On Mon, Aug 14, 2006 at 01:35:00PM +0200, Max Vozeler wrote:
> On Mon, Aug 14, 2006 at 09:39:57AM +0200, Lionel Elie Mamane wrote:
>> On Sun, Aug 06, 2006 at 05:06:41PM +0200, Lionel Elie Mamane wrote:
>>> On Wed, Jul 26, 2006 at 12:03:23PM +0200, Max Vozeler wrote:

>>>> At the start of mkinitramfs umask is initialized to 0022.

>>> I've filed a bug to ask it to be initialised to 0077. Simplest,
>>> easiest.

>> OK, he's reluctant to have it done unconditionally, so I made it a
>> configuration option. Here is the loop-aes-utils side of that
>> (untested, roughly done), assuming he takes my second patch.

> Too bad, but I think we can live with it.
> -ENOPATCHATTACHED :-)

Really, this time.

>> The question is, do we want to do it unconditionally when
>> loop-aes-utils is installed? Should we rather duplicate (or move)
>> the logic checking for "is the root on encrypted root?" to
>> /etc/initramfs-tools/conf.d/loopaes?

> I've thought about that too. IMHO it would be preferable to check
> whether we need it and only set umask if so. Without testing: Could
> we figure this out in conf.d and export a flag like HAVE_LOOPAES or
> so to be used by initramfs-tools-hook?

mkinitramfs sources /usr/share/initramfs-tools/scripts/functions and
/usr/share/initramfs-tools/hook-functions before sourcing the config
files, so I foresee no particular problem in doing that (it is what I
called "moving the logic checking for \"is the root on encrypted
root?\" to /etc/initramfs-tools/conf.d/loopaes").

-- 
Lionel
diff -uN --recursive loop-aes-utils-2.12r.v3/debian/initramfs-tools-conf 
loop-aes-utils-2.12r.v4/debian/initramfs-tools-conf
--- loop-aes-utils-2.12r.v3/debian/initramfs-tools-conf 1970-01-01 
01:00:00.000000000 +0100
+++ loop-aes-utils-2.12r.v4/debian/initramfs-tools-conf 2006-08-14 
09:30:11.957112433 +0200
@@ -0,0 +1,3 @@
+# When the root is on loop-aes, cryptographic keys are in the
+# initramfs; hence restrict the umask.
+UMASK=0077
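Review bot: UMASK=0077 is assigned unconditionally in this new file, so the "When the root is on loop-aes" condition in the comment is never tested and every initramfs built with loop-aes-utils installed gets the restricted umask. Either guard the assignment with the encrypted-root check discussed in the thread, or reword the comment to say the setting always applies. The comment could also state that the variable only has an effect with an initramfs-tools that reads UMASK.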
diff -uN --recursive loop-aes-utils-2.12r.v3/debian/loop-aes-utils.dirs 
loop-aes-utils-2.12r.v4/debian/loop-aes-utils.dirs
--- loop-aes-utils-2.12r.v3/debian/loop-aes-utils.dirs  2006-07-25 
17:56:05.918240004 +0200
+++ loop-aes-utils-2.12r.v4/debian/loop-aes-utils.dirs  2006-08-14 
09:32:53.896459335 +0200
@@ -7,3 +7,4 @@
 /usr/share/lintian/overrides
 /usr/share/initramfs-tools/scripts/local-top
 /usr/share/initramfs-tools/hooks
+/etc/initramfs-tools/conf.d/
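Review bot: the added entry "/etc/initramfs-tools/conf.d/" ends in a trailing slash while the three context entries above it do not; drop the slash so the list stays consistent.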
diff -uN --recursive loop-aes-utils-2.12r.v3/debian/rules 
loop-aes-utils-2.12r.v4/debian/rules
--- loop-aes-utils-2.12r.v3/debian/rules        2006-07-25 17:56:05.918240004 
+0200
+++ loop-aes-utils-2.12r.v4/debian/rules        2006-08-14 09:33:13.681845029 
+0200
@@ -67,6 +67,7 @@
        # initramsfs-tools integration
        install -m 755 debian/initramfs-tools-script 
$(DIR)/usr/share/initramfs-tools/scripts/local-top/loopaes
        install -m 755 debian/initramfs-tools-hook 
$(DIR)/usr/share/initramfs-tools/hooks/loopaes
+       install -m 755 debian/initramfs-conf 
$(DIR)/etc/initramfs-tools/conf.d/loopaes
 
 binary-indep: build install
 
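Review bot: the added install line takes debian/initramfs-conf as its source, but the file this patch creates is debian/initramfs-tools-conf, so the install step has no file to copy; use the same name in both places. The fragment holds only a variable assignment and is meant to be sourced, so -m 644 fits better than the -m 755 copied from the script and hook lines above it.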

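The exposure this thread is about, as an added example that is not part of the original mail or of loop-aes-utils: it shows the mode a file gets under umask 0022 versus 0077 and audits a directory for images that group or other can read. The `initrd.img-*` name pattern, the function names and the scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): effect of the build-time umask on a
# key-bearing image, plus an audit for images other users can read.

# make_image DIR NAME UMASK
# Stand-in for the image build: creates an empty file under the given umask.
make_image() {
    ( umask "$3" && : > "$1/$2" )
}

# mode_of FILE -> octal permission bits (GNU stat)
mode_of() {
    stat -c '%a' "$1"
}

# exposed_images DIR -> images in DIR readable by group or other.
# The initrd.img-* pattern is an assumption about the image naming.
exposed_images() {
    find "$1" -maxdepth 1 -type f -name 'initrd.img-*' -perm /044 | sort
}

# Constructed demo in a scratch directory; nothing under /boot is touched.
demo() {
    d=$(mktemp -d) || return 1
    make_image "$d" initrd.img-default 0022      # umask the thread starts from
    make_image "$d" initrd.img-restricted 0077   # umask the patch configures
    # Rewriting an existing file keeps its old mode: umask applies only at creation.
    make_image "$d" initrd.img-default 0077
    for f in "$d"/initrd.img-*; do
        printf '%s %s\n' "$(mode_of "$f")" "${f##*/}"
    done
    printf 'exposed: %s\n' "$(exposed_images "$d" | sed 's|.*/||')"
    rm -rf "$d"
}

demo
```

Pointing `exposed_images` at the directory that holds the real images shows which ones were written before the umask was tightened and still carry their old mode.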