Linux

49469 readers

693 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

Systemd’s Lennart Poettering Wants to Bring Linux Home Directories into the 21st Century (thenewstack.io)

submitted 4 years ago by [email protected] to c/[email protected]

6 comments fedilink hide all child comments

Interesting story about improvements to user's home directories on Linux.

all 7 comments

sorted by: hot top controversial new old

[–] [email protected] 0 points 4 years ago (1 children)

For me this looks like he is trying to work around fundamentally broken model of ACLs written to file system that UNIX uses. The only way to get this right and not have mountains of complexity is to use object-capability system instead of ACL; but this would not be UNIX anymore.

Also the idea of erasing your LUKS key is kinda pointless since your RAM will also contain most of your recently opened files in page cache - so if you can read your LUKS key from RAM you can also read some of your files from RAM. If you want your files to be really secure just shut down the computer or suspend to disk ("hibernate") with encryption of the suspend file - this would be no different for what he proposes (since no user program can run anyway) and also better for CO2 emissions...

[–] [email protected] -1 points 4 years ago (1 children)

Not at all. File access control in UNIX works just fine, but no kernel-based access control can protect all user homes against a successful privilege escalation. Encryption, instead, does.

The idea that erasing keys is pointless is also incorrect: it's possible to implement proper scrubbing of keys and caches in RAM, and also CPU registers, CPU caches and so on. Once the sensitive content is wiped the kernel can be compromised by an attacker but the data will not be immediately at risk.

[–] [email protected] 0 points 4 years ago (1 children)

What I am saying is that if you have access to RAM (e.g. via https://en.wikipedia.org/wiki/IEEE_1394#Security_issues or in general https://en.wikipedia.org/wiki/DMA_attack) then not all content of your files is secure unless you "scrub" the entire content of RAM.

So if you were to scrub page cache, loaded programs will still have some or all parts of the files loaded in RAM. E.g. my vim process will have some of my source code loaded. My SSH agent will have my keys loaded in RAM, my browser will have the very text you are reading loaded in RAM.

So scrubbing keys from RAM will protect most of your data but not all of your data - false sense of security. So you better understand that trade-off before using such proposed system. It is still better than having you disk wide open but it will never be perfect.

[–] [email protected] -1 points 4 years ago

the idea of erasing your LUKS key is kinda pointless ... opened files in page cache

So scrubbing keys from RAM will protect most of your data but not all of your data

Now you are shifting the goalposts.

This is not a design flaw in LUKS or in ACLs. Applications can be closed, the SSH agent can scrub its memory and so on.