LinuxQuestions.org


hello.freeman 05-28-2010 12:17 AM

the file permission about encrypted swap on slackware 13.1
 
I use the following command to create an encrypted swap:

Code:

bash# echo "cryptswap  /dev/sda5  none  swap" >> /etc/crypttab

and edit the 'fstab' file:

Code:

/dev/sda6 /                ext4        defaults        1  1
/dev/mapper/cryptswap  swap  swap  defaults  0  0


That works fine, but I found the permissions of '/dev/mapper/cryptswap' are like this:

Code:

hello@world:~$ ls -l /dev/mapper/cryptswap
brw-rw-r-- 1 root disk 253, 4 2010-05-28 12:55 /dev/mapper/cryptswap

Other users can read the file '/dev/mapper/cryptswap'. Does it harm the system's security?

Mark Pettit 05-28-2010 01:28 AM

I think the strength of a system's security should not be based on whether someone can read (or access) the data, but whether someone can actually make head or tail of it, i.e. access the data in its cleartext format. If the data was so secure that no-one could ever get to it, then what would be the point of even encrypting it :-) So, unless the keys to decrypt the data were easily available, or the method was weak, I think you're OK.

GazL 05-28-2010 04:33 AM

This is the same issue as was reported here.

It happens on all luks devices, not just the swap. Upgrading to cryptsetup 1.1.1 fixes it, although it doesn't fix some of the other issues we've been talking about.


@Mark, that device with the 'others read' attribute is the unencrypted luks mapping of the swap device, not the encrypted partition that is its backing store. Therefore, it's wide open. hello.freeman is right to be concerned. This is definitely a security problem.

Mark Pettit 05-28-2010 05:06 AM

Ah I see. I did try to qualify my answer by asking if the data was in the cleartext. In this case it's not and I agree that it kinda makes the whole thing open and useless. Thanks.

hello.freeman 05-28-2010 05:48 AM

I fixed the problem by adding a command in '/etc/rc.d/rc.S':

Code:

    elif echo $OPTS | grep -wq swap ; then
      # If any of the volumes is to be used as encrypted swap,
      # then encrypt it using a random key and run mkswap:
      echo "Creating encrypted swap on device '$DEV' mapped to '${LUKS}':"
      /sbin/cryptsetup --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV
      chmod 660 /dev/mapper/$LUKS  # Add this line to fix "$LUKS"'s permission
      mkswap /dev/mapper/$LUKS
    fi

It works well. I think writing udev rules could also fix similar problems. I'll learn it.

Thanks very much for the info.
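
Added example, not part of the thread or of Slackware's scripts: a shell check that flags device-mapper nodes whose mode grants any access to "others", which is the exposure discussed above. The function names and the `--live` switch are hypothetical, and the sample lines are constructed from the `ls -l` output in the first post.

```shell
#!/bin/sh
# Added example: flag device nodes whose mode grants any access to "others".

# Constructed sample lines in `stat -c '%a %U:%G %n'` format: the node from
# the thread before the chmod (664) and after it (660).
SAMPLE_BEFORE='664 root:disk /dev/mapper/cryptswap'
SAMPLE_AFTER='660 root:disk /dev/mapper/cryptswap'

# Succeed if the octal mode has any "others" bit set (last octal digit != 0).
others_can_access() {
    case $1 in
        *[1-7]) return 0 ;;
        *)      return 1 ;;
    esac
}

# Read "MODE OWNER:GROUP PATH" lines on stdin, print each exposed node,
# and return 1 if at least one was found.
audit_nodes() {
    exposed=0
    while read -r mode owner path; do
        case $mode in ''|*[!0-7]*) continue ;; esac   # skip malformed lines
        if others_can_access "$mode"; then
            echo "EXPOSED: $path mode=$mode owner=$owner"
            exposed=1
        fi
    done
    return "$exposed"
}

if [ "${1:-}" = "--live" ]; then
    # -L follows symlinks, which newer udev setups place in /dev/mapper.
    stat -L -c '%a %U:%G %n' /dev/mapper/* | audit_nodes
else
    # Default: run on the constructed sample; only the 664 line is reported.
    printf '%s\n' "$SAMPLE_BEFORE" "$SAMPLE_AFTER" | audit_nodes || true
fi
```

Run with `--live` as root after boot; a non-zero exit status means at least one mapping is readable or writable by users outside the owner and group.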


All times are GMT -5.