mount.ecryptfs_private setuid binary
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
eCryptfs | Triaged | Wishlist | Unassigned |
Bug Description
ecryptfs-utils currently provides a setuid binary:
/sbin/
Also, /sbin/umount.
This utility is what allows a normal user to mount and unmount their encrypted home or encrypted private directory.
The code drops root privileges immediately upon execution, sanitizes and validates all input and configuration parameters, and then resumes root privileges again for exactly one of two specific operations, one of:
* mount()
* execl(umount)
In both cases, the parameters to mount and umount have been checked such that the only directory the user is able to mount and unmount is their own private/home directory.
Still, setuid programs should be avoided, or at least constrained as much as possible.
For one thing, this program could become setgid, and restricted to an ecryptfs group.
Additionally, this program could perhaps make use of filesystem capabilities, such as CAP_SYS_MOUNT.
This is a wishlist bug suggesting that this binary should be updated accordingly.
:-Dustin
Changed in ecryptfs:
importance: Undecided → Wishlist
status: New → Confirmed
Changed in ecryptfs:
assignee: Dustin Kirkland (kirkland) → nobody
Note that there is no CAP_SYS_MOUNT. You need CAP_SYS_ADMIN to mount a filesystem.
I'm not sure what else the helper programs might do which would require privilege, but it shouldn't be too bad.
I've got this down as something to play with next week.