LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 06-24-2010, 04:03 AM   #1
RudraB
Member
 
Registered: Mar 2007
Distribution: Fedora
Posts: 262

Rep: Reputation: 23
root access to user account


I am a user of a cluster. I don't want root to see/copy files from my user account(obviously).
Is that possible to limit the access of root to users account?
 
Old 06-24-2010, 05:13 AM   #2
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Debian
Posts: 1,266

Rep: Reputation: 99
you can use sudo users . Follow this link
 
0 members found this post helpful.
Old 06-24-2010, 05:16 AM   #3
zirias
Member
 
Registered: Jun 2010
Posts: 361

Rep: Reputation: 59
No. root can always access anything, that's the concept. If you can't trust the persons with root access to a certain machine, don't use that machine.
 
1 members found this post helpful.
Old 06-24-2010, 07:22 AM   #4
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,061
Blog Entries: 1

Rep: Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374
Hi,

Quote:
Originally Posted by advanced View Post
I am a user of a cluster. I don't want root to see/copy files from my user account(obviously).
Is that possible to limit the access of root to users account?
'root/superuser';

Quote:
excerpt from 'Unix and Unix-like';

In Unix-style computer operating systems, root is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user). Alternative names include baron in BeOS and avatar on some Unix variants. BSD often provides a toor (“root” backwards) account in addition to a root account for better usability while performing administrative tasks. Regardless of the name, the superuser always has zero user ID. The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below 1024. The etymology of the term may be that root is the only user account with permission to modify the root directory of a Unix system.[2]
So if there is problem with files being viewed by root/superuser then I suggest an alternate storage of your secure files that can be removed from the system.

There is the need for a root/superuser to be able to master control the environment of the system. If the superuser cannot be trusted then move to another system to find a trusted superuser. 'paranoia' is fine at times but this is not one.

 
Old 06-25-2010, 01:15 AM   #5
RudraB
Member
 
Registered: Mar 2007
Distribution: Fedora
Posts: 262

Original Poster
Rep: Reputation: 23
well, in that case, I need to keep my files encrpted...so that root cannot see this.
take the file:
Quote:
$ cat trial.sh
#!/bin/bash
echo "Hello World"
if i am trying to encrypt this:

Quote:
$ gpg -c trial.sh
it asks for passphrase and ends up with:
Quote:
$ gpg -c trial.sh
can't connect to `/home/rudra/.gnupg/S.gpg-agent': No such file or directory
and then:
Quote:
$ chmod 700 trial.sh.gpg
$ ./trial.sh.gpg
5�-��P�: command not found
./trial.sh.gpg: line 2: unexpected EOF while looking for matching ``'
./trial.sh.gpg: line 4: syntax error: unexpected end of file
 
Old 06-25-2010, 05:25 AM   #6
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,965
Blog Entries: 11

Rep: Reputation: 865Reputation: 865Reputation: 865Reputation: 865Reputation: 865Reputation: 865Reputation: 865
This won't work; the shell has no idea what an encrypted file is,
and just like root it can't see "the real thing" - the commands
in the encrypted file.


To make the shell run it, decrypt it.


What exactly is your issue with root potentially seeing your
script, anyway? He's either the owner of the machine, or by
the owners will empowered to the ability to see all files.

If you don't want him to look at your files, don't store them
on his machine.


Cheers,
Tink
 
Old 06-26-2010, 11:47 AM   #7
RudraB
Member
 
Registered: Mar 2007
Distribution: Fedora
Posts: 262

Original Poster
Rep: Reputation: 23
Quote:
Originally Posted by Tinkster View Post

What exactly is your issue with root potentially seeing your
script, anyway? He's either the owner of the machine, or by
the owners will empowered to the ability to see all files.
yes....but i am afraid he is making mess with my codes
 
Old 06-26-2010, 12:38 PM   #8
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
'root' can still mess with your codes by deleting your gpg'ed script But why would root do so

I'm seeing a lack of trust here. Did you give root a reason not to trust you or is there a reason why you don't trust root?

