Results 1 to 4 of 4

Thread: Insure confidentiality of /home/user even from root

  1. #1

    Insure confidentiality of /home/user even from root

    Hi there,

    I got a tricky question (Well, it seems to be).
    I am the admin of a small serveur with 3 users. I'd like to insure them a complete confidentiality of their data, but not using virtualisation.

    What I want to do is to restrict my access for not being possible to acces to their /home/user folder for example.

    Any solution?

    By encrypting the folder ? But it has to be always accessible to the user.
    If it is possible, I guess I'll still have the right to modify the password and then, access to their data. But this is fine as they will rapidly know that I've changed their password.

    Thank you for your help !!
    Freedif.org, news & tutorials on self-hosting services.

  2. #2
    Join Date
    Aug 2006
    Location
    Michigan
    Beans
    392
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Insure confidentiality of /home/user even from root

    Well the best thing to do in this situation would be to make sure:
    1. No user is a part of another users group
    2. Make sure to change the mode is recursively changed for each users home directory (/home/user) to 750
    3. Have each user add the command 'umask 027' to their ~/.bashrc file (default dir = 750, default file = 640)
    4. No one can access root from sudo (sudo su -)
    5. No one know the root password (randomize it)

    Lets take into note that I just wanted to show you the options you can do if you wish to try and place your server in 'complete confidentiality'. These changes can place risks in the future when it comes to administering the box (problem arises but no one can go into root without rebooting the machine). I don't advise in using all of them on your box but using some of these to help complete you goal shouldn't hurt.

    The administrator of a server will always have complete access to that box and if anyone is worried about 'confidentiality', I would write up a Service Level Agreement which will talk about the purpose of the server, what your role is on the server, what you will do in case of an emergency, etc...

    Hope this helps.
    ThisIsBryan: The Site | About Me
    HowTo: Setup Ubuntu Desktop with LVM Partitions WIKI
    Hardware Profile: Dell XPS 14z; 4GB DDR3 RAM; 700GB HD; Intel Corporation Centrino Advanced-N 6230; Intel i7 CPU @ 2.80 GHz

  3. #3

    Re: Insure confidentiality of /home/user even from root

    Thank you for your answer.
    It is indeed difficult to hide stuff to the admin...quite normal behavour anyway.

    I'll implement the umash setting tho. Very useful !
    Thank you !
    Freedif.org, news & tutorials on self-hosting services.

  4. #4
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Insure confidentiality of /home/user even from root

    You can just migrate users onto encrypted homes. This is fairly easy and once done not even root can see the contents of their home folders. Even if they get physical access. The solution given above doesn't help at all since someone with physical access can undo everything.

    See, http://blog.dustinkirkland.com/2009/...directory.html

    This can also be chosen as an option when installing first time. Users use their home as normal. I've been using this for a couple years now without any problem mostly because I don't want someone who steals my notebook while travelling to see my content. Each user login unlocks the home for them with their normal password. You can also easily support two-factor authentication if need be.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •