restrict root access for certain files or filesystems

illEatYourPuppies asked:

I want to store files for my users on encrypted filesystems. Every user would have his own filesystem with his own key. The user is able to log in to the system and mount his filesystem. When they are mounted, even root is not able to access them.

The setup is:

  • LVM -> dm_crypt -> xfs.
  • when the user logs in, he mounts his filesystem in a way that the owner will be him
  • he can start programs, they will have the same right as the user, so they can read the files

However, I want root not to access any of my users' mounted filesystems. First I thought of writing a VFS kernel module (compiled with the kernel) and hijacking the filesystem-specific commands if root wants to access the file of a different user. The problem is that root can do something like:

# su - secureuser

and voilà, read the mounted filesystem.

I was told to look around POSIX file capabilities, PAM, SELinux, but I don't know these, and I'm sure achieving my request is not convenient at all even with these things.

Here are some more, but they are about restricting root access as a whole:

Do you have any ideas? Thanks for the answers! 🙂

My answer:

You should be able to accomplish this using SELinux MLS (Multi-Level Security) policy as a base, and adapting it to your needs. This is not a simple task, and if you don’t already know SELinux you will have to learn, or find someone who does.

This is also not a policy for a one-man operation, as it splits the security roles normally handled by root three (or more) ways, and you therefore ideally should have three (or more) people who administer various aspects of the system.
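To make the MLS idea concrete, here is a small model of the dominance rule that an MLS policy applies, written as an added example for this post (it is not from the original answer or from the SELinux project). It assumes the SELinux MLS label syntax of a sensitivity `sN` plus an optional category set (`c3,c7` or a range `c0.c3`), and it applies a simplified rule: a subject may read an object only if the subject's level dominates the object's (sensitivity at least as high and categories a superset), and may write only at an equal level. The point it shows is the one the answer relies on: if each user's filesystem carries its own category and the administrator's shell runs without that category, being root (or running `su - secureuser`, which keeps the caller's MLS level unless the policy allows a level change) does not by itself make the data readable; only a separately administered high-clearance role does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: sensitivity number plus a set of category numbers."""
    sensitivity: int
    categories: frozenset

    @classmethod
    def parse(cls, text):
        """Parse labels such as 's0', 's0:c3,c7' or 's1:c0.c3' (range)."""
        sens, _, cats = text.strip().partition(":")
        if not sens.startswith("s") or not sens[1:].isdigit():
            raise ValueError(f"bad sensitivity in label {text!r}")
        categories = set()
        for part in filter(None, cats.split(",")):
            lo, _, hi = part.partition(".")
            if not lo.startswith("c") or (hi and not hi.startswith("c")):
                raise ValueError(f"bad category in label {text!r}")
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            categories.update(range(lo_n, hi_n + 1))
        return cls(int(sens[1:]), frozenset(categories))

    def dominates(self, other):
        """self dominates other: >= sensitivity and a superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def can_read(subject, obj):
    """No read-up: the subject's level must dominate the object's level."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """Simplified equal-level write rule (no write-down, no write-up)."""
    return subject == obj


def user_fs_label(category):
    """Constructed convention: each user's filesystem gets its own category."""
    return f"s0:c{category}"


def access_matrix(subjects, objects):
    """Evaluate read/write for every (subject, object) pair of label strings."""
    result = {}
    for s_name, s_label in subjects.items():
        s = Level.parse(s_label)
        for o_name, o_label in objects.items():
            o = Level.parse(o_label)
            result[(s_name, o_name)] = (can_read(s, o), can_write(s, o))
    return result


if __name__ == "__main__":
    # Constructed scenario: two users' filesystems, three subjects.
    objects = {"alice_fs": user_fs_label(10), "bob_fs": user_fs_label(11)}
    subjects = {
        "alice":   "s0:c10",       # alice's login session
        "root":    "s0",           # root shell with no categories
        "secadm":  "s0:c0.c1023",  # separately staffed high-clearance role
    }
    for (who, what), (r, w) in sorted(access_matrix(subjects, objects).items()):
        print(f"{who:7} -> {what}: read={r} write={w}")
```

Running it prints a matrix in which `alice` can read and write `alice_fs` only, `root` can do neither, and `secadm` can read both but write neither. In a real SELinux deployment the same separation comes from the `mlsconstrain` rules in the policy and from labeling each user's mount with its own category (for example via a mount context option), which is why the answer says the roles must be split among several people rather than collapsed back into one all-powerful account.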

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.