Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Hiya! I have this little problem, I manage a small Linux-based fileserver, with a couple of different users. One of the users is going to use the server to store very confidential information that the other users never can get access too. The problem is that one of the other users (me) has to have the root-account for configuration.. So, my question is, is it possible to limit the access to this user's folders even from the root-account?
Encryption seems to be to be the best method in this case. But then you'd need to set up a policy for password storage in case he leaves the company. But then *someone else* would also have access to the password.
Outside of encryption, the thing about root is that even if root removes access from themselves to a resource, they can reinstate it. So I don't see how that would work out.
What about removable storage? Maybe a hotswappable hard drive that is stored in a safe? But that's about the same as the password issue, I suppose, as there would be a backup key, or the combination would be recorded elsewhere.
Yeah I was afraid that encryption would be the best option.. That I would have the ability to change the password isn't really much of a problem..
The problem, if using encryption, would be this: The person who uses this "private" folder doesn't really know anything about Linux and how to SSH to the server etc, we have to use Windows on our workcomputers, and we connect to the fileserver that has Samba on it. Is it possible to encrypt/decrypt on the fly like that if the user connects in that way, or will you have to do it the complicated way?
is it possible to limit the access to this user's folders even from the root-account?
Next to encryption, AFAIK that kind of compartmentalization is what SE Linux MLS is all about. You'll have to wait for people like Unixfool or Farslayer to drop by for help though. I haven't yet found the time to mess with a near-EAL4+ MLS running server.
If the user with the confidential information doesn't even trust the companies own system administrator, then the only reasonable option among the easy choices is to avoid storing such data on the Linux fileserver.
A somewhat more complicated solution would be to program an application for the user's Windows system, that manages the confidential informations or files and does the encryption and data transfer behind the scenes. This way the data would be stored on the fileserver, but due to the encryption no one would be able to use/misuse it. The user will have to keep his own Windows PC safe from attacks and has to maintain his passwords, but the system administrator would be free of any responsibility.
Thanks everyone for all the replies! Well, the thing is that I'm not a system administrator, I'm just an "agent" with somewhat more computer knowledge than the rest, so I was asked to do this sort of as a small project. But we decided that I could be trusted to not look at the confidential information that was to be stored on the disk. (And no, this is not government-grade confidential, but still.. Wouldn't be good if the information would get out)
Anyways.. Everything worked out fine, and I didn't have to go and install and configure a lot of other stuff, lyckily! Thanks again for the help! )