2

I want to store files for my users on encrypted filesystems. Every user would have his own filesystem with his own key. The user is able to log in to the system and mount his filesystem. When they are mounted, even root is not able to access them.

The setup is:

  • LVM -> dm_crypt -> xfs.
  • when the user logs in, he mounts his filesystem in a way that the owner will be him
  • he can start programs; they will have the same rights as the user, so they can read the files

However, I want root not to be able to access any of my users' mounted filesystems. First I thought of writing a VFS kernel module (compiled with the kernel) and hijacking the filesystem-specific commands if root wants to access the files of a different user. The problem is that root can do something like:

# su - secureuser

and voila read the mounted filesystem.

I was told to look around POSIX file capabilities, PAM and SELinux, but I don't know these, and I'm sure that achieving what I want is not convenient at all, even with these things.

Here is some more, but it is about restricting root access entirely: http://www.centos.org/docs/4/4.5/Security_Guide/s2-wstation-privileges-noroot.html

Do you have any ideas? Thanks for the answers! :)

  • Are these users logging into a shell and storing files, or storing via NFS/FTP? This is a very odd implementation; we need to know their use. – David Houde Jan 30 '13 at 20:28
  • They will be using mostly FTP; they will not have direct access to a shell. They can start some specific applications through a web UI. So in fact a web server will execute commands where the setuid bit is set and the owner of the command will be the specific user (because I want to restrict using 'su' or 'sudo' to become these users). – illEatYourPuppies Jan 31 '13 at 10:48
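The LVM -> dm_crypt -> xfs setup described in the question, written out as a shell script. This is an added example, not code from the question or from any of the answers; the volume group name "vg_users", the mount root "/srv/users", the "crypt_USER"/"fs_USER" naming and the key file path passed by the caller are all assumptions. Commands go through a run() wrapper so that DRY_RUN=1 prints the sequence instead of executing it; as the answers point out, nothing in this script prevents root from reading the mounted filesystem, it only scopes the mapping to the user's login session.

```shell
#!/bin/sh
# Added example: one LUKS-on-LVM XFS volume per user, mounted on login
# and closed on logout. Assumed names: volume group vg_users, mount root
# /srv/users. With DRY_RUN=1 every privileged command is printed, not run.

VG=vg_users
MOUNT_ROOT=/srv/users

# run CMD ARGS... : execute, or print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_user_volume USER SIZE KEYFILE
# Creates the LV, puts a LUKS container on it, opens it, formats it as XFS
# and hands the mountpoint to the user. nosuid/nodev keep the user's own
# files from becoming setuid binaries or device nodes on the host.
provision_user_volume() {
    user=$1; size=$2; keyfile=$3
    run lvcreate -L "$size" -n "crypt_$user" "$VG"
    run cryptsetup luksFormat --batch-mode --key-file "$keyfile" "/dev/$VG/crypt_$user"
    run cryptsetup open --key-file "$keyfile" "/dev/$VG/crypt_$user" "fs_$user"
    run mkfs.xfs -q "/dev/mapper/fs_$user"
    run mkdir -p "$MOUNT_ROOT/$user"
    run mount -t xfs -o nosuid,nodev "/dev/mapper/fs_$user" "$MOUNT_ROOT/$user"
    run chown "$user:$user" "$MOUNT_ROOT/$user"
    run chmod 0700 "$MOUNT_ROOT/$user"
}

# mount_user_volume USER KEYFILE : the login hook. While the mapping exists,
# /dev/mapper/fs_USER holds plaintext and is readable by root; that is the
# gap the question is about.
mount_user_volume() {
    user=$1; keyfile=$2
    run cryptsetup open --key-file "$keyfile" "/dev/$VG/crypt_$user" "fs_$user"
    run mount -t xfs -o nosuid,nodev "/dev/mapper/fs_$user" "$MOUNT_ROOT/$user"
}

# umount_user_volume USER : the logout hook. After this only the LUKS
# container remains on the LV, and the data needs the user's key again.
umount_user_volume() {
    user=$1
    run umount "$MOUNT_ROOT/$user"
    run cryptsetup close "fs_$user"
}
```

Run `DRY_RUN=1 sh thisfile.sh` after appending a call such as `provision_user_volume alice 2G /root/keys/alice.key` to review the exact command sequence before executing it as root; the key file should itself be readable only by the process that opens the volume.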

3 Answers

3

You should be able to accomplish this using SELinux MLS (Multi-Level Security) policy as a base, and adapting it to your needs. This is not a simple task, and if you don't already know SELinux you will have to learn, or find someone who does.

This is also not a policy for a one-man operation, as it splits the security roles normally handled by root three (or more) ways, and you therefore ideally should have three (or more) people who administer various aspects of the system.

Michael Hampton
3

First you have to realize that even if you limit the root account, the admins could have access to the physical server and change the server configuration from a Live CD. So you should start by trusting your admins.

I can see a few solutions. None is simple, but they are doable. Here they are:

  • use different bind namespaces. Use PAM to configure them. You might need to develop a PAM module.
  • SELinux (as mentioned by Michael Hampton), AppArmor or some other kernel space "application firewall".
  • Linux Containers, one for each user. I think this is the easiest solution.
  • Virtual Machines (XEN, KVM), one for each user.
  • a LD_PRELOAD library that will check the access for FS operations (open, getdents).
  • develop a kernel module that will do the filtering (similar to SELinux...)

Please note that you will have to limit the root access separately, depending on the chosen solution. You need to limit also the access to the raw device.

Mircea Vutcovici
  • What do you mean by Linux container? It will probably be a virtual machine for each user. I did not want to do that because I thought it would be a huge overhead, but probably it can be configured not to be as much as I expected. – illEatYourPuppies Jan 31 '13 at 22:23
  • It is a type of virtualization with low overhead. See: http://en.wikipedia.org/wiki/LXC – Mircea Vutcovici Jan 31 '13 at 23:41
1

In Unix/Linux, there is NO way you can restrict root from accessing a file mounted by a user. It just doesn't work.

Daniel t.