fscrypt.git/cli-tests, branch v0.3.3 Go tool for managing Linux filesystem encryption filesystem: create metadata files with mode 0600 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 06c989df4e31dd9f172f94fbd6243f49d4dd0b92 Currently, fscrypt policies and protectors are world readable, as they are created with mode 0644. While this can be nice for use cases where users share these files, those use cases seem to be quite rare, and it's not a great default security-wise since it exposes password hashes to all users. While fscrypt uses a very strong password hash algorithm, it would still be best to follow the lead of /etc/shadow and keep this information non-world-readable. Therefore, start creating these files with mode 0600. Of course, if users do actually want to share these files, they have the option of simply chmod'ing them to a less restrictive mode. An option could also be added to make fscrypt use the old mode 0644; however, the need for that is currently unclear. 
Currently, fscrypt policies and protectors are world readable, as they
are created with mode 0644.  While this can be nice for use cases where
users share these files, those use cases seem to be quite rare, and it's
not a great default security-wise since it exposes password hashes to
all users.  While fscrypt uses a very strong password hash algorithm, it
would still be best to follow the lead of /etc/shadow and keep this
information non-world-readable.

Therefore, start creating these files with mode 0600.

Of course, if users do actually want to share these files, they have the
option of simply chmod'ing them to a less restrictive mode.  An option
could also be added to make fscrypt use the old mode 0644; however, the
need for that is currently unclear.
Make all new metadata files owned by user when needed 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 d4ce0b892cbe68db9f90f4015342e6a9069b079c Since commit 4c7c6631cc5a ("Set owner of login protectors to correct user"), login protectors are made owned by the user when root creates one on a user's behalf. That's good, but the same isn't true of other files that get created at the same time: - The policy protecting the directory - The protector link file, if the policy is on a different filesystem - The recovery protector, if the policy is on a different filesystem - The recovery instructions file In preparation for setting all metadata files to mode 0600, start making all these files owned by the user in this scenario as well. 
Since commit 4c7c6631cc5a ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf.  That's good, but the same isn't true of other
files that get created at the same time:

- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file

In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.
Strictly validate metadata file ownership by default 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 74e870b7bd1585b4b509da47e0e75db66336e576 The metadata validation checks introduced by the previous commits are good, but to reduce the attack surface it would be much better to avoid reading and parsing files owned by other users in the first place. There are some possible use cases for users sharing fscrypt metadata files, but I think that for the vast majority of users it is unneeded and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt) not process policies or protectors owned by other users by default. Specifically, * If fscrypt or pam_fscrypt is running as a non-root user, only policies and protectors owned by the user or by root can be used. * If fscrypt is running as root, any policy or protector can be used. (This is to match user expectations -- starting a sudo session should gain rights, not remove rights.) * If pam_fscrypt is running as root, only policies and protectors owned by root can be used. Note that this only applies when the root user themselves has an fscrypt login protector, which is rare. Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which allows restoring the old behavior for anyone who really needs it. 
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
Make 'fscrypt setup' offer a choice of directory modes 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 6e355131670ad014e45f879475ddf800f0080d41 World-writable directories are not appropriate for some systems, so offer a choice of single-user-writable and world-writable modes, with single-user-writable being the default. Add a new documentation section to help users decide which one to use. 
World-writable directories are not appropriate for some systems, so
offer a choice of single-user-writable and world-writable modes, with
single-user-writable being the default.  Add a new documentation section
to help users decide which one to use.
cli-tests: fix broken test 2022-01-19T19:07:03+00:00 Eric Biggers ebiggers@google.com 2022-01-19T19:07:00+00:00 6eb31650b4dc42cd0a40a962a0d513eeb827d9f5 I'm not sure how this passed the GitHub checks. 
I'm not sure how this passed the GitHub checks.
Merge pull request #337 from google/broken-links 2022-01-19T05:11:01+00:00 Eric Biggers ebiggers@google.com 2022-01-19T05:11:01+00:00 fac30865c04de8f4698776e94dd86c7a88fd5da2 filesystem: store mountpoint in link files as a fallback 
filesystem: store mountpoint in link files as a fallback
 cmd/fscrypt: don't load protector in remove-protector-from-policy 2021-12-23T17:44:13+00:00 Eric Biggers ebiggers@google.com 2021-12-23T17:39:08+00:00 6ebd5a54eae2dfb16b66da649e75848fe6030b7f Make remove-protector-from-policy work even if the protector cannot be loaded (for example, due to having been deleted already). Fixes https://github.com/google/fscrypt/issues/258 Fixes https://github.com/google/fscrypt/issues/272 
Make remove-protector-from-policy work even if the protector cannot be
loaded (for example, due to having been deleted already).

