Bug#806256: libpam-systemd: log out from a TTY and your X input devices get lost!

2021-05-02 Thread Dmitriy Matrosov
Package: bash
Version: 5.1-2+b1
Followup-For: Bug #806256

Hi.

This bug seems the same as "fixed" bugs #805605 and #810660, which are
definitely not fixed yet.  The freeze is caused by the vt switch performed by
'clear_console', and the committed "fix" just changed the vt (chosen for the
switch) from 1 and 2 to 5 and 6:

@@ -205,7 +205,7 @@
 #if defined(__linux__)
   num = vtstat.v_active;
 #endif
-  tmp_num = (num == 1 ? 2 : 1);
+  tmp_num = (num == 6 ? 5 : 6);

   /* switch vt to clear the scrollback buffer */
   if (ioctl(fd, VT_ACTIVATE, tmp_num))
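Review bot: `tmp_num = (num == 6 ? 5 : 6);` still hard-codes the temporary console, so the VT_ACTIVATE below it switches to vt 5 or 6 whether or not something already runs there; the affected consoles move from 1/2 to 5/6 and nothing else changes. Consider asking the kernel for an unused console (VT_OPENQRY) and skipping the switch when none is free, and add a comment saying why a second vt is needed at all.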

So, since this can't fix anything, the bug is easily reproducible:

1. Start X on vt 6.
2. Log in at any other vt.
3. Run '/usr/bin/clear_console' and X crashes/freezes.



-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-security'), (40, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bash depends on:
ii  base-files   11
ii  debianutils  4.11.2
ii  libc6        2.31-11
ii  libtinfo6    6.2+20201114-2

Versions of packages bash recommends:
ii  bash-completion  1:2.11-2

Versions of packages bash suggests:
pn  bash-doc  

-- no debconf information



Bug#838291: wpasupplicant: networking.service fails to bring up wlan interface, when VERBOSE set to yes

2017-08-10 Thread Dmitriy Matrosov
On August 10, 2017 3:02:03 PM GMT+03:00, Kilian Krause wrote:
>Hi Dmitriy,
>
>since your bug actually breaks non-VERBOSE mode, I'd suggest using as
>patch:
>--(snip)--
># diff -u /etc/wpa_supplicant/functions.sh /tmp/functions.sh 
>--- /etc/wpa_supplicant/functions.sh2017-02-20 11:55:11.0
>+0100
>+++ /tmp/functions.sh   2017-08-10 13:58:58.532248148 +0200
>@@ -49,7 +49,7 @@
> 
> # verbosity variables
> if [ -n "$IF_WPA_VERBOSITY" ] || [ "$VERBOSITY" = "1" ]; then
>-   TO_NULL="/dev/stdout"
>+   TO_NULL="&1"
>DAEMON_VERBOSITY="--verbose"
> else
>TO_NULL="/dev/null"
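Review bot: `TO_NULL="&1"` cannot act as a redirection target if the variable is later used as `>$TO_NULL`, which the `/dev/null` value in the else branch implies. The shell recognises `>&1` only while parsing the command, so after expansion `&1` is an ordinary file name and the output ends up in a file called `&1` in the current directory. Either keep both branches as paths, or drop the variable and route the output through a small function that decides whether to discard it.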
>@@ -117,7 +117,7 @@
>;;
>"stderr")
>shift
>-   echo "$WPA_SUP_PNAME: $@" >/dev/stderr
>+   echo "$WPA_SUP_PNAME: $@" >&2
>;;
>*)
>;;
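Review bot: `"$WPA_SUP_PNAME: $@"` in the "stderr" branch embeds `$@` in a longer quoted word, so a call with several arguments expands to several words with the prefix attached only to the first. Since this line is being touched anyway, use `$*` to state that one message string is meant; the switch from `>/dev/stderr` to `>&2` itself is fine because it duplicates the existing descriptor instead of reopening a path.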
># 
>--(snip)--
>
>That one works for me and does maintain the current feature set.
>
>Best,
>Kilian

Hi.

I don't understand your patch. The following constructs do not work for me:

$ sh -c '( v="&1"; echo abc >$v; )'
$ sh -c '( v="/dev/null"; echo abc >$v; )'
$ bash -c '( v="&1"; echo abc >$v; )'
$ bash -c '( v="/dev/null"; echo abc >$v; )'
$

Only this one does:

$ sh -c '( v="&1"; eval "echo abc >$v"; )'
abc
$ sh -c '( v="/dev/null"; eval "echo abc >$v"; )'
$

In other words, as far as I understand, your patch breaks verbose mode.

But mine seems to break non-verbose mode, yes, I see that now. I'm not sure
whether using `eval` is a good fix. If not, the `echo` lines may be rewritten
to use a separate function, which will log appropriately. And `wpa_cli` also
may be rewritten as a function. E.g.

run_and_log wpa_cli $WPACLISET_VARIABLE "$WPACLISET_VALUE"

which will just treat its first argument as command, or (may be safer) as

wpa_cli_wlog $WPACLISET_VARIABLE "$WPACLISET_VALUE"

which will just handle verbosity as appropriate.

(I didn't test this, just speculating and may be wrong.)
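The behaviour discussed in the message above, as an added sketch that is not part of the original post or of wpa_supplicant's functions.sh: it shows where `>$v` with `v="&1"` actually writes, and a wrapper function that handles verbosity without `eval`. The names `run_and_log` (borrowed from the suggestion above), `VERBOSE_MODE`, `SAMPLE_VALUE` and the helper functions are assumptions.

```shell
#!/bin/sh
# Added example: run_and_log, VERBOSE_MODE and the helper names are
# hypothetical, not taken from /etc/wpa_supplicant/functions.sh.

# The shell recognises redirection operators while parsing, before it expands
# variables. After expansion "&1" is only a file name.
# Returns 0 if `echo abc >$v` with v='&1' wrote into a file called "&1".
variable_target_is_a_file() {
    tmpdir=$(mktemp -d) || return 2
    captured=$(cd "$tmpdir" && v='&1' && echo abc >$v)
    rc=1
    if [ -z "$captured" ] && [ "$(cat "$tmpdir/&1" 2>/dev/null)" = "abc" ]; then
        rc=0
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# Run a command, discarding its stdout unless VERBOSE_MODE=1. The command's
# exit status is preserved and its arguments are never re-parsed.
run_and_log() {
    if [ "${VERBOSE_MODE:-0}" = "1" ]; then
        "$@"
    else
        "$@" >/dev/null
    fi
}

# Constructed value standing in for something like $WPACLISET_VALUE.
SAMPLE_VALUE='home net; echo second-command'

# eval re-parses the expanded text, so the ";" starts a second command.
lines_printed_with_eval() {
    target='&1'
    eval "echo $SAMPLE_VALUE >$target" | wc -l | tr -d ' '
}

# The function passes the value as one argument; it is printed, not executed.
lines_printed_with_function() {
    VERBOSE_MODE=1 run_and_log echo "$SAMPLE_VALUE" | wc -l | tr -d ' '
}

if variable_target_is_a_file; then
    echo 'echo abc >$v with v="&1" created a file named "&1"'
fi
echo "eval: $(lines_printed_with_eval) lines, run_and_log: $(lines_printed_with_function) line"
```

The two-line result of the `eval` variant is the reason to prefer the function: any value that reaches `eval` is parsed as shell code a second time.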



Bug#838291: wpasupplicant: networking.service fails to bring up wlan interface, when VERBOSE set to yes

2016-09-19 Thread Dmitriy Matrosov
Package: wpasupplicant
Version: 2.3-1+deb8u4
Severity: important
Tags: patch

Hi.

When verbose output is enabled:

# grep VERBOSE /etc/default/networking
VERBOSE=yes

`networking.service` fails to bring up wlan network interface, which uses
`wpa_action` (but `wpa_action` is not essential here):


# cat /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

auto wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant.conf

iface sgf.un inet static
address 192.168.2.7
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.9


Let's start with:

# ip link show wlan0
3: wlan0:  mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
link/ether e8:de:27:e8:47:b1 brd ff:ff:ff:ff:ff:ff

# ps -f -C wpa_supplicant
UID        PID  PPID  C STIME TTY          TIME CMD

# systemctl status networking.service
● networking.service - LSB: Raise network interfaces.
   Loaded: loaded (/etc/init.d/networking)
  Drop-In: /run/systemd/generator/networking.service.d
   └─50-insserv.conf-$network.conf
/lib/systemd/system/networking.service.d
   └─network-pre.conf
   Active: inactive (dead) since Sun 2016-09-18 22:03:38 MSK; 44s ago
  Process: 29629 ExecStop=/etc/init.d/networking stop (code=exited, status=0/SUCCESS)
  Process: 26386 ExecStart=/etc/init.d/networking start (code=exited, status=0/SUCCESS)

Sep 18 22:03:38 reiji.sgf.un wpa_supplicant[26407]: wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
Sep 18 22:03:38 reiji.sgf.un systemd[1]: Stopped LSB: Raise network interfaces..
Sep 18 22:03:38 reiji.sgf.un networking[29629]: wpa_supplicant: terminating wpa_supplicant daemon vi...pid
Sep 18 22:03:38 reiji.sgf.un networking[29629]: Stopped /sbin/wpa_supplicant (pid 26407).
Sep 18 22:03:38 reiji.sgf.un networking[29629]: run-parts --verbose /etc/network/if-post-down.d
Sep 18 22:03:38 reiji.sgf.un networking[29629]: run-parts: executing /etc/network/if-post-down.d/ava...mon
Sep 18 22:03:38 reiji.sgf.un networking[29629]: run-parts: executing /etc/network/if-post-down.d/wir...ols
Sep 18 22:03:38 reiji.sgf.un networking[29629]: run-parts: executing /etc/network/if-post-down.d/wpa...ant
Sep 18 22:03:38 reiji.sgf.un networking[29629]: done.
Sep 18 22:03:38 reiji.sgf.un wpa_supplicant[26407]: wlan0: CTRL-EVENT-TERMINATING
Hint: Some lines were ellipsized, use -l to show in full.

Then

# systemctl start networking.service

# journalctl -f _SYSTEMD_UNIT=networking.service
Sep 18 22:05:27 reiji.sgf.un networking[30162]: Configuring network interfaces...run-parts --exit-on-error --verbose /etc/network/if-pre-up.d
Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: executing /etc/network/if-pre-up.d/wireless-tools
Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: executing /etc/network/if-pre-up.d/wpasupplicant
Sep 18 22:05:27 reiji.sgf.un networking[30162]: Configuring interface wlan0=wlan0 (inet)
Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts --exit-on-error --verbose /etc/network/if-pre-up.d
Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: executing /etc/network/if-pre-up.d/wireless-tools
Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: executing /etc/network/if-pre-up.d/wpasupplicant
Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create /dev/stdout: No such device or address
Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create /dev/stdout: No such device or address
Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create /dev/stdout: No such device or address
Sep 18 22:05:27 reiji.sgf.un wpa_supplicant[30182]: Successfully initialized wpa_supplicant
Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create /dev/stdout: No such device or address
Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create /dev/stdout: No such device or address
Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: /etc/network/if-pre-up.d/wpasupplicant exited with return code 1
Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts --exit-on-error --verbose /etc/network/if-up.d
Sep 18 22:05:27 reiji.sgf.un networking[30162]: Failed to bring up wlan0.
Sep 18 22:05:27 reiji.sgf.un 

Bug#802212: libpam-ssh: pam-ssh returns PAM_NO_MODULE_DATA, when no .ssh directory found

2015-10-18 Thread Dmitriy Matrosov
Package: libpam-ssh
Version: 2.01-2
Severity: normal

Hi.

When pam-ssh is enabled in common-session, like:

session optional pam_ssh.so

and I `su` to a user who does not have a .ssh directory, `su` will report an
error at session close:

# su - test
test@shilvana:~$
test@shilvana:~$ logout
su: No module specific data is present
#

I think this error is returned by pam_ssh.c. When the .ssh directory does not
exist, `pam_sm_open_session` will terminate at the

if ((access(dotdir,F_OK)) == -1)

check. When the session terminates, `pam_sm_close_session` will query the
"ssh_agent_pid" pam data with `pam_get_data`. But this pam data is set by
`read_write_agent_env`, which was not called during `pam_sm_open_session`,
because we've returned too early. Thus, pam_ssh's `pam_sm_close_session`
returns PAM_NO_MODULE_DATA, which in turn is returned by su.c, when it calls
`pam_close_session` in `prepare_pam_close_session`.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable'), (400, 'testing'), (300, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-ssh depends on:
ii  libc6              2.19-18+deb8u1
ii  libpam-runtime     1.1.8-3.1
ii  libpam0g           1.1.8-3.1
ii  libssl1.0.0        1.0.1k-3+deb8u1
ii  multiarch-support  2.19-18+deb8u1

Versions of packages libpam-ssh recommends:
ii  libpam-tmpdir                0.09
ii  openssh-client [ssh-client]  1:6.7p1-5

libpam-ssh suggests no packages.

-- debconf-show failed



Bug#793684: rsnapshot incorrectly merges per-backup rsync_short_args

2015-07-26 Thread Dmitriy Matrosov
Package: rsnapshot
Version: 1.3.1-4
Severity: normal

Hi.

rsnapshot from Jessie incorrectly merges per-backup '+rsync_short_args=' rsync
short options. Version from Wheezy works fine.

How to reproduce:
1. Build 1.3.1-4..
$ git clone git://anonscm.debian.org/collab-maint/rsnapshot.git
$ git checkout debian/1.3.1-4

$ quilt push -a
Applying patch debian/patches/01_rsnapshot_conf.diff
patching file rsnapshot.conf.default.in
patching file rsnapshot-program.pl
patching file rsnapshot-program.pl

Applying patch debian/patches/03_pod_missing_back.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/05_backup_pgsql.diff
patching file utils/backup_pgsql.sh

Applying patch debian/patches/06_fix_random_file_verify.diff
patching file utils/random_file_verify.sh

Applying patch debian/patches/08_manpage_hourly_to_daily.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/09_strip_backtick.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/10_space_destdir.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/11_lvm_snapshots.diff
patching file rsnapshot.conf.default.in
Hunk #2 succeeded at 202 (offset 6 lines).
Hunk #3 succeeded at 235 (offset 6 lines).
patching file configure.ac

Applying patch debian/patches/12_include_conf_with_arguments.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/13_print_warn.diff
patching file rsnapshot-program.pl

Now at patch debian/patches/13_print_warn.diff

$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make sets $(MAKE)... (cached) yes
checking for a BSD-compatible install... /usr/bin/install -c
checking for perl... /usr/bin/perl
checking for rsync... /usr/bin/rsync
checking for cp... /bin/cp
checking for rm... /bin/rm
checking for ssh... /usr/bin/ssh
checking for logger... /usr/bin/logger
checking for du... /usr/bin/du
configure: creating ./config.status
config.status: creating Makefile
config.status: creating rsnapshot
config.status: creating rsnapshot-diff
config.status: creating rsnapshot.conf.default
config.status: creating t/support/etc/configtest.conf
config.status: creating t/support/etc/rsync.conf
config.status: creating t/support/etc/gnu_cp.conf
config.status: creating t/support/etc/relative_delete_bugfix.conf
config.status: creating t/configtest.t
config.status: creating t/rsync.t
config.status: creating t/gnu_cp.t
config.status: creating t/relative_delete_bugfix.t

Now type  make test  to run the regression test suite.
Then type make install to install the program.

After rsnapshot is installed, don't forget to copy
/usr/local/etc/rsnapshot.conf.default to /usr/local/etc/rsnapshot.conf

$ make
cd .  /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run aclocal-1.9
/home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing: line 52: aclocal-1.9: command not found
WARNING: `aclocal-1.9' is missing on your system.  You should only need it if
 you modified `acinclude.m4' or `configure.ac'.  You might want
 to install the `Automake' and `Perl' packages.  Grab them from
 any GNU archive site.
 cd .  /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run automake-1.9 --gnu
/home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing: line 52: automake-1.9: command not found
WARNING: `automake-1.9' is missing on your system.  You should only need it if
 you modified `Makefile.am', `acinclude.m4' or `configure.ac'.
 You might want to install the `Automake' and `Perl' packages.
 Grab them from any GNU archive site.
cd .  /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run autoconf
/bin/bash ./config.status --recheck
running /bin/bash ./configure   --no-create --no-recursion
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make sets $(MAKE)... (cached) yes
checking for perl... /usr/bin/perl
checking for rsync... /usr/bin/rsync
checking for cp... /bin/cp
checking for rm... /bin/rm
checking for ssh... /usr/bin/ssh
checking for lvcreate... no
checking for lvremove... no
checking for mount... /bin/mount
checking for umount... /bin/umount
checking for logger... /usr/bin/logger
checking for du... /usr/bin/du
configure: creating ./config.status

Now type  make test  to run the regression test suite.
Then 

Bug#793687: rsnapshot incorrectly handles quotes in per-backup rsync_long_args option

2015-07-26 Thread Dmitriy Matrosov
Package: rsnapshot
Version: 1.3.1-4
Severity: normal

Hi.

rsnapshot from Jessie incorrectly handles quotes in the per-backup
'+rsync_long_args' option (in wheezy it works fine) - it does not remove them.
Though, quotes are required, if e.g. I want to add a per-backup '--filter'
option.

How to reproduce:
1. Build..

$ git checkout debian/1.3.1-4
Previous HEAD position was 773afb8... Enable GNU cp and document stop_on_stale_lockfile option
HEAD is now at 324f3d7... Bump to Standards-Version 3.9.4, change Vcs-{Git,Browse} and avoid rsnapshot-HOWTO.en.html duplication

$ quilt push -a
Applying patch debian/patches/01_rsnapshot_conf.diff
patching file rsnapshot.conf.default.in
patching file rsnapshot-program.pl
patching file rsnapshot-program.pl

Applying patch debian/patches/03_pod_missing_back.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/05_backup_pgsql.diff
patching file utils/backup_pgsql.sh

Applying patch debian/patches/06_fix_random_file_verify.diff
patching file utils/random_file_verify.sh

Applying patch debian/patches/08_manpage_hourly_to_daily.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/09_strip_backtick.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/10_space_destdir.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/11_lvm_snapshots.diff
patching file rsnapshot.conf.default.in
Hunk #2 succeeded at 202 (offset 6 lines).
Hunk #3 succeeded at 235 (offset 6 lines).
patching file configure.ac

Applying patch debian/patches/12_include_conf_with_arguments.diff
patching file rsnapshot-program.pl

Applying patch debian/patches/13_print_warn.diff
patching file rsnapshot-program.pl

Now at patch debian/patches/13_print_warn.diff

$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make sets $(MAKE)... (cached) yes
checking for a BSD-compatible install... /usr/bin/install -c
checking for perl... /usr/bin/perl
checking for rsync... /usr/bin/rsync
checking for cp... /bin/cp
checking for rm... /bin/rm
checking for ssh... /usr/bin/ssh
checking for logger... /usr/bin/logger
checking for du... /usr/bin/du
configure: creating ./config.status
config.status: creating Makefile
config.status: creating rsnapshot
config.status: creating rsnapshot-diff
config.status: creating rsnapshot.conf.default
config.status: creating t/support/etc/configtest.conf
config.status: creating t/support/etc/rsync.conf
config.status: creating t/support/etc/gnu_cp.conf
config.status: creating t/support/etc/relative_delete_bugfix.conf
config.status: creating t/configtest.t
config.status: creating t/rsync.t
config.status: creating t/gnu_cp.t
config.status: creating t/relative_delete_bugfix.t

Now type  make test  to run the regression test suite.
Then type make install to install the program.

After rsnapshot is installed, don't forget to copy
/usr/local/etc/rsnapshot.conf.default to /usr/local/etc/rsnapshot.conf

$ make
cd .  /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run aclocal-1.9
/home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing: line 52: aclocal-1.9: command not found
WARNING: `aclocal-1.9' is missing on your system.  You should only need it if
 you modified `acinclude.m4' or `configure.ac'.  You might want
 to install the `Automake' and `Perl' packages.  Grab them from
 any GNU archive site.
 cd .  /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run automake-1.9 --gnu
/home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing: line 52: automake-1.9: command not found
WARNING: `automake-1.9' is missing on your system.  You should only need it if
 you modified `Makefile.am', `acinclude.m4' or `configure.ac'.
 You might want to install the `Automake' and `Perl' packages.
 Grab them from any GNU archive site.
cd .  /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run autoconf
/bin/bash ./config.status --recheck
running /bin/bash ./configure   --no-create --no-recursion
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make sets $(MAKE)... (cached) yes
checking for perl... /usr/bin/perl
checking for rsync... /usr/bin/rsync
checking for cp... /bin/cp
checking for rm... /bin/rm
checking for ssh... /usr/bin/ssh
checking for lvcreate... no
checking for lvremove... no

Bug#754956: rsnapshot running with lazy_delete deletes lockfile twice

2014-07-16 Thread Dmitriy Matrosov
 ([$$]: Lockfile $lockfile belongs to other 
process $pid, will not delete it!, 2);
+   syslog_warn([$$]: Lockfile $lockfile belongs to other 
process $pid, will not delete it);
+   return(1);
+   }
+   }
+   remove_lockfile();
+   return (1);
+}
+
 # accepts no arguments
 # accepts the path to a lockfile and tries to remove it
 # returns undef if lockfile isn't defined in the config file, and 1 upon 
success
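Review bot: the branch that warns "belongs to other process $pid" and the fall-through that calls `remove_lockfile();` both end in `return(1)`, so a caller cannot tell "removed" from "left in place"; return a distinct value in the first case. The ownership test and the removal are also two separate steps, so another instance can take over the lockfile in between and have its lock deleted; that remaining window deserves a comment above the function.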



And now the test again:

# ls -la storage/
total 16
drwx------ 4 root root 4096 Jul 16 14:48 .
drwx------ 4 root root 4096 Jul 16 14:48 ..
drwx------ 3 root root 4096 Jul 16 14:47 hourly.0
drwx------ 3 root root 4096 Jul 16 14:46 hourly.1

Start two ./rsnapshot.patch instances:

# ./rsnapshot.patch -c ./rsnapshot.conf hourly ; ls -l rsnapshot.pid
WARNING: [2976]: Lockfile /root/test_lazy_delete/rsnapshot.pid belongs to other process 2979, will not delete it!
-rw------- 1 root root 4 Jul 16 14:48 rsnapshot.pid

(note, lockfile still exists!)

# ./rsnapshot.patch -c ./rsnapshot.conf sync
#

And here is the log. 'hourly' starts and goes up to `rm -rf`:

[16/Jul/2014:14:48:22] ./rsnapshot.patch -c ./rsnapshot.conf hourly: started
[16/Jul/2014:14:48:22] Setting locale to POSIX C
[16/Jul/2014:14:48:22] echo 2976  /root/test_lazy_delete/rsnapshot.pid
[16/Jul/2014:14:48:22] mv /root/test_lazy_delete/storage/hourly.1/ /root/test_lazy_delete/storage/_delete.2976/
[16/Jul/2014:14:48:22] mv /root/test_lazy_delete/storage/hourly.0/ /root/test_lazy_delete/storage/hourly.1/
[16/Jul/2014:14:48:22] rm -f /root/test_lazy_delete/rsnapshot.pid
[16/Jul/2014:14:48:22] /root/test_lazy_delete/rm_wait -rf /root/test_lazy_delete/storage/_delete.2976

'sync' starts:

[16/Jul/2014:14:48:26] ./rsnapshot.patch -c ./rsnapshot.conf sync: started
[16/Jul/2014:14:48:26] Setting locale to POSIX C
[16/Jul/2014:14:48:26] echo 2979  /root/test_lazy_delete/rsnapshot.pid
[16/Jul/2014:14:48:26] mkdir -m 0755 -p /root/test_lazy_delete/storage/.sync/
[16/Jul/2014:14:48:26] /root/test_lazy_delete/rsync_wait -a --delete --numeric-ids --relative --delete-excluded --link-dest=/root/test_lazy_delete/storage/hourly.1/localhost/ /root/test_lazy_delete/./data /root/test_lazy_delete/storage/.sync/localhost/

'hourly' finishes lazy delete, but notices, that lockfile no longer belongs to
it, and leaves it in place:

[16/Jul/2014:14:48:52] [2976]: Removing lock file, if we owns it.
[16/Jul/2014:14:48:52] [2976]: Lockfile /root/test_lazy_delete/rsnapshot.pid belongs to other process 2979, will not delete it!
[16/Jul/2014:14:48:52] WARNING: ./rsnapshot.patch -c ./rsnapshot.conf hourly: completed, but with some warnings

'sync' finishes and deletes its lockfile:

[16/Jul/2014:14:48:56] rsync succeeded
[16/Jul/2014:14:48:56] touch /root/test_lazy_delete/storage/.sync/
[16/Jul/2014:14:48:56] No directory to delete: /root/test_lazy_delete/storage/_delete.2979
[16/Jul/2014:14:48:56] [2979]: Removing lock file, if we owns it.
[16/Jul/2014:14:48:56] rm -f /root/test_lazy_delete/rsnapshot.pid
[16/Jul/2014:14:48:56] ./rsnapshot.patch -c ./rsnapshot.conf sync: completed successfully


--
Dmitriy Matrosov


Test config was:

#
# rsnapshot.conf - rsnapshot configuration file #
#
#   #
# PLEASE BE AWARE OF THE FOLLOWING RULES:   #
#   #
# This file requires tabs between elements  #
#   #
# Directories require a trailing slash: #
#   right: /home/   #
#   wrong: /home#
#   #
#

###
# CONFIG FILE VERSION #
###

config_version  1.2

###
# SNAPSHOT ROOT DIRECTORY #
###

# All snapshots will be stored under this root directory.
#
snapshot_root   /root/test_lazy_delete/storage

# If no_create_root is enabled, rsnapshot will not automatically create the
# snapshot_root directory. This is particularly useful if you are backing
# up to removable media, such as a FireWire or USB drive.
#
no_create_root  1

#
# EXTERNAL PROGRAM DEPENDENCIES #
#

# LINUX USERS:   Be sure to uncomment cmd_cp. This gives you extra features.
# EVERYONE ELSE: Leave cmd_cp commented out for compatibility.
#
# See the README file or the man page for more details.
#
cmd_cp  /bin/cp

# uncomment this to use the rm program instead of the built-in perl routine.
#
cmd_rm  /root/test_lazy_delete/rm_wait

# rsync must be enabled for anything to work

Bug#748354: keyutils: key timeout have reset after udev starts

2014-05-26 Thread Dmitriy Matrosov

On 05/25/2014 11:22 PM, Christian Kastner wrote:

> I'd appreciate it if you
> could check the contents of /proc/keys right after boot. The fourth
> column should list the remaining time until the key expires, or perm
> if the expiry has been reset.


Hi, Christian.

Here is the result:

From initramfs just after the password had been cached:
1a0f0935 I--Q--- 1 1m   3f01 0 0 user cryptkey-reiji: 27
21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1

Before udev started:
1a0f0935 I--Q--- 1 58s  3f01 0 0 user cryptkey-reiji: 27
21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1

After udev started:
1a0f0935 I--Q--- 1 4h   3f01 0 0 user cryptkey-reiji: 27
21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
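A check for the behaviour reported in the message above, as an added example that is not from the original message or from keyutils: it compares two /proc/keys snapshots (the listings quoted above) and flags keys whose remaining lifetime grew. The function and variable names are hypothetical; the `d`, `w` and `expd` forms of the expiry column come from the kernel's /proc/keys format, not from this page.

```shell
#!/bin/sh
# Added example. The snapshots are the /proc/keys listings quoted in the
# message above; function and variable names are hypothetical.

IN_INITRAMFS='1a0f0935 I--Q--- 1 1m   3f01 0 0 user cryptkey-reiji: 27
21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1'

BEFORE_UDEV='1a0f0935 I--Q--- 1 58s  3f01 0 0 user cryptkey-reiji: 27
21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1'

AFTER_UDEV='1a0f0935 I--Q--- 1 4h   3f01 0 0 user cryptkey-reiji: 27
21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1'

# Convert the 4th /proc/keys column to seconds.
# "perm" (no expiry) -> -1, "expd" (already expired) -> 0.
expiry_seconds() {
    case $1 in
        perm) echo -1; return 0 ;;
        expd) echo 0; return 0 ;;
    esac
    n=${1%?}
    case $n in ''|*[!0-9]*) return 1 ;; esac   # not <digits><unit>
    case $1 in
        *s) echo "$n" ;;
        *m) echo $((n * 60)) ;;
        *h) echo $((n * 3600)) ;;
        *d) echo $((n * 86400)) ;;
        *w) echo $((n * 604800)) ;;
        *)  return 1 ;;
    esac
}

# Print "<id> <description> <old> -> <new>" for every key that had a finite
# timeout in the first snapshot and a longer (or no) timeout in the second.
# The remaining time normally only counts down, so an increase means the
# expiry was set again by something.
extended_keys() {
    before=$1
    after=$2
    printf '%s\n' "$after" |
    while read -r id flags usage timeout perm uid gid type desc; do
        [ -n "$id" ] || continue
        old=$(printf '%s\n' "$before" | awk -v id="$id" '$1 == id { print $4 }')
        [ -n "$old" ] || continue                  # key is new, nothing to compare
        old_s=$(expiry_seconds "$old") || continue
        new_s=$(expiry_seconds "$timeout") || continue
        [ "$old_s" -ge 0 ] || continue             # was already permanent
        if [ "$new_s" -lt 0 ] || [ "$new_s" -gt "$old_s" ]; then
            echo "$id $desc $old -> $timeout"
        fi
    done
}

echo "initramfs -> before udev:"
extended_keys "$IN_INITRAMFS" "$BEFORE_UDEV"
echo "before udev -> after udev:"
extended_keys "$BEFORE_UDEV" "$AFTER_UDEV"
```

On a live system the two arguments would be `$(cat /proc/keys)` captured at two points in the boot sequence.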



Bug#748354: keyutils: key timeout have reset after udev starts

2014-05-16 Thread Dmitriy Matrosov
Package: keyutils
Version: 1.5.6-1
Severity: normal
Tags: security

Hi.

The key timeout set in initramfs was reset after the udev init script ran.

How to reproduce:
1. Add key and set timeout on it in initramfs. E.g. use an encrypted root and
open it using decrypt_keyctl script from cryptsetup package (to cache
password). The crypttab entry may look like:

jessie_root   /dev/reiji/enc_jessie_root   reiji   luks,keyscript=decrypt_keyctl

The decrypt_keyctl script sets timeout of 60 seconds on all cached passwords.
2. Add init script (below), which runs before udev and waits for 60 seconds to
ensure, that timeout still works. It may have LSB header like:

### BEGIN INIT INFO
# Provides:  keyctl-test
# Required-Start:mountkernfs
# Required-Stop: 
# X-Interactive: false
# X-Start-Before:udev
# X-Stop-After:  udev
# Default-Start: S
# Default-Stop:  0 6
# Short-Description: Wait for keyctl timeout to expire
# Description:
### END INIT INFO

and restart the system. You'll see line

key inaccessible (key has expired)

when keyctl-test script runs `keyctl show @u` after waiting for 60 seconds.
4. Now change LSB header, so keyctl-test starts right after udev. It may look
like:

### BEGIN INIT INFO
# Provides:  keyctl-test
# Required-Start:udev
# Required-Stop: udev
# X-Interactive: false
# X-Start-Before:keyboard-setup mdadm-raid mountdevsubfs
# X-Stop-After:  
# Default-Start: S
# Default-Stop:  0 6
# Short-Description: Wait for keyctl timeout to expire
# Description:
### END INIT INFO

and also restart the system. Now after waiting for 60 seconds `keyctl show @u`
will still list the key added during root fs unlocking from initramfs.

The keyctl-test init script may look like:

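# Wait past the 60 second key timeout, then list the user keyring.
do_start()
{
    echo "Waiting for keyctl timeout to expire.." >&2
    sleep 60
    echo "..done" >&2
    keyctl show @u
}

case "$1" in
    start)
        do_start
        ;;
    stop|restart|reload|force-reload|force-start)
        echo "."
        ;;
    *)
        # Quoted, so the "|" characters are not parsed as pipes.
        echo "Usage: {start|stop|restart|reload|force-reload|force-start}"
        exit 1
        ;;
esac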



To work around this I may use a simple script for clearing the keyring, which
runs when all volumes requiring the password have been opened. I may run it
using the 'check=' option in crypttab. E.g. the last crypttab line, which uses
the cached password, may look like:

w7   /dev/sdb2   reiji   luks,keyscript=decrypt_keyctl,check=keyctl_clear

and keyctl_clear script should be placed in /lib/cryptsetup/checks/ and may
look like:

#!/bin/sh

keyctl clear @u || exit 0

--
Dmitriy Matrosov

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages keyutils depends on:
ii  libc6 2.18-5
ii  libkeyutils1  1.5.6-1

keyutils recommends no packages.

keyutils suggests no packages.

-- no debconf information





Bug#748368: cryptsetup: decrypt_keyctl does not ask for password again, if wrong password have given

2014-05-16 Thread Dmitriy Matrosov
Package: cryptsetup
Version: 2:1.6.4-4
Severity: normal
Tags: patch

Hi.

If I've entered a wrong password at the decrypt_keyctl prompt, it'll use it in
all following cryptsetup attempts, making all of them fail:

# cryptdisks_start w7_data
Starting crypto disk...w7_data (starting)...
Caching passphrase for /dev/sda3: No device header detected with this passphrase.
Using cached passphrase for /dev/sda3.
No device header detected with this passphrase.
Using cached passphrase for /dev/sda3.
No device header detected with this passphrase.
w7_data (failed)...failed.

The attached patch makes decrypt_keyctl ask for the password again, if
CRYPTTAB_TRIED is greater than 0. So, unlocking may look like:

Try once and press Ctrl-C:

# cryptdisks_start w7_data
Starting crypto disk...w7_data (starting)...
Caching passphrase for /dev/sda3: No device header detected with this passphrase.
Caching passphrase for /dev/sda3: Error reading passphrase.
#

It asks for the password a second time, when the 1st attempt fails. Then try
to open again:

# cryptdisks_start w7_data
Starting crypto disk...w7_data (starting)...
Using cached passphrase for /dev/sda3.
No device header detected with this passphrase.
Caching passphrase for /dev/sda3: w7_data (started)...done.

First, it tries the cached (wrong) password. But, when it fails, it asks again,
and now succeeds.

-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.13-1-amd64 root=/dev/mapper/jessie_root ro quiet

-- /etc/crypttab
jessie_root /dev/reiji/enc_jessie_root  reiji                         luks,keyscript=decrypt_keyctl
jessie_usr  /dev/reiji/enc_jessie_usr   /etc/keys/jessie_usr.lukskey  luks
jessie_var  /dev/reiji/enc_jessie_var   /etc/keys/jessie_var.lukskey  luks
jessie_tmp  /dev/reiji/enc_jessie_tmp   /etc/keys/jessie_tmp.lukskey  luks
jessie_swap /dev/reiji/enc_jessie_swap  /dev/urandom                  swap,cipher=aes-xts-plain64,size=256,hash=sha1
home        /dev/reiji/enc_home         /etc/keys/home.lukskey        luks
backup      /dev/reiji/enc_backup       /etc/keys/backup.lukskey      luks
w7_backup   /dev/sdb4                   reiji                         tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7_data     /dev/sda3                   reiji                         tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7          /dev/sdb2                   reiji                         tcrypt,tcryptsystem,precheck=/bin/true,keyscript=decrypt_keyctl,check=keyctl_clear

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# file system mount point   type  options   dump  pass
UUID=227ce6c3-0de7-4436-9e13-6442a3d7d8f4 /boot   ext3    defaults          0   2

/dev/mapper/jessie_root /               ext4    errors=remount-ro 0   1
/dev/mapper/jessie_usr  /usr            ext4    defaults          0   2
/dev/mapper/jessie_var  /var            ext4    defaults          0   2
/dev/mapper/jessie_tmp  /var/tmp        ext4    defaults          0   2

/dev/mapper/jessie_swap none            swap    sw                0   0

/dev/mapper/home        /home           ext4    defaults          0   2
/dev/mapper/backup      /var/backups    ext4    defaults          0   2

-- lsmod
Module                  Size  Used by
nfsd                  259239  2
auth_rpcgss            51202  1 nfsd
oid_registry           12419  1 auth_rpcgss
nfs_acl                12511  1 nfsd
nfs                   183626  0
lockd                  79321  2 nfs,nfsd
fscache                45542  1 nfs
sunrpc                224626  6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
fuse                   78793  1
blowfish_generic       12464  0
blowfish_x86_64        21132  0
blowfish_common        16487  2 blowfish_generic,blowfish_x86_64
ecb                    12737  0
des_generic            20851  0
cast5_avx_x86_64       49760  0
cast5_generic          20813  1 cast5_avx_x86_64
cast_common            12313  2 cast5_generic,cast5_avx_x86_64
cbc                    12696  0
twofish_generic        16569  0
twofish_avx_x86_64     46079  0
twofish_x86_64_3way    25483  1 twofish_avx_x86_64
twofish_x86_64         12541  2 twofish_avx_x86_64,twofish_x86_64_3way
twofish_common         20585  4 twofish_generic,twofish_avx_x86_64,twofish_x86_64_3way,twofish_x86_64
serpent_avx_x86_64     46241  0
serpent_sse2_x86_64    50146  0
serpent_generic        29140  2 serpent_sse2_x86_64,serpent_avx_x86_64
xts                    12679  2 serpent_sse2_x86_64,twofish_x86_64_3way
algif_skcipher         13008  0
af_alg                 12988  1 algif_skcipher
raid1                  34596  2
snd_hda_codec_hdmi  

Bug#748286: cryptsetup: crypttab does not support truecrypt volumes

2014-05-15 Thread Dmitriy Matrosov
/cryptsetup/askpass
fi
-   elif [ $key != ${key%/dev/*} ]; then
+   else
+   # Two original cases here:
# no keyscript, device key = special treatment
+   # no keyscript, key = file input
keyscriptarg=
key=$key
-   KEYSCRIPT=
-   else
-   # no keyscript, key = file input
-   keyscriptarg=$key
-   key=-
-   KEYSCRIPT=cat
+   KEYSCRIPT=tcrypt_no_pass
+   PARAMS=$PARAMS --key-file=$key
+   fi
+   # Add additional key files, if any.
+   if [ -n $TCRYPTKEYS ]; then
+   IFS=$nl
+   # FIXME: Pathname expansion still runs on filenames, may be
+   # disable it?
+   set -- $TCRYPTKEYS
+   for f; do
+   PARAMS=${PARAMS:+$PARAMS }--key-file=$f
+   done
+   set --
+   IFS=$OIFS
fi
 
-   PARAMS=$PARAMS --key-file=$key
-
while [ $tried -lt $TRIES ] || [ $TRIES -eq 0 ]; do
export CRYPTTAB_TRIED=$tried
-   if [ -n $KEYSCRIPT ]; then
-   if $KEYSCRIPT $keyscriptarg | cryptsetup $PARAMS 
$TCRYPTPARAMS open --type tcrypt $src ${dst}_unformatted; then
-   break
-   fi
-   else
-   if cryptsetup $PARAMS $TCRYPTPARAMS open --type tcrypt 
$src ${dst}_unformatted; then
-   break
-   fi
+   # KEYSCRIPT is always set, so i don't need to check.
+   if $KEYSCRIPT $keyscriptarg | cryptsetup $PARAMS 
$TCRYPTPARAMS open --type tcrypt $src ${dst}_unformatted; then
+   break
fi
 
tried=$(( $tried + 1 ))
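Review bot: the `# FIXME` above `set -- $TCRYPTKEYS` needs resolving before this goes in: with `IFS=$nl` the list is split on newlines only, but every entry still undergoes pathname expansion, so a key file name containing `*`, `?` or `[` can expand to other paths. Wrap the split in `set -f` and `set +f`. Separately, `PARAMS` is a flat string that is expanded again in `cryptsetup $PARAMS`, so a key file path containing a space is split into two arguments; that limitation should at least be documented next to the loop.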
@@ -402,7 +434,7 @@ do_tcrypt () {
 
if [ -n $CHECK ]  ! $CHECK /dev/mapper/${dst}_unformatted 
$CHECKARGS; then
log_warning_msg $dst: the check for '/dev/mapper/$dst' failed
-   cryptsetup luksClose ${dst}_unformatted
+   cryptsetup close ${dst}_unformatted
return 1
fi
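Review bot: the warning after the failed `$CHECK` names '/dev/mapper/$dst', but the check ran against `/dev/mapper/${dst}_unformatted`, which is also the mapping that `cryptsetup close` removes on the next line. The message should name the device that was actually checked, so the log matches what the admin sees under /dev/mapper.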
 



--
Dmitriy Matrosov






-- Package-specific info:
-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.13-1-amd64 root=/dev/mapper/jessie_root ro quiet

-- /etc/crypttab
jessie_root /dev/reiji/enc_jessie_root  reiji                         luks,keyscript=decrypt_keyctl
jessie_usr  /dev/reiji/enc_jessie_usr   /etc/keys/jessie_usr.lukskey  luks
jessie_var  /dev/reiji/enc_jessie_var   /etc/keys/jessie_var.lukskey  luks
jessie_tmp  /dev/reiji/enc_jessie_tmp   /etc/keys/jessie_tmp.lukskey  luks
jessie_swap /dev/reiji/enc_jessie_swap  /dev/urandom                  swap,cipher=aes-xts-plain64,size=256,hash=sha1
home        /dev/reiji/enc_home         /etc/keys/home.lukskey        luks
backup      /dev/reiji/enc_backup       /etc/keys/backup.lukskey      luks
w7_backup   /dev/sdb4                   reiji                         tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7_data     /dev/sda3                   reiji                         tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7          /dev/sdb2                   reiji                         tcrypt,tcryptsystem,precheck=/bin/true,keyscript=decrypt_keyctl,check=keyctl_clear
flash       /dev/sdc1                   none                          tcrypt,precheck=/bin/true,tcryptkey=/root/flash-21.tckey,tcryptkey=/root/flash-22.tckey

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# file system mount point   type  options   dump  pass
UUID=227ce6c3-0de7-4436-9e13-6442a3d7d8f4 /boot   ext3    defaults          0   2

/dev/mapper/jessie_root /               ext4    errors=remount-ro 0   1
/dev/mapper/jessie_usr  /usr            ext4    defaults          0   2
/dev/mapper/jessie_var  /var            ext4    defaults          0   2
/dev/mapper/jessie_tmp  /var/tmp        ext4    defaults          0   2

/dev/mapper/jessie_swap none            swap    sw                0   0

/dev/mapper/home        /home           ext4    defaults          0   2
/dev/mapper/backup      /var/backups    ext4    defaults          0   2

-- lsmod
Module                  Size  Used by
nls_utf8               12456  0
nls_cp437              16553  0
vfat                   17135  0
fat                    53794  1 vfat
nfsd                  259239  2
auth_rpcgss            51202  1 nfsd
oid_registry           12419  1 auth_rpcgss
nfs_acl                12511  1 nfsd
nfs                   183626  0
lockd                  79321  2 nfs,nfsd