My notes on making encrypted filesystems 'Just Work(tm)'
David Zeuthen
david at fubar.dk
Wed Dec 15 14:28:58 PST 2004
On Wed, 2004-12-15 at 16:16 -0600, W. Michael Petullo wrote:
> In my work on pam_mount I realized that many UNIXes allow one to view the
> environment a process is running in by using the "ps" command. Because
> non-root users can use this technique, passing passphrases using
> environment variables is a bad idea.
>
Oh yeah. One just gotta love UNIX :-/
> This is why I propose passing these parameters using pipes. Instead of
> reading its environment, a script could read its parameters from stdin.
> If we don't do something like this I don't know how hald would pass a
> passphrase to methods.d/Crypto/Sesame/Setup safely.
>
Right, OK, I hear you, we should think of something here. Using a pipe
to extract arguments seems like a good idea; I'll factor that in as
another possibility when specifying the mapping from interfaces/methods
to binaries, including how to pass the arguments (environment,
positional parameters, pipe or a combination) (might be specified as
properties you can merge using a .fdi file; might be XML files - we'll
see).
> An alternative is to set the name of a file in
> methods.d/Crypto/Sesame/Setup's environment (ie: PASS_FILE) and write
> Setup to read the passphrase out of that file. Though this is a solution,
> it is quite ugly.
>
Ugly in many ways - the system might be mostly read-only like the
Stateless Fedora project.
Cheers,
David
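As an added illustration of the pipe approach argued for above (example code, not from hal or pam_mount), the caller below hands the passphrase to a stand-in Setup helper over its stdin pipe only, and the helper reports whether the secret also showed up in its environment, where `ps` would expose it. The helper script, the `run_setup_helper` name and the `PASS` variable are constructed for this example.

```python
"""Pass a passphrase to a helper over a pipe (stdin) instead of its environment."""
import hashlib
import os
import subprocess
import sys

# Stand-in for a methods.d/Crypto/Sesame/Setup helper (constructed for this
# example). It reads the passphrase from stdin and proves receipt by printing
# a SHA-256 of it, plus a flag saying whether the same secret was also visible
# in its own environment (what `ps e` / /proc/<pid>/environ would reveal).
HELPER_SOURCE = r'''
import hashlib, os, sys
passphrase = sys.stdin.readline().rstrip("\n")
leaked = passphrase in os.environ.values()
print(hashlib.sha256(passphrase.encode()).hexdigest(), int(leaked))
'''


def passphrase_digest(passphrase: str) -> str:
    """Same digest the helper computes, so a caller can verify receipt."""
    return hashlib.sha256(passphrase.encode()).hexdigest()


def run_setup_helper(passphrase: str, env_leak: bool = False) -> dict:
    """Spawn the helper with the passphrase on a stdin pipe.

    env_leak=False is the recommended path: the secret is never placed in
    argv or the environment, so other users' `ps` cannot read it.
    env_leak=True reproduces the pattern the thread warns about (PASS=...
    in the child's environment) purely so the difference is observable.
    """
    env = {"PATH": os.environ.get("PATH", "")}  # minimal, secret-free environment
    if env_leak:
        env["PASS"] = passphrase
    proc = subprocess.run(
        [sys.executable, "-c", HELPER_SOURCE],  # argv carries no secret either
        input=passphrase + "\n",                # the pipe carries the secret
        capture_output=True, text=True, env=env, check=True,
    )
    digest, leaked = proc.stdout.split()
    return {"digest": digest, "leaked_in_env": leaked == "1"}


if __name__ == "__main__":
    print(run_setup_helper("correct horse battery staple"))
```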
_______________________________________________
hal mailing list
hal at lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/hal