37
submitted 4 months ago* (last edited 4 months ago) by poki@discuss.online to c/linux@lemmy.ml

(More) Specifics:

  • Undoing the protection should include filling in a password.
  • The password should be different from the one used with sudo or any other passwords that are used for acquiring elevated privileges.

All (possible) solutions and suggestions are welcome! Thanks in advance!

Edit: Perhaps additional specifications:

  • With 'displace‘, I mean anything involving that resembles the result of mv, cp (move, cut, copy) or whatsoever. The files should remain in their previously assigned locations/places and should not be able to 'pop up' anywhere.
  • I require for the files to be unreadable.
  • I don't care if it's modifiable or not.
  • I don't require this for my whole system! Only for a specific set of files.
you are viewing a single comment's thread
view the rest of the comments
[-] poki@discuss.online -1 points 4 months ago

It seems I wasn't clear as most people misunderstood me.

But, to give a very precise example; say

  • I had a folder called ~/some/folder.
  • It was on an encrypted drive.
  • And I had done additional work to encrypt the folder again.
  • And say, I used chattr, chmod or chown or similar utilities that remove access as long as one doesn't have elevated privileges.
  • And say, I had done whatever (additional thing) mentioned in your comment.

Then, what prevents whosoever, to copy that file through cloning the complete disk?

Even if they're not able to get past the password, it will be found on the cloned disk. SO, basically, I ask for some method that prevents the file to even be copied through a disk clone. I don't care that it has three passwords protecting it. What I want is for the disk clone (or whatever sophisticated copy/mv/cut or whatsoever utility exists) to somehow fail while trying to attempt the action on the protected files.

[-] bitfucker@programming.dev 5 points 4 months ago* (last edited 4 months ago)

By definition, you can't. Any software level solution will fail since you can just move the drive somewhere else. It must be baked into the hardware and firmware.

Edit to add further clarification. Do you need it to be failing on every device or just on a device that you control? Since as stated before, moving a mass storage will completely overthrow any software solution

[-] poki@discuss.online 1 points 4 months ago

Do you need it to be failing on every device or just on a device that you control?

Actually, I'm fine with a solution that only works on a device that I control. But, failing on every device is nice as well.

[-] bitfucker@programming.dev 2 points 4 months ago

Right, working on every device requires a hardware solution. I haven't encountered any such hardware yet but I do know that it is possible. Next, your second requirement makes what you're trying to accomplish impossible. Privilege escalation by definition will escalate the privilege. The problem lies in the fact that the root user is basically a god in linux. You can even wipe your system if you so desire. However, you can read more into SELinux or other similar systems. It works by basically running check on the kernel level not user level. But the only solutions I can think of will make other day-to-day tasks more of a hassle. Also, note that whoever knows how to modify the SELinux can also bypass the system. I found an answer on serverfault that points to a blog. However, I haven't read the blog yet. You may find an answer there.

[-] poki@discuss.online 1 points 4 months ago
[-] bitfucker@programming.dev 2 points 4 months ago

You're welcome. I also recommends Arch Wiki on SELinux. It helps clarify a lot of things and how different it is with traditional linux privilege escalation.

[-] poki@discuss.online 1 points 4 months ago
[-] lambalicious@lemmy.sdf.org 3 points 4 months ago

I ask for some method that prevents the file to even be copied through a disk clone

Oh that's quite simple! Just don't have the files on the first disk in the first place. Make them a remote mount from a server, for example via sshfs, webdav, etc. Heck, even ftp if it comes down to it. That way, even though you can clone the disks, you can not get to the files if you don't also have the full authentication requirements for the remote server (such as a password).

At a conceptual level, you can't do anything via root to prevent someone who clones the disk from... well, cloning the disk. Having physical access to a disk is a much higher level of access than even root, so if what you are looking for is for your content to not be cloned, you need to fortify physical access to the device.

[-] poki@discuss.online 2 points 4 months ago

Understood. Thank you!

this post was submitted on 22 Jun 2024
37 points (93.0% liked)

Linux

48214 readers
891 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS