May 14, 2019 Hello everyone! Just set up a fully encrypted array and I noticed that by default the keyfile `/root/keyfile` is readable by all users. Wanted to see if maybe I am missing a security setting somewhere or if this is actually the default... I did write a quick user script to run at array startup which simply performs `chmod -R og-rwx /root`.
May 14, 2019 The /root location will not be visible across the network so not easily accessible. If you can log in as root then the permissions are irrelevant.
May 14, 2019 Author 2 minutes ago, trurl said: I am not storing a keyfile. When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`.
May 14, 2019 Author 5 minutes ago, itimpi said: The /root location will not be visible across the network so not easily accessible. If you can log in as root then the permissions are irrelevant. Trying to set up different user accounts, they still would be able to access it with the default permissions--if I am not mistaken.
May 14, 2019 18 minutes ago, Eadword said: Trying to set up different user accounts, they still would be able to access it with the default permissions--if I am not mistaken. What user accounts? Unraid does not really support user accounts in the traditional Linux sense. In Unraid the user accounts are only intended to allow you to control share access, and /root is not part of any share.
May 14, 2019 2 hours ago, Eadword said: I am not storing a keyfile. When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`. Did you actually read the linked thread? The whole point was explaining that the keyfile isn't actually in persistent storage. Here is the link again as a plain URL: https://forums.unraid.net/topic/73751-dont-store-a-keyfile/
May 14, 2019 2 hours ago, Eadword said: When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`. This is needed to start the array. Once the array is started you can delete this file using the GUI (see Main menu). PS: regular users cannot read this file, because regular users cannot log in to the system. Edited May 14, 2019 by bonienl
May 15, 2019 Author 6 hours ago, trurl said: Did you actually read the linked thread? The whole point was explaining that the keyfile isn't actually in persistent storage. Yes, the link was illuminating to see that it is actually using a tmpfs mount or something; however, rephrasing my point to be "it's still in the filesystem" would be more accurate, and any user could read it given the permissions. At least, that is where my mind went based on normal Unix logic. Since apparently Unraid doesn't really support users other than root according to itimpi, this point is moot.
May 15, 2019 17 hours ago, Eadword said: Yes, the link was illuminating to see that it is actually using a tmpfs mount or something; however, rephrasing my point to be "it's still in the filesystem" would be more accurate, and any user could read it given the permissions. At least, that is where my mind went based on normal Unix logic. Since apparently Unraid doesn't really support users other than root according to itimpi, this point is moot. Yes, we'll change that to 600 in the next release, though at present it doesn't make any difference.
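For anyone who wants to check the points raised in this thread on their own box, here is an added example script (not code from the thread or from Unraid) that audits `/root/keyfile`: it reports whether the mode grants anything to group/other, tightens it to the 600 mentioned above, and checks whether the file is on tmpfs as the linked thread describes. It assumes Linux with GNU coreutils `stat`, as on Unraid.

```shell
#!/bin/sh
# Added example, not code from the thread or from Unraid: audit the keyfile
# that Unraid writes to /root/keyfile at array start. Reports whether group or
# other get any access, chmods it to 600, and checks whether it is on tmpfs
# (i.e. not persistent storage). Assumes GNU coreutils stat on Linux.

# 0 if the mode grants nothing to group or other (600, 400, 000 ...), else 1.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        0|*00) return 0 ;;   # last two octal digits are group and other
        *)     return 1 ;;
    esac
}

# 0 if the file lives on a tmpfs mount, so it does not survive a reboot.
keyfile_on_tmpfs() {
    [ "$(stat -f -c '%T' "$1" 2>/dev/null)" = "tmpfs" ]
}

# Owner-only read/write; returns chmod's status.
keyfile_harden() {
    chmod 600 "$1"
}

# Print a short report for the given path. Always returns 0, so it is safe
# to call from a user script that runs at array startup.
keyfile_audit() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: not present (deleted via Main menu, or array not started)"
        return 0
    fi
    if keyfile_mode_ok "$f"; then
        echo "$f: mode $(stat -c '%a' "$f") (owner only)"
    else
        echo "$f: mode $(stat -c '%a' "$f") is readable by group/other, setting 600"
        keyfile_harden "$f" || echo "$f: chmod failed (run as root)"
    fi
    if keyfile_on_tmpfs "$f"; then
        echo "$f: on tmpfs, not persisted across reboots"
    else
        echo "$f: NOT on tmpfs ($(stat -f -c '%T' "$f")), delete it once the array is up"
    fi
    return 0
}

keyfile_audit "${1:-/root/keyfile}"
```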