LinuxQuestions.org


sibtay 10-16-2004 02:29 PM

A strange question: Limiting root access
 
Hi

It is not a programming related question, but being a programmer myself I think if this question has an answer then it's gotta be a programmer

Well, I am faced with a situation where I want to limit root's access to a particular portion of disk.

I know it sounds crazy but I do believe that people around the world might have faced this dilemma before. However, I have searched the web but to no avail.

I know by using encrypted file systems even root cannot view the files placed on a partition that is encrypted. But still I have heard that a super user can delete that "encrypted partition", if not view its contents.

So I need a solution that allows only the owner of a certain portion of disk (for example a partition, or a directory etc.) to have complete access, and not even the super user should be able to view, modify or delete its contents.

If the solution does not exist then I am willing to get into the kernel's code. So if anyone does not know the solution but can provide me a good link from where I could get help in changing the kernel's code in this area (file ownerships, partition access etc.), I'll be grateful

Thank You

david_ross 10-16-2004 02:33 PM

This probably isn't the answer you are looking for but I would be inclined just to forget the root user and just give another user sudo access to deal with maintenance issues, then just don't give this user access to the specific part of the system or let them run applications which could affect it.

sibtay 10-16-2004 02:44 PM

Thank you david... but this problem was raised by the Grid Computing research group, who are doing their grid stuff on Linux.
We (the LUGs) gave them this solution but this will not work for them since they'll be sending fragments of a particular job to different computers, so it is not possible to lock the root's account and force them to use some other account

Thanks anyway

Strike 10-17-2004 12:18 AM

Describe the application more and we can help you more.

With clients and servers, you can basically never trust the client, unless you can check that they've done the right thing. So, depending upon the application, if you are going to send off data to be processed, it's best if you can verify (to within a certain percentage probability if not absolutely) that they have done the correct thing with it. One of the easiest ways of doing this is sending the same thing to be done by several clients and when a certain number of them agree, accept that as "sure enough". Or, depending upon the application, you may be able to perform only a small portion of the computation that the client does and verify that the answer given by the client jibes with the results of the small portion of computation you've done. Generally this isn't doable because of how the problem works, but it's a possibility.
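
Added example, not part of the post above or of any poster's code: a minimal Python sketch of the two checks that post describes, accepting a job fragment only when a set number of workers return the same result, and recomputing a random part of the work locally. The function names, node names and the squaring job are constructed for illustration.

```python
import hashlib
import random
from collections import Counter

def digest(result):
    """Fingerprint a worker's result so answers can be compared cheaply."""
    return hashlib.sha256(repr(result).encode()).hexdigest()

def accept_by_quorum(reports, quorum):
    """reports maps worker id -> returned result.
    Returns (accepted_result, dissenting_workers). If no answer, or more than
    one answer, reaches the quorum, nothing is accepted and every worker is
    returned as unverified."""
    if quorum < 1:
        raise ValueError("quorum must be at least 1")
    votes = Counter(digest(r) for r in reports.values())
    winners = [d for d, n in votes.items() if n >= quorum]
    if len(winners) != 1:          # too little agreement, or a split vote
        return None, sorted(reports)
    accepted = next(r for r in reports.values() if digest(r) == winners[0])
    dissenters = sorted(w for w, r in reports.items() if digest(r) != winners[0])
    return accepted, dissenters

def spot_check(inputs, claimed, func, samples, rng):
    """Recompute a random subset of the fragment locally and compare."""
    if len(claimed) != len(inputs):
        return False
    picks = rng.sample(range(len(inputs)), min(samples, len(inputs)))
    return all(func(inputs[i]) == claimed[i] for i in picks)

# Constructed sample job: square every number in a fragment.
def square(x):
    return x * x

FRAGMENT = [3, 5, 8, 13]
REPORTS = {
    "node-a": [9, 25, 64, 169],
    "node-b": [9, 25, 64, 169],
    "node-c": [9, 25, 64, 170],    # wrong or tampered result
}

if __name__ == "__main__":
    result, suspects = accept_by_quorum(REPORTS, quorum=2)
    print("accepted:", result, "dissenting:", suspects)
    ok = spot_check(FRAGMENT, REPORTS["node-c"], square, 4, random.Random(0))
    print("spot check node-c passed:", ok)
```

A quorum above half the number of workers rules out the split-vote case; a spot check that samples fewer items than the fragment holds only catches a bad entry with some probability.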

SciYro 10-18-2004 07:30 AM

Limit the root user's access ... maybe RSBAC is what you want? (It's included, or at least some of it, I think, in grsec.)

