ureadahead Caches eCryptfs Filesystem Contents

Bug #936822 reported by Githlar
This bug affects 1 person
Affects: ureadahead (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

If you have autologin enabled or you're just a fast typist, ureadahead has the potential to cache pieces and whole filenames of files in an eCryptfs filesystem. This is a potential security vulnerability as it could theoretically provide a cryptanalyst vital pieces of plaintext data to break the filesystem encryption. It's a big "if" but it's possible.

My previous patch is incorrect. Turns out my ureadahead broke somehow, so I thought it was working when it really wasn't.

The actual problem lies not in /etc/init/ureadahead-other.conf, but in /etc/init/ureadahead.conf. I ended up adding a `post-stop script` section to `wipe` the file after it has been written. But, ideally, the file should never be written at all.

From what I gathered, ureadahead determines what it should cache by actual system devices, rather than mount points as I had suspected. The problem with this is that eCryptfs mounts /home/.ecryptfs/[user]/.ecryptfs which exists on the same device as /. So, ureadahead assumes that it should cache all these files on the root device (which obviously include /home/.ecryptfs/[user]/.ecryptfs) when invoked as `ureadahead --daemon` as in the /etc/init/ureadahead.conf file.

The ideal fix to this bug would be either a config file or a parameter for ureadahead that allows excluding of certain paths within a device's filesystem. I would assume this would be possible as ureadahead writes the whole filenames into its pack files.

I have retracted my patch.
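
The report says ureadahead writes whole filenames into its pack files. The following audit sketch is an added example, not part of the original report or of ureadahead: it lists path strings in a pack that fall under protected directories. It scans for printable strings rather than parsing the pack format; the user name `alice`, the protected roots, the sample bytes and the default pack location `/var/lib/ureadahead/pack` are assumptions.

```python
import re
import sys
from pathlib import PurePosixPath

# Runs of printable ASCII starting with "/" (format-agnostic, like strings(1)).
_PATH_RE = re.compile(rb"/[\x20-\x7e]{2,}")

# Assumed protected roots: the eCryptfs directory named in the report plus a
# hypothetical user's home directory.
ROOTS = ("/home/.ecryptfs", "/home/alice")

# Constructed sample bytes standing in for a pack file (not a real pack).
SAMPLE_PACK = (
    b"\x00\x01pack-header\x00"
    b"/lib/x86_64-linux-gnu/libc.so.6\x00\x00"
    b"/home/alice/Private/taxes-2011.ods\x00"
    b"/home/.ecryptfs/alice/.ecryptfs/Private.sig\x00"
    b"/home/.ecryptfs-backup/readme\x00\xff\xfe"
)


def paths_in_pack(blob: bytes) -> list[str]:
    """Return every path-like printable string embedded in the blob."""
    return [m.group().decode("ascii") for m in _PATH_RE.finditer(blob)]


def is_under(path: str, root: str) -> bool:
    """Component-wise containment, so /home/.ecryptfs-backup is not a match."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def leaked_paths(blob: bytes, roots=ROOTS) -> list[str]:
    """Sorted unique paths in the blob that sit under any protected root."""
    hits = {p for p in paths_in_pack(blob) if any(is_under(p, r) for r in roots)}
    return sorted(hits)


if __name__ == "__main__":
    # With an argument, audit that file (e.g. /var/lib/ureadahead/pack, which
    # may need root to read); without one, run on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PACK
    found = leaked_paths(data)
    for path in found:
        print(path)
    sys.exit(1 if found else 0)
```

A non-zero exit status means at least one filename under a protected root was found in the pack.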

Githlar (githlar-deactivatedaccount) wrote :

I only specifically patched for eCryptfs as it's the only encryption officially supported. It's a bit of a hack-y patch, but unfortunately busybox's /bin/sh can't do cool stuff like extglob in BASH... If that were the case it would have been !(ecryptfs) instead. But it works.

visibility: private → public
tags: added: ecryptfs ureadahead
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "ureadahead-other.diff" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
description: updated
Phillip Susi (psusi) wrote :

The files are always cached. The only thing ureadahead does is move the point where the files are loaded into the cache from first access to mount time. To read the data cached in ram, an attacker would have to have root access, in which case, the system is irreparably compromised anyhow.

Changed in ureadahead (Ubuntu):
status: New → Invalid
This report contains Public Security information  
Everyone can see this security related information.
