10-26-2010, 06:36 AM
Tomas Mraz

Mounting an encrypted volume presents the volume to all users on a machine

On Tue, 2010-10-26 at 00:28 +0200, nodata wrote:
> Hi,
>
> I'm concerned about the default behaviour of mounting encrypted volumes.
>
> The default behaviour is that a user must know and supply a passphrase
> in order to mount an encrypted volume. This is good: know the
> passphrase, you get to mount the volume.
>
> What I am concerned about is that the volume is mounted for _every_ user
> on the system to see.
>
> I've filed a bug about this, and it got closed:
> https://bugzilla.redhat.com/show_bug.cgi?id=646085
>
> I'm quite in favour of secure by default. In the worst case, the
> mountpoint would have permissions set to read access to all if you tick
> a box.
>
> Thoughts?
>

This could be achieved by using pam_namespace to separate the namespaces
of the logged-in users and mounting the encrypted volume as private into
the namespace. However, it also means that when the user is
simultaneously logged in twice, he will not be able to access the
encrypted volume in the second session either. It also means that the
process that mounts the volume must run in the namespace of the user's
session (a setuid helper would be needed instead of using a system service
to mount the volume).

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
10-26-2010, 10:07 AM
nodata

Mounting an encrypted volume presents the volume to all users on a machine

On 26/10/10 07:05, Qiang Li wrote:
> On Tue, 2010-10-26 at 00:28 +0200, nodata wrote:
>> Hi,
>>
>> I'm concerned about the default behaviour of mounting encrypted volumes.
>>
>> The default behaviour is that a user must know and supply a passphrase
>> in order to mount an encrypted volume. This is good: know the
>> passphrase, you get to mount the volume.
>>
>> What I am concerned about is that the volume is mounted for _every_ user
>> on the system to see.
>>
>> I've filed a bug about this, and it got closed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=646085
>>
>> I'm quite in favour of secure by default. In the worst case, the
>> mountpoint would have permissions set to read access to all if you tick
>> a box.
>>
>> Thoughts?
>>
>
> I think you have mixed up the concepts of volume encryption and permissions.
> Once you supply the passphrase for the encrypted volume, it means that you
> grant the OS the right to mount this volume. Then the OS is in charge of
> permission settings. The OS doesn't care whether it is encrypted or not; it
> only knows some volume wants to be mounted and it sets permissions per the
> default scheme.
>
> Qiang
>

Imagine that you want to log in to the computer, and your username is qiang.
I want to log in too. My username is nodata. Now, I can only log in to my
account and look at my files because only I know my password. You can
only log in to your account because only you know your password.

Now imagine if you could read all of _my_ files and I could read all of
yours. That makes no sense. You _can_ configure that if you want, but by
default we go for security.

This is the same. You connect your encrypted hard disk to the system and
you can look at the files on it because you know the passphrase.

The fix to make this work is a 750 mode on /media/VOLUME-NAME
10-26-2010, 12:21 PM
Daniel J Walsh

Mounting an encrypted volume presents the volume to all users on a machine


On 10/26/2010 02:36 AM, Tomas Mraz wrote:
> On Tue, 2010-10-26 at 00:28 +0200, nodata wrote:
>> Hi,
>>
>> I'm concerned about the default behaviour of mounting encrypted volumes.
>>
>> The default behaviour is that a user must know and supply a passphrase
>> in order to mount an encrypted volume. This is good: know the
>> passphrase, you get to mount the volume.
>>
>> What I am concerned about is that the volume is mounted for _every_ user
>> on the system to see.
>>
>> I've filed a bug about this, and it got closed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=646085
>>
>> I'm quite in favour of secure by default. In the worst case, the
>> mountpoint would have permissions set to read access to all if you tick
>> a box.
>>
>> Thoughts?
>>
>
> This could be achieved by using pam_namespace to separate the namespaces
> of the logged-in users and mounting the encrypted volume as private into
> the namespace. However it also means that when the user is
> simultaneously logged in twice, he will not be able to access the
> encrypted volume in the second session either. It also means that the
> process that mounts the volume must run in the namespace of the user's
> session (setuid helper would be needed instead of using system service
> to mount the volume).
>

Might be something we could add to seunshare?
10-26-2010, 01:44 PM
Matthew Garrett

Mounting an encrypted volume presents the volume to all users on a machine

On Tue, Oct 26, 2010 at 12:28:55AM +0200, nodata wrote:

> What I am concerned about is that the volume is mounted for _every_ user
> on the system to see.

Only if the permissions are set that way. chmod 0750 /whatever and it
won't be.

--
Matthew Garrett | mjg59@srcf.ucam.org
10-26-2010, 01:52 PM
Ric Wheeler

Mounting an encrypted volume presents the volume to all users on a machine

On 10/26/2010 09:44 AM, Matthew Garrett wrote:
> On Tue, Oct 26, 2010 at 12:28:55AM +0200, nodata wrote:
>
>> What I am concerned about is that the volume is mounted for _every_ user
>> on the system to see.
> Only if the permissions are set that way. chmod 0750 /whatever and it
> won't be.
>

I think that the concern is correct and valid. Using encrypted block devices
with a mount-time password is quite "weak" for system security in general; it is
just the easiest way to provide basic crypto. It is much better suited for laptops
than for servers, where any root user would be able to peruse the mounted volume's
contents.

There are a host of other ways to do this, though: ecryptfs (as Eric Sandeen
mentioned) does finer-grained crypto (even though we are not huge fans of
its design), and you can certainly encrypt files individually.

Ric

10-26-2010, 02:11 PM
Andrew Haley

Mounting an encrypted volume presents the volume to all users on a machine

On 10/26/2010 02:44 PM, Matthew Garrett wrote:
> On Tue, Oct 26, 2010 at 12:28:55AM +0200, nodata wrote:
>
>> What I am concerned about is that the volume is mounted for _every_ user
>> on the system to see.
>
> Only if the permissions are set that way. chmod 0750 /whatever and it
> won't be.

On my system an auto-mounted exchangeable volume always seems to be 0700.

Andrew.
10-26-2010, 02:56 PM
nodata

Mounting an encrypted volume presents the volume to all users on a machine

On 26/10/10 16:00, Bruno Wolff III wrote:
> On Tue, Oct 26, 2010 at 12:07:56 +0200,
> nodata<lsof@nodata.co.uk> wrote:
>>
>> Now imagine if you could read all of _my_ files and I could read all of
>> yours. That makes no sense. You _can_ configure that if you want, but by
>> default we go for security.
>
> Once upon a time that was the default for systems.
>
>> This is the same. You connect your encrypted hard disk to the system and
>> you can look at the files on it because you know the passphrase.
>
> That is muddy thinking. The OS needs the password, you can't directly look
> at the disk using the password in your head. The OS needs to manage access
> to the encrypted device.

I don't really understand what you're trying to say here.

The person who knows the passphrase, and nobody else (apart from super
users, the kernel, etc.), should be the only one who can access the
unencrypted device.


>
>> The fix to make this work is a 750 mode on /media/VOLUME-NAME
>
> I'd surely suggest using 0700 instead of 0750 given your concerns about
> other people being able to access the contents.
>
> Using selinux provides a way to limit accidental leaking in some circumstances
> and may be a better approach if you have time to do the upfront work.
>

10-26-2010, 02:57 PM
nodata

Mounting an encrypted volume presents the volume to all users on a machine

On 26/10/10 16:11, Andrew Haley wrote:
> On 10/26/2010 02:44 PM, Matthew Garrett wrote:
>> On Tue, Oct 26, 2010 at 12:28:55AM +0200, nodata wrote:
>>
>>> What I am concerned about is that the volume is mounted for _every_ user
>>> on the system to see.
>>
>> Only if the permissions are set that way. chmod 0750 /whatever and it
>> won't be.
>
> On my system an auto-mounted exchangeable volume always seems to be 0700.
>
> Andrew.

Really? Any chance of a copy-paste?

This is what I get:

$ ls -la /media/
total 12
drwxr-xr-x. 3 root root 4096 Oct 26 16:51 .
dr-xr-xr-x. 24 root root 4096 Oct 26 16:51 ..
drwxr-xr-x. 4 root root 4096 Oct 23 17:40 WESTERNDIGITAL

10-26-2010, 04:14 PM
Vaclav Mocek

Mounting an encrypted volume presents the volume to all users on a machine

On 10/26/2010 03:57 PM, nodata wrote:
> On 26/10/10 16:11, Andrew Haley wrote:
>
>> On 10/26/2010 02:44 PM, Matthew Garrett wrote:
>>
>>> On Tue, Oct 26, 2010 at 12:28:55AM +0200, nodata wrote:
>>>
>>>
>>>> What I am concerned about is that the volume is mounted for _every_ user
>>>> on the system to see.
>>>>
>>> Only if the permissions are set that way. chmod 0750 /whatever and it
>>> won't be.
>>>
>> On my system an auto-mounted exchangeable volume always seems to be 0700.
>>
>> Andrew.
>>
> Really? Any chance of a copy-paste?
>
> This is what I get:
>
> $ ls -la /media/
> total 12
> drwxr-xr-x. 3 root root 4096 Oct 26 16:51 .
> dr-xr-xr-x. 24 root root 4096 Oct 26 16:51 ..
> drwxr-xr-x. 4 root root 4096 Oct 23 17:40 WESTERNDIGITAL
>
>
Exactly. It is 0755.
10-26-2010, 05:01 PM
Andrew Haley

Mounting an encrypted volume presents the volume to all users on a machine

On 10/26/2010 05:14 PM, Vaclav Mocek wrote:
> On 10/26/2010 03:57 PM, nodata wrote:
>> On 26/10/10 16:11, Andrew Haley wrote:
>>
>>> On 10/26/2010 02:44 PM, Matthew Garrett wrote:
>>>
>>>> On Tue, Oct 26, 2010 at 12:28:55AM +0200, nodata wrote:
>>>>
>>>>
>>>>> What I am concerned about is that the volume is mounted for _every_ user
>>>>> on the system to see.
>>>>>
>>>> Only if the permissions are set that way. chmod 0750 /whatever and it
>>>> won't be.
>>>>
>>> On my system an auto-mounted exchangeable volume always seems to be 0700.
>>>
>> Really? Any chance of a copy-paste?
>>
>> This is what I get:
>>
>> $ ls -la /media/
>> total 12
>> drwxr-xr-x. 3 root root 4096 Oct 26 16:51 .
>> dr-xr-xr-x. 24 root root 4096 Oct 26 16:51 ..
>> drwxr-xr-x. 4 root root 4096 Oct 23 17:40 WESTERNDIGITAL
>>
>>
> Exactly. It is 0755.

$ ls -la /media
total 16
drwxr-xr-x. 3 root root 4096 2010-10-26 17:56 ./
dr-xr-xr-x. 28 root root 4096 2010-09-16 04:24 ../
drwx------. 2 aph aph 8192 1970-01-01 01:00 C0C1-215C/

Ahh, I think I may know why: it's a DOS filesystem. Sorry for
the noise.

And yes, I agree. 0755 makes no sense to me.

Andrew.
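As an added example (not code from this thread, from Fedora, or from any of the posters' tooling), the following POSIX shell audit classifies each mount point directory under /media the way the two `ls -la` listings above are being read by hand: "world" for a 0755 directory like nodata's WESTERNDIGITAL, "group" for the 0750 that Matthew and nodata suggest, and "private" for the 0700 that Andrew's C0C1-215C volume shows. It also wraps the chmod remedy. The function names are my own, and the `--run` flag at the bottom is a constructed convenience for running it on a real /media; the sample directories in the usage are created under a temporary directory rather than a real mount.

```shell
#!/bin/sh
# Added example: audit mount point directories for permission bits that let
# "group" or "other" users traverse them. Function names are constructed.

# True when an ls-style mode string grants any access to "other".
# $1 is the first field of `ls -ld`, e.g. "drwxr-xr-x." (the trailing dot is
# the SELinux context marker and is simply not looked at).
others_have_access() {
    other_bits=$(printf '%s' "$1" | cut -c8-10)
    [ "$other_bits" != "---" ]
}

# True when the mode string grants any access to "group".
group_has_access() {
    group_bits=$(printf '%s' "$1" | cut -c5-7)
    [ "$group_bits" != "---" ]
}

# Print "world", "group" or "private" for one mode string.
classify_mode() {
    if others_have_access "$1"; then
        echo world
    elif group_has_access "$1"; then
        echo group
    else
        echo private
    fi
}

# Audit every directory directly under a base directory (default /media).
# Prints one line per mount point: <classification> <owner> <path>
audit_mountpoints() {
    base=${1:-/media}
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        # shellcheck disable=SC2046  # word-split `ls -ld` into mode links owner group ...
        set -- $(ls -ld "$d")
        echo "$(classify_mode "$1") $3 $d"
    done
}

# Apply the remedy discussed in the thread to one mount point:
# 0750 drops the other-bits, 0700 (the default here) drops group as well.
harden_mountpoint() {
    chmod "${2:-0700}" "$1"
}

# Usage: sh audit_media.sh --run [/media]
if [ "${1:-}" = "--run" ]; then
    audit_mountpoints "${2:-/media}"
fi
```

This only inspects the mode of the mount point directory itself; as Andrew's DOS volume shows, on filesystems without Unix permissions (vfat and the like) that mode comes from the mount options (uid, gid, umask) rather than from anything stored on the disk, so a 0700 result there reflects the automounter's choice rather than the volume's own ownership.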