Suggestion: Leaky temp directory with encrypted home directories
Rob King
jking at deadpixi.com
Fri Jul 2 15:42:50 UTC 2010
On Fri, 2010-07-02 at 09:16 -0500, Dustin Kirkland wrote:
> On Thu, Jul 1, 2010 at 2:55 PM, Rob King <jking at deadpixi.com> wrote:
> > Hello everyone,
> > Ubuntu's encrypted home directory feature is quite useful, and a good way
> > of increasing the security and privacy of information.
> > However, the scheme is a little "leaky". Applications still use the
> > default system-wide temporary directory (/tmp), which is not encrypted. For
> > applications that store things in the temporary directory, this can cause
> > leaks of sensitive information outside the encrypted home directory. For
> > things like Deja Dup, this can cause the entire contents of the home
> > directory to be copied into an unencrypted area.
> > I would suggest that, when a user enables the encrypted home directory
> > feature, the TMPDIR directory is set to a temporary directory inside that
> > user's home directory. This could easily be done in desktop sessions by
> > modifying ~/.xsessionrc. I'm not sure how easy this would be for
> > command-line logins.
>
> I agree that programs which leak truly sensitive nature to /tmp should
> be fixed. Please file a bug in Launchpad for each and every program
> you find that leaks sensitive data to /tmp.
>
While I agree that any program that writes sensitive data to /tmp is in
some way broken, I don't know that fixing them is a good long term
solution. For every program that is fixed, another will pop up that's
broken.
> However, it's worth mentioning that /tmp is wiped on every boot in
> Ubuntu. For this reason, I usually put my /tmp in a tmpfs in memory
> (on systems where I have a few GB of memory). Add this line to your
> /etc/fstab:
> tmpfs /tmp tmpfs rw
>
> This ensures that the data written to /tmp is never actually written
> to disk. I think this is an excellent best-practice for the security
> conscious.
>
This is a good solution, except that it only works on systems with
sufficient RAM - and even then, the RAM may be swapped to disk. By
setting a session-wide TMPDIR variable, temporary data is always written
to an area of the disk that is known to be encrypted.
Thanks,
Rob
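One way to implement the session-wide TMPDIR idea from this thread, written as an added example rather than code from either message; it assumes GNU coreutils (`df --output`, `stat -c`) and places the private directory at ~/.tmp, which is an assumed location, not an Ubuntu convention:

```shell
#!/bin/sh
# Added example: point the login session's temporary directory at a private
# 0700 directory inside the (ecryptfs-mounted) home, so programs that honour
# TMPDIR stop writing scratch data to the unencrypted system-wide /tmp.
# Meant to be sourced from ~/.xsessionrc (desktop) or ~/.profile (console).

# Filesystem type of the mount holding $1, e.g. "ecryptfs" (assumes GNU df).
fs_type_of() {
    df --output=fstype "$1" 2>/dev/null | tail -n 1
}

# Create $1 as a private directory (mode 0700). An existing directory with
# looser permissions is tightened; a symlink is refused so that another user
# cannot redirect the session's temp files elsewhere. Returns 0 on success.
make_private_tmpdir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing to use symlink at $dir" >&2
        return 1
    fi
    mkdir -p -m 0700 "$dir" || return 1   # -m only applies when newly created
    chmod 0700 "$dir" || return 1         # so re-apply it for an existing dir
    [ -d "$dir" ]
}

# Set TMPDIR/TMP/TEMP for the session and print the chosen directory.
# Warns (but continues) when the home is not on ecryptfs: the directory is
# then still private to the user, but no longer encrypted at rest.
setup_private_tmpdir() {
    home=${1:-$HOME}
    dir=$home/.tmp            # assumed location of the private temp dir
    make_private_tmpdir "$dir" || return 1
    if [ "$(fs_type_of "$home")" != "ecryptfs" ]; then
        echo "warning: $home is not an ecryptfs mount; $dir is unencrypted" >&2
    fi
    TMPDIR=$dir TMP=$dir TEMP=$dir
    export TMPDIR TMP TEMP
    echo "$dir"
}
```

Programs that hardcode /tmp instead of consulting TMPDIR are unaffected by this, which is why the per-program bug reports asked for in the thread still matter.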