auto-activating it on boot
91 swap_dev=$(blkid -U $uuid)
92 if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap_dev")" = "gpt" ]; then
93 # Correctly handle NVMe/MMC drives, as well as any similar physical
94 # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)
95 if echo "$swap_dev" | grep -qE "^/dev/.+[0-9]+p[0-9]+$"; then
96 drive=$(echo "$swap_dev" | sed "s:\(.\+[0-9]\)p[0-9]\+:\1:")
97 else
98 drive=$(echo "$swap_dev" | sed "s:\(.\+[^0-9]\)[0-9]\+:\1:")
99 fi
100 partno=$(echo "$swap_dev" | sed "s:.\+[^0-9]\([0-9]\+\):\1:")
101 if [ -b "$drive" ] && \
102 ! printf "x\np\n" | fdisk "$drive" | grep -q "^$swap_dev .* GUID:.*\b63\b"; then
103 # toggle flag 63 ("no auto")
104 echo "Marking GPT swap partition $swap_dev as no-auto ..."
105 # unfortunately fdisk fails on "cannot re-read part table" and is very verbose
106 printf "x\nS\n$partno\n63\nr\nw\n" | fdisk "$drive" >/dev/null 2>&1 || true
107 fi
108 fi
109 done < /etc/crypttab
110 fi
69 ;;111 ;;
70 abort-upgrade|abort-remove|abort-deconfigure)112 abort-upgrade|abort-remove|abort-deconfigure)
71113
72114
=== modified file 'src/utils/ecryptfs-setup-swap'
--- src/utils/ecryptfs-setup-swap 2016-07-06 22:31:21 +0000
+++ src/utils/ecryptfs-setup-swap 2016-07-08 21:35:34 +0000
@@ -165,6 +165,10 @@
165165
166 # If this is a GPT partition, mark it as no-auto mounting, to avoid166 # If this is a GPT partition, mark it as no-auto mounting, to avoid
167 # auto-activating it on boot167 # auto-activating it on boot
168 #
169 # IMPORTANT: Much of this code is duplicated in
170 # debian/ecryptfs-utils.postinst. Please keep the two in sync when
171 # making any changes.
168 if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then172 if [ "$(blkid -p -s PART_ENTRY_SCHEME -o value "$swap")" = "gpt" ]; then
169 # Correctly handle NVMe/MMC drives, as well as any similar physical173 # Correctly handle NVMe/MMC drives, as well as any similar physical
170 # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)174 # block device that follow the "/dev/foo0p1" pattern (LP: #1597154)

Subscribers

People subscribed via source and target branches