Keyfile Permissions


Eadword

Recommended Posts

Hello everyone!

Just setup a fully encrypted array and I noticed that by default the keyfile `/root/keyfile` is readable by all users. Wanted to see if maybe I am missing a security setting somewhere or if this is actually the default... I did write a quick user script to run at array startup which simply performs `chmod -R og-rwx /root`.

Link to comment
5 minutes ago, itimpi said:

The /root location will not be visible acros the network so not easily accessible.    If you can log in as root then the permissions are irrelevant.

Trying to set up different user accounts, they still would be able to access it with the default permissions--if I am not mistaken.

Link to comment
18 minutes ago, Eadword said:

Trying to set up different user accounts, they still would be able to access it with the default permissions--if I am not mistaken.

What user accounts?   Unraid does not really support user accounts in the traditional Linux sense.    In Unraid the user accounts are only intended to allow you to control share access, and /root is not part of any share.

Link to comment
2 hours ago, Eadword said:

When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`.

This is needed to start the array.

Once the array is started you can delete this file using the GUI (see Main menu).

 

Ps. regular users can not read this file, because regular users can not login to the system

Edited by bonienl
Link to comment
6 hours ago, trurl said:

Did you actually read the linked thread? The whole point was explaining that the keyfile isn't actually in persistent storage.

 

Yes the link was illuminating to see that it is actually using a tmpfs mount or something, however, rephrasing my point to be "it's still in the filesystem" would be more accurate and any user could read it given the permissions. At least, that is where my mind went based on normal unix logic. Since apparently unraid doesn't really support users other than root according to itimpi, this point is moot.

Link to comment
17 hours ago, Eadword said:

Yes the link was illuminating to see that it is actually using a tmpfs mount or something, however, rephrasing my point to be "it's still in the filesystem" would be more accurate and any user could read it given the permissions. At least, that is where my mind went based on normal unix logic. Since apparently unraid doesn't really support users other than root according to itimpi, this point is moot.

Yes we'll change that to 600 in next release, though at present doesn't make any difference.

  • Upvote 1
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.