LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 03-11-2009, 02:18 PM   #1
robinsodergren
LQ Newbie
 
Registered: Mar 2009
Posts: 3

Rep: Reputation: 0
Limit access to folder from all, even root


Hiya! I have this little problem, I manage a small Linux-based fileserver, with a couple of different users. One of the users is going to use the server to store very confidential information that the other users never can get access too. The problem is that one of the other users (me) has to have the root-account for configuration.. So, my question is, is it possible to limit the access to this user's folders even from the root-account?
 
Old 03-11-2009, 02:22 PM   #2
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Linux Mint
Posts: 8,516

Rep: Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896
perhaps he can use encryption?
 
Old 03-11-2009, 02:32 PM   #3
SlowCoder
Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Fedora (Desktop), CentOS (Server), Knoppix (Diags)
Posts: 934

Rep: Reputation: 38
Encryption seems to be to be the best method in this case. But then you'd need to set up a policy for password storage in case he leaves the company. But then *someone else* would also have access to the password.

Outside of encryption, the thing about root is that even if root removes access from themselves to a resource, they can reinstate it. So I don't see how that would work out.

What about removable storage? Maybe a hotswappable hard drive that is stored in a safe? But that's about the same as the password issue, I suppose, as there would be a backup key, or the combination would be recorded elsewhere.
 
Old 03-11-2009, 03:03 PM   #4
robinsodergren
LQ Newbie
 
Registered: Mar 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Yeah I was afraid that encryption would be the best option.. That I would have the ability to change the password isn't really much of a problem..

The problem, if using encryption, would be this: The person who uses this "private" folder doesn't really know anything about Linux and how to SSH to the server etc, we have to use Windows on our workcomputers, and we connect to the fileserver that has Samba on it. Is it possible to encrypt/decrypt on the fly like that if the user connects in that way, or will you have to do it the complicated way?
 
Old 03-11-2009, 03:12 PM   #5
tux99
LQ Newbie
 
Registered: Mar 2009
Posts: 20

Rep: Reputation: 3
the best way is for him to use some encryption tool on his Windows workstation and then save the files already encrypted onto the Linux fileserver.
 
Old 03-11-2009, 07:35 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
Quote:
Originally Posted by robinsodergren View Post
is it possible to limit the access to this user's folders even from the root-account?
Next to encryption, AFAIK that kind of compartmentalization is what SE Linux MLS is all about. You'll have to wait for people like Unixfool or Farslayer to drop by for help though. I haven't yet found the time to mess with a near-EAL4+ MLS running server.
 
Old 03-12-2009, 12:16 AM   #7
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172Reputation: 1172
You cannot exclude root. Perhaps the data could be stored on a removable drive.

If the information is a government-grade "confidential" or "secret," then you should refer to the appropriate guidelines for the handling of such information, as issued by your government.
 
Old 03-12-2009, 05:46 AM   #8
T74marcell
Member
 
Registered: Mar 2009
Posts: 102

Rep: Reputation: 18
If the user with the confidential information doesn't even trust the companies own system administrator, then the only reasonable option among the easy choices is to avoid storing such data on the Linux fileserver.

A somewhat more complicated solution would be to program an application for the user's Windows system, that manages the confidential informations or files and does the encryption and data transfer behind the scenes. This way the data would be stored on the fileserver, but due to the encryption no one would be able to use/misuse it. The user will have to keep his own Windows PC safe from attacks and has to maintain his passwords, but the system administrator would be free of any responsibility.

Arch Linux

Last edited by T74marcell; 03-14-2009 at 02:11 AM.
 
Old 03-12-2009, 08:35 AM   #9
wsduvall
Member
 
Registered: Aug 2006
Posts: 92

Rep: Reputation: 16
I think some encryption programs (TrueCrypt) are compatible with both windows and linux. Maybe this would work...
 
Old 03-12-2009, 11:11 AM   #10
robinsodergren
LQ Newbie
 
Registered: Mar 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks everyone for all the replies! Well, the thing is that I'm not a system administrator, I'm just an "agent" with somewhat more computer knowledge than the rest, so I was asked to do this sort of as a small project. But we decided that I could be trusted to not look at the confidential information that was to be stored on the disk. (And no, this is not government-grade confidential, but still.. Wouldn't be good if the information would get out)

Anyways.. Everything worked out fine, and I didn't have to go and install and configure a lot of other stuff, lyckily! Thanks again for the help! )
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to limit ftp access to root and one username only? RMLinux Linux - Newbie 5 12-02-2008 08:28 PM
How to allow normal user to access a program under the root folder vitalstrike82 Slackware 2 11-08-2008 04:39 PM
limit new userid with no shell to access particular folder only itik Linux - Security 1 10-08-2008 05:59 AM
Prevent access to root folder ]SK[ Linux - Security 6 08-14-2007 07:48 AM
Limit folder access in NFS Min Donner Linux - Networking 7 08-20-2004 02:54 PM


All times are GMT -5. The time now is 03:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration