Re: Accessibility of swap files

[mp.lists@free.fr]

Karel Zak <kzak@...> writes:

>
> On Wed, Nov 21, 2012 at 01:46:59PM +0000, Sami Kerola wrote:
> > On Wed, Nov 21, 2012 at 10:08 AM, Karel Zak <kzak@...> wrote:
> > > On Tue, Nov 06, 2012 at 05:25:02PM +0100, Bernhard Voelker wrote:
> > >> On November 6, 2012 at 4:06 PM mp.lists@... wrote:
> > >> > As a first idea, it looks, as if such may be implemented, eg. by
> > >> >      letting swapon [and fstab-based "mounting"] by default not enable
a swap
> > >> > file, if it has non-root access permissions
> > >>
> > >> Did you know?
> > >> The swapon utility issues a warning diagnostic with --verbose:
> > >>
> > >>   # ls -l /tmp/swapfile
> > >>   -rw-r--r-- 1 berny users 134217728 Nov  6 17:03 /tmp/swapfile
> > >>
> > >>   # sbin/swapon -v  /tmp/swapfile
> > >>   swapon /tmp/swapfile
> > >>   swapon: /tmp/swapfile: insecure permissions 0644, 0600 suggested.
> > >>   swapon: /tmp/swapfile: insecure file owner 1000, 0 (root) suggested.
> > >>   swapon: /tmp/swapfile: found swap signature: version 1, page-size 4,
same byte
> > >> order
> > >>   swapon: /tmp/swapfile: pagesize=4096, swapsize=134217728,
devsize=134217728
> > >
> > >  this waring is there since year 1999.. so it's really nothing new.
> >
Fine.

This contains three kinds of information:
  - a line, which is redundant wrt the command line
  - two lines of {critical, in my opinion} warning about insecure fs permissions
  - another two lines, which characterise the content of the swapfile


...
>
>  since util-linux 2.9t:
>
>     /* people generally dislike this warning - now it is printed
>        only when `verbose' is set */
>
Does anybody have a pointer to the arguments, why people dislike to know
about insecure permissions?!

Since I can rarely imagine any useful use case of insecure swap file
permissions compared to the immense security hole, an open swap file usually
presents, I would propose to:
  - remove the first line, which is redundant to the command line
    {low prio; you may leave it in order not to break anything}
  -    write the two lines of critical warning [as cited above] also,
       if --verbose isn't set
       {at least}
    || refuse to swapon|mount a swap file with insecure permissions without
       a "--force" parameter {also in fstab}
       {preferrable}


To make my arguments more understandable on the social level:
it's a quite frequent use case, that some root is given the task to work on a
POSIX system, he does not have any deeper knowledge of, yet.  May be, it's a
fresh Unix installation or a VM image.  At least in my experience, it's a
relatively early activity in the life-cycle of a system to adjust a its swap
configuration.  root has a hard time, if he has to work in a complex
environment[, where is he is almost always in a situation, he does not know
enough about,] without compromising hese systems, when he can not rely on a
paranoid policy of those, who prepared his ground.


I hope, this makes my intention understandable, and lets reconsider their
good-enough-ness.


Best, Markus