Private directory

Giordano_Bruno · October 27, 2008, 3:21pm

Hi there,

I'm working on a server with Fedora 6 and I can access root password. My problem is that even other people can ... and I'd like to have at least a private directory, but until now I couldn't find a clear answer...

So I'd like to know if it's possiple to restrict access to a directory even from the root or, if this is not allowed, which is the best way to know who access my file and when...

Thanks in advance for any suggestion!!!

GB

otheus · October 28, 2008, 10:01am

It's generally NOT possible to prevent root from seeing a local disk. You can, however, try to create a user-space filesystem which squashes root's access to it. I think cryptfs used to do this. The other possibility is using setfacl to achieve this effect. However, root can always call setfacl to remove whatever restrictions you add.

The long-term solution is to separate the root privilege into roles and have those roles separated through a judicious sudo configuration.

Giordano_Bruno · October 28, 2008, 10:31am

Thank you very much!!! I'm going to look for setfacl and cryptfs on internet and try to solve the problem:eek:

Giordano_Bruno · October 31, 2008, 8:52am

Hi,

I've just "discovered" that I have CRYPTSETUP installed on my server with FEDORA 6, but I couldn't find yet many information about it, while I'm getting many information about TRUECRYPT and its installation seems to be a little complicated on my linux version. Any opinion about that???Are these two tools reliable in the same way?

In particular I couldn't find any answer about this two questions (for both the toos):

If I'm logged on the linux box where the encrypted volume is and I've mounted it, then all logged users will see the volume as well???
Using remote access, will be possible to see my encrypted volume?

In any case I think I'm going to use CRYPTSETUP and trying to see how it works.
Thanks in advance for any suggestion!!!

Giordano Bruno

otheus · November 1, 2008, 5:11pm

Giordano,

I looked at the CRYPTSETUP and LUKS for Linux and found it lacking your specific requirements. I was trying to find what I actually used a few years ago. I believe it was Matt Blaze's CFS, described here by Linux Journal (free subscription required) Using CFS, the Cryptographic Filesystem.

CFS does not guarantee that root cannot get access to the files. However, it can make it very difficult on hardenened systems where even root cannot access /proc/$$/mem. For more info, see the last paragraph on page 4 of Matt's paper.

Here are quite a few other possibilities:

http://www.usenix.org/events/usenix01/freenix01/full\_papers/cattaneo/cattaneo_html/index.html

I leave you with some other links that might be relevant:

Download TCFS 3.0b2 for Linux

I believe the risk here is that a root user, who exists on the host where your filesystem is mounted, can "su " to the user that has already entered

CryptFS, whose original authors describe their work here:

Cryptfs: A Stackable Vnode Level Encryption File System

And I think is downloadable here:

Download DM CryptFS 0.3.2 for Linux

Also note Download cryptmount 3.1 for Linux which contains the following description:

Giordano_Bruno · November 23, 2008, 7:22am

Thanks a lot for all your suggestion!!!

I couldn't find a "safe" solution to my problem and now I was wondering if using something like a virtual machine is a another way???

Giordano Bruno