Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/boot/dietpi/func/dietpi-set_swapfile 128 /dev/zram0 fails #3869

Closed
mennerausr opened this issue Oct 26, 2020 · 2 comments · Fixed by #3870
Closed

/boot/dietpi/func/dietpi-set_swapfile 128 /dev/zram0 fails #3869

mennerausr opened this issue Oct 26, 2020 · 2 comments · Fixed by #3870
Labels
Enhancement 💨 Solution available 🥂 Definite solution has been done
Milestone
v6.34

Comments

@mennerausr
Copy link

mennerausr commented Oct 26, 2020
edited by MichaIng

Details:

  • Date | Tue Oct 27 00:08:37 CET 2020
  • DietPi version | v6.33.3 (MichaIng/master)
  • Image creator | DietPi Core Team
  • Pre-image | Raspbian Lite
  • Hardware | RPi Zero W (armv6l) (ID=1)
  • Kernel version | Linux raspi0w 5.4.72+ #1356 Thu Oct 22 13:56:00 BST 2020 armv6l GNU/Linux
  • Distro | buster (ID=5,RASPBIAN=1)
  • Command | swapon /dev/zram0
  • Exit code | 255
  • Software title | DietPi-Set_swapfile

Steps to reproduce:

  1. ...
  2. ...

Expected behaviour:

  • ...

Actual behaviour:

  • ...

Extra details:

  • ...

Additional logs:

swapon: /dev/zram0: insecure permissions 0644, 0600 suggested.
swapon: /dev/zram0: swapon failed: Invalid argument
@MichaIng
Copy link
Owner

MichaIng commented Oct 26, 2020
edited

Many thanks for your report.

Interesting, AFAIK permissions were correct automatically when we implemented this. I'll try to replicate on VM, else it doesn't hurt to re-set the permissions, 600 simply makes sense for RAM content.

... works fine here:

2020-10-27 00:25:40 root@VM-Buster:~# /boot/dietpi/func/dietpi-set_swapfile 128 zram
[ SUB1 ] DietPi-Set_swapfile > Applying 128 zram
[ INFO ] DietPi-Set_swapfile | Disabling and deleting all existing swap files
[  OK  ] DietPi-Set_swapfile | swapoff -a
[  OK  ] DietPi-Set_swapfile | Generating new swap space
[ INFO ] DietPi-Set_swapfile | Size = 128 MiB
[ INFO ] DietPi-Set_swapfile | Path = /dev/zram0
[  OK  ] DietPi-Set_swapfile | modprobe zram
[  OK  ] DietPi-Set_swapfile | eval echo 1 > /sys/block/zram0/reset
[  OK  ] DietPi-Set_swapfile | eval echo '128M' > /sys/block/zram0/disksize
[  OK  ] DietPi-Set_swapfile | mkswap /dev/zram0
[  OK  ] DietPi-Set_swapfile | swapon /dev/zram0
[  OK  ] DietPi-Set_swapfile | eval echo 'zram' > /etc/modules-load.d/dietpi-zram-swap.conf
[  OK  ] DietPi-Set_swapfile | eval echo 'SUBSYSTEM=="block", KERNEL=="zram0", ACTION=="add", ATTR{disksize}="128M", RUN+="/sbin/mkswap /dev/zram0", RUN+="/sbin/swapon /dev/zram0"' > /etc/udev/rules.d/98-dietpi-zram-swap.rules
[  OK  ] DietPi-Set_swapfile | eval echo 'swappiness=50' > /etc/sysctl.d/98-dietpi-zram-swap.conf
[  OK  ] DietPi-Set_swapfile | Setting in /boot/dietpi.txt adjusted: AUTO_SETUP_SWAPFILE_SIZE=128
[  OK  ] DietPi-Set_swapfile | Setting in /boot/dietpi.txt adjusted: AUTO_SETUP_SWAPFILE_LOCATION=zram
[ INFO ] DietPi-Set_swapfile | Setting /tmp tmpfs size: 1061 MiB
[  OK  ] DietPi-Set_swapfile | mount -o remount /tmp
2020-10-27 00:26:09 root@VM-Buster:~# l /dev/zram0
brw-rw---- 1 root disk 254, 0 Oct 27 00:26 /dev/zram0

But indeed disk group has R/W access. Not sure why swapon is not complaining here but we should apply 600 definitely. Please try:

sed -i '\|/sys/block/zram0/disksize|a\\t\t\tG_EXEC chmod 0600 /dev/zram0' /boot/dietpi/func/dietpi-set_swapfile

........

Ah now I see difference: Please use zram only as argument, not /dev/zram0. Probably we should allow both 😉. But the hardened permissions are still a reasonable enhancement.

@MichaIng MichaIng added this to the v6.34 milestone Oct 26, 2020
@MichaIng MichaIng linked a pull request Oct 26, 2020 that will close this issue
DietPi-Set_swapfile | Enhance zram-swap hardening and input tolerance #3870
Merged
MichaIng added a commit that referenced this issue Oct 26, 2020
@MichaIng
v6.34
2fb2dc0 
+ CHANGELOG | Hardened permissions of the /dev/zram0 zram-swap device to be only accessible by root user (mode 0600) and interpret input argument "/dev/zram0" and "zram0" as zram-swap as well, aside of "zram" only. Many thanks to @hansjuergenmay for reporting a related issue: #3869
@MichaIng
Copy link
Owner

MichaIng commented Oct 26, 2020
edited

This fixes both, hardens the zram-swap device permissions and allows /dev/zram0 input to be interpreted correctly: #3870

@MichaIng MichaIng mentioned this issue Dec 8, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Enhancement 💨 Solution available 🥂 Definite solution has been done
Projects
None yet
Milestone
v6.34
Development

Successfully merging a pull request may close this issue.

DietPi-Set_swapfile | Enhance zram-swap hardening and input tolerance MichaIng/DietPi
2 participants
@MichaIng @mennerausr