From owner-freebsd-fs@FreeBSD.ORG Wed Aug 25 20:34:25 2004
Return-Path:
Delivered-To: freebsd-fs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B60016A4CF for ; Wed, 25 Aug 2004 20:34:25 +0000 (GMT)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by mx1.FreeBSD.org (Postfix) with ESMTP id AE35B43D1F for ; Wed, 25 Aug 2004 20:34:24 +0000 (GMT) (envelope-from simsong@csail.mit.edu)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) i7PKYMs0005768 for ; Wed, 25 Aug 2004 16:34:22 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86]) i7PKYITs015001 for ; Wed, 25 Aug 2004 16:34:22 -0400 (EDT)
Received: from [192.168.1.21] (ip-64-7-15-235.dsl.bos.megapath.net [64.7.15.235]) i7PKYGpq005814 for ; Wed, 25 Aug 2004 16:34:16 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v619)
Content-Transfer-Encoding: 7bit
Message-Id: <249AA14A-F6D6-11D8-87E0-000A95DA91E2@csail.mit.edu>
Content-Type: text/plain; charset=US-ASCII; format=flowed
To: freebsd-fs@freebsd.org
From: "Simson L. Garfinkel"
Date: Wed, 25 Aug 2004 16:34:20 -0400
X-Mailer: Apple Mail (2.619)
Subject: problems with fsck_ffs
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Filesystems
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 25 Aug 2004 20:34:25 -0000

Greetings. I just had a RAID crash which required some recovery with fsck_ffs.

Two problems with fsck_ffs in 5.2 were discovered:

1. There is a divide-by-0 error that happens under some conditions when the contents of the superblock and the backup superblock are partially damaged.

=> Would you like a fix for this?

2. There is no obvious functionality to scan the whole hard-drive for backup superblocks.

=> I've written such a program. If I integrate it into fsck, will you take the mods?

-Simson Garfinkel

From owner-freebsd-fs@FreeBSD.ORG Thu Aug 26 14:43:50 2004
Message-ID: <412DF685.4010505@samsco.org>
Date: Thu, 26 Aug 2004 08:41:09 -0600
From: Scott Long
To: "Simson L. Garfinkel"
cc: freebsd-fs@freebsd.org
In-Reply-To: <249AA14A-F6D6-11D8-87E0-000A95DA91E2@csail.mit.edu>
References: <249AA14A-F6D6-11D8-87E0-000A95DA91E2@csail.mit.edu>
Subject: Re: problems with fsck_ffs

Simson L. Garfinkel wrote:
> Greetings. I just had a RAID crash which required some recovery with
> fsck_ffs.
>
> Two problems with fsck_ffs in 5.2 were discovered:
>
> 1. There is a divide-by-0 error that happens under some conditions when
> the contents of the superblock and the backup superblock are partially
> damaged.
>
> => Would you like a fix for this?

Of course!

> 2. There is no obvious functionality to scan the whole hard-drive for
> backup superblocks.
>
> => I've written such a program. If I integrate it into fsck, will
> you take the mods?

I'd definitely like to see it.

Scott

From owner-freebsd-fs@FreeBSD.ORG Thu Aug 26 14:57:05 2004
Date: Thu, 26 Aug 2004 10:54:51 -0400
From: "Simson L. Garfinkel"
To: Scott Long
cc: freebsd-fs@freebsd.org
In-Reply-To: <412DF685.4010505@samsco.org>
References: <249AA14A-F6D6-11D8-87E0-000A95DA91E2@csail.mit.edu> <412DF685.4010505@samsco.org>
Subject: Re: problems with fsck_ffs

Okay.
Thanks for your interest!

In fsck_ffs/setup.c, the variable sblock.fs_fsize was 0 because of my disk corruption. As a result, dev_bsize was being set to 0, which was resulting in a divide-by-zero. Here is the code and my fix:

	/*
	 * Compute block size that the file system is based on,
	 * according to fsbtodb, and adjust superblock block number
	 * so we can tell if this is an alternate later.
	 */
	super *= dev_bsize;
	dev_bsize = sblock.fs_fsize / fsbtodb(&sblock, 1);
	/* SLG START */
	if (dev_bsize == 0) {
		printf("*** dev_bsize==0. This indicates on-disk corruption of the superblock.\n");
		return (0);
	}
	/* SLG END */

Attached you'll find a program called find_super.c which scans the device for a superblock and fix_super.c which copies the good superblock into the expected superblock location. Ironically, even though fsck_ffs can take a "-b" option and do a full FSCK from any given superblock, mount will not take a superblock argument, so you still need to copy the good superblock into the known location.

Both find_super.c and fix_super.c should be integrated into fsck_ffs. I'll do so if you think that this is a good way to proceed and if you seriously consider taking the changes.
[Attachment: find_super.c]

/*
 * find_super.c: scan a device for UFS superblocks by checking the magic
 * number of every 8192-byte chunk.  The system headers were lost in the
 * archive copy; the ones listed here are what the code needs.
 */
#include <sys/param.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <err.h>
#include "/usr/src/sys/ufs/ufs/extattr.h"
#include "/usr/src/sys/ufs/ufs/quota.h"
#include "/usr/src/sys/ufs/ufs/inode.h"
//#include "/usr/src/sys/ufs/ufs/ufsmount.h"
#include "/usr/src/sys/ufs/ffs/fs.h"

int
main(int argc, char **argv)
{
	if (argc != 2)
		errx(1, "usage: find_super device");
	FILE *f = fopen(argv[1], "r");
	if (!f)
		err(1, "%s", argv[1]);
	long block = 0;
	printf("The FS structure is %zu bytes large\n", sizeof(struct fs));
	while (1) {
		char buf[8192];
		struct fs *fs = (struct fs *)buf;
		/* Progress: number of the 8192-byte chunk being read. */
		printf("\r%ld ", block);
		if (fread(buf, 1, sizeof(buf), f) != sizeof(buf)) {
			printf("\nend of device after %ld chunks\n", block);
			break;
		}
		/* Second number is the 512-byte sector offset (8192/512 = 16). */
		if (fs->fs_magic == FS_UFS1_MAGIC)
			printf("UFS1 MAGIC at %ld (%ld)!\n", block, block * 16);
		if (fs->fs_magic == FS_UFS2_MAGIC)
			printf("UFS2 MAGIC at %ld (%ld)!\n", block, block * 16);
		if (fs->fs_magic == FS_BAD2_MAGIC)
			printf("UFS2 BAD MAGIC at %ld (%ld)!\n", block, block * 16);
		block++;
	}
	fclose(f);
	return 0;
}

[Attachment: fix_super.c]

/*
 * fix_super.c: copy a good (backup) superblock located with find_super
 * over the damaged primary superblock, saving the old contents to the
 * file "oldblock" first.  Device and sector numbers are hard-coded for
 * the disk being recovered.  The system headers were lost in the archive
 * copy; the ones listed here are what the code needs.
 */
#include <sys/param.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <err.h>
#include "/usr/src/sys/ufs/ufs/extattr.h"
#include "/usr/src/sys/ufs/ufs/quota.h"
#include "/usr/src/sys/ufs/ufs/inode.h"
#include "/usr/src/sys/ufs/ffs/fs.h"

int
main(int argc, char **argv)
{
	int fd = open("/dev/da0s1e", O_RDWR);
	int fd2 = open("oldblock", O_WRONLY | O_CREAT | O_TRUNC, 0600);
	int buf[SBLOCKSIZE / sizeof(int)];	/* int-aligned, SBLOCKSIZE bytes */
	struct fs *fs = (struct fs *)buf;
	int from_block = 376224;		/* good superblock, 512-byte sectors */
	//int to_block = SBLOCK_UFS1;
	int to_block = 128;			/* expected primary superblock */
	int known = 0;

	if (fd < 0)
		err(1, "fd");
	if (fd2 < 0)
		err(1, "fd2");
	/* Make a copy of the block we are about to overwrite. */
	if (lseek(fd, (off_t)to_block * 512, SEEK_SET) < 0 ||
	    read(fd, buf, SBLOCKSIZE) != SBLOCKSIZE)
		err(1, "read to_block");
	if (write(fd2, buf, SBLOCKSIZE) != SBLOCKSIZE)
		err(1, "write oldblock");
	/* Now get the from_block. */
	if (lseek(fd, (off_t)from_block * 512, SEEK_SET) < 0 ||
	    read(fd, buf, SBLOCKSIZE) != SBLOCKSIZE)
		err(1, "read from_block");
	if (fs->fs_magic == FS_UFS1_MAGIC)
		known = printf("UFS1 MAGIC at %d\n", from_block);
	if (fs->fs_magic == FS_UFS2_MAGIC)
		known = printf("UFS2 MAGIC at %d\n", from_block);
	if (fs->fs_magic == FS_BAD2_MAGIC)
		known = printf("UFS2 BAD MAGIC at %d\n", from_block);
	/* Refuse to overwrite the primary with something that is not a superblock. */
	if (!known)
		errx(1, "no superblock magic at %d; not writing", from_block);
	/* Now write it to the to_block. */
	if (lseek(fd, (off_t)to_block * 512, SEEK_SET) < 0 ||
	    write(fd, buf, SBLOCKSIZE) != SBLOCKSIZE)
		err(1, "write to_block");
	printf("wrote to block %d\n", to_block);
	close(fd2);
	close(fd);
	return 0;
}

The good news is that I was able to recover my hard drive with 0 files lost! The bad news is that I had to spend about an hour programming in order to do so, which was kind of, well, unnerving.

On Aug 26, 2004, at 10:41 AM, Scott Long wrote:
> I'd definitely like to see it.
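As an added example that is not part of this thread (neither Simson's find_super.c nor FreeBSD's find-sb or scan_ffs), here is a scanner in the same spirit that generalizes the two points above: it steps through the image at 512-byte sector granularity instead of 8192-byte chunks, so a superblock at any sector offset is found, and it checks fs_bsize, fs_fsize and fs_frag before reporting a candidate as usable, which is the check that would have stopped the setup.c divide-by-zero at its source (a backup superblock with fs_fsize zeroed is reported as damaged rather than handed to the geometry computation). The magic values and field offsets are those of FreeBSD's sys/ufs/ffs/fs.h; the disk image, the sector numbers and the geometry values are constructed for the demonstration.

```c
/*
 * Added example, not from the thread: sector-granular scan for UFS
 * superblock candidates with a geometry sanity check before any hit is
 * trusted.  Offsets and constants follow FreeBSD's sys/ufs/ffs/fs.h
 * (fs_bsize at 48, fs_fsize at 52, fs_frag at 56, fs_magic at 1372).
 * The disk image is constructed in memory, so this runs on any host.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR        512
#define FS_UFS1_MAGIC 0x011954
#define FS_UFS2_MAGIC 0x19540119
#define OFF_BSIZE     48
#define OFF_FSIZE     52
#define OFF_FRAG      56
#define OFF_MAGIC     1372
#define MINBSIZE      4096
#define MAXBSIZE      65536
#define MAXFRAG       8
#define IMG_SECTORS   320          /* size of the constructed image */

struct sbhit {
	long    sector;   /* sector at which the candidate superblock starts */
	int     version;  /* 1 = UFS1 magic, 2 = UFS2 magic */
	int     usable;   /* geometry fields pass the sanity checks */
	int32_t bsize, fsize, frag;
};

static int32_t rd32(const unsigned char *p)
{
	return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

static void wr32(unsigned char *p, int32_t v)
{
	uint32_t u = (uint32_t)v;
	p[0] = u & 0xff; p[1] = (u >> 8) & 0xff;
	p[2] = (u >> 16) & 0xff; p[3] = (u >> 24) & 0xff;
}

static int is_pow2(int32_t v) { return v > 0 && (v & (v - 1)) == 0; }

/*
 * The check fsck_ffs lacked: reject a superblock whose fs_fsize is zero
 * (or otherwise impossible) instead of dividing by it.  Every range check
 * precedes the division, so this function itself can never trap.
 */
int geometry_ok(int32_t bsize, int32_t fsize, int32_t frag)
{
	if (!is_pow2(bsize) || bsize < MINBSIZE || bsize > MAXBSIZE)
		return 0;
	if (!is_pow2(fsize) || fsize < SECTOR || fsize > bsize)
		return 0;
	return frag >= 1 && frag <= MAXFRAG && bsize / fsize == frag;
}

/* Scan img at 512-byte steps; records up to max hits and returns the count. */
size_t scan_superblocks(const unsigned char *img, size_t len,
    struct sbhit *out, size_t max)
{
	size_t n = 0;
	for (size_t off = 0; off + OFF_MAGIC + 4 <= len && n < max; off += SECTOR) {
		int32_t magic = rd32(img + off + OFF_MAGIC);
		int ver = magic == FS_UFS1_MAGIC ? 1 : magic == FS_UFS2_MAGIC ? 2 : 0;
		if (ver == 0)
			continue;
		struct sbhit *h = &out[n++];
		h->sector = (long)(off / SECTOR);
		h->version = ver;
		h->bsize = rd32(img + off + OFF_BSIZE);
		h->fsize = rd32(img + off + OFF_FSIZE);
		h->frag = rd32(img + off + OFF_FRAG);
		h->usable = geometry_ok(h->bsize, h->fsize, h->frag);
	}
	return n;
}

static void put_sb(unsigned char *p, int32_t magic, int32_t bsize,
    int32_t fsize, int32_t frag)
{
	wr32(p + OFF_MAGIC, magic);
	wr32(p + OFF_BSIZE, bsize);
	wr32(p + OFF_FSIZE, fsize);
	wr32(p + OFF_FRAG, frag);
}

/*
 * Constructed image: a good UFS2 superblock at sector 128 (the 64 KiB
 * UFS2 location), a backup copy whose fs_fsize was zeroed at sector 160,
 * and a stray UFS1 magic with nonsense geometry at sector 300.
 */
size_t demo_scan(struct sbhit *out, size_t max)
{
	static unsigned char img[IMG_SECTORS * SECTOR];
	memset(img, 0, sizeof(img));
	put_sb(img + 128 * SECTOR, FS_UFS2_MAGIC, 16384, 2048, 8);
	put_sb(img + 160 * SECTOR, FS_UFS2_MAGIC, 16384, 0, 8);
	put_sb(img + 300 * SECTOR, FS_UFS1_MAGIC, 1234, 77, 3);
	return scan_superblocks(img, sizeof(img), out, max);
}

int main(void)
{
	struct sbhit hits[8];
	size_t n = demo_scan(hits, 8);
	for (size_t i = 0; i < n; i++)
		printf("UFS%d magic at sector %ld: bsize=%d fsize=%d frag=%d %s\n",
		    hits[i].version, hits[i].sector, hits[i].bsize, hits[i].fsize,
		    hits[i].frag, hits[i].usable ? "usable" : "DAMAGED, do not use");
	return 0;
}
```

To run this over a real device rather than the constructed image, feed scan_superblocks overlapping reads (each chunk plus the first 1376 bytes of the next), so a superblock that straddles a read boundary is not missed; the usable flag then tells you which of the many backup copies newfs wrote is safe to pass to fsck_ffs -b or to copy back with a tool like fix_super.c.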
From owner-freebsd-fs@FreeBSD.ORG Thu Aug 26 15:54:12 2004
Date: Thu, 26 Aug 2004 09:54:10 -0600 (MDT)
From: Siddharth Aggarwal
To: freebsd-fs@freebsd.org
Subject: Finding newly allocated blocks

Hi,

I am writing this pseudo disk driver for FreeBSD and for write operations, I'd like to distinguish between newly allocated blocks versus overwritten blocks, because there are different actions I want to take for write operations involving newly allocated blocks and for write operations involving previously written blocks. Is it possible to make this distinction in the strategy routine?

I'm not sure if my question is clear, so I could give more details.

Thanks.
From owner-freebsd-fs@FreeBSD.ORG Thu Aug 26 17:56:20 2004
Date: Thu, 26 Aug 2004 21:56:15 +0400 (MSD)
From: Maxim Konovalov
To: "Simson L. Garfinkel"
cc: freebsd-fs@freebsd.org
In-Reply-To: <412DF685.4010505@samsco.org>
Message-ID: <20040826215305.H65086@mp2.macomnet.net>
References: <249AA14A-F6D6-11D8-87E0-000A95DA91E2@csail.mit.edu> <412DF685.4010505@samsco.org>
Subject: Re: problems with fsck_ffs

[...]
> > 2. There is no obvious functionality to scan the whole hard-drive for
> > backup superblocks.
> >
> > => I've written such a program. If I integrate it into fsck,
> > => will
> > you take the mods?

There are src/tools/tools/find-sb and ports/sysutils/scan_ffs.
And I have my own implementation of course :-)

--
Maxim Konovalov

From owner-freebsd-fs@FreeBSD.ORG Thu Aug 26 18:30:39 2004
To: freebsd-fs@freebsd.org
From: Jim Rees
In-Reply-To: Maxim Konovalov, Thu, 26 Aug 2004 21:56:15 +0400
Date: Thu, 26 Aug 2004 14:30:38 -0400
Message-Id: <20040826183038.C21211BB71@citi.umich.edu>
Subject: Re: problems with fsck_ffs

  There are src/tools/tools/find-sb and ports/sysutils/scan_ffs.
  And I have my own implementation of course :-)

Yes, but find-sb really should be part of fsck.

And while we're on the subject, maybe newfs should have an upper limit on how many spares it generates. Or at least stop telling you the block number of each one. The days when a large shop might have one or two disk drives, and you would actually write down the block numbers of the spares, are long gone.
From owner-freebsd-fs@FreeBSD.ORG Thu Aug 26 19:23:43 2004
Message-Id: <200408261923.i7QJNaV2092098@nitroba.com>
Date: Thu, 26 Aug 2004 15:23:28 EST
From: SIMSONG@ACM.ORG
To: maxim@macomnet.ru, simsong@csail.mit.edu
cc: freebsd-fs@freebsd.org
Subject: Re: problems with fsck_ffs

Ah. Everything is in ports. But tools like this need to be statically linked and integrated in fsck so they are there when you need them.

--- Original Message ---
From: Maxim Konovalov
Sent: Thu 8/26/2004 1:56 pm
To: "Simson L. Garfinkel"
Cc: freebsd-fs@freebsd.org
Subject: Re: problems with fsck_ffs

[...]
There are src/tools/tools/find-sb and ports/sysutils/scan_ffs.
And I have my own implementation of course :-)

--
Maxim Konovalov

From owner-freebsd-fs@FreeBSD.ORG Fri Aug 27 20:42:46 2004
Date: Fri, 27 Aug 2004 16:42:31 -0400 (EDT)
From: rick@snowhite.cis.uoguelph.ca
Message-Id: <200408272042.QAA92814@snowhite.cis.uoguelph.ca>
To: fs@freebsd.org
cc: rwatson@freebsd.org
cc: nfsv4@ietf.org
cc: deicher@sandia.gov
cc: kern@openbsd.org
Subject: fyi: yet another nfsv4 bsd server release

I have just put another release of my BSD NFSv4 server up for anonymous ftp. The fixes were mostly related to problems that occurred under heavy load.

I've moved the ftp site to ftp.cis.uoguelph.ca, since snowhite.cis.uoguelph.ca seemed really slow for ftp sometimes. So, if you're interested, it's anonymous ftpable from ftp.cis.uoguelph.ca in pub/nfsv4.
Just in case you're interested, rick

From owner-freebsd-fs@FreeBSD.ORG Sat Aug 28 05:17:03 2004
Date: Sat, 28 Aug 2004 01:16:56 -0400
From: Allan Fields
To: David Kreil
cc: freebsd-fs@freebsd.org
Message-ID: <20040828051655.GK33859@afields.ca>
References: <20040720111637.GJ12833@afields.ca> <200408140457.i7E4vi603240@puffin.ebi.ac.uk>
In-Reply-To: <200408140457.i7E4vi603240@puffin.ebi.ac.uk>
Subject: Re: "sanitizing" disks: wiping swap, non-allocated space, and file-tails

Hi, sorry I didn't get back on this sooner..

On Sat, Aug 14, 2004 at 05:57:44AM +0100, David Kreil wrote:
>
> > > I wonder, in particular, what issues I have to expect in wanting to keep
> > > system relevant directories like /var on a gbde partition.
> >
> > The gbde attach should occur early enough during multiuser startup to avoid
> > such problems, I don't recall if the provided rc script would be sufficient,
> > I'll test a configuration soon, or let me know if you have any luck.
>
> Have you yet had a chance to give it a try?
>
> I noticed that there have been additions to the rc.d script, like
> "gbde_swap_enable". Would you know whether, if I used the rc.d approach,

Yes, it provides a good way to quickly enable encrypted swap.

> whether that will be early enough that I can have /var encrypted?
> Else, how/where should I otherwise link in (as early as possible but after the
> non-US keyboard support has loaded)?

Key roles /var will play during startup:
 - logging: usually syslog or others want to write to /var/log
 - entropy: the entropy database default resides in /var/db (which
   is interesting, what effect does encrypting this have?)
 - run files: some daemons will create pid and lock files, others
   create sockets
 - networking: some network daemons use /var/db
 - mail: sendmail or other MDA might try to deliver some emails
 - savecore: crash dumps would be handled
 - etc..

Therefore you are correct, doing it properly requires that /var be
mounted well before any daemons start. Following rcorder we get a
ranking w/ a few possible entry points:

  preseedrandom
  rcconf.sh
  initrandom
  dumpon
  vinum
  gbde_swap                   <-
  gbde                        <- here (works fine, no dependencies on /var yet)
  ccd                         // should ccd come before gbde ?
  swap1
  early.sh -> /etc/rc.early   <- or perhaps here for custom attaches
  fsck
  root
  mountcritlocal
  var
  cleanvar                    [ /var ]
  addswap
  sysctl
  random                      [ /var/db/entropy ]
  NETWORKING                  [ /var/db .. ]
  mountcritremote
  syslogd                     [ /var/log ]
  savecore                    [ /var/crash ]  // If encrypted swap, may not work
  etc.

  # grep -nR var `rcorder /etc/rc.d/*|awk '/mountcritlocal/{nextfile;} {print}'`

Note with the provided gbde rc script: -l/-L is required and expects
lock files to be made in /etc though you can also specify a gbde_lockdir
in /etc/rc.conf such as /etc/bde to store all your keys. (Remember
to take frequent back-ups).

> > There are several approaches to securing /etc, but I can elaborate
> > more after further testing. The short term approach is not storing
> > private keys, etc. on an unencrypted root. Support for encrypted
> > root is possible w/ some work, but there are a few issues to sort
> > out first.
>
> Do I need an encrypted root? What would be the main benefit of this?

The benefit would be to guarantee that nothing of importance is
stored in the clear on /.

Normally / is limited to system files, but as you've mentioned system
files can be private keys or password databases, and it's possible for
something else to be written by anyone w/ sufficient permissions.
Restrictive permissions combined with encryption of sensitive areas
of the file system could prevent most leakage scenarios absent full
disk or root encryption.

> I think I'd need an encrypted /var (as it holds logs, mail&printer spool,
> ...), and possibly /etc/ssh/ - any other sensitive system areas (besides swap).

You could easily use gbde here by using a vnode backed md, though
there are some more direct approaches to vnode level encryption:

Example md usage
setup:
  mv /etc/ssh /etc/ssh.dist
  mdconfig -a -t vnode -f /etc/ssh.bde -s 4m -u 22
  gbde init /dev/md22 -f /dev/stdin<<-_INIT_
	number_of_keys=4
	random_flush=yes
	_INIT_
  gbde attach /dev/md22
  newfs -o space /dev/md22.bde
  mkdir -p /etc/ssh; chmod 755 /etc/ssh
  mount /dev/md22.bde /etc/ssh
  cp -RPp /etc/ssh.dist/* /etc/ssh &&\
  rm -rf /etc/ssh.dist
startup:
  gbde attach /dev/md22 &&\
  mount /dev/md22.bde /etc/ssh
shutdown:
  umount /dev/md22.bde &&\
  gbde detach /dev/md22

The same of course would apply to any private keys/password databases
and certificates.

> Where do you stand now with your setup? I'd be grateful to learn from your
> experience.

I've done the encrypted /var and /tmp successfully and w/ provided rc
scripts as well. I will continue experimentation on GBDE for
root/full system image setups.

I plan to elaborate further on the subject and will post more details
to the lists. I can try to collect some practical examples, as I
originally set out to do earlier this summer, and put up a web page.

> With many thanks again for your help,
>
> David.
>
> ------------------------------------------------------------------------
> Dr David Philip Kreil                 ("`-''-/").___..--''"`-._
> Research Fellow                        `6_ 6  )   `-.  (     ).`-.__.`)
> University of Cambridge                (_Y_.)'  ._   )  `._ `. ``-..-'
> ++44 1223 764107, fax 333992         _..`--'_..-_/  /--'_.' ,'
> www.inference.phy.cam.ac.uk/dpk20  (il),-''  (li),'  ((!.-'
>

--
Allan Fields, AFRSL - http://afields.ca
 2D4F 6806 D307 0889 6125 C31D F745 0D72 39B4 5541

From owner-freebsd-fs@FreeBSD.ORG Sat Aug 28 11:33:07 2004
Message-Id: <200408281132.i7SBWuu20662@puffin.ebi.ac.uk>
To: Allan Fields
In-Reply-To: Your message of "Sat, 28 Aug 2004 01:16:56 EDT." <20040828051655.GK33859@afields.ca>
Date: Sat, 28 Aug 2004 12:32:56 +0100
From: David Kreil
cc: freebsd-fs@freebsd.org
cc: David Kreil
Subject: Re: "sanitizing" disks: wiping swap, non-allocated space, and file-tails

Dear Allan,

That's great, thank you so much for the update!

Just to guide me - what do you think will be the time scale until you can make your rc scripts and what you've learned in your setup available? If I can afford to wait, this would probably be easiest for me. Else, I'd want to take what you've told me so far, and get struggling on my own.

Will I need 5-CURRENT for stuff to work, or can I stick to latest Release?

One more question about the rc startup process - is the keyboard initialized before gbde (so that the right keyboard map is used for typing in gbde passwords on non US keyboards)?

With many thanks again for your help,

David.

------------------------------------------------------------------------
Dr David Philip Kreil                 ("`-''-/").___..--''"`-._
Research Fellow                        `6_ 6  )   `-.  (     ).`-.__.`)
University of Cambridge                (_Y_.)'  ._   )  `._ `. ``-..-'
++44 1223 764107, fax 333992         _..`--'_..-_/  /--'_.' ,'
www.inference.phy.cam.ac.uk/dpk20  (il),-''  (li),'  ((!.-'