/var/crash is unencrypted

Hi Julian - thanks for the bug report!

As the upstream maintainer of eCryptfs, I'd like to point out that this is a well known problem with partial disk encryption technologies such as eCryptfs. Information leaks are bound to happen when applications can write to locations outside of the encrypted mount point ($HOME, in your case).

The only solution to prevent unintentional information leaks to non-encrypted locations in the filesystem is to use full disk encryption solutions, such as LUKS/dm-crypt. For some users, partial encryption is the best solution while other user may require full disk encryption so Ubuntu offers both solutions.

I'm going to make this bug public so that the apport folks can have a look and determine if there is an easy, apport-specific solution but I expect them to mark this as Won't Fix.

I haven't asked apport to write core dumps outside of $HOME. It just does is BY DEFAULT. As someone who has used GNU/Linux since the mid-90s and had countless core dumps land somewhere in my home directory I shouldn't have to suddenly worry about them ending up somewhere else. I also shouldn't have to use full-disk encryption to ensure that a small set of sensitive files are safe. Encryption isn't without cost - I don't want to have a pointless encryption layer in place while I'm recording direct to HD. This is 2012, not 1992 - “all or nothing” solutions don't cut it. If swap is encrypted, then core dumps should be too. Otherwise what's the point?

Why have you made this bug public? Why is an easy fix the goal? Why do you expect WONTFIX? Are you saying that if a fix isn't easy, it isn't worth doing? Dumping sensitive data somewhere public IS A BUG.

You can patronisingly point out as many “well known problems” as you like. It doesn't change the fact that this particular problem doesn't exist on Debian but does on Ubuntu, because they've decided to dump sensitive data in an unencrypted directory.

Using ecryptfs instead of full disk encryption is a trade-off. There are countless other directories where private information may get stored, and which isn't encrypted by default, such as /tmp, /var/tmp, etc.

You can turn off apport's core dump handling by modifying the /etc/default/apport file.

The problem with /var/crash is that it violates the principle of least surprise. Mounting /tmp and /var/tmp on tmpfs is a pretty obvious step to take for anyone who is familiar with any modern GNU/Linux flavour. As apport is Ubuntu specific it's considerably less obvious, and as this has a security implication this is a Bad Thing™. And I don't think “turn the feature off altogether” is a particularly good answer. It's on by default out of the box which means it's insecure by default.

Having thought about it, I think an obvious fix would be to dump into a per-user ~/.crash directory rather than have a global dropbox. This way they'd have the same level of protection as the user's home directory.

This release of Ubuntu is no longer receiving maintenance updates. If this is still an issue on a maintained version of Ubuntu please let us know.

[Expired for apport (Ubuntu) because there has been no activity for 60 days.]