FS#23080 - [initscripts] crypt: no longer parsing crypttab properly
Attached to Project:
Arch Linux
Opened by Charles Cagle (escapade2d17) - Monday, 28 February 2011, 20:22 GMT
Last edited by Tom Gundersen (tomegun) - Sunday, 06 November 2011, 01:09 GMT
Opened by Charles Cagle (escapade2d17) - Monday, 28 February 2011, 20:22 GMT
Last edited by Tom Gundersen (tomegun) - Sunday, 06 November 2011, 01:09 GMT
|
Details
Description:
Upon updating initscripts from 2010.07-2 to 2011.02.1-1, during boot, parsing of /etc/crypttab now fails at line 274 of /etc/rc.d/functions when using a password containing the '#' character. This same password worked before upgrading. Changing the password field in crypttab to ASK fixes the problem. Steps to reproduce: add line to /etc/crypttab: <some-label> <some-device> '^password@containing#naughty*characters$' |
This task depends upon
Closed by Tom Gundersen (tomegun)
Sunday, 06 November 2011, 01:09 GMT
Reason for closing: Won't fix
Additional comments about closing: The functionality is deprecated, has been borken a long time and alternatives exist. Happy to take good patches though.
Sunday, 06 November 2011, 01:09 GMT
Reason for closing: Won't fix
Additional comments about closing: The functionality is deprecated, has been borken a long time and alternatives exist. Happy to take good patches though.
I'll see if I can come up with the cause of this problem though.
http://sprunge.us/jNUX
I get the error message "No key available with this passphrase".
Daves patch doesn't work for me. With this patch I get:
/etc/rc.d/functions: line 274: cannot create temp file for here-document: Read-only filesystem
Device doesn't exist or access denied.
Keyfile doesn't work either or I'm too stupid to understand. I wrote my passphrase into the file /etc/cryptkey and wrote "/etc/cryptkey" in the second column in the crypttab. This failes too with "No key available with this passphrase".
I have not looked further into the issue with the passphrase field yet, but I will.
What doesn't make sense is the eval, which actually will misinterpret your password should it contain a $ character, e.g.:
line="foo bar secretpas$phrase"
eval nspo=($line)
printf '%s\n' "${nspo[@]}"
You'll see that the 3rd column is neatly truncated to secretpas, as $phrase is interpreted via eval before assignment. not good.
For the '#'-sign it is enough to apply the attached patch. I think with this substring removal it is intended to remove comments at the end of line like this one:
home /dev/sda2 mysecretpass # this is the pass for my home partition
Is this right? Sadly, if there is no comment at the end of the line and you have a '#' in your pass, it removes this too, which alters your password obviously.
If you have a '$'-sign in your pass eval is trying to expand this as a variable, which is one of it purpose, isn't it? See this test script:
#!/bin/bash
phrase='foobar'
line='foo bar secretpas$phrase'
eval nspo=("${line}")
echo ${nspo[@]}
Output is: foo bar secretpasfoobar
Without eval the output is: foo bar secretpas$phrase
It'a also worth noting that the quotes are meaningless here. They're interpreted on the eval which means that word splitting occurs on the eval'd contents inside the array declaration. If we remove the eval, the quotes need to go as well or else nspo is declared as an array with a single element, instead of word splitting cutting it on IFS into 3+ elements.
Though, if someone posts a non-intrusive and tested fix to arch-projects@archlinux.org, I'll look into it.