fs/crypto: root read-access without key

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


Hi Ted,

 As of now root[1] can access the plain-text when the data is cached
 by the user-with-the-key and, root gets error no-key when data is
 not cached by the user-with-the-key. I think this behavior is a
 bug if not, wrong design, or looks like I am missing something.

 [1] for that matter any user who has read access to the files but
 does not have the keys.

Repo:
-----------
The user enters key of edir-user
$ e4crypt add_key /ext4/edir-user/

root with no-key is not able to read file-data yet.

# cat /ext4/edir-user/tf1
cat: tf1: Required key not available

now the user above, reads tf1
$ cat /ext4/edir-user/tf1
this is test created by user

So now root with no-key is able to read the file
# cat /ext4/edir-user/tf1
this is test created by user
-----------

 Instead, this should either always return cipher-text (thru DIO)
 or always return error-no-key. So that, behavior does not depend
 file-data cache.

 Hope we agree on the common behavior, BTRFS as of now returns
 error-no-key for all users without-the-key, however in the long
 term when relevant code is ready, it would be beneficial to
 provide the cipher-text in this context and the encryption
 metadata through the xattr. So that, we could use rsync -X
 without-key, to back up the encrypted files which will also copy
 the required encryption metadata through the extended attributes.
 Next, when rsync -X is run when key-is-in, it would read
 plain-text but no encryption metadata should be read at this time,
 as it has already reading the plain-text anyway. In this way
 we control the backup and restore.

 This may be controversial but just the idea floating so that we
 have better compatibility and, as probably extended attribute
 is more common across other OSs including NTFS, hopefully one day
 we could backup encrypted-file across FSs without having to decrypt,
 and decrypt at the destination only when required. This also
 means we need page->index to be common or we can provide such
 info through the extended attributes again or fs/crypto v2
 could add a feature to drop encryption metadata dependency on
 the page->index.

Thanks, Anand
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux