LinuxQuestions.org
06-24-2010, 04:03 AM   #1
RudraB
Member

Registered: Mar 2007
Distribution: Fedora
Posts: 264

root access to user account


I am a user of a cluster. I don't want root to see/copy files from my user account (obviously).
Is it possible to limit the access of root to a user's account?
 
06-24-2010, 05:13 AM   #2
vikas027
Senior Member

Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

You can use sudo users. Follow this link
 
0 members found this post helpful.
06-24-2010, 05:16 AM   #3
zirias
Member

Registered: Jun 2010
Posts: 361

No. root can always access anything, that's the concept. If you can't trust the persons with root access to a certain machine, don't use that machine.
 
1 members found this post helpful.
06-24-2010, 07:22 AM   #4
onebuck
Moderator

Registered: Jan 2005
Location: Central Florida 20 minutes from Disney World
Distribution: Slackware®
Posts: 13,925
Blog Entries: 44

Hi,

Quote:
Originally Posted by advanced
I am a user of a cluster. I don't want root to see/copy files from my user account(obviously).
Is that possible to limit the access of root to users account?
'root/superuser';

Quote:
excerpt from 'Unix and Unix-like';

In Unix-style computer operating systems, root is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user). Alternative names include baron in BeOS and avatar on some Unix variants. BSD often provides a toor (“root” backwards) account in addition to a root account for better usability while performing administrative tasks. Regardless of the name, the superuser always has zero user ID. The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below 1024. The etymology of the term may be that root is the only user account with permission to modify the root directory of a Unix system.[2]
So if there is a problem with files being viewed by root/superuser then I suggest an alternate storage of your secure files that can be removed from the system.

There is the need for a root/superuser to be able to master control the environment of the system. If the superuser cannot be trusted then move to another system to find a trusted superuser. 'Paranoia' is fine at times but this is not one.

 
06-25-2010, 01:15 AM   #5
RudraB
Member

Registered: Mar 2007
Distribution: Fedora
Posts: 264

Original Poster
Well, in that case, I need to keep my files encrypted... so that root cannot see this.
Take the file:
Quote:
$ cat trial.sh
#!/bin/bash
echo "Hello World"
If I am trying to encrypt this:

Quote:
$ gpg -c trial.sh
It asks for a passphrase and ends up with:
Quote:
$ gpg -c trial.sh
can't connect to `/home/rudra/.gnupg/S.gpg-agent': No such file or directory
and then:
Quote:
$ chmod 700 trial.sh.gpg
$ ./trial.sh.gpg
5�-��P�: command not found
./trial.sh.gpg: line 2: unexpected EOF while looking for matching ``'
./trial.sh.gpg: line 4: syntax error: unexpected end of file
 
06-25-2010, 05:25 AM   #6
Tinkster
Moderator

Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

This won't work; the shell has no idea what an encrypted file is,
and just like root it can't see "the real thing" - the commands
in the encrypted file.


To make the shell run it, decrypt it.


What exactly is your issue with root potentially seeing your
script, anyway? He's either the owner of the machine, or by
the owner's will empowered with the ability to see all files.

If you don't want him to look at your files, don't store them
on his machine.


Cheers,
Tink
 
06-26-2010, 11:47 AM   #7
RudraB
Member

Registered: Mar 2007
Distribution: Fedora
Posts: 264

Original Poster
Quote:
Originally Posted by Tinkster

What exactly is your issue with root potentially seeing your
script, anyway? He's either the owner of the machine, or by
the owner's will empowered with the ability to see all files.
Yes... but I am afraid he is making a mess with my codes
 
06-26-2010, 12:38 PM   #8
Wim Sturkenboom
Senior Member

Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

'root' can still mess with your codes by deleting your gpg'ed script. But why would root do so?

I'm seeing a lack of trust here. Did you give root a reason not to trust you or is there a reason why you don't trust root?

PS MD5sums can be used to pick up unwanted changes in files.
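
Added example, not part of the thread, for the checksum suggestion in the post above: a manifest that flags modified, deleted and newly added files. It uses SHA-256 in place of MD5 and assumes GNU coreutils; the function names, file names and demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (sha256sum).
# SHA-256 is used here in place of the MD5 sums the post mentions.
# Store the manifest off the shared machine: whoever can rewrite both
# the files and the manifest can make a change look clean.

# make_manifest DIR MANIFEST: hash every regular file under DIR.
# MANIFEST must live outside DIR.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# check_manifest DIR MANIFEST: print one line per finding; return 1 if any.
check_manifest() {
    dir=$1; manifest=$2
    # Modified or deleted files: -c re-hashes each path the manifest lists.
    changed=$( { cd "$dir" && LC_ALL=C sha256sum -c --quiet - 2>/dev/null; } \
               < "$manifest" ) || true
    # Files that appeared after the baseline are not in the manifest at all.
    listed=$(sed 's/^[0-9a-f]* [ *]//' "$manifest")
    new=$( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\n' "$listed" | grep -Fxq -- "$f" || printf '%s: NEW\n' "$f"
    done )
    report=$(printf '%s\n%s\n' "$changed" "$new" | sed '/^$/d')
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed demo: baseline two files, then modify, delete and add one.
demo() {
    work=$(mktemp -d) || return 2
    mkdir "$work/src"
    printf '#!/bin/bash\necho "Hello World"\n' > "$work/src/trial.sh"
    printf 'todo\n' > "$work/src/notes.txt"
    make_manifest "$work/src" "$work/manifest.sha256"
    printf 'echo "extra"\n' >> "$work/src/trial.sh"
    rm "$work/src/notes.txt"
    : > "$work/src/added.sh"
    rc=0
    check_manifest "$work/src" "$work/manifest.sha256" || rc=$?
    rm -rf "$work"
    return "$rc"
}
```

Calling `demo` prints one line per finding and returns 1; an unchanged directory prints nothing and returns 0.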
 
06-26-2010, 08:44 PM   #9
frankbell
LQ Guru

Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,342
Blog Entries: 28

Root is God of the world of your login.

Store your files on removable media.

Remove the media.

Look for a new job.
 
06-27-2010, 03:01 PM   #10
imagine_me2
Member

Registered: Nov 2009
Location: Kolkata, India
Distribution: Fedora 11
Posts: 136

Use a virtual machine and enable an encrypted file system. As you are the root of the VM, nothing can be done inside the VM without your permission. Use of a proper encryption policy will ensure that nothing can be done outside the VM. (E.g. Boot time password, Boot loader password, Efs etc.).

Now you can work seamlessly with your files without having to decrypt them every time.

The only thing root can do is delete your files, or the VM altogether, but she can't mess with them.

You can use QEMU (widely available) for this purpose.
 
06-28-2010, 02:51 AM   #11
zirias
Member

Registered: Jun 2010
Posts: 361

This last suggestion is interesting, but it's important to understand that root would always find a way to access your files, no matter what you do. The "easiest" way in the vm scenario would be to capture your keyboard input, either in the input-layer kernel driver for the local keyboard, or by modifying sshd (or whatever is used for remote access).

Of course, this is VERY paranoid, I just mention it to illustrate that it's a bad idea to use a system where you can't trust "root" to respect your privacy.
 
06-28-2010, 11:19 AM   #12
imagine_me2
Member

Registered: Nov 2009
Location: Kolkata, India
Distribution: Fedora 11
Posts: 136

To ensure security you have to work hard, especially when the scope of trust is small.
There are ways, which I can't mention here (the moderator once scolded me for similar reasons), to do that. It is up to you to find them.

Regards.
 
06-28-2010, 12:11 PM   #13
onebuck
Moderator

Registered: Jan 2005
Location: Central Florida 20 minutes from Disney World
Distribution: Slackware®
Posts: 13,925
Blog Entries: 44

Hi,
Quote:
Originally Posted by advanced
Yes... but I am afraid he is making a mess with my codes
How do you know this?

You sure it's not you or someone else with equivalent access?

As superuser most will do everything to the 'T' to prevent problems with a system. If a user does something that is not allowed then the 'superuser' will normally warn before any action(s). If the person doesn't adjust or correct their ways then most 'superusers' will just lock the violator out.
 
06-28-2010, 01:52 PM   #14
frieza
Senior Member

Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Just to add my 2 cents, I would have to agree with all the above posts that if you are afraid of root messing with your scripts then don't keep them on that machine, since Linux/Unix systems were designed from the ground up for root to have full access to the system. If you are afraid he/she will mess things up then simply keep a backup, which would be good practice anyway. Root access trumps user security access, and physical access trumps BOTH, so it all comes down to trusting the powers that be or not using the system, period.

The real question being: what do you have to hide?

Last edited by frieza; 06-28-2010 at 01:53 PM.
 
06-29-2010, 12:10 AM   #15
Wim Sturkenboom
Senior Member

Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

I think Elvis has left the building. Like to read his opinion on the matter.
 
  

