From 85a747493ff368a72f511619ecd391016ecb933c Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Wed, 23 Feb 2022 12:35:04 -0800 Subject: Extend ownership validation to entire directory structure A previous commit extended file ownership validation to policy and protector files (by default -- there's an opt-out in /etc/fscrypt.conf). However, that didn't apply to the parent directories: MOUNTPOINT MOUNTPOINT/.fscrypt MOUNTPOINT/.fscrypt/policies MOUNTPOINT/.fscrypt/protectors The problem is that if the parent directories aren't trusted (owned by another non-root user), then untrusted changes to their contents can be made at any time, including the introduction of symlinks and so on. While it's debatable how much of a problem this really is, given the other validations that are done, it seems to be appropriate to validate the parent directories too. Therefore, this commit applies the same ownership validations to the above four directories as are done on the metadata files themselves. In addition, it is validated that none of these directories are symlinks except for ".fscrypt" where this is explicitly supported. --- cmd/fscrypt/setup.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmd/fscrypt/setup.go') diff --git a/cmd/fscrypt/setup.go b/cmd/fscrypt/setup.go index 1da0d16..b9a16e8 100644 --- a/cmd/fscrypt/setup.go +++ b/cmd/fscrypt/setup.go @@ -83,7 +83,7 @@ func setupFilesystem(w io.Writer, path string) error { } username := ctx.TargetUser.Username - err = ctx.Mount.CheckSetup() + err = ctx.Mount.CheckSetup(ctx.TrustedUser) if err == nil { return &filesystem.ErrAlreadySetup{Mount: ctx.Mount} } -- cgit v1.2.3