Allow restrictions actions of LibreCrypt via registry #43

Open
Magissia opened this issue Jan 7, 2016 · 1 comment

Magissia commented Jan 7, 2016

We should be able to restrict specific parts of LibreCrypt via registry to allow system administrators to have a better management of who can do what.

Containers are defined as a crypted file containing the data in this message, volumes are crypted volumes, disks are crypted disks.

Restrictions could be stored per user in HKCU\Software\Policies\t-d-k\LibreCrypt and per machine in HKLM\Software\Policies\t-d-k\LibreCrypt; obviously the HKLM path will affect all users.

These keys should be available both per user and per machine. If a key is missing, it is treated as true.
If some of these settings can be managed by the user themselves, these rules should silently overwrite the user's settings.
Please note:
This suggestion is bound to #38 as it probably requires rewriting a big chunk of code to check these settings correctly. It aims to improve security on multi-user systems.
System is always elevated, as it is not affected by UAC; we should not need to make an exception to the HKCU or HKLM rules for NT AUTHORITY\System.
Users running as NT SERVICE have their own home folder and registry hive like any user; we should not need to make an exception to the HKCU or HKLM rules for them. An administrator can manage the settings for these services using regedit or policies as usual.
If this project needs a userspace filesystem to mount a container, volume or drive only for one user, we can make use of dokany. (Open source + signed drivers, works from Win7 to 10)

AllowMountingContainer
AllowMountingContainerWithoutElevation (don't require UAC elevation to mount)
AllowUnmountingContainer
AllowUnmountingContainerWithoutElevation (don't require UAC elevation to unmount)
AllowMountingVolume
AllowUnmountingVolume
DisallowMountingVolumeWithoutElevation (Require elevation for action)
DisallowUnmountingVolumeWithoutElevation (Require elevation for action)
AllowMountingDisk
AllowUnmountingDisk
DisallowMountingDiskWithoutElevation (Require elevation for action)
DisallowUnmountingDiskWithoutElevation (Require elevation for action)
AllowRemovableMediaVolume (Includes mounting and unmounting to prevent data loss)
AllowRemovableMediaVolumeWithoutElevation (Don't require UAC elevation to (un)mount)
AllowCreatingVolume (If disabled, even administrators cannot create crypted volumes, but still can create containers)
DisallowCreatingVolumeWithoutElevation
AllowCreatingDisk (If disabled, even administrators cannot crypt whole disk, but can still create containers)
DisallowCreatingDiskWithoutElevation
AllowCreatingRemovableMediaVolume (Same as AllowCreatingVolume, but affects removable media)
AllowCreatingRemovableMediaVolumeWithoutElevation (Don't require UAC elevation for action)
AllowCreatingRemovableMediaDisk (Same as AllowCreatingDisk, but affects removable media)
AllowCreatingRemovableMediaDiskWithoutElevation (Don't require UAC elevation for action)
MountContainerForCurrentUser (Mount containers only for current user, regardless of user choice)
MountContainerForAllUsersWithoutElevation (Mounting for all users doesn't require UAC elevation)
AllowMountVolumeForAllUsers (Allow user to mount volume for all users)
AllowMountDiskForAllUsers (Allow user to mount disk for all users)
UnmountingOtherUserContainersRequireElevation (Unmounting containers you didn't mount requires elevation)
UnmountingOtherUserVolumeRequireElevation (Unmounting volumes you didn't mount requires elevation)
UnmountingOtherUserDiskRequireElevation (Unmounting disks you didn't mount requires elevation)

HKLM-specific rules:
UserBeforeMachine (HKCU rules take precedence over HKLM rules in case of conflict)
SystemMountContainerForAllUsers (Containers mounted by NT AUTHORITY\System are mounted for everyone by default)
SystemMountVolumeForAllUsers (Volumes mounted by NT AUTHORITY\System are mounted for everyone by default)
SystemMountDiskForAllUsers (Disks mounted by NT AUTHORITY\System are mounted for all users by default)
ServiceMountContainerForAllUsers.$ServiceName (Containers mounted by $ServiceName are mounted for everyone by default)
ServiceMountVolumeForAllUsers.$ServiceName (Volumes mounted by $ServiceName are mounted for everyone by default)
ServiceMountDiskForAllUsers.$ServiceName (Disks mounted by $ServiceName are mounted for everyone by default)
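
The lookup the proposal above describes (a missing key is treated as true, and HKCU versus HKLM conflicts are settled by UserBeforeMachine), modelled as an added example that is not part of the original post or of LibreCrypt. Assumptions: values are REG_DWORD-style integers, an absent UserBeforeMachine means the machine setting wins, and the function names and sample hives are hypothetical.

```python
# Added illustration, not LibreCrypt code. Hive contents are passed in as
# dicts so the precedence logic can be exercised without a Windows registry.

POLICY_SUBKEY = r"Software\Policies\t-d-k\LibreCrypt"  # path from the issue


def _as_bool(value):
    """Assumption: REG_DWORD-style integer, 0 = false, non-zero = true."""
    if not isinstance(value, int):
        raise ValueError(f"unexpected policy value {value!r}")
    return value != 0


def resolve_policy(name, hkcu, hklm):
    """Return (effective_value, source) for one policy key.

    hkcu / hklm are dicts of the values found under POLICY_SUBKEY in the
    per-user and per-machine hives.
    """
    in_user, in_machine = name in hkcu, name in hklm
    if not in_user and not in_machine:
        return True, "default"  # missing key is treated as true
    if in_user and not in_machine:
        return _as_bool(hkcu[name]), "HKCU"
    if in_machine and not in_user:
        return _as_bool(hklm[name]), "HKLM"
    # Both hives define the key. UserBeforeMachine is an HKLM-only rule, so
    # it is read from HKLM only; a copy planted in HKCU is ignored.
    # Assumption: when it is absent, the machine setting wins.
    if _as_bool(hklm.get("UserBeforeMachine", 0)):
        return _as_bool(hkcu[name]), "HKCU"
    return _as_bool(hklm[name]), "HKLM"


# Constructed sample hives (not taken from a real machine).
SAMPLE_HKLM = {"AllowCreatingDisk": 0, "AllowMountingContainer": 1}
SAMPLE_HKCU = {"AllowCreatingDisk": 1, "AllowMountingVolume": 0}

if __name__ == "__main__":
    for key in ("AllowCreatingDisk", "AllowMountingVolume",
                "AllowMountingContainer", "AllowUnmountingDisk"):
        print(key, resolve_policy(key, SAMPLE_HKCU, SAMPLE_HKLM))
```

On Windows the two dicts could be filled from the registry with the standard `winreg` module.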

Owner

t-d-k commented Jul 6, 2016

Do you mean to do a check in the driver or application? If in the application, Windows Group Policies can already do that. If in the driver, this wouldn't help #38 because any malicious app would probably run under the user's account anyway.
