ecryptfs team mailing list archive

Thread
Date
[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

To: ecryptfs@xxxxxxxxxxxxxxxxxxx
From: C de-Avillez <hggdh2@xxxxxxxxxx>
Date: Thu, 28 Jul 2011 19:57:25 -0000
Reply-to: Bug 313812 <313812@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Verified for Maverick:

Welcome to the Ubuntu Server!
 * Documentation:  http://www.ubuntu.com/server/doc
Last login: Thu Jul 28 14:41:12 2011
root@ubuntu:~# mount
/dev/vda1 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
none on /sys type sysfs (rw,noexec,nosuid,nodev)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,mode=0755)
none on /var/lock type tmpfs (rw,noexec,nosuid,nodev)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)

# ubuntu has not logged in since boot:

root@ubuntu:~# ls /home/ubuntu
Access-Your-Private-Data.desktop  README.txt

# ubuntu logged in on another pseudo terminal:

root@ubuntu:~# mount | grep ubuntu
/home/ubuntu/.Private on /home/ubuntu type ecryptfs (ecryptfs_sig=5cb83cfa021dc74e,ecryptfs_fnek_sig=bb92820c0e6e63ad,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

# ubuntu logged off:

root@ubuntu:~# mount | grep ubuntu
root@ubuntu:~# su - ubuntu
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

Verification successful.
ubuntu@ubuntu:~$ ls
Access-Your-Private-Data.desktop  README.txt
ubuntu@ubuntu:~$ 

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

** Tags added: verification-done-maverick

-- 
You received this bug notification because you are a member of eCryptfs,
which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/313812

Title:
  umount of ecryptfs does not automatically clear the keyring (can be
  mounted by root later)

Status in eCryptfs - Enterprise Cryptographic Filesystem:
  Fix Released
Status in “ecryptfs-utils” package in Ubuntu:
  Fix Released
Status in “ecryptfs-utils” source package in Lucid:
  Fix Released
Status in “ecryptfs-utils” source package in Maverick:
  Fix Committed
Status in “ecryptfs-utils” source package in Natty:
  Fix Released
Status in “ecryptfs-utils” source package in Jaunty:
  Won't Fix
Status in “ecryptfs-utils” source package in Karmic:
  Won't Fix
Status in “ecryptfs-utils” package in Fedora:
  Fix Released

Bug description:
  How to reproduce :

  1) setup a private directory
  2)
  sudo -s

  cd /

  mkdir source

  mkdir target

  cp ~user/.Private/example.pdf source

  file /source/example.pdf
  /source/example.pdf: data

  mount -t ecryptfs source target
  Passphrase: type anything that is not your passphrase or passwords
  Select cipher:
   1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
   2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
   3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
   4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
   5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
   6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
  Selection [aes]:
  Select key bytes:
   1) 16
   2) 32
   3) 24
  Selection [16]:
  Enable plaintext passthrough (y/n) [n]: n
  Attempting to mount with the following options:
    ecryptfs_key_bytes=16
    ecryptfs_cipher=aes
    ecryptfs_sig=4c748f746abcc24e
  WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
  it looks like you have never mounted with this key
  before. This could mean that you have typed your
  passphrase wrong.

  Would you like to proceed with the mount (yes/no)? yes
  Would you like to append sig [4c748f746abcc24e] to
  [/root/.ecryptfs/sig-cache.txt]
  in order to avoid this warning in the future (yes/no)? no
  Not adding sig to user sig cache file; continuing with mount.
  Mounted eCryptfs

  file /source/example.pdf
  /source/example.pdf: PDF document, version 1.4

  Now I know that the files are really encrypted (using a wrong
  passphrase on files copied to another computer makes the file
  unreadable), but I don't understand how root on my system can mount my
  files without the correct passphrase... is the passphrase stored
  somewhere? This is really strange and doesn't give me too much
  confidence in this technology. Let's hope I overlooked something.

  ============
  SRU Justification:

  Impact: This bug affects users of Ubuntu's encrypted home/private
  directory feature if they are concerned about a malicious or snooping
  root user on the system.

  Minimal patch: The minimal patch can be found in upstream commit r520:
   * http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/520

  Reproduce instructions:  Follow the excellent instructions in this bug
  description.

  Regression potential: Minimal.  The key removal code is the last thing that happens before the umount is attempted.  If for some reason the new key-unlinking code failed (it should not; errors are ignored; keys are removed on a best-effort basis), then the umount might not happen.  As I said, this should be a near impossible situation.  I think this update should be very safe.  It's been in Natty now for a couple of weeks.
  ============

To manage notifications about this bug go to:
https://bugs.launchpad.net/ecryptfs/+bug/313812/+subscriptions