Mount parameters

Mount parameters

[Wilson]

Hi,

is it possible to mount a ecryptfs home directory with mount
parameters such as noexec?

I'm trying to build an hardened Ubuntu install (it's just an hobby for
learning something, noting professional) and I'm stuck trying to
prevent execution from home even for users with cyphered home.

I'm mounting the whole /home with noexec in fstab, but cyphered home
are obviously unaffected and I'm unable to find a way to say to
ecryptfs to do so, can it be done?

Thanks,

Wilson

Re: Mount parameters

[Michael Chang]

My gut feeling is you really want Apparmor or SELinux to restrict
execution, since users can just mount new filesystems wherever with
exec set (especially on a Desktop configuration with e.g. GNOME
installed).

However, ecryptfs takes the "noexec" parameter at mount time, just
like most FUSE filesystems. You can test this by mounting it from the
command line and passing it as an option. Where you would set that so
that it always takes effect depends on how you're mounting the
directories...

Michael Chang

On Thu, Oct 2, 2014 at 3:55 PM, Michael Chang <thenewme91@gmail.com> wrote:
> My gut feeling is you really want Apparmor or SELinux to restrict execution,
> since users can just mount new filesystems wherever with exec set
> (especially on a Desktop configuration with e.g. GNOME installed).
>
> However, ecryptfs takes the "noexec" parameter at mount time, just like most
> FUSE filesystems. You can test this by mounting it from the command line and
> passing it as an option. Where you would set that so that it always takes
> effect depends on how you're mounting the directories...
>
> Michael Chang
>
> On Thu, Oct 2, 2014 at 3:41 PM, Wilson <wilson.ubuntu@gmail.com> wrote:
>>
>> Hi,
>>
>> is it possible to mount a ecryptfs home directory with mount
>> parameters such as noexec?
>>
>> I'm trying to build an hardened Ubuntu install (it's just an hobby for
>> learning something, noting professional) and I'm stuck trying to
>> prevent execution from home even for users with cyphered home.
>>
>> I'm mounting the whole /home with noexec in fstab, but cyphered home
>> are obviously unaffected and I'm unable to find a way to say to
>> ecryptfs to do so, can it be done?
>>
>> Thanks,
>>
>> Wilson
>> --
>> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
>
>
> --
> Michael Chang



-- 
Michael Chang

Re: Mount parameters

[Wilson]

Thanks for the immediate answer.

My present goal is just to prevent automated or accidental execution
of treacherous downloads while letting users to execute their own code
if they really want (next step will be to give permission to mount FS
to some users and not others), so the noexec parameter seemed the
obvious way to do it (and for users with a not encrypted home it works
fine).


I'm using the standard "use a crypted home" by Ubuntu, so as far as I
know I'm using the PAM module, I'm just unable to find out where to
look to configure it (either globally or for a single user).

I've the feeling that I'm missing something obvious, but I can't find it.

Wilson

2014-10-03 0:56 GMT+02:00 Michael Chang <thenewme91@gmail.com>:
> My gut feeling is you really want Apparmor or SELinux to restrict
> execution, since users can just mount new filesystems wherever with
> exec set (especially on a Desktop configuration with e.g. GNOME
> installed).
>
> However, ecryptfs takes the "noexec" parameter at mount time, just
> like most FUSE filesystems. You can test this by mounting it from the
> command line and passing it as an option. Where you would set that so
> that it always takes effect depends on how you're mounting the
> directories...
>
> Michael Chang
>
> On Thu, Oct 2, 2014 at 3:55 PM, Michael Chang <thenewme91@gmail.com> wrote:
>> My gut feeling is you really want Apparmor or SELinux to restrict execution,
>> since users can just mount new filesystems wherever with exec set
>> (especially on a Desktop configuration with e.g. GNOME installed).
>>
>> However, ecryptfs takes the "noexec" parameter at mount time, just like most
>> FUSE filesystems. You can test this by mounting it from the command line and
>> passing it as an option. Where you would set that so that it always takes
>> effect depends on how you're mounting the directories...
>>
>> Michael Chang
>>
>> On Thu, Oct 2, 2014 at 3:41 PM, Wilson <wilson.ubuntu@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> is it possible to mount a ecryptfs home directory with mount
>>> parameters such as noexec?
>>>
>>> I'm trying to build an hardened Ubuntu install (it's just an hobby for
>>> learning something, noting professional) and I'm stuck trying to
>>> prevent execution from home even for users with cyphered home.
>>>
>>> I'm mounting the whole /home with noexec in fstab, but cyphered home
>>> are obviously unaffected and I'm unable to find a way to say to
>>> ecryptfs to do so, can it be done?
>>>
>>> Thanks,
>>>
>>> Wilson
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>>
>>
>>
>> --
>> Michael Chang
>
>
>
> --
> Michael Chang
> --
> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Mount parameters

[Michael Chang]

Hmm... that doesn't prevent executing commands of the form "wget
'$URL' | /bin/bash" which are increasingly common.

You could also set umask to prevent new files from having the execute
bit set, but with shell and script interpreters (bash, python, etc.)
I'm not sure how fruitful that will be.

On Thu, Oct 2, 2014 at 4:21 PM, Wilson <wilson.ubuntu@gmail.com> wrote:
> Thanks for the immediate answer.
>
> My present goal is just to prevent automated or accidental execution
> of treacherous downloads while letting users to execute their own code
> if they really want (next step will be to give permission to mount FS
> to some users and not others), so the noexec parameter seemed the
> obvious way to do it (and for users with a not encrypted home it works
> fine).
>
>
> I'm using the standard "use a crypted home" by Ubuntu, so as far as I
> know I'm using the PAM module, I'm just unable to find out where to
> look to configure it (either globally or for a single user).
>
> I've the feeling that I'm missing something obvious, but I can't find it.
>
> Wilson
>
> 2014-10-03 0:56 GMT+02:00 Michael Chang <thenewme91@gmail.com>:
>> My gut feeling is you really want Apparmor or SELinux to restrict
>> execution, since users can just mount new filesystems wherever with
>> exec set (especially on a Desktop configuration with e.g. GNOME
>> installed).
>>
>> However, ecryptfs takes the "noexec" parameter at mount time, just
>> like most FUSE filesystems. You can test this by mounting it from the
>> command line and passing it as an option. Where you would set that so
>> that it always takes effect depends on how you're mounting the
>> directories...
>>
>> Michael Chang
>>
>> On Thu, Oct 2, 2014 at 3:55 PM, Michael Chang <thenewme91@gmail.com> wrote:
>>> My gut feeling is you really want Apparmor or SELinux to restrict execution,
>>> since users can just mount new filesystems wherever with exec set
>>> (especially on a Desktop configuration with e.g. GNOME installed).
>>>
>>> However, ecryptfs takes the "noexec" parameter at mount time, just like most
>>> FUSE filesystems. You can test this by mounting it from the command line and
>>> passing it as an option. Where you would set that so that it always takes
>>> effect depends on how you're mounting the directories...
>>>
>>> Michael Chang
>>>
>>> On Thu, Oct 2, 2014 at 3:41 PM, Wilson <wilson.ubuntu@gmail.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> is it possible to mount a ecryptfs home directory with mount
>>>> parameters such as noexec?
>>>>
>>>> I'm trying to build an hardened Ubuntu install (it's just an hobby for
>>>> learning something, noting professional) and I'm stuck trying to
>>>> prevent execution from home even for users with cyphered home.
>>>>
>>>> I'm mounting the whole /home with noexec in fstab, but cyphered home
>>>> are obviously unaffected and I'm unable to find a way to say to
>>>> ecryptfs to do so, can it be done?
>>>>
>>>> Thanks,
>>>>
>>>> Wilson
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
>>>> the body of a message to majordomo@vger.kernel.org
>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>>
>>>
>>>
>>> --
>>> Michael Chang
>>
>>
>>
>> --
>> Michael Chang
>> --
>> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Michael Chang

