
Thread: please help!

  1. #1
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,170

    please help!

    Please, can someone help me!?! I've wasted days of digging through jargon of encrypted root and home partitions - I have crypt files with formatted filesystems in them with the right privileges, but I need my users (not root) to be able to mount and unmount them. (and not asking for passwords at boot-time) Can someone help me find the (users) command line syntax?

    Please help??!!!!

    fstab
    /dev/mapper/cr_00Patti.001 /home/patti/MyShares/flames ext3 acl,user_xattr,noauto 0 0
    /dev/mapper/cr_00Paul.001 /home/paul/MyShares/flames ext3 acl,user_xattr,noauto 0 0
    crypttab
    cr_00Patti.001 /SCRATCH-RAID10/Dirs/00Patti.001 none none
    cr_00Paul.001 /SCRATCH-RAID10/Dirs/00Paul.001 none none

  2. #2
    Join Date
    Jun 2008
    Location
    Köln, Deutschland
    Posts
    1,054

    Re: please help!

    It might be one of these examples when using an encrypted file -

    cryptsetup create mycryptfile /path/to/myfile.crypt - where "mycryptfile" is just a name you give that becomes the devicename, and the last part is your filename and path.

    -or-

    cryptsetup luksOpen path/to/myfile.crypt mycryptfile - same as above but in reverse.

    ...maybe try the 2nd one first just in case "create" tries to overwrite the file!! I'm sure it simply creates the device name in /dev/mapper/, but I'm not 100% sure and cryptsetup --help is not much help!

    Then mount it:

    mount /dev/mapper/mycryptfile /wherever/youwantit/mounted

    I used to use encrypted files a few years ago but I seem to have lost my instructions on how to do it exactly. I hope that helps.
    HP dv6645, Nvidia 8400m-gs, KDE 4.

  3. #3
    Join Date
    Jun 2008
    Location
    Köln, Deutschland
    Posts
    1,054

    Re: please help!

    oh yes, and once you've got the files mounting properly, make a script with all that lot in for each user and put it in their ~/home/bin/ folder, then simply create an icon and shortcut in their menu or on their desktop that runs the script.

    I did one to mount it, and another to unmount it. But if you're better with bash scripting, then you could programme it to toggle. A much nicer solution.
    HP dv6645, Nvidia 8400m-gs, KDE 4.

  4. #4
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,170

    Re: please help!

    These commands only seem to work for root - how can my users mount and unmount their cryptfiles?

    patti@TYAN2-Linux:~> cryptsetup luksopen /SCRATCH-RAID10/Dirs/00Patti.001

    Program 'cryptsetup' is present in package 'cryptsetup', which is installed on your system.

    Absolute path to 'cryptsetup' is '/sbin/cryptsetup', so it might be intended to be run only by user with superuser privileges (eg. root).

    bash: cryptsetup: command not found
    patti@TYAN2-Linux:~>


    This is TOTALLY confusing, and it doesn't need to be. I've got my crypt files setup - I just need to be able to mount and unmount them as non-root.

    HELP!!!!

  5. #5
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,170

    Re: please help!

    OK, I tried it as root. I noticed during boot that it asks for the passwords for my two users' crypt volumes. If I don't give them, then there are no entries made in /dev/mapper and I don't know if that is as-it-should-be.

    TYAN2-Linux:/home/patti # cryptsetup luksOpen /SCRATCH-RAID10/Dirs/00Patti.001 /home/patti/MyShares/flames
    Command failed: Can't get device information.

    TYAN2-Linux:/home/patti #
    TYAN2-Linux:/home/patti # cryptsetup luksOpen loop0 /SCRATCH-RAID10/Dirs/00Patti.001
    Command failed: Can not access device
    TYAN2-Linux:/home/patti # cryptsetup luksOpen loop1 /SCRATCH-RAID10/Dirs/00Patti.001
    Command failed: Can not access device
    TYAN2-Linux:/home/patti # cryptsetup create /SCRATCH-RAID10/Dirs/00Patti.001 loop1
    Command failed: dm_task_set_name: Device /SCRATCH-RAID10/Dirs/00Patti.001 not found
    TYAN2-Linux:/home/patti # cryptsetup create loop2 /SCRATCH-RAID10/Dirs/00Patti.001
    Command failed: BLKROGET failed on device: Inappropriate ioctl for device
    TYAN2-Linux:/home/patti # cryptsetup create /dev/mapper/cr_00Patti.001 /SCRATCH-RAID10/Dirs/00Patti.001
    Command failed: dm_task_set_name: Device /dev/mapper/cr_00Patti.001 not found
    TYAN2-Linux:/home/patti # cryptsetup create cr_00Patti.001 /SCRATCH-RAID10/Dirs/00Patti.001
    Command failed: BLKROGET failed on device: Inappropriate ioctl for device
    TYAN2-Linux:/home/patti #
    TYAN2-Linux:/home/patti #

    The crypt file and directory-to-which-to-mount are in bold above.

  6. #6
    Join Date
    Jun 2008
    Location
    Köln, Deutschland
    Posts
    1,054

    Re: please help!

    OK, after spending MANY hours getting instructions from a Linux veteran friend of mine, I managed to get an example working.

    The only problem is that in my example I use sudo.

    The thing is that sadly openSUSE doesn't use the sudo command to its fullest potential, i.e. it asks for the root password instead of the user's password (who is allowed to run apps as the root user).

    This can be changed by modifying /etc/sudoers, but be warned that is quite a dangerous thing to do, and you really should ask for advice from someone who is much wiser than I am before you attempt it!

    So anyway, using the sudo command, this is how I created, formatted, mounted, and unmounted an encrypted file -

    Code:
    ------------------------------------------------------------------------
    How to create an encrypted file and get it mounted into a folder - 
    
    1. Create the file - dd if=/dev/zero of=/home/growbag/test.crypt count=3000 bs=1024 (3gig-ish)
    2. losetup - sudo losetup /dev/loop0 /home/growbag/test.crypt
    3. cryptsetup create - sudo cryptsetup create growbagstest /dev/loop0 (enter passphrase)
    4. cryptsetup luksformat - sudo cryptsetup luksFormat /dev/mapper/growbagstest
    5. Format - sudo mkreiserfs --format=3.6 --label=growbagstest /dev/mapper/growbagstest
    6. Mount - sudo mount -t auto /dev/mapper/growbagstest /home/growbag/zzz/
    
    To unmount it again - 
    
    1. unmount - sudo umount /dev/mapper/growbagstest
    2. cryptsetup remove - sudo cryptsetup remove growbagstest
    3. losetup - sudo losetup -d /dev/loop0
    4. Done :)
    ------------------------------------------------------------------------

    Of course you don't need to create or format the file, so just ignore those extra steps. I decided to post them here just in case I lost the instructions I just spent nearly 4 hours creating!



    Now, if you can't get sudo working properly, an alternative is to tell it to allow certain users to run certain commands without asking for a password!

    It's something like adding the relevant lines into /etc/sudoers (through visudo obviously!).

    You would need a line something like the following for each user -

    Code:
    patti   ALL = (ALL) /sbin/cryptsetup, /bin/mount, /bin/umount
    user2   ALL = (ALL) /sbin/cryptsetup, /bin/mount, /bin/umount
    etc.....

    I am not 100% sure of those lines, and playing with visudo or /etc/sudoers is VERY dangerous, so please research it further before attempting it.

    Plus doing the above will also allow those users to potentially do nasty things to the system and create a rather large security hole.

    If you have got that working, that should allow the selected users to create the mapping devices, and mount their encrypted files.

    BUT it could also allow those users to mount and unmount ANY device on the entire system and possibly read/write to it or do other horrid things!!!!

    I would then put the following into /etc/boot.local so that the encrypted files get assigned to loop devices on boot without it asking for a password -

    Code:
    losetup /dev/loop0 /SCRATCH-RAID10/Dirs/00Patti.001

    and so on for each user....

    The next step is to make 2 shell scripts, one to mount the encrypted file, and another to unmount it. Put them in ~/bin/ and then they can simply be linked to a menu or desktop icon so the user simply has to click to mount their file, and click another to unmount it again when finished -

    Code:
    #!/bin/sh
    # ~/bin/mount-encrypted.sh
    # It should ask for both the user's (sudo) password
    # and also the encrypted file's password
    #
    sudo cryptsetup create patti /dev/loop0
    sudo mount /dev/mapper/patti /home/patti/MyShares/flames/

    Code:
    #!/bin/sh
    # ~/bin/unmount-encrypted.sh
    # unmounts an encrypted file
    #
    sudo umount /dev/mapper/patti
    sudo cryptsetup remove patti

    Give those a try and see how it goes.
    HP dv6645, Nvidia 8400m-gs, KDE 4.
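
A narrower alternative to the sudoers lines in post #6, as an added example that is not part of any poster's message: a root-owned wrapper (hypothetical name `user-crypt`) that sudoers would permit in place of `cryptsetup`, `mount` and `umount` themselves, so each user can only map and mount their own container. It assumes the loop devices are attached at boot as in the `/etc/boot.local` step and that `/dev/loop1` is Paul's.

```shell
#!/bin/sh
# Added example: hypothetical root-owned wrapper, e.g. /usr/local/sbin/user-crypt.
# sudoers would list only this file instead of cryptsetup, mount and umount.
# Device and mount point come from the table below, never from the caller,
# so a user cannot point mount or cryptsetup at another device.

lookup() {  # prints "<loop device> <mount point> <mapping name>" for a known user
    case "$1" in
        # /dev/loop0 for Patti is from the thread; /dev/loop1 for Paul is assumed
        patti) echo "/dev/loop0 /home/patti/MyShares/flames patti" ;;
        paul)  echo "/dev/loop1 /home/paul/MyShares/flames paul" ;;
        *)     return 1 ;;
    esac
}

run() {  # DRY_RUN=1 prints the command instead of executing it
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

user_crypt() {  # usage: user_crypt open|close
    # sudo sets SUDO_USER to the invoking login; anything else is refused
    entry=$(lookup "${SUDO_USER:-}") || { echo "user not allowed" >&2; return 1; }
    set -- "${1:-}" $entry      # now $2=loop device, $3=mount point, $4=mapping
    case "$1" in
        open)   # absolute paths: sudo's PATH may not include /sbin
            run /sbin/cryptsetup create "$4" "$2" &&
            run /bin/mount -o nosuid,nodev "/dev/mapper/$4" "$3" ;;
        close)
            run /bin/umount "$3" &&
            run /sbin/cryptsetup remove "$4" ;;
        *)  echo "usage: user-crypt open|close" >&2; return 2 ;;
    esac
}

# Run only when called with an argument, e.g.: sudo /usr/local/sbin/user-crypt open
if [ "$#" -gt 0 ]; then user_crypt "$1"; fi
```

Setting `DRY_RUN=1` prints the commands the wrapper would run for the current `SUDO_USER` without touching any device.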

  7. #7
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,170

    Re: please help!

    Wow - thank you! I'm baking brownies this weekend - what's your snailmail and I'll send you some.

    My efforts so far:
    patti@TYAN2-Linux:~> dd if=/dev/zero of=/home/patti/test.crypt count=3000 bs=1024
    3000+0 records in
    3000+0 records out
    3072000 bytes (3.1 MB) copied, 0.0315739 s, 97.3 MB/s
    patti@TYAN2-Linux:~> sudo losetup /dev/loop0 /home/patti/test.crypt
    root's password:
    sudo: losetup: command not found
    patti@TYAN2-Linux:~>


    I never learned vi, so I tried editing /etc/sudoers as root with Kate - I uncommented a "sample" line it contained and added cryptsetup, etc.:
    # Samples
    %users ALL=/sbin/mount, /sbin/losetup, /sbin/cryptsetup, /cdrom, /sbin/umount, /cdrom

    Then rebooted and...
    patti@TYAN2-Linux:~> losetup /dev/loop0 /SCRATCH-RAID10/Dirs/00Patti.001
    Program 'losetup' is present in package 'util-linux', which is installed on your system.
    Absolute path to 'losetup' is '/sbin/losetup', so it might be intended to be run only by user with superuser privileges (eg. root).
    bash: losetup: command not found
    patti@TYAN2-Linux:~>

    ...So the changes to sudoers didn't "take". Strange!

    Then I went into YaST and said patti could run losetup as root and tried it again:

    patti@TYAN2-Linux:~> losetup /dev/loop0 /home/patti/test.crypt
    Program 'losetup' is present in package 'util-linux', which is installed on your system.
    Absolute path to 'losetup' is '/sbin/losetup', so it might be intended to be run only by user with superuser privileges (eg. root).
    bash: losetup: command not found
    patti@TYAN2-Linux:~> su losetup /dev/loop0 /home/patti/test.crypt
    su: user losetup does not exist
    patti@TYAN2-Linux:~>


    Aggggh!!!

  8. #8
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,170

    Re: please help!

    More Fun - NOT!!!!!

    patti@TYAN2-Linux:~> dd if=/dev/zero of=/home/patti/test.crypt count=100000 bs=1024
    100000+0 records in
    100000+0 records out
    102400000 bytes (102 MB) copied, 0.598009 s, 171 MB/s
    patti@TYAN2-Linux:~> su losetup /dev/loop0 /home/patti/test.crypt
    su: user losetup does not exist
    patti@TYAN2-Linux:~> sudo cryptsetup create testfile /dev/loop0
    root's password:
    sudo: cryptsetup: command not found
    patti@TYAN2-Linux:~>
    patti@TYAN2-Linux:~> su
    Password:
    TYAN2-Linux:/home/patti # dd if=/dev/zero of=/home/patti/test.crypt count=100000 bs=1024
    100000+0 records in
    100000+0 records out
    102400000 bytes (102 MB) copied, 0.579562 s, 177 MB/s
    TYAN2-Linux:/home/patti # losetup /dev/loop0 /home/patti/test.crypt
    TYAN2-Linux:/home/patti # sudo cryptsetup create testfile /dev/loop0
    Enter passphrase:
    TYAN2-Linux:/home/patti #

  9. #9

    Re: please help!

    Try the whole path, as in sudo /sbin/cryptsetup. IIRC sudo uses the user's path, which won't include /sbin.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.

  10. #10
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,170

    Re: please help!

    OK, I'll give that a try - here's what works so far, but only as su:

    patti@TYAN2-Linux:~> su
    Password:
    TYAN2-Linux:/home/patti # dd if=/dev/zero of=/SCRATCH-RAID10/Dirs/00Paul.001 count=10000000 bs=1024
    10000000+0 records in
    10000000+0 records out
    10240000000 bytes (10 GB) copied, 63.8181 s, 160 MB/s
    TYAN2-Linux:/home/patti # losetup /dev/loop1 /SCRATCH-RAID10/Dirs/00Paul.001
    TYAN2-Linux:/home/patti # cryptsetup create paulcrypt /dev/loop1
    Enter passphrase:
    TYAN2-Linux:/home/patti # cryptsetup luksFormat /dev/mapper/paulcrypt

    WARNING!
    ========
    This will overwrite data on /dev/mapper/paulcrypt irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:
    Command successful.
    TYAN2-Linux:/home/patti # mkfs -t ext3 /dev/mapper/paulcrypt
    mke2fs 1.41.1 (01-Sep-2008)
    Filesystem label=

    <snip!>

    Writing inode tables: done
    Creating journal (32768 blocks): done
    Writing superblocks and filesystem accounting information: done

    This filesystem will be automatically checked every 20 mounts or
    180 days, whichever comes first. Use tune2fs -c or -i to override.
    TYAN2-Linux:/home/patti # mount -t auto /dev/mapper/paulcrypt /home/paul/MyShares/flames
    TYAN2-Linux:/home/patti # umount /dev/mapper/paulcrypt
    TYAN2-Linux:/home/patti # cryptsetup remove paulcrypt
    TYAN2-Linux:/home/patti # losetup -d /dev/loop1
    TYAN2-Linux:/home/patti #


    I have a question - the Luks passphrase I understand in the luksFormat command - but what is the other passphrase being asked for and why there? (in bold above)
