cryptsetup complains about INSECURE OWNER on boot after installing selinux

Bug #231339 reported by goto on 2008-05-17
Affects Status Importance Assigned to Milestone
cryptsetup (Ubuntu)
Reinhard Tartler

Bug Description

Binary package hint: cryptsetup

The problem appears to arise from the fact that SElinux-labeled volumes use POSIX file attributes such that an `ls -l` looks like this:
-r--------+ 1 root root 96 2007-11-20 15:15 volume_key

instead of just
-r-------- 1 root root 96 2007-11-20 15:15 volume_key

As a result the check_key() function in /lib/cryptsetup/cryptdisks.functions gets confused when trying to figure out the owner of the key file.

I have encountered this supposed bug with 2:1.0.5-2ubuntu12 (Ubuntu Hardy).
Attached please find a patch that will solve the problem. Feel free to improve on it.

goto (gotolaunchpad) wrote :
Changed in cryptsetup:
status: New → Triaged
importance: Undecided → Medium
Changed in cryptsetup:
assignee: nobody → siretart
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cryptsetup - 2:1.0.6-2ubuntu1

cryptsetup (2:1.0.6-2ubuntu1) intrepid; urgency=low

  * Merge new debian version. Remaining changes:
    - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
      bzr on launchpad.
    - debian/rules: cryptsetup is linked dynamically against libgcrypt and
    - cryptdisks.functions: stop usplash on user input. LP #62751
    - Parse comments in lines not starting with '#', LP #185380
    - If the encrypted source device hasn't shown up yet, give it a
      little while to deal with removable devices. LP #164044
  * Depend on race-free version of libdevmapper, thus making udevsettle
    call from cryptsetup binary unnecessary. Dropping patch
  * remove patch from LP #73862, loading optimized modules has been solved
    in debian in another way.
  * cryptdisk.functions: remove spurious call to load_optimized_module.
    LP: #239946
  * bugfix: make regex work if keyfile has extended attributes. LP: #231339.
  * remove patch in cryptdisks.functions for rexecing the script itself for
    ensuring that a tty is always available. (See LP #58794.) According to
    Scott, this is not necessary anymore.

cryptsetup (2:1.0.6-2) unstable; urgency=low

  [ Jonas Meurer ]
  * Taken from ubuntu:
    - debian/scripts/luksformat: Use 256 bit key size by default. (LP: #78508)
    - debian/patches/02_manpage.patch: Clarify default key sizes (128 for
      luksFormat and 256 for create) in cryptsetup.8. (side-note in LP #78508)
  * Use 'shred -uz' instead of 'rm -r' to remove a tempfile that contains a
    key in gen-ssl-key example script.

  [ David Härdeman ]
  * Misc bugfixes to askpass, make sure it is installed to the correct
    location and is built using pedantic mode.
  * Change the initramfs script to use askpass to prompt for
    passphrases, this should hopefully fix #382375 and #465902 once it
    is enabled in the init scripts as well.
  * Add a keyscript called passdev which allows a keyfile to be
    retrieved from a device which is first mounted, mainly useful to get
    keyfiles off USB devices etc.
  * Unbreak MODULES=dep booting (closes: #478268)
  * Relax checks for suspend devices a bit (closes: #477658)
  * Convert man pages to docbook.

cryptsetup (2:1.0.6-1ubuntu4) intrepid; urgency=low

  [ Kjell Braden ]
  * Fix configuration parsing (LP: #239808)

  [ Reinhard Tartler ]
  * cryptroot-script: use 'echo' instead of 'log_begin_msg' (LP: #237723)

 -- Reinhard Tartler <email address hidden> Sat, 14 Jun 2008 23:28:51 +0200

Changed in cryptsetup:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers