From: Richard Weinberger
Date: Tue, 14 Feb 2017 11:48:12 +0100
Subject: Re: fs/crypto: root read-access without key
To: Anand Jain
Cc: "Theodore Ts'o", linux-fsdevel
In-Reply-To: <8f00a43e-c6eb-265e-f3ca-d306179d61d9@oracle.com>
References: <8f00a43e-c6eb-265e-f3ca-d306179d61d9@oracle.com>

Anand,

On Tue, Feb 14, 2017 at 11:18 AM, Anand Jain wrote:
>
> Hi Ted,
>
> As of now root[1] can access the plain-text when the data is cached
> by the user-with-the-key and, root gets error no-key when data is
> not cached by the user-with-the-key. I think this behavior is a
> bug if not, wrong design, or looks like I am missing something.
>
> [1] for that matter any user who has read access to the files but
> does not have the keys.

Well, as soon as the key is loaded, plaintext of pages and filenames will be
stored in page- and dcache and any users that can access the files will see
the plaintext.
If you want to keep /secret really secret you have to apply correct DAC/MAC
permissions as well.
Or put /secret into a private mount namespace.

--
Thanks,
//richard
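
An added example, not part of the original message: a Python audit for the DAC half of the advice above, listing paths under an encrypted directory that group/other mode bits leave reachable once the key is loaded. It reads mode bits only (ACLs, MAC policy and privileged users are outside what it covers), and the function names are illustrative.

```python
import os
import stat
import sys

OTHERS = stat.S_IRWXG | stat.S_IRWXO   # any group/other permission bit
SEARCH = stat.S_IXGRP | stat.S_IXOTH   # group/other may traverse a directory


def exposed_paths(root):
    """Return paths under root that non-owners can reach via mode bits.

    A path is exposed when it grants any group/other permission and every
    directory from root down to it grants group/other search (x).
    """
    exposed = []
    root_mode = os.lstat(root).st_mode
    if root_mode & OTHERS:
        exposed.append(root)
    if not root_mode & SEARCH:
        return exposed              # only the owner can descend from here
    for dirpath, dirnames, filenames in os.walk(root):
        traversable = []
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue            # link mode is meaningless; skip, do not follow
            if mode & OTHERS:
                exposed.append(path)
            if stat.S_ISDIR(mode) and mode & SEARCH:
                traversable.append(name)
        dirnames[:] = traversable   # prune subtrees others cannot enter
    return sorted(exposed)


def lock_down(root):
    """Drop group/other bits on root so non-owners cannot traverse into it."""
    mode = stat.S_IMODE(os.lstat(root).st_mode)
    os.chmod(root, mode & ~OTHERS)


if __name__ == "__main__":
    # "/secret" is the directory name used in the message above.
    for p in exposed_paths(sys.argv[1] if len(sys.argv) > 1 else "/secret"):
        print(p)
```

A file with mode 0644 inside a 0700 directory is not reported, because non-owners cannot traverse the parent to reach it.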