Friday, October 29, 2010

A piece of GNIF wisdom

Heard at a meeting with GNIF clients:
"Well, you know, using the SSID of your wifi AP as a pre-shared key is not... really secure".

Thursday, October 28, 2010

Cloud storage is a has-been

We now have a much better technique for securely storing sensitive data: the SMS, aka "SubMarine Storage".
It guarantees that stored data stays sealed and prevents any unauthorized reuse!

EncFS and MPD

As every reasonably paranoid person should do, I encrypt all the "sensitive" content of my work laptop. By sensitive, I mean everything that is not related to work:
- music
- TV shows
- pictures from 4chan
- CV (yes, looking for a new job while at work is OK)
For encryption, I use EncFS, a user-space encrypted filesystem built on FUSE.

I wanted to install MPD so that my music keeps playing when I crash or kill X. Unfortunately, it was not as simple as I imagined, because of several permission problems. Here is the setup:
- encrypted EncFS folder is ~/.sec/
- I mount it on ~/sec/
- music is inside ~/sec/music/

If I try to start mpd (with music_directory set to /home/rocco/sec/music in /etc/mpd.conf):
$ sudo mpd /etc/mpd.conf
failed to stat music directory "/home/rocco/sec/music": Permission denied
So mpd cannot access the music folder. Fortunately, the Arch Wiki has a solution: bind-mount the directory to a location where mpd does have access, for example under /var/lib/mpd.

$ sudo mkdir /var/lib/mpd/music
$ sudo mount --bind /home/rocco/sec/music/ /var/lib/mpd/music/
mount: block device /home/rocco/sec/music/ is write-protected, mounting read-only
mount: cannot mount block device /home/rocco/sec/music/ read-only

Say whaaaat? A little strace magic shows what is really going on:

[...]
mount("/home/rocco/sec/music/", "/var/lib/mpd/music/", 0x805371f, MS_MGC_VAL|MS_BIND, NULL) = -1 EACCES (Permission denied)
[...]
mount("/home/rocco/sec/music/", "/var/lib/mpd/music/", 0x805371f, MS_MGC_VAL|MS_RDONLY|MS_BIND, NULL) = -1 EACCES (Permission denied)

So even root cannot bind-mount the music folder (EACCES comes from FUSE, not from the filesystem being read-only). The explanation is in man encfs:
By default, all FUSE based filesystems are visible only to the user who mounted them. No other users (including root) can view the filesystem contents.
We must tell FUSE that the filesystem should be accessible to other users. Add user_allow_other to /etc/fuse.conf (without it, a non-root user is not permitted to pass allow_other) and mount the EncFS directory with -o allow_other. Note that allow_other widens access: the decrypted view becomes visible to every local user, not only to mpd. The bind mount then works:

$ encfs -o allow_other ~/.sec/ ~/sec/
$ sudo mount --bind /home/rocco/sec/music/ /var/lib/mpd/music/
$ sudo mpd /etc/mpd.conf
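As an added example (not from the original post), here is a small POSIX shell script that checks the two prerequisites above before attempting the bind mount, so that a missing FUSE option fails with a clear message instead of the misleading "write-protected" error from mount(8). The paths, the RUN_ENCFS_MPD variable and the use of the FUSE option default_permissions (so that the kernel enforces the mode bits on the decrypted view instead of leaving it open to every local user) are my assumptions, matching the scenario described in the post.

```shell
#!/bin/sh
# Added example: pre-flight checks for the EncFS + MPD bind-mount procedure.
# Paths are assumptions matching the post's scenario; override via environment.

ENC_DIR="${ENC_DIR:-$HOME/.sec}"          # EncFS ciphertext directory
DEC_DIR="${DEC_DIR:-$HOME/sec}"           # EncFS plaintext mount point
MUSIC_DIR="$DEC_DIR/music"
MPD_MUSIC="${MPD_MUSIC:-/var/lib/mpd/music}"

# Return 0 when the fuse.conf at $1 enables user_allow_other on its own,
# uncommented line. Without it, a non-root user cannot pass allow_other.
fuse_conf_allows_other() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# Print the comma-separated options of the FUSE mount on mount point $1,
# read from the mount table at $2 (normally /proc/self/mounts; field 4).
fuse_mount_options() {
    awk -v mp="$1" '$2 == mp && $3 ~ /^fuse/ { print $4 }' "$2"
}

# Return 0 when the FUSE mount on $1 (table $2) carries option $3.
mount_has_option() {
    fuse_mount_options "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

mount_has_allow_other() {
    mount_has_option "$1" "$2" allow_other
}

# Without default_permissions the kernel does no permission checking on a
# FUSE mount, so allow_other exposes the plaintext to every local user.
mount_has_default_permissions() {
    mount_has_option "$1" "$2" default_permissions
}

main() {
    if ! fuse_conf_allows_other /etc/fuse.conf; then
        echo "add 'user_allow_other' to /etc/fuse.conf first" >&2
        return 1
    fi
    if [ -n "$(fuse_mount_options "$DEC_DIR" /proc/self/mounts)" ]; then
        # Already mounted: refuse to continue if it lacks the options we need.
        if ! mount_has_allow_other "$DEC_DIR" /proc/self/mounts; then
            echo "$DEC_DIR is mounted without allow_other; run 'fusermount -u $DEC_DIR' and retry" >&2
            return 1
        fi
    else
        # encfs prompts for the passphrase on the terminal.
        encfs -o allow_other,default_permissions "$ENC_DIR" "$DEC_DIR" || return 1
    fi
    sudo mkdir -p "$MPD_MUSIC"
    sudo mount --bind "$MUSIC_DIR" "$MPD_MUSIC" || return 1
    sudo mpd /etc/mpd.conf
}

# Only run the procedure when explicitly asked; sourcing just defines functions.
if [ "${RUN_ENCFS_MPD:-0}" = 1 ]; then
    main
fi
```

Run it with `RUN_ENCFS_MPD=1 sh encfs-mpd.sh`. With default_permissions, mpd (which runs as its own user) can only read what the mode bits on the music tree allow, so the directories need to be at least group- or world-readable for that user. To tear down, unmount in reverse order: `sudo umount /var/lib/mpd/music` first, then `fusermount -u ~/sec`.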