[Bug 1520652] [NEW] Erroneous "INSECURE OWNER FOR xxxxx.keyfile"
TJ
ubuntu at iam.tj
Fri Nov 27 17:00:32 UTC 2015
Public bug reported:

$ ll -n
-r-------- 1 0 0 4096 Sep 1 23:57 xxxxxxxx.keyfile

/lib/cryptsetup/cryptdisks.functions::check_key() checks ownership based
on the name/group alias, not the actual UID/GID, and therefore breaks if
"root" != UID/GID 0.

+ /usr/sbin/cryptdisks_start LUKS_HDD_BOOT
* Starting crypto disk... * LUKS_HDD_BOOT: INSECURE OWNER FOR xxxxxxxx.keyfile, see /usr/share/doc/cryptsetup/README.Debian.
* LUKS_HDD_BOOT: INSECURE OWNER GROUP FOR xxxxxxxx.keyfile, see /usr/share/doc/cryptsetup/README.Debian.
* LUKS_HDD_BOOT (skipped, device /dev/disk/by-uuid/160fa39a-1205-4ad5-be44-9c2c943fb113 does not exist)... [fail]
+ read DM_NAME DEVICE KEYFILE OPTIONS
+ exit 0

The script should not be relying on parsing 'ls' output either. The attached patch fixes both issues.
** Affects: cryptsetup (Ubuntu)
Importance: Undecided
Status: Triaged
** Patch added: "Use UID/GIDs not text aliases; use 'stat' no 'ls | sed'"
https://bugs.launchpad.net/bugs/1520652/+attachment/4526366/+files/cryptdisk-use-UID-use-stat.patch
https://bugs.launchpad.net/bugs/1520652
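
The approach the report asks for, comparing numeric IDs obtained from 'stat' instead of names parsed from 'ls' output, can be sketched as below. This is an added example, not the attached patch or the cryptsetup code: the function name check_keyfile, its arguments and its messages are assumptions, it relies on the -c format option of GNU stat, and the mode check is an addition beyond the two ownership checks in the report.

```shell
#!/bin/sh
# Added example, not the attached patch. Assumes GNU coreutils stat(1).

# check_keyfile PATH [WANT_UID] [WANT_GID]
# Prints one line per problem found. Returns 0 if the keyfile passes every
# check, 1 if any check fails, 2 if the file cannot be examined.
check_keyfile() {
    key=$1
    want_uid=${2:-0}   # numeric IDs, so the result does not depend on which
    want_gid=${3:-0}   # name /etc/passwd or /etc/group maps to ID 0
    rc=0

    # %u/%g are the numeric owner and group, %a the octal mode. -L follows a
    # symlink so the file that would actually be read is the one checked.
    meta=$(stat -L -c '%u %g %a' -- "$key" 2>/dev/null) || {
        echo "CANNOT STAT $key"
        return 2
    }
    read -r uid gid mode <<EOF
$meta
EOF

    if [ "$uid" -ne "$want_uid" ]; then
        echo "INSECURE OWNER FOR $key (uid $uid, expected $want_uid)"
        rc=1
    fi
    if [ "$gid" -ne "$want_gid" ]; then
        echo "INSECURE OWNER GROUP FOR $key (gid $gid, expected $want_gid)"
        rc=1
    fi
    # Any group/other permission bit set means non-owners can reach the key.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "INSECURE MODE FOR $key (mode $mode)"
        rc=1
    fi
    return $rc
}
```

With no ID arguments the function expects UID 0 and GID 0, whatever account or group name the system maps to them.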