| View previous topic :: View next topic |
| Author |
Message |
My_World
Guru
Joined: 01 Sep 2003
Posts: 339
Location: Kalahari Desert
|
 Posted: Mon Jun 26, 2006 7:28 am Post subject: Securing user accounts against root |
 |
|
What I want done:
To be able to secure the user accounts against root:
*) Root may not access or change files in a users ~ without their username/password.
Is there a way to do this? Or some similar method of protecting sensitive data from root. There is a million reasons I would like to be able to do this and am not going to discuss it here, all I want to know is if it can be done and how.
_________________
"Ubuntu" - an African word meaning "Gentoo is too hard for me". |
|
| Back to top |
|
 |
freigeist
Guru
Joined: 26 Jan 2004
Posts: 338
Location: Cologne, Germany
|
| Posted: Mon Jun 26, 2006 7:38 am Post subject: |
|
|
You may want to take a look at selinux and its role management to define rights more precisely, but you always need and want a "root" account. Without knowing the exact reason why you want this (don't trust your root?) it could be possible to strip some rights from an admin account and allow regular tasks but deny access to certain parts of the filesystem. Alternatively you could use sudo for administrative tasks (but dont allow a sudo bash  ) and disallow root login...beware that you could easily lock yourself out of the system... |
|
| Back to top |
|
|
ToeiRei
Veteran
Joined: 03 Jan 2005
Posts: 1191
Location: Austria
|
| Posted: Mon Jun 26, 2006 7:39 am Post subject: |
|
|
what about encryption?
Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell... |
|
| Back to top |
|
|
at240
l33t
Joined: 12 Aug 2005
Posts: 603
Location: UK
|
| Posted: Mon Jun 26, 2006 7:57 am Post subject: |
|
|
| ToeiRei wrote: | | what about encryption? |
This would secure the data, but wouldn't stop an untrustworthy root from just deleting it. |
|
| Back to top |
|
|
My_World
Guru
Joined: 01 Sep 2003
Posts: 339
Location: Kalahari Desert
|
| Posted: Mon Jun 26, 2006 7:59 am Post subject: |
|
|
| freigeist wrote: | | You may want to take a look at selinux and its role management to define rights more precisely, but you always need and want a "root" account. Without knowing the exact reason why you want this (don't trust your root?) it could be possible to strip some rights from an admin account and allow regular tasks but deny access to certain parts of the filesystem. Alternatively you could use sudo for administrative tasks (but dont allow a sudo bash ) and disallow root login...beware that you could easily lock yourself out of the system... |
Yes, you will always need a root account, but that doesn't mean he/she needs to know every little sensitive detail of the company. There is info that is best kept by only the directors and no one else needs to know of this.
Encryption is an option, but then root can still rm -fr encrypted_file/folder
root should have limmited or NO access to the users ~, that is what I'm after.
_________________
"Ubuntu" - an African word meaning "Gentoo is too hard for me". |
|
| Back to top |
|
|
ToeiRei
Veteran
Joined: 03 Jan 2005
Posts: 1191
Location: Austria
|
| Posted: Mon Jun 26, 2006 7:59 am Post subject: |
|
|
well... depending on the data stored, it may be better having it deleted instead of read/modified/copied...
Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell... |
|
| Back to top |
|
|
at240
l33t
Joined: 12 Aug 2005
Posts: 603
Location: UK
|
| Posted: Mon Jun 26, 2006 8:03 am Post subject: |
|
|
| ToeiRei wrote: | | well... depending on the data stored, it may be better having it deleted instead of read/modified/copied... |
I agree---I was just being pedantic.
And if some administrator does delete a company director's encrypted files, presumably that admin would soon learn the error of his ways...  |
|
| Back to top |
|
|
|
Networking & Security
