Hi, a friend and I want to share a Linux machine. We both need to get root rights via sudo for administering that machine. Is it somehow possible to deny access to the home folder for the other one, although he can become root?
Thanks!
Only with something like SELinux.
You could install encrypted home directories. This page has a writeup on how to install under Ubuntu.
You could restrict/deny access to /bin/su and other methods of obtaining 'full' root access on the machine. Also, you can restrict /what/ can be run with root privileges, for certain users, in /etc/sudoers and enable full logging of things executed with sudo.
example:
and so on. You can provide the exact commands you want your friend to be able to use, including the command line parameters, if you want to lock it down further (like with apt-get in my example). You basically need to figure out /what/ he needs root access for, and dole it out sparingly. Or learn to trust him.
Two additional examples: vim /etc/* allows the user to edit anything in /etc/ as root, and the last one denies access to su (just as an example, since no access to su is implied, anyhow). http://linux.die.net/man/5/sudoers, the man 5 sudoers in web form, has lots of examples to pick over.
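
An added example, not part of the answers above: a small Python check that reads sudoers-style rules of the kind the last answer describes and flags the ones that do not actually confine the other admin, plus whether sudo logging is turned on. The user name friend, the sample rules and the shortlist of programs are assumptions made for this illustration.

```python
import re

# Assumed shortlist of programs that can run other commands or write
# arbitrary files when started as root; extend it for your own systems.
SHELL_CAPABLE = {"vi", "vim", "nano", "emacs", "less", "more", "man",
                 "find", "awk", "su", "sh", "bash"}
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")

def audit_rule(line):
    """Return findings for one 'user host = (runas) commands' line."""
    line = line.strip()
    m = SPEC.match(line)
    if not line or line.startswith(SKIP) or not m:
        return []
    findings = []
    for cmd in m.group(3).split(","):  # assumes no escaped commas in arguments
        cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop tags like NOPASSWD:
        negated = cmd.startswith("!")
        path, _, args = cmd.lstrip("! ").partition(" ")
        name = path.rsplit("/", 1)[-1]
        if path == "ALL":
            findings.append("ALL: full root, so no home directory is protected")
        elif negated:
            findings.append(f"!{path}: a deny rule matches one path only, not a reliable restriction")
        elif name in SHELL_CAPABLE:
            findings.append(f"{path}: runs as root and can start a shell or write any file")
        elif "*" in args or not args:
            findings.append(f"{path}: arguments are not pinned")
    return findings

def logging_enabled(text):
    """True if a Defaults line turns on a sudo log file or I/O logging."""
    return any(re.match(r"\s*Defaults\b.*\b(logfile|log_input|log_output)\b", l)
               for l in text.splitlines())

# Constructed sample; 'friend' and these rules are hypothetical.
SAMPLE = """\
Defaults logfile="/var/log/sudo.log"
friend ALL = (root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade
friend ALL = (root) /usr/bin/vim /etc/*
friend ALL = (root) NOPASSWD: ALL, !/bin/su
"""

if __name__ == "__main__":
    print("logging enabled:", logging_enabled(SAMPLE))
    for line in SAMPLE.splitlines():
        for finding in audit_rule(line):
            print(f"{line!r}\n    -> {finding}")
```

Only the apt-get rule with pinned arguments passes cleanly; the editor rule and the ALL rule with a deny entry are both reported.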