is there a secure store associated with user?

Sergei G sergeig.public at
Tue Mar 8 08:23:23 UTC 2016

My co-worker and I have discussed the issue of protecting sensitive data on
Windows with DPAPI vs Linux world.

MS DPAPI is secure, because it relies on user's password to encrypt user's
data store.  However, when windows services are involved, windows service
control manager (SCM) needs to store user's password, so it can unlock
DPAPI store when it starts the service.  Thus, Windows OS has to store a
form of user's password somewhere...  (Windows AD security is excluded from
this picture).

Our goal is to apply defense in depth and in this case it is a protection
of CONTENT of a file in case it was downloaded by an attacker.  Standard
ACL solution does not work, because www user by definition has access to a
file's content to be able to work with (load it into application memory).
The file is not meant to be served, but it may be serviced due to a
vulnerability or misconfiguration.  That's the scenario that we are
defending against.


One solution could be the deployment of a "security service" providing data
over a Unix file socket. The "security service" simply returns password to
the application and application decrypts sensitive data on the fly or uses
this password to establish DB connection. A direct download of file's
content would not result in sensitive data exposure.

The compromise is only possible if attacker gains ability to execute
arbitrary code as www user and instructs system to connect to "security
service".  The same is true to DPAPI protection.  If attacker can execute
arbitrary code as a service user, then he or she can return originally
protected data in plain text form.

In some way this is similar to WSC-DPAPI at the conceptual level.  WSC
knows the user's password, unlocks user's store and starts application with
user's context.  This "security service" plays a similar 3rd party role of
knowing the password and returning it.  Unfortunately, some form of
application ACL is necessary in this case.

Does it make any sense?  Is it too much protection for the payoff?

Does something like this exist today?

This is not an active project for me, but it is an important issue to wrap
my mind around.

Thank you

On Wed, Mar 2, 2016 at 12:54 PM, Polytropon <freebsd at> wrote:

> On Wed, 2 Mar 2016 10:45:10 -0800, Sergei G wrote:
> > I am looking for FreeBSD (and Linux) equivalent of DP API in windows. For
> > example, windows service has access to a secure data store associated
> with
> > user account.  When I register service I enter service user id and
> password
> > and that password unlocks user store.
> This can be done using regular user:group permissions. Let's say
> you run the service under a specific user "service" ; let's
> furthermore say that Bob's user data is owned by bob:bob. Then
> you just have to make user "service" a member of the group "bob"
> and set the file attributes to rw-/r--/---, for example: user
> can read and write, service can only read, nobody else can do
> anything.
> In this case, the password of Bob doesn't even have to be known
> to the service. Locking and unlocking is a matter of group
> menbership. This is controlled by the system administrator.
> Oh, and an additional approach is using ACLs. Here, the user
> himself can "unlock" things easily, if desired.
> There are probably many other ways that make such a way of access
> control possible.
> > Is there something like that in Unix
> > world?
> Yes, somehow. :-)
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...

More information about the freebsd-questions mailing list