Hi Jonas, On Wed, 09 Dec 2015 at 23:28:51 +0100, Jonas Meurer wrote: > Am 09.12.2015 um 19:58 schrieb Guilhem Moulin: >> I forgot an important piece of information: UMASK should be changed to >> 0077 to ensure that regular users can't access the keys. > > Sounds reasonable. I added it the the SVN repository for now. But am I > correct that setting the UMASK in initramfs.conf will have an impact on > all files that are added to the initramfs? This might lead to unwanted > side effects.
No, you're not :-P UMASK is documented in initramfs.conf(5) as
follows:
“UMASK Set the umask value of the generated initramfs file. Useful to
not disclose eventual keys.”
Indeed the generated initrd.img is created with permission 0644 minus
$UMASK (which defaults to the process' umask(2)), while files are being
being copied ignoring the $UMASK value.
~$ sudo lsinitramfs -l /initrd.img | grep scripts/local-top/cryptroot
-rwxr-xr-x 1 root root 9608 Dec 9 05:08
scripts/local-top/cryptroot
~$ sudo ls -l /boot/initrd.img-4.2.0-1-amd64
-rw------- 1 root root 4128472 Dec 9 21:40 /boot/initrd.img-4.2.0-1-amd64
> Why not set the key file permissions directly while copying it to the
> initramfs in cryptroot hook?
That would defeat the purpose of keep regular users at bay from the
private key material. As long as I have read access to the initrd.img I
can decompress it (possibly on another machine) and read the content of
any file it contains, regardless of their permission. Pretty much like
a tarball.
Cheers,
--
Guilhem.
signature.asc
Description: PGP signature
