[209] in The Cryptographic File System users list
Re: using cfs with /home
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Oct 17 09:47:16 2000
From owner-cfs-users@crypto.com Tue Oct 17 13:47:16 2000
Return-Path: <owner-cfs-users@crypto.com>
Delivered-To: cfs-mtg@CHARON.MIT.EDU
Received: (qmail 7255 invoked from network); 17 Oct 2000 13:47:16 -0000
Received: from mx.crypto.com (207.140.168.138)
by charon.mit.edu with SMTP; 17 Oct 2000 13:47:16 -0000
Received: (from majordomo@localhost)
by MultiHostMXServer (8.9.3/8.9.x4) id JAA00151
for cfs-users-list; Tue, 17 Oct 2000 09:41:37 -0400 (EDT)
X-Authentication-Warning: mx.crypto.com: majordomo set sender to owner-cfs-users@crypto.com using -f
Received: from nsa.research.att.com (H-135-207-24-155.research.att.com [135.207.24.155])
by MultiHostMXServer (8.9.3/8.9.x4) with ESMTP id JAA23889
for <cfs-users@crypto.com>; Tue, 17 Oct 2000 09:41:36 -0400 (EDT)
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.30.102]) by nsa.research.att.com (8.7.3/8.7.3) with ESMTP id JAA09987 for <cfs-users@nsa.research.att.com>; Tue, 17 Oct 2000 09:41:34 -0400 (EDT)
Received: by mail-blue.research.att.com (Postfix)
id 5A5CB4CE2B; Tue, 17 Oct 2000 09:41:35 -0400 (EDT)
Delivered-To: cfs-users@research.att.com
Received: from black-ice.cc.vt.edu (black-ice.cc.vt.edu [128.173.14.71])
by mail-blue.research.att.com (Postfix) with ESMTP id 157554CE27
for <cfs-users@research.att.com>; Tue, 17 Oct 2000 09:41:35 -0400 (EDT)
Received: from black-ice.cc.vt.edu (valdis@localhost [127.0.0.1])
by black-ice.cc.vt.edu (8.12.0.PreAlpha2/8.12.0.PreAlpha2) with ESMTP id e9HDfYn34114;
Tue, 17 Oct 2000 09:41:34 -0400
Message-Id: <200010171341.e9HDfYn34114@black-ice.cc.vt.edu>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4+dev
To: "Ravikant K.Rao" <ravi@symonds.net>
Cc: cfs-users@research.att.com
Subject: Re: using cfs with /home
In-Reply-To: Your message of "Mon, 16 Oct 2000 21:14:06 PDT."
<20001016211406.A32299@symonds.net>
From: Valdis.Kletnieks@vt.edu
X-Url: http://black-ice.cc.vt.edu/~valdis/
X-Face: 34C9$Ewd2zeX+\!i1BA\j{ex+$/V'JBG#;3_noWWYPa"|,I#`R"{n@w>#:{)FXyiAS7(8t(
^*w5O*!8O9YTe[r{e%7(yVRb|qxsRYw`7J!`AM}m_SHaj}f8eb@d^L>BrX7iO[<!v4-0bVIpaxF#-)
%9#a9h6JXI|T|8o6t\V?kGl]Q!1V]GtNliUtz:3},0"hkPeBuu%E,j(:\iOX-P,t7lRR#
References: <20001016061907.B23833@symonds.net> <200010161359.e9GDxkV25592@black-ice.cc.vt.edu>
<20001016211406.A32299@symonds.net>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-1597811548P";
micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Tue, 17 Oct 2000 09:41:33 -0400
Sender: owner-cfs-users@crypto.com
Precedence: bulk
--==_Exmh_-1597811548P
Content-Type: text/plain; charset=us-ascii
On Mon, 16 Oct 2000 21:14:06 PDT, "Ravikant K.Rao" said:
> Oh - My whole original idea of encrypting /home and /home/$USER
> was for a multiuser setup, so that no one user can peek into another
> user's setup
chmod 700 $HOME
Seriously.
If file permissions aren't stopping user A and B from getting into each
other's stuff, you have BIGGER problems. Once user A logs in and gets
CFS to attach his $HOME, user B can just telnet in and start poking around.
On a properly managed Unix system, user B won't get very far ANYHOW with
properly set permissions. And if the permissions aren't correct, CFS won't
help you at all.
CFS was designed for a *different* threat model. It will allow you to dump
a file system to a remote tape device (since the actual file system blocks
are encrypted). It will protect data if an adversary has physical access
to the hard drive.
It will however *NOT* do much to keep one user out of another's hair.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
--==_Exmh_-1597811548P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Exmh version 2.2 06/16/2000
iQA/AwUBOexXDHAt5Vm009ewEQJcjQCcDTGPmvxJIVCUZC93dSwHca6E0UMAnjNo
ZGFyA1d1/ILb5gXQsCJJi6Z6
=+ym7
-----END PGP SIGNATURE-----
--==_Exmh_-1597811548P--
