Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 564894

Summary: sys-fs/ecryptfs-utils mount.ecryptfs_private doesn't work unless suid flag is set
Product: Gentoo Linux Reporter: Nick Kossifidis <mickflemm>
Component: [OLD] Core systemAssignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: UNCONFIRMED ---    
Severity: normal CC: crypto+disabled, email
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Nick Kossifidis 2015-11-04 22:07:30 UTC
mount.ecryptfs_private needs elevated privileges to mount() the user's encrypted "private" folder (e.g. the one that was set up by ecryptfs-setup-private). There are two ways to do that:

a) Have mount.ecryptfs_private marked with the suid bit and owned by root so that it always runs as root (that introduces a security risk and portage will print a warning about it)

b) Use file system capabilities and mark mount.ecryptfs_private with cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_admin+ep and not require the suid bit set (sys_admin to mount(), setuid/setgid because it sets its uid/gid to 0 internally and dac_read_search because normally the private directory -the mountpoint- is only accessible by the user -not by root, at least not without dac_read_search-).

Currently only the first option is available when enabling the suid USE flag, without it mount.ecryptfs_private won't work and the user won't know until he/she tries to use it. It would be much better to print a warning message to alert the user that by not using the suid flag he/she won't be able to use mount.ecryptfs_private. Also it would be much better if the ebuild supported the filecaps USE flag and made the second option available to the users.
Comment 1 Adrien DAUGABEL 2019-12-31 10:53:24 UTC
Hi,
Same problem and same fix : add setuid on mount.ecryptfs_private.