Eadword, posted May 14, 2019:

Hello everyone! Just set up a fully encrypted array and I noticed that by default the keyfile `/root/keyfile` is readable by all users. Wanted to see if maybe I am missing a security setting somewhere or if this is actually the default... I did write a quick user script to run at array startup which simply performs `chmod -R og-rwx /root`.

itimpi, posted May 14, 2019:

The /root location will not be visible across the network so not easily accessible. If you can log in as root then the permissions are irrelevant.

Eadword (author), posted May 14, 2019:

2 minutes ago, trurl said:

I am not storing a keyfile. When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`.

Eadword (author), posted May 14, 2019:

5 minutes ago, itimpi said:
> The /root location will not be visible across the network so not easily accessible. If you can log in as root then the permissions are irrelevant.

Trying to set up different user accounts, they still would be able to access it with the default permissions--if I am not mistaken.

itimpi, posted May 14, 2019:

18 minutes ago, Eadword said:
> Trying to set up different user accounts, they still would be able to access it with the default permissions--if I am not mistaken.

What user accounts? Unraid does not really support user accounts in the traditional Linux sense. In Unraid the user accounts are only intended to allow you to control share access, and /root is not part of any share.

trurl, posted May 14, 2019:

2 hours ago, Eadword said:
> I am not storing a keyfile. When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`.

Did you actually read the linked thread? The whole point was explaining that the keyfile isn't actually in persistent storage. Here is the link again as a plain URL: https://forums.unraid.net/topic/73751-dont-store-a-keyfile/

bonienl, posted May 14, 2019 (edited May 14, 2019 by bonienl):

2 hours ago, Eadword said:
> When I enter my keyfile to start the array, Unraid writes the keyfile to `/root/keyfile`.

This is needed to start the array. Once the array is started you can delete this file using the GUI (see Main menu).

P.S. Regular users cannot read this file, because regular users cannot log in to the system.

Eadword (author), posted May 15, 2019:

6 hours ago, trurl said:
> Did you actually read the linked thread? The whole point was explaining that the keyfile isn't actually in persistent storage.

Yes the link was illuminating to see that it is actually using a tmpfs mount or something, however, rephrasing my point to be "it's still in the filesystem" would be more accurate and any user could read it given the permissions. At least, that is where my mind went based on normal unix logic. Since apparently unraid doesn't really support users other than root according to itimpi, this point is moot.

limetech, posted May 15, 2019:

17 hours ago, Eadword said:
> Yes the link was illuminating to see that it is actually using a tmpfs mount or something, however, rephrasing my point to be "it's still in the filesystem" would be more accurate and any user could read it given the permissions. At least, that is where my mind went based on normal unix logic. Since apparently unraid doesn't really support users other than root according to itimpi, this point is moot.

Yes we'll change that to 600 in next release, though at present doesn't make any difference.

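The check the thread converges on (no group or other access on the keyfile, i.e. mode 600), as an added shell example that is not from any poster or from Unraid itself. The function names are hypothetical, and the only path assumed is the `/root/keyfile` named in the thread.

```shell
#!/bin/sh
# Added example: audit a keyfile's permission bits and tighten them to 600.
# Function names are hypothetical; /root/keyfile is the path from the thread.

# Print the file's octal mode, e.g. 644 (works with GNU and BusyBox stat).
keyfile_mode() {
    stat -c '%a' "$1"
}

# Return 0 when group and other have no permission bits, 1 when they do.
keyfile_is_private() {
    mode=$(keyfile_mode "$1") || return 2
    # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Report the keyfile's state and chmod it to 600 if group/other can touch it.
harden_keyfile() {
    f=$1
    # chmod follows symlinks, so never "fix" a link someone placed at the path.
    if [ -L "$f" ]; then
        echo "refusing: $f is a symlink" >&2
        return 3
    fi
    if [ ! -e "$f" ]; then
        echo "absent: $f (already deleted, or array not started with a keyfile)"
        return 0
    fi
    # Informational: shows whether the file sits on a RAM-backed filesystem.
    fs=$(stat -f -c '%T' "$f" 2>/dev/null || echo unknown)
    if keyfile_is_private "$f"; then
        echo "ok: $f mode $(keyfile_mode "$f") on $fs"
    else
        echo "fixing: $f mode $(keyfile_mode "$f") on $fs -> 600"
        chmod 600 "$f"
    fi
}

# Run only when a path is given, e.g.: sh check_keyfile.sh /root/keyfile
if [ "$#" -gt 0 ]; then
    harden_keyfile "$1"
fi
```

Unlike the recursive `chmod -R og-rwx /root` from the first post, this changes only the one file it is pointed at.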