commit a043f983b27fe3f8e697a1405462ce411ab28da8
Author: Jan Palus <[email protected]>
Date:   Wed Sep 28 17:46:24 2022 +0200

    luks: look for key in /etc/cryptsetup-keys.d
    
    if key is empty or "none" or "-" crypttab(5) instructs to look for key
    in "/etc/cryptsetup-keys.d/<LUKSNAME>.key". don't fail if it's missing
    though:
    
    If the field is not present or is "none" or "-", a key file named after
    the volume to unlock (i.e. the first column of the line), suffixed with
    .key is automatically loaded from the /etc/cryptsetup-keys.d/ and
    /run/cryptsetup-keys.d/ directories, if present.

 mod-luks.sh | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)
---
diff --git a/mod-luks.sh b/mod-luks.sh
index b6edde8..94b6499 100644
--- a/mod-luks.sh
+++ b/mod-luks.sh
@@ -117,26 +117,31 @@ luks_crypttab() {
        local LUKSNAME="$1"
 
        # copy from /etc/rc.d/init.d/cryptsetup
-       local dst src key opt mode owner
+       local dst src key opt mode owner failsafe
 
        while read dst src key opt; do
                [ "$dst" != "$LUKSNAME" ] && continue
 
-               if [ -n "$key" ] && ( [ "x$key" != "xnone" ] || [ "x$key" != 
"x-" ] ); then
-                       if test -e "$key" ; then
-                               mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
-                               owner=$(LC_ALL=C ls -l $key | awk '{ print $3 
}')
-                               if [ "$mode" != "------" ] && ! key_is_random 
"$key"; then
-                                       die "INSECURE MODE FOR $key"
-                               fi
-                               if [ "$owner" != root ]; then
-                                       die "INSECURE OWNER FOR $key"
-                               fi
-                       else
-                               die "Key file for $dst not found"
+               failsafe=""
+
+               if [ -z "$key" ] || [ "x$key" = "xnone" ] || [ "x$key" = "x-" 
]; then
+                       failsafe=1
+                       key="/etc/cryptsetup-keys.d/$LUKSNAME.key"
+               fi
+
+               if test -e "$key" ; then
+                       mode=$(LC_ALL=C ls -l "$key" | cut -c 5-10)
+                       owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')
+                       if [ "$mode" != "------" ] && ! key_is_random "$key"; 
then
+                               die "INSECURE MODE FOR $key"
                        fi
-               else
+                       if [ "$owner" != root ]; then
+                               die "INSECURE OWNER FOR $key"
+                       fi
+               elif [ -n "$failsafe" ]; then
                        key=""
+               else
+                       die "Key file for $dst not found"
                fi
 
                src=$(find_devname "$src")
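Review bot: `owner=$(LC_ALL=C ls -l $key | awk '{ print $3 }')` on the new side still expands `$key` unquoted, while the `mode=` line directly above quotes it; now that the fallback path is built from `$LUKSNAME`, a name containing whitespace or glob characters would make the owner check inspect a different path (or fail) than the one the mode check and the later copy use, so it should read `owner=$(LC_ALL=C ls -l "$key" | awk '{ print $3 }')`. The unquoted expansion predates this commit, but the hunk rewrites the surrounding block. Separately, the description cites both `/etc/cryptsetup-keys.d/` and `/run/cryptsetup-keys.d/` as automatic key locations, yet only the former is tried; if skipping `/run` is deliberate because this runs at initrd build time, a one-line comment above `failsafe=1` saying so would spare the next reader the check. luks_crypttab continues outside the hunk on both sides.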
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/projects/geninitrd.git/commitdiff/ddf87c79b74022a30cec286191d31d186be184cf
