LinuxQuestions.org


RudraB 06-24-2010 04:03 AM

root access to user account
 
I am a user of a cluster. I don't want root to see/copy files from my user account (obviously).
Is it possible to limit the access of root to a user's account?

vikas027 06-24-2010 05:13 AM

You can use sudo users. Follow this link

zirias 06-24-2010 05:16 AM

No. root can always access anything, that's the concept. If you can't trust the persons with root access to a certain machine, don't use that machine.

onebuck 06-24-2010 07:22 AM

Hi,

Quote:

Originally Posted by advanced (Post 4013444)
I am a user of a cluster. I don't want root to see/copy files from my user account (obviously).
Is it possible to limit the access of root to a user's account?

'root/superuser';

Quote:

excerpt from 'Unix and Unix-like';

In Unix-style computer operating systems, root is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user). Alternative names include baron in BeOS and avatar on some Unix variants. BSD often provides a toor (“root” backwards) account in addition to a root account for better usability while performing administrative tasks. Regardless of the name, the superuser always has zero user ID. The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below 1024. The etymology of the term may be that root is the only user account with permission to modify the root directory of a Unix system.[2]
So if there is a problem with files being viewed by root/superuser then I suggest an alternate storage of your secure files that can be removed from the system.

There is the need for a root/superuser to be able to master control the environment of the system. If the superuser cannot be trusted then move to another system to find a trusted superuser. 'paranoia' is fine at times but this is not one.


RudraB 06-25-2010 01:15 AM

Well, in that case, I need to keep my files encrypted...so that root cannot see this.
Take the file:
Quote:

$ cat trial.sh
#!/bin/bash
echo "Hello World"
If I am trying to encrypt this:

Quote:

$ gpg -c trial.sh
it asks for a passphrase and ends up with:
Quote:

$ gpg -c trial.sh
can't connect to `/home/rudra/.gnupg/S.gpg-agent': No such file or directory
and then:
Quote:

$ chmod 700 trial.sh.gpg
$ ./trial.sh.gpg
5�-��P�: command not found
./trial.sh.gpg: line 2: unexpected EOF while looking for matching ``'
./trial.sh.gpg: line 4: syntax error: unexpected end of file

Tinkster 06-25-2010 05:25 AM

This won't work; the shell has no idea what an encrypted file is,
and just like root it can't see "the real thing" - the commands
in the encrypted file.


To make the shell run it, decrypt it.


What exactly is your issue with root potentially seeing your
script, anyway? He's either the owner of the machine, or by
the owner's will empowered with the ability to see all files.

If you don't want him to look at your files, don't store them
on his machine.


Cheers,
Tink

RudraB 06-26-2010 11:47 AM

Quote:

Originally Posted by Tinkster (Post 4014559)

What exactly is your issue with root potentially seeing your
script, anyway? He's either the owner of the machine, or by
the owner's will empowered with the ability to see all files.

Yes....but I am afraid he is making a mess with my codes

Wim Sturkenboom 06-26-2010 12:38 PM

'root' can still mess with your codes by deleting your gpg'ed script ;) But why would root do so?

I'm seeing a lack of trust here. Did you give root a reason not to trust you or is there a reason why you don't trust root?

PS MD5sums can be used to pick up unwanted changes in files.
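
An added example (not part of the post above) of the checksum approach from the PS. It swaps MD5 for `sha256sum`, and the function names and sample files are constructed for illustration. It assumes the recorded manifest is kept off the cluster, because anyone with root could regenerate a manifest stored next to the files.

```bash
#!/bin/bash
# Added example, not code from the thread. Function names and the sample
# files in demo() are constructed for illustration.

# Print "<sha256>  ./relative/path" for every regular file under DIR.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare DIR against a manifest recorded earlier. Prints one CHANGED,
# MISSING or NEW line per discrepancy; returns 0 when clean, 1 otherwise.
# Limitation: names containing newlines or backslashes are escaped by
# sha256sum and are not handled here.
verify_manifest() {
    dir=$1; manifest=$2; result=0
    now=$(mktemp) || return 2
    make_manifest "$dir" > "$now"
    awk '
        BEGIN { bad = 0 }
        { hash = $1; path = substr($0, 67) }   # 64 hex digits + 2 separators
        FILENAME == ARGV[1] { old[path] = hash; next }   # recorded baseline
        !(path in old)      { print "NEW " path; bad = 1; next }
        old[path] != hash   { print "CHANGED " path; bad = 1 }
                            { seen[path] = 1 }
        END {
            for (p in old) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad
        }' "$manifest" "$now" || result=1
    rm -f "$now"
    return "$result"
}

# Constructed demo: record a baseline, alter the tree, then verify.
demo() {
    work=$(mktemp -d) || return 2
    baseline=$(mktemp) || return 2
    printf '#!/bin/bash\necho "Hello World"\n' > "$work/trial.sh"
    echo "results" > "$work/run1.dat"
    make_manifest "$work" > "$baseline"   # in real use, store this off the cluster
    echo 'echo "edited by someone else"' >> "$work/trial.sh"
    rm "$work/run1.dat"
    verify_manifest "$work" "$baseline"
    rc=$?
    rm -rf "$work" "$baseline"
    return "$rc"
}

demo || true
```

A manifest detects changes and deletions after the fact; it does not stop root from reading or removing the files.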

frankbell 06-26-2010 08:44 PM

Root is God of the world of your login.

Store your files on removable media.

Remove the media.

Look for a new job.

imagine_me2 06-27-2010 03:01 PM

Use a virtual machine and enable encrypted file system. As you are the root of vm nothing can be done inside vm without your permission. Use of proper encryption policy will ensure that nothing can be done outside vm. (Eg. Boot time password, Boot loader password, Efs etc.).

Now you can work seamlessly with your files without having to decrypt them every time.

Only thing root can do is delete your files, or vm altogether, but she can't mess with them.

You can use QEMU (widely available) for this purpose.

zirias 06-28-2010 02:51 AM

This last suggestion is interesting, but it's important to understand that root would always find a way to access your files, no matter what you do. The "easiest" way in the vm scenario would be to capture your keyboard input, either in the input-layer kernel driver for the local keyboard, or by modifying sshd (or whatever is used for remote access).

Of course, this is VERY paranoid, I just mention it to illustrate that it's a bad idea to use a system where you can't trust "root" to respect your privacy.

imagine_me2 06-28-2010 11:19 AM

To ensure security you have to work hard, especially when the scope of trust is small.
There are ways, which I can't mention here (the moderator once scolded me for similar reasons), to do that. It is up to you to find them.

Regards.

onebuck 06-28-2010 12:11 PM

Hi,
Quote:

Originally Posted by advanced (Post 4015723)
Yes....but I am afraid he is making a mess with my codes

How do you know this?

You sure it's not you or someone else with equivalent access?

As superuser most will do everything to the 'T' to prevent problems with a system. If a user does something that is not allowed then the 'superuser' will normally warn before any action(s). If the person doesn't adjust or correct their ways then most 'superuser' will just lock the violator out.

frieza 06-28-2010 01:52 PM

Just to add my 2 cents, I would have to agree with all the above posts that if you are afraid of root messing with your scripts then don't keep them on that machine, since Linux/Unix systems were designed from the ground up for root to have full access to the system. If you are afraid he/she will mess things up then simply keep a backup, which would be good practice anyways. Root access trumps user security access, and physical access trumps BOTH, so it all comes down to trusting the powers that be or not using the system, period.

the real question being what do you have to hide?

Wim Sturkenboom 06-29-2010 12:10 AM

I think Elvis has left the building. Like to read his opinion on the matter.

RudraB 06-30-2010 01:23 AM

Quote:

Originally Posted by frieza (Post 4017446)
the real question being what do you have to hide?

Actually, he has messed some of my data. I have another question. Actually, I am aware that root is the Boss. But, I found something like:
root can access anything by default....so I assume I can change this. It seems I can't. Hence I have another question:

Can I encrypt my scripts in such a way that I can run the encrypted file itself?
I can encrypt a file via vim -x ....but the shell can't understand what is inside. Can I run an encrypted script?

zirias 06-30-2010 02:11 AM

Only if you prepend a self-decrypting routine. And, if they should run non-interactively, this routine needs to contain the decryption key -- quite pointless. Really, go get an account on a machine where you can trust the operators...

