Bug#806256: libpam-systemd: log out from a TTY and your X input devices get lost!
Package: bash
Version: 5.1-2+b1
Followup-For: Bug #806256

Hi.

This bug seems the same as "fixed" bugs #805605 and #810660, which are definitely not fixed yet. The freeze is caused by vt switch performed by 'clear_console', and the committed "fix" just changed vt (chosen for switch) from 1 and 2 to 5 and 6:

@@ -205,7 +205,7 @@ #if defined(__linux__) num = vtstat.v_active; #endif - tmp_num = (num == 1 ? 2 : 1); + tmp_num = (num == 6 ? 5 : 6); /* switch vt to clear the scrollback buffer */ if (ioctl(fd, VT_ACTIVATE, tmp_num))

So, since this can't fix anything, the bug is easily reproducible:

1. Start X on vt 6.
2. Log in at any other vt.
3. Run '/usr/bin/clear_console' and X crashes/freezes.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-security'), (40, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bash depends on:
ii  base-files   11
ii  debianutils  4.11.2
ii  libc6        2.31-11
ii  libtinfo6    6.2+20201114-2

Versions of packages bash recommends:
ii  bash-completion  1:2.11-2

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information
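Review bot: `tmp_num = (num == 6 ? 5 : 6)` still hard-codes the VT handed to `VT_ACTIVATE`, so from any active VT other than 6 the code switches to VT 6 without checking whether it is in use, which is exactly the case the report reproduces with X on vt 6. Ask the kernel for an unused VT with the `VT_OPENQRY` ioctl and use that as `tmp_num`, and skip the scrollback-clearing switch when no free VT is returned.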
Bug#838291: wpasupplicant: networking.service fails to bring up wlan interface, when VERBOSE set to yes
On August 10, 2017 3:02:03 PM GMT+03:00, Kilian Krause wrote:
>Hi Dmitriy,
>
>since your bug actually breaks non-VERBOSE mode, I'd suggest using as
>patch:
>--(snip)--
># diff -u /etc/wpa_supplicant/functions.sh /tmp/functions.sh >--- /etc/wpa_supplicant/functions.sh2017-02-20 11:55:11.0 >+0100 >+++ /tmp/functions.sh 2017-08-10 13:58:58.532248148 +0200 >@@ -49,7 +49,7 @@ > > # verbosity variables > if [ -n "$IF_WPA_VERBOSITY" ] || [ "$VERBOSITY" = "1" ]; then >- TO_NULL="/dev/stdout" >+ TO_NULL="&1" >DAEMON_VERBOSITY="--verbose" > else >TO_NULL="/dev/null" >@@ -117,7 +117,7 @@ >;; >"stderr") >shift >- echo "$WPA_SUP_PNAME: $@" >/dev/stderr >+ echo "$WPA_SUP_PNAME: $@" >&2 >;; >*) >;; >#
>--(snip)--
>
>That one works for me and does maintain the current feature set.
>
>Best,
>Kilian

Hi.

I don't understand your patch. Following constructs do not work for me:

    $ sh -c '( v="&1"; echo abc >$v; )'
    $ sh -c '( v="/dev/null"; echo abc >$v; )'
    $ bash -c '( v="&1"; echo abc >$v; )'
    $ bash -c '( v="/dev/null"; echo abc >$v; )'
    $

Only this one does:

    $ sh -c '( v="&1"; eval "echo abc >$v"; )'
    abc
    $ sh -c '( v="/dev/null"; eval "echo abc >$v"; )'
    $

In other words, as far as I understand, your patch breaks verbose mode. But mine seems to break non-verbose mode, yes, I see that now.

I'm not sure whether using `eval` is a good fix. If not, `echo` lines may be rewritten to use a separate function, which will log appropriately. And `wpa_cli`.. also may be rewritten as a function. E.g.

    run_and_log wpa_cli $WPACLISET_VARIABLE "$WPACLISET_VALUE"

which will just treat its first argument as command, or (may be safer) as

    wpa_cli_wlog $WPACLISET_VARIABLE "$WPACLISET_VALUE"

which will just handle verbosity as appropriate. (I didn't test this, just speculating and may be wrong.)
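Review bot: In the first hunk, `TO_NULL="&1"` cannot act as a redirection target: the shell recognises `>&` while parsing the command, before variables are expanded, so any use of the form `>$TO_NULL` writes to a file literally named `&1` in the current directory instead of duplicating stdout, and the verbose output is lost. Keep the operator literal and store only a descriptor number in the variable (open fd 3 on stdout or on `/dev/null` once, then write with `>&3`); the second hunk's `>&2` is fine as it stands.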
Bug#838291: wpasupplicant: networking.service fails to bring up wlan interface, when VERBOSE set to yes
Package: wpasupplicant
Version: 2.3-1+deb8u4
Severity: important
Tags: patch

Hi.

When verbose output is enabled:

    # grep VERBOSE /etc/default/networking
    VERBOSE=yes

`networking.service` fails to bring up wlan network interface, which uses `wpa_action` (but `wpa_action` is not essential here):

    # cat /etc/network/interfaces
    # The loopback network interface
    auto lo
    iface lo inet loopback

    auto wlan0
    iface wlan0 inet manual
        wpa-roam /etc/wpa_supplicant.conf

    iface sgf.un inet static
        address 192.168.2.7
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
        gateway 192.168.2.9

Let's start with:

    # ip link show wlan0
    3: wlan0:mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
        link/ether e8:de:27:e8:47:b1 brd ff:ff:ff:ff:ff:ff
    # ps -f -C wpa_supplicant
    UID PID PPID C STIME TTY TIME CMD
    # systemctl status networking.service
    ● networking.service - LSB: Raise network interfaces.
       Loaded: loaded (/etc/init.d/networking)
      Drop-In: /run/systemd/generator/networking.service.d
               └─50-insserv.conf-$network.conf
               /lib/systemd/system/networking.service.d
               └─network-pre.conf
       Active: inactive (dead) since Sun 2016-09-18 22:03:38 MSK; 44s ago
      Process: 29629 ExecStop=/etc/init.d/networking stop (code=exited, status=0/SUCCESS)
      Process: 26386 ExecStart=/etc/init.d/networking start (code=exited, status=0/SUCCESS)

    Sep 18 22:03:38 reiji.sgf.un wpa_supplicant[26407]: wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
    Sep 18 22:03:38 reiji.sgf.un systemd[1]: Stopped LSB: Raise network interfaces..
    Sep 18 22:03:38 reiji.sgf.un networking[29629]: wpa_supplicant: terminating wpa_supplicant daemon vi...pid
    Sep 18 22:03:38 reiji.sgf.un networking[29629]: Stopped /sbin/wpa_supplicant (pid 26407).
Sep 18 22:03:38 reiji.sgf.un networking[29629]: run-parts --verbose /etc/network/if-post-down.d Sep 18 22:03:38 reiji.sgf.un networking[29629]: run-parts: executing /etc/network/if-post-down.d/ava...mon Sep 18 22:03:38 reiji.sgf.un networking[29629]: run-parts: executing /etc/network/if-post-down.d/wir...ols Sep 18 22:03:38 reiji.sgf.un networking[29629]: run-parts: executing /etc/network/if-post-down.d/wpa...ant Sep 18 22:03:38 reiji.sgf.un networking[29629]: done. Sep 18 22:03:38 reiji.sgf.un wpa_supplicant[26407]: wlan0: CTRL-EVENT-TERMINATING Hint: Some lines were ellipsized, use -l to show in full. Then # systemctl start networking.service # journalctl -f _SYSTEMD_UNIT=networking.service Sep 18 22:05:27 reiji.sgf.un networking[30162]: Configuring network interfaces...run-parts --exit-on-error --verbose /etc/network/if-pre-up.d Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: executing /etc/network/if-pre-up.d/wireless-tools Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: executing /etc/network/if-pre-up.d/wpasupplicant Sep 18 22:05:27 reiji.sgf.un networking[30162]: Configuring interface wlan0=wlan0 (inet) Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts --exit-on-error --verbose /etc/network/if-pre-up.d Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: executing /etc/network/if-pre-up.d/wireless-tools Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: executing /etc/network/if-pre-up.d/wpasupplicant Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create /dev/stdout: No such device or address Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create /dev/stdout: No such device or address Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create 
/dev/stdout: No such device or address Sep 18 22:05:27 reiji.sgf.un wpa_supplicant[30182]: Successfully initialized wpa_supplicant Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create /dev/stdout: No such device or address Sep 18 22:05:27 reiji.sgf.un networking[30162]: /etc/network/if-pre-up.d/wpasupplicant: 112: /etc/network/if-pre-up.d/wpasupplicant: cannot create /dev/stdout: No such device or address Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts: /etc/network/if-pre-up.d/wpasupplicant exited with return code 1 Sep 18 22:05:27 reiji.sgf.un networking[30162]: run-parts --exit-on-error --verbose /etc/network/if-up.d Sep 18 22:05:27 reiji.sgf.un networking[30162]: Failed to bring up wlan0. Sep 18 22:05:27 reiji.sgf.un
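The two Bug#838291 messages above turn on how the shell treats a redirection target held in a variable. The following is an added example, not code from either message or from wpasupplicant; the function names and the choice of fd 3 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; function names and the use of fd 3 are assumptions,
# not taken from /etc/wpa_supplicant/functions.sh.

# Case 1: a redirection target that comes out of a variable is a file name.
# The shell recognises ">&" while parsing, before $v is expanded, so
# v='&1' never means "duplicate fd 1". Prints "file" when the text landed
# in a file literally named "&1", "stdout" otherwise.
where_did_amp1_go() {
    dir=$(mktemp -d) || return 1
    captured=$(cd "$dir" && { v='&1'; echo abc >$v; })
    if [ -z "$captured" ] && [ "$(cat "$dir/&1" 2>/dev/null)" = "abc" ]; then
        result=file
    else
        result=stdout
    fi
    rm -rf "$dir"
    echo "$result"
}

# Case 2: keep the ">&" operator literal and put only a descriptor number
# in the variable. Nothing is reopened by path, so this also works when
# stdout is a socket (typical for a service logging to the journal), which
# is the situation where opening /dev/stdout fails with
# "No such device or address" as in the log above.
open_verbose_fd() {
    if [ "$1" = "1" ]; then
        exec 3>&1           # verbose: fd 3 is a copy of the current stdout
    else
        exec 3>/dev/null    # quiet: fd 3 discards everything
    fi
    VERBOSE_FD=3
}

log_verbose() {
    echo "$@" >&"$VERBOSE_FD"
}

echo "target taken from v='&1' ended up in: $(where_did_amp1_go)"
echo "verbose=1 prints: '$(open_verbose_fd 1; log_verbose hello)'"
echo "verbose=0 prints: '$(open_verbose_fd 0; log_verbose hello)'"
```
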
Bug#802212: libpam-ssh: pam-ssh returns PAM_NO_MODULE_DATA, when no .ssh directory found
Package: libpam-ssh
Version: 2.01-2
Severity: normal

Hi.

When pam-ssh is enabled in common-session, like:

    session optional pam_ssh.so

and I `su` to a user which does not have a .ssh directory, `su` will report an error at session close:

    # su - test
    test@shilvana:~$
    test@shilvana:~$ logout
    su: No module specific data is present
    #

I think this error is returned by pam_ssh.c. When the .ssh directory does not exist, `pam_sm_open_session` will terminate at the

    if ((access(dotdir,F_OK)) == -1)

check. When the session terminates, `pam_sm_close_session` will query "ssh_agent_pid" pam data with `pam_get_data`. But this pam data is set by `read_write_agent_env`, which was not called during `pam_sm_open_session`, because we've returned too early. Thus, pam_ssh's `pam_sm_close_session` returns PAM_NO_MODULE_DATA, which in turn is returned by su.c, when it calls `pam_close_session` in `prepare_pam_close_session`.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable'), (400, 'testing'), (300, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-ssh depends on:
ii  libc6              2.19-18+deb8u1
ii  libpam-runtime     1.1.8-3.1
ii  libpam0g           1.1.8-3.1
ii  libssl1.0.0        1.0.1k-3+deb8u1
ii  multiarch-support  2.19-18+deb8u1

Versions of packages libpam-ssh recommends:
ii  libpam-tmpdir                0.09
ii  openssh-client [ssh-client]  1:6.7p1-5

libpam-ssh suggests no packages.

-- debconf-show failed
Bug#793684: rsnapshot incorrectly merges per-backup rsync_short_args
Package: rsnapshot Version: 1.3.1-4 Severity: normal Hi. rsnapshot from Jessie incorrectly merges per-backup '+rsync_short_args=' rsync short options. Version from Wheezy works fine. How to reproduce: 1. Build 1.3.1-4.. $ git clone git://anonscm.debian.org/collab-maint/rsnapshot.git $ git checkout debian/1.3.1-4 $ quilt push -a Applying patch debian/patches/01_rsnapshot_conf.diff patching file rsnapshot.conf.default.in patching file rsnapshot-program.pl patching file rsnapshot-program.pl Applying patch debian/patches/03_pod_missing_back.diff patching file rsnapshot-program.pl Applying patch debian/patches/05_backup_pgsql.diff patching file utils/backup_pgsql.sh Applying patch debian/patches/06_fix_random_file_verify.diff patching file utils/random_file_verify.sh Applying patch debian/patches/08_manpage_hourly_to_daily.diff patching file rsnapshot-program.pl Applying patch debian/patches/09_strip_backtick.diff patching file rsnapshot-program.pl Applying patch debian/patches/10_space_destdir.diff patching file rsnapshot-program.pl Applying patch debian/patches/11_lvm_snapshots.diff patching file rsnapshot.conf.default.in Hunk #2 succeeded at 202 (offset 6 lines). Hunk #3 succeeded at 235 (offset 6 lines). patching file configure.ac Applying patch debian/patches/12_include_conf_with_arguments.diff patching file rsnapshot-program.pl Applying patch debian/patches/13_print_warn.diff patching file rsnapshot-program.pl Now at patch debian/patches/13_print_warn.diff $ ./configure checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make sets $(MAKE)... (cached) yes checking for a BSD-compatible install... /usr/bin/install -c checking for perl... /usr/bin/perl checking for rsync... /usr/bin/rsync checking for cp... /bin/cp checking for rm... /bin/rm checking for ssh... /usr/bin/ssh checking for logger... 
/usr/bin/logger checking for du... /usr/bin/du configure: creating ./config.status config.status: creating Makefile config.status: creating rsnapshot config.status: creating rsnapshot-diff config.status: creating rsnapshot.conf.default config.status: creating t/support/etc/configtest.conf config.status: creating t/support/etc/rsync.conf config.status: creating t/support/etc/gnu_cp.conf config.status: creating t/support/etc/relative_delete_bugfix.conf config.status: creating t/configtest.t config.status: creating t/rsync.t config.status: creating t/gnu_cp.t config.status: creating t/relative_delete_bugfix.t Now type make testto run the regression test suite. Then type make install to install the program. After rsnapshot is installed, don't forget to copy /usr/local/etc/rsnapshot.conf.default to /usr/local/etc/rsnapshot.conf $ make cd . /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run aclocal-1.9 /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing: line 52: aclocal-1.9: command not found WARNING: `aclocal-1.9' is missing on your system. You should only need it if you modified `acinclude.m4' or `configure.ac'. You might want to install the `Automake' and `Perl' packages. Grab them from any GNU archive site. cd . /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run automake-1.9 --gnu /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing: line 52: automake-1.9: command not found WARNING: `automake-1.9' is missing on your system. You should only need it if you modified `Makefile.am', `acinclude.m4' or `configure.ac'. You might want to install the `Automake' and `Perl' packages. Grab them from any GNU archive site. cd . /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run autoconf /bin/bash ./config.status --recheck running /bin/bash ./configure --no-create --no-recursion checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... 
yes checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make sets $(MAKE)... (cached) yes checking for perl... /usr/bin/perl checking for rsync... /usr/bin/rsync checking for cp... /bin/cp checking for rm... /bin/rm checking for ssh... /usr/bin/ssh checking for lvcreate... no checking for lvremove... no checking for mount... /bin/mount checking for umount... /bin/umount checking for logger... /usr/bin/logger checking for du... /usr/bin/du configure: creating ./config.status Now type make testto run the regression test suite. Then
Bug#793687: rsnapshot incorrectly handles quotes in per-backup rsync_long_args option
Package: rsnapshot Version: 1.3.1-4 Severity: normal Hi. rsnapshot from Jessie incorrectly handles quotes in per-backup '+rsync_long_args' option (in wheezy it works fine) - it does not remove them. Though, quotes are required, if e.g. i want to add per-backup '--filter' option. How to reproduce: 1. Build.. $ git checkout debian/1.3.1-4 Previous HEAD position was 773afb8... Enable GNU cp and document stop_on_stale_lockfile option HEAD is now at 324f3d7... Bump to Standards-Version 3.9.4, change Vcs-{Git,Browse} and avoid rsnapshot-HOWTO.en.html duplication $ quilt push -a Applying patch debian/patches/01_rsnapshot_conf.diff patching file rsnapshot.conf.default.in patching file rsnapshot-program.pl patching file rsnapshot-program.pl Applying patch debian/patches/03_pod_missing_back.diff patching file rsnapshot-program.pl Applying patch debian/patches/05_backup_pgsql.diff patching file utils/backup_pgsql.sh Applying patch debian/patches/06_fix_random_file_verify.diff patching file utils/random_file_verify.sh Applying patch debian/patches/08_manpage_hourly_to_daily.diff patching file rsnapshot-program.pl Applying patch debian/patches/09_strip_backtick.diff patching file rsnapshot-program.pl Applying patch debian/patches/10_space_destdir.diff patching file rsnapshot-program.pl Applying patch debian/patches/11_lvm_snapshots.diff patching file rsnapshot.conf.default.in Hunk #2 succeeded at 202 (offset 6 lines). Hunk #3 succeeded at 235 (offset 6 lines). patching file configure.ac Applying patch debian/patches/12_include_conf_with_arguments.diff patching file rsnapshot-program.pl Applying patch debian/patches/13_print_warn.diff patching file rsnapshot-program.pl Now at patch debian/patches/13_print_warn.diff $ ./configure checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make sets $(MAKE)... 
(cached) yes checking for a BSD-compatible install... /usr/bin/install -c checking for perl... /usr/bin/perl checking for rsync... /usr/bin/rsync checking for cp... /bin/cp checking for rm... /bin/rm checking for ssh... /usr/bin/ssh checking for logger... /usr/bin/logger checking for du... /usr/bin/du configure: creating ./config.status config.status: creating Makefile config.status: creating rsnapshot config.status: creating rsnapshot-diff config.status: creating rsnapshot.conf.default config.status: creating t/support/etc/configtest.conf config.status: creating t/support/etc/rsync.conf config.status: creating t/support/etc/gnu_cp.conf config.status: creating t/support/etc/relative_delete_bugfix.conf config.status: creating t/configtest.t config.status: creating t/rsync.t config.status: creating t/gnu_cp.t config.status: creating t/relative_delete_bugfix.t Now type make testto run the regression test suite. Then type make install to install the program. After rsnapshot is installed, don't forget to copy /usr/local/etc/rsnapshot.conf.default to /usr/local/etc/rsnapshot.conf $ make cd . /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run aclocal-1.9 /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing: line 52: aclocal-1.9: command not found WARNING: `aclocal-1.9' is missing on your system. You should only need it if you modified `acinclude.m4' or `configure.ac'. You might want to install the `Automake' and `Perl' packages. Grab them from any GNU archive site. cd . /bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run automake-1.9 --gnu /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing: line 52: automake-1.9: command not found WARNING: `automake-1.9' is missing on your system. You should only need it if you modified `Makefile.am', `acinclude.m4' or `configure.ac'. You might want to install the `Automake' and `Perl' packages. Grab them from any GNU archive site. cd . 
/bin/bash /home/sgf/Documents/rsnapshot/src/3rd/t/rsnapshot/missing --run autoconf /bin/bash ./config.status --recheck running /bin/bash ./configure --no-create --no-recursion checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make sets $(MAKE)... (cached) yes checking for perl... /usr/bin/perl checking for rsync... /usr/bin/rsync checking for cp... /bin/cp checking for rm... /bin/rm checking for ssh... /usr/bin/ssh checking for lvcreate... no checking for lvremove... no
Bug#754956: rsnapshot running with lazy_delete deletes lockfile twice
([$$]: Lockfile $lockfile belongs to other process $pid, will not delete it!, 2); + syslog_warn([$$]: Lockfile $lockfile belongs to other process $pid, will not delete it); + return(1); + } + } + remove_lockfile(); + return (1); +} + # accepts no arguments # accepts the path to a lockfile and tries to remove it # returns undef if lockfile isn't defined in the config file, and 1 upon success And now the test again: # ls -la storage/ total 16 drwx-- 4 root root 4096 Jul 16 14:48 . drwx-- 4 root root 4096 Jul 16 14:48 .. drwx-- 3 root root 4096 Jul 16 14:47 hourly.0 drwx-- 3 root root 4096 Jul 16 14:46 hourly.1 Start two ./rsnapshot.patch instances: # ./rsnapshot.patch -c ./rsnapshot.conf hourly ; ls -l rsnapshot.pid WARNING: [2976]: Lockfile /root/test_lazy_delete/rsnapshot.pid belongs to other process 2979, will not delete it! -rw--- 1 root root 4 Jul 16 14:48 rsnapshot.pid (note, lockfile still exist!) # ./rsnapshot.patch -c ./rsnapshot.conf sync # And here is log. 'hourly' starts and goes up to `rm -rf`: [16/Jul/2014:14:48:22] ./rsnapshot.patch -c ./rsnapshot.conf hourly: started [16/Jul/2014:14:48:22] Setting locale to POSIX C [16/Jul/2014:14:48:22] echo 2976 /root/test_lazy_delete/rsnapshot.pid [16/Jul/2014:14:48:22] mv /root/test_lazy_delete/storage/hourly.1/ /root/test_lazy_delete/storage/_delete.2976/ [16/Jul/2014:14:48:22] mv /root/test_lazy_delete/storage/hourly.0/ /root/test_lazy_delete/storage/hourly.1/ [16/Jul/2014:14:48:22] rm -f /root/test_lazy_delete/rsnapshot.pid [16/Jul/2014:14:48:22] /root/test_lazy_delete/rm_wait -rf /root/test_lazy_delete/storage/_delete.2976 'sync' starts: [16/Jul/2014:14:48:26] ./rsnapshot.patch -c ./rsnapshot.conf sync: started [16/Jul/2014:14:48:26] Setting locale to POSIX C [16/Jul/2014:14:48:26] echo 2979 /root/test_lazy_delete/rsnapshot.pid [16/Jul/2014:14:48:26] mkdir -m 0755 -p /root/test_lazy_delete/storage/.sync/ [16/Jul/2014:14:48:26] /root/test_lazy_delete/rsync_wait -a --delete --numeric-ids --relative 
--delete-excluded --link-dest=/root/test_lazy_delete/storage/hourly.1/localhost/ /root/test_lazy_delete/./data /root/test_lazy_delete/storage/.sync/localhost/ 'hourly' finishes lazy delete, but notices, that lockfile no longer belongs to it, and leaves it in place: [16/Jul/2014:14:48:52] [2976]: Removing lock file, if we owns it. [16/Jul/2014:14:48:52] [2976]: Lockfile /root/test_lazy_delete/rsnapshot.pid belongs to other process 2979, will not delete it! [16/Jul/2014:14:48:52] WARNING: ./rsnapshot.patch -c ./rsnapshot.conf hourly: completed, but with some warnings 'sync' finishes and deletes its lockfile: [16/Jul/2014:14:48:56] rsync succeeded [16/Jul/2014:14:48:56] touch /root/test_lazy_delete/storage/.sync/ [16/Jul/2014:14:48:56] No directory to delete: /root/test_lazy_delete/storage/_delete.2979 [16/Jul/2014:14:48:56] [2979]: Removing lock file, if we owns it. [16/Jul/2014:14:48:56] rm -f /root/test_lazy_delete/rsnapshot.pid [16/Jul/2014:14:48:56] ./rsnapshot.patch -c ./rsnapshot.conf sync: completed successfully -- Dmitriy Matrosov Test config was: # # rsnapshot.conf - rsnapshot configuration file # # # # # PLEASE BE AWARE OF THE FOLLOWING RULES: # # # # This file requires tabs between elements # # # # Directories require a trailing slash: # # right: /home/ # # wrong: /home# # # # ### # CONFIG FILE VERSION # ### config_version 1.2 ### # SNAPSHOT ROOT DIRECTORY # ### # All snapshots will be stored under this root directory. # snapshot_root /root/test_lazy_delete/storage # If no_create_root is enabled, rsnapshot will not automatically create the # snapshot_root directory. This is particularly useful if you are backing # up to removable media, such as a FireWire or USB drive. # no_create_root 1 # # EXTERNAL PROGRAM DEPENDENCIES # # # LINUX USERS: Be sure to uncomment cmd_cp. This gives you extra features. # EVERYONE ELSE: Leave cmd_cp commented out for compatibility. # # See the README file or the man page for more details. 
# cmd_cp /bin/cp # uncomment this to use the rm program instead of the built-in perl routine. # cmd_rm /root/test_lazy_delete/rm_wait # rsync must be enabled for anything to work
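Review bot: In the lockfile hunk at the top of this message, the added function returns 1 both after the "belongs to other process" warning and after `remove_lockfile()`, so a caller cannot tell a lockfile that was left in place from one that was removed; return a distinct value in the not-owned branch. The ownership test and `remove_lockfile()` are also separate steps, so another instance can still replace the lockfile between them; repeating the owner check inside `remove_lockfile()` right before the unlink would narrow that window.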
Bug#748354: keyutils: key timeout have reset after udev starts
On 05/25/2014 11:22 PM, Christian Kastner wrote:
> I'd appreciate it if you could check the contents of /proc/keys right
> after boot. The fourth column should list the remaining time until the
> key expires, or perm if the expiry has been reset.

Hi, Christian.

Here is the result:

From initramfs just after password had cached:

    1a0f0935 I--Q--- 1 1m 3f01 0 0 user cryptkey-reiji: 27
    21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
    2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1

Before udev started:

    1a0f0935 I--Q--- 1 58s 3f01 0 0 user cryptkey-reiji: 27
    21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
    2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1

After udev started:

    1a0f0935 I--Q--- 1 4h 3f01 0 0 user cryptkey-reiji: 27
    21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
    2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1
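A check for the symptom shown in this message, as an added example that is not part of the thread or of keyutils: it reads /proc/keys-format lines and flags `user` keys whose remaining lifetime (fourth column) is longer than the timeout that was meant to apply. The function names are hypothetical and the sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Convert the 4th /proc/keys column to seconds. The kernel prints "perm"
# (no expiry), "expd" (already expired) or a number with a unit suffix
# s/m/h/d/w, rounded down to that unit (so "1m" means at least 60 s).
# "perm" is reported as -1.
expiry_to_seconds() {
    case "$1" in
        perm) echo -1 ;;
        expd) echo 0 ;;
        [0-9]*s) echo "${1%s}" ;;
        [0-9]*m) echo $(( ${1%m} * 60 )) ;;
        [0-9]*h) echo $(( ${1%h} * 3600 )) ;;
        [0-9]*d) echo $(( ${1%d} * 86400 )) ;;
        [0-9]*w) echo $(( ${1%w} * 604800 )) ;;
        *) return 1 ;;
    esac
}

# Read /proc/keys-format text on stdin. For every key of type "user" print
# "<description> <expiry> OK" or "<description> <expiry> EXCEEDS", judged
# against the maximum lifetime in seconds given as $1.
# On a live system: check_key_timeouts 60 < /proc/keys
check_key_timeouts() {
    max=$1
    while read -r id flags usage expiry perm uid gid type desc; do
        [ "$type" = "user" ] || continue
        secs=$(expiry_to_seconds "$expiry") || continue
        if [ "$secs" -lt 0 ] || [ "$secs" -gt "$max" ]; then
            verdict=EXCEEDS
        else
            verdict=OK
        fi
        echo "${desc%%:*} $expiry $verdict"
    done
}

# Sample input: the "before udev" and "after udev" snapshots from the message.
sample_before_udev() {
    cat <<'EOF'
1a0f0935 I--Q--- 1 58s 3f01 0 0 user cryptkey-reiji: 27
21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1
EOF
}

sample_after_udev() {
    cat <<'EOF'
1a0f0935 I--Q--- 1 4h 3f01 0 0 user cryptkey-reiji: 27
21d6c5bf I--Q--- 2 perm 1f3f 0 65534 keyring _uid.0: 1
2849060a I--Q--- 1 perm 1f3f 0 65534 keyring _uid_ses.0: 1
EOF
}

echo "before udev:"; sample_before_udev | check_key_timeouts 60
echo "after udev:";  sample_after_udev  | check_key_timeouts 60
```
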
Bug#748354: keyutils: key timeout have reset after udev starts
Package: keyutils
Version: 1.5.6-1
Severity: normal
Tags: security

Hi.

Key timeout set in initramfs had reset after udev init script run.

How to reproduce:

1. Add key and set timeout on it in initramfs. E.g. use an encrypted root and open it using decrypt_keyctl script from cryptsetup package (to cache password). The crypttab entry may look like:

    jessie_root /dev/reiji/enc_jessie_root reiji luks,keyscript=decrypt_keyctl

The decrypt_keyctl script sets timeout of 60 seconds on all cached passwords.

2. Add init script (below), which runs before udev and waits for 60 seconds to ensure that timeout still works. It may have LSB header like:

    ### BEGIN INIT INFO
    # Provides:          keyctl-test
    # Required-Start:    mountkernfs
    # Required-Stop:
    # X-Interactive:     false
    # X-Start-Before:    udev
    # X-Stop-After:      udev
    # Default-Start:     S
    # Default-Stop:      0 6
    # Short-Description: Wait for keyctl timeout to expire
    # Description:
    ### END INIT INFO

and restart the system. You'll see line

    key inaccessible (key has expired)

when keyctl-test script runs `keyctl show @u` after waiting for 60 seconds.

4. Now change LSB header, so keyctl-test starts right after udev. It may look like:

    ### BEGIN INIT INFO
    # Provides:          keyctl-test
    # Required-Start:    udev
    # Required-Stop:     udev
    # X-Interactive:     false
    # X-Start-Before:    keyboard-setup mdadm-raid mountdevsubfs
    # X-Stop-After:
    # Default-Start:     S
    # Default-Stop:      0 6
    # Short-Description: Wait for keyctl timeout to expire
    # Description:
    ### END INIT INFO

and also restart the system. Now after waiting for 60 seconds `keyctl show @u` will still list the key added during root fs unlocking from initramfs.

The keyctl-test init script may look like:

    do_start()
    {
        # progress messages go to stderr
        echo "Waiting for keyctl timeout to expire.." >&2
        sleep 60
        echo "..done" >&2
        # list what is still in the user keyring
        keyctl show @u
    }

    case "$1" in
        start)
            do_start
            ;;
        stop|restart|reload|force-reload|force-start)
            echo .
            ;;
        *)
            echo "Usage: {start|stop|restart|reload|force-reload|force-start}"
            exit 1
            ;;
    esac

To work around this I may use a simple script for clearing the keyring, which runs when all volumes requiring password have opened. I may run it using 'check=' option in crypttab. E.g. the last crypttab line, which uses cached password, may look like:

    w7 /dev/sdb2 reiji luks,keyscript=decrypt_keyctl,check=keyctl_clear

and keyctl_clear script should be placed in /lib/cryptsetup/checks/ and may look like:

    #!/bin/sh
    keyctl clear @u || exit 0

--
Dmitriy Matrosov

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages keyutils depends on:
ii  libc6         2.18-5
ii  libkeyutils1  1.5.6-1

keyutils recommends no packages.

keyutils suggests no packages.

-- no debconf information
Bug#748368: cryptsetup: decrypt_keyctl does not ask for password again, if wrong password have given
Package: cryptsetup
Version: 2:1.6.4-4
Severity: normal
Tags: patch

Hi.

If I've entered wrong password at decrypt_keyctl prompt, it'll use it in all following cryptsetup attempts, making all of them fail:

    # cryptdisks_start w7_data
    Starting crypto disk...w7_data (starting)...
    Caching passphrase for /dev/sda3:
    No device header detected with this passphrase.
    Using cached passphrase for /dev/sda3.
    No device header detected with this passphrase.
    Using cached passphrase for /dev/sda3.
    No device header detected with this passphrase.
    w7_data (failed)...failed.

Attached patch makes decrypt_keyctl ask for password again, if CRYPTTAB_TRIED is greater than 0. So, unlocking may look like:

Try once and press Ctrl-C:

    # cryptdisks_start w7_data
    Starting crypto disk...w7_data (starting)...
    Caching passphrase for /dev/sda3:
    No device header detected with this passphrase.
    Caching passphrase for /dev/sda3:
    Error reading passphrase.
    #

It asks for password second time, when 1st attempt fails. Then try to open again:

    # cryptdisks_start w7_data
    Starting crypto disk...w7_data (starting)...
    Using cached passphrase for /dev/sda3.
    No device header detected with this passphrase.
    Caching passphrase for /dev/sda3:
    w7_data (started)...done.

First, it tries cached (wrong) password. But, when it fails, asks again, and now succeeds.
-- Package-specific info:

-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.13-1-amd64 root=/dev/mapper/jessie_root ro quiet

-- /etc/crypttab
jessie_root /dev/reiji/enc_jessie_root reiji luks,keyscript=decrypt_keyctl
jessie_usr /dev/reiji/enc_jessie_usr /etc/keys/jessie_usr.lukskey luks
jessie_var /dev/reiji/enc_jessie_var /etc/keys/jessie_var.lukskey luks
jessie_tmp /dev/reiji/enc_jessie_tmp /etc/keys/jessie_tmp.lukskey luks
jessie_swap /dev/reiji/enc_jessie_swap /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=sha1
home /dev/reiji/enc_home /etc/keys/home.lukskey luks
backup /dev/reiji/enc_backup /etc/keys/backup.lukskey luks
w7_backup /dev/sdb4 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7_data /dev/sda3 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7 /dev/sdb2 reiji tcrypt,tcryptsystem,precheck=/bin/true,keyscript=decrypt_keyctl,check=keyctl_clear

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# file system mount point type options dump pass
UUID=227ce6c3-0de7-4436-9e13-6442a3d7d8f4 /boot ext3 defaults 0 2
/dev/mapper/jessie_root / ext4 errors=remount-ro 0 1
/dev/mapper/jessie_usr /usr ext4 defaults 0 2
/dev/mapper/jessie_var /var ext4 defaults 0 2
/dev/mapper/jessie_tmp /var/tmp ext4 defaults 0 2
/dev/mapper/jessie_swap none swap sw 0 0
/dev/mapper/home /home ext4 defaults 0 2
/dev/mapper/backup /var/backups ext4 defaults 0 2

-- lsmod
Bug#748286: cryptsetup: crypttab does not support truecrypt volumes
/cryptsetup/askpass fi - elif [ $key != ${key%/dev/*} ]; then + else + # Two original cases here: # no keyscript, device key = special treatment + # no keyscript, key = file input keyscriptarg= key=$key - KEYSCRIPT= - else - # no keyscript, key = file input - keyscriptarg=$key - key=- - KEYSCRIPT=cat + KEYSCRIPT=tcrypt_no_pass + PARAMS=$PARAMS --key-file=$key + fi + # Add additional key files, if any. + if [ -n $TCRYPTKEYS ]; then + IFS=$nl + # FIXME: Pathname expansion still runs on filenames, may be + # disable it? + set -- $TCRYPTKEYS + for f; do + PARAMS=${PARAMS:+$PARAMS }--key-file=$f + done + set -- + IFS=$OIFS fi - PARAMS=$PARAMS --key-file=$key - while [ $tried -lt $TRIES ] || [ $TRIES -eq 0 ]; do export CRYPTTAB_TRIED=$tried - if [ -n $KEYSCRIPT ]; then - if $KEYSCRIPT $keyscriptarg | cryptsetup $PARAMS $TCRYPTPARAMS open --type tcrypt $src ${dst}_unformatted; then - break - fi - else - if cryptsetup $PARAMS $TCRYPTPARAMS open --type tcrypt $src ${dst}_unformatted; then - break - fi + # KEYSCRIPT is always set, so i don't need to check. + if $KEYSCRIPT $keyscriptarg | cryptsetup $PARAMS $TCRYPTPARAMS open --type tcrypt $src ${dst}_unformatted; then + break fi tried=$(( $tried + 1 )) 
@@ -402,7 +434,7 @@ do_tcrypt () { if [ -n $CHECK ] ! $CHECK /dev/mapper/${dst}_unformatted $CHECKARGS; then log_warning_msg $dst: the check for '/dev/mapper/$dst' failed - cryptsetup luksClose ${dst}_unformatted + cryptsetup close ${dst}_unformatted return 1 fi

--
Dmitriy Matrosov

-- Package-specific info:

-- /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.13-1-amd64 root=/dev/mapper/jessie_root ro quiet

-- /etc/crypttab
jessie_root /dev/reiji/enc_jessie_root reiji luks,keyscript=decrypt_keyctl
jessie_usr /dev/reiji/enc_jessie_usr /etc/keys/jessie_usr.lukskey luks
jessie_var /dev/reiji/enc_jessie_var /etc/keys/jessie_var.lukskey luks
jessie_tmp /dev/reiji/enc_jessie_tmp /etc/keys/jessie_tmp.lukskey luks
jessie_swap /dev/reiji/enc_jessie_swap /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=sha1
home /dev/reiji/enc_home /etc/keys/home.lukskey luks
backup /dev/reiji/enc_backup /etc/keys/backup.lukskey luks
w7_backup /dev/sdb4 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7_data /dev/sda3 reiji tcrypt,precheck=/bin/true,keyscript=decrypt_keyctl
w7 /dev/sdb2 reiji tcrypt,tcryptsystem,precheck=/bin/true,keyscript=decrypt_keyctl,check=keyctl_clear
flash /dev/sdc1 none tcrypt,precheck=/bin/true,tcryptkey=/root/flash-21.tckey,tcryptkey=/root/flash-22.tckey

-- /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# file system mount point type options dump pass
UUID=227ce6c3-0de7-4436-9e13-6442a3d7d8f4 /boot ext3 defaults 0 2
/dev/mapper/jessie_root / ext4 errors=remount-ro 0 1
/dev/mapper/jessie_usr /usr ext4 defaults 0 2
/dev/mapper/jessie_var /var ext4 defaults 0 2
/dev/mapper/jessie_tmp /var/tmp ext4 defaults 0 2
/dev/mapper/jessie_swap none swap sw 0 0
/dev/mapper/home /home ext4 defaults 0 2
/dev/mapper/backup /var/backups ext4 defaults 0 2

-- lsmod
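Review bot: The key-file loop in the first hunk of the Bug#748286 patch leaves its own `FIXME` open: `set -- $TCRYPTKEYS` runs with pathname expansion enabled, so a `tcryptkey=` value containing `*`, `?` or `[` is expanded against the filesystem before it reaches `--key-file`. Wrap the split in `set -f` and `set +f`; also, each path is appended to `PARAMS` as plain text, so a key-file path containing whitespace will be split into separate arguments when `$PARAMS` is word-split for the `cryptsetup` call.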