Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 03-11-2009, 02:18 PM   #1
LQ Newbie
Registered: Mar 2009
Posts: 3

Rep: Reputation: 0
Limit access to folder from all, even root

Hiya! I have this little problem, I manage a small Linux-based fileserver, with a couple of different users. One of the users is going to use the server to store very confidential information that the other users never can get access too. The problem is that one of the other users (me) has to have the root-account for configuration.. So, my question is, is it possible to limit the access to this user's folders even from the root-account?
Old 03-11-2009, 02:22 PM   #2
LQ 5k Club
Registered: May 2001
Location: Belgium
Distribution: Linux Mint
Posts: 8,516

Rep: Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896Reputation: 896
perhaps he can use encryption?
Old 03-11-2009, 02:32 PM   #3
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Fedora (Desktop), CentOS (Server), Knoppix (Diags)
Posts: 934

Rep: Reputation: 38
Encryption seems to be to be the best method in this case. But then you'd need to set up a policy for password storage in case he leaves the company. But then *someone else* would also have access to the password.

Outside of encryption, the thing about root is that even if root removes access from themselves to a resource, they can reinstate it. So I don't see how that would work out.

What about removable storage? Maybe a hotswappable hard drive that is stored in a safe? But that's about the same as the password issue, I suppose, as there would be a backup key, or the combination would be recorded elsewhere.
Old 03-11-2009, 03:03 PM   #4
LQ Newbie
Registered: Mar 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Yeah I was afraid that encryption would be the best option.. That I would have the ability to change the password isn't really much of a problem..

The problem, if using encryption, would be this: The person who uses this "private" folder doesn't really know anything about Linux and how to SSH to the server etc, we have to use Windows on our workcomputers, and we connect to the fileserver that has Samba on it. Is it possible to encrypt/decrypt on the fly like that if the user connects in that way, or will you have to do it the complicated way?
Old 03-11-2009, 03:12 PM   #5
LQ Newbie
Registered: Mar 2009
Posts: 20

Rep: Reputation: 3
the best way is for him to use some encryption tool on his Windows workstation and then save the files already encrypted onto the Linux fileserver.
Old 03-11-2009, 07:35 PM   #6
Registered: May 2001
Posts: 28,899
Blog Entries: 55

Rep: Reputation: 3357Reputation: 3357Reputation: 3357Reputation: 3357Reputation: 3357Reputation: 3357Reputation: 3357Reputation: 3357Reputation: 3357Reputation: 3357Reputation: 3357
Originally Posted by robinsodergren View Post
is it possible to limit the access to this user's folders even from the root-account?
Next to encryption, AFAIK that kind of compartmentalization is what SE Linux MLS is all about. You'll have to wait for people like Unixfool or Farslayer to drop by for help though. I haven't yet found the time to mess with a near-EAL4+ MLS running server.
Old 03-12-2009, 12:16 AM   #7
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,986

Rep: Reputation: 1444Reputation: 1444Reputation: 1444Reputation: 1444Reputation: 1444Reputation: 1444Reputation: 1444Reputation: 1444Reputation: 1444Reputation: 1444
You cannot exclude root. Perhaps the data could be stored on a removable drive.

If the information is a government-grade "confidential" or "secret," then you should refer to the appropriate guidelines for the handling of such information, as issued by your government.
Old 03-12-2009, 05:46 AM   #8
Registered: Mar 2009
Posts: 102

Rep: Reputation: 18
If the user with the confidential information doesn't even trust the companies own system administrator, then the only reasonable option among the easy choices is to avoid storing such data on the Linux fileserver.

A somewhat more complicated solution would be to program an application for the user's Windows system, that manages the confidential informations or files and does the encryption and data transfer behind the scenes. This way the data would be stored on the fileserver, but due to the encryption no one would be able to use/misuse it. The user will have to keep his own Windows PC safe from attacks and has to maintain his passwords, but the system administrator would be free of any responsibility.

Arch Linux

Last edited by T74marcell; 03-14-2009 at 02:11 AM.
Old 03-12-2009, 08:35 AM   #9
Registered: Aug 2006
Posts: 92

Rep: Reputation: 16
I think some encryption programs (TrueCrypt) are compatible with both windows and linux. Maybe this would work...
Old 03-12-2009, 11:11 AM   #10
LQ Newbie
Registered: Mar 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks everyone for all the replies! Well, the thing is that I'm not a system administrator, I'm just an "agent" with somewhat more computer knowledge than the rest, so I was asked to do this sort of as a small project. But we decided that I could be trusted to not look at the confidential information that was to be stored on the disk. (And no, this is not government-grade confidential, but still.. Wouldn't be good if the information would get out)

Anyways.. Everything worked out fine, and I didn't have to go and install and configure a lot of other stuff, lyckily! Thanks again for the help! )


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
how to limit ftp access to root and one username only? RMLinux Linux - Newbie 5 12-02-2008 08:28 PM
How to allow normal user to access a program under the root folder vitalstrike82 Slackware 2 11-08-2008 04:39 PM
limit new userid with no shell to access particular folder only itik Linux - Security 1 10-08-2008 05:59 AM
Prevent access to root folder ]SK[ Linux - Security 6 08-14-2007 07:48 AM
Limit folder access in NFS Min Donner Linux - Networking 7 08-20-2004 02:54 PM

All times are GMT -5. The time now is 06:58 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration