Mounting an encrypted volume presents the volume to all users on a machine

Nathanael D. Noblet nathanael at gnat.ca
Mon Oct 25 22:45:24 UTC 2010


On 10/25/2010 04:40 PM, nodata wrote:

>> Wouldn't they be restricted based on the contents of the encrypted volume?
>
> Yes. Once the volume is mounted it will be treated with normal UNIX
> permissions. So you would have to create a sub-directory on the volume
> where the permissions were strict and create files under that.
>
> My point is that if the disk is encrypted, and the user knows the
> passphrase to access files on the device, then it doesn't make sense to
> let everyone else see what's on the device as well: it only makes sense
> to decrypt the device to the user who knows the passphrase.
>
> There's an argument that other people will want to see what's on the
> device too. That's fine: the user can opt-in to that. But secure by
> default should be what we're aiming at.

I encrypt /home... So for my use case it doesn't make much sense. I
guess I can see the case where you have some random storage that is
encrypted, however I'm not sure how common this is, and file permissions
keep them at bay once mounted anyway. I guess if they could get root,
once you decrypt they have access, but if they have root... you've got
other problems.
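
The strict sub-directory approach from the quoted reply, together with a check of what other local users can still reach on an unlocked volume, as an added bash example that is not part of either poster's message. The function names are hypothetical, and it assumes GNU find and stat.

```shell
#!/usr/bin/env bash
# Added example. The argument is the mount point of an already unlocked
# and mounted volume; nothing here touches the encryption layer itself.

# List paths under the mount point that users other than the owner can reach.
# Directories with no group/other permission bits are pruned: nothing below
# them is reachable, whatever modes the files inside carry.
# Approximation: any group/other bit on a directory counts as reachable.
exposed_paths() {
    find "$1" -xdev -type d ! -perm /077 -prune -o -perm /077 -print
}

# Create (or tighten) an owner-only directory on the volume and print its path.
# umask 077 keeps the directory from ever existing with looser modes.
make_private_dir() {
    local dir="$1/$2"
    ( umask 077 && mkdir -p "$dir" ) && chmod 700 "$dir" && printf '%s\n' "$dir"
}

# Succeed only if the directory's mode is exactly 0700.
is_private() {
    [ "$(stat -c '%a' "$1")" = "700" ]
}

# Stand-alone use: ./script /path/to/mountpoint
if [ "$#" -gt 0 ]; then
    exposed_paths "$1"
fi
```

If the mount point itself is mode 0700, `exposed_paths` prints nothing, which is the opt-in default argued for in the quoted text.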


