updatedb.conf should include ecryptfs in the PRUNEFS line

Bug #372631 reported by Nick Moffitt
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
mlocate (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: mlocate

I am using ecryptfs-utils to create a ~/Private/ mount that I keep sensitive data in. I was shocked to find these files listed in a "locate" query. I believe that ecryptfs should be added to the list of excluded mlocate filesystems for two reasons:

  1) It is a reasonable expectation that file metadata in an ecryptfs is just as private as the file contents: if an attacker plugs my stolen spun-down drive into an enemy system, my file metadata are compromised.
  2) The cost to traverse an ecryptfs is noticeably higher than that of a raw ext3 filesystem

I have of course added this to my own copy, and the behavior is now precisely as I originally expected.

ProblemType: Bug
Architecture: i386
DistroRelease: Ubuntu 9.04
Package: mlocate 0.21.1-1ubuntu1
ProcEnviron:
 LC_COLLATE=C
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: mlocate
Uname: Linux 2.6.28-11-generic i686

Nick Moffitt (nick-moffitt) wrote :

For completeness:

ii ecryptfs-utils 73-0ubuntu6 ecryptfs cryptographic filesystem (utilities)
ii libecryptfs0 73-0ubuntu6 ecryptfs cryptographic filesystem (library)

Chris Mayfield (csmayfield) wrote :

Same problem on 9.10. An alternative solution would be to add ecryptfs to the PRUNEFS list.

Nick Moffitt (nick-moffitt) wrote :

I'm not sure how that's an alternative, Chris. It sounds rather like what I suggested in the subject line of this bug.

Nick Moffitt (nick-moffitt) wrote :

Also I just noticed that this is present in Lucid, as my upgrade from karmic to lucid included a reversion of my previous change.

Dustin Kirkland (kirkland) wrote :

I'll confirm this.

I think it's a reasonable expectation if your filenames themselves are encrypted.

Changed in mlocate (Ubuntu):
status: New → Confirmed
Nick Moffitt (nick-moffitt) wrote :

I can confirm that this is still present in Lucid

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mlocate - 0.22.2-1ubuntu1

---------------
mlocate (0.22.2-1ubuntu1) lucid; urgency=low

  * Add ecryptfs to PRUNEFS (LP: #372631).
  * Add fusesmb to PRUNEFS (LP: #222504).
  * Add devtmpfs to PRUNEFS; tmpfs was already there, so this should cover
    /dev (LP: #355404).
 -- Colin Watson <email address hidden> Wed, 24 Mar 2010 10:12:15 +0000

Changed in mlocate (Ubuntu):
status: Confirmed → Fix Released
Nick Moffitt (nick-moffitt) wrote :

Whoa, spoke only moments too soon! Many thanks, Colin!

Rafael Monica (monraaf-deactivatedaccount) wrote :

Maybe it's a good idea to also add /home/.ecryptfs to PRUNEPATHS. Not a security issue, but it contains nothing useful for locate and thus it's a waste of time scanning that.
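
A way to audit a host for the condition this report describes, as an added example that is not part of the original thread or of mlocate: it cross-checks the PRUNEFS and PRUNEPATHS settings of an updatedb.conf against a mount table and lists the ecryptfs mount points that updatedb would still index. The function names, the sample configuration and the sample mount table are constructed for illustration.

```python
import re

# Constructed sample inputs for illustration (not taken from the bug report).
SAMPLE_CONF = '''\
PRUNE_BIND_MOUNTS="yes"
PRUNEPATHS="/tmp /var/spool /media"
PRUNEFS="NFS nfs proc smbfs tmpfs usbfs"  # ecryptfs missing
'''
SAMPLE_MOUNTS = '''\
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw 0 0
/home/alice/.Private /home/alice/Private ecryptfs rw,ecryptfs_cipher=aes 0 0
'''

def parse_conf(text):
    """Return {NAME: [tokens]} from NAME="a b c" lines; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z_]+)\s*=\s*"([^"]*)"', line.split("#", 1)[0])
        if m:
            settings[m.group(1)] = m.group(2).split()
    return settings

def unescape(field):
    """Decode the octal escapes /proc/mounts uses, e.g. \\040 for a space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def exposed_mounts(conf_text, mounts_text, fstype="ecryptfs"):
    """Mount points of `fstype` that updatedb would still walk and index."""
    conf = parse_conf(conf_text)
    # updatedb.conf(5): file system types in PRUNEFS match case-insensitively.
    if fstype in {t.lower() for t in conf.get("PRUNEFS", [])}:
        return []
    pruned = [p.rstrip("/") for p in conf.get("PRUNEPATHS", [])]
    exposed = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2].lower() != fstype:
            continue
        mnt = unescape(fields[1])
        # A mount at or below a PRUNEPATHS directory is never reached.
        if not any(mnt == p or mnt.startswith(p + "/") for p in pruned):
            exposed.append(mnt)
    return exposed

if __name__ == "__main__":
    # On a real host, pass the contents of /etc/updatedb.conf and /proc/mounts.
    for mnt in exposed_mounts(SAMPLE_CONF, SAMPLE_MOUNTS):
        print("would be indexed by updatedb:", mnt)
```

An empty result means every mounted ecryptfs file system is skipped, either by type through PRUNEFS or by location through PRUNEPATHS.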
