[LU-15767] If the user regain access to the encrypted directory from another client, the contents of the files will be deleted Created: 20/Apr/22 Updated: 05/May/22 Resolved: 05/May/22 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.15.0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major |
| Reporter: | Oleg Kulachenko (Inactive) | Assignee: | Sebastien Buisson |
| Resolution: | Cannot Reproduce | Votes: | 0 |
| Labels: | encryption, sec, security | ||
| Issue Links: |
|
||||||||
| Severity: | 3 | ||||||||
| Rank (Obsolete): | 9223372036854775807 | ||||||||
| Description |
|
On Client 1:
# fscrypt setup Defaulting to policy_version 1 because kernel doesn't support v2. Customizing passphrase hashing difficulty for this system... Created global config file at "/etc/fscrypt.conf". Metadata directories created at "/.fscrypt". [root@trevis-90vm4 ~]# fscrypt setup /mnt/lustre Metadata directories created at "/mnt/lustre/.fscrypt". Change in /etc/fscrypt.conf policy_version field from 1 to 2 On Client 2:
# fscrypt setup Defaulting to policy_version 1 because kernel doesn't support v2. Customizing passphrase hashing difficulty for this system... Created global config file at "/etc/fscrypt.conf". Metadata directories created at "/.fscrypt". Change in /etc/fscrypt.conf policy_version field from 1 to 2
On Client 1:
# mkdir /mnt/lustre/private # ls -la /mnt/lustre/ total 16 drwxr-xr-x 5 root root 4096 Apr 20 12:37 . drwxr-xr-x. 3 root root 4096 Mar 1 02:01 .. drwxr-xr-x 4 root root 4096 Apr 20 08:41 .fscrypt drwxr-xr-x 2 root root 4096 Apr 20 12:37 private
On Client 2:
[root@trevis-90vm5 ~]# ls -la /mnt/lustre/
total 16
drwxr-xr-x 5 root root 4096 Apr 20 12:37 .
drwxr-xr-x. 3 root root 4096 Mar 1 02:01 ..
drwxr-xr-x 4 root root 4096 Apr 20 08:41 .fscrypt
drwxr-xr-x 2 root root 4096 Apr 20 12:37 private
On Client 1:
# fscrypt encrypt /mnt/lustre/private The following protector sources are available: 1 - Your login passphrase (pam_passphrase) 2 - A custom passphrase (custom_passphrase) 3 - A raw 256-bit key (raw_key) Enter the source number for the new protector [2 - custom_passphrase]: 2 Enter a name for the new protector: shield Enter custom passphrase for protector "shield": Confirm passphrase: "/mnt/lustre/private" is now encrypted, unlocked, and ready for use. # echo "encrypt data" > /mnt/lustre/private/encrypt_file1 # echo "encrypt data" > /mnt/lustre/private/encrypt_file2 # ls -la /mnt/lustre/private total 8 drwx------ 2 root root 4096 Apr 20 12:42 . drwxr-xr-x 5 root root 4096 Apr 20 12:37 .. -rw-r--r-- 1 root root 0 Apr 20 12:42 encrypt_file1 -rw-r--r-- 1 root root 0 Apr 20 12:42 encrypt_file2 # cat /mnt/lustre/private/encrypt_file1 encrypt data # cat /mnt/lustre/private/encrypt_file2 encrypt data
On Client 2: # ls -la /mnt/lustre/private/ total 8 drwx------ 2 root root 4096 Apr 20 12:42 . drwxr-xr-x 5 root root 4096 Apr 20 12:37 .. -rw-r--r-- 1 root root 0 Apr 20 12:42 1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC -rw-r--r-- 1 root root 0 Apr 20 12:42 piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B # cat /mnt/lustre/private/1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC cat: /mnt/lustre/private/1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC: Required key not available # cat /mnt/lustre/private/piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B cat: /mnt/lustre/private/piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B: Required key not available # echo "new data" > /mnt/lustre/private/1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC -bash: /mnt/lustre/private/1SSaHn+b7U0XyzL82SNzjWDOS6PGKx3pAjn7WD8I1vC: Required key not available # echo "new data" > /mnt/lustre/private/piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B -bash: /mnt/lustre/private/piJmwoKUzymPjQ+53PFWANKGtXX82h0+HFPC7gFLR1B: Required key not available
On Client 2: # fscrypt unlock /mnt/lustre/private Enter custom passphrase for protector "shield": "/mnt/lustre/private" is now unlocked and ready for use.
