Re: Calling a program when inode is unlinked?

Ignoramus17480 wrote:
> On 9 Dec 2005 17:16:40 -0800, prg <rdgentry1@xxxxxxxxxxxxx> wrote:
> >
> > Ignoramus17480 wrote:
> >> For a security related application. Suppose that one wants to make a
> >> security enhancement for a linux system so that whenever a inode's
> >> link count becomes zero, a program is called to wipe the contents
> >> before the file's sectors are passed to the free pool. Can, or has,
> >> that been done?
> >>
> >> i
> >
> > $ man stat
> > $ man shred
> >
> It's not what I am looking for. I can delete any files I want and
> overwrite them (and wrote a utility to do it years ago). What I want
> is to know that even files that I do not know about, are deleted.

Was afraid that was what you meant, but tried to slide by on-the-cheap.

> Let's say, for example, that I edit a encrypted file with credit card
> numbers, re-encrypt it and save it. The problem is that an editor like
> vim could have created its temp file, which it would then delete.

But what if the _file_system_ were encrypted, not just the file? And
what about temp files that did not, in fact, get cleaned up at all?

> That deleted file was not shredded and is a security risk. If burglars
> break in and find remainder of that temp file, they could reconstruct
> credit card numbers. That's what I want to prevent by trying to find
> out if all unwanted sectors can be shredded.
> If you google for "ext3 privacy patch" (or ext2) you would find that
> someone wrote something, but for kernel 2.4, and I am running 2.6.
> Something like that for 2.6 would be ideal.
> i

You mean this one:

In any case, something like that would be necessary -- ie., patching
the kernel and having all the fun of maintaining it and installing it
everywhere needed.

The only other way I can think of would be to write a kernel module
that intercepts the system call(s) that deletes a file and substitutes
a "secure" delete/shred function in its place. Sounds good, no? I
haven't a clue where to begin searching the source code :-(

I do have some example code around somewhere that shows how to write
such a module, but it's late and I'm too lazy/tired to hunt it down
now. If you're interested, I can locate it tomorrow.

But ...
You can get carried away with this sort of thing. Filesystem
encryption seems more "mainstream" and even that leaves some people
worried about leftover data on swap. After all, a burglar is more
likely to find "goodies" in existing files than to take the time
recovering deleted files that may or more likely will not be useful.
If the FS is encrypted, a deleted file is no more revealing than an
existing one -- nay, even less so ;-)

till we meet again,