ecryptfs-users team mailing list archive

Re: (un)security of eCryptfs ?

 

There are others on this list who can better comment on the specifics, but
there are a few things to be clarified.

When you mount an eCryptFS filesystem, the key is placed in the kernel
keyring, and the kernel handles transparent encryption/decryption of files
in the filesystem.  The key in the keyring only controls mounting of the
filesystem.  Once the filesystem is mounted, the kernel will continue to
look at that key for accessing files.  Once a filesystem is mounted, access
to the files is controlled via POSIX permissions, ACLs, or any number of
other mechanisms (chroots, etc.).

This is similar, of course, to the LUKS Crypto system that does full-disk
encryption.  In both cases, decryption is used to mount a disk, and not to
control access to files.  If you don't want user 1 reading your files, make
sure they don't have permission to read the files.  :)

David


On Fri, Feb 4, 2011 at 1:29 PM, kapetr <kapetr@xxxxxxxxx> wrote:

> Hello,
>
> I'm new to using eCryptfs, but the first test does not let me
> sleep.
>
> I'm using Ubuntu 10.10 - standard installation.
>
> Let's see my steps:
>
> 1. I mount (as root or with sudo) my first eCryptfs in user1 subdirs
> with passwd1.
> 2. the key is ONLY in keyring @u of root, NOT by user1 - but:
>
> user1 can create and read files in that FS (file system); root can
> do the same.
>
> ?? How can user1 work with files in this FS even if user1 has no key
> in his keyring ?!!!
>
> 3. root clears his keyring with keyctl clear @u, but the FS is
> usable further ??!!
>
> 4. root unmounts this FS and mounts it again with another password
> passwd2
>
> 5. user1 can not see content of previous files (but can see
> names/size in "ls") and can create new files - AGAIN WITHOUT key
>
> 5. user1 adds passwd1 with ecryptfs-manager - so passwd2-key is in
> @keyring of root and passwd1-key is in keyring of user1
>
> 6. user1 can now see content of ALL previous files ??!! root too
> ??!!
>
> 7. and now! another user - user2 can also see all files, even if he
> has no keys !!
>
> HOW IS IT POSSIBLE ??
>
> I think that access to content of encrypted files should have ONLY
> the one, who has key of proper password in his keyring - and NOBODY
> ELSE.
>
> But this is by eCryptfs not so. Once anybody adds passwdX to his
> keyring, then anybody else !!! can read files encrypted with this
> password. Even if this user deletes this key from his keyring !!!
>
> I can not believe my eyes ?!
>
> Please HELP.
>
> --kapetr



-- 
David Tomaschik, RHCE, LPIC-1
GNU/Linux System Architect
GPG: 0x5DEA789B
david@xxxxxxxxxxxxxxxxxx
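
The reply above says that once the filesystem is mounted, access is governed by POSIX permissions rather than by who holds the key. The following is an added example, not part of the original thread: it finds eCryptfs mounts and lists entries under them that group or other users can reach by mode bits. It assumes such mounts appear with type `ecryptfs` in `/proc/mounts`; the function names and the sample mount lines are constructed, and ACLs are not checked.

```python
import os
import stat

# Constructed sample in /proc/mounts format; not taken from the thread.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "/home/user1/.Private /home/user1/Private ecryptfs rw,relatime 0 0\n"
)
GROUP_OTHER = 0o077    # any group/other permission bit
GROUP_OTHER_X = 0o011  # group/other search (execute) bit on a directory


def ecryptfs_mountpoints(mounts_text):
    """Return mount points whose filesystem type field is 'ecryptfs'."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "ecryptfs":
            # /proc/mounts writes a space inside a path as \040
            points.append(fields[1].replace("\\040", " "))
    return points


def exposed_entries(root):
    """List (path, octal mode) of entries group/other can reach by mode bits."""
    # Only mode bits are examined: ACLs are ignored and root bypasses both.
    found, stack = [], [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode does not gate access
        mode = stat.S_IMODE(st.st_mode)
        if mode & GROUP_OTHER:
            found.append((path, oct(mode)))
        if stat.S_ISDIR(st.st_mode) and mode & GROUP_OTHER_X:
            # Others can traverse this directory, so its children matter too.
            stack.extend(os.path.join(path, n) for n in os.listdir(path))
    return sorted(found)


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        mounts = fh.read()
    for mp in ecryptfs_mountpoints(mounts):
        for path, mode in exposed_entries(mp):
            print(mode, path)
```

A mount point with mode 0700 produces no output even if files inside are 0644, because other users cannot traverse into it.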