Bug 1098714

Summary: cryptsetup luksFormat fails for non-root user
Product: [Fedora] Fedora Reporter: Steeve McCauley <steeve.mccauley>
Component: cryptsetup Assignee: Milan Broz <gmazyland>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20 CC: agk, dwysocha, extras-orphan, gmazyland, okozina, pjones, prockai, whulbert
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-17 20:05:28 UTC Type: Bug

Description Steeve McCauley 2014-05-17 15:13:11 UTC
Description of problem:

Attempting to format a LUKS file-based container on a loopback device fails.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. dd if=/dev/urandom of=./vol00 bs=1M count=50
2. losetup -f ./vol00
3. cryptsetup --verbose --verify-passphrase luksFormat /dev/loop0

Actual results:

$ cryptsetup --verbose --verify-passphrase luksFormat /dev/loop0

WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
Cannot initialize device-mapper, running as non-root user.
Command failed with code 5: Cannot initialize device-mapper, running as non-root user.


Expected results:

Expected cryptsetup luksFormat to succeed, and allow a subsequent call to luksOpen.

Additional info:

I also had to tweak some permissions to get the loopback devices to load, as shown in Bug #1019440 and #1045432.

Comment 1 Steeve McCauley 2014-05-17 15:19:56 UTC
I attempted to change some permissions in /dev/mapper/ to chgrp from root to disk, as well as chmod g+rwx.

Kernel is,

Linux zorg 3.14.3-200.fc20.x86_64 #1 SMP Tue May 6 19:00:18 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Comment 2 Milan Broz 2014-05-17 20:05:28 UTC
Unfortunately, the kernel device-mapper (including dm-crypt) requires root privilege to operate.

It is a long-term issue to allow operation for non-user. But please ask the kernel device-mapper developers.

Cryptsetup cannot do anything here; both format and activate require dmcrypt device creation, and allowing access to the block device is not enough.

Comment 3 Steeve McCauley 2014-05-18 13:58:22 UTC
Aw damn, really.  Sorry, I could have sworn I'd done this in the past.  I'll go nag the device-mapper guys.
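
Added example, not part of the original report and not code from cryptsetup: a preflight check for the constraint described in Comment 2, to run before `cryptsetup luksFormat` or `luksOpen` so the failure shows up before the tool asks for a passphrase. It assumes that "root privilege" for the kernel device-mapper interface means holding CAP_SYS_ADMIN (capability bit 21 in `CapEff`); the function names and the `--check` switch are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether this process can create dm-crypt mappings.
# Assumption: device-mapper's control interface requires CAP_SYS_ADMIN,
# which is bit 21 of the CapEff mask in /proc/<pid>/status.
CAP_SYS_ADMIN_BIT=21

# has_cap_sys_admin HEXMASK
# Exit 0 if bit 21 is set, 1 if it is clear, 2 if HEXMASK is not hex.
has_cap_sys_admin() {
    mask=$1
    case "$mask" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$mask >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# current_capeff: print the effective capability mask of the caller.
current_capeff() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# dm_preflight UID CAPEFF
# Print a one-line verdict; exit 0 only if both conditions hold.
dm_preflight() {
    uid=$1
    capeff=$2
    if [ "$uid" -ne 0 ]; then
        # The case from this bug: group or mode changes on /dev/loop* or
        # /dev/mapper do not help, because the privilege check is in the kernel.
        echo "blocked: uid $uid is not root, device-mapper cannot be initialised"
        return 1
    fi
    if ! has_cap_sys_admin "$capeff"; then
        # uid 0 with a reduced capability set, e.g. inside a container.
        echo "blocked: uid 0 but CAP_SYS_ADMIN is missing from CapEff=$capeff"
        return 1
    fi
    echo "ok: dm-crypt mappings can be created"
}

# Run against the current process only when asked to.
if [ "${1:-}" = "--check" ]; then
    dm_preflight "$(id -u)" "$(current_capeff)"
fi
```
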