Hi All,
Today a friend of mine showed me a security feature in Windows XP, which to my knowledge is not available under Linux. (Please tell me I am wrong).
So here goes, he showed me a security feature in Windows XP wherein the user can set up a custom access to their own files and restrict access to others, including Administrators.
Is there a way to do so in GNU/Linux systems (for root)? As I am not aware of any means, I was not able to give him any answers. This feature came to light when we were discussing our Company's adoption of ISO-27001. He has also claimed that this is also the reason why Linux adoption in Enterprises is very low.
Regards Cyril Chacko
On Mon, Jul 27, 2009 at 10:57 PM, Cyril Chacko cyril.chacko@gmail.com wrote:
Hi All,
Today a friend of mine showed me a security feature in Windows XP, which to my knowledge is not available under Linux. (Please tell me I am wrong).
So here goes, he showed me a security feature in Windows XP wherein the user can set up a custom access to their own files and restrict access to others, including Administrators.
Please look into SELinux and related security model.
Is there a way to do so in GNU/Linux systems (for root)? As I am not aware of any means, I was not able to give him any answers. This feature came to light when we were discussing our Company's adoption of ISO-27001. He has also claimed that this is also the reason why Linux adoption in Enterprises is very low.
One more FUD. He is simply afraid to learn new technology and/or losing his/her job if he is unable to manage new platform.
Regards Cyril Chacko
With regards,
On Mon, Jul 27, 2009 at 10:57 PM, Cyril Chacko cyril.chacko@gmail.com wrote:
Hi All,
Today a friend of mine showed me a security feature in Windows XP, which to my knowledge is not available under Linux. (Please tell me I am wrong).
So here goes, he showed me a security feature in Windows XP wherein the user can set up a custom access to their own files and restrict access to others, including Administrators.
If something like this can be done as a normal user I would think of this as a security hole. This means that the user can deny the administrator access to certain portions of a system. Imagine the pain of having to administer when users goof up in these portions.
In any case, it would be nice if you could tell us how to do that.
Is there a way to do so in GNU/Linux systems (for root)? As I am not aware
This is possible in windows because the "Administrator" account in windows is not the same as root in *nix systems. The equivalent user to root is called "system" in Windows. Due to this I am guessing you can actually deny administrators from accessing your files. You surely cannot do this for the "system" user. (Disclaimer: I am only guessing. it has been ages since I last accessed a Windows box to do any real work)
As for setting up custom access (ACLs), look up the manpage for setfacl and getfacl commands on Linux. For even tighter security, look up SELinux.
Hi,
Thanks for all your replies, while googling I found an article for ACLs as well as for something known as Capabilities. Only the bare essentials are explained here. One is for Controlling access and the other is for Developers to write codes to reduce reliance on root authorisation for certain activities.
Will go into in depth of the technologies and see what I can learn.
In any case, it would be nice if you could tell us how to do that.
Is there a way to do so in GNU/Linux systems (for root)? As I am not aware
Check this link out, it mentions the methods my friend mentioned to me about, especially the ones about inherited permissions,
http://www.le.ac.uk/cc/dsss/docs/acls1.shtml
This is possible in windows because the "Administrator" account in windows is not the same as root in *nix systems. The equivalent user to root is called "system" in Windows. Due to this I am guessing you can actually deny administrators from accessing your files. You surely cannot do this for the "system" user. (Disclaimer: I am only guessing. it has been ages since I last accessed a Windows box to do any real work)
As for setting up custom access (ACLs), look up the manpage for setfacl and getfacl commands on Linux. For even tighter security, look up SELinux.
Probably, my doze box is only a backup if things don't work out on my linux and I can find a solution for that. "system" user that is new for me. Will take a look at that.
-- Siddhesh Poyarekar http://siddhesh.in -- http://mm.glug-bom.org/mailman/listinfo/linuxers
Thanks for all the help.
Regards Cyril Chacko
On Monday 27 July 2009, Cyril Chacko wrote:
Hi All,
Today a friend of mine showed me a security feature in Windows XP, which to my knowledge is not available under Linux. (Please tell me I am wrong).
So here goes, he showed me a security feature in Windows XP wherein the user can set up a custom access to their own files and restrict access to others, including Administrators.
Once you have access to the disk. It is trivial to get out info UNLESS 1) sensitive data is encrypted 2) The encryption keys are accessible only with the owner.
Is there a way to do so in GNU/Linux systems (for root)? As I am not aware of any means, I was not able to give him any answers.
Obviously your friend knows little about computing and even lesser about security.
This feature came to light when we were discussing our Company's adoption of ISO-27001. He has also claimed that this is also the reason why Linux adoption in Enterprises is very low.
If this friend is a decision maker in your organisation, I would be looking for another job.
On Tuesday 28 July 2009, jtd wrote:
On Monday 27 July 2009, Cyril Chacko wrote:
Hi All,
Today a friend of mine showed me a security feature in Windows XP, which to my knowledge is not available under Linux. (Please tell me I am wrong).
So here goes, he showed me a security feature in Windows XP wherein the user can set up a custom access to their own files and restrict access to others, including Administrators.
Once you have access to the disk. It is trivial to get out info UNLESS
That should read Once you have physical access it is trivial to get out info UNLESS
- sensitive data is encrypted
- The encryption keys are accessible only with the owner.
Is there a way to do so in GNU/Linux systems (for root)? As I am not aware of any means, I was not able to give him any answers.
Yes do 1 and 2.
Obviously your friend knows little about computing and even lesser about security.
This feature came to light when we were discussing our Company's adoption of ISO-27001. He has also claimed that this is also the reason why Linux adoption in Enterprises is very low.
If this friend is a decision maker in your organisation, I would be looking for another job.
-- Rgds JTD
On Monday 27 Jul 2009, Cyril Chacko wrote:
So here goes, he showed me a security feature in Windows XP wherein the user can set up a custom access to their own files and restrict access to others, including Administrators.
How do those files get backed up or checked by anti-virus then? Sounds like FUD to me.
Regards,
-- Raju
On Monday 27 Jul 2009 10:57:57 pm Cyril Chacko wrote:
Today a friend of mine showed me a security feature in Windows XP, which to my knowledge is not available under Linux. (Please tell me I am wrong).
So here goes, he showed me a security feature in Windows XP wherein the user can set up a custom access to their own files and restrict access to others, including Administrators.
coolness - so a disgruntled employee can lock out the owner. Is this security? is it a feature? It is a stupid flaw. It is axiomatic that root can access everything - this is the only way a system can be secure.
coolness - so a disgruntled employee can lock out the owner. Is this security? is it a feature? It is a stupid flaw. It is axiomatic that root can access everything - this is the only way a system can be secure.
You could always encrypt a partition, right?
On Tuesday 28 Jul 2009 11:24:25 am Debayan Banerjee wrote:
coolness - so a disgruntled employee can lock out the owner. Is this security? is it a feature? It is a stupid flaw. It is axiomatic that root can access everything - this is the only way a system can be secure.
You could always encrypt a partition, right?
and root cannot access it?
On Tue, Jul 28, 2009 at 12:07 PM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
You could always encrypt a partition, right?
and root cannot access it?
Not until he/she has the password. But that is a moot point since you need root access to encrypt a partition.
On Tuesday 28 July 2009, Siddhesh Poyarekar wrote:
On Tue, Jul 28, 2009 at 12:07 PM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
You could always encrypt a partition, right?
and root cannot access it?
Not until he/she has the password. But that is a moot point since you need root access to encrypt a partition.
But not a file.
'Confidential files' of specific nature may best be stored on a removable storage medium. End of story.
Sorry about top posting though.
On 7/28/09, jtd jtd@mtnl.net.in wrote:
On Tuesday 28 July 2009, Siddhesh Poyarekar wrote:
On Tue, Jul 28, 2009 at 12:07 PM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
You could always encrypt a partition, right?
and root cannot access it?
Not until he/she has the password. But that is a moot point since you need root access to encrypt a partition.
But not a file.
-- Rgds JTD
On Tuesday 28 July 2009, Nishit Dave wrote:
'Confidential files' of specific nature may best be stored on a removable storage medium. End of story.
Along with other people's interesting stuff. Which is pickpocketed by the spy who loves you.
Of course she could kidnap you and tickle you to death to get the info, but we will restrict ourselves to computer methods ;-). Even though the first method has immense potential.
Sorry about top posting though.
On 7/28/09, jtd jtd@mtnl.net.in wrote:
On Tuesday 28 July 2009, Siddhesh Poyarekar wrote:
On Tue, Jul 28, 2009 at 12:07 PM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
You could always encrypt a partition, right?
and root cannot access it?
Not until he/she has the password. But that is a moot point since you need root access to encrypt a partition.
But not a file.
-- Rgds JTD
-- Sent from my mobile device
On Tue, Jul 28, 2009 at 1:22 PM, jtd jtd@mtnl.net.in wrote:
Not until he/she has the password. But that is a moot point since you need root access to encrypt a partition.
But not a file.
No need for it either. Sysadmins need not have access to the information. All they need is access to the file to be able to back it up, restore, etc. whenever necessary.
On Tuesday 28 July 2009, Kenneth Gonsalves wrote:
On Tuesday 28 Jul 2009 11:24:25 am Debayan Banerjee wrote:
coolness - so a disgruntled employee can lock out the owner. Is this security? is it a feature? It is a stupid flaw. It is axiomatic that root can access everything - this is the only way a system can be secure.
You could always encrypt a partition, right?
and root cannot access it?
Not if the keys are with the encryptor. Besides the caveat pointed out by Siddhesh Poyarekar.
On Mon, Jul 27, 2009 at 10:57 PM, Cyril Chacko cyril.chacko@gmail.com wrote:
Hi All,
Today a friend of mine showed me a security feature in Windows XP, which to my knowledge is not available under Linux. (Please tell me I am wrong).
So here goes, he showed me a security feature in Windows XP wherein the user can set up a custom access to their own files and restrict access to others, including Administrators.
Is there a way to do so in GNU/Linux systems (for root)? As I am not aware of any means, I was not able to give him any answers. This feature came to light when we were discussing our Company's adoption of ISO-27001. He has also claimed that this is also the reason why Linux adoption in Enterprises is very low.
Read selinux. Way back in 1997 when selinux was not available, I used to use a software called SEOS (Security for Open Systems) for securing servers in Citibank. We had an id called secadm which was held by a security officer. The id secadm had rights to define who can access what. Even the root id could be prevented from accessing confidential data. These rights used to be maintained in a database called the Policy Model Database. The way seos worked was it trapped all system calls before it reached the kernel. SEOS was developed by the Israeli army and the software was subsequently bought by CA and sold as Etrust.
SELINUX uses the same kind of concept which SEOS, ETrust uses.
Cyril Chacko wrote:
Hi All,
Today a friend of mine showed me a security feature in Windows XP, which to my knowledge is not available under Linux. (Please tell me I am wrong).
So here goes, he showed me a security feature in Windows XP wherein the user can set up a custom access to their own files and restrict access to others, including Administrators.
What he did not tell you is that Administrator is the 'baap' of the system and when annoyed, he can take ownership of any folder/file and throw the delinquent user out. These are security features of the NTFS file system, not Windows XP. The problem starts when you receive legitimate files from outsiders by email and you try to save them on these partitions over the LAN. It does not allow you to do it even when you become owner of the file and you have write permissions to the folder.
Is there a way to do so in GNU/Linux systems (for root)? As I am not aware of any means, I was not able to give him any answers. This feature came to light when we were discussing our Company's adoption of ISO-27001. He has also claimed that this is also the reason why Linux adoption in Enterprises is very low.
Linux does not believe in semi permissions. It is either yes or no for the user.
On Tuesday 28 July 2009, Rony wrote:
Cyril Chacko wrote:
Hi All,
Today a friend of mine showed me a security feature in Windows XP, which to my knowledge is not available under Linux. (Please tell me I am wrong).
Linux does not believe in semi permissions. It is either yes or no for the user.
Some of the methods available to protect info on a drive.
http://www.linux-mag.com/cache/7444/1.html
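An added example, not posted by any list member: the thread's two conditions (data encrypted, key held only by the owner) applied to a single file by an ordinary user, together with the point that an administrator can still back up and restore the opaque file. It assumes OpenSSL 1.1.1 or later for `-pbkdf2`; the file names, sample text and passphrases are constructed.

```shell
#!/bin/sh
# Added example: file-level encryption by an unprivileged user (no root needed).
# Assumes OpenSSL 1.1.1+; file names, text and passphrases are constructed.
# Note: `openssl enc` with CBC gives confidentiality only, not tamper detection.

# encrypt_file PLAINTEXT_PATH CIPHERTEXT_PATH PASSPHRASE
encrypt_file() {
    # Passphrase goes in on stdin so it never appears in the process list.
    printf '%s\n' "$3" |
        openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass stdin
}

# decrypt_file CIPHERTEXT_PATH PASSPHRASE  -> plaintext on stdout
decrypt_file() {
    printf '%s\n' "$2" |
        openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -pass stdin
}

# demo: what a backup job or administrator can and cannot do with the
# ciphertext. Prints one result per line.
demo() {
    dir=$(mktemp -d) || return 1
    secret='salary review: constructed sample text'
    printf '%s\n' "$secret" > "$dir/notes.txt"

    encrypt_file "$dir/notes.txt" "$dir/notes.enc" 'owner-only passphrase'
    rm -f "$dir/notes.txt"                    # only ciphertext stays on disk

    # Backup and restore work on the opaque file without the key.
    cp "$dir/notes.enc" "$dir/backup.enc"
    cmp -s "$dir/notes.enc" "$dir/backup.enc" && echo "backup=identical"

    # Reading the raw bytes (which root can always do) reveals no plaintext.
    if grep -q 'salary' "$dir/backup.enc"; then echo "leak=yes"; else echo "leak=no"; fi

    # Only the passphrase holder recovers the content.
    [ "$(decrypt_file "$dir/backup.enc" 'owner-only passphrase')" = "$secret" ] \
        && echo "owner=ok"
    # A wrong passphrase yields an error or garbage, never the plaintext.
    guess=$(decrypt_file "$dir/backup.enc" 'admin guess' 2>/dev/null) || true
    [ "$guess" != "$secret" ] && echo "wrong_key=no_plaintext"

    rm -rf "$dir"
}

demo
```

This protects the file at rest; while the owner decrypts it on a running system, root on that system can still observe the passphrase or the plaintext.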