PS MD5sums can be used to pick up unwanted changes in files.
 
Old 06-26-2010, 08:44 PM   #9
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, Mint
Posts: 7,457

Rep: Reputation: 1408Reputation: 1408Reputation: 1408Reputation: 1408Reputation: 1408Reputation: 1408Reputation: 1408Reputation: 1408Reputation: 1408Reputation: 1408
Root is God of the world of your login.

Store your files on removable media.

Remove the media.

Look for a new job.
 
Old 06-27-2010, 03:01 PM   #10
imagine_me2
Member
 
Registered: Nov 2009
Location: Kolkata, India
Distribution: Fedora 11
Posts: 136

Rep: Reputation: 22
Use a virtual machine and enable encrypted file system. As you are the root of vm nothing can be done inside vm without your permission. Use of proper encryption policy will ensure that nothing can be done outside vm. (Eg. Boot time password, Boot loader password, Efs etc.).

Now you can work seamlessly with your files without have to decrypt them every time.

Only thing root can do is delete your files, or vm all together, but she cant mess with them.

You can use QEMU(widely available) for this purpose.
 
Old 06-28-2010, 02:51 AM   #11
zirias
Member
 
Registered: Jun 2010
Posts: 361

Rep: Reputation: 59
This last suggestion is interesting, but it's important to understand that root would always find a way to access your files, no matter what you do. The "easiest" way in the vm scenario would be to capture your keyboard input, either in the input-layer kernel driver for the local keyboard, or by modifying sshd (or whatever is used for remote access).

Of course, this is VERY paranoid, I just mention it to illustrate that it's a bad idea to use a system where you can't trust "root" to respect your privacy.
 
Old 06-28-2010, 11:19 AM   #12
imagine_me2
Member
 
Registered: Nov 2009
Location: Kolkata, India
Distribution: Fedora 11
Posts: 136

Rep: Reputation: 22
To ensure security you have to work hard, specially when the scope of trust is small.
There are ways , which i cant mention here (the moderator once scolded me for similar reasons), to do that. It is up to you to find them.

Regards.
 
Old 06-28-2010, 12:11 PM   #13
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,061
Blog Entries: 1

Rep: Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374Reputation: 1374
Hi,
Quote:
Originally Posted by advanced View Post
yes....but i am afraid he is making mess with my codes
How do you know this?

You sure it's not you or someone else with equivalent access?

As superuser most will do everything to the 'T' to prevent problems with a system. If a user does something that is not allowed then the 'superuser' will normally warn before any action(s). If the person doesn't adjust or correct their ways then most 'superuser' will just lock the violator out.
 
Old 06-28-2010, 01:52 PM   #14
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,079

Rep: Reputation: 368Reputation: 368Reputation: 368Reputation: 368
just to add my 2 cents i would have to agree with all the above posts that if you are afraid of root messing with your scripts then don't keep them on that machine since linux/unix systems were designed from the ground up for root to have full acess to the system, if you are afraid he/she will mess things up then simply keep a backup, which would be good practice anyways. root access trums user security access, and physical access trumps BOTH so it all comes down to trusting the powers that be or not using the system, period.

the real question being what do you have to hide?

Last edited by frieza; 06-28-2010 at 01:53 PM.
 
Old 06-29-2010, 12:10 AM   #15
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
I think Elvis has left the building. Like to read his opinion on the matter.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
root account or user account arodlinux Suse/Novell 3 12-23-2008 08:59 PM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 10:02 AM
can not access directory from user account - only root walterbyrd Linux - General 1 03-04-2005 11:23 PM
Can root access be gained from regular user account without password? jdruin Linux - Security 5 11-22-2004 10:20 AM
Can Access Sites with root but not user account Obelus Linux - Networking 4 12-21-2003 03:28 PM


All times are GMT -5. The time now is 03:08 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration