Dear All.

First of all, I want to explain my thoughts:

There is "root" - it can read everything - every file in every directory.

I have a /home/"user" which I need to close from entering to everyone except its owner and of course "root".

From other side, I need to give system management rights to some "users", but they do not have to get access to /home/"user" directory.

I do not know how to do it.
I tried "sudo", but sudo changes user id to root, and that user can read and modify my files. I did "whoami" on "sudo xterm" and got "root".

I need advise.
Thanks.

You can configure /etc/sudoers to run an application as a different user but root is the default because some utilities require its privileges.


What specific "system management rights" do these users need and how did you configure that? Root has access to things and that is a default anyone has to accept. If you can't trust a user to not deliberately sniff around /home/user then ask yourself how much you would trust the user with system management? Also if there are specific privacy concerns you may want to deal with that preventively and encrypt that users files or the file system, only to be mounted when the user is using the account? If none of this works for you please be verbose in your reply, add examples of users and commands and the nature of contents of /home/user.

Thank you for the answer - I will try to explain.

Question is not about the trust. I just want to setup an environment where several network administrators can share one FreeBSD/Linux, they need to get the root privileges, but also they need to have their home folders closed against each other.

And I probably found one very good solution: sudoers configuration file can describe what exactly user, which is getting root, can do. All I need is to analyze what they will need or just to wait for their offers.

Thanks again.

Create a new group and change /home/user to have read/write access at group level, with your new group. Then add your admin staff to that group.

This is the way to go IMO. Otherwise (in case they become simply root), they could change the permissions of the home directories of other root users anyway or just su to any of the other root users.

You know, I start to suspect that in original form, *unix is not "multi root (through sudo)" OS, neither Linux nor FreeBSD. Because if user gets root from sudo + xtem and it can do everything, read, write and delete. It is not good at all. Also if one is root, mounts another disk, one also can read there everything unencrypted. I started do not like it, there is no any sign of privacy.

I want to research if selinux can help me to get what I want on Fedora. I will write here if I find anything interesting.

Thanks.

This is something typical to nearly any OS : root or administrator can get access to everything that is not encrypted.
Even on a windows system, anyone who is in the administrator group can take ownership and change permissions to get access.

SELinux could but then you would be using a strict MLS-like policy.