First of all I’d like to dedicate this little filesystem to my dear friend Sara. It was your brief issue with auto-mounting the CIFS share on CentOS machine which inspired me to try this approach for securing passwords. Thank you for this and everything else 🙂
So, the fundamental thought behind this solution was the following: in order to keep the passwords secure what we want is limit their accessibility to the smallest possible subset of both users and binaries that require them to mount our filesystem. What does it mean in practice?
Let’s say we want to mount a CIFS share //foo.com/bar using the following credentials:
username=algoholic
password=cilohogla
domain=AD
It turns out that mount.cifs supports the credentials switch which lets one specify authentication credentials in a separate file. So we want to create a file containing the above credentials and make it accessible only to mount.cifs executed as particular user – ourselves.
The first problem that comes to mind is – how can we ever protect this file against the root user? Well, the short answer is we cannot. But we can make it harder for an ‘average’ root to dig his teeth into our precious credentials. This is the way credfs does it:
– packs all the protected files into a ZIP archive
– encrypts it using AES cipher with random key and IV
– stores the encrypted data, key and IV in the data.cpp file
– computes SHA1 digests for binaries that are supposed to be able to access the files
– stores the paths, digests and authorized username in the config.cpp file
– prepares a dedicated binary containing encrypted data that can be executed only by the authorized user
This binary is actually a FUSE filesystem which can be mounted anywhere we want and the protected files will be visible to all processes but accessible only to the ones set in config.cpp. By default FUSE also limits access to the user who mounted the filesystem and since only the authorized one can do this, this prevents other users from accessing it altogether.
When an authorized process is trying to access the files, its integrity is verified by recomputing the SHA1 digest and comparing it against the stored one.
It all sounds pretty sweet but of course has one week point – the root is all-powerful and can still trick the binary to think he’s actually us. Unfortunately there’s really no good way around this. What this approach gives you though even in such case is that only authorized binaries will be able to access the files so if they’re not vulnerable the root may access whatever system your credentials were protecting but will not lay hands on the plain-text version of your credentials. Unless of course he actually dumps the memory of the process. But I think it’s reasonable to assume most of sysadmins don’t have this level of expertise.
So all in all, it’s of course not a perfect solution but something to make it less obvious and more difficult to intercept your credentials. If I come up with something better (encrypted binaries a’la Skype, on-demand decryption of the protected files, reliable way to detect whether user is himself 😉 etc.) I’ll keep you posted!!!
Cheers.
PS. Source code downloads with more tutorial-like instructions are on the way. I just wanted to post something already because it’s been awfully long since last time 🙂
1 Comment