From 886a355a893951afa67e6f95616777980b700e7c Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding
Date: Mon, 1 Aug 2022 23:30:59 +0000
Subject: Mon Aug 1 23:30:59 UTC 2022

a/cryptsetup-2.5.0-x86_64-2.txz: Rebuilt. Use file descriptor 3 in rc.luks's main loop so that sdtin works properly for cryptsetup and/or a keyscript. PiterPunk gave it to me like this and then I proceeded to break it. Sorry about that.
---
 source/a/cryptsetup/cryptsetup.SlackBuild | 11 ++-
 source/a/cryptsetup/doinst.sh | 12 +++
 source/a/cryptsetup/rc.luks | 90 +++++++++++++++++
 source/a/sysvinit-scripts/scripts/rc.6 | 12 ++-
 source/a/sysvinit-scripts/scripts/rc.S | 109 ++++----------------
 .../a/sysvinit-scripts/sysvinit-scripts.SlackBuild | 4 +-
 6 files changed, 142 insertions(+), 96 deletions(-)
 create mode 100644 source/a/cryptsetup/doinst.sh
 create mode 100644 source/a/cryptsetup/rc.luks
(limited to 'source/a')

diff --git a/source/a/cryptsetup/cryptsetup.SlackBuild b/source/a/cryptsetup/cryptsetup.SlackBuild
index e31194315..fea2faf99 100755
--- a/source/a/cryptsetup/cryptsetup.SlackBuild
+++ b/source/a/cryptsetup/cryptsetup.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=cryptsetup
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
@@ -87,6 +87,7 @@ CFLAGS="$SLKCFLAGS" \
 --sysconfdir=/etc \
 --enable-cryptsetup-reencrypt \
 --enable-libargon2 \
+ --disable-asciidoc \
 --mandir=/usr/man \
 --docdir=/usr/doc/cryptsetup-$VERSION \
 --build=$ARCH-slackware-linux || exit 1
@@ -118,9 +119,14 @@ mkdir -p $PKG/sbin
 ln -sf ../../sbin/cryptsetup .
 )
 
+# Add the rc script:
+mkdir -p $PKG/etc/rc.d
+cat $CWD/rc.luks > $PKG/etc/rc.d/rc.luks.new
+chmod 755 $PKG/etc/rc.d/rc.luks.new
+
 mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
 cp -a \
- AUTHORS COPYING* INSTALL NEWS README* TODO FAQ \
+ AUTHORS* COPYING* INSTALL* NEWS* README* TODO* FAQ* \
 $PKG/usr/doc/$PKGNAM-$VERSION
 
 # Convert pdf files to text. We do not package bloated PDFs.
@@ -159,6 +165,7 @@ find $PKG | xargs file | grep -e "executable" -e "shared object" \
 | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
 
 mkdir -p $PKG/install
+zcat $CWD/doinst.sh > $PKG/install/doinst.sh
 cat $CWD/slack-desc > $PKG/install/slack-desc
 
 cd $PKG
diff --git a/source/a/cryptsetup/doinst.sh b/source/a/cryptsetup/doinst.sh
new file mode 100644
index 000000000..3d03e45fa
--- /dev/null
+++ b/source/a/cryptsetup/doinst.sh
@@ -0,0 +1,12 @@
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+config etc/rc.d/rc.luks.new
diff --git a/source/a/cryptsetup/rc.luks b/source/a/cryptsetup/rc.luks
new file mode 100644
index 000000000..243244969
--- /dev/null
+++ b/source/a/cryptsetup/rc.luks
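Review bot: `zcat $CWD/doinst.sh > $PKG/install/doinst.sh` in the -159 hunk only succeeds when the file next to the SlackBuild is gzip-compressed, yet the doinst.sh this commit creates is plain text; on an uncompressed input zcat reports "not in gzip format" and exits non-zero, the redirect leaves an empty $PKG/install/doinst.sh, and the `config etc/rc.d/rc.luks.new` step never runs, so /etc/rc.d/rc.luks is not installed. This presumably relies on a release step that gzips the file before the build (gzip falls back to doinst.sh.gz when doinst.sh is absent), but that step is not visible here. Either `cat $CWD/doinst.sh > $PKG/install/doinst.sh` or appending `|| exit 1` to the zcat line makes the mismatch fail the build instead of producing a package that silently lacks the rc script.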
@@ -0,0 +1,90 @@
+#!/bin/bash
+# Open any volumes created by cryptsetup.
+#
+# Some notes on /etc/crypttab in Slackware:
+# Only LUKS formatted volumes are supported (except for swap)
+# crypttab follows the following format:
+#
+#
+# : This is the name of your LUKS volume.
+# For example: crypt-home
+#
+# : This is the device containing your LUKS volume.
+# For example: /dev/sda2
+#
+# : This is either the volume password in plain text, or the name of
+# a key file. Use 'none' to interactively enter password on boot.
+#
+# : Comma-separated list of options. Note that there must be a
+# password field for any options to be picked up (use a password of 'none' to
+# get a password prompt at boot). The following options are supported:
+#
+# discard -- this will cause --allow-discards to be passed to the cryptsetup
+# program while opening the LUKS volume.
+#
+# ro -- this will cause --readonly to be passed to the cryptsetup program while
+# opening the LUKS volume.
+#
+# swap -- this option cannot be used with other options. The device given will
+# be formatted as a new encrypted volume with a random key on boot, and used as
+# swap.
+#
+# keyscript= -- get the password from the named script's stdout.
+# The only parameter sent to script is the field, but the script can
+# ignore it.
+#
+
+if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
+ # First, check for device-mapper support.
+ if ! grep -wq device-mapper /proc/devices ; then
+ # If device-mapper exists as a module, try to load it.
+ # Try to load a device-mapper kernel module:
+ /sbin/modprobe -q dm-mod
+ fi
+ # NOTE: we only support LUKS formatted volumes (except for swap)!
+ # The input for this loop comes from after the "done" below, so that we can
+ # use fd3 and keep stdin functional for password entry or in case a keyscript
+ # requires it:
+ while read line <&3; do
+ eval LUKSARRAY=( $line )
+ LUKS="${LUKSARRAY[0]}"
+ DEV="${LUKSARRAY[1]}"
+ PASS="${LUKSARRAY[2]}"
+ OPTS="${LUKSARRAY[3]}"
+ KEYSCRIPT="$(echo $OPTS | sed -n 's/.*keyscript=\([^,]*\).*/\1/p')"
+ LUKSOPTS=""
+ if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi
+ if echo $OPTS | grep -wq discard ; then LUKSOPTS="${LUKSOPTS} --allow-discards" ; fi
+ # Skip LUKS volumes that were already unlocked (in the initrd):
+ /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue
+ if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
+ if [ -z "${LUKSOPTS}" ]; then
+ echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV':"
+ else
+ echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV' with options '${LUKSOPTS}':"
+ fi
+ if [ -x "${KEYSCRIPT}" ]; then
+ # A password was outputted by a script
+ ${KEYSCRIPT} "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
+ echo
+ elif [ -n "${PASS}" -a "${PASS}" != "none" ]; then
+ if [ -f "${PASS}" ]; then
+ # A password was given a key-file filename
+ /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS
+ else
+ # A password was provided in plain text
+ echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
+ fi
+ else
+ # No password was given, or a password of 'none' was given
+ /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
+ fi
+ elif echo $OPTS | grep -wq swap ; then
+ # If any of the volumes is to be used as encrypted swap,
+ # then encrypt it using a random key and run mkswap:
+ echo "Creating encrypted swap volume '${LUKS}' on device '$DEV':"
+ /sbin/cryptsetup --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV
+ mkswap /dev/mapper/$LUKS
+ fi
+ done 3< <(grep -vE '^(#|$)' /etc/crypttab)
+fi
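Review bot: `eval LUKSARRAY=( $line )` directly under `while read line <&3` turns every /etc/crypttab line into shell code, so a plaintext password or key-file path containing `$`, backquotes, `;` or glob characters is expanded or executed as root instead of being handed to cryptsetup, and `read` without `-r` additionally mangles backslashes. A plain field split does the same job without evaluation: `while read -r LUKS DEV PASS OPTS <&3; do` replaces the `read`, the `eval` and the four `LUKSARRAY` assignments, leaving PASS and OPTS empty when a line has fewer than four fields, and the later unquoted `$DEV`, `$LUKS` and `--key-file=${PASS}` should be double-quoted for the same reason. In the swap branch `--cipher=aes` leaves the block mode and IV generator to cryptsetup's short-name expansion for plain devices; naming the full spec, e.g. `--cipher=aes-xts-plain64`, records what is actually configured. The script also never looks at its argument, so `rc.luks stop` would run the unlock loop just like `start`; a `case "$1" in start)` wrapper would match the other rc.d scripts.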
diff --git a/source/a/sysvinit-scripts/scripts/rc.6 b/source/a/sysvinit-scripts/scripts/rc.6 index 6370a1a86..41525c355 100644 --- a/source/a/sysvinit-scripts/scripts/rc.6 +++ b/source/a/sysvinit-scripts/scripts/rc.6 @@ -139,6 +139,8 @@ fi # Unmount any NFS, SMB, or CIFS filesystems: echo "Unmounting remote filesystems:" /bin/umount -v -a -l -f -r -t nfs,nfs4,smbfs,cifs | tr -d ' ' | grep successfully | sed "s/:successfullyunmounted/ has been successfully unmounted./g" +# Update PATH hashes: +hash -r # Stop D-Bus: if [ -x /etc/rc.d/rc.messagebus ]; then @@ -147,7 +149,7 @@ fi # Try to shut down pppd: PS="$(ps ax)" -if echo "$PS" | /bin/grep -q -w pppd ; then +if echo "$PS" | grep -q -w pppd ; then if [ -x /usr/sbin/ppp-off ]; then /usr/sbin/ppp-off fi @@ -162,7 +164,7 @@ fi # Bring down the networking system, but first make sure that this # isn't a diskless client with the / partition mounted via NFS: -if ! /bin/mount | /bin/grep -q -e 'on / type nfs' -e 'on / type nfs4' ; then +if ! /bin/mount | grep -q -e 'on / type nfs' -e 'on / type nfs4' ; then if [ -x /etc/rc.d/rc.inet1 ]; then /etc/rc.d/rc.inet1 stop fi @@ -210,7 +212,7 @@ if [ ! "$1" = "fast" ]; then fi # Try to turn off quota. -if /bin/grep -q quota /etc/fstab ; then +if grep -q quota /etc/fstab ; then if [ -x /sbin/quotaoff -a -z "$container" ]; then echo "Turning off filesystem quotas." /sbin/quotaoff -a @@ -268,6 +270,8 @@ fi if [ -z "$container" ]; then echo "Unmounting local file systems:" /bin/umount -v -a -t no,proc,sysfs,devtmpfs,fuse.gvfsd-fuse,tmpfs + # Update PATH hashes: + hash -r # JFS needs a sync here or the / partition cannot be remounted read-only. # In spite of this, it seems that a JFS root partition will always be checked # (and found to be clean) at boot: 
@@ -322,7 +326,7 @@ wait
 
 if [ -x /sbin/genpowerd -a -z "$container" ]; then
 # See if this is a powerfail situation:
- if /bin/egrep -q "FAIL|SCRAM" /etc/upsstatus 2> /dev/null ; then
+ if egrep -q "FAIL|SCRAM" /etc/upsstatus 2> /dev/null ; then
 # Signal UPS to shut off the inverter:
 /sbin/genpowerd -k
 if [ ! $? = 0 ]; then
diff --git a/source/a/sysvinit-scripts/scripts/rc.S b/source/a/sysvinit-scripts/scripts/rc.S
index 6cb7e3915..7c004e6f5 100644
--- a/source/a/sysvinit-scripts/scripts/rc.S
+++ b/source/a/sysvinit-scripts/scripts/rc.S
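Review bot: The powerfail test still calls `egrep`, which GNU grep 3.8 and later report as obsolescent with a warning on stderr every time it runs, so once grep is upgraded that warning will appear on the console during every shutdown that reaches this branch. Since the hunk is already dropping the `/bin/` prefix, the equivalent quiet form is `if grep -E -q "FAIL|SCRAM" /etc/upsstatus 2> /dev/null ; then`. The enclosing `if [ -x /sbin/genpowerd ... ]` block ends outside the hunk.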
@@ -105,81 +105,9 @@ if [ -z "$container" ]; then
 fi
 fi
 
-# Open any volumes created by cryptsetup.
-#
-# Some notes on /etc/crypttab in Slackware:
-# Only LUKS formatted volumes are supported (except for swap)
-# crypttab follows the following format:
-#
-#
-# : This is the name of your LUKS volume.
-# For example: crypt-home
-#
-# : This is the device containing your LUKS volume.
-# For example: /dev/sda2
-#
-# : This is either the volume password in plain text, or the name of
-# a key file. Use 'none' to interactively enter password on boot.
-#
-# : Comma-separated list of options. Note that there must be a
-# password field for any options to be picked up (use a password of 'none' to
-# get a password prompt at boot). The following options are supported:
-#
-# discard -- this will cause --allow-discards to be passed to the cryptsetup
-# program while opening the LUKS volume.
-#
-# ro -- this will cause --readonly to be passed to the cryptsetup program while
-# opening the LUKS volume.
-#
-# swap -- this option cannot be used with other options. The device given will
-# be formatted as a new encrypted volume with a random key on boot, and used as
-# swap.
-#
-if [ -f /etc/crypttab -a -x /sbin/cryptsetup -a -z "$container" ]; then
- # First, check for device-mapper support.
- if ! grep -wq device-mapper /proc/devices ; then
- # If device-mapper exists as a module, try to load it.
- # Try to load a device-mapper kernel module:
- /sbin/modprobe -q dm-mod
- fi
- # NOTE: we only support LUKS formatted volumes (except for swap)!
- cat /etc/crypttab | grep -v "^#" | grep -v "^$" | while read line; do
- eval LUKSARRAY=( $line )
- LUKS="${LUKSARRAY[0]}"
- DEV="${LUKSARRAY[1]}"
- PASS="${LUKSARRAY[2]}"
- OPTS="${LUKSARRAY[3]}"
- LUKSOPTS=""
- if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi
- if echo $OPTS | grep -wq discard ; then LUKSOPTS="${LUKSOPTS} --allow-discards" ; fi
- # Skip LUKS volumes that were already unlocked (in the initrd):
- /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue
- if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
- if [ -z "${LUKSOPTS}" ]; then
- echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV':"
- else
- echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV' with options '${LUKSOPTS}':"
- fi
- if [ -n "${PASS}" -a "${PASS}" != "none" ]; then
- if [ -f "${PASS}" ]; then
- # A password was given a key-file filename
- /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS
- else
- # A password was provided in plain text
- echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
- fi
- else
- # No password was given, or a password of 'none' was given
- /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS /dev/tty0 2>&1
- fi
- elif echo $OPTS | grep -wq swap ; then
- # If any of the volumes is to be used as encrypted swap,
- # then encrypt it using a random key and run mkswap:
- echo "Creating encrypted swap volume '${LUKS}' on device '$DEV':"
- /sbin/cryptsetup --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV
- mkswap /dev/mapper/$LUKS
- fi
- done
+# Open any volumes created by cryptsetup:
+if [ -x /etc/rc.d/rc.luks -a -f /etc/crypttab -a -x /sbin/cryptsetup -a -z "$container" ]; then
+ /etc/rc.d/rc.luks start
 fi
 
 # Enable swapping:
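Review bot: When /etc/crypttab exists but /etc/rc.d/rc.luks is absent or not executable (for instance after an admin disabled it, or if the package's doinst.sh never ran), the new `if [ -x /etc/rc.d/rc.luks ... ]` silently skips unlocking and the boot then stops later at fsck or mount with no hint of the real cause. An `else` branch such as `echo "WARNING: /etc/crypttab is present but /etc/rc.d/rc.luks is not executable; LUKS volumes were not opened."` makes that state diagnosable from the console. The `-f /etc/crypttab -a -x /sbin/cryptsetup` tests are also repeated inside rc.luks itself, so the caller only needs the rc.luks and `$container` checks.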
@@ -360,7 +288,11 @@ fi
 # Check all the non-root filesystems:
 if [ ! -r /etc/fastboot -a -z "$container" ]; then
 echo "Checking non-root filesystems:"
- /sbin/fsck $FORCEFSCK -C -R -A -a
+ if [ -z "$FORCEFSCK" ]; then
+ /sbin/fsck -C -M -R -A -a
+ else
+ /sbin/fsck $FORCEFSCK -C -R -A -a
+ fi
 fi
 
 # Mount usbfs only if it is found in /etc/fstab:
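Review bot: The two fsck branches differ only in whether `-M` is passed, so the new `if`/`else` collapses to a single `/sbin/fsck ${FORCEFSCK:--M} -C -R -A -a`, which supplies `-M` exactly when `$FORCEFSCK` is unset or empty and otherwise its value, as now. Whichever form is kept, the reason a forced check must not skip mounted filesystems is stated nowhere in the hunk; a one-line comment above the call (`# -M skips mounted filesystems; omit it when a check was explicitly forced`) would record it. `$FORCEFSCK` appears to be left unquoted on purpose so that a multi-option value word-splits into separate fsck arguments.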
@@ -374,21 +306,22 @@ if [ -z "$container" ]; then
 fi
 fi
 
-# Mount non-root file systems in fstab, but not NFS or SMB
-# because TCP/IP is not yet configured, and not proc or sysfs
-# because those have already been mounted. Also check that
-# devpts is not already mounted before attempting to mount
-# it. With a 2.6.x or newer kernel udev mounts devpts.
+# Mount non-root file systems in fstab, but not NFS or SMB because TCP/IP is
+# not yet configured, and not proc or sysfs because those have already been
+# mounted. Also check that devpts is not already mounted before attempting to
+# mount it.
 if [ -z "$container" ]; then
- echo "Mounting non-root local filesystems:"
+ SKIPFS="nonfs,nosmbfs,nocifs,noproc,nosysfs"
 if /bin/grep -wq devpts /proc/mounts ; then
- # This pipe after the mount command is just to convert the new
- # mount verbose output back to the old format that contained
- # more useful information:
- /sbin/mount -a -v -t nonfs,nosmbfs,nocifs,noproc,nosysfs,nodevpts | grep successfully | cut -f 1 -d : | tr -d ' ' | while read dev ; do mount | grep " ${dev} " ; done
- else
- /sbin/mount -a -v -t nonfs,nosmbfs,nocifs,noproc,nosysfs | grep successfully | cut -f 1 -d : | tr -d ' ' | while read dev ; do mount | grep " ${dev} " ; done
+ SKIPFS="${SKIPFS},nodevpts"
 fi
+ echo "Mounting non-root local filesystems:"
+ # This pipe after the mount command is just to convert the new
+ # mount verbose output back to the old format that contained
+ # more useful information:
+ ( /sbin/mount -a -v -o remount -O ro -v -t ${SKIPFS} ; /sbin/mount -a -v -t ${SKIPFS} ) | \
+ grep successfully | cut -f 1 -d : | tr -d ' ' | \
+ while read dev ; do mount | grep " ${dev} " ; done
 fi
 
 # Make sure that /var/run is a symbolic link pointing to /run:
diff --git a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
index 2f918911a..de8360c2f 100755
--- a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
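Review bot: The first mount inside the new subshell passes `-v` twice (`/sbin/mount -a -v -o remount -O ro -v -t ${SKIPFS}`); one of them is redundant. More importantly, the purpose of that remount pass is not stated anywhere — the surviving comment only explains the output pipe — so a line above the subshell such as `# First re-apply "ro" to fstab entries that are already mounted, then mount the rest:` would record the intent, which I am inferring from `-o remount -O ro` rather than from anything in the hunk. `${SKIPFS}` is unquoted, which is fine only because it holds the fixed comma-separated list built two lines above.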
+++ b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
@@ -23,9 +23,9 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 
 PKGNAM=sysvinit-scripts
-VERSION=${VERSION:-15.0}
+VERSION=${VERSION:-15.1}
 ARCH=noarch
-BUILD=${BUILD:-11}
+BUILD=${BUILD:-1}
 
 # If the variable PRINT_PACKAGE_NAME is set, then this script will report what
 # the name of the created package would be, and then exit. This information
-- 
cgit v1.2.3-80-g2a13