From 5f1dac6bf605871615b35891a3966fa474db5b20 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 29 Apr 2013 19:57:29 -0300
Subject: [PATCH] cryptsetup: warn if keyfiles are world-readable

---
 TODO | 6 +-----
 src/cryptsetup/cryptsetup.c | 18 ++++++++++++++----
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/TODO b/TODO
index 339a34d01..78d168c36 100644
--- a/TODO
+++ b/TODO
@@ -158,8 +158,6 @@ Features:
 * use "log level" rather than "log priority" everywhere
-* ensure sd_journal_seek_monotonic actually works properly.
-
 * timedate: have global on/off switches for auto-time (NTP), and auto-timezone that connman can subscribe to.
 * Honour "-" prefix for InaccessibleDirectories= and ReadOnlyDirectories= to
@@ -366,10 +364,10 @@ Features:
 - nspawn: make it work for dwalsh and shared /usr containers -- tmpfs mounts as command line parameters, selinux exec context
 * cryptsetup:
- - cryptsetup-generator: warn if the password files are world-readable
 - cryptsetup-generator: allow specification of passwords in crypttab itself
 - move cryptsetup key caching into kernel keyctl? https://bugs.freedesktop.org/show_bug.cgi?id=54982
+ - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
 * move debug shell to tty6 and make sure this doesn't break the gettys on tty6
@@ -440,8 +438,6 @@ Features:
 * change Requires=basic.target to RequisiteOverride=basic.target
-* support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator
-
 * when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr
 * move passno parsing to fstab generator
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index a24e61a03..347394db8 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -497,15 +497,25 @@ int main(int argc, char *argv[]) {
 crypt_get_volume_key_size(cd)*8, argv[3]);
- if (key_file)
- k = crypt_activate_by_keyfile_offset(cd, argv[2], CRYPT_ANY_SLOT, key_file, opt_keyfile_size,
- opt_keyfile_offset, flags);
+ if (key_file) {
+ struct stat st;
+
+ /* Ideally we'd do this on the open
+ * fd, but since this is just a
+ * warning it's OK to do this in two
+ * steps */
+ if (stat(key_file, &st) >= 0 && (st.st_mode & 0005))
+ log_warning("Key file %s is world-readable. That's certainly not a good idea.", key_file);
+
+ k = crypt_activate_by_keyfile_offset(
+ cd, argv[2], CRYPT_ANY_SLOT, key_file, opt_keyfile_size,
+ opt_keyfile_offset, flags);
 if (k < 0) {
 log_error("Failed to activate with key file '%s': %s", key_file, strerror(-k));
 key_file = NULL;
 continue;
 }
- else {
+ } else {
 char **p;
 STRV_FOREACH(p, passwords) {
--
2.30.2
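Review bot: The `0005` mask in the new `stat()` check also matches a key file that is world-executable but not world-readable, so the "is world-readable" message can be wrong for a mode such as 0701; `S_IROTH` names the bit the message is actually about and removes the magic octal: `if (stat(key_file, &st) >= 0 && (st.st_mode & S_IROTH))` (assuming `<sys/stat.h>` is already included, since the hunk uses `struct stat`). The check deliberately ignores the group bits, which is reasonable because a dedicated group can be a legitimate access path, but the comment could say so. Key files kept on filesystems without POSIX permission bits (a vfat stick, for instance) report a mode synthesized from mount options and will likely trip this warning on every boot, so a short comment noting that the warning is best-effort and may be noisy there would help whoever triages the log. The enclosing main() begins and continues outside the hunk, and a failing stat() is silently skipped here, which is acceptable because the key file open that follows reports its own error.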