
Warning: this is probably against Unix philosophy and design, but I will ask it anyway.

Is there a way to achieve privacy for three separate /home/user folders? The problem which is raising that question is that me and two other guys have a VPS and we all want to have root privileges through sudo but don't want to be able to read/edit other users' files.

Encryption doesn't seem like a good solution because when you want to access the folder you have to decrypt it and mount it somewhere and others can have access then, right?

Maybe disabling the root account and writing some sudoers rules?

Any help will be appreciated.

notphunny

4 Answers


It is possible with a sufficiently complete set of SELinux rules. You'd probably need to create a separate home file context and a root domain for each user, and then allow/deny access as appropriate.

Ignacio Vazquez-Abrams
  • Then again, someone has to maintain SELinux rules. Who, from the three guys, is the one who should do it and have access to everything? Or should there be a fourth person, perhaps the ISP, doing that? :-) – Janne Pikkarainen Oct 25 '11 at 10:44

root is root. root is for all intents and purposes God on that box; all seeing, all knowing and can do whatever s/he likes.

Depending on what you are trying to achieve, however, a similar effect may be able to be produced by adding the regular user accounts to the root group combined with a very restrictive whitelist in sudoers. Be very aware of what you add to that whitelist though; as @dresende points out, there is an almost infinite number of ways to get a shell out of sudo if you aren't careful. Once you have a shell, you can do whatever you like.

Be aware though, that someone somewhere will need access to the root account. You can set up the ability to install and manage software or all sorts of things, but I can almost guarantee you that at some point someone will need something chowned, or even just chmodded, while they don't have permission to do so normally.

Also, if you have network services such as a webserver which has access to each users files, then you end up with another attack vector for the other people sharing this VPS. The configuration as it is now doesn't allow access, but if the configuration is able to be tweaked by these other users... well, I'm sure you can see where that will head.

Beyond that, there's plenty of system configuration files which are shell scripts. Shell scripts can be modified to do stuff beyond configuring services. This is the point, but also a potential weak point in a system like you propose. `cp -a /home/user1 /home/user2/user1-home` would be devastating in your scheme, and could be inserted, run and deleted without anyone noticing. There are plenty of ways for people to be malicious if that's what they are out to do, with very little slack given.

While I appreciate what you are trying to achieve, from a practical point of view it usually doesn't make sense to have a setup where absolutely no-one has root access. It almost always comes down to a matter of trust and privacy. Most sysadmins will respect people's privacy. If for whatever reason you can't trust each other, or there is actual sensitive and/or confidential (not just stuff you'd rather people didn't see) information in play, then perhaps you can find a third party to administer the server, or perhaps a shared server is just not the right idea.

Matthew Scharley
  • Actually, I think SELinux can even stop root from doing some stuff. I'm not familiar with it (I always disable it), but I think it might be able to isolate some folders even from root. – dresende May 31 '12 at 17:07

Your only option is disabling the root account (a big random password, for example) and some sudo rules. After doing that you could just remove write permission from group/others on the /home/user folders.

Be aware that some sudo rules might bite you. For example, giving a user access to edit a file using vim can allow the user to do `:sh` and run anything as root.

dresende
  • So, how realistic is it to write sudo rules to cover all eventual legitimate admin needs, but without indirectly allowing a way to get full root access? – andol Oct 25 '11 at 10:49
  • @andol: Not very. In reality, 'all eventual legitimate admin needs' includes at least global `chown` and `chmod`. Even if you limit off those sorts of system commands, the list of alternative applications that can give you a shell is very long. Most 'smart' text editors, any scripting language, even seemingly simple stuff like `service` (RHEL init.d control script) can be abused if you have write access to `/etc/sysconfig` or `/etc/init.d` or some other config files. – Matthew Scharley Oct 25 '11 at 13:51
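As an added example (not from any answer in this thread), the two mitigations discussed above put into a script: dresende's home-directory lockdown and a sudoers fragment that shows the interactive-editor rule Matthew Scharley and dresende warn about beside the `sudoedit` form that keeps the editor process unprivileged. The user name `alice`, the sandbox under `mktemp`, and GNU `stat -c` are assumptions.

```bash
#!/bin/sh
# Added example, not from the original thread. Runs in a constructed
# sandbox so it can be exercised without root on the real /home.
set -eu

# Remove all group/other access from a home directory (the thread only
# suggests dropping write; 700 also stops the read the question worries
# about). Prints the resulting octal mode. Assumes GNU coreutils stat.
lock_home() {
    chmod 700 "$1"
    stat -c '%a' "$1"
}

# Succeeds only when nobody but the owner can enter the directory.
home_is_private() {
    [ "$(stat -c '%a' "$1")" = "700" ]
}

# Write a constructed sudoers fragment. The commented-out rule is the
# pattern the thread warns about: a full editor running as root can drop
# to a root shell. The active rule uses sudoedit, which edits a temporary
# copy as the invoking user; only the copy-back runs with privilege.
write_sudoers_fragment() {
    cat > "$1" <<'EOF'
# WEAK: interactive editor runs as root and can escape to a root shell
# alice ALL=(root) /usr/bin/vim /etc/hosts
# BETTER: the editor stays unprivileged, only the file write is root
alice ALL=(root) sudoedit /etc/hosts
EOF
}

# Optional syntax check; visudo -c -f parses a file without installing it.
check_sudoers_fragment() {
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -c -f "$1" >/dev/null
}

# Stand-alone demonstration on a constructed home directory.
demo() {
    sandbox=$(mktemp -d)
    mkdir -p "$sandbox/home/alice"
    chmod 755 "$sandbox/home/alice"        # typical distro default
    lock_home "$sandbox/home/alice"         # prints 700
    write_sudoers_fragment "$sandbox/alice"
    check_sudoers_fragment "$sandbox/alice"
    home_is_private "$sandbox/home/alice"
}
```

Note that `sudoedit` still lets the user change the listed file, so it limits the escape path, not the effect of editing a file that root later sources.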

You wouldn't have root privileges if you did this.

Perhaps you need to discuss what specific privileges you all need, and then achieve these without root.

Of course, someone will need to have the root privilege - that could be the VPS admin at the hosting company I suppose.

dunxd