Suggestion: Leaky temp directory with encrypted home directories

Rob King jking at deadpixi.com
Fri Jul 2 15:42:50 UTC 2010


On Fri, 2010-07-02 at 09:16 -0500, Dustin Kirkland wrote: 
> On Thu, Jul 1, 2010 at 2:55 PM, Rob King <jking at deadpixi.com> wrote:
> > Hello everyone,
> >    Ubuntu's encrypted home directory feature is quite useful, and a good way
> > of increasing the security and privacy of information.
> >    However, the scheme is a little "leaky". Applications still use the
> > default system-wide temporary directory (/tmp), which is not encrypted. For
> > applications that store things in the temporary directory, this can cause
> > leaks of sensitive information outside the encrypted home directory. For
> > things like Deja Dup, this can cause the entire contents of the home
> > directory to be copied into an unencrypted area.
> >    I would suggest that, when a user enables the encrypted home directory
> > feature, the TMPDIR directory is set to a temporary directory inside that
> > user's home directory. This could easily be done in desktop sessions by
> > modifying ~/.xsessionrc. I'm not sure how easy this would be for
> > command-line logins.
> 
> I agree that programs which leak data of a truly sensitive nature to /tmp should
> be fixed.  Please file a bug in Launchpad for each and every program
> you find that leaks sensitive data to /tmp.
> 

While I agree that any program that writes sensitive data to /tmp is in
some way broken, I don't know that fixing them is a good long term
solution. For every program that is fixed, another will pop up that's
broken.

> However, it's worth mentioning that /tmp is wiped on every boot in
> Ubuntu.  For this reason, I usually put my /tmp in a tmpfs in memory
> (on systems where I have a few GB of memory).  Add this line to your
> /etc/fstab:
>   tmpfs /tmp tmpfs rw
> 
> This ensures that the data written to /tmp is never actually written
> to disk.  I think this is an excellent best-practice for the security
> conscious.
> 

This is a good solution, except that it only works on systems with
sufficient RAM - and even then, the RAM may be swapped to disk. By
setting a session-wide TMPDIR variable, temporary data is always written
to an area of the disk that is known to be encrypted. 

Thanks,
Rob
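As an added example, not code from this thread: a POSIX sh fragment of the kind ~/.xsessionrc could source, which creates a mode-0700 temporary directory inside the home directory and exports TMPDIR only after confirming from /proc/mounts that the directory lies on an ecryptfs mount. The function names, the $HOME/.tmp location and the mount-line format check are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps per-user temporary files
# inside the encrypted home directory rather than the shared /tmp.
# Assumes an eCryptfs home: /proc/mounts lists the home mount with type
# "ecryptfs". Function names and the $HOME/.tmp location are assumptions.

# private_tmpdir DIR: create DIR with mode 0700 (refusing a symlink) and print it.
private_tmpdir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing to use symlink $dir as TMPDIR" >&2
        return 1
    fi
    mkdir -p -m 0700 "$dir" && chmod 0700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# encrypted_mount_for PATH [MOUNTS]: print the longest ecryptfs mount point in
# MOUNTS (a /proc/mounts-format file) that contains PATH; return 1 if none.
encrypted_mount_for() {
    path=$1
    mounts=${2:-/proc/mounts}
    best=""
    while read -r _dev mnt fstype _rest; do
        [ "$fstype" = ecryptfs ] || continue
        case "$path" in
            "$mnt" | "$mnt"/*)
                if [ ${#mnt} -gt ${#best} ]; then best=$mnt; fi ;;
        esac
    done < "$mounts"
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# setup_private_tmpdir [DIR] [MOUNTS]: what ~/.xsessionrc would run. Exports
# TMPDIR only when DIR lies on an encrypted mount; otherwise leaves the
# default so the session does not silently point TMPDIR at plaintext storage.
setup_private_tmpdir() {
    dir=${1:-$HOME/.tmp}
    mounts=${2:-/proc/mounts}
    if ! encrypted_mount_for "$dir" "$mounts" >/dev/null; then
        echo "warning: $dir is not on an encrypted mount; TMPDIR unchanged" >&2
        return 1
    fi
    TMPDIR=$(private_tmpdir "$dir") || return 1
    export TMPDIR
}
```

Programs that honour TMPDIR (mktemp, most libc tempfile helpers) then land inside the encrypted home; programs that hard-code /tmp still need the per-program fix discussed above.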
