ecryptfs team mailing list archive
-
ecryptfs team
-
Mailing list archive
-
Message #01809
[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)
Accepted ecryptfs-utils into lucid-proposed, the package will build now
and be available in a few hours. Please test and give feedback here. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Thank you in advance!
** Changed in: ecryptfs-utils (Ubuntu Lucid)
Status: In Progress => Fix Committed
** Tags added: verification-needed
--
You received this bug notification because you are a member of eCryptfs,
which is a direct subscriber.
https://bugs.launchpad.net/bugs/313812
Title:
umount of ecryptfs does not automatically clear the keyring (can be
mounted by root later)
Status in eCryptfs - Enterprise Cryptographic Filesystem:
Fix Released
Status in “ecryptfs-utils” package in Ubuntu:
Fix Released
Status in “ecryptfs-utils” source package in Lucid:
Fix Committed
Status in “ecryptfs-utils” source package in Maverick:
In Progress
Status in “ecryptfs-utils” source package in Natty:
Fix Released
Status in “ecryptfs-utils” source package in Jaunty:
Won't Fix
Status in “ecryptfs-utils” source package in Karmic:
In Progress
Status in “ecryptfs-utils” package in Fedora:
Fix Released
Bug description:
How to reproduce :
1) setup a private directory
2)
sudo -s
cd /
mkdir source
mkdir target
cp ~user/.Private/example.pdf source
file /source/example.pdf
/source/example.pdf: data
mount -t ecryptfs source target
Passphrase: type anything that is not your passphrase or passwords
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]: n
Attempting to mount with the following options:
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=4c748f746abcc24e
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? yes
Would you like to append sig [4c748f746abcc24e] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs
file /source/example.pdf
/source/example.pdf: PDF document, version 1.4
Now I know that the files are really encrypted (using a wrong
passphrase on files copied to another computer makes the file
unreadable), but I don't understand how root on my system can mount my
files without the correct passphrase... is the passphrase stored
somewhere? This is really strange and doesn't give me too much
confidence in this technology. Let's hope I overlooked something.
============
SRU Justification:
Impact: This bug affects users of Ubuntu's encrypted home/private
directory feature if they are concerned about a malicious or snooping
root user on the system.
Minimal patch: The minimal patch can be found in upstream commit r520:
* http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/520
Reproduce instructions: Follow the excellent instructions in this bug
description.
Regression potential: Minimal. The key removal code is the last thing that happens before the umount is attempted. If for some reason the new key-unlinking code failed (it should not; errors are ignored; keys are removed on a best-effort basis), then the umount might not happen. As I said, this should be a near impossible situation. I think this update should be very safe. It's been in Natty now for a couple of weeks.
============