Ubuntu
ecryptfs-utils package

Protect data in an encrypted Private from being inadvertently copied elsewhere (eg, thumbnailers)

Bug #277655 reported by Dustin Kirkland 
8
Affects Status Importance Assigned to Milestone
eCryptfs
Fix Released
Wishlist
Unassigned
ecryptfs-utils (Ubuntu)
Fix Released
Wishlist
Unassigned

Bug Description

Intrepid introduced the new Private directory in the user's home directory. To prevent information leakage, thumbnailers etc should be forbidden from entering the directory (or should store their thumbnails inside the private dir). Has this been considered/solved?

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Marking as 'Confirmed'.

I'm going to bring this up for discussion at the Ubuntu Developer Summit in December of 2008, and talk about how to fix this leakage of information in Jaunty.

:-Dustin

Changed in ecryptfs-utils:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Duncan Hawthorne (duncan.hawthorne) wrote :

Also consider the tracker and beagle search tools

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Okay, just an FYI update, since I'm looking at this bug again...

I'm going to leave this open and attached to ecryptfs-utils.

However, this is a pervasive problem in general. It would take a complete package audit to find all the places where data might be leaked to /var/* or /tmp/*, or elsewhere.

Perhaps mandatory access control (SELinux/AppArmor) and exhaustive file labeling might help.

Also, encrypted home directories in jaunty should also help, in terms of user data that gets copied to ~/.* directories.

In the meantime, LVM and total disk encryption is likely the best option for users with a deep concern about this issue.

Good luck,
:-Dustin

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Couple things to update here ...

With encrypted home directories now available in Jaunty, it's possible to keep all data, meta data, and cached data in your home directory encrypted.

For Karmic, I hope that /tmp becomes a tmpfs, entirely in RAM. Couple that with encrypted swap, and it should be possible to prevent tmp data from ever leaking to disk.

/var/tmp is a little bit trickier. For /var/tmp, there are relatively few applications that write data there. I'd like to take those on a case-by-case basis, and try to ensure that the data that gets written to /var/tmp is not leaked sensitive data.

Otherwise, these applications (thumbnailers and such), should be running as your non-privileged $USER and shouldn't really have write access to locations outside of $HOME, /tmp, /var/tmp, right? In which case, I think we should be able to cover those 3 cases...

:-Dustin

Changed in ecryptfs-utils (Ubuntu):
status: Confirmed → Triaged
Dustin Kirkland  (kirkland)
Changed in ecryptfs:
importance: Undecided → Medium
status: New → Confirmed
Changed in ecryptfs-utils (Ubuntu):
status: Triaged → Confirmed
Dustin Kirkland  (kirkland)
Changed in ecryptfs:
importance: Medium → Wishlist
Changed in ecryptfs-utils (Ubuntu):
importance: Medium → Wishlist
Revision history for this message
Dustin Kirkland  (kirkland) wrote :

We now have encrypted swap. This should help matters tremendously.

Additionally, I recommend making /tmp a tmpfs in memory, by adding the following line to your /etc/fstab:
tmpfs /tmp tmpfs rw

If other programs copy data out of a user's home directory to other locations *on disk*, bugs should be filed against those programs for leaking user data.

At this point I'm closing the eCryptfs aspects of this bug.

Thanks,
:-Dustin

Changed in ecryptfs:
status: Confirmed → Fix Released
Changed in ecryptfs-utils (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.