mhogomchungu / zuluCrypt

zuluCrypt is a front end to cryptsetup and tcplay and it allows easy management of encrypted block devices
https://mhogomchungu.github.io/zuluCrypt

Feature Request: Permissions hardening/options for FAT filesystem containers #142

Closed GIJack closed 4 years ago

GIJack commented 4 years ago

Feature request.

Give the options for setting fmask and dmask FAT filesystem options when mounting FAT formatted containers. At the very least change the options away from the insecure defaults.

mhogomchungu commented 4 years ago

What options would you like to be used as defaults?

It's possible to set custom mount options based on file systems and based on a file system that is in a particular device.

How to set mount options based on file systems of a certain type:

  1. Create a text file at /etc/zuluCrypt/generic_fs_options.
  2. In it, add vfat fmask=abc,dmask=def where "abc" and "def" are your preferred options.

PS: "FAT" file system is usually reported as "vfat" so I have used "vfat" in my example. The entry for the file system you added above must match the file system the blkid tool reported on the device for it to work.

How to set mount options based on a file system on a particular device:

  1. Create a text file at /etc/zuluCrypt/fs_options
  2. In it, add UUID=XYZ fmask=abc,dmask=def where "XYZ" is the UUID of a file system on a device whose mount options you want to customize, "abc" and "def" are your preferred mount options.

GIJack commented 4 years ago

fmask=0177 dmask=0077

Essentially only the user who mounted the partition can use it. Will prevent a leak. Especially as GUI systems tend to be one user at a time.

The GUI should have a GUI option, the CLI should have switches. Or even the CLI should just have an option for "Filesystem Options", and pass that on to mount -o
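
Added example, not part of the thread and not zuluCrypt code: a small auditor that reads entries in the `<selector> <options>` form quoted above and shows the permissions that vfat's umask-style `fmask`/`dmask` values produce. The function names and the one-entry-per-line parsing are assumptions; the sample lines are constructed.

```python
import stat

# Constructed sample entries in the two forms quoted in the thread:
# "<fstype> <options>" (generic_fs_options) and "UUID=<uuid> <options>" (fs_options).
SAMPLE_LINES = [
    "vfat fmask=0177,dmask=0077",
    "UUID=XYZ fmask=0133,dmask=0022",
]

def parse_line(line):
    """Split one entry into (selector, {option: value}). Assumed one entry per line."""
    selector, _, opts = line.strip().partition(" ")
    options = {}
    for item in opts.strip().split(","):
        if not item:
            continue
        key, _, value = item.partition("=")
        options[key.strip()] = value.strip()
    return selector, options

def effective_mode(mask, is_dir):
    """vfat masks are umask-style: bits set in the octal mask are removed from 0777."""
    bits = 0o777 & ~int(mask, 8)
    return (stat.S_IFDIR if is_dir else stat.S_IFREG) | bits

def audit(line):
    """Report the resulting file and directory modes for one entry."""
    selector, options = parse_line(line)
    report = {"selector": selector}
    for key, is_dir in (("fmask", False), ("dmask", True)):
        if key not in options:
            # Not set: the vfat default is the umask of the mounting process.
            report[key] = None
            continue
        mode = effective_mode(options[key], is_dir)
        report[key] = {
            "mode": stat.filemode(mode),
            # True when group or other keep any permission bit.
            "group_or_other_access": bool(mode & 0o077),
        }
    return report

if __name__ == "__main__":
    for entry in SAMPLE_LINES:
        print(entry, "->", audit(entry))
```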

mhogomchungu commented 4 years ago

The default mount point prefix in zuluCrypt is /run/media/private/$USER/ and there is a compile time switch to change it to /home/$USER.

Only the person who created the mount point has access to these mount point prefixes because they are "private". If a user wants other users to gain access to the mount point, they can allow them by checking the "share mount point" checkbox and an additional "publicly" sharable mount point will be created at /run/media/public.

In summary, only you will have access to the mount point you created unless you explicitly allow others to access it.

mhogomchungu commented 4 years ago

Closing this one as "invalid". The permissions on the mount point are irrelevant because only the user who created the mount point has access to it.