Hi, While working on the automated test suite I wrote a scenario testing that Debian bug #645466 is fixed. When running said scenario for Tails 0.17 (with the changes necessary for the test suite applied) it turns out it's not, so...
Re-opened ticket: https://tails.boum.org/bugs/writable_system_disk:_belongs_to_floppy_group/ New commits in bugfix/writable_boot_media: ae530a1 New fix for bugs/writable_system_disk:_belongs_to_floppy_group 05c8cf6 Add a shell library for determining stuff about the boot device. I revived the previous bugfix branch for this and implemented a fix which uses a udev rule to get closer to the root of the problem compared to the previous fix, which happened at live-config time. Obviously the old fix only worked if udev starts before live-config, and I suspect something has changed w.r.t. that. The end result of the new fix is that the boot device (e.g. /dev/sda) and all its children (i.e. boot/system partition (e.g. /dev/sda1, "Tails") and any persistent partition (e.g. /dev/sda2, "TailsData")) get group ownership 'disk' instead of Debian's default of 'floppy'. That's different compared to the old fix, which only changes the ownership like that for the boot device and boot/system partition (e.g. /dev/sda and /dev/sda1). I half expected this difference to create permission issues for tails-persistence-setup, and that we got, but seemingly for other reasons... With the new fix, tails-persistence-setup exits due to a permission error at an inappropriate time, resulting in an unbootable Tails (at least after creating a new persistent partition). After both creation and deletion I get this output: created /org/freedesktop/UDisks/devices/dm_2d0. Problem opening /dev/sda for reading! Error is 13. You must run this program as root or use sudo! "/sbin/sgdisk" unexpectedly returned exit value 2 at (eval 347) line 13 at /usr/share/perl5/Tails/Persistence/Setup.pm line 935 The error occurs in the function fix_system_partition_attribues(), so I'm not surprised that it makes Tails unbootable. For the record, modyfing the new udev rules to set group ownership to 'floppy' instead of 'disk' and restarting the udev service makes this t-p-s issue go away. In fact, writing rules that makes it so that only the boot device (/dev/sda) is owned by 'floppy' but that its children is owned by 'disk' is enough. As I alluded to above, I was expecting this new fix to introduce issues with the *persistent partition* but it's created without issue and can be unlocked + mounted etc. In fact, according to my tests, the call to `sgdisk` on the boot device (/dev/sda) is the only thing that has permission issues because it is owned by 'disk' instead of 'floppy' (I guess the rest is udisks magic). This worries me as the old fix should have set the same group ownership for the boot device (remember, only the persistent partition's ownership differs between the old and new fix). Did the old fix never work? Or am I missing something? Any way, the focus should be on getting the new fix to work. As I'm overcommitted with other obligations I won't have time to look into the exact workings of t-p-s vs udisks/sgdisk permissions vs group privileges etc. very soon to learn what exactly is going on. Please, maintainer of t-p-s, could you have a look? I hope the above clues make it clear enough. Note: The same approach used by the udev rule added in this branch could make it so that only the TailsData partition *on the boot device* is hidden in 99-hide-TailsData.rules if that's what we want. Ticket todo/hide_only_current_running_TailsData has been updated accordingly. Cheers! _______________________________________________ tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev
