Question:
Is there any way to make a file inaccessible to root in Linux?
Noah E
2010-01-19 21:51:45 UTC
I know it's a bizarre question, but I have a client that I've built a server for (CentOS 5.4) that I also administer. They have most of their business data on the server (redundant storage, off-site backups, etc.) but refuse to migrate the bookkeeping and payroll data off of an old laptop and onto the server, because they know I could get to it if I wanted to.

Is there a transparent encryption system that would work over smb or some way the boss and bookkeeper could have password control of a folder or share that root couldn't access without that password? All the client computers are running Windows XP, Vista or 7. A solution on the client side or the server side would be fine!
Four answers:
jplatt39
2010-01-20 00:01:17 UTC
Root is the administrative account, period. If a file exists on that system, a root account can read it, execute it or delete it. Disabling the root account and doing everything through sudo is generally a good idea, even if it's sometimes called the "paranoid Unix Admin's approach", but the only way to "hide" a file from root is the way you hide it from everybody -- by putting a dot in the front of the name. And that only works until they do an ls -a.
Uninformed hence not consenting
2010-01-19 23:04:00 UTC
No trust? Do you people really feel that a lowly* sys admin person should have access to sensitive business data? Sorry, but I totally agree with management here... (Boy, THERE'S a sentence I didn't think would ever come out of my keyboard!)

* Just trying to make a point!
anonymous
2010-01-19 21:56:44 UTC
Doesn't sound like you have a very trustworthy relationship with your client.

If it makes them feel more comfortable, disable the root account and use sudo for everything (Ubuntu approach).

If you have enough access to administer the box, then you will have enough access to be able to access the data in question.
tallsteve
2010-01-19 22:38:35 UTC
Totally agreed. Not a good client relationship if they can't trust you!

You need access before you can prevent giving yourself access, right? Perhaps htaccess, but you would still have access!
This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.