fscrypt.git/README.md, branch v0.3.3 Go tool for managing Linux filesystem encryption filesystem: create metadata files with mode 0600 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 06c989df4e31dd9f172f94fbd6243f49d4dd0b92 Currently, fscrypt policies and protectors are world readable, as they are created with mode 0644. While this can be nice for use cases where users share these files, those use cases seem to be quite rare, and it's not a great default security-wise since it exposes password hashes to all users. While fscrypt uses a very strong password hash algorithm, it would still be best to follow the lead of /etc/shadow and keep this information non-world-readable. Therefore, start creating these files with mode 0600. Of course, if users do actually want to share these files, they have the option of simply chmod'ing them to a less restrictive mode. An option could also be added to make fscrypt use the old mode 0644; however, the need for that is currently unclear. 
Currently, fscrypt policies and protectors are world readable, as they
are created with mode 0644.  While this can be nice for use cases where
users share these files, those use cases seem to be quite rare, and it's
not a great default security-wise since it exposes password hashes to
all users.  While fscrypt uses a very strong password hash algorithm, it
would still be best to follow the lead of /etc/shadow and keep this
information non-world-readable.

Therefore, start creating these files with mode 0600.

Of course, if users do actually want to share these files, they have the
option of simply chmod'ing them to a less restrictive mode.  An option
could also be added to make fscrypt use the old mode 0644; however, the
need for that is currently unclear.
Strictly validate metadata file ownership by default 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 74e870b7bd1585b4b509da47e0e75db66336e576 The metadata validation checks introduced by the previous commits are good, but to reduce the attack surface it would be much better to avoid reading and parsing files owned by other users in the first place. There are some possible use cases for users sharing fscrypt metadata files, but I think that for the vast majority of users it is unneeded and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt) not process policies or protectors owned by other users by default. Specifically, * If fscrypt or pam_fscrypt is running as a non-root user, only policies and protectors owned by the user or by root can be used. * If fscrypt is running as root, any policy or protector can be used. (This is to match user expectations -- starting a sudo session should gain rights, not remove rights.) * If pam_fscrypt is running as root, only policies and protectors owned by root can be used. Note that this only applies when the root user themselves has an fscrypt login protector, which is rare. Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which allows restoring the old behavior for anyone who really needs it. 
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
Make 'fscrypt setup' offer a choice of directory modes 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 6e355131670ad014e45f879475ddf800f0080d41 World-writable directories are not appropriate for some systems, so offer a choice of single-user-writable and world-writable modes, with single-user-writable being the default. Add a new documentation section to help users decide which one to use. 
World-writable directories are not appropriate for some systems, so
offer a choice of single-user-writable and world-writable modes, with
single-user-writable being the default.  Add a new documentation section
to help users decide which one to use.
Fix a few typos 2021-12-22T05:02:55+00:00 Eric Biggers ebiggers@google.com 2021-12-22T04:59:58+00:00 ee7bd64191beb715f883a7c91f0de0779b849af4 






README: elaborate on alternatives and threat model
2021-12-22T00:17:22+00:00

Eric Biggers
ebiggers@google.com

2021-12-22T00:03:08+00:00

9653450a7b13984f8b4c97ad35eefa8f816d53b4

Fixes https://github.com/google/fscrypt/issues/318





Fixes https://github.com/google/fscrypt/issues/318







README: write "Linux native filesystem encryption"
2021-12-22T00:03:08+00:00

Eric Biggers
ebiggers@google.com

2021-12-22T00:03:08+00:00

d6638ac45f6b6da373f7f724251aef03032915ad

"Linux filesystem encryption" sounds too vague.  Write "Linux native
filesystem encryption" instead.





"Linux filesystem encryption" sounds too vague.  Write "Linux native
filesystem encryption" instead.







README: document issue with ssh ChallengeResponseAuthentication
2021-12-20T02:41:39+00:00

Eric Biggers
ebiggers@google.com

2021-12-20T02:39:26+00:00

c7e3ce28b23017cfcc11a38fee888163d4e8d715

Update https://github.com/google/fscrypt/issues/321
Update https://github.com/google/fscrypt/issues/324





Update https://github.com/google/fscrypt/issues/321
Update https://github.com/google/fscrypt/issues/324







Adjust recovery passphrase generation
2021-10-05T22:30:30+00:00

Eric Biggers
ebiggers@google.com

2021-09-14T21:12:39+00:00

7fed63a84963cbd790e86a0e59ff14724bcf33c4

As per the feedback at https://github.com/google/fscrypt/issues/115
where users didn't understand that the recovery passphrase is important,
restore the original behavior where recovery passphrase generation
happens automatically without a prompt.  This applies to the case where
'fscrypt encrypt' is using a login protector on a non-root filesystem.

However, leave the --no-recovery option so that the recovery passphrase
can still be disabled if the user really wants to.  Also, clarify the
information provided about the recovery passphrase.

Update https://github.com/google/fscrypt/issues/115





As per the feedback at https://github.com/google/fscrypt/issues/115
where users didn't understand that the recovery passphrase is important,
restore the original behavior where recovery passphrase generation
happens automatically without a prompt.  This applies to the case where
'fscrypt encrypt' is using a login protector on a non-root filesystem.

However, leave the --no-recovery option so that the recovery passphrase
can still be disabled if the user really wants to.  Also, clarify the
information provided about the recovery passphrase.

Update https://github.com/google/fscrypt/issues/115







README: mention LTS kernel versions with symlink bug fix
2021-09-22T18:00:27+00:00

Eric Biggers
ebiggers@google.com

2021-09-22T18:00:27+00:00

ee5e47f3481c7f09f4f3f4bdf360f2c8b1b59a1e

Resolves https://github.com/google/fscrypt/issues/305





Resolves https://github.com/google/fscrypt/issues/305







README: clarify how restoring /.fscrypt directory works
2021-09-14T21:33:22+00:00

Eric Biggers
ebiggers@google.com

2021-09-14T18:07:42+00:00

955d3305cd117ad83411f75c2b3227fbaea60700

Update https://github.com/google/fscrypt/issues/115





Update https://github.com/google/fscrypt/issues/115