I think I found a hole in the script proposed in the Encryption HOWTO (http://encryptionhowto.sourceforge.net/) to set up an encrypted loop device. The script is dumped at the end of this text. It allows any user of the box to learn the password used to encrypt the block device on this box, and so to read/write its content. Note it isn't a bug in the encrypted loop device itself but a bug in an admin script.

To send the password to losetup, the script puts it in the command line:

echo "$PASS1" | losetup -e "$CIPHER" -p 0 "$LOOPDEV" "$UNDERLYING"

Any user on the same box can see the password using 'ps', so I consider it a hole.

------------------------------ mkloop.sh -------------------------
#!/bin/bash
# the cipher is the first command line argument
CIPHER="$1"
# the loop device to use is the second
LOOPDEV="$2"
# the underlying file is third
UNDERLYING="$3"

echo I am going to switch swap off \- we have no means to keep pages
echo locked in memory with shell scripts.
read -p "Continue <y|n>? "
[ "$REPLY" = 'y' ] || exit 1
echo -n OK, swap off...
swapoff -a
echo done

# until the two passphrases match and are not empty...
until [ "$PASS1" = "$PASS2" -a -n "$PASS1" ]; do
    # the bash read builtin has to support the -s option.
    # Don't use read without -s!!
    read -s -p "Enter Passphrase: " PASS1; echo
    read -s -p "Re-enter Passphrase: " PASS2; echo
done

# setup the loop device using the passphrase given on STDIN.
echo "$PASS1" | losetup -e "$CIPHER" -p 0 "$LOOPDEV" "$UNDERLYING"

echo -n swap on...
swapon -a
echo done
------------------------------------------------------------------

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
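An added check, not part of the original post or of the Encryption HOWTO: the script below spawns a child process twice, once with a constructed secret in its argument list and once with the same secret fed on standard input (the way the mkloop.sh pipeline feeds losetup -p 0), and reports whether the secret shows up in /proc/<pid>/cmdline, which is the data ps prints and which every user on the box can read. The secret value, the helper names and the use of sh -c with sleep as a stand-in for losetup are all assumptions of this example; it needs a Linux /proc.

```bash
#!/bin/bash
# Added example (not the original mkloop.sh): does a secret handed to a child
# process end up in its command line? /proc/<pid>/cmdline is what ps shows,
# so anything there is readable by every user on the box.

# Constructed test value for the demonstration; never put a real passphrase here.
SECRET="correct-horse-battery-staple"

# Print "visible" if SECRET occurs in the argv of process $1, else "hidden".
cmdline_exposure() {
    if tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null | grep -q -- "$SECRET"; then
        echo visible
    else
        echo hidden
    fi
}

# Give a backgrounded child time to exec its program, inspect it, then reap it.
inspect_and_reap() {
    local pid=$1
    sleep 1
    cmdline_exposure "$pid"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# Case 1: secret passed as a command-line argument (the pattern the post warns
# about). sh keeps "$SECRET" in its argv for as long as it runs. The trailing
# "; true" stops sh from exec'ing sleep directly, which would replace its argv.
check_argv() {
    sh -c 'sleep 3; true' argv0 "$SECRET" &
    inspect_and_reap $!
}

# Case 2: secret passed on stdin, as "echo "$PASS1" | losetup ... -p 0" does.
# The child reads it into a variable in its own memory; its argv never has it.
# $! is the PID of the last process of a background pipeline, i.e. the sh.
check_stdin() {
    echo "$SECRET" | sh -c 'read -r pw; sleep 3; true' &
    inspect_and_reap $!
}

echo "secret in argv:  $(check_argv)"    # visible
echo "secret on stdin: $(check_stdin)"   # hidden
```

Run it as an ordinary user; no root is needed, since /proc/<pid>/cmdline of any process is world-readable. The same check can be pointed at a real losetup invocation by replacing the sh -c stand-ins, but the result for mkloop.sh depends only on where the passphrase travels: anything in argv is public for the lifetime of the process, anything read from a file descriptor stays out of ps.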