FS#30068 - [mlocate] updatedb.conf should ignore encrypted file systems
Attached to Project:
Arch Linux
Opened by Xyne (Xyne) - Tuesday, 29 May 2012, 22:05 GMT
Last edited by Allan McRae (Allan) - Tuesday, 19 June 2012, 15:28 GMT
Opened by Xyne (Xyne) - Tuesday, 29 May 2012, 22:05 GMT
Last edited by Allan McRae (Allan) - Tuesday, 19 June 2012, 15:28 GMT
|
Details
/etc/updatedb.conf lists file systems that should be ignored
with PRUNEFS. The current default ignores ephemeral file
systems (e.g. tmpfs) and network file systems (e.g.
cifs).
By default, it should also ignore encrypted file systems. By not ignoring encrypted file systems, the unencrypted names and locations of encrypted files (when mounted) are stored in the mlocate database, which may expose secret/private data to an attacker and will at the very least provide evidence of their existence. Please add at least the following to the default PRUNEFS array in updatedb.conf: ecryptfs fuse.encfs The first is for eCryptfs and the second is for EncFS. Both are widely used and available in [community]. eCryptfs is also officially supported upstream in the kernel. Thanks. |
This task depends upon
Closed by Allan McRae (Allan)
Tuesday, 19 June 2012, 15:28 GMT
Reason for closing: Implemented
Additional comments about closing: mlocate-0.25-2
Tuesday, 19 June 2012, 15:28 GMT
Reason for closing: Implemented
Additional comments about closing: mlocate-0.25-2
When an encrypted block device is decrypted and mounted, the encryption is transparent to the system. The block device behaves as though it were a regular partition as far as mounting goes, and the system only sees a generic file system (e.g. ext4). There is no way to detect that via the file system type.
eCryptfs and EncFS are stacked file systems. The system itself reports their file systems as encrypted (ecryptfs, fuse.encfs). This is different from encrypted block device. There is no need for "detection". The type is given in mtab and elsewhere.
There may be other encrypted file systems, but these two are the most common and most widely supported (as mentioned, eCryptfs is supported upstream in the kernel), so it makes sense to include them. If other systems become more popular then they can be added too. Given how obscure some of the current defaults are, this should not be an issue.
By adding ecryptfs and fuse.encfs to the PRUNEFS list, updatedb will *not* stores the plaintext names of the encrypted files.
You could argue that users should be aware of this and edit the list themselves, but it isn't obvious and there is no reason not to choose a secure setup by default. The file itself is added by the packager, so there is no issue of modifying upstream defaults either.
edit: typos
I don't really agree. Network file shares can be expected to be persistent in many cases, and the files located on them will often remain unchanged. The same applies to external devices. tmpfs is also usually mounted for extended periods of time and non-volatile for much of the session. Encrypted file systems are usually used the same way as tmpfs, i.e. mounted when needed, often for the duration of the session, but with the expectation that they will be unmounted at some point.
In any case, encrypted file systems are clearly in their own category and I think they should be included with the defaults.