14

file encryption that root cannot read

view full story
linux-howto

http://askubuntu.com – I have regular user access to a friend's root server. I can put my data there and he (as a normal user) could not read my data, but with the root account he could. If I use something like en encrypted home folder, he could still read the data when I am logged in. Is there some way to protect the data in a way that only I can read it and not root? (HowTos)

missing's picture
Submitted by missing on 07/07/2012 – Made popular on 07/07/2012

Stories similar to file encryption that root cannot read

I have access to a shared remote computer from which I would like to run some code I have written which uses an interpreter (not a compiled code). I would like to protect this source code from other users who have root access to the remote machine. There are a variety of ways to make an encrypted folder in linux.

I wanted to avoid using SSH root login to backup my remote server. Thus I set up a non-root user account on the server and place it under the root group thinking that it would possess the same privilege as a root user. But I soon realize that it cannot read files that are not grouped as root and files without the read permission for the group root.

When I run ls -l on the www folder and everything that's inside, I see that root:root are the owner/group

When I run ps aux | grep apache2, I get the first process owned by root (I assume this is normal, but why is it owned by root and not www-data?) and I get 6 other processes owned by www-data.

Now, since the ls -l /var/www shows -rw-r--r--, it should mean that www-data has no write privileg

On a regular linux machine, when I use sudo -s as a normal user, I become root but HOME still points to ~user, so every admin has his own environment etc. (this is without env_reset or always_set_home set).

On a system where the home directories live on an AFS file system, this also works, if the environment variable KRB5CCNAME is preseved, as root can read this file in /tmp.

A folder under the directory /var/www/xml keeps changing permission from www-data to root meaning that no php file is able to write into the folder.

I think this happens when I restart the server.

drwxr-xr-x 6 root www-data 4096 Sep 10 13:40 xml

drwxr-xr-x 6 www-data www-data 4096 Sep 10 13:40 xml

How do I make sure this does not happen?

I've been looking for this for quite a while now but couldn't find a satisfying answer.

My scenario: I'm using encfs to encrypt a few directories in my home folder. To make it easier to access I set up auto mount with gnome-encfs which stores the encryption passwords in my gnome keyring.

CentOs doesn't recognise www-data but want to change ownership on my files folder. All my folders are owned by root at the moment. Confused as to what should be owned by apache and what she be owned by me the root user? Also when it says root root does that mean root user me and group apache root?

root user can write to a file even if its write permissions are not set.

root user can read a file even if its read permissions are not set.

root user cannot execute a file when its execute permissions are not set.

Why?

user$ echo '#!'$(which bash) > file user$ chmod 000 file user$ ls -l file ---------- 1 user user 12 Jul 17 11:11 file user$ cat file # Normal user canno

How can I create directories so:

/data /data/user1 /data/user2

and make sure that whenever root writes inside them, depending on which directory it writes to, different owners are set.

Example:

Root writes to /data -> normal file creation Root writes to /data/user1 -> any files created therein are automatically owned by user1 and readable by others (the same should apply if user1 writes to