conf/102700: [PATCH] Add encrypted /tmp support to GELI/GBDE rc.d
scripts
Shaun Amott
shaun at FreeBSD.org
Wed Aug 30 17:50:23 UTC 2006
>Number: 102700
>Category: conf
>Synopsis: [PATCH] Add encrypted /tmp support to GELI/GBDE rc.d scripts
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 30 17:50:20 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Shaun Amott
>Release: FreeBSD 6.1-STABLE i386
>Organization:
>Environment:
>Description:
The following patch adds support to the geli and gbde rc.d scripts for
one-time encrypted /tmp partitions, much like the "encswap" partitions
that are already supported.
I have been doing this successfully via rc.{early,local} for some time
now, but I feel it would be a useful addition to the standard scripts.
How to use it?
1) Change your /tmp device in /etc/fstab:
From...
/dev/ad0s2e /tmp ufs rw 2 2
To one of...
/dev/ad0s2e.eli /tmp ufs rw 2 2
/dev/ad0s2e.bde /tmp ufs rw 2 2
2) Tell the script about it:
geli_enctmp_devices="ad0s1e"
3) Reboot to find a secure, encrypted /tmp
There was also (it seems) a typo in 'gbde', which has been fixed as part
of the patch:
- case "${gbde_devices-auto}" in
+ case "${gbde_devices:-enctmp}" in
>How-To-Repeat:
>Fix:
--- encswap.diff begins here ---
Index: defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.294
diff -u -r1.294 rc.conf
--- defaults/rc.conf 17 Aug 2006 20:13:24 -0000 1.294
+++ defaults/rc.conf 30 Aug 2006 17:40:58 -0000
@@ -55,13 +55,17 @@
# Experimental - test before enabling
gbde_autoattach_all="NO" # YES automatically mounts gbde devices from fstab
-gbde_devices="NO" # Devices to automatically attach (list, or AUTO)
+gbde_devices="ENCTMP" # Devices to automatically attach (list, or AUTO/ENCTMP)
+ # Set to ENCTMP to auto-mount enctmp devices only
+gbde_enctmp_devices="" # Encrypted /tmp devices listed in /etc/fstab
gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
gbde_lockdir="/etc" # Where to look for gbde lockfiles
# GELI disk encryption configuration.
geli_devices="" # List of devices to automatically attach in addition to
# GELI devices listed in /etc/fstab.
+geli_enctmp_devices="" # GELI encrypted /tmp devices listed in /etc/fstab
+geli_enctmp_flags="-e AES -l 256 -s 4096" # Encrypted /tmp flags
geli_tries="" # Number of times to attempt attaching geli device.
# If empty, kern.geom.eli.tries will be used.
geli_default_flags="" # Default flags for geli(8).
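Review bot: The default on the `+gbde_devices="ENCTMP"` line changes behaviour for every installation, not only for users of the new feature: under the new `${gbde_devices:-enctmp}` test in rc.d/gbde a NO (or empty) value used to return without touching anything, whereas ENCTMP now falls through the case the same way AUTO does. If the rest of find_gbde_devices scans /etc/fstab after the case (that code is outside the hunks shown), every .bde entry in fstab will be attached by default where previously AUTO had to be set explicitly. Keeping `gbde_devices="NO" # Devices to automatically attach (list, or AUTO/ENCTMP)` and documenting ENCTMP as an opt-in value preserves the old default. The geli_enctmp_flags comment could also say that these flags are only used when no per-provider geli_<dev>_flags is set, since that is the precedence rc.d/geli implements.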
Index: rc.d/gbde
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/gbde,v
retrieving revision 1.13
diff -u -r1.13 gbde
--- rc.d/gbde 14 Aug 2005 17:28:15 -0000 1.13
+++ rc.d/gbde 30 Aug 2006 17:40:59 -0000
@@ -7,6 +7,7 @@
#
# PROVIDE: disks
+# REQUIRE: initrandom
# KEYWORD: nojail
. /etc/rc.subr
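Review bot: The new `# REQUIRE: initrandom` line carries no explanation, and since rcorder(8) reads everything after the keyword as dependency names the reason cannot go on the same line. A separate comment line just below the keyword block, e.g. `# initrandom is needed because the one-time /tmp passphrase is derived from /dev/random.`, would tell the next maintainer why the ordering matters.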
@@ -19,10 +20,13 @@
find_gbde_devices()
{
- case "${gbde_devices-auto}" in
+ case "${gbde_devices:-enctmp}" in
[Aa][Uu][Tt][Oo])
gbde_devices=""
;;
+ [Ee][Nn][Cc][Tt][Mm][Pp])
+ gbde_devices="${gbde_enctmp_devices}"
+ ;;
*)
return 0
;;
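Review bot: `${gbde_devices:-enctmp}` substitutes when the variable is empty as well as unset, whereas the old `${gbde_devices-auto}` only substituted when unset, so an administrator who blanked gbde_devices to disable attaching now gets the ENCTMP path. If that is intended, the rc.conf comment should say so; otherwise the unset-only form `case "${gbde_devices-enctmp}" in` keeps the old meaning. The ENCTMP arm also assigns gbde_devices from gbde_enctmp_devices without a comment saying what happens to that list next; the remainder of find_gbde_devices is outside the hunk, so whether the fstab scan still appends further devices cannot be checked here.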
@@ -82,24 +86,45 @@
parent=${device%.bde}
parent=${parent#/dev/}
parent_=`ltr ${parent} '/' '_'`
- eval "lock=\${gbde_lock_${parent_}-\"${gbde_lockdir}/${parent_}.lock\"}"
- if [ -e "/dev/${parent}" -a ! -e "/dev/${parent}.bde" ]; then
- echo "Configuring Disk Encryption for ${parent}."
- count=1
- while [ ${count} -le ${gbde_attach_attempts} ]; do
- if [ -e "${lock}" ]; then
- gbde attach ${parent} -l ${lock}
- else
- gbde attach ${parent}
- fi
- if [ -e "/dev/${parent}.bde" ]; then
+ istmp=0
+
+ if [ ! -z "${gbde_enctmp_devices}" ]; then
+ for dev in ${gbde_enctmp_devices}; do
+ if [ ${dev} = ${parent} ]; then
+ istmp=1
break
fi
- echo "Attach failed; attempt ${count} of ${gbde_attach_attempts}."
- count=$((${count} + 1))
done
fi
+
+ eval "lock=\${gbde_lock_${parent_}-\"${gbde_lockdir}/${parent_}.lock\"}"
+ if [ -e "/dev/${parent}" -a ! -e "/dev/${parent}.bde" ]; then
+ if [ ${istmp} -eq 1 ]; then
+ echo "Configuring Encrypted Temporary Space for ${parent}."
+
+ passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q`
+ gbde init "${device}" -P "${passphrase}" \
+ && gbde attach "${device}" -p "${passphrase}" \
+ && newfs -U /dev/${device}.bde
+ else
+ echo "Configuring Disk Encryption for ${parent}."
+
+ count=1
+ while [ ${count} -le ${gbde_attach_attempts} ]; do
+ if [ -e "${lock}" ]; then
+ gbde attach ${parent} -l ${lock}
+ else
+ gbde attach ${parent}
+ fi
+ if [ -e "/dev/${parent}.bde" ]; then
+ break
+ fi
+ echo "Attach failed; attempt ${count} of ${gbde_attach_attempts}."
+ count=$((${count} + 1))
+ done
+ fi
+ fi
done
}
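Review bot: The enctmp branch builds its arguments from `${device}` while the attach branch and the existence checks use `${parent}`; the `parent=${parent#/dev/}` line shows device is the fstab spec, which can start with /dev/ and ends in .bde, so with the /dev/ad0s2e.bde form the description recommends, `newfs -U /dev/${device}.bde` expands to /dev//dev/ad0s2e.bde.bde and gbde init/attach receive the .bde name rather than the provider. The three lines should use the parent, `gbde init ${parent} -P "${passphrase}" \`, `&& gbde attach ${parent} -p "${passphrase}" \`, `&& newfs -U /dev/${parent}.bde`, mirroring the `newfs -U /dev/${provider}.eli` form in rc.d/geli. Separately, the passphrase is passed on the command line of both gbde invocations and is therefore visible in the process table while they run; nothing in the hunk shows an argv-free way to supply it, so at least a comment above the `passphrase=` line should record that the value is argv-visible and is only a one-boot key for data that is discarded at shutdown. The `if [ ! -z "${gbde_enctmp_devices}" ]` guard around the for loop is redundant, as a for over an empty list simply does not run.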
Index: rc.d/gbde2
===================================================================
RCS file: rc.d/gbde2
diff -N rc.d/gbde2
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ rc.d/gbde2 30 Aug 2006 17:40:59 -0000
@@ -0,0 +1,53 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Shaun Amott <shaun at FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: gbde2
+# REQUIRE: mountcritlocal
+# KEYWORD: nojail
+# BEFORE: tmp
+
+. /etc/rc.subr
+
+name="gbde2"
+start_cmd="gbde2_start"
+stop_cmd=":"
+
+gbde2_start()
+{
+ for provider in ${gbde_enctmp_devices}; do
+ mountpoint=`awk "/^\/dev\/${provider}/ {print \\$2}" /etc/fstab`
+ ismounted=`mount | awk "/^\/dev\/${provider}/ {print \\$3}"`
+ if [ ! -z "${mountpoint}" -a "${mountpoint}" = "${ismounted}" ]; then
+ chmod 1777 ${mountpoint}
+ fi
+ done
+}
+
+load_rc_config $name
+run_rc_command "$1"
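Review bot: The awk pattern `/^\/dev\/${provider}/` on the mountpoint and ismounted lines is a prefix match with no end anchor, so a provider name that is a prefix of another device (ad0s2 against /dev/ad0s2e, or ad0s2e against every /dev/ad0s2e.<suffix>) can select a different fstab entry, and because both lookups use the same loose pattern they agree with each other and `chmod 1777 ${mountpoint}` lands on a mountpoint that was never meant to be world-writable. Comparing the whole device field fixes this and also keeps the provider name out of the awk program text: `awk -v dev="/dev/${provider}.bde" '$1 == dev { print $2 }' /etc/fstab` and `mount | awk -v dev="/dev/${provider}.bde" '$1 == dev { print $3 }'`. The same two lines appear in rc.d/geli2 with the .eli suffix and need the same change. gbde2_start also lacks a header comment; one line such as `# Restore 1777 on each freshly newfs'd encrypted /tmp once it is mounted.` would explain why a chmod lives in an rc script.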
Index: rc.d/geli
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/geli,v
retrieving revision 1.3
diff -u -r1.3 geli
--- rc.d/geli 23 Sep 2005 23:53:35 -0000 1.3
+++ rc.d/geli 30 Aug 2006 17:40:59 -0000
@@ -60,21 +60,42 @@
for provider in ${devices}; do
provider_=`ltr ${provider} '/' '_'`
+ istmp=0
+
+ if [ ! -z "${geli_enctmp_devices}" ]; then
+ for prov in ${geli_enctmp_devices}; do
+ if [ ${prov} = ${provider} ]; then
+ istmp=1
+ break
+ fi
+ done
+ fi
+
eval "flags=\${geli_${provider_}_flags}"
if [ -z "${flags}" ]; then
- flags=${geli_default_flags}
+ if [ ${istmp} -eq 1 ]; then
+ flags=${geli_enctmp_flags}
+ else
+ flags=${geli_default_flags}
+ fi
fi
if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
- echo "Configuring Disk Encryption for ${provider}."
- count=1
- while [ ${count} -le ${geli_tries} ]; do
- geli attach ${flags} ${provider}
- if [ -e "/dev/${provider}.eli" ]; then
- break
- fi
- echo "Attach failed; attempt ${count} of ${geli_tries}."
- count=$((count+1))
- done
+ if [ ${istmp} = 1 ]; then
+ echo "Configuring Encrypted Temporary Space for ${provider}."
+ geli onetime ${flags} ${provider} \
+ && newfs -U /dev/${provider}.eli
+ else
+ echo "Configuring Disk Encryption for ${provider}."
+ count=1
+ while [ ${count} -le ${geli_tries} ]; do
+ geli attach ${flags} ${provider}
+ if [ -e "/dev/${provider}.eli" ]; then
+ break
+ fi
+ echo "Attach failed; attempt ${count} of ${geli_tries}."
+ count=$((count+1))
+ done
+ fi
fi
done
}
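Review bot: The enctmp test on the `if [ ${istmp} = 1 ]` line uses a string comparison while the flags block a few lines above tests the same variable with `-eq 1`; pick one form, `if [ ${istmp} -eq 1 ]; then`. The detection loop that sets istmp is pasted three times in this patch (here, rc.d/gbde and rc.d/geli2) and each copy wraps the for in a redundant `[ ! -z ... ]` guard; a small helper in rc.subr, or at least dropping the guard, would keep the copies in step. The one-time branch recreates the filesystem on every boot by design, which deserves a comment above the `geli onetime` line, e.g. `# One-time key: the provider is re-keyed and newfs'd on every boot, so nothing on it persists.`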
Index: rc.d/geli2
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/geli2,v
retrieving revision 1.1
diff -u -r1.1 geli2
--- rc.d/geli2 14 Aug 2005 18:02:21 -0000 1.1
+++ rc.d/geli2 30 Aug 2006 17:40:59 -0000
@@ -30,6 +30,7 @@
# PROVIDE: geli2
# REQUIRE: mountcritlocal
# KEYWORD: nojail
+# BEFORE: tmp
. /etc/rc.subr
@@ -44,6 +45,25 @@
for provider in ${devices}; do
provider_=`ltr ${provider} '/' '_'`
+ istmp=0
+
+ if [ ! -z "${geli_enctmp_devices}" ]; then
+ for prov in ${geli_enctmp_devices}; do
+ if [ ${prov} = ${provider} ]; then
+ istmp=1
+ break
+ fi
+ done
+ fi
+
+ if [ ${istmp} -eq 1 ]; then
+ mountpoint=`awk "/^\/dev\/${provider}/ {print \\$2}" /etc/fstab`
+ ismounted=`mount | awk "/^\/dev\/${provider}/ {print \\$3}"`
+ if [ ! -z "${mountpoint}" -a "${mountpoint}" = "${ismounted}" ]; then
+ chmod 1777 ${mountpoint}
+ fi
+ fi
+
eval "autodetach=\${geli_${provider_}_autodetach}"
if [ -z "${autodetach}" ]; then
autodetach=${geli_autodetach}
--- encswap.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: