From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.saout.de ([127.0.0.1]) by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IHPTMxXTAriR for ; Fri, 30 Aug 2013 01:16:13 +0200 (CEST) Received: from awesome.dsw2k3.info (unknown [IPv6:2a01:198:661:1f::3]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.saout.de (Postfix) with ESMTPS for ; Fri, 30 Aug 2013 01:16:13 +0200 (CEST) Date: Fri, 30 Aug 2013 01:16:05 +0200 From: Matthias Schniedermeyer Message-ID: <20130829231605.GA25013@citd.de> References: <1377358818.1313.21.camel@ryx.lan> <20130826082310.GA10172@citd.de> <521EE10F.4040602@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <521EE10F.4040602@gmail.com> Subject: Re: [dm-crypt] u?mount (8) helper script for luks encrypted disks List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Milan Broz Cc: dm-crypt@saout.de, Debian Cryptsetup Team , Steffen Vogel On 29.08.2013 07:50, Milan Broz wrote: > On 26.8.2013 10:23, Matthias Schniedermeyer wrote: > >Personally i "solved" this by renaming /bin/mount to /bin/mount.orig > >and putting a shell-script as /bin/mount that checks if i want to mount > >a /dev/mapper/XXX and does the setup of XXX before it calls > >/bin/mount.orig. > > Underlying device construction can be very complex task sometimes > (it can be combination of lvm, mdraid, multipath, partitions and whatever.) > > So while it works for your use case, it will not work for other. And there will never be a "one size fits all" solution for this. Sure, someone could create a "monster" that could cope with anything. But that wouldn't be KISS. So for the cases that are simple, a mount-option to exec something before the actual mount happens would suffice. (I aimed my solutions for autofs with ghosting.) > >"Back then" when i implemented that about 1.5 years ago i tried to > >explain to Karel Zak (util-linux maintainer) that a generic "premount" > >and "postumount" command in (u)mount could solve this generic problem. > >The Problem that all cryptographic-setups need (at least) one more step > >to setup(/tear-down) a device. But that didn't happen and i didn't try > >to open the issue again. > > > For that particular case, LUKS tear down, I think we had a better approach. > Just implement auto removal on last device close (similar to loop device > autoclear flag.) > > For more info see > https://bugzilla.redhat.com/show_bug.cgi?id=873734 I will see if it works and can kill the umount-part if it works for me. > > Milan > > p.s. > Be very careful with shell scripts in mount helpers here. > It will run under the same UID as mount, which means root for LUKS here. In my case that's not the case, Shell-scripts (under normal circumstances) can't be SUIDed. So as i've intercepted the original call to mount it will run with the UID of the caller and will only SUID root when mount.orig is execed. So if i would call it as my user, it simply wouldn't work as it couldn't construct the mapper. -- Matthias