Eadword Posted May 14, 2019

Hello everyone! Just set up a fully encrypted array and I noticed that by default the keyfile `/root/keyfile` is readable by all users. Wanted to see if maybe I am missing a security setting somewhere or if this is actually the default... I did write a quick user script to run at array startup which simply performs `chmod -R og-rwx /root`.

itimpi Posted May 14, 2019

The /root location will not be visible across the network so not easily accessible. If you can log in as root then the permissions are irrelevant.

Eadword Posted May 14, 2019 Author

2 minutes ago, trurl said:

I am not storing a keyfile. When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`.

Eadword Posted May 14, 2019 Author

5 minutes ago, itimpi said:

> The /root location will not be visible across the network so not easily accessible. If you can log in as root then the permissions are irrelevant.

Trying to set up different user accounts, they still would be able to access it with the default permissions--if I am not mistaken.

itimpi Posted May 14, 2019

18 minutes ago, Eadword said:

> Trying to set up different user accounts, they still would be able to access it with the default permissions--if I am not mistaken.

What user accounts? Unraid does not really support user accounts in the traditional Linux sense. In Unraid the user accounts are only intended to allow you to control share access, and /root is not part of any share.

trurl Posted May 14, 2019

2 hours ago, Eadword said:

> I am not storing a keyfile. When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`.

Did you actually read the linked thread? The whole point was explaining that the keyfile isn't actually in persistent storage. Here is the link again as a plain URL: https://forums.unraid.net/topic/73751-dont-store-a-keyfile/

bonienl Posted May 14, 2019

2 hours ago, Eadword said:

> When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`.

This is needed to start the array. Once the array is started you can delete this file using the GUI (see Main menu).

P.S. Regular users cannot read this file, because regular users cannot log in to the system.

Eadword Posted May 15, 2019 Author

6 hours ago, trurl said:

> Did you actually read the linked thread? The whole point was explaining that the keyfile isn't actually in persistent storage.

Yes, the link was illuminating to see that it is actually using a tmpfs mount or something; however, rephrasing my point to be "it's still in the filesystem" would be more accurate, and any user could read it given the permissions. At least, that is where my mind went based on normal Unix logic. Since apparently Unraid doesn't really support users other than root according to itimpi, this point is moot.

limetech Posted May 15, 2019

17 hours ago, Eadword said:

> Yes, the link was illuminating to see that it is actually using a tmpfs mount or something; however, rephrasing my point to be "it's still in the filesystem" would be more accurate, and any user could read it given the permissions. At least, that is where my mind went based on normal Unix logic. Since apparently Unraid doesn't really support users other than root according to itimpi, this point is moot.

Yes, we'll change that to 600 in the next release, though at present it doesn't make any difference.
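
As an added example (not part of any post above and not Unraid's own code), the permission check discussed in this thread can be scripted so that only the keyfile is touched, instead of running a recursive `chmod` over `/root`. The path `/root/keyfile` comes from the thread; the function names and the `--audit` switch are illustrative assumptions.

```shell
#!/bin/sh
# Added example: audit the mode of the in-memory keyfile and tighten it to 600.
# The path is the one named in the thread; function names are illustrative.
KEYFILE="${KEYFILE:-/root/keyfile}"

# Print the group and other permission characters of a path, e.g. "r--r--".
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# 0 = no group/other access, 1 = group/other access present, 2 = no such file.
keyfile_is_private() {
    [ -f "$1" ] || return 2
    [ "$(group_other_bits "$1")" = "------" ]
}

# Set owner read/write only (mode 600), then re-check the result.
harden_keyfile() {
    [ -f "$1" ] || return 2
    chmod 600 -- "$1" && keyfile_is_private "$1"
}

# Report the state of one keyfile and fix it when it is too open.
audit_keyfile() {
    rc=0
    keyfile_is_private "$1" || rc=$?
    case "$rc" in
        0) echo "OK: $1 has no group/other access" ;;
        2) echo "SKIP: $1 is not present" ;;
        *) echo "FIX: $1 is group/other accessible, setting mode 600"
           harden_keyfile "$1" ;;
    esac
}

# Run the audit only when asked, e.g. from an array-start user script
# (keyfile_audit.sh is a hypothetical file name):
#   sh keyfile_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_keyfile "$KEYFILE"
fi
```

The `SKIP` branch covers the case mentioned earlier in the thread where the keyfile has been deleted after the array started.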
Archived
This topic is now archived and is closed to further replies.