diff options
| author | Eric Biggers <ebiggers@google.com> | 2022-02-23 12:35:04 -0800 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2022-02-23 12:35:04 -0800 |
| commit | 74e870b7bd1585b4b509da47e0e75db66336e576 (patch) | |
| tree | 9b67ab42cebbfd25d917852260a5300292f39630 /cli-tests | |
| parent | 6e355131670ad014e45f879475ddf800f0080d41 (diff) | |
Strictly validate metadata file ownership by default
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.
There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,
* If fscrypt or pam_fscrypt is running as a non-root user, only
policies and protectors owned by the user or by root can be used.
* If fscrypt is running as root, any policy or protector can be used.
(This is to match user expectations -- starting a sudo session
should gain rights, not remove rights.)
* If pam_fscrypt is running as root, only policies and protectors
owned by root can be used. Note that this only applies when the
root user themselves has an fscrypt login protector, which is rare.
Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
Diffstat (limited to 'cli-tests')
| -rw-r--r-- | cli-tests/t_encrypt.out | 2 | ||||
| -rw-r--r-- | cli-tests/t_single_user.out | 2 | ||||
| -rw-r--r-- | cli-tests/t_status.out | 2 | ||||
| -rw-r--r-- | cli-tests/t_v1_policy.out | 2 |
4 files changed, 4 insertions, 4 deletions
diff --git a/cli-tests/t_encrypt.out b/cli-tests/t_encrypt.out index b92c9d9..ecdc46b 100644 --- a/cli-tests/t_encrypt.out +++ b/cli-tests/t_encrypt.out @@ -71,7 +71,7 @@ Unlocked: Yes Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc1 No custom protector "prot" -ext4 filesystem "MNT" has 1 protector and 1 policy. +ext4 filesystem "MNT" has 1 protector and 1 policy (only including ones owned by fscrypt-test-user or root). All users can create fscrypt metadata on this filesystem. PROTECTOR LINKED DESCRIPTION diff --git a/cli-tests/t_single_user.out b/cli-tests/t_single_user.out index e788b3e..d038d52 100644 --- a/cli-tests/t_single_user.out +++ b/cli-tests/t_single_user.out @@ -1,7 +1,7 @@ ext4 filesystem "MNT" has 0 protectors and 0 policies. Only root can create fscrypt metadata on this filesystem. -ext4 filesystem "MNT" has 0 protectors and 0 policies. +ext4 filesystem "MNT" has 0 protectors and 0 policies (only including ones owned by fscrypt-test-user or root). Only root can create fscrypt metadata on this filesystem. diff --git a/cli-tests/t_status.out b/cli-tests/t_status.out index eb425d0..058c62c 100644 --- a/cli-tests/t_status.out +++ b/cli-tests/t_status.out @@ -7,7 +7,7 @@ ext4 supported Yes ext4 filesystem "MNT" has 0 protectors and 0 policies. All users can create fscrypt metadata on this filesystem. -ext4 filesystem "MNT" has 0 protectors and 0 policies. +ext4 filesystem "MNT" has 0 protectors and 0 policies (only including ones owned by fscrypt-test-user or root). All users can create fscrypt metadata on this filesystem. diff --git a/cli-tests/t_v1_policy.out b/cli-tests/t_v1_policy.out index 1f4f9d7..2353527 100644 --- a/cli-tests/t_v1_policy.out +++ b/cli-tests/t_v1_policy.out @@ -120,7 +120,7 @@ Unlocked: Partially (incompletely locked, or unlocked by another user) Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" -ext4 filesystem "MNT" has 1 protector and 1 policy. +ext4 filesystem "MNT" has 1 protector and 1 policy (only including ones owned by fscrypt-test-user or root). All users can create fscrypt metadata on this filesystem. PROTECTOR LINKED DESCRIPTION |