
"Nathanael D. Noblet" 10-25-2010 10:31 PM

Mounting an encrypted volume presents the volume to all users on a machine
 
On 10/25/2010 04:28 PM, nodata wrote:
> Hi,
>
> I'm concerned about the default behaviour of mounting encrypted volumes.
>
> The default behaviour is that a user must know and supply a passphrase
> in order to mount an encrypted volume. This is good: know the
> passphrase, you get to mount the volume.
>
> What I am concerned about is that the volume is mounted for _every_ user
> on the system to see.
>
> I've filed a bug about this, and it got closed:
> https://bugzilla.redhat.com/show_bug.cgi?id=646085
>
> I'm quite in favour of secure by default. In the worst case, the
> mountpoint would have permissions set to read access to all if you tick
> a box.

Wouldn't they be restricted based on the contents of the encrypted volume?
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

nodata 10-25-2010 10:33 PM

On 26/10/10 00:31, Nathanael D. Noblet wrote:
> On 10/25/2010 04:28 PM, nodata wrote:
>> Hi,
>>
>> I'm concerned about the default behaviour of mounting encrypted volumes.
>>
>> The default behaviour is that a user must know and supply a passphrase
>> in order to mount an encrypted volume. This is good: know the
>> passphrase, you get to mount the volume.
>>
>> What I am concerned about is that the volume is mounted for _every_ user
>> on the system to see.
>>
>> I've filed a bug about this, and it got closed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=646085
>>
>> I'm quite in favour of secure by default. In the worst case, the
>> mountpoint would have permissions set to read access to all if you tick
>> a box.
>
> Wouldn't they be restricted based on the contents of the encrypted volume?

What do you mean?

nodata 10-25-2010 10:40 PM

On 26/10/10 00:31, Nathanael D. Noblet wrote:
> On 10/25/2010 04:28 PM, nodata wrote:
>> Hi,
>>
>> I'm concerned about the default behaviour of mounting encrypted volumes.
>>
>> The default behaviour is that a user must know and supply a passphrase
>> in order to mount an encrypted volume. This is good: know the
>> passphrase, you get to mount the volume.
>>
>> What I am concerned about is that the volume is mounted for _every_ user
>> on the system to see.
>>
>> I've filed a bug about this, and it got closed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=646085
>>
>> I'm quite in favour of secure by default. In the worst case, the
>> mountpoint would have permissions set to read access to all if you tick
>> a box.
>
> Wouldn't they be restricted based on the contents of the encrypted volume?

Yes. Once the volume is mounted it will be treated with normal UNIX
permissions. So you would have to create a sub-directory on the volume
where the permissions were strict and create files under that.

My point is that if the disk is encrypted, and the user knows the
passphrase to access files on the device, then it doesn't make sense to
let everyone else see what's on the device as well: it only makes sense
to decrypt the device to the user who knows the passphrase.

There's an argument that other people will want to see what's on the
device too. That's fine: the user can opt-in to that. But secure by
default should be what we're aiming at.

"Nathanael D. Noblet" 10-25-2010 10:45 PM

On 10/25/2010 04:40 PM, nodata wrote:

>> Wouldn't they be restricted based on the contents of the encrypted volume?
>
> Yes. Once the volume is mounted it will be treated with normal UNIX
> permissions. So you would have to create a sub-directory on the volume
> where the permissions were strict and create files under that.
>
> My point is that if the disk is encrypted, and the user knows the
> passphrase to access files on the device, then it doesn't make sense to
> let everyone else see what's on the device as well: it only make sense
> to decrypt the device to the user who knows the passphrase.
>
> There's an argument that other people will want to see what's on the
> device too. That's fine: the user can opt-in to that. But secure by
> default should be what we're aiming at.

I encrypt /home... So for my use case it doesn't make much sense. I
guess I can see the case where you have some random storage that is
encrypted, however I'm not sure how common this is, and file permissions
keep them at bay once mounted anyway. I guess if they could get root,
once you decrypt they have access, but if they have root... you've got
other problems.


Eric Sandeen 10-26-2010 02:19 AM

nodata wrote:
> Hi,
>
> I'm concerned about the default behaviour of mounting encrypted volumes.
>
> The default behaviour is that a user must know and supply a passphrase
> in order to mount an encrypted volume. This is good: know the
> passphrase, you get to mount the volume.
>
> What I am concerned about is that the volume is mounted for _every_ user
> on the system to see.
>
> I've filed a bug about this, and it got closed:
> https://bugzilla.redhat.com/show_bug.cgi?id=646085
>
> I'm quite in favour of secure by default. In the worst case, the
> mountpoint would have permissions set to read access to all if you tick
> a box.
>
> Thoughts?
>

If you want something closer to per-file encryption, try out ecryptfs.

http://ecryptfs.sourceforge.net/ecryptfs-faq.html#compare

-Eric

Przemek Klosowski 10-26-2010 06:18 PM

On 10/25/2010 06:40 PM, nodata wrote:
> On 26/10/10 00:31, Nathanael D. Noblet wrote:
>> On 10/25/2010 04:28 PM, nodata wrote:
>>> Hi,
>>>
>>> I'm concerned about the default behaviour of mounting encrypted volumes.
>>>
>>> The default behaviour is that a user must know and supply a passphrase
>>> in order to mount an encrypted volume. This is good: know the
>>> passphrase, you get to mount the volume.
>>>
>>> What I am concerned about is that the volume is mounted for _every_ user
>>> on the system to see.
>>>

The security role and rationale for the filesystem encryption is to
prevent the access to lost or stolen media, when you can't rely on the
mechanisms existent within the OS. The underlying device encryption
technology is not set up to keep track of who is accessing the data
after it is decrypted and made available to the system, as you correctly
point out.

Such user-differentiated authorization is provided by the filesystem
access rights, ACLs and SELinux attributes. Note that unlike the first
two mechanisms, SELinux can protect the data even for systems with
compromised root---as someone said, SELinux can be configured so that
you can tell people "here's the root password; now break into my computer".

What you are asking for improves security by adding additional depth,
but it requires a fairly intensive redesign and reimplementation of the
device encryption, so it falls on you to provide a good analysis and
justification of the tradeoffs.

"Nathanael D. Noblet" 10-26-2010 07:16 PM

On 10/26/2010 01:03 PM, Gregory Maxwell wrote:
> I think that a small change in the default mount behavior so that the
> mountpoint encrypted is always owned by the user and mode 700— or if
> it were mounted under the user's home directory, perhaps with a
> checkbox (defaulting to off) on the password dialog "Make this volume
> available to all users on my system", would better meet the user's
> expectations of how an encrypted volume should behave.

Just out of curiosity... when are these being mounted? If we are talking
about mounting a partition from a user session that's one thing and can
easily make it user only accessible with a checkbox I guess. I'm
wondering though, when you plug in a USB thumbdrive... don't all users
have access? What's the difference here? Are we talking about system
wide mounts like mine where only /home is encrypted??

Just wondering.
--
Nathanael d. Noblet
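The thread's two points (nodata's observation that a mounted volume is governed only by ordinary UNIX permissions, and the proposal to mount encrypted volumes at a user-owned, mode 700 mountpoint) can be turned into a small audit. The script below is an added example, not code from the thread or from Fedora: it reads /proc/mounts-style lines, assumes encrypted volumes appear as device-mapper names of the form `/dev/mapper/luks-<uuid>`, and reports any such mountpoint whose "other" permission bits let every user on the machine list or traverse it. The mount lines and directories are constructed for the demo.

```python
import os
import stat
import tempfile

# Constructed /proc/mounts-style sample input (not from the thread).
SAMPLE_MOUNTS = """\
/dev/mapper/luks-aaaa /media/secret ext4 rw,relatime 0 0
/dev/mapper/luks-bbbb /home/alice/vault ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
"""

def parse_mounts(text):
    """Yield (source, mountpoint) pairs from /proc/mounts-formatted text."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            # /proc/mounts encodes a space in a path as the octal escape \040
            yield fields[0], fields[1].replace("\\040", " ")

def is_encrypted_mapping(source):
    """Assumed naming: device-mapper names of the form luks-<uuid> are LUKS volumes."""
    return source.startswith("/dev/mapper/luks-")

def others_have_access(path):
    """True when the 'other' class holds any r/w/x bit on the directory, i.e.
    every user on the machine can at least list or traverse it."""
    return bool(os.stat(path).st_mode & stat.S_IRWXO)

def audit(mounts_text, resolve=lambda p: p):
    """Return [(mountpoint, octal mode)] for encrypted volumes whose mountpoint is
    open to others; `resolve` maps a mountpoint to the directory actually stat'ed."""
    findings = []
    for source, mountpoint in parse_mounts(mounts_text):
        if not is_encrypted_mapping(source):
            continue
        directory = resolve(mountpoint)
        if os.path.isdir(directory) and others_have_access(directory):
            mode = stat.S_IMODE(os.stat(directory).st_mode)
            findings.append((mountpoint, format(mode, "04o")))
    return findings

def demo():
    """Stand in for real mountpoints with temp dirs: one at the usual 0755, one 0700."""
    root = tempfile.mkdtemp()
    for mountpoint, mode in {"/media/secret": 0o755, "/home/alice/vault": 0o700}.items():
        path = os.path.join(root, mountpoint.strip("/"))
        os.makedirs(path)
        os.chmod(path, mode)  # chmod after mkdir so the umask cannot interfere
    return audit(SAMPLE_MOUNTS, lambda p: os.path.join(root, p.strip("/")))
```

On a live system call `audit(open("/proc/mounts").read())` with the default resolver; the 0700 mountpoint is the one the proposal would produce, and it is the only one the audit leaves out.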


All times are GMT. The time now is 04:26 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.