comp.unix.shell Using and programming the Unix shell.

secure files

24/08/2006, 07:38   #1
ph
secure files

Hello

I want to learn how to protect some files so that others, even root,
cannot open or modify the files like source code etc. Is that possible
on Unix?

Thank you in advance.

24/08/2006, 08:48   #2
Marcin Dobrucki
Re: secure files

ph wrote:

> I want to learn how to protect some files so that others, even root,
> cannot open or modify the files like source code etc. Is that possible
> on Unix?


Not as such. But many systems implement access control lists, which
might .
24/08/2006, 15:20   #3
Jon LaBadie
Re: secure files

ph wrote:
> Hello
>
> I want to learn how to protect some files so that others, even root,
> cannot open or modify the files like source code etc. Is that possible
> on Unix?
>
> Thank you in advance.
>


Some systems support "extended attributes", i.e. beyond just rwx.
For these, "immutable" may be an attribute that can be applied
to the files and directory they are in. If set, root can't
modify the file. Of course, root can probably reset the attribute.

Can they be stored on an NFS server where a remote root has no
special privilege?

24/08/2006, 16:48   #4
Michael Vilain
Re: secure files

In article <qfGdneaD8449KHDZnZ2dnUVZ_tmdnZ2d@comcast.com>,
Jon LaBadie <jxlabadie@axcxmx.org> wrote:

> ph wrote:
> > Hello
> >
> > I want to learn how to protect some files so that others, even root,
> > cannot open or modify the files like source code etc. Is that possible
> > on Unix?
> >
> > Thank you in advance.
> >

>
> Some systems support "extended attributes", i.e. beyond just rwx.
> For these, "immutable" may be an attribute that can be applied
> to the files and directory they are in. If set, root can't
> modify the file. Of course, root can probably reset the attribute.
>
> Can they be stored on an NFS server where a remote root has no
> special privilege?


Unix runs with the assumption that root has total access to everything
in the filesystem. Once someone has root on a system, they have that
access. The only way to protect against this is to either

1) store the file on the system encrypted with one of the various
encryption programs (research for that is left to the reader)

2) don't store it on the system except when you're using it (e.g. buy a
thumb drive)

--
DeeDee, don't press that button! DeeDee! NO! Dee...



30/08/2006, 12:22   #5
Bruce Barnett
Re: secure files

"ph" <pilhun@gmail.com> writes:

> I want to learn how to protect some files so that others, even root,
> cannot open or modify the files like source code etc. Is that possible
> on Unix?



Not really - unless you use rm(1) and even that isn't safe.
What use is a file that can't be read by anyone including root?
Don't have them on the computer if you don't want root to read it.




--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
01/09/2006, 09:00   #6
aryzhov@spasu.net
Re: secure files

I believe the only way to protect the files from reading
is to encrypt them, and to protect from tampering
is to checksum (digitally sign) them.

Checksums must be kept on a physically secure medium, like on
a USB stick that you carry with you. The USB stick may as well be
encrypted and protected with a passphrase.

Some unices offer encrypted filesystems that can be mounted
only after submitting the passphrase-protected private key.
Theft or illegal copy of such media or even the whole machine
gives the thieves no access to the data.
However, once and as long as mounted, the data can be
read/modified by anyone who has relevant local or remote access
to the machine.

You may want to crosspost to security newsgroups
to get some more detailed answers.

Regards,
Andrei
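
The tamper-detection half of the advice above, as an added example that is not part of any post in the thread: a checksum manifest is written to a path standing in for the removable media and later compared against the files, reporting changed, missing and new files. The function names are hypothetical; it assumes GNU `sha256sum` and file names without newlines or backslashes, and that the manifest is stored outside the protected directory.

```shell
#!/bin/sh
# Added example: tamper detection with a checksum manifest kept off the machine.
# The manifest path (e.g. a file on a USB stick) is chosen by the caller.

# make_manifest DIR MANIFEST
# Record a SHA-256 digest for every regular file under DIR, sorted by name.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# verify_manifest DIR MANIFEST
# Compare DIR against the trusted MANIFEST. Prints one line per difference
# (CHANGED, MISSING or NEW) and returns 1 if there is any, 0 if none,
# 2 if the directory could not be scanned.
verify_manifest() {
    current=$(mktemp) || return 2
    make_manifest "$1" "$current" || { rm -f "$current"; return 2; }
    report=$(awk '
        # sha256sum lines are: 64 hex digits, two separator characters, name.
        { hash = substr($0, 1, 64); name = substr($0, 67) }
        FILENAME == ARGV[1] { trusted[name] = hash; next }
        { seen[name] = 1
          if (!(name in trusted))          print "NEW     " name
          else if (trusted[name] != hash)  print "CHANGED " name }
        END { for (n in trusted) if (!(n in seen)) print "MISSING " n }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use (paths are placeholders):
#   make_manifest   /path/to/project /media/usb/project.sha256
#   verify_manifest /path/to/project /media/usb/project.sha256
```

Run the verification from a system the untrusted administrator does not control: root on the checked machine can replace the tools or swap the files between checks.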

Time zone: GMT +1.