Re: Userland encrypted filesystem that root cannot access.

From: Rafal Maszkowski (rzm@icm.edu.pl)
Date: Sat Feb 19 2000 - 05:09:15 EST


On Sat, Feb 19, 2000 at 01:00:51AM -0500, Mike A. Harris wrote:
> On Fri, 18 Feb 2000, Craig B Agricola wrote:
> >From: Craig B Agricola <agricolc@btv.ibm.com>
> >Mike,
> > The general answer to this, at least from the perspective of a
> >paranoid user, is that it is not possible in a UNIX environment to
> >achieve this. Since a the data structures for the mounted filesystem,
> >as well as any cached data, are in memory, and since root can access
> >memory freely, you'll never be able to keep a secret from root. Of
> >course, this would take effort on root's part to build an image of the
> >mounted disk from the data as it passes through memory, but it is
> >still not "secure". I don't want to answer this as though I have an
> >authoritative answer though, since I haven't yet gotten a chance to fully
> >grok the capabilities system, which may allow you to do something like
> >this, but...
> Well, I definitely expected that such would be the case at least
> currently. What I really wanted to know was whether it is
> possible to have an encrypted fs, that when a user logs in and
> mounts it, if while mounted, root goes: cd path_to_encryptedfs
>
> The data is not readable. Root may be able to hunt around in
> kmem, or whatever, but the likelihood of it is slim for the idea
> that I'm interested in. 100% security isn't necessary, more of a
> "obscure" the dumb root user from looking at user's private
> files. Not obscure the smart root user who can read kmem, and
> wants to spend the time to do so... ;o)

Security through obscurity never works in the long run. A dumb administrator may
not be able to break your encryption scheme, but think of him as a script
kiddie: a somewhat smarter guy could write a tool for catching passwords once
your software becomes more widely known.

On the other hand, using PGP on a large server with 5 people having root access
is quite a similar approach. I can trust them to some extent and hope they have
many more interesting things to do.

R.

-- 
I am not reading the users' mail, it is boring. - some root
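
Craig's point above, that whatever the user's process decrypts sits in RAM where a privileged reader can pull it out regardless of what the on-disk store looks like, as an added example that is not part of the original thread and is not any poster's code. Assumptions: the cipher is a toy single-byte XOR (any real cipher has the same property that matters here), the 26-byte ciphertext and the key are constructed sample data, ptrace() stands in for root's /dev/kmem or /proc/<pid>/mem access, and the "user's process" is a forked child that opts in with PTRACE_TRACEME so the demo runs unprivileged on Linux. The function names are mine.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define STORE_LEN 26
#define BUF_LEN   32            /* multiple of sizeof(long) for PEEKDATA */

/* Constructed sample: what root sees on disk (ciphertext) and the user's key,
 * which only the user's process is supposed to hold. Toy single-byte XOR. */
static const unsigned char store[STORE_LEN] = {
    0x2A, 0x28, 0x33, 0x2C, 0x3B, 0x2E, 0x3F, 0x7A, 0x37, 0x3B, 0x33, 0x36, 0x60,
    0x7A, 0x37, 0x3F, 0x3F, 0x2E, 0x7A, 0x3B, 0x2E, 0x7A, 0x34, 0x35, 0x35, 0x34
};
static const unsigned char user_key = 0x5A;

/* The "mounted" view: the user's process decrypts the file into this buffer.
 * A global is used so the address is identical in parent and child after fork(). */
static unsigned char mounted[BUF_LEN];

static void mount_file(void)
{
    memset(mounted, 0, sizeof mounted);
    for (size_t i = 0; i < STORE_LEN; i++)
        mounted[i] = store[i] ^ user_key;
}

/* What a plain read of the backing store yields: still ciphertext. 1/0. */
int raw_store_equals(const char *s)
{
    return strlen(s) == STORE_LEN && memcmp(store, s, STORE_LEN) == 0;
}

/* Snooper: copy the decrypted buffer out of the user process's memory.
 * Returns bytes recovered, or -1 if tracing is not permitted (e.g. seccomp). */
long snoop_mounted_view(unsigned char *out, size_t n)
{
    if (n > BUF_LEN) n = BUF_LEN;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* user's process: allow tracing, "mount", then sit logged in */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);
        mount_file();
        raise(SIGSTOP);          /* parent's waitpid() returns here */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) {
        kill(pid, SIGKILL); waitpid(pid, NULL, 0);
        return -1;
    }
    long got = 0;
    for (size_t off = 0; off < n; off += sizeof(long)) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, mounted + off, NULL);
        if (word == -1 && errno != 0) { got = -1; break; }
        size_t chunk = n - off < sizeof(long) ? n - off : sizeof(long);
        memcpy(out + off, &word, chunk);
        got += chunk;
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return got;
}

/* Convenience: 1 if the snooped view equals `expected`, 0 if not, -1 on failure. */
int snooped_equals(const char *expected)
{
    unsigned char buf[BUF_LEN];
    if (snoop_mounted_view(buf, sizeof buf) < 0) return -1;
    return strncmp((const char *)buf, expected, BUF_LEN) == 0;
}

int main(void)
{
    unsigned char buf[BUF_LEN];
    printf("on disk : %.*s\n", STORE_LEN, (const char *)store);
    if (snoop_mounted_view(buf, sizeof buf) < 0) { perror("ptrace"); return 1; }
    printf("in RAM  : %s\n", (const char *)buf);
    return 0;
}
```

The snooper never touches the key or the store; it only reads the address space of the process that did the mounting, which is exactly the "hunt around in kmem" case Mike is willing to accept and Craig says cannot be prevented. With Yama's ptrace_scope at 1 the child's PTRACE_TRACEME is what makes this work for a same-uid parent; a real root would not need that cooperation.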

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:23 EST