Fixes https://github.com/google/fscrypt/issues/258
Fixes https://github.com/google/fscrypt/issues/272
cli-tests: add helper functions to get protector descriptors 2021-12-23T17:39:08+00:00 Eric Biggers ebiggers@google.com 2021-12-23T17:39:08+00:00 57be034ce4700fb07c10b771628c1c63d8483d09 






filesystem: store mountpoint in link files as a fallback
2021-12-23T04:46:16+00:00

Eric Biggers
ebiggers@google.com

2021-12-23T04:46:16+00:00

5ae7da4ee6582099de5d1b14733f8d58f4dc2816

Currently, linked protectors use filesystem link files of the form
"UUID=<uuid>".  These links get broken if the filesystem's UUID changes,
e.g. due to the filesystem being re-created even if the ".fscrypt"
directory is backed up and restored.

To prevent links from being broken (in most cases), start storing the
mountpoint path in the link files too, in the form
"UUID=<uuid>\nPATH=<path>\n".  When following a link, try the UUID
first, and if it doesn't work try the PATH.  While it's possible that
the path changed too, for login protectors (the usual use case of linked
protectors) this won't be an issue as the path will always be "/".

An alternative solution would be to fall back to scanning all
filesystems for the needed protector descriptor.  I decided not to do
that, since relying on a global scan doesn't seem to be a good design.
It wouldn't scale to large numbers of filesystems, it could cross
security boundaries, and it would make it possible for adding a new
filesystem to break fscrypt on existing filesystems.  And if a global
scan was an acceptable way to find protectors during normal use, then
there would be no need for link files in the first place.

Note: this change is backwards compatible (i.e., fscrypt will continue
to recognize old link files) but not forwards-compatible (i.e., previous
versions of fscrypt won't recognize new link files).

Fixes https://github.com/google/fscrypt/issues/311





Currently, linked protectors use filesystem link files of the form
"UUID=<uuid>".  These links get broken if the filesystem's UUID changes,
e.g. due to the filesystem being re-created even if the ".fscrypt"
directory is backed up and restored.

To prevent links from being broken (in most cases), start storing the
mountpoint path in the link files too, in the form
"UUID=<uuid>\nPATH=<path>\n".  When following a link, try the UUID
first, and if it doesn't work try the PATH.  While it's possible that
the path changed too, for login protectors (the usual use case of linked
protectors) this won't be an issue as the path will always be "/".

An alternative solution would be to fall back to scanning all
filesystems for the needed protector descriptor.  I decided not to do
that, since relying on a global scan doesn't seem to be a good design.
It wouldn't scale to large numbers of filesystems, it could cross
security boundaries, and it would make it possible for adding a new
filesystem to break fscrypt on existing filesystems.  And if a global
scan was an acceptable way to find protectors during normal use, then
there would be no need for link files in the first place.

Note: this change is backwards compatible (i.e., fscrypt will continue
to recognize old link files) but not forwards-compatible (i.e., previous
versions of fscrypt won't recognize new link files).

Fixes https://github.com/google/fscrypt/issues/311







filesystem: avoid accessing irrelevant filesystems
2021-12-20T16:24:15+00:00

Eric Biggers
ebiggers@google.com

2021-12-20T04:17:20+00:00

d0b9e2c995beb13c70a1549923df482ff773f09b

Forbid 'fscrypt setup' on filesystems that aren't expected to support
encryption (other than the root filesystem), and skip looking for
fscrypt metadata directories on such filesystems.  This has two
benefits.  First, it avoids the printing of annoying warnings like:

	pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied

Second, it avoids long delays or side effects on some filesystems.

To do this, introduce an allowlist of filesystem types that fscrypt will
recognize.  I wanted to avoid doing this, since this list will need to
be updated in the future, but I don't see a better solution.





Forbid 'fscrypt setup' on filesystems that aren't expected to support
encryption (other than the root filesystem), and skip looking for
fscrypt metadata directories on such filesystems.  This has two
benefits.  First, it avoids the printing of annoying warnings like:

	pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied

Second, it avoids long delays or side effects on some filesystems.

To do this, introduce an allowlist of filesystem types that fscrypt will
recognize.  I wanted to avoid doing this, since this list will need to
be updated in the future, but I don't see a better solution.