[dm-crypt] u?mount (8) helper script for luks encrypted disks

Matthias Schniedermeyer ms at citd.de
Fri Aug 30 01:16:05 CEST 2013


On 29.08.2013 07:50, Milan Broz wrote:
> On 26.8.2013 10:23, Matthias Schniedermeyer wrote:
> >Personally i "solved" this by renaming /bin/mount to /bin/mount.orig
> >and putting a shell-script as /bin/mount that checks if i want to mount
> >a /dev/mapper/XXX and does the setup of XXX before it calls
> >/bin/mount.orig.
> 
> Underlying device construction can be very complex task sometimes
> (it can be combination of lvm, mdraid, multipath, partitions and whatever.)
> 
> So while it works for your use case, it will not work for other.

And there will never be a "one size fits all" solution for this.

Sure, someone could create a "monster" that could cope with anything.
But that wouldn't be KISS.

So for the cases that are simple, a mount-option to exec something 
before the actual mount happens would suffice.
(I aimed my solutions for autofs with ghosting.)

> >"Back then" when i implemented that about 1.5 years ago i tried to
> >explain to Karel Zak (util-linux maintainer) that a generic "premount"
> >and "postumount" command in (u)mount could solve this generic problem.
> >The Problem that all cryptographic-setups need (at least) one more step
> >to setup(/tear-down) a device. But that didn't happen and i didn't try
> >to open the issue again.
> 
> 
> For that particular case, LUKS tear down, I think we had a better approach.
> Just implement auto removal on last device close (similar to loop device
> autoclear flag.)
> 
> For more info see
> https://bugzilla.redhat.com/show_bug.cgi?id=873734

I will see if it works and can kill the umount-part if it works for me.

> 
> Milan
> 
> p.s.
> Be very careful with shell scripts in mount helpers here.
> It will run under the same UID as mount, which means root for LUKS here.

In my case that's not the case, Shell-scripts (under normal 
circumstances) can't be SUIDed. So as i've intercepted the original call 
to mount it will run with the UID of the caller and will only SUID root 
when mount.orig is execed.

So if i would call it as my user, it simply wouldn't work as it couldn't 
construct the mapper.



-- 

Matthias


More information about the dm-crypt mailing list