SUID and luks

pmreid · #1 12th May 2006, 01:38 PM

Hello all

I have an external sata hard drive that I have encrypted using dmcrypt/luks. I have the following scripts (luksopen and luksclose) to create the mapping and mount respectively, which both work 100% fine if I run as root.

luksopen:

Code:

#! /bin/bash

devArray=(/dev/sata_external)
mapArray=(sata_external)
mntArray=(/home/pmreid/Media/My_Videos)


if ! /sbin/cryptsetup --help | grep -q luksFormat ; then
        echo "This script requires cryptsetup luks" >&2
        exit 1
fi

for (( i=0 ; i < ${#devArray[@]} ; ++i )) ; do
        dev=${devArray[$i]}
        if [ -z "$dev" ] || [ ! -e "$dev" ] ; then
                echo "Unable to find \"$dev\"" >&2
                continue
        #elif ! /sbin/cryptsetup isLuks "$dev" ; then
        #       echo "\"$dev\" doesn't seem to be a Luks encrypted volume" >&2
        #       continue
        fi

        map=${mapArray[$i]}
        # check whether device is already opened
        if [ -z "$map" ] ; then
                echo "Map name unspecified for \"$dev\"" >&2
                continue
        elif [ -e "/dev/mapper/$map" ]; then
                echo "\"/dev/mapper/$map\" already exists" >&2
                continue
        fi

        mnt=${mntArray[$i]}
        if [ -z "$mnt" ] || [ ! -d "$mnt" ] ; then
                echo "Unable to find mount point for \"$dev\"" >&2
                continue
        fi

        # ask whether to open the device or not
        #read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): "

        # skip device if desired
        #case "$answer" in
        #       y|Y)
        #               ;;
        #       *)
        #               echo "Skipping \"$dev\"" >&2
        #               continue
        #               ;;
        #esac

        # open and mount device
        j=3
        while [ $j -gt 0 ] && ! /sbin/cryptsetup luksOpen "$dev" "$map" ; do
                let "--j"
        done
        if [ $j -le 0 ] || ! mount "/dev/mapper/$map" "$mnt" ; then
                echo "Failed to mount \"/dev/mapper/$map\" on \"$mnt\"" >&2
        fi
done

luksclose:

Code:

#! /bin/bash

devArray=(/dev/sata_external)
mapArray=(sata_external)
mntArray=(/home/pmreid/Media/My_Videos)


if ! /sbin/cryptsetup --help | grep -q luksFormat ; then
        echo "This script requires cryptsetup luks" >&2
        exit 1
fi

for (( i=0 ; i < ${#devArray[@]} ; ++i )) ; do
        dev=${devArray[$i]}
        if [ -z "$dev" ] || [ ! -e "$dev" ] ; then
                echo "Unable to find \"$dev\"" >&2
                continue
        elif ! /sbin/cryptsetup isLuks "$dev" ; then
                echo "\"$dev\" doesn't seem to be a Luks encrypted volume" >&2
                continue
        fi

        map=${mapArray[$i]}
        # check whether device is already opened
        if [ -z "$map" ] ; then
                echo "Map name unspecified for \"$dev\"" >&2
                continue
        #elif [ -e "/dev/mapper/$map" ]; then
        #       echo "\"/dev/mapper/$map\" already exists" >&2
        #       continue
        fi

        mnt=${mntArray[$i]}
        if [ -z "$mnt" ] || [ ! -d "$mnt" ] ; then
                echo "Unable to find mount point for \"$dev\"" >&2
                continue
        fi

        # ask whether to open the device or not
        #read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): "

        # skip device if desired
        #case "$answer" in
        #       y|Y)
        #               ;;
        #       *)
        #               echo "Skipping \"$dev\"" >&2
        #               continue
        #               ;;
        #esac

        # open and mount device
        j=3
        if [ $j -le 0 ] || ! umount "$mnt" ; then
                echo "Failed to unmount \"/dev/mapper/$map\" from \"$mnt\"" >&2
        fi
        if ! cryptsetup luksClose $map ; then
                echo "Failed to remove mapping $map from device!\n" >&2
        fi
done

I want them to run with my normal user. Scripts live in /usr/bin/ and are owned by root. I have done chmod 4755 which I thought was setting up the SUID link so normal users can run them. However, When I run luksopen, I get this error:

Code:

[pmreid@localhost ~]$ luksopen
mlockall failed: Cannot allocate memory
WARNING!!! Possibly insecure memory. Are you root?
Command failed: Can't get device information.

mount: only root can do that
Failed to mount "/dev/mapper/sata_external" on "/home/pmreid/Media/My_Videos"
[pmreid@localhost ~]$

and when I check in /dev/mapper the sata_external link has not been created.
Also, as a future enhancement, I will be encrypting my normal /home partition. I know how to get it mapped and mounted on boot by adding it to /etc/rc.local. What file do I edit to get it to be umounted and de-mapped on shutdown?

Many thanks.

Pete

AnimeFreak · #2 4th January 2009, 11:04 PM

I am new to Linux, but If you are trying to change permissions on files or folders try using:

gksudo nautilus

this will let you open nautilus as root.. Now, you can navigate to the files and change the permissions by right-clicking and selecting properties. Then, click the permissions tab.

BE CAREFUL WHEN USING root

If you get some wierd message, and have not created sudo.

Look Here:

http://www.mjmwired.net/resources/mj...-f10.html#sudo

I recommend removing Use 'ALL=(ALL) NOPASSWD:ALL' from the code:

echo 'loginname ALL=(ALL) ALL' >> /etc/sudoers

Where 'loginname' is your user account.
Use 'ALL=(ALL) NOPASSWD:ALL' if you don't want to be prompted a password.
If you are prompted for a password with 'sudo' it is the user password, not root.

This way you will have to enter a password for root access through sudo.

If you don't take out the code above, and someone got their hands on your system, they could really do some damage.

- AnimeFreak

AnimeFreak · #3 5th January 2009, 01:28 PM

I have a couple of questions about these scripts.

1.Are these shell scripts (.sh)?

Are you and the scripts using Fedora 10's default system encryption (the one that comes built into Fedora, and tha youcan access when fedora partitions your HDD when installing fedora)?

3.Also, If I can get them to work for you, may I modify and use them for my self?

PS: I am not really a programmer, but since you created the scripts already and verified them, i MAY be able to modify them and get them to work for me.

I am running from a liveDVD right now, but will probably reinstall fedora with system encryption later this week.

Also, have you configured sudo for your user account (not root).

- AnimeFreak

nick.stumpos · #4 5th January 2009, 02:19 PM

the proper way to do this is to edit the sudoers file to allow a group or your user to execute these commands with roots privileges. to give it suid permissions is an unnecessary risk

SteveGYBE · #5 5th January 2009, 02:24 PM

Basically when you run a shell script, the OS replaces your command

Code:

/usr/bin/script-command

with

Code:

/bin/bash /usr/bin/script-command

As /bin/bash is not SUID (at least I hope not!) your script is not run with root permissions.

However, SUID scripts are also well known to pose security risks - see http://www.faqs.org/faqs/unix-faq/fa...section-7.html. Much better to use sudo to provide the root access in a controlled manner - that is what sudo is designed to do.

AnimeFreak · #6 5th January 2009, 02:36 PM

Try creating a kickstart file also.

Place it on your desktop.

you can launch it at startup, too.

you could always mod the script and put sudo in the places it needs to go.

or

like I said, you can use a kickstart file and put sudo in front of the path to the script.

AnimeFreak · #7 6th January 2009, 07:10 AM

sorry, I did not mean kickstart file. I meant launcher.