Bug 84409 - Opening an encrypted device can time out during passphrase entry
Summary: Opening an encrypted device can time out during passphrase entry
Status: RESOLVED FIXED
Alias: None
Product: systemd
Classification: Unclassified
Component: general
Version: unspecified
Hardware: All Linux (All)
Importance: medium normal
Assignee: systemd-bugs
QA Contact: systemd-bugs
Reported: 2014-09-28 01:23 UTC by Hugo Grostabussiat
Modified: 2014-10-24 00:15 UTC

Attachments
Initial patch proposal (1.32 KB, patch)
2014-09-28 01:26 UTC, Hugo Grostabussiat

Description Hugo Grostabussiat 2014-09-28 01:23:55 UTC
Attempting to "start" an encrypted device unit will time out after 90 seconds if no passphrase is entered.

The device entry in /etc/crypttab:
data_sec    UUID=[some UUID]   -

Steps to reproduce:
1) Run "systemd start dev-mapper-data_sec.device"
2) A password agent should ask for a password. Just leave it as is for 90 seconds (assuming your default JobTimeoutSec is 90).
3) The operation times out.
The expected behavior is that it should wait forever until the user types in the right passphrase or exceeds the maximum tries number.

Distribution: ArchLinux ARM
systemd version:
  systemd 216
  +PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID -ELFUTILS +KMOD -IDN 

Syslog output:
Sep 28 02:10:43 arch systemd[1]: Starting Cryptography Setup for data_sec...
Sep 28 02:10:44 arch systemd[1]: Failed to reset devices.list on /system.slice: Invalid argument
Sep 28 02:10:44 arch systemd[1]: Expecting device dev-mapper-data_sec.device...
Sep 28 02:10:44 arch systemd[1]: Started Forward Password Requests to Wall.
Sep 28 02:12:13 arch systemd[1]: Job dev-mapper-data_sec.device/start timed out.
Sep 28 02:12:13 arch systemd[1]: Timed out waiting for device dev-mapper-data_sec.device.
Sep 28 02:12:13 arch systemd[1]: Dependency failed for /mnt/data_sec.
Sep 28 02:12:13 arch systemd[1]: Dependency failed for Cryptography Setup for data_sec.
Sep 28 02:12:13 arch systemd[1]: Dependency failed for File System Check on /dev/mapper/data_sec.


If we take a closer look at the files generated by systemd-cryptsetup-generator (I removed unrelated files from the list):
/run/systemd/generator:
drwxr-xr-x 2 root root  60 28 sept. 00:48 cryptsetup.target.requires
drwxr-xr-x 2 root root  60 28 sept. 00:48 data_sec.d
drwxr-xr-x 2 root root  60 28 sept. 00:48 dev-disk-by\x2duuid-[some UUID].device.wants
drwxr-xr-x 2 root root  60 28 sept. 00:48 dev-mapper-data_sec.device.requires
-rw-r--r-- 1 root root 882 28 sept. 00:48 systemd-cryptsetup@data_sec.service

/run/systemd/generator/cryptsetup.target.requires:
lrwxrwxrwx 1 root root 38 28 sept. 00:48 systemd-cryptsetup@data_sec.service -> ../systemd-cryptsetup@data_sec.service

/run/systemd/generator/data_sec.d:
-rw-r--r-- 1 root root 83 28 sept. 00:48 90-device-timeout.conf


The "data_sec.d" contains the drop-in configuration file we need to disable device timeout, but the name of the directory is wrong.
It should be "dev-mapper-data_sec.device.d" instead of just "data_sec.d".

Looking at the source file src/cryptsetup/cryptsetup-generator.c, near the end of the create_disk() function (l. 249),
we can notice that the second parameter (unit name) of the write_drop_in() function is the first field from /etc/crypttab, which is the
dm device name without the /dev/mapper prefix. Moreover, the name isn't escaped, so entering "../oops" in /etc/crypttab will cause
systemd-cryptsetup-generator to create an oops.d directory in /run/systemd.
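
The naming problem described above, as an added example that is not part of the original report and not systemd's own code: it contrasts a drop-in directory built from the raw crypttab name with one built from the escaped device unit name. The function names are hypothetical, and escape_path() is a simplified re-implementation of systemd-style path escaping that assumes no path normalisation.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified systemd-style path escaping for unit names (assumption: no
 * path normalisation). '/' becomes '-'; a leading '.' and any byte outside
 * [A-Za-z0-9:_.] become \xXX. Returns 0 on success, -1 if out is too small. */
static int escape_path(const char *path, char *out, size_t n) {
    size_t o = 0, len;
    while (*path == '/') path++;                    /* drop leading slashes */
    len = strlen(path);
    while (len > 0 && path[len - 1] == '/') len--;  /* drop trailing slashes */
    if (len == 0) { if (n < 2) return -1; strcpy(out, "-"); return 0; }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)path[i];
        if (o + 5 > n) return -1;                   /* room for \xXX + NUL */
        if (c == '/') out[o++] = '-';
        else if ((isalnum(c) || c == ':' || c == '_' || c == '.') && !(c == '.' && i == 0))
            out[o++] = (char)c;
        else
            o += (size_t)sprintf(out + o, "\\x%02x", c);
    }
    out[o] = '\0';
    return 0;
}

/* Behaviour described in the report: the raw first crypttab field is used
 * as the unit name, so the directory becomes "<name>.d". */
static int dropin_dir_raw(const char *name, char *out, size_t n) {
    int r = snprintf(out, n, "%s.d", name);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Expected behaviour: key the drop-in on the escaped device unit name. */
static int dropin_dir_escaped(const char *name, char *out, size_t n) {
    char dev[256], unit[1024];
    int r = snprintf(dev, sizeof dev, "/dev/mapper/%s", name);
    if (r < 0 || (size_t)r >= sizeof dev || escape_path(dev, unit, sizeof unit) < 0) return -1;
    r = snprintf(out, n, "%s.device.d", unit);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

int main(void) {
    const char *names[] = { "data_sec", "../oops" };  /* constructed crypttab names */
    char raw[1200], esc[1200];
    for (size_t i = 0; i < 2; i++) {
        if (dropin_dir_raw(names[i], raw, sizeof raw) || dropin_dir_escaped(names[i], esc, sizeof esc)) return 1;
        printf("%-10s raw=%-12s escaped=%s\n", names[i], raw, esc);
    }
    return 0;
}
```
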
Comment 1 Hugo Grostabussiat 2014-09-28 01:26:59 UTC
Created attachment 106976
Initial patch proposal
Comment 2 Lennart Poettering 2014-10-24 00:15:23 UTC
Patch looks good! Applied! Thanks!