Re: Mounting an encrypted volume presents the volume to all users on a machine

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/26/2010 02:36 AM, Tomas Mraz wrote:
> On Tue, 2010-10-26 at 00:28 +0200, nodata wrote: 
>> Hi,
>>
>> I'm concerned about the default behaviour of mounting encrypted volumes.
>>
>> The default behaviour is that a user must know and supply a passphrase 
>> in order to mount an encrypted volume. This is good: know the 
>> passphrase, you get to mount the volume.
>>
>> What I am concerned about is that the volume is mounted for _every_ user 
>> on the system to see.
>>
>> I've filed a bug about this, and it got closed:
>>   https://bugzilla.redhat.com/show_bug.cgi?id=646085
>>
>> I'm quite in favour of secure by default. In the worst case, the 
>> mountpoint would have permissions set to read access to all if you tick 
>> a box.
>>
>> Thoughts?
>>
> 
> This could be achieved by using pam_namespace to separate the namespaces
> of the logged-in users and mounting the encrypted volume as private into
> the namespace. However it also means that when the user is
> simultaneously logged in twice, he will not be able to access the
> encrypted volume in the second session either. It also means that the
> process that mounts the volume must run in the namespace of the user's
> session (setuid helper would be needed instead of using system service
> to mount the volume).
> 

Might be something we could add to seunshare?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzGx7QACgkQrlYvE4MpobNHaACgrpZOOlI7IRtgPFEImpQnNZBs
SNsAnRjAIRe9TJCg8NbA9hHOMcxrjiLr
=Kwo5
-----END PGP SIGNATURE-----
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux