Restricting Who Can Encrypt their $HOME or $HOME/Private in Ubuntu

July 27, 2009

I’m listening to the UK Podcast S02E09 right now, and there was a question from a user about restricting who can encrypt their home or private directory under Ubuntu. (A bit later in the broadcast, these fine fellows interview yours truly.)

Dave Walker and Alan Pope were discussing this. Perhaps you have a shared system at home and you want to encrypt your home directory, but don’t want to give this privilege to your unruly 10-year-old 😉

Here’s a simple recipe for solving this using Unix Discretionary Access Controls:

sudo addgroup ecryptfs
sudo usermod -a -G ecryptfs [allowed users]
sudo chown root:ecryptfs /sbin/mount.ecryptfs_private
sudo chmod 4750 /sbin/mount.ecryptfs_private

So you create an ecryptfs group, add your allowed users to it, change the setuid binary’s ownership to root:ecryptfs and its mode to 4750, so that only root and members of the ecryptfs group can execute it. Done!

I’ll note that Fedora 11 already ships /sbin/mount.ecryptfs_private with permissions like these by default. I don’t plan to change Ubuntu’s default behavior unless required by the Ubuntu Security Team.

-rwsr-x--- 1 root ecryptfs 12216 2009-07-21 02:36 /sbin/ecryptfs_private*



One Response to “Restricting Who Can Encrypt their $HOME or $HOME/Private in Ubuntu”

  1. mgedmin Says:

    If you don't want the changes to permissions and ownership to disappear on the first security update of ecryptfs-utils, you should use dpkg-statoverride.
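Putting the recipe and the dpkg-statoverride suggestion together, as an added example that is not part of the original post or of ecryptfs-utils: a small POSIX sh script that creates the group, records root:ecryptfs 4750 on the helper with dpkg-statoverride so the mode survives a package update, adds the allowed users, and checks the result. The script name, the `apply` argument and the `check_restricted` helper are assumptions of this example.

```shell
#!/bin/sh
# Added example: the post's ecryptfs-group restriction, recorded with
# dpkg-statoverride so an ecryptfs-utils update does not reset it.
# Assumes Debian/Ubuntu, GNU coreutils `stat`, and root for "apply".

ECRYPTFS_HELPER=/sbin/mount.ecryptfs_private
ECRYPTFS_GROUP=ecryptfs

# restrict_helper PATH GROUP: make PATH root:GROUP 4750 and register that
# with dpkg; --update applies it now as well as recording the override.
restrict_helper() {
    getent group "$2" >/dev/null || addgroup "$2"
    # --add refuses to replace an existing override, so drop any old one
    if dpkg-statoverride --list "$1" >/dev/null 2>&1; then
        dpkg-statoverride --remove "$1"
    fi
    dpkg-statoverride --update --add root "$2" 4750 "$1"
}

# allow_user USER GROUP: usermod accepts one user per invocation.
allow_user() {
    usermod -a -G "$2" "$1"
}

# check_restricted PATH OWNER GROUP: succeed only if PATH is mode 4750,
# owned by OWNER:GROUP, i.e. setuid and executable by OWNER and GROUP only.
check_restricted() {
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || return 1
    [ "$actual" = "4750 $2 $3" ]
}

# Usage (assumed script name): sudo sh restrict-ecryptfs.sh apply alice bob
if [ "${1:-}" = "apply" ]; then
    shift
    restrict_helper "$ECRYPTFS_HELPER" "$ECRYPTFS_GROUP"
    for u in "$@"; do allow_user "$u" "$ECRYPTFS_GROUP"; done
    check_restricted "$ECRYPTFS_HELPER" root "$ECRYPTFS_GROUP" \
        && echo "ok: $ECRYPTFS_HELPER restricted to group $ECRYPTFS_GROUP"
fi
```

Afterwards `dpkg-statoverride --list /sbin/mount.ecryptfs_private` shows the recorded override, and a member of the group can run the helper while other users get "Permission denied".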
