On Tue, Feb 14, 2017 at 07:00:40PM +0000, Al Viro wrote:
> On Tue, Feb 14, 2017 at 10:50:23AM -0500, Theodore Ts'o wrote:
>
> > It also isn't complete, since someone could infer whether or not a
> > file exists, unless we also completely spike out the dcache, which
> > would be an even worse performance disaster.
> >
> > So the current model is that if you want to protect a file, the Unix
> > permissions do have to be set correctly, and root can read everything.
> > The presence or absence of keys is *not* currently intended to be an
> > access control mechanism.
>
> Not that root couldn't simply take over any process of the user in
> question and ptrace its way into issuing arbitrary syscalls...

Well, that might not be true if someone makes the file group readable
and the group includes some user who doesn't have the key.  I consider
that a configuration bug, but yes, as far as restricted root, that's
really only for those people who are comforted by the _illusion_ of
security.  Sort of like TSA patdowns at airports.  :-)

- Ted
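The configuration bug Ted describes (an encrypted file whose mode lets group or other read it, while some member of that group holds no key) is something an administrator can audit for directly, since the model above makes the Unix mode bits, not key presence, the access control. The following script is an added example and not part of the thread or of the kernel's fscrypt tooling; it assumes the caller passes the path of an encrypted directory tree (the script does not itself verify that the tree is encrypted) and relies only on the POSIX symbolic form of `find -perm`.

```shell
#!/bin/sh
# Added example (not from the thread): report regular files under a directory
# tree whose mode grants read access to group or to others. Under the fscrypt
# model discussed above, the mode bits are the real access control, so such
# files are candidates for the "group member without the key" misconfiguration.
# The directory is assumed (not checked) to be an fscrypt-encrypted tree.

# Print every regular file under $1 readable by group or others, one per line.
weak_perm_files() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -g=r matches if the group-read bit is set; -perm -o=r if the
    # other-read bit is set (POSIX symbolic mode, "at least these bits").
    find "$dir" -type f \( -perm -g=r -o -perm -o=r \) -print
}

# Count of such files; useful as a pass/fail check in a cron job or CI step.
weak_perm_count() {
    weak_perm_files "$1" | wc -l | tr -d ' '
}

# Exit status 0 if no file is group/other readable, 1 otherwise.
check_private_tree() {
    [ "$(weak_perm_count "$1")" -eq 0 ]
}

# Usage when run directly: ./check.sh /path/to/encrypted/dir
if [ "$#" -ge 1 ]; then
    weak_perm_files "$1"
    check_private_tree "$1"
fi
```

Run it against the encrypted directory after provisioning users and groups; a non-zero count means a file's mode, not its key, decides who can read it, which is exactly the case the thread calls a configuration bug rather than a property of the encryption.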