Password Protecting directories...


B14speedfreak

Technical User
Mar 23, 2006
Hi all,

Just out of interest does anyone know how to password protect directories in Solaris? I have had a google search but just got a load of info about how to do it for webservers and apache, it needs to be Operating System level. Had a look on the Sun site as well but couldn't find anything.

Thanks in advance for any posts and for reading,

B14... aka... marky mark..
 
Never come across this, all you could do is create "newuser" (useradd) with a home directory of say /export/home/password_protected where of course the directory "password_protected" needs a login & password to access all its files.

Permissions are probably just as good, can be as tight as required thus allowing no access to specific directories and/or files if required.
 
Erm yeah you see the problem is though, it needs to be protected from the root user, would that be possible? Surely root could just do a chmod 777 [dir]?

Thanks for the post though, that did come to mind...

B14...aka marky mark
 
Hmmm, root owners can get in everywhere, I don't see any way around that situation. What are you trying to protect that can't be held on a PC?
 
Not really sure, my boss asked me to do it. Think we are going through an audit at the moment, must have something to do with that.

Was thinking of trying to use crypt or facl but they don't seem to be of much use.

Thanks for the reply....

B14... aka... MArky Mark...
 
you can't prohibit root to access a local directory; you could prohibit other users to do so (create a new usergroup and add a password to that group)
root - by default - can not access a NFS shared directory (root is matched to anonymous user by NFS Server)

Best Regards, Franz
--
UNIX System Manager from Munich, Germany
 
Yeah I mean these are all valid points guys.

The only real way I can see round this is to maybe use Crypt or facl or something similar. I have been searching all day for something similar. One suggestion was to zip it up using gzip, apparently you can add passwords on like you can with winrar. But to be honest I don't think that's an option.

Any other ideas are welcomed....

Thanks,

B14... aka... marky mark...
 
crypt does not use very strong encryption. openssl provides many different encryption options, for example to encrypt a file using DES3 you could use:

    openssl enc -e -des3 -salt -a -in /source/file -out /encrypted/file

Use -d instead of -e to decrypt it again. Remember to remove the /source/file or the operation is pointless. :)


Annihilannic.
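
Added example, not part of the post above: the same `openssl enc` flags applied to a whole directory, with the plaintext removed only after the encrypted archive has been checked. The function names and the passphrase file are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): the post's openssl flags applied to
# a directory. On OpenSSL 1.1.1 or later, prefer -aes-256-cbc -pbkdf2.

# encrypt_dir SRC_DIR OUT_FILE PASS_FILE
encrypt_dir() {
    [ -d "$1" ] || return 1
    # Archive relative to the parent so no absolute paths are stored.
    # -pass file: keeps the passphrase out of the process list.
    tar -cf - -C "$(dirname "$1")" "$(basename "$1")" |
        openssl enc -e -des3 -salt -a -pass "file:$3" -out "$2"
}

# list_encrypted ENC_FILE PASS_FILE
# Decrypts inside a pipe and lists the archive; prints nothing on failure.
list_encrypted() {
    openssl enc -d -des3 -a -pass "file:$2" -in "$1" 2>/dev/null |
        tar -tf - 2>/dev/null
}

# decrypt_dir ENC_FILE DEST_DIR PASS_FILE
decrypt_dir() {
    mkdir -p "$2" &&
        openssl enc -d -des3 -a -pass "file:$3" -in "$1" |
        tar -xf - -C "$2"
}

# seal_dir SRC_DIR OUT_FILE PASS_FILE
# Encrypt, confirm the result decrypts to a non-empty listing, and only
# then remove the plaintext. rm does not scrub the freed disk blocks.
seal_dir() {
    encrypt_dir "$1" "$2" "$3" || return 1
    if [ -z "$(list_encrypted "$2" "$3")" ]; then
        echo "verification failed; source directory kept" >&2
        return 1
    fi
    rm -rf "$1"
}
```

Once `decrypt_dir` has been run, the restored files are ordinary plaintext again and readable by root like anything else on the machine.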
 
Yeah I had a look at Jass a few weeks ago, also looked at Titan and the CIS tools as well. They are very good for hardening systems. However you really do have to make sure that you customize them properly otherwise they won't work as well.

I think that the information is pretty vital and we want to make sure that no one except certain people (possibly excluding people with root access) has access to the files.

Anyhow I think my boss has come up with another solution (take it off the system and put it somewhere more secure).

Thanks for all the posts though guys, they have been really useful.

B14... aka... Marky Mark...
 
Well, if you're needing this for audit purposes you might want to take a look at sudo.

If the proper policies were set up, you would essentially have everyone log in as their username and then use sudo whenever needed to run commands as root or another user. Sudo also allows you to be as granular as needed with the possibility of restricting certain files and maybe even directories.


Regards,
Chuck
 
@Marky Mark

where have you left the Funky Bunch...? ;)

in general: perhaps we get better solutions if you tell us more about what is your intention, your fears etc and what's your environment/business. With these few infos this thread is more or less brainstorming...

in UNIX root is the master user and can - as many people wrote above - access any file, as long as it resides on the same machine. You could deal with removable media or do remote mounts (-> anonymous on NFS), 'crypt'ing, 'pgp'ing, '3des'ing a file etc, but these things are not 100% safe, since you need the plain file to edit/view and this file is accessible by root (or any other user depending on the acl or filerights); root can read your memory, can access your open files, etc.! If you can't trust root on this machine I would say move data to another host, where you are root/admin. If this machine is just a vServer in a hostfarm you are trapped - either you trust or put up your own machine...

Best Regards, Franz
--
UNIX System Manager from Munich, Germany
 
Hi All,

Yeah well you see that's the thing, I am not quite sure about why this data has to be password protected (the powers that be haven't told me, I can only surmise (based on the directory name) that it is audit information). The directory is on both a production and test Oracle box. The DBAs have root access however I am not sure whether or not the apps developers have the access or not (I am a lowly Oracle Technician (IE I do what the DBAs either haven't got time to do or don't want to do)). Anyhow I explained to my boss that the only real way I could figure on doing it would involve a couple of shell scripts and probably crypt/(something similar), my boss didn't want to go down that route, so I think he has either moved them to a different mount point or to a different server. Maybe you see the predicament that I am in?! My task was simply to find out if you could password protect a directory.

Anyhow that aside, I think you guys are all right, root access should be restricted as far as possible, and to be honest, only people who require root access to the boxes are the people who have it, (I am guessing it's something to do with this audit business).

Hope this explains everything a bit more.

Thanks again,

B14.. aka.. Marky Mark...
 
I think I understand B14speedfreak; your boss (who is completely non-technical & non-unix?) simply has an auditphobia and is making sure he doesn't get any flak about the level of protection for sensitive data. In which case every unix user of every system world-wide would be in the same boat as him.
All any company can do is to control who actually has root access and of course change the passwd at regular intervals or after certain events (somebody leaving) and, at least one team must have ownership, be it DBA or a Tech. Support Group.

Good Luck anyway

 
No my boss is technical (he's been doing unix/oracle for quite a number of years (not sure whether he's testing me or not))...

Yeah I think root is owned by the DBAs (since they are Oracle boxes), but I am not fully sure to be honest.

I am not quite sure whether the data is oracle or unix based (I am guessing it's audit data from Oracle since I did the Unix audit a week ago).

Anyhow there we go....

Think that covers it all really...

Thanks for all the posts guys they have been really useful,

B14... aka... Marky Mark...
 