[Bug 936822] Re: ureadahead Caches eCryptfs Filesystem Contents

Phillip Susi psusi at ubuntu.com
Thu Jul 19 02:07:13 UTC 2012


The files are always cached.  The only thing ureadahead does is move the
point where the files are loaded into the cache from first access to
mount time.  To read the data cached in ram, an attacker would have to
have root access, in which case, the system is irreparably compromised
anyhow.


** Changed in: ureadahead (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/936822

Title:
  ureadahead Caches eCryptfs Filesystem Contents

Status in “ureadahead” package in Ubuntu:
  Invalid

Bug description:
  If you have autologin enabled or you're just a fast typist, ureadahead
  has the potential to cache pieces and whole filenames of files in an
  eCryptfs filesystem. This is a potential security vulnerability as it
  could theoretically provide a cryptanalyst vital pieces of plaintext
  data to break the filesystem encryption. It's a big "if" but it's
  possible.

  My previous patch is incorrect. Turns out my ureadahead broke somehow,
  so I thought it was working when it really wasn't.

  The actual problem lies not in /etc/init/ureadahead-other.conf, but in
  /etc/init/ureadahead.conf. I ended up adding a `post-stop script`
  section to `wipe` the file after it has been written. But, ideally,
  the file should never be written at all.

  From what I gathered, ureadahead determines what it should cache by
  actual system devices, rather than mount points as I had suspected.
  The problem with this is that eCryptfs mounts
  /home/.ecryptfs/[user]/.ecryptfs which exists on the same device as /.
  So, ureadahead assumes that it should cache all these files on the
  root device (which obviously include /home/.ecryptfs/[user]/.ecryptfs)
  when invoked as `ureadahead --daemon` as in the
  /etc/init/ureadahead.conf file.

  The ideal fix to this bug would be either a config file or a parameter
  for ureadahead that allows excluding certain paths within a device's
  filesystem. I would assume this would be possible as ureadahead writes
  the whole filenames into its pack files.

  I have retracted my patch.

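The report's point is that ureadahead records whole pathnames of files it traced on the root device, so a pack file can carry cleartext paths from under an eCryptfs home. The script below is an added example, not part of the bug report or of ureadahead itself: it extracts printable strings from a pack file and reports any that start with a given prefix, which is the check an administrator would want before deciding whether the pack needs wiping. The pack path /var/lib/ureadahead/pack and the prefix /home/.ecryptfs/ are assumptions taken from the report's description, the pack format is not parsed (only the report's statement that filenames are written verbatim is relied on), and the sample pack built by make_sample_pack is constructed for the demonstration and is not the real binary format.

```shell
#!/bin/sh
# Added example (not from the bug report or the ureadahead project).
# Checks a ureadahead pack for cleartext pathnames under an encrypted home.

# Print every printable run in the pack that begins with the given prefix.
# Non-printable bytes are turned into newlines, so no strings(1) is needed;
# the prefix is matched literally (awk index), not as a regex.
leaked_paths() {
    pack="$1"; prefix="$2"
    LC_ALL=C tr -c '[:print:]' '\n' < "$pack" \
        | awk -v p="$prefix" 'index($0, p) == 1' \
        | sort -u
}

# Returns 0 when no path under the prefix is present, 1 otherwise.
# Intended use on a live system (assumed default pack location):
#   pack_is_clean /var/lib/ureadahead/pack /home/.ecryptfs/
pack_is_clean() {
    if [ -n "$(leaked_paths "$1" "$2")" ]; then
        return 1
    fi
    return 0
}

# Constructed sample: NUL-separated pathnames with junk bytes between them,
# standing in for a real pack file. This is NOT the real pack format.
make_sample_pack() {
    out="$1"
    printf '\001\002\000/lib/x86_64-linux-gnu/libc.so.6\000\377' > "$out"
    printf '/home/.ecryptfs/alice/.ecryptfs/example-file\000\003' >> "$out"
    printf '/usr/bin/ls\000' >> "$out"
}

# Command-line use: ./check_pack.sh <packfile> [prefix]
if [ $# -ge 1 ]; then
    if pack_is_clean "$1" "${2:-/home/.ecryptfs/}"; then
        echo "no cleartext paths under ${2:-/home/.ecryptfs/} in $1"
    else
        echo "cleartext paths found in $1:"
        leaked_paths "$1" "${2:-/home/.ecryptfs/}"
    fi
fi
```

The same functions can be pointed at any other prefix that should never appear in a pack, so the check generalises beyond the eCryptfs case the report describes.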
