/var/crash is unencrypted
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apport (Ubuntu) | Expired | Wishlist | Unassigned |
Bug Description
When using encrypted (ecryptfs) home directories, although the swap device is encrypted there is a potential information leak via /var/crash. I was able to successfully recover plaintext content from a file being edited within the encrypted directory when the editor crashed (triggered by SIGILL for testing) simply by mounting the root device on another system and extracting the core dump from the .crash file. As these files remain on the filesystem until cleaned up by cron this represents a significant vulnerability, especially for laptop users.
To reproduce:
1) Open a sensitive file for editing (e.g. in vim)
2) Trigger a core dump in the editor
[Alternatively: 1&2) steal a laptop]
3) Mount the device containing /var/crash on another system
4) Extract core dumps from /var/crash/*.crash
5) Search the dumps for sensitive plaintext
ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: apport 2.6.1-0ubuntu6
ProcVersionSign
Uname: Linux 3.5.0-18-lowlatency x86_64
ApportVersion: 2.6.1-0ubuntu6
Architecture: amd64
Date: Fri Nov 9 16:40:08 2012
EcryptfsInUse: Yes
InstallationDate: Installed on 2012-10-11 (28 days ago)
InstallationMedia: Ubuntu-Studio 12.04.1 "Precise Pangolin" - Release amd64 (20120818)
MarkForUpload: True
PackageArchitec
SourcePackage: apport
UpgradeStatus: Upgraded to quantal on 2012-10-26 (14 days ago)
Hi Julian - thanks for the bug report!
As the upstream maintainer of eCryptfs, I'd like to point out that this is a well known problem with partial disk encryption technologies such as eCryptfs. Information leaks are bound to happen when applications can write to locations outside of the encrypted mount point ($HOME, in your case).
The only solution to prevent unintentional information leaks to non-encrypted locations in the filesystem is to use full disk encryption solutions, such as LUKS/dm-crypt. For some users, partial encryption is the best solution while other users may require full disk encryption so Ubuntu offers both solutions.
I'm going to make this bug public so that the apport folks can have a look and determine if there is an easy, apport-specific solution but I expect them to mark this as Won't Fix.
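An audit for the exposure described in the report, added here as an example and not part of the bug thread or of apport's own code: it lists each report in a crash directory and whether it still carries a `CoreDump` field, without decoding any payload. The sample reports, their file names and the `Signal` values are constructed, and the layout assumed is apport's key/value format with indented continuation lines.

```python
import stat
import tempfile
from pathlib import Path

# Constructed sample reports (not from the bug): one with a CoreDump field, one without.
SAMPLES = {
    "_usr_bin_vim.basic.1000.crash":
        "ProblemType: Crash\nExecutablePath: /usr/bin/vim.basic\nSignal: 4\n"
        "CoreDump: base64\n H4sIAAAAAAAC/wMAAAAAAAAAAAA=\n QUJDREVGR0g=\n",
    "_usr_bin_demo.1000.crash":
        "ProblemType: Crash\nExecutablePath: /usr/bin/demo\nSignal: 11\n",
}

def scan_report(path):
    """Map each field to its first-line value and total encoded size, decoding nothing."""
    fields, key = {}, None
    with open(path, "rb") as fh:
        for raw in fh:
            if raw[:1] in (b" ", b"\t"):          # continuation line of the current field
                if key is not None:
                    fields[key]["size"] += len(raw)
            elif b":" in raw:
                name, _, value = raw.partition(b":")
                key = name.decode("ascii", "replace")
                fields[key] = {"value": value.strip().decode("utf-8", "replace"),
                               "size": len(raw)}
    return fields

def audit_crash_dir(crash_dir="/var/crash"):
    """List every *.crash report and whether it still holds a process memory image."""
    findings = []
    for path in sorted(Path(crash_dir).glob("*.crash")):
        fields, st = scan_report(path), path.stat()
        findings.append({
            "report": path.name,
            "executable": fields.get("ExecutablePath", {}).get("value", "unknown"),
            "owner_uid": st.st_uid,
            "other_readable": bool(st.st_mode & stat.S_IROTH),
            "core_bytes": fields["CoreDump"]["size"] if "CoreDump" in fields else 0,
        })
    return findings

def build_sample_dir():
    """Write the constructed samples to a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="crash-audit-"))
    for name, body in SAMPLES.items():
        (root / name).write_text(body)
    return root

if __name__ == "__main__":
    for f in audit_crash_dir(build_sample_dir()):
        state = f"core dump, {f['core_bytes']} encoded bytes" if f["core_bytes"] else "no core dump"
        print(f"{f['report']}: {f['executable']} ({state})")
```

Calling `audit_crash_dir()` with no argument inspects the live /var/crash; reports with a nonzero `core_bytes` are the ones holding process memory outside the encrypted home directory.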