*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Mike Salvatore 
(mikesalvatore):

The (default) PRUNEFS setting in /etc/updatedb.conf does not contain
either CryFS (fuse.cryfs) or EncFS (<fstype name unknown>).  Hence,
the unencrypted filenames (at least) contained within any _mounted_
CryFS/EncFS filesystem will be indexed by updatedb(5), and visible
to essentially everyone by mlocate(1).  That is, the names of files
within an encrypted vault can "leak".  This may not be desirable;
at the least then, perhaps, the manual page(s) should warn of the
possibility.

Obviously, similar problems may apply to other tools (such as, but not
limited to, glimpse(1) and KDE's baloo), some of which can also index
the contents of files contained within an encrypted vault---clearly a
worse problem.  However, the locate tools are, as far as I'm aware,
much more commonly-installed.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: mlocate 0.26-2ubuntu3.1
ProcVersionSignature: Ubuntu 4.15.0-47.50-generic 4.15.18
Uname: Linux 4.15.0-47-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
CurrentDesktop: KDE
Date: Sun Apr  7 11:59:27 2019
InstallationDate: Installed on 2016-10-07 (912 days ago)
InstallationMedia: Kubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
SourcePackage: mlocate
UpgradeStatus: Upgraded to bionic on 2018-08-18 (232 days ago)
modified.conffile..etc.updatedb.conf:
 # updatedb.conf(5) — a configuration file for updatedb(8)
 PRUNE_BIND_MOUNTS="yes"
 # PRUNENAMES=".git .bzr .hg .svn"
 PRUNEPATHS="/tmp /var/spool /media /var/lib/os-prober /var/lib/ceph 
/home/.ecryptfs /var/lib/schroot /home/blf/.SiriKali /home/blf/Vaults"
 PRUNEFS="NFS nfs nfs4 rpc_pipefs afs binfmt_misc proc smbfs autofs iso9660 
ncpfs coda devpts ftpfs devfs devtmpfs fuse.mfs shfs sysfs cifs lustre tmpfs 
usbfs udf fuse.glusterfs fuse.sshfs curlftpfs ceph fuse.ceph fuse.rozofs 
ecryptfs fusesmb fuse.cryfs"
mtime.conffile..etc.updatedb.conf: 2019-04-07T11:36:52.592187

** Affects: mlocate (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bionic
-- 
cryfs (& encfs) not prohibited in /etc/updatedb.conf so filenames indexed & 
visible
https://bugs.launchpad.net/bugs/1823518
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
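
An added example, not part of the bug report or of mlocate: a check for mounted encrypted FUSE filesystems that neither PRUNEFS nor PRUNEPATHS would make updatedb skip. The type name fuse.encfs, the user "alice" and both sample inputs are assumptions constructed for illustration; only fuse.cryfs comes from the report.

```python
import re

# fuse.cryfs is the type named in the report; fuse.encfs is an ASSUMED type
# name for EncFS mounts (the report leaves it unknown).
SENSITIVE_FS = {"fuse.cryfs", "fuse.encfs"}
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*(?:#.*)?$')
OCTAL = re.compile(r"\\([0-7]{3})")

# Constructed sample inputs (hypothetical user "alice"), not from the report.
SAMPLE_CONF = '''PRUNE_BIND_MOUNTS="yes"
PRUNEPATHS="/tmp /var/spool /media /home/alice/Vaults"
PRUNEFS="NFS nfs proc tmpfs fuse.sshfs ecryptfs"  # no fuse.cryfs
'''
SAMPLE_MOUNTS = r'''/dev/sda1 / ext4 rw,relatime 0 0
cryfs@/home/alice/.enc /home/alice/Private fuse.cryfs rw,nosuid,nodev 0 0
cryfs@/home/alice/.enc2 /home/alice/Vaults/tax fuse.cryfs rw,nosuid,nodev 0 0
encfs /home/alice/My\040Docs fuse.encfs rw,nosuid,nodev 0 0
'''

def parse_updatedb_conf(text):
    """Return {VARIABLE: [values]} for each VARIABLE="..." line; comments are skipped."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2).split()
    return conf

def parse_mounts(text):
    """Yield (mountpoint, fstype) from /proc/mounts text, decoding \\040-style escapes."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            yield OCTAL.sub(lambda m: chr(int(m.group(1), 8)), fields[1]), fields[2]

def unpruned_vaults(conf_text, mounts_text, sensitive=SENSITIVE_FS):
    """List mounted encrypted filesystems that the prune settings do not exclude."""
    conf = parse_updatedb_conf(conf_text)
    # updatedb.conf(5): PRUNEFS type matching is case-insensitive.
    prunefs = {t.lower() for t in conf.get("PRUNEFS", [])}
    prunepaths = [p.rstrip("/") for p in conf.get("PRUNEPATHS", [])]
    exposed = []
    for mnt, fstype in parse_mounts(mounts_text):
        ft = fstype.lower()
        pruned = ft in prunefs or any(mnt == p or mnt.startswith(p + "/") for p in prunepaths)
        if ft in sensitive and not pruned:
            exposed.append((mnt, fstype))
    return exposed

if __name__ == "__main__":
    print(unpruned_vaults(SAMPLE_CONF, SAMPLE_MOUNTS))
```

To check a real system, pass the contents of /etc/updatedb.conf and /proc/mounts instead of the samples.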
