On 26/10/10 16:00, Bruno Wolff III wrote: > On Tue, Oct 26, 2010 at 12:07:56 +0200, > nodata<lsof@xxxxxxxxxxxx> wrote: >> >> Now imagine if you could read all of _my_ files and I could read all of >> yours. That makes no sense. You _can_ configure that if you want, but by >> default we go for security. > > Once upon a time that was the default for systems. > >> This is the same. You connect your encrypted hard disk to the system and >> you can look at the files on it because you know the passphrase. > > That is muddy thinking. The OS needs the password, you can't directly look > at the disk using the password in your head. The OS needs to manage access > to the encrypted device. I don't really understand what you're trying to say here. A person who knows the passphrase and nobody else (apart from super users, the kernel, etc) should be the only one who can access the unencrypted device. > >> The fix to make this work is a 750 mode on /media/VOLUME-NAME > > I'd surely suggest using 0700 instead of 0750 given your concerns about > other people being able to access the contents. > > Using selinux provides a way to limit accidental leaking in some circumstances > and may be a better approach if you have time to do the upfront work. > -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
