[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2017-10-26 Thread Bug Watch Updater
Launchpad has imported 14 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=480547.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2009-01-18T19:22:45+00:00 Denis wrote:

Created attachment 329304
Text file of session to show commands used to reproduce problem

Description of problem: Any passphrase entered at mount will decrypt file


Version-Release number of selected component (if applicable):
ecryptfs-utils-61-0.fc10.i386
kernel-2.6.27.9-159.fc10.i686


How reproducible: Entering a wrong passphrase will decrypt file


Steps to Reproduce:
1. As root, mount directory using ecryptfs
2. put file in directory
3. umount directory
4. mount directory again with wrong passphrase
5. file can be retrieved

Actual results: file can be retrieved


Expected results: should not be able to read file if wrong passphrase is
entered at mount


Additional info: Everything works as expected on FC9. Giving wrong passphrase
during mount gives the error "Input/output error" when trying to access crypted
file.

Reply at: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/313812/comments/2


On 2009-01-23T20:21:59+00:00 Eric wrote:

I think this is a feature, not a bug.

The first passphrase ended up cached in your kernel crypto keychain, and
so was still available to decrypt your old files.  If you wish to clear
it, use keyctl.

Other users will not be able to see these files by entering arbitrary
passphrases.

-Eric

Reply at: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/313812/comments/3


On 2009-01-24T15:39:49+00:00 Denis wrote:

Hi Eric,

Thanks a lot for the explanation. I played with keyctl and now see what is 
going on.
However, this automatic caching leads to a false sense of security. Whatever 
strength I use for the crypted FS key (30+ characters), the overall security is 
only as strong as my (8 to 10 character) password. And I don't get any warning 
of this fact.

Is there a way to disable this automatic caching?
Until I understand more completely the whole process, it seems I must do an 
alias on the umount command to be immediately followed by "keyctl clear @u" 
command.

Thank you very much for the time you spent on this.

Reply at: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/313812/comments/4


On 2009-01-26T16:56:31+00:00 Michal wrote:

Hi,

I've talked about this with upstream, with these conclusions:

1) it's not a bug, it's a feature. Even gnome-keyring doesn't clear out
a key after an application uses it

2) If you want to clear your keyring, use `keyctl clear @u`

3) the password at mount time is not a password to read existing files.
It is a password that is turned into a key which is used when creating
new files

4) a new mount option will be added that will automatically clear the
keyring after umount (so mount with wrong passphrase will not work any
more)

Reply at: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/313812/comments/5


On 2009-01-27T10:58:22+00:00 Denis wrote:

Thanks for the precisions.
Item 3) makes it very clear and 4) will be a welcome enhancement.
Thanks again.

Reply at: https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/313812/comments/9


On 2009-01-29T08:58:23+00:00 Michal wrote:

extract from irc:
> let me answer this question a different way, "when is this an actual problem?"
> first, only a root user can perform an ecryptfs mount
> non-root users can perform mounts through the setuid binary, 
> mount.ecryptfs_private, but in that case, what they can do is tightly 
> constrained
> to perform a generic mount, it has to be a root user
> now, for this to be a problem, the *root* user must:
> a) establish an ecryptfs mount with one passphrase
> b) unmount
> c) do *not* clear the keyring
> d) do *not* logout of the session
> and then a malicious user must obtain access to *that* session
> by either sitting down at the terminal, or accessing via vnc or screen or 
> some such
> at that point, the malicious user has a root shell
> and while accessing some encrypted data is a bad thing, there are a lot of 
> bad things that can happen at that point
> so we can help with (c) by clearing the keys on unmount
> but ultimately, (d) is the biggie ...  the root user needs to logout of the 
> session if they want their data protected


so I think you can still feel yourself safe :)

anyway, 

[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2014-10-20 Thread Thiago Martins
I'm seeing this problem with Ubuntu 14.10 when using
`init=/lib/systemd/systemd` but I'm not sure if it is related or not...
:-/

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/313812

Title:
  umount of ecryptfs does not automatically clear the keyring (can be
  mounted by root later)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ecryptfs/+bug/313812/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2014-10-20 Thread papukaija
@Thiago: Please open a new bug if you still experience issues with
ecryptfs, as this bug is fixed. Thanks.



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-08-02 Thread Dustin Kirkland
User over in Bug #725862 is reporting a regression in Maverick after
taking this update



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-07-31 Thread Launchpad Bug Tracker
This bug was fixed in the package ecryptfs-utils - 83-0ubuntu3.1maverick

---
ecryptfs-utils (83-0ubuntu3.1maverick) maverick-proposed; urgency=low

  * Cherry pick upstream bzr commit r520
  * src/utils/mount.ecryptfs_private.c:
    - fix bug LP: #313812, clear used keys on unmount
    - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from
      umount.ecryptfs behave similarly
    - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek
 -- Dustin Kirkland kirkl...@ubuntu.com   Fri, 11 Feb 2011 17:21:59 -0600

** Changed in: ecryptfs-utils (Ubuntu Maverick)
   Status: Fix Committed => Fix Released



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-07-30 Thread Marc Deslauriers
** Tags removed: verification-needed
** Tags added: verification-done



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-07-28 Thread Marc Deslauriers
This has been in maverick-proposed for 22 weeks now. Could someone test
it, please.



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-07-28 Thread C de-Avillez
Verified for Maverick:

Welcome to the Ubuntu Server!
 * Documentation:  http://www.ubuntu.com/server/doc
Last login: Thu Jul 28 14:41:12 2011
root@ubuntu:~# mount
/dev/vda1 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
none on /sys type sysfs (rw,noexec,nosuid,nodev)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,mode=0755)
none on /var/lock type tmpfs (rw,noexec,nosuid,nodev)
none on /var/lib/ureadahead/debugfs type debugfs (rw,relatime)

# ubuntu has not logged in since boot:

root@ubuntu:~# ls /home/ubuntu
Access-Your-Private-Data.desktop  README.txt

# ubuntu logged in on another pseudo terminal:

root@ubuntu:~# mount | grep ubuntu
/home/ubuntu/.Private on /home/ubuntu type ecryptfs 
(ecryptfs_sig=5cb83cfa021dc74e,ecryptfs_fnek_sig=bb92820c0e6e63ad,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

# ubuntu logged off:

root@ubuntu:~# mount | grep ubuntu
root@ubuntu:~# su - ubuntu
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
To run a command as administrator (user root), use sudo command.
See man sudo_root for details.

Verification successful.
ubuntu@ubuntu:~$ ls
Access-Your-Private-Data.desktop  README.txt
ubuntu@ubuntu:~$ 

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

** Tags added: verification-done-maverick
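
The manual check in the session above, written as a script. This is an added example, not part of the original thread or of ecryptfs-utils. It reads an eCryptfs mount line, reports whether `ecryptfs_unlink_sigs` is set, and extracts the two key signatures so they can be searched for in the user keyring after unmount. Function names are hypothetical, and the lookup assumes eCryptfs keys are `user`-type keys in `@u` described by their signature.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from ecryptfs-utils.

# Constructed sample, in the format of the mount output quoted in the thread.
SAMPLE_MOUNT_LINE='/home/ubuntu/.Private on /home/ubuntu type ecryptfs (ecryptfs_sig=5cb83cfa021dc74e,ecryptfs_fnek_sig=bb92820c0e6e63ad,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)'

# mount_opts LINE: print the option list of an eCryptfs mount line, or nothing.
mount_opts() {
    printf '%s\n' "$1" | sed -n 's/^.* type ecryptfs (\(.*\))$/\1/p'
}

# opt_value OPTS NAME: print the value of NAME=value, or nothing if absent.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# has_flag OPTS NAME: succeed if the bare option NAME is present.
has_flag() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# valid_sig SIG: succeed only for exactly 16 lowercase hex characters, so
# nothing unexpected from a mount line is ever handed to keyctl.
valid_sig() {
    case "$1" in
        ''|*[!0123456789abcdef]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# mount_sigs LINE: print the validated signatures, one per line
# (content key first, then the filename-encryption key if present).
mount_sigs() {
    opts=$(mount_opts "$1")
    for name in ecryptfs_sig ecryptfs_fnek_sig; do
        sig=$(opt_value "$opts" "$name")
        if valid_sig "$sig"; then
            printf '%s\n' "$sig"
        fi
    done
}

# unlink_policy LINE: say whether this mount asks for keys to be removed
# at unmount time.
unlink_policy() {
    opts=$(mount_opts "$1")
    [ -n "$opts" ] || { echo not-ecryptfs; return; }
    if has_flag "$opts" ecryptfs_unlink_sigs; then
        echo unlink-on-umount
    else
        echo keys-persist
    fi
}

# leftover_keys SIG...: print each signature still present in the user
# keyring. Run it in the mounting user's session, after the unmount.
# Assumption: keys are of type "user" with the signature as description.
leftover_keys() {
    command -v keyctl >/dev/null 2>&1 || { echo "keyctl not installed" >&2; return 2; }
    for sig in "$@"; do
        if keyctl search @u user "$sig" >/dev/null 2>&1; then
            printf '%s\n' "$sig"
        fi
    done
}

# Demo on the constructed sample line; no keyring access is needed here.
echo "policy: $(unlink_policy "$SAMPLE_MOUNT_LINE")"
echo "sigs:   $(mount_sigs "$SAMPLE_MOUNT_LINE" | tr '\n' ' ')"
```

Capture the mount line before unmounting, since it disappears afterwards, then run `leftover_keys $(mount_sigs "$line")` in the same user's session. Any signature it prints is still cached and can be dropped with `keyctl clear @u`.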



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-07-28 Thread Serge Hallyn
I also verified on maverick.  Note that the directions in the
description are not right.  Comment #39 gives the right recipe.  In any
case, -proposed fixes it.



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-05-02 Thread Martin Pitt
This package has been in karmic-proposed for a long time without
verification. I removed it as karmic is end-of-life now.

** Changed in: ecryptfs-utils (Ubuntu Karmic)
   Status: Fix Committed => Won't Fix



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-04-19 Thread Martin Pitt
** Changed in: ecryptfs-utils (Ubuntu Karmic)
   Status: In Progress => Fix Committed



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-04-19 Thread Launchpad Bug Tracker
This bug was fixed in the package ecryptfs-utils - 83-0ubuntu3.1

---
ecryptfs-utils (83-0ubuntu3.1) lucid-proposed; urgency=low

  * Cherry pick upstream bzr commit r520
  * src/utils/mount.ecryptfs_private.c:
    - fix bug LP: #313812, clear used keys on unmount
    - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from
      umount.ecryptfs behave similarly
    - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek
 -- Dustin Kirkland kirkl...@ubuntu.com   Fri, 11 Feb 2011 17:21:59 -0600

** Changed in: ecryptfs-utils (Ubuntu Lucid)
   Status: Fix Committed => Fix Released



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-04-19 Thread Martin Pitt
Setting back to v-needed for karmic/maverick.

** Tags removed: verification-done



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-04-18 Thread C de-Avillez
Confirmed fixed for Lucid, ecryptfs-utils 83-0ubuntu3.1.



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-04-18 Thread Martin Pitt
** Tags added: verification-done
** Tags removed: verification-needed

** Tags added: verification-done-lucid verification-needed



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-03-08 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/karmic-proposed/ecryptfs-utils



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-02-23 Thread Martin Pitt
Accepted ecryptfs-utils into maverick-proposed, the package will build
now and be available in a few hours. Please test and give feedback here.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you in advance!

** Changed in: ecryptfs-utils (Ubuntu Maverick)
   Status: In Progress => Fix Committed



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-02-23 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/maverick-proposed/ecryptfs-utils



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-02-15 Thread Martin Pitt
Accepted ecryptfs-utils into lucid-proposed, the package will build now
and be available in a few hours. Please test and give feedback here. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Thank you in advance!

** Changed in: ecryptfs-utils (Ubuntu Lucid)
   Status: In Progress => Fix Committed

** Tags added: verification-needed



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-02-15 Thread Martin Pitt
Rejecting uploaded maverick update:

FAILED: ecryptfs-utils (The source ecryptfs-utils - 83-0ubuntu3.1 is
already accepted in ubuntu/lucid and you cannot upload the same version
within the same distribution. You have to modify the source version and
re-upload.)

Please reupload with fixed version number.



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-02-15 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/lucid-proposed/ecryptfs-utils



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-02-11 Thread Dustin Kirkland
** Changed in: ecryptfs-utils (Ubuntu Karmic)
   Status: Triaged => In Progress

** Changed in: ecryptfs-utils (Ubuntu Karmic)
 Assignee: (unassigned) => Dustin Kirkland (kirkland)

** Changed in: ecryptfs-utils (Ubuntu Lucid)
   Status: Triaged => In Progress

** Changed in: ecryptfs-utils (Ubuntu Lucid)
 Assignee: (unassigned) => Dustin Kirkland (kirkland)

** Changed in: ecryptfs-utils (Ubuntu Maverick)
   Status: Triaged => In Progress

** Changed in: ecryptfs-utils (Ubuntu Maverick)
 Assignee: (unassigned) => Dustin Kirkland (kirkland)



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-02-11 Thread Dustin Kirkland
Howdy,

I just prepared a round of SRUs to fix this bug in Karmic, Lucid, and
Maverick.

I would really appreciate if some of the people suffering from this bug
could test out the proposed packages as soon as they're accepted and
built.

Cheers!
Dustin

** Description changed:

  How to reproduce :
  
  1) setup a private directory
  2)
  sudo -s
  
  cd /
  
  mkdir source
  
  mkdir target
  
  cp ~user/.Private/example.pdf source
  
  file /source/example.pdf
  /source/example.pdf: data
  
  mount -t ecryptfs source target
  Passphrase: type anything that is not your passphrase or passwords
- Select cipher: 
-  1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
-  2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
-  3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
-  4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
-  5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
-  6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
- Selection [aes]: 
- Select key bytes: 
-  1) 16
-  2) 32
-  3) 24
- Selection [16]: 
+ Select cipher:
+  1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
+  2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
+  3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
+  4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
+  5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
+  6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
+ Selection [aes]:
+ Select key bytes:
+  1) 16
+  2) 32
+  3) 24
+ Selection [16]:
  Enable plaintext passthrough (y/n) [n]: n
  Attempting to mount with the following options:
-   ecryptfs_key_bytes=16
-   ecryptfs_cipher=aes
-   ecryptfs_sig=4c748f746abcc24e
+   ecryptfs_key_bytes=16
+   ecryptfs_cipher=aes
+   ecryptfs_sig=4c748f746abcc24e
  WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
- it looks like you have never mounted with this key 
- before. This could mean that you have typed your 
+ it looks like you have never mounted with this key
+ before. This could mean that you have typed your
  passphrase wrong.
  
  Would you like to proceed with the mount (yes/no)? yes
  Would you like to append sig [4c748f746abcc24e] to
- [/root/.ecryptfs/sig-cache.txt] 
+ [/root/.ecryptfs/sig-cache.txt]
  in order to avoid this warning in the future (yes/no)? no
  Not adding sig to user sig cache file; continuing with mount.
  Mounted eCryptfs
  
  file /source/example.pdf
  /source/example.pdf: PDF document, version 1.4
  
+ Now I know that the files are really encrypted (using a wrong passphrase
+ on files copied to another computer makes the file unreadable), but I
+ don't understand how root on my system can mount my files without the
+ correct passphrase... is the passphrase stored somewhere? This is really
+ strange and doesn't give me too much confidence in this technology.
+ Let's hope I overlooked something.
  
- Now I know that the files are really encrypted (using a wrong passphrase on 
files copied to another computer makes the file unreadable), but I don't 
understand how root on my system can mount my files without the correct 
passphrase... is the passphrase stored somewhere? This is really strange and 
doesn't give me too much confidence in this technology. Let's hope I overlooked 
something.
+ 
+ SRU Justification:
+ 
+ Impact: This bug affects users of Ubuntu's encrypted home/private
+ directory feature if they are concerned about a malicious or snooping
+ root user on the system.
+ 
+ Minimal patch: The minimal patch can be found in upstream commit r520:
+  * http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/520
+ 
+ Reproduce instructions:  Follow the excellent instructions in this bug
+ description.
+ 
+ Regression potential: Minimal.  The key removal code is the last thing that 
happens before the umount is attempted.  If for some reason the new 
key-unlinking code failed (it should not; errors are ignored; keys are removed 
on a best-effort basis), then the umount might not happen.  As I said, this 
should be a near impossible situation.  I think this update should be very 
safe.  It's been in Natty now for a couple of weeks.
+ 
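
Review bot: the added "Regression potential" paragraph is inconsistent about failure handling. It says key-unlinking errors are ignored and keys are removed on a best-effort basis, yet also that a failure there means "the umount might not happen". State which of the two holds, and if the unmount can in fact be skipped, name the condition. The "Reproduce instructions" entry only points back at the description; adding the expected result after the fix would give SRU verifiers a pass criterion.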

** Changed in: ecryptfs-utils (Ubuntu Karmic)
Milestone: None => karmic-updates

** Changed in: ecryptfs-utils (Ubuntu Lucid)
Milestone: None => lucid-updates

** Changed in: ecryptfs-utils (Ubuntu Maverick)
Milestone: None => maverick-updates


[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-01-31 Thread Serge Hallyn
@Dustin,

is there any reason why we can't simply use the same fix as is being
used in mount.ecryptfs.c, in mount.ecryptfs_private.c?



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-01-31 Thread Dustin Kirkland
** Changed in: ecryptfs
   Status: Triaged => In Progress

** Also affects: ecryptfs-utils (Ubuntu Natty)
   Importance: Medium
   Status: Confirmed

** Changed in: ecryptfs-utils (Ubuntu Natty)
   Status: Confirmed => In Progress

** Changed in: ecryptfs-utils (Ubuntu Natty)
 Assignee: (unassigned) => Dustin Kirkland (kirkland)



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-01-31 Thread Launchpad Bug Tracker
** Branch linked: lp:ecryptfs



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-01-31 Thread Dustin Kirkland
Let's give this a week or two in Natty Alpha2, and then we can put
together an SRU for Karmic/Lucid/Maverick.

** Changed in: ecryptfs-utils (Ubuntu Jaunty)
   Status: Confirmed => Won't Fix

** Changed in: ecryptfs-utils (Ubuntu Karmic)
   Status: Confirmed => Triaged

** Changed in: ecryptfs-utils (Ubuntu Maverick)
   Status: Confirmed => Triaged

** Changed in: ecryptfs-utils (Ubuntu Lucid)
   Status: Confirmed => Triaged



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-01-31 Thread Dustin Kirkland
Okay, fixed this once and for all in r520!

Big thanks to Tyler and Serge for helping find a suitable approach (and
believe me, I have spent several days trying several different
approaches).

So the current fix modifies the setuid umount.ecryptfs_private helper.
We can't do it in umount.ecryptfs, because this runs as root, and root
can't unlink the non-root user's keys (at least not with the existing
implementation).  But if we do it in the umount.ecryptfs_private helper,
we can do it as the user before doing the setuid(0) and calling the
unmount.  Note that the failure to unlink the keys is a non-fatal error.
A suitable message (and a pointer to how to unlink keys correctly) is
shown on stderr, but the unlink proceeds.  Doing this here is quite
nice, as it allows us to use the reference counting code, etc, and only
unlink when there are no other open references to the mount.

This will be released in ecryptfs-utils-85.

** Changed in: ecryptfs
   Status: In Progress => Fix Committed

** Changed in: ecryptfs-utils (Ubuntu Natty)
   Status: In Progress => Fix Committed



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-01-31 Thread Dustin Kirkland
** Changed in: ecryptfs
   Status: Fix Committed => Fix Released



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-01-31 Thread Launchpad Bug Tracker
This bug was fixed in the package ecryptfs-utils - 85-0ubuntu1

---
ecryptfs-utils (85-0ubuntu1) natty; urgency=low

  [ Dustin Kirkland ]
  * src/utils/ecryptfs-recover-private: clean sigs of invalid characters
  * src/utils/mount.ecryptfs_private.c:
    - fix bug LP: #313812, clear used keys on unmount
    - add ecryptfs_unlink_sigs to the mount opts, so that unmounts from
      umount.ecryptfs behave similarly
    - use ecryptfs_remove_auth_tok_from_keyring() on the sig and sig_fnek

  [ pres...@gmail.com ]
  * src/utils/ecryptfs-migrate-home:
    - support user databases outside of /etc/passwd, LP: #627506

 -- Dustin Kirkland kirkl...@ubuntu.com   Sun, 19 Dec 2010 10:50:52 -0600

** Changed in: ecryptfs-utils (Ubuntu Natty)
   Status: Fix Committed => Fix Released



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2011-01-31 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/ecryptfs-utils



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-08-13 Thread Dave Walker
Has this stalled? Is anybody actively looking for a resolution to this
issue?



Re: [Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-08-13 Thread Dustin Kirkland
On Fri, Aug 13, 2010 at 7:42 AM, Dave Walker davewal...@ubuntu.com wrote:
> Has this stalled? Is anybody actively looking for a resolution to this
> issue?

I'm not currently looking at it.

I have a working solution that requires two minor, empty stubs added
to PAM, and a small patch to eCryptfs.  The PAM hooks were rejected.
I haven't had the drive to push harder on that, or look for a
different solution.



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-08-13 Thread Aldo Caruso
More side effects working with encrypted homes:

1) The same side effect explained above between user1 and user2 happens
if user2 is a privileged user and if user2 has his home directory
encrypted.

2) If you have your home encrypted, accessing remotely with ssh is not
possible if you demand using private & public keys (setting
PasswordAuthentication = no in the file /etc/ssh/sshd_config ), because
the sshd daemon has to access ~/.ssh/authorized_keys file in a directory
which is not yet mounted.

IMHO, home directory encryption is still unreliable and it should be
used with care. In its current state, it only protects after rebooting
the machine ( please tell me if this observation is wrong ), and
consequently only protects from a disk or machine physical theft.



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-08-09 Thread Aldo Caruso
The following effect may be a consequence of the same bug.

Distribution: Ubuntu 10.04

1) Create user1 ( with administrative privileges )
2) Create user2 ( without administrative privileges )
3) Logged as user2 set up a private directory, logout & login, create some
files in ~/Private, logout.
4) Logged as user1 change user2 password.
5) Logged as user2 (using the new password defined by user1) you can access the 
/home/user2/Private directory and its contents.

The effect persists until you reboot.

Conclusion:
A privileged user can access private data from others (who recently have logged 
in and out ) by means of changing their password.



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-07-28 Thread papukaija
@Serge: I haven't submitted this bug or even commented on it, so why
did you write "Quoting papukaija"? I only added some tags to this bug
report and nothing else.



Re: [Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-07-28 Thread Serge Hallyn
Quoting papukaija (313...@bugs.launchpad.net):
> @Serge: I haven't submitted this bug or even commented on it, so why
> did you write "Quoting papukaija"? I only added some tags to this bug
> report and nothing else.

Sorry, my mail client added that.



Re: [Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-07-27 Thread Serge Hallyn
Quoting papukaija (313...@bugs.launchpad.net):
> ** Tags added: jaunty karmic lucid maverick patch
>
> --
> umount of ecryptfs does not automatically clear the keyring (can be mounted
> by root later)
> https://bugs.launchpad.net/bugs/313812
> You received this bug notification because you are a member of eCryptfs
> Developers, which is subscribed to eCryptfs.
>
> Status in eCryptfs - Enterprise Cryptographic Filesystem: Triaged
> Status in “ecryptfs-utils” package in Ubuntu: Confirmed
> Status in “ecryptfs-utils” source package in Lucid: Confirmed
> Status in “ecryptfs-utils” source package in Maverick: Confirmed
> Status in “ecryptfs-utils” source package in Jaunty: Confirmed
> Status in “ecryptfs-utils” source package in Karmic: Confirmed
> Status in “ecryptfs-utils” package in Fedora: Fix Released
>
> Bug description:
> How to reproduce :
>
> 1) setup a private directory
> 2)
> sudo -s
>
> cd /
>
> mkdir source
>
> mkdir target
>
> cp ~user/.Private/example.pdf source
>
> file /source/example.pdf
> /source/example.pdf: data
>
> mount -t ecryptfs source target
> Passphrase: type anything that is not your passphrase or passwords
> Select cipher:
>  1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
>  2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
>  3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
>  4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
>  5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
>  6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
> Selection [aes]:
> Select key bytes:
>  1) 16
>  2) 32
>  3) 24
> Selection [16]:
> Enable plaintext passthrough (y/n) [n]: n
> Attempting to mount with the following options:
>   ecryptfs_key_bytes=16
>   ecryptfs_cipher=aes
>   ecryptfs_sig=4c748f746abcc24e
> WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
> it looks like you have never mounted with this key
> before. This could mean that you have typed your
> passphrase wrong.
>
> Would you like to proceed with the mount (yes/no)? yes
> Would you like to append sig [4c748f746abcc24e] to
> [/root/.ecryptfs/sig-cache.txt]
> in order to avoid this warning in the future (yes/no)? no
> Not adding sig to user sig cache file; continuing with mount.
> Mounted eCryptfs
>
> file /source/example.pdf
> /source/example.pdf: PDF document, version 1.4

But you're not just logging in as root.  You're using sudo which will keep
your keyrings and much of your environment from your user shell.  Try the
following instead:

Create a new user.  After doing the ecryptfs unmount, 'switch user' (leave
your original user logged in) to the new user, and sudo from that new user.
Then try the ecryptfs mount from that shell.  Does it still work?

> Now I know that the files are really encrypted (using a wrong passphrase on
> files copied to another computer makes the file unreadable), but I don't
> understand how root on my system can mount my files without the correct
> passphrase... is the passphrase stored somewhere? This is really strange and
> doesn't give me too much confidence in this technology. Let's hope I

Good!  WhatEVER you do, do not trust anything which claims to keep you
safe from root.

> overlooked something.


[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-07-26 Thread papukaija
** Tags added: jaunty karmic lucid maverick patch



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-05-06 Thread Marc Deslauriers
** Changed in: ecryptfs-utils (Ubuntu)
   Status: Fix Released => Confirmed

** Also affects: ecryptfs-utils (Ubuntu Jaunty)
   Importance: Undecided
   Status: New

** Also affects: ecryptfs-utils (Ubuntu Karmic)
   Importance: Undecided
   Status: New

** Also affects: ecryptfs-utils (Ubuntu Maverick)
   Importance: Undecided
   Status: Confirmed

** Also affects: ecryptfs-utils (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Changed in: ecryptfs-utils (Ubuntu Lucid)
   Status: New => Confirmed

** Changed in: ecryptfs-utils (Ubuntu Karmic)
   Status: New => Confirmed

** Changed in: ecryptfs-utils (Ubuntu Jaunty)
   Importance: Undecided => Medium

** Changed in: ecryptfs-utils (Ubuntu Jaunty)
   Status: New => Confirmed

** Changed in: ecryptfs-utils (Ubuntu Lucid)
   Importance: Undecided => Medium

** Changed in: ecryptfs-utils (Ubuntu Maverick)
   Importance: Undecided => Medium

** Changed in: ecryptfs-utils (Ubuntu Karmic)
   Importance: Undecided => Medium

** This bug has been flagged as a security vulnerability



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-02-17 Thread Dustin Kirkland
** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability



[Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

2010-02-17 Thread Tyler Hicks
Dustin, I realize those patches are not in finished form, but it looks
like the changes to ecryptfs_add_auth_tok_to_keyring() will cause a
regression in the case of non-pam initiated eCryptfs mounts.  I don't
think we want auth toks for those types of mounts to be specific to any
session.  Also, the keyring variable should technically be of type
key_serial_t.

Do you know what is going on in ecryptfs_validate_keyring() when
KEY_SPEC_SESSION_KEYRING is being linked to KEY_SPEC_USER_KEYRING?
Isn't that essentially the same thing as what your patch is doing with
the first call to add_key() in ecryptfs_add_auth_tok_to_keyring()?
