updatedb.conf should include ecryptfs in the PRUNEFS line

Bug #372631 reported by Nick Moffitt on 2009-05-06
This bug affects 3 people
Affects: mlocate (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: mlocate

I am using ecryptfs-utils to create a ~/Private/ mount that I keep sensitive data in. I was shocked to find these files listed in a "locate" query. I believe that ecryptfs should be added to the list of excluded mlocate filesystems for two reasons:

  1) It is a reasonable expectation that file metadata in an ecryptfs is just as private as the file contents: if an attacker plugs my stolen spun-down drive into an enemy system, my file metadata are compromised.
  2) The cost to traverse an ecryptfs is noticeably higher than that of a raw ext3 filesystem

I have of course added this to my own copy, and the behavior is now precisely as I originally expected.

ProblemType: Bug
Architecture: i386
DistroRelease: Ubuntu 9.04
Package: mlocate 0.21.1-1ubuntu1
ProcEnviron:
 LC_COLLATE=C
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: mlocate
Uname: Linux 2.6.28-11-generic i686

Nick Moffitt (nick-moffitt) wrote :

For completeness:

ii ecryptfs-utils 73-0ubuntu6 ecryptfs cryptographic filesystem (utilities)
ii libecryptfs0 73-0ubuntu6 ecryptfs cryptographic filesystem (library)

Chris Mayfield (csmayfield) wrote :

Same problem on 9.10. An alternative solution would be to add ecryptfs to the PRUNEFS list.

Nick Moffitt (nick-moffitt) wrote :

I'm not sure how that's an alternative, Chris. It sounds rather like what I suggested in the subject line of this bug.

Nick Moffitt (nick-moffitt) wrote :

Also I just noticed that this is present in Lucid, as my upgrade from karmic to lucid included a reversion of my previous change.

Dustin Kirkland  (kirkland) wrote :

I'll confirm this.

I think it's a reasonable expectation if your filenames themselves are encrypted.

Changed in mlocate (Ubuntu):
status: New → Confirmed

Nick Moffitt (nick-moffitt) wrote :

I can confirm that this is still present in Lucid

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mlocate - 0.22.2-1ubuntu1

---------------
mlocate (0.22.2-1ubuntu1) lucid; urgency=low

  * Add ecryptfs to PRUNEFS (LP: #372631).
  * Add fusesmb to PRUNEFS (LP: #222504).
  * Add devtmpfs to PRUNEFS; tmpfs was already there, so this should cover
    /dev (LP: #355404).
 -- Colin Watson <email address hidden> Wed, 24 Mar 2010 10:12:15 +0000

Changed in mlocate (Ubuntu):
status: Confirmed → Fix Released

Nick Moffitt (nick-moffitt) wrote :

Whoa, spoke only moments too soon! Many thanks, Colin!

Maybe it's a good idea to also add /home/.ecryptfs to PRUNEPATHS. Not a security issue, but it contains nothing useful for locate and thus it's a waste of time scanning that.
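
Added example, not part of the original bug thread or of the mlocate package: a shell check that reports which file system types are absent from PRUNEFS in an updatedb.conf, so a reverted setting after an upgrade is caught. The function names are hypothetical, the sample configuration is constructed, and the parser assumes a double-quoted PRUNEFS assignment.

```shell
#!/bin/sh
# Audit an updatedb.conf for file system types that updatedb would still index.

# prunefs_list CONF: print the PRUNEFS types, lowercased, one per line.
# updatedb.conf(5) documents PRUNEFS type matching as case-insensitive.
prunefs_list() {
    sed -n 's/^[[:space:]]*PRUNEFS[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        tr '[:upper:]' '[:lower:]' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# prunefs_missing CONF TYPE...: print every TYPE that is not pruned.
# Returns 0 when all TYPEs are listed in PRUNEFS, 1 otherwise.
prunefs_missing() {
    conf=$1; shift
    pruned=$(prunefs_list "$conf")
    rc=0
    for want in "$@"; do
        w=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
        # -x forces a whole-line match, so "tmpfs" does not satisfy "devtmpfs".
        if ! printf '%s\n' "$pruned" | grep -qxF -- "$w"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# sample_conf: constructed configuration without ecryptfs, for illustration only.
sample_conf() {
    cat <<'EOF'
PRUNE_BIND_MOUNTS="yes"
# PRUNEFS="ecryptfs"   (commented out, must be ignored)
PRUNEPATHS="/tmp /var/spool /media"
PRUNEFS = "NFS nfs4 proc smbfs tmpfs usbfs"
EOF
}

# Stand-alone run against the constructed sample; point it at
# /etc/updatedb.conf to audit a real system.
tmp=$(mktemp)
sample_conf > "$tmp"
prunefs_missing "$tmp" ecryptfs fusesmb devtmpfs ||
    echo "the types listed above are not in PRUNEFS"
rm -f "$tmp"
```

Run it after a release upgrade as well, since a replaced updatedb.conf can drop a local PRUNEFS change.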
