Re: fs/crypto: root read-access without key

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Feb 14, 2017 at 06:18:20PM +0800, Anand Jain wrote:
> 
> Hi Ted,
> 
>  As of now root[1] can access the plain-text when the data is cached
>  by the user-with-the-key and, root gets error no-key when data is
>  not cached by the user-with-the-key. I think this behavior is a
>  bug if not, wrong design, or looks like I am missing something.
> 
>  [1] for that matter any user who has read access to the files but
>  does not have the keys.

This is an explicit design decision.  The main issue is that the VFS
and the page cache fundamntally assumes that there is only a single
"view" of the state of the files.  So once something is cached in the
dcache and the page cache, the VFS will happily return it to any user
who has permissions.  The file system doesn't even get involved.

We could try and fix this by adding our own file system unique
premissions check, but that slows down every single file open with a
keyring search.  It also isn't a complete solution because if you pass
the fd around via a unix domain socket, or some such you can still end
up with weirdness where whether or not the process which is currently
trying to operate on the fd has access to the key (via the rings
unique, wild, and wonderful, and nonstandard/non-POSIX keyring access
scheme).

It also isn't complete, since someone could infer whether or not a
file exists, unless we also completely spike out the dcache, which
would be an even worse performance disaster.

So the current model is that if you want to protect file, the Unix
permissions do have to be set correctly, and root can read everything.
The presense or absense of keys is *not* currently intended to be an
access control mechanism.

						- Ted



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux