Any way to encrypt a file so that no one can decrypt it. - Page 2

08-07-2007

#11 (permalink)

anomie

Linux Guru

Join Date: Mar 2005

Location: Texas

Posts: 1,697

Quote:

Originally Posted by kakariko81280

I don't want to be pessimistic, but I don't think there is a way to achieve exactly what you are after.

Agreed.

Quote:

Originally Posted by bigtomrodney

Surely you can be more discriminating in the /etc/sudoers file? Grant users only the root permission for what they need?

Agreed.

What you're trying to do here is tricky as hell. You have lots of full-on sudoers on the box? So you're trying to hide from lots of folks with root access. That will not work without lots of help from your friendly selinux administrator.

Given the hairy scenario that you describe, I'd say you are actually going to want to run the script from a different box. Something is wrong with the whole picture.

08-07-2007	#12 (permalink)
bigtomrodney /etc/init.d/moderator Join Date: Nov 2004 Location: Sunny South-East of Ireland Posts: 6,038	At the risk of sounding cruel this is poorly implemented security. Actually this is non existant security. With root permission a user can become any other user. Encryption is not the answer and as I mentioned already there is a definite need to reel in the permissions to an absolute necessity. You may find a workaround to allow you to proceed in the direction you are going but remember it will only be that - a workaround. I would strongly rethink the security policy going forward. __________________ Registered Linux user #378740 New members read here / Forum Rules #linuxforums on irc.freenode.net

08-08-2007	#13 (permalink)
pavlo_7 Linux Enthusiast Join Date: Jul 2005 Location: Maryland Posts: 517	How about storing that file on another server where users don't have sudo permissions? And then let them (or script, or whatever) access the file remotely but only with certain permissions (controlled by the server where the file is).

08-08-2007

#14 (permalink)

LoneWolf93

Just Joined!

Join Date: Jul 2007

Location: Malta

Posts: 11

Quote:

Originally Posted by thusi02

Hi devils_casper,

Thank you for your reply. However, solution does not work as well. I have looked into this however, since there is a way to decrypt the file this will not work. Basically I want a one way ticket. I want to be able to encrypt the file and have it execute. However, I do not want there to be anyway of decrypting the file. So I want a member of the team to put their password into the file and encrypt the file and be safe that no one else is going to come along that has sudo access on the system to be able to decrypt the file. This is where the dilemma is.

Any thoughts?

Cheers,
Nathan.

The only plausible solution that crosses my mind at the moment is writing a script/program and hard code the encryption yourself in it (obviously in a way in which it is not retrievable from the output) and compile it. That way you've just "locked the door which has no key", even though there might be some techniques to analyze it and break to the source-code it's the safest way I can come up with meeting your problem specification. Hope it helps!

LW

08-08-2007	#15 (permalink)
thusi02 Just Joined! Join Date: Jul 2006 Posts: 6	Hi bigtomrodney, Thank you for that suggestion on the restrictive sudoers file. I am taking that approach and have restricted the users from shells, and su. I would ideally like each user to have a script of their own in the home directories and chmod the directory to 700 for them. However with ubuntu does anyone know how to restrict sudo from accessing home directories of other users? Also from preventing sudo from chowning and chmoding the home directories only? Thank you Regards, Nathan.

Are you a Linux Guru who is willing to share your in-depth Linux knowledge? Try our new Article submission system.