Re: Mount parameters

[Wilson]

Well, to be honest, the next thing to learn in my plan was "how to set
interpreters' apparmor profiles to prevent unwanted script execution
from home and removable volumes" ;)
I'm told that you can do that, so, even if I see some difficult (bash
will ever need to read .bashrc and so on) I'm willing to try (I've
done something similar with browsers and it made me learn a lot).
Otherwise I'm bound to try selinux.

ps: do you know how to set the pam profile to use some parameters?


2014-10-03 1:25 GMT+02:00 Michael Chang <thenewme91@gmail.com>:
> Hmm... that doesn't prevent executing commands of the form "wget
> '$URL' | /bin/bash" which are increasingly common.
>
> You could also set umask to prevent new files from having the execute
> bit set, but with shell and script interpreters (bash, python, etc.)
> I'm not sure how fruitful that will be.
>
> On Thu, Oct 2, 2014 at 4:21 PM, Wilson <wilson.ubuntu@gmail.com> wrote:
>> Thanks for the immediate answer.
>>
>> My present goal is just to prevent automated or accidental execution
>> of treacherous downloads while letting users to execute their own code
>> if they really want (next step will be to give permission to mount FS
>> to some users and not others), so the noexec parameter seemed the
>> obvious way to do it (and for users with a not encrypted home it works
>> fine).
>>
>>
>> I'm using the standard "use a crypted home" by Ubuntu, so as far as I
>> know I'm using the PAM module, I'm just unable to find out where to
>> look to configure it (either globally or for a single user).
>>
>> I've the feeling that I'm missing something obvious, but I can't find it.
>>
>> Wilson
>>
>> 2014-10-03 0:56 GMT+02:00 Michael Chang <thenewme91@gmail.com>:
>>> My gut feeling is you really want Apparmor or SELinux to restrict
>>> execution, since users can just mount new filesystems wherever with
>>> exec set (especially on a Desktop configuration with e.g. GNOME
>>> installed).
>>>
>>> However, ecryptfs takes the "noexec" parameter at mount time, just
>>> like most FUSE filesystems. You can test this by mounting it from the
>>> command line and passing it as an option. Where you would set that so
>>> that it always takes effect depends on how you're mounting the
>>> directories...
>>>
>>> Michael Chang
>>>
>>> On Thu, Oct 2, 2014 at 3:55 PM, Michael Chang <thenewme91@gmail.com> wrote:
>>>> My gut feeling is you really want Apparmor or SELinux to restrict execution,
>>>> since users can just mount new filesystems wherever with exec set
>>>> (especially on a Desktop configuration with e.g. GNOME installed).
>>>>
>>>> However, ecryptfs takes the "noexec" parameter at mount time, just like most
>>>> FUSE filesystems. You can test this by mounting it from the command line and
>>>> passing it as an option. Where you would set that so that it always takes
>>>> effect depends on how you're mounting the directories...
>>>>
>>>> Michael Chang
>>>>
>>>> On Thu, Oct 2, 2014 at 3:41 PM, Wilson <wilson.ubuntu@gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> is it possible to mount a ecryptfs home directory with mount
>>>>> parameters such as noexec?
>>>>>
>>>>> I'm trying to build an hardened Ubuntu install (it's just an hobby for
>>>>> learning something, noting professional) and I'm stuck trying to
>>>>> prevent execution from home even for users with cyphered home.
>>>>>
>>>>> I'm mounting the whole /home with noexec in fstab, but cyphered home
>>>>> are obviously unaffected and I'm unable to find a way to say to
>>>>> ecryptfs to do so, can it be done?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Wilson
>>>>> --
>>>>> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
>>>>> the body of a message to majordomo@vger.kernel.org
>>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Michael Chang
>>>
>>>
>>>
>>> --
>>> Michael Chang
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
>
> --
> Michael Chang