From owner-freebsd-bugs@FreeBSD.ORG Wed Aug 30 17:50:23 2006
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA8C616A4DF for ; Wed, 30 Aug 2006 17:50:23 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5497243D6A for ; Wed, 30 Aug 2006 17:50:21 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k7UHoLu2032840 for ; Wed, 30 Aug 2006 17:50:21 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k7UHoLHw032839; Wed, 30 Aug 2006 17:50:21 GMT (envelope-from gnats)
Resent-Date: Wed, 30 Aug 2006 17:50:21 GMT
Resent-Message-Id: <200608301750.k7UHoLHw032839@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Shaun Amott
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 57BDE16A4E9 for ; Wed, 30 Aug 2006 17:50:09 +0000 (UTC) (envelope-from shaun@inerd.com)
Received: from dione.picobyte.net (host-212-158-207-124.bulldogdsl.com [212.158.207.124]) by mx1.FreeBSD.org (Postfix) with SMTP id 697E643D62 for ; Wed, 30 Aug 2006 17:50:06 +0000 (GMT) (envelope-from shaun@inerd.com)
Received: from charon.picobyte.net (charon.picobyte.net [IPv6:2001:4bd0:201e::fe03]) by dione.picobyte.net (Postfix) with ESMTP for ; Wed, 30 Aug 2006 18:50:05 +0100 (BST)
Message-Id: <1156960205.2175@charon.picobyte.net>
Date: Wed, 30 Aug 2006 18:50:05 +0100
From: Shaun Amott
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: conf/102700: [PATCH] Add encrypted /tmp support to GELI/GBDE rc.d scripts
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Shaun Amott
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 30 Aug 2006 17:50:23 -0000

>Number: 102700
>Category: conf
>Synopsis: [PATCH] Add encrypted /tmp support to GELI/GBDE rc.d scripts
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 30 17:50:20 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Shaun Amott
>Release: FreeBSD 6.1-STABLE i386
>Organization:
>Environment:
>Description:
The following patch adds support to the geli and gbde rc.d scripts for one-time encrypted /tmp partitions, much like the "encswap" partitions that are already supported. I have been doing this successfully via rc.{early,local} for some time now, but I feel it would be a useful addition to the standard scripts.

How to use it?

1) Change your /tmp device in /etc/fstab:

From...

/dev/ad0s2e /tmp ufs rw 2 2

To one of...

/dev/ad0s2e.eli /tmp ufs rw 2 2
/dev/ad0s2e.bde /tmp ufs rw 2 2

2) Tell the script about it:

geli_enctmp_devices="ad0s1e"

3) Reboot to find a secure, encrypted /tmp

There was also (it seems) a typo in 'gbde', which has been fixed as part of the patch:

- case "${gbde_devices-auto}" in
+ case "${gbde_devices:-enctmp}" in

>How-To-Repeat:
>Fix:
--- encswap.diff begins here --- Index: defaults/rc.conf =================================================================== RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.294 diff -u -r1.294 rc.conf --- defaults/rc.conf 17 Aug 2006 20:13:24 -0000 1.294 +++ defaults/rc.conf 30 Aug 2006 17:40:58 -0000
@@ -55,13 +55,17 @@ # Experimental - test before enabling gbde_autoattach_all="NO" # YES automatically mounts gbde devices from fstab -gbde_devices="NO" # Devices to automatically attach (list, or AUTO) +gbde_devices="ENCTMP" # Devices to automatically attach (list, or AUTO/ENCTMP) + # Set to ENCTMP to auto-mount enctmp devices only +gbde_enctmp_devices="" # Encrypted /tmp devices listed in /etc/fstab gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices gbde_lockdir="/etc" # Where to look for gbde lockfiles # GELI disk encryption configuration. geli_devices="" # List of devices to automatically attach in addition to # GELI devices listed in /etc/fstab. +geli_enctmp_devices="" # GELI encrypted /tmp devices listed in /etc/fstab +geli_enctmp_flags="-e AES -l 256 -s 4096" # Encrypted /tmp flags geli_tries="" # Number of times to attempt attaching geli device. # If empty, kern.geom.eli.tries will be used. geli_default_flags="" # Default flags for geli(8). Index: rc.d/gbde =================================================================== RCS file: /home/ncvs/src/etc/rc.d/gbde,v retrieving revision 1.13 diff -u -r1.13 gbde --- rc.d/gbde 14 Aug 2005 17:28:15 -0000 1.13 +++ rc.d/gbde 30 Aug 2006 17:40:59 -0000 @@ -7,6 +7,7 @@ # # PROVIDE: disks +# REQUIRE: initrandom # KEYWORD: nojail . /etc/rc.subr @@ -19,10 +20,13 @@ find_gbde_devices() { - case "${gbde_devices-auto}" in + case "${gbde_devices:-enctmp}" in [Aa][Uu][Tt][Oo]) gbde_devices="" ;; + [Ee][Nn][Cc][Tt][Mm][Pp]) + gbde_devices="${gbde_enctmp_devices}" + ;; *) return 0 ;; 
@@ -82,24 +86,45 @@ parent=${device%.bde} parent=${parent#/dev/} parent_=`ltr ${parent} '/' '_'` - eval "lock=\${gbde_lock_${parent_}-\"${gbde_lockdir}/${parent_}.lock\"}" - if [ -e "/dev/${parent}" -a ! -e "/dev/${parent}.bde" ]; then - echo "Configuring Disk Encryption for ${parent}." - count=1 - while [ ${count} -le ${gbde_attach_attempts} ]; do - if [ -e "${lock}" ]; then - gbde attach ${parent} -l ${lock} - else - gbde attach ${parent} - fi - if [ -e "/dev/${parent}.bde" ]; then + istmp=0 + + if [ ! -z "${gbde_enctmp_devices}" ]; then + for dev in ${gbde_enctmp_devices}; do + if [ ${dev} = ${parent} ]; then + istmp=1 break fi - echo "Attach failed; attempt ${count} of ${gbde_attach_attempts}." - count=$((${count} + 1)) done fi + + eval "lock=\${gbde_lock_${parent_}-\"${gbde_lockdir}/${parent_}.lock\"}" + if [ -e "/dev/${parent}" -a ! -e "/dev/${parent}.bde" ]; then + if [ ${istmp} -eq 1 ]; then + echo "Configuring Encrypted Temporary Space for ${parent}." + + passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q` + gbde init "${device}" -P "${passphrase}" \ + && gbde attach "${device}" -p "${passphrase}" \ + && newfs -U /dev/${device}.bde + else + echo "Configuring Disk Encryption for ${parent}." + + count=1 + while [ ${count} -le ${gbde_attach_attempts} ]; do + if [ -e "${lock}" ]; then + gbde attach ${parent} -l ${lock} + else + gbde attach ${parent} + fi + if [ -e "/dev/${parent}.bde" ]; then + break + fi + echo "Attach failed; attempt ${count} of ${gbde_attach_attempts}." + count=$((${count} + 1)) + done + fi + fi done } Index: rc.d/gbde2 =================================================================== RCS file: rc.d/gbde2 diff -N rc.d/gbde2 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ rc.d/gbde2 30 Aug 2006 17:40:59 -0000 
@@ -0,0 +1,53 @@ +#!/bin/sh +# +# Copyright (c) 2006 Shaun Amott +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# PROVIDE: gbde2 +# REQUIRE: mountcritlocal +# KEYWORD: nojail +# BEFORE: tmp + +. /etc/rc.subr + +name="gbde2" +start_cmd="gbde2_start" +stop_cmd=":" + +gbde2_start() +{ + for provider in ${gbde_enctmp_devices}; do + mountpoint=`awk "/^\/dev\/${provider}/ {print \\$2}" /etc/fstab` + ismounted=`mount | awk "/^\/dev\/${provider}/ {print \\$3}"` + if [ ! 
-z "${mountpoint}" -a "${mountpoint}" = "${ismounted}" ]; then + chmod 1777 ${mountpoint} + fi + done +} + +load_rc_config $name +run_rc_command "$1" Index: rc.d/geli =================================================================== RCS file: /home/ncvs/src/etc/rc.d/geli,v retrieving revision 1.3 diff -u -r1.3 geli --- rc.d/geli 23 Sep 2005 23:53:35 -0000 1.3 +++ rc.d/geli 30 Aug 2006 17:40:59 -0000 @@ -60,21 +60,42 @@ for provider in ${devices}; do provider_=`ltr ${provider} '/' '_'` + istmp=0 + + if [ ! -z "${geli_enctmp_devices}" ]; then + for prov in ${geli_enctmp_devices}; do + if [ ${prov} = ${provider} ]; then + istmp=1 + break + fi + done + fi + eval "flags=\${geli_${provider_}_flags}" if [ -z "${flags}" ]; then - flags=${geli_default_flags} + if [ ${istmp} -eq 1 ]; then + flags=${geli_enctmp_flags} + else + flags=${geli_default_flags} + fi fi if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then - echo "Configuring Disk Encryption for ${provider}." - count=1 - while [ ${count} -le ${geli_tries} ]; do - geli attach ${flags} ${provider} - if [ -e "/dev/${provider}.eli" ]; then - break - fi - echo "Attach failed; attempt ${count} of ${geli_tries}." - count=$((count+1)) - done + if [ ${istmp} = 1 ]; then + echo "Configuring Encrypted Temporary Space for ${provider}." + geli onetime ${flags} ${provider} \ + && newfs -U /dev/${provider}.eli + else + echo "Configuring Disk Encryption for ${provider}." + count=1 + while [ ${count} -le ${geli_tries} ]; do + geli attach ${flags} ${provider} + if [ -e "/dev/${provider}.eli" ]; then + break + fi + echo "Attach failed; attempt ${count} of ${geli_tries}." + count=$((count+1)) + done + fi fi done } Index: rc.d/geli2 =================================================================== RCS file: /home/ncvs/src/etc/rc.d/geli2,v retrieving revision 1.1 diff -u -r1.1 geli2 --- rc.d/geli2 14 Aug 2005 18:02:21 -0000 1.1 +++ rc.d/geli2 30 Aug 2006 17:40:59 -0000 
@@ -30,6 +30,7 @@ # PROVIDE: geli2 # REQUIRE: mountcritlocal # KEYWORD: nojail +# BEFORE: tmp . /etc/rc.subr @@ -44,6 +45,25 @@ for provider in ${devices}; do provider_=`ltr ${provider} '/' '_'` + istmp=0 + + if [ ! -z "${geli_enctmp_devices}" ]; then + for prov in ${geli_enctmp_devices}; do + if [ ${prov} = ${provider} ]; then + istmp=1 + break + fi + done + fi + + if [ ${istmp} -eq 1 ]; then + mountpoint=`awk "/^\/dev\/${provider}/ {print \\$2}" /etc/fstab` + ismounted=`mount | awk "/^\/dev\/${provider}/ {print \\$3}"` + if [ ! -z "${mountpoint}" -a "${mountpoint}" = "${ismounted}" ]; then + chmod 1777 ${mountpoint} + fi + fi + eval "autodetach=\${geli_${provider_}_autodetach}" if [ -z "${autodetach}" ]; then autodetach=${geli_autodetach} --- encswap.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
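Review bot: the defaults/rc.conf hunk changes the shipped default from `gbde_devices="NO"` to `gbde_devices="ENCTMP"`, and the rc.d/gbde hunk makes the ENCTMP branch set `gbde_devices="${gbde_enctmp_devices}"`, which is empty by default; that is exactly what the AUTO branch produces (`gbde_devices=""`), so a system that previously fell into the `*) return 0` case with NO now takes the same path as AUTO. If that is intended it should be said in the comment, and since `${gbde_devices:-enctmp}` now treats an explicit empty value the same as unset, the comment `(list, or AUTO/ENCTMP)` should also state how to disable gbde handling entirely (NO is no longer mentioned anywhere). In the same file, `geli_enctmp_flags="-e AES -l 256 -s 4096"` is only consulted when no per-provider `geli_<provider>_flags` is set, per the rc.d/geli hunk; a short note that the per-device flags take precedence would save a user who sets both from a surprise.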
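Review bot: in the rc.d/gbde attach hunk the enctmp branch passes `${device}` to `gbde init "${device}"`, `gbde attach "${device}"` and `newfs -U /dev/${device}.bde`, but the lines just above derive `${parent}` by stripping `/dev/` and `.bde` from `${device}` precisely because a device taken from fstab looks like `/dev/ad0s2e.bde`; for such an entry the newfs target becomes `/dev//dev/ad0s2e.bde.bde`. Use `${parent}` in all three calls, as the non-tmp attach loop already does. Two smaller points in the same hunk: the throwaway passphrase from `dd if=/dev/random count=1 2>/dev/null | md5 -q` is handed to gbde via `-P`/`-p` on the command line, so it is visible in the process list for the duration of init and attach; since nothing ever needs to reattach the device that is acceptable, but a comment should say so, and the new `# REQUIRE: initrandom` line is what makes that `/dev/random` read meaningful at boot and deserves the same comment. Also quote both operands in `[ ${dev} = ${parent} ]`.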
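Review bot: the new rc.d/gbde2 looks up the mount point with `awk "/^\/dev\/${provider}/ {print \\$2}" /etc/fstab` and the live mount with the same pattern against `mount` output, which is a prefix regex built by interpolating the provider name: `ad0s1e` matches `/dev/ad0s1e.bde` as wanted, but equally any other entry whose device name starts with `/dev/ad0s1e`, and a provider containing `/` (the reason the surrounding scripts call `ltr ... '/' '_'`) produces an unterminated regex. Compare the device field exactly instead, for example `awk -v dev="/dev/${provider}.bde" '$1 == dev {print $2}' /etc/fstab` and `mount | awk -v dev="/dev/${provider}.bde" '$1 == dev {print $3}'`, and quote `${mountpoint}` in the `chmod 1777` call. Because the chmod only runs when fstab and `mount` agree, a /tmp that failed to mount silently keeps whatever mode the underlying directory had; a warning in an else branch would make that failure visible in the boot log.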
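Review bot: `if [ ${istmp} = 1 ]` in the rc.d/geli hunk uses a string comparison while the same variable is tested with `-eq 1` in rc.d/gbde and rc.d/geli2; pick one form. On substance, `geli onetime ${flags} ${provider} && newfs -U /dev/${provider}.eli` is the right shape for a throwaway volume (the key is generated for this attach only and never stored, so the contents are unrecoverable after detach), and it sits inside the existing `! -e "/dev/${provider}.eli"` guard, so a re-run will not newfs a live provider. What is missing is handling of a newfs failure: the `.eli` provider is then left attached with no filesystem, the later mount fails, and the guard prevents a retry; detaching on failure (`geli detach`) would let the next run start clean. The enctmp branch also bypasses `geli_tries`, which is fine since `onetime` does not prompt, but worth a comment.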
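Review bot: the istmp detection loop and the fstab/mount/`chmod 1777` block added to rc.d/geli2 are the same lines as in the new rc.d/gbde2, and the detection loop appears a third time in rc.d/geli; each copy carries the same `awk "/^\/dev\/${provider}/ ..."` prefix-match and unescaped-slash problems, so a shared helper in rc.subr would keep one fix in one place. The added `# BEFORE: tmp` line is presumably what guarantees rc.d/tmp operates on the already-mounted encrypted filesystem rather than the underlying directory; nothing in the file says so, and a one-line comment next to it would help the next reader.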