Old 07-27-2008, 07:05 AM
"Joy Methew"
 
Default ACL

Hello all,
Can we deny the root user access to a user file with an ACL?
Thanks
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
 
Old 07-27-2008, 07:28 PM
 
Default ACL

Deny root but allow users?


-----Original Message-----
From: "Joy Methew" <ml4joy@gmail.com>

Date: Sun, 27 Jul 2008 12:35:31
To: General Red Hat Linux discussion list<redhat-list@redhat.com>
Subject: ACL


hello all....
can we deny root user to access user file from acl??
Thanks
 
Old 07-28-2008, 01:08 PM
"Chris St. Pierre"
 
Default ACL

On Sun, 27 Jul 2008, Joy Methew wrote:

> can we deny root user to access user file from acl??

No. Root is supreme. Root can do _everything_.

If you don't trust your root account, you've got far bigger problems
than this list -- or any list -- can help you with.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

 
Old 07-28-2008, 01:12 PM
"Mark Haney"
 
Default ACL

Joy Methew wrote:

> hello all....
> can we deny root user to access user file from acl??
> Thanks

Not a chance. Root can do ANYTHING. Hence the whole idea of 'work as
regular user not as root'. If you need to deny root access to
something, then there's a trust issue that could be a major security
problem.



--
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

 
Old 07-28-2008, 01:15 PM
Laszlo BERES
 
Default ACL

Chris St. Pierre wrote:

> No. Root is supreme. Root can do _everything_.

Except when you implement SELinux with strict or MLS policies. But I
think that's not an option in that case.


--
Laszlo BERES RHCE, RHCX
senior IT engineer, trainer

 
Old 07-28-2008, 01:55 PM
"Mark Haney"
 
Default ACL

Laszlo BERES wrote:

> Chris St. Pierre wrote:
>
> > No. Root is supreme. Root can do _everything_.
>
> Except when you implement SELinux with strict or MLS policies. But I
> think that's not an option in that case.

Are you saying you can deny root access to a file with SELinux? Is that
ever wise?



--
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

 
Old 07-28-2008, 02:12 PM
Laszlo BERES
 
Default ACL

Mark Haney wrote:

> Are you saying you can deny root access to a file with SELinux? Is that
> ever wise?

Yes, it's possible. Wise or not, there are many scenarios when root
shouldn't see stored data, but has to administer basic system services.


--
Laszlo BERES RHCE, RHCX
senior IT engineer, trainer
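
Added example, not part of the thread: a simplified Python model of the two answers above, showing why an ACL entry cannot deny root (CAP_DAC_OVERRIDE bypasses discretionary checks) while an enforcing SELinux policy can (mandatory checks apply on top, regardless of uid). The domain and type names (`sysadm_t`, `app_t`, `app_data_t`), the policy table and the file are constructed for illustration; real SELinux policy is far richer than this lookup.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits

@dataclass
class File:
    owner: int
    group: int
    mode: int                                       # e.g. 0o600
    acl_users: dict = field(default_factory=dict)   # named-user ACL entries: uid -> bits
    acl_mask: int = 7
    setype: str = "app_data_t"                      # constructed SELinux type label

@dataclass
class Proc:
    uid: int
    gids: set
    caps: set      # Linux capabilities held by the process
    domain: str    # constructed SELinux domain name

def dac_allows(p, f, want):
    """Owner, then named-user ACL entry, then group, then other (first match wins)."""
    if p.uid == f.owner:
        granted = (f.mode >> 6) & 7
    elif p.uid in f.acl_users:
        granted = f.acl_users[p.uid] & f.acl_mask
    elif f.group in p.gids:
        granted = (f.mode >> 3) & 7 & f.acl_mask
    else:
        granted = f.mode & 7
    return granted & want == want

def may_access(p, f, want, policy, enforcing):
    ok = dac_allows(p, f, want)
    if not ok and "CAP_DAC_OVERRIDE" in p.caps:
        # Root's capability overrides a DAC/ACL denial (execute still needs an x bit).
        ok = not (want & X) or bool(f.mode & 0o111)
    if ok and enforcing:
        # MAC is checked in addition to DAC; no allow rule means denied, even for uid 0.
        ok = policy.get((p.domain, f.setype), 0) & want == want
    return ok

def demo():
    f = File(owner=1000, group=1000, mode=0o600, acl_users={0: 0})  # ACL "u:root:---"
    policy = {("app_t", "app_data_t"): R | W}       # constructed; no rule for sysadm_t
    root = Proc(0, {0}, {"CAP_DAC_OVERRIDE"}, "sysadm_t")
    app = Proc(1000, {1000}, set(), "app_t")
    return {"root, ACL only": may_access(root, f, R, policy, False),
            "root, SELinux enforcing": may_access(root, f, R, policy, True),
            "app, SELinux enforcing": may_access(app, f, R, policy, True)}

if __name__ == "__main__":
    print(demo())
```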

 
Old 07-28-2008, 02:19 PM
"Broekman, Maarten"
 
Default ACL

Yes. It is wise. If you have an application that writes sensitive
data, you may not want your admins to have access to it as root, either
for accounting reasons or otherwise.

Maarten Broekman
Email: maarten.broekman@fmr.com

-----Original Message-----
From: redhat-list-bounces@redhat.com
[mailto:redhat-list-bounces@redhat.com] On Behalf Of Laszlo BERES
Sent: Monday, July 28, 2008 10:13 AM
To: General Red Hat Linux discussion list
Subject: Re: ACL

Mark Haney wrote:

> Are you saying you can deny root access to a file with SELinux? Is that
> ever wise?

Yes, it's possible. Wise or not, there are many scenarios when root
shouldn't see stored data, but have to administer basic system services.

--
Laszlo BERES RHCE, RHCX
senior IT engineer, trainer

 
Old 07-28-2008, 02:47 PM
hike
 
Default ACL

No, it is not wise.

It is unethical for sysadmins to access this data without a specific reason
and approval.
If you cannot trust your sysadmins to act in an ethical fashion, YOU have
screwed up big-time.

YOU hire trustworthy people.
YOU train trustworthy people.

Locking-down SELinux does not stop unethical sysadmins.
It will just take a little longer to breach your ill-advised & INSULTING
security.
Once the unethical sysadmin that YOU hired breaks in, she will be (rightly)
pissed and really screw things up.

If you don't trust YOUR sysadmins, either quit (the preferred solution) or
fire the sysadmins.

Doesn't anybody think it is essential to hire TRUSTWORTHY people any more?
Doesn't ANY employer think it is essential to RESPECT their employee any
more?

These are two reasons that businesses in the U.S.A. suck big time!



On Mon, Jul 28, 2008 at 10:19 AM, Broekman, Maarten <
Maarten.Broekman@fmr.com> wrote:

> Yes. It is wise. If you have an application that writes sensitive
> data, you may not want your admins to have access to it as root, either
> for accounting reasons or otherwise.
>
> Maarten Broekman
> Email: maarten.broekman@fmr.com
>
> -----Original Message-----
> From: redhat-list-bounces@redhat.com
> [mailto:redhat-list-bounces@redhat.com] On Behalf Of Laszlo BERES
> Sent: Monday, July 28, 2008 10:13 AM
> To: General Red Hat Linux discussion list
> Subject: Re: ACL
>
> Mark Haney wrote:
>
> > Are you saying you can deny root access to a file with SELinux? Is that
> > ever wise?
>
> Yes, it's possible. Wise or not, there are many scenarios when root
> shouldn't see stored data, but have to administer basic system services.
>
> --
> Laszlo BERES RHCE, RHCX
> senior IT engineer, trainer
>
 
Old 07-28-2008, 02:56 PM
"Mark Haney"
 
Default ACL

hike wrote:

> No, it is not wise.
>
> It is unethical for sysadmins to access this data without a specific reason
> and approval.
> If you cannot trust your sysadmins to act in an ethical fashion, YOU have
> screwed up big-time.
>
> YOU hire trustworthy people.
> YOU train trustworthy people.
>
> Locking-down SELinux does not stop unethical sysadmins.
> It will just take a little longer to breach your ill-advised & INSULTING
> security.
> Once the unethical sysadmin that YOU hired breaks in, she will be (rightly)
> pissed and really screw things up.
>
> If you don't trust YOUR sysadmins, either quit (the preferred solution) or
> fire the sysadmins.
>
> Doesn't anybody think it is essential to hire TRUSTWORTHY people any more?
> Doesn't ANY employer think it is essential to RESPECT their employee any
> more?
>
> These are two reasons that businesses in the U.S.A. suck big time!

I have to say, I certainly do agree with you. I was thinking the exact
same thing, but didn't want to turn this thread into a flame war.
Personally, it's a lack of respect on both sides that causes trouble.
Not respecting and trusting your admins leads to them acting like
children.


Remember being told, as a kid, 'don't do this' (whatever it was) and the
one and only thought on your mind is 'I HAVE to do that'? Every child
gets that way. Not trusting your admins gets the same result. (IMHO)


I don't think we need to make this a long, drawn out thread on ethics, I
only asked if that was wise simply because I think it's not and wanted
to hear what others say.




--
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
