Why is OpenSSL able to use a key file my user shouldn't have access to?
The following command works even though I really don’t think I should have permission to the key file:
$ openssl aes-256-cbc -d -pbkdf2 -in etc_backup.tar.xz.enc -out etc_backup.tar.xz -k /etc/ssl/private/etcBackup.key
I’m unable to even ascertain the existence of the key file under my normal user. I’m a member of only two groups, my own group and vboxusers
.
The permissions leading up to that file:
<span style="color:#323232;">drwxr-xr-x 1 root root 4010 Jul 31 08:01 etc
</span><span style="color:#323232;">...
</span><span style="color:#323232;">drwxr-xr-x 1 root root 206 Jul 14 23:52 ssl
</span><span style="color:#323232;">...
</span><span style="color:#323232;">drwx------ 1 root root 26 Jul 31 14:07 private
</span><span style="color:#323232;">...
</span><span style="color:#323232;">-rw------- 1 root root 256 Jul 31 14:07 etcBackup.key
</span>
OpenSSL isn’t setuid:
<span style="color:#323232;">> ls -la $(which openssl)
</span><span style="color:#323232;">-rwxr-xr-x 1 root root 1004768 Jul 14 23:52 /usr/bin/openssl
</span>
There don’t appear to be any ACLs related to that key file:
<span style="color:#323232;">> sudo getfacl /etc/ssl/private/etcBackup.key
</span><span style="color:#323232;">[sudo] password for root:
</span><span style="color:#323232;">getfacl: Removing leading '/' from absolute path names
</span><span style="color:#323232;"># file: etc/ssl/private/etcBackup.key
</span><span style="color:#323232;"># owner: root
</span><span style="color:#323232;"># group: root
</span><span style="color:#323232;">user::rw-
</span><span style="color:#323232;">group::---
</span><span style="color:#323232;">other::---
</span><span style="color:#323232;">
</span><span style="color:#323232;">> sudo lsattr /etc/ssl/private/etcBackup.key
</span><span style="color:#323232;">---------------------- /etc/ssl/private/etcBackup.key
</span>
Finally, it’s not just the case that the original file was encrypted with an empty file:
<span style="color:#323232;">> openssl aes-256-cbc -d -pbkdf2 -in etc_backup.tar.xz.enc -out etc_backup.tar.xz -k /etc/ssl/private/abc.key
</span><span style="color:#323232;">bad decrypt
</span><span style="color:#323232;">4047F634B67F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:124
</span>
Does anyone know what I’ve missed here?