Re: strawman proposal: homed directories for users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2024-10-08 at 17:57 +0200, Lennart Poettering wrote:
> On Mo, 07.10.24 12:59, Simo Sorce (simo@xxxxxxxxxx) wrote:
> 
> > > The homed approach would make other things possible too. For example,
> > > sharing of /home in dual-boot scenarios. Right now a manual setup
> > > needs to be done, and login details need to be propagated each time,
> > > but with homed, dual-boot and reinstall are very similar scenarios,
> > > so if we get one to work, we get the other one for free.
> > > 
> > > Zbyszek
> > 
> > The homed approach can work only in cases where you basically have only
> > one user and all the OSs use the same approach.
> 
> Hmm, what? No, homed works fine with multiple users. I have multiple
> users right now on my local system.

Here I was talking specifically about the case of a multi-boot system.

In general it is not practical for large deployments to manually carry
around all user data and allow mounting of the home on multiple
systems. So it is by definition a "single user system", even though you
can have multiple user drives, sorry for the confusion. 

> 
> > I see a few issues with security that needs to be addressed.
> 
> Like what? Please be explicit, otherwise smells like FUD.

Keep in mind my perspective is one of large deployments, not single
system cared for by their own admin, so do not take my comment to the
simple single-user case.

> I am pretty sure the security model is a lot cleaner than anything the
> sssd/IPA world would do, because we lock disk encryption to user
> provided credentials, FIDO2/PKCS#11 and such, and can suspend the home
> dir's encryption key on suspend. It should be a massive step up in
> security.

You can lock a laptop disk via TPM and similar with clevis/tang as
well, w/o tying it to a single user, how you do it depends on what your
constraints are.

> Hence I am very curious where you think the security issues are?

Sorry, I did not mean in any way to imply there are open security issue
with systemd-homed, I meant only that we need to analyze the security
assumptions in the context of making this a default and ensure we
protect what we mean to protect, and address the risk profile we
define.

> > What happens if I plug a disk into a laptop that sports a "homed"
> > directory, will the laptop suddenly allow a stranger to just login into
> > the machine?
> 
> No. systemd-homed user records are signed. User records not signed by
> a recognized key are not accepted.
> 
> I am not sure if sssd/IPA stuff has something similar? is there any
> cryptographic integration protection part of its user database?

SSSD/IPA only accept users from the domain they are bound to via the
keytab on the disk, all the data is authenticated that way, then stored
locally. The assumption is that the disk where the cache is stored is
encrypted of course.

> > What happens if there are conflicts of uid or gid ?
> 
> In the systemd-homed world uid/gid are assigned when the home dir is
> first activated on a host. A free UID/GID is allocated then, and
> idmapping is used to ensure that the home dir appears owned by the
> right user (or in other words: on disk all files are owned by
> user/group "nobody", only the idmapping makes them appear owned by the
> user locally). This UID/GID binding is persisted on the local system,
> but can differ between systems.
> 
> > Will it now allow this other user to access files and directories that
> > should be reserved to other users?
> 
> No. At moment the binding of the home dir to the local host is
> established a free UID/GID is taken from a very specific range. This
> should make collisions unlikely. (though not impossible, because this
> system of course relies on everyone being equally careful before
> taking possession of a UID/GID, and as I understand the IPA world is
> systematically opposed to that, which is sad, but nothing I can
> change).

I do not understand what you mean with this comment, in a domain all
UIDs are consistent, that said you can also do local assignment in
theory, it just is rarely a good idea (NFS doe snot support that, it is
the externalities of network protocols assuming consistent IDs that
force our hand in default configurations).

> 
> > What happen if you want to change the user to be a corporate directory
> > provided one?
> 
> Enterprisey IPA/SSSD/AD/LDAP style stuff really is not in focus for
> systemd-homed, as mentioned many times.

Ok, so this already means that Fedora would need 2 different behaviors
in the single user vs laptop in a domain configuration. That is an
important thing to point out.

> > Can you configure autologin for those uses cases (like kiosks or a home
> > entertainment system) where that makes sense to do ?
> 
> No you cannot, the security model relies on unlock keys to be provided
> before the home directory is accessible. It's a strength of the model,
> not a weakness, that user data is actually protected by the provided
> user authentication credentials.

So that is another use case that you need to know in advance before
installation, how hard it is to "convert" the system if you made the
incorrect choice?

> As I understand the IPA/sssd model is a lot more traditional there,
> and does not consider the user's data as something to protect? I'd
> call that highly problematic, but I guess it's from a different time.

It is not from a different time, it is from a different use case.
In general you expect full disk encryption on corporate/centrally
managed machines, not per-user encryption, unless you can escrow per-
user encryption credentials, which I do not think systemd-homed is well
positioned to do currently.

> Note that systemd-homed is *one* provider of user accounts, but it's
> not to be the only one. The way I see it there are always multiple in
> play:
> 
> 1. static system users configured via /etc/passwd, /etc/shadow & co.
> 2. dynamic system users allocated via systemd's DynamicUser=1
> 3. systemd-homed ones for high-security, local users
> 4. traditional unix users configured via /etc/passwd, /etc/shadow & co.
> 5. sssd provided ones for networked enterprise accounts
> 
> Of course, item 1 and 4 are the same pretty much, just differ in UID
> range.
> 
> In your kiosk usecase always opt for option 4 I think.
> 
> > Is this tied to a specific file system type?
> 
> homed has various backends. If you use the LUKS backend you really
> want to use btrfs, because it allows both online grow & shrink. Other
> file systems are a lot more limited, but also supported for the LUKS
> backend. But there's also a plain directory backend where we make
> almost any restrictions (at weaker security of course). And there's an
> fscrypt backend (which only requires an fs that supports fscrypt), at
> mid-level security (because fscrypt protectes file contents, not
> metadata, unlike the LUKS/dm-crypt backend which protects everything.)

Thanks,
this conversation confirms that we need a more broad security analysis
and requirement discussion before any change in default can be
considered, and buy in from the installer people if
multiple different options end up needing to be provided.

Simo.

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux