Interesting story about improvements to users’ home directories on Linux.

  • brombek@lemmy.ml · 4 years ago

    For me this looks like he is trying to work around the fundamentally broken model of ACLs written to the file system that UNIX uses. The only way to get this right and not have mountains of complexity is to use an object-capability system instead of ACLs; but this would not be UNIX anymore.

    Also the idea of erasing your LUKS key is kinda pointless since your RAM will also contain most of your recently opened files in page cache - so if you can read your LUKS key from RAM you can also read some of your files from RAM. If you want your files to be really secure, just shut down the computer or suspend to disk (“hibernate”) with encryption of the suspend file - this would be no different from what he proposes (since no user program can run anyway) and also better for CO2 emissions…

    • federico3@lemmy.ml · 4 years ago

      Not at all. File access control in UNIX works just fine, but no kernel-based access control can protect all user homes against a successful privilege escalation. Encryption, instead, does.

      The idea that erasing keys is pointless is also incorrect: it’s possible to implement proper scrubbing of keys and caches in RAM, and also CPU registers, CPU caches and so on. Once the sensitive content is wiped the kernel can be compromised by an attacker but the data will not be immediately at risk.

      • brombek@lemmy.ml · 4 years ago

        What I am saying is that if you have access to RAM (e.g. via https://en.wikipedia.org/wiki/IEEE_1394#Security_issues or in general https://en.wikipedia.org/wiki/DMA_attack) then not all content of your files is secure unless you “scrub” the entire content of RAM.

        So if you were to scrub page cache, loaded programs will still have some or all parts of the files loaded in RAM. E.g. my vim process will have some of my source code loaded. My SSH agent will have my keys loaded in RAM, my browser will have the very text you are reading loaded in RAM.

        So scrubbing keys from RAM will protect most of your data but not all of your data - false sense of security. So you better understand that trade-off before using such a proposed system. It is still better than having your disk wide open but it will never be perfect.

        • federico3@lemmy.ml · 4 years ago

          the idea of erasing your LUKS key is kinda pointless … opened files in page cache

          So scrubbing keys from RAM will protect most of your data but not all of your data

          Now you are shifting the goalposts.

          This is not a design flaw in LUKS or in ACLs. Applications can be closed, the SSH agent can scrub its memory and so on.
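As an added illustration of the "the SSH agent can scrub its memory" point (example code written for this page, not from the thread or from any real agent): a small C routine that pins a key buffer with mlock() so it cannot reach swap, wipes it through a volatile pointer so the compiler cannot elide the stores, and checks that nothing remains. The struct, function names and the key bytes are constructed for the example.

```c
#include <string.h>
#include <sys/mman.h>

struct secret {
    unsigned char key[32];      /* what an agent holds in memory */
    int locked;                 /* 1 if mlock() pinned the pages */
};

/* Volatile stores cannot be dropped as dead; glibc's explicit_bzero() does the same. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Pin the pages so the key is never written to swap, then copy it in. */
int secret_init(struct secret *s, const unsigned char *material, size_t len)
{
    if (len != sizeof s->key) return -1;
    s->locked = (mlock(s, sizeof *s) == 0);   /* may fail under RLIMIT_MEMLOCK */
    memcpy(s->key, material, len);
    return 0;
}

/* Scrub first, unlock second: the pages stay unswappable until clean. */
void secret_wipe(struct secret *s)
{
    secure_wipe(s->key, sizeof s->key);
    if (s->locked) munlock(s, sizeof *s);
    s->locked = 0;
}

/* 1 if every key byte is zero. */
int secret_is_clean(const struct secret *s)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof s->key; i++) acc |= s->key[i];
    return acc == 0;
}

/* Load a constructed key, wipe it, and return 1 if nothing remains. */
int demo_wipe_roundtrip(void)
{
    unsigned char material[32];
    struct secret s;
    for (size_t i = 0; i < sizeof material; i++) material[i] = (unsigned char)(0xA5 ^ i); /* constructed */
    if (secret_init(&s, material, sizeof material) != 0 || secret_is_clean(&s)) return 0;
    secret_wipe(&s); secure_wipe(material, sizeof material);   /* the caller's copy too */
    return secret_is_clean(&s);
}
```

Scrubbing the agent's own buffer is the part under the program's control; copies the kernel keeps elsewhere (page cache, swap of unlocked pages) are outside it, which is the trade-off the thread is arguing about.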