After that the file size is 0 On Client 1: # ls -la /mnt/lustre/private/ total 8 drwx------ 2 root root 4096 Apr 20 12:42 . drwxr-xr-x 6 root root 4096 Apr 20 13:00 .. -rw-r--r-- 1 root root 0 Apr 20 12:42 encrypt_file1 -rw-r--r-- 1 root root 0 Apr 20 12:42 encrypt_file2 # cat /mnt/lustre/private/encrypt_file1 # cat /mnt/lustre/private/encrypt_file2
On Client 2: # ls -la /mnt/lustre/private/ total 8 drwx------ 2 root root 4096 Apr 20 12:42 . drwxr-xr-x 6 root root 4096 Apr 20 13:00 .. -rw-r--r-- 1 root root 0 Apr 20 12:42 encrypt_file1 -rw-r--r-- 1 root root 0 Apr 20 12:42 encrypt_file2 # cat /mnt/lustre/private/encrypt_file1 # cat /mnt/lustre/private/encrypt_file2
This is the first encrypted directory on this file system. With all the following encrypted directories, the bug could not be repeated.
|
| Comments |
| Comment by Andreas Dilger [ 20/Apr/22 ] |
|
There are some operations that can be done without the encryption key: Without the key --------------- Some filesystem operations may be performed on encrypted regular files, directories, and symlinks even before their encryption key has been added, or after their encryption key has been removed: : - Files may be deleted. That is, nondirectory files may be deleted with unlink() as usual, and empty directories may be deleted with rmdir() as usual. Therefore, ``rm`` and ``rm -r`` will work as expected. : Without the key, regular files cannot be opened or truncated. Attempts to do so will fail with ENOKEY. This implies that any regular file operations that require a file descriptor, such as read(), write(), mmap(), fallocate(), and ioctl(), are also forbidden. So it looks like truncating the file shouldn't be allowed without a key, as that might e.g. corrupt the last block, or (potentially) remove important records from the end of a file or similar. |
| Comment by Sebastien Buisson [ 25/Apr/22 ] |
|
This is weird, as truncate with or without the encryption key is exercised in sanity-sec test_48a. |
| Comment by Sebastien Buisson [ 25/Apr/22 ] |
|
Could you please specify the following:
|
| Comment by Sebastien Buisson [ 25/Apr/22 ] |
|
This step, carried out on client1, is already a problem: # echo "encrypt data" > /mnt/lustre/private/encrypt_file1 # echo "encrypt data" > /mnt/lustre/private/encrypt_file2 # ls -la /mnt/lustre/private total 8 drwx------ 2 root root 4096 Apr 20 12:42 . drwxr-xr-x 5 root root 4096 Apr 20 12:37 .. -rw-r--r-- 1 root root 0 Apr 20 12:42 encrypt_file1 -rw-r--r-- 1 root root 0 Apr 20 12:42 encrypt_file2 Right after you created files encrypt_file1 and encrypt_file2, they appear with a size of 0, locally on the node where you created them. This should certainly not happen. Can you reproduce the same behavior on a regular, non-encrypted directory, as you explain making sure this is the first directory on this file system? |
| Comment by Sebastien Buisson [ 25/Apr/22 ] |
|
I tried to reproduce with servers and clients installed with CentOS 8.3 and kernel 4.18.0-240.10.1.el8_3.x86_64, and current tip of Lustre master branch (commit "c6cf295d8f |
| Comment by Oleg Kulachenko (Inactive) [ 26/Apr/22 ] |
fscrypt --version fscrypt version v0.2.9
4.18.0-348.2.1.el8_lustre.x86_64 CentOS Linux release 8.5.2111
4.18.0-348.2.1.el8_lustre.x86_64 CentOS Linux release 8.5.2111
lustre-release 03e4b451b0dc95fc4af2f1f48ba88b8b57ad366c Build #4283 |
| Comment by Andreas Dilger [ 27/Apr/22 ] |
|
Is it possible that this problem is the same as Oleg, if you are able to reproduce this, could you please apply the patch https://review.whamcloud.com/47156 "LU--15787 sec: block enc unaware clients on enc files" on the server to see if that fixes it. |
| Comment by Oleg Kulachenko (Inactive) [ 27/Apr/22 ] |
|
adilger thank you very much. I'll try to reproduce it |
| Comment by Peter Jones [ 05/May/22 ] |
|
Could not be reproduced, perhaps addressed by |