root access to user account
I am a user of a cluster. I don't want root to see/copy files from my user account(obviously).
Is that possible to limit the access of root to users account? |
you can use sudo users . Follow this link
|
No. root can always access anything, that's the concept. If you can't trust the persons with root access to a certain machine, don't use that machine.
|
Hi,
Quote:
Quote:
There is the need for a root/superuser to be able to master control the environment of the system. If the superuser cannot be trusted then move to another system to find a trusted superuser. 'paranoia' is fine at times but this is not one. :hattip: |
well, in that case, I need to keep my files encrpted...so that root cannot see this.
take the file: Quote:
Quote:
Quote:
Quote:
|
This won't work; the shell has no idea what an encrypted file is,
and just like root it can't see "the real thing" - the commands in the encrypted file. To make the shell run it, decrypt it. What exactly is your issue with root potentially seeing your script, anyway? He's either the owner of the machine, or by the owners will empowered to the ability to see all files. If you don't want him to look at your files, don't store them on his machine. Cheers, Tink |
Quote:
|
'root' can still mess with your codes by deleting your gpg'ed script ;) But why would root do so :confused:
I'm seeing a lack of trust here. Did you give root a reason not to trust you or is there a reason why you don't trust root? PS MD5sums can be used to pick up unwanted changes in files. |
Root is God of the world of your login.
Store your files on removable media. Remove the media. Look for a new job. |
Use a virtual machine and enable encrypted file system. As you are the root of vm nothing can be done inside vm without your permission. Use of proper encryption policy will ensure that nothing can be done outside vm. (Eg. Boot time password, Boot loader password, Efs etc.).
Now you can work seamlessly with your files without have to decrypt them every time. Only thing root can do is delete your files, or vm all together, but she cant mess with them. You can use QEMU(widely available) for this purpose. |
This last suggestion is interesting, but it's important to understand that root would always find a way to access your files, no matter what you do. The "easiest" way in the vm scenario would be to capture your keyboard input, either in the input-layer kernel driver for the local keyboard, or by modifying sshd (or whatever is used for remote access).
Of course, this is VERY paranoid, I just mention it to illustrate that it's a bad idea to use a system where you can't trust "root" to respect your privacy. |
To ensure security you have to work hard, specially when the scope of trust is small.
There are ways , which i cant mention here (the moderator once scolded me for similar reasons), to do that. It is up to you to find them. Regards. |
Hi,
Quote:
You sure it's not you or someone else with equivalent access? As superuser most will do everything to the 'T' to prevent problems with a system. If a user does something that is not allowed then the 'superuser' will normally warn before any action(s). If the person doesn't adjust or correct their ways then most 'superuser' will just lock the violator out. :hattip: |
just to add my 2 cents i would have to agree with all the above posts that if you are afraid of root messing with your scripts then don't keep them on that machine since linux/unix systems were designed from the ground up for root to have full acess to the system, if you are afraid he/she will mess things up then simply keep a backup, which would be good practice anyways. root access trums user security access, and physical access trumps BOTH so it all comes down to trusting the powers that be or not using the system, period.
the real question being what do you have to hide? |
I think Elvis has left the building. Like to read his opinion on the matter.
|
Quote:
root can access anything by default....so I assume I can change this. It seems I cant. Hence I have another question: Can I encrypt my scripts such a way that i can run the encrypted file itself? I can encrypt file via vim -x ....but shell cant understand what is inside. can I run encrypted script? |
Only if you prepend a self-decrypting routine. And, if they should run non-interactively, this routine needs to contain the decryption key -- quite pointless. Really, go get an account on a machine where you can trust the operators...
|
All times are GMT -5. The time now is 01:18 AM. |