/dev/mapper/* -> /dev/dm-* symlink scheme breaks partman-crypto

Bug #126379 reported by Colin Watson
Affects: devmapper (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Scott James Remnant (Canonical)

Bug Description

The temporary /dev/mapper/* -> /dev/dm-* symlinks confuse various bits of partman. I think some of these problems are just latent bugs (e.g. bug 126328) and I'll fix them. However, there's a problem in partman-crypto that's more difficult to fix.

Consider the case where you have an encrypted swap partition: let's say /dev/mapper/ubuntu-swap_1 -> /dev/dm-1 (example actually from an LVM installation attempt, but never mind that). If you do 'swapon /dev/mapper/ubuntu-swap_1', the kernel follows the symlink before exposing the name in /proc/swaps, so you get /dev/dm-1 from there. partman-crypto reads /proc/swaps and tries to detect unencrypted swap space. One bug is that it doesn't know to check for /dev/dm-*, and that could be changed easily enough; but worse, it then goes on to try 'dmsetup info -c' to see if the major/minor device numbers indicate an encrypted device, and that says:

  # dmsetup info -c /dev/dm-1
  dm_task_set_name: Device /dev/dm-1 not found
  Command failed

If this is only a temporary change, I don't propose to write messy code in partman-crypto to try to track down the corresponding /dev/mapper/* device. Instead, I think the right answer is to just milestone this bug for tribe-4 to indicate that this bug needs to be fixed before feature freeze, so I'm doing that.
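
The check described in this report, redone so that it does not depend on which /dev name the kernel prints in /proc/swaps. This is an added example, not part of the bug report and not partman-crypto's code. It assumes a kernel that exposes /sys/block/dm-N/dm/name and /sys/block/dm-N/dm/uuid and that dm-crypt mappings carry cryptsetup's "CRYPT-" UUID prefix; the function names and the fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes /sys/block/dm-N/dm/{name,uuid} exist and that
# dm-crypt mappings carry cryptsetup's "CRYPT-" UUID prefix.

# dm_node DEV SYSBLOCK: print "dm-N" if DEV is a device-mapper path.
dm_node() {
    case $1 in
    /dev/dm-*) echo "${1#/dev/}" ;;
    /dev/mapper/*)
        # Look the mapping up by name rather than following a symlink.
        for d in "$2"/dm-*; do
            [ -r "$d/dm/name" ] || continue
            if [ "$(cat "$d/dm/name")" = "${1#/dev/mapper/}" ]; then
                echo "${d##*/}"; return
            fi
        done ;;
    esac
}

# swap_status SWAPS SYSBLOCK: print "DEVICE STATUS" for each active swap area.
swap_status() {
    tail -n +2 "$1" | while read -r dev type rest; do   # line 1 is the header
        if [ "$type" != partition ]; then
            echo "$dev unknown"; continue                # swap files not handled
        fi
        node=$(dm_node "$dev" "$2"); uuid=
        [ -n "$node" ] && [ -r "$2/$node/dm/uuid" ] && uuid=$(cat "$2/$node/dm/uuid")
        case $uuid in
        CRYPT-*) echo "$dev encrypted" ;;
        *)       echo "$dev unencrypted" ;;
        esac
    done
}

# Constructed fixture standing in for /proc/swaps and /sys/block.
make_fixture() {
    mkdir -p "$1/sys/dm-1/dm" "$1/sys/dm-2/dm"
    echo cryptswap1 > "$1/sys/dm-1/dm/name"
    echo CRYPT-PLAIN-cryptswap1 > "$1/sys/dm-1/dm/uuid"
    echo ubuntu-swap_1 > "$1/sys/dm-2/dm/name"
    echo LVM-constructedplaceholder > "$1/sys/dm-2/dm/uuid"
    printf '%s\n' 'Filename Type Size Used Priority' \
        '/dev/dm-1 partition 1048568 0 -1' \
        '/dev/mapper/ubuntu-swap_1 partition 1048568 0 -2' \
        '/dev/sda5 partition 2097148 0 -3' > "$1/swaps"
}

tmp=$(mktemp -d) && make_fixture "$tmp" && swap_status "$tmp/swaps" "$tmp/sys"
rm -rf "$tmp"
# On a live system: swap_status /proc/swaps /sys/block
```

Both the kernel node name (/dev/dm-1) and the mapper name resolve to the same sysfs entry, so the result is the same whichever form /proc/swaps reports.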

Colin Watson (cjwatson) wrote :

FWIW I've worked around this for d-i by turning these symlinks off in the libdevmapper udeb, but I'm leaving the bug open since things in the normal system might be affected too.

c.h. (wryfi) wrote :

This is considerably more serious for me than just encrypted swap/tmpfs.

It seriously compromises the security of my pam-mounted, luks-encrypted, lvm home partitions.

When a user logs in, everything mounts correctly. The encrypted volume is decrypted in /dev/mapper, and is also symlinked to, e.g., /dev/dm-7. /dev/dm-7 mounts as, e.g., /home/chris.

At logout, pam_mount calls umount.crypt to unmount the home partition and close the encrypted luks volume. The home partition umounts successfully, but umount.crypt fails to close the luks volume with the error:

Command failed: dm_task_set_name: Device /dev/dm-7 not found

Yet /dev/dm-7 certainly exists. My data is left unencrypted in /dev/mapper/_dev_mapper_chris symlinked to /dev/dm-7.

This is obviously bad from a security standpoint if multiple users share a machine. Furthermore, if I log out, and then attempt to log in again, pam_mount is unable to initialize the luks volume, because it was never closed during the log out. So I have to go back to a console, log in as another user, and manually close the luks volume from the previous session before I can log in again. Argh!

Colin, can you explain your workaround a little more thoroughly? How do you turn the symlinks off in the libdevmapper udeb? That sounds a bit, uh, complicated. Any other workarounds, or ETA for a fix in the gutsy repos?

Henrik Nilsen Omma (henrik) wrote :

Moving milestone.

Changed in devmapper:
importance: Undecided → Medium
status: New → Confirmed
Changed in devmapper:
assignee: nobody → ubuntu-kernel-team
Chris Poupart (chris-poupart) wrote :

My problem is very similar to chris' above.

I rely on luks encrypted hard drives for regular backups to hard drives. The script mounts and unmounts the encrypted drive on demand.

I was going to move the service from a Debian Etch machine to a machine running Ubuntu, but this is a real show stopper for me since unmounting properly seems to be impossible.

Colin, can you go into more detail about your workaround? I have never messed with udebs before, and I am not sure where to start.

Colin Watson (cjwatson) wrote :

My workaround is not relevant. The developer responsible knows exactly what to do here and just needs to do it. :-)

Chris Poupart (chris-poupart) wrote : Re: [Bug 126379] Re: /dev/mapper/* -> /dev/dm-* symlink scheme breaks partman-crypto

Well, "not relevant" so long as it gets done soon, but this bug has
been open for a month, and I need a solution sooner rather than later.

Truthfully, I am in the middle of setting up a Debian box right now
because I don't see an imminent solution for this.

Thanks anyway!

-- Chris

On 9/7/07, Colin Watson <email address hidden> wrote:
> My workaround is not relevant. The developer responsible knows exactly
> what to do here and just needs to do it. :-)

Colin Watson (cjwatson) wrote :

Chris: to apply the same workaround to your system, edit /etc/udev/rules.d/65-dmsetup.rules and follow the directions in the comment beginning "this is temporary".

Chris Poupart (chris-poupart) wrote :

Hi Colin: Thanks. I suspect that these are rules from Gutsy?

It would seem that this bug is also in Feisty, and the dmsetup.rules under feisty don't have any obvious section to change. I will have a poke around Gutsy and see if I can't puzzle it out. Thanks again.

Colin Watson (cjwatson) wrote :

The problem you're encountering in Feisty is not this bug; it's a difficult systemic problem in the process of being fixed in Gutsy (I believe). It's probably rather hard to backport the fixes.

Scott James Remnant (Canonical) (canonical-scott) wrote :

I'll fix this with a udev upload next week

Changed in devmapper:
assignee: ubuntu-kernel-team → keybuk
Henrik Nilsen Omma (henrik) wrote :

Moving milestone to beta.

Scott James Remnant (Canonical) (canonical-scott) wrote :

devmapper (2:1.02.20-1ubuntu4) gutsy; urgency=low

  * Make the device take the /dev/mapper name in all cases.
    LP: #126379, #144049.
  * Drop udeb patch since it's not needed.

 -- Scott James Remnant <email address hidden> Mon, 24 Sep 2007 13:37:29 +0100

Changed in devmapper:
status: Confirmed → Fix Released