secure use of cryptsetup by non-root

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

# TLDR;

1) Is 'secure use of cryptsetup by non-root' a supported use case?
2) Can we add FAQ entries for this?

# Details

I am working on the use case to grant access to cryptsetup and LUKS devices to non root users but not allow them to access each other's devices or system luks devices ( /root and /home).  

If I grant sudo access to non root users they could run cryptsetup on any device.  This is a security hole and undesired.

I started working on this and recently posted an issue:  https://gitlab.com/cryptsetup/cryptsetup/-/issues/658

I ran into security problems with /run/cryptsetup and device mapper.  

In summary, even if I grant specific permissions on specific devices to specific users (using udev rules or whatever) cryptsetup still requires privileged system folders such as /run/cryptsetup for some operations.  If I grant the non root users access to /run/cryptsetup it is also a security hole.


# FAQ

This use case comes up from time to time.  Can we add it to the FAQ?

* 1.9 Can cryptsetup be run without root?

Elevated privileges are required to use cryptsetup and LUKS.  Some operations require root access.  There are a few features which will work without root access with the right switches but there are caveats.

* 1.10  What operations absolutely require root access?

Device-mapper requires root and cryptsetup uses device mapper to manage the decrypted container.

* 1.11 What are the caveats when running as non root other than device mapper?

The first issue that you will run into when running without root is that file locking is managed in /run/cryptsetup.  You may use --disable-locks but cryptsetup will no longer protect you from race conditions and problems with concurrent access to the same devices.

* 1.12 What can I do if cryptsetup is running out of memory?

Memory issues are generally related to the key derivation function.  You may be able to tune usage with the options --pbkdf-memory or --pbkdf pbkdf2.

_______________________________________________
dm-crypt mailing list -- dm-crypt@xxxxxxxx
To unsubscribe send an email to dm-crypt-leave@xxxxxxxx




[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux