I'm working on a server with Fedora 6 and I can access the root password. My problem is that even other people can ... and I'd like to have at least a private directory, but until now I couldn't find a clear answer...
So I'd like to know if it's possible to restrict access to a directory even from root or, if this is not allowed, which is the best way to know who accesses my files and when...
It's generally NOT possible to prevent root from seeing a local disk. You can, however, try to create a user-space filesystem which squashes root's access to it. I think cryptfs used to do this. The other possibility is using setfacl to achieve this effect. However, root can always call setfacl to remove whatever restrictions you add.
The long-term solution is to separate the root privilege into roles and have those roles separated through a judicious sudo configuration.
I've just "discovered" that I have CRYPTSETUP installed on my server with FEDORA 6, but I haven't yet found much information about it, while I'm finding a lot of information about TRUECRYPT, and its installation seems to be a little complicated on my Linux version. Any opinion about that? Are these two tools equally reliable?
In particular, I couldn't find any answer to these two questions (for both tools):
If I'm logged on to the Linux box where the encrypted volume is and I've mounted it, will all logged-in users see the volume as well?
Using remote access, will it be possible to see my encrypted volume?
In any case, I think I'm going to use CRYPTSETUP and try to see how it works.
Thanks in advance for any suggestion!!!
I looked at CRYPTSETUP and LUKS for Linux and found it lacking for your specific requirements. I was trying to find what I actually used a few years ago. I believe it was Matt Blaze's CFS, described here by Linux Journal (free subscription required): Using CFS, the Cryptographic Filesystem.
CFS does not guarantee that root cannot get access to the files. However, it can make it very difficult on hardened systems where even root cannot access /proc/$$/mem. For more info, see the last paragraph on page 4 of Matt's paper.