From the Canyon Edge -- :-Dustin

Monday, July 27, 2009

Restricting Who Can Encrypt their $HOME or $HOME/Private in Ubuntu

I'm listening to the UK Podcast S02E09 right now, and there was a question from a user about restricting who can encrypt their home or private directory under Ubuntu. (A bit later in the broadcast, these fine fellows interview yours truly.)

Dave Walker and Alan Pope were discussing this. Perhaps you have a shared system at home and you want to encrypt your home directory, but don't want to give this privilege to your unruly 10 year old ;-)

Here's a simple recipe for solving this using Unix Discretionary Access Controls:

sudo addgroup ecryptfs
sudo usermod -a -G ecryptfs [allowed users]
sudo chown root:ecryptfs /sbin/mount.ecryptfs_private
sudo chmod 4750 /sbin/mount.ecryptfs_private

So you create an ecryptfs group, add your allowed users to it, chown the setuid binary to root:ecryptfs, and chmod it 4750, so that only root and members of the ecryptfs group can execute it. Done!
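To show why the recipe works, here is an added Python illustration (not from the original post) of the DAC decision the kernel makes when someone tries to run the helper. The two ls -l lines are constructed samples: the hardened mode from the recipe, and an assumed unrestricted root:root mode for comparison.

```python
from dataclasses import dataclass

# Constructed sample listings (not captured from a real system).
HARDENED = "-rwsr-x--- 1 root ecryptfs 12216 2009-07-21 02:36 /sbin/mount.ecryptfs_private"
UNRESTRICTED = "-rwsr-xr-x 1 root root 12216 2009-07-21 02:36 /sbin/mount.ecryptfs_private"

@dataclass
class Entry:
    perms: str   # nine permission characters, e.g. "rwsr-x---"
    owner: str
    group: str
    path: str

def parse_ls_line(line: str) -> Entry:
    """Split one 'ls -l' line into permission bits, owner, group and path."""
    fields = line.split(None, 7)          # mode links owner group size date time path
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[7].rstrip("*")
    return Entry(mode[1:10], owner, group, path)

def can_execute(user: str, groups: set[str], e: Entry) -> bool:
    """Classic Unix DAC: exactly one class applies (owner, else group, else other),
    and only that class's execute bit is consulted. In the owner/group slot, 's'
    means execute plus setuid/setgid; 'S' would mean setuid without execute."""
    if user == e.owner:
        cls = e.perms[0:3]
    elif e.group in groups:
        cls = e.perms[3:6]
    else:
        cls = e.perms[6:9]
    return cls[2] in "xs"

def is_restricted_to_group(e: Entry, group: str = "ecryptfs") -> bool:
    """True when the helper matches the recipe: root-owned, setuid, group-executable,
    and no access at all for everybody else (mode 4750)."""
    return (e.owner == "root" and e.group == group
            and e.perms[0:3] == "rws"      # root: rwx plus setuid
            and e.perms[3:6] == "r-x"      # ecryptfs members: read and execute
            and e.perms[6:9] == "---")     # others: nothing

if __name__ == "__main__":
    h = parse_ls_line(HARDENED)
    print("alice (in ecryptfs):", can_execute("alice", {"alice", "ecryptfs"}, h))
    print("kid (not in group):", can_execute("kid", {"kid"}, h))
```

The same check, pointed at real `ls -l /sbin/mount.ecryptfs_private` output, is a quick audit that the chown/chmod step actually took effect.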

I'll note that Fedora 11 ships with /sbin/mount.ecryptfs_private permissioned by default in such a way. I don't plan to change Ubuntu's default behavior unless required by the Ubuntu Security Team.

-rwsr-x--- 1 root ecryptfs 12216 2009-07-21 02:36 /sbin/ecryptfs_private*