# block root user from reading folder...?

## sven_sol

I've noticed that root is denied access to several files, usually files that are used or created by services.

So I was wondering if it was possible to create a website and block the folder off to everyone except the web service itself - i.e. apache so that the web application is the one controlling the contents?

 :Confused: 

----------

## ac_static

It's been a while since I took a close look at the kernel sources relating to filesystems, so don't take this as the gospel truth, but for the most part I don't believe what you're asking is possible.  The last time I did look at how it was handled ( kernel < 2.x.x ), it was something to the effect of:  if uid == 0, grant access, otherwise test permissions.

If the files are being accessed by nfs, then I guess it would be easy enough to do... but the last time I checked, that was not recommended by the Apache people.

I suppose if it were really necessary, you could write a cgi/scripted web app that would encode uploaded files, and then decode them on a http request, but I think the bigger question would be: why?

----------

## Monkeh

root cannot be denied access to normal files. It's specifically designed to bypass all permissions. I believe you probably encountered lock files and the such, which are different from normal files, and cannot, to my knowledge, be read by anyone.

You can control permissions in such a way to deny all but one user access to files, but root itself can access whatever it likes.

----------
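The check described in the two replies above ("if uid == 0, grant access, otherwise test permissions"), as an added example that is not part of the original posts: a simplified Python model of the standard-kernel permission decision, evaluated against a real 0700 directory holding a 0600 file. The file name, the uid offsets and the helper names are constructed for illustration; ACLs and security modules such as SELinux or grsecurity are not modelled.

```python
import os
import stat
import tempfile

R, W, X = 4, 2, 1  # requested access, same bit values as one rwx triplet

def dac_allows(st, uid, gids, want):
    """Simplified classic Unix permission check on a stat-like object."""
    if uid == 0:
        # root skips the mode bits for read/write and for directory search;
        # executing a regular file still needs at least one x bit set.
        if want & X and not stat.S_ISDIR(st.st_mode):
            return bool(st.st_mode & 0o111)
        return True
    if uid == st.st_uid:
        bits = (st.st_mode >> 6) & 7   # owner triplet only, even if weaker
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7   # group triplet
    else:
        bits = st.st_mode & 7          # other triplet
    return (bits & want) == want

def can_read_file(d, f, uid, gids):
    """Reading a file needs search (x) on its directory and read on the file."""
    return dac_allows(d, uid, gids, X) and dac_allows(f, uid, gids, R)

def demo():
    """Build a service-only folder and ask who can read the source inside."""
    with tempfile.TemporaryDirectory() as top:
        app = os.path.join(top, "app")
        os.mkdir(app)
        src = os.path.join(app, "index.php")   # constructed sample file
        with open(src, "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        os.chmod(src, 0o600)
        os.chmod(app, 0o700)
        d, f = os.stat(app), os.stat(src)
        service = (d.st_uid, [d.st_gid])             # owner, stands in for apache
        other = (d.st_uid + 1000, [d.st_gid + 1000])  # hypothetical unrelated user
        return {
            "service": can_read_file(d, f, *service),
            "other": can_read_file(d, f, *other),
            "root": can_read_file(d, f, 0, [0]),
        }

if __name__ == "__main__":
    print(demo())
```

Tight modes keep every other local account out, but the uid 0 branch never consults them, which is why the thread turns to SELinux and grsecurity next.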

## sven_sol

ah.. ok then.

It's for a project that I'm working on.  I basically don't want anyone to access my source code for this application that I'm writing in PHP.

I just thought of it because I saw this:

srw-------  1 svensol users         0 Sep 19 16:05 alsa-dmix-9016-1127145932-413474

and sockets come up with an access denied type of message and I wanted to see if it was possible.

"wrong tree" and "barking" are coming to mind.   :Sad: 

----------

## UberLord

Not true

However, you do need either selinux or hardened-sources and enable GRSec.

With either of those you can make root Just Another User  :Smile: 

http://www.gentoo.org/proj/en/hardened/index.xml

----------

## sven_sol

Thanks UberLord,

big learning curve here I come!!   :Rolling Eyes: 

----------

## UberLord

Too big a learning curve for me atm - but it's probably one of my projects next year  :Smile: 

If you have problems, the best place to ask is probably #gentoo-hardened on irc.freenode.net

----------

## sven_sol

so not something I can learn how to do in a week then...    :Laughing: 

----------

## Monkeh

 *UberLord wrote:*   

> Not true
> 
> However, you do need either selinux or hardened-sources and enable GRSec.
> 
> With either of those you can make root Just Another User 
> ...

 

Ah. I was thinking with the standard kernel.. Plus I haven't yet looked into either SELinux or GRSec seriously. *makes note to look into common kernel patches before talking out of his backside*

----------

## bigfunkymo

you're probably going to need some sort of cryptographic solution

----------

## calr0x

Wouldn't this be perfect for gpg?

----------

## sven_sol

That's fine if I'm just going to encrypt it, but how would it run?  I still need it as a usable web application.

I'm beginning to think about eAccelerator or the like but that's something else - using eAccelerator to compile all the source code, use it with lighttpd (something else to learn!) and remove all the plain-text code.  That way I still have a running app   :Very Happy: 

How about making the folder its in encrypted? But, again, how can I get the service to read it and not root, or is this back to making root a normal user?

----------

## krolden

 *UberLord wrote:*   

> Too big a learning curve for me atm - but it's probably one of my projects next year 

 

It's my MSc thesis this year.  So no way to avoid it for me.

----------

## calr0x

I am positive there is no way you can have a webpage be served from a system where the root user cannot read it.  No matter what method chosen it must exist unencrypted on that system, either in ram or on the disk.

I think yer just asking too much to find a situation where the systems admin.... can't admin.  By its very nature you do not own that system..   The best you can hope for I'm afraid is to store it encrypted on that system..  See, we haven't even touched the concept of keyloggers. 

If that admin wants that info, he can get it trivially...  =(

----------

## sven_sol

Yea, completely agree with that now, but I'm going to give the eAccelerator a go in the next couple of days.

From what I've read on it so far it still needs the plain text PHP file there and then compiles and runs it.  It keeps a compiled version for execution later.

Now - what I want to do is pre-compile everything and then remove the plain text files.  

I just hope that's possible.  

Answers on a post card to...  :Smile: 

----------

## calr0x

 :Very Happy: 

It would be nice to have some "right to privacy" to some degree, even when on a foreign system...  Some way to guarantee that you can operate in a limited way truly secure and private..

----------

## sven_sol

But wouldn't that leave you to the mercy of that particular user?  You'd get the blame for something that isn't really your fault.

I agree to privacy and the right to keep hold of my code, but on a foreign system (e.g ISP) that could only be a bad thing.  

Would you give someone a login account to your server(s) without the ability to see what they're doing!?   Script kiddies would love that!! "K00l 4n 1P 4dDr3s5 7o a774k 4r0m!!   :Twisted Evil:  "  A few simple scripts and you can pretty much do what you want... But this is all for a completely different topic! 

I just want to be able to turn my PHP code into an unusable bunch of gibberish but still usable as an application, failing the lock it out of root's reach.  Hmm.

Maybe I'm attacking this from the wrong angle.  Say I go for the encryption way, could it be mounted automatically from boot for only the service to access it (leaving aside the attack to disclose the code..)  

Too many options..   :Shocked:   :Shocked:   :Shocked: 

----------

## calr0x

 *Quote:*   

> Some way to guarantee that you can operate in a limited way truly secure and private..

 

It's unreasonable to expect full private access...  But basic doc protection/etc would be better.  And who even holds an admin liable for a user's behavior anyway?

You couldn't have it automount as you would need to enter your gpg passphrase on boot.

----------

## sven_sol

Sorry about that - didn't read the message properly!   :Embarassed:    I know it's an old(ish) thread, but it's nice to close them off.

I've sorted it now.  Used eAccelerator to build the encoded file and removed all trace of the plain text.  Works like a dream!!  Set the folder to immutable and root can't accidentally delete it now.

Just need to make sure it can't be decoded now   :Wink: 

Cheers everyone!!

----------

