From: Ludovic Courtès
To: 54770@debbugs.gnu.org
Subject: bug#54770: Non-root LUKS devices unusable after Shepherd upgrade
Date: Fri, 08 Apr 2022 15:34:12 +0200
Message-ID: <878rsfd7hn.fsf@gnu.org>
In-Reply-To: <87mtgvdiou.fsf@gnu.org> (Ludovic Courtès's message of "Fri, 08 Apr 2022 11:32:17 +0200")
References: <87r168etvd.fsf@inria.fr> <87mtgvdiou.fsf@gnu.org>

A note on my debugging tricks, for posterity…

Initially, I tried to reproduce the issue (in a VM) with a Guile or Bash
process that would be invoked from shepherd before ‘user-processes’ and
that would try to read from stdin:

--8<---------------cut here---------------start------------->8---
(simple-service 'input shepherd-root-service-type
                (list (shepherd-service
                       (provision '(input))
                       (start #~(lambda ()
                                  ;; Is stdin a terminal before we touch anything?
                                  (pk 'tty-before? (current-input-port)
                                      (isatty? (current-input-port)))
                                  (with-output-to-file "/dev/tty1"
                                    (lambda ()
                                      (system* #$(file-append coreutils "/bin/ls")
                                               "-l" "/proc/self/fd")
                                      (with-input-from-file "/dev/tty1"
                                        (lambda ()
                                          ;; Same check once stdin is /dev/tty1.
                                          (pk 'tty? (isatty? (current-input-port)))
                                          (system* #$(file-append coreutils "/bin/ls")
                                                   "-l" "/proc/self/fd")
                                          (system* "/bin/sh" "-c"
                                                   "echo read; read x; echo got $x; read y"))))))))))
(simple-service 'wait-for-input user-processes-service-type '(input))
--8<---------------cut here---------------end--------------->8---

For some reason, that did not reproduce the issue; ‘isatty?’ would
return true.

So I thought I’d arrange to run ‘cryptsetup open --type luks’.
To do that, I copied the header of a real LUKS partition:

  sudo dd if=/dev/sda2 of=/tmp/luks.img bs=1024 count=1025

and then came up with an OS config that would try to open that fake LUKS
device:

(use-modules (gnu))
(use-service-modules networking ssh shepherd)
(use-package-modules base linux screen ssh)

(operating-system
  (host-name "komputilo")
  (timezone "Europe/Berlin")
  (locale "en_US.utf8")

  ;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
  ;; target hard disk, and "my-root" is the label of the target
  ;; root file system.
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets '("/dev/sdX"))))

  ;; The loop device is set up at activation time (see 'losetup
  ;; below), so it exists by the time shepherd tries to open it.
  (mapped-devices
   (list (mapped-device
          (source "/dev/loop0")
          (target "root")
          (type luks-device-mapping))))

  (file-systems (cons (file-system
                        (device (file-system-label "my-root"))
                        (mount-point "/")
                        (type "ext4"))
                      %base-file-systems))

  ;; This is where user accounts are specified.  The "root"
  ;; account is implicit, and is initially created with the
  ;; empty password.
  (users (cons (user-account
                (name "alice")
                (comment "Bob's sister")
                (group "users")

                ;; Adding the account to the "wheel" group
                ;; makes it a sudoer.  Adding it to "audio"
                ;; and "video" allows the user to play sound
                ;; and access the webcam.
                (supplementary-groups '("wheel"
                                        "audio" "video")))
               %base-user-accounts))

  ;; Globally-installed packages.
  (packages (cons screen %base-packages))

  ;; Add services to the baseline: a DHCP client and
  ;; an SSH server.
  (services (append (list (service dhcp-client-service-type)
                          (simple-service 'losetup activation-service-type
                                          #~(system* #$(file-append util-linux
                                                                    "/sbin/losetup")
                                                     "/dev/loop0"
                                                     #$(local-file "/tmp/luks.img")))
                          (service openssh-service-type
                                   (openssh-configuration
                                    (openssh openssh-sans-x)
                                    (port-number 2222))))
                    %base-services)))

That’s enough to see whether ‘cryptsetup open’ manages to read the
passphrase and all.

Eventually I confirmed by testing it on the bare metal, on a victim’s
laptop.

Currently we don’t have an installation test with cleartext root +
encrypted home; we should prolly do that.

Ludo’.
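A check worth running on the image between the dd step and the losetup step above (an added example, not code from this thread or from Guix): parse the copied file as a LUKS header and confirm that the key material of every active LUKS1 keyslot lies within the bytes dd actually copied, because a copy that cuts a keyslot short can never be unlocked, even with the right passphrase, and the test would then say nothing about the shepherd regression. It is written in Python rather than Scheme because it only inspects the file format and does not depend on the OS config. Field offsets follow the LUKS1 on-disk layout (592-byte header, eight 48-byte keyslots, key-material offsets in 512-byte sectors); the sample header at the bottom is constructed inside the code and is not a dump of any real device, and `/tmp/luks.img` in the usage line is the path from the message.

```python
"""Sanity-check a LUKS header image copied with dd before attaching it to a loop device.

Added example for this bug thread.  The sample header built by
build_sample_luks1_header() is constructed, not a dump of a real partition.
"""
import os
import struct
from typing import List, NamedTuple, Optional, Tuple

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_SIZE = 592          # fixed binary header: fields + 8 keyslots
LUKS1_KEYSLOT_ACTIVE = 0x00AC71F3
LUKS1_KEYSLOT_DISABLED = 0x0000DEAD
SECTOR = 512


class Luks1Header(NamedTuple):
    cipher_name: str
    cipher_mode: str
    hash_spec: str
    payload_offset: int                       # in sectors
    key_bytes: int
    uuid: str
    active_slots: List[Tuple[int, int, int]]  # (slot, key-material offset in sectors, stripes)


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(data: bytes) -> Tuple[int, Optional[Luks1Header]]:
    """Return (version, header).  The header is decoded for LUKS1 only; LUKS2 keeps
    its keyslot layout in JSON metadata after the binary header, so only its
    version number is reported."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header: bad magic")
    version = struct.unpack_from(">H", data, 6)[0]
    if version != 1:
        return version, None
    if len(data) < LUKS1_HEADER_SIZE:
        raise ValueError("truncated LUKS1 header")
    cipher_name, cipher_mode, hash_spec, payload_offset, key_bytes = \
        struct.unpack_from(">32s32s32sII", data, 8)
    (uuid,) = struct.unpack_from(">40s", data, 168)
    slots = []
    for i in range(8):
        active, _iterations, _salt, km_offset, stripes = \
            struct.unpack_from(">II32sII", data, 208 + 48 * i)
        if active == LUKS1_KEYSLOT_ACTIVE:
            slots.append((i, km_offset, stripes))
        elif active != LUKS1_KEYSLOT_DISABLED:
            raise ValueError(f"keyslot {i} has invalid state {active:#010x}")
    return version, Luks1Header(_cstr(cipher_name), _cstr(cipher_mode), _cstr(hash_spec),
                                payload_offset, key_bytes, _cstr(uuid), slots)


def missing_keyslots(hdr: Luks1Header, image_size: int) -> List[Tuple[int, int]]:
    """Active slots whose key material (stripes * key_bytes bytes, starting at the
    slot's sector offset) extends past the end of the image: (slot, bytes needed)."""
    missing = []
    for slot, km_offset, stripes in hdr.active_slots:
        end = km_offset * SECTOR + stripes * hdr.key_bytes
        if end > image_size:
            missing.append((slot, end))
    return missing


def check_image(path: str) -> Tuple[int, List[Tuple[int, int]]]:
    """Read-only check of an image file: LUKS version and keyslots the copy cut short."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        data = f.read(LUKS1_HEADER_SIZE)
    version, hdr = parse_luks_header(data)
    return version, (missing_keyslots(hdr, size) if hdr else [])


def build_sample_luks1_header() -> bytes:
    """Constructed LUKS1 header: aes-xts-plain64 / sha256, 512-bit key, keyslot 0
    active with key material at sector 8 and 4000 stripes.  Not a real dump."""
    hdr = bytearray(LUKS1_HEADER_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    struct.pack_into(">32s32s32sII", hdr, 8, b"aes", b"xts-plain64", b"sha256", 4096, 64)
    struct.pack_into(">40s", hdr, 168, b"00000000-0000-0000-0000-000000000000")
    struct.pack_into(">II32sII", hdr, 208, LUKS1_KEYSLOT_ACTIVE, 1000, b"\x01" * 32, 8, 4000)
    for i in range(1, 8):
        struct.pack_into(">I", hdr, 208 + 48 * i, LUKS1_KEYSLOT_DISABLED)
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    ver, missing = check_image(sys.argv[1])
    print(f"LUKS version {ver}; keyslots cut short by the copy: {missing or 'none'}")
```

Run it as `python3 luks_check.py /tmp/luks.img`: it reads the first 592 bytes plus the file size and never writes. An empty "missing" list for a LUKS1 image means every active keyslot's key material is inside the copy, so `cryptsetup open` has what it needs to verify a passphrase; a non-empty list means the `count=` given to dd was too small for that partition's layout. For a LUKS2 image only the version is reported, since the keyslot layout lives in the JSON area this script does not parse.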