- 08-07-2007 #11
Originally Posted by kakariko81280
I don't want to be pessimistic, but I don't think there is a way to achieve exactly what you are after.
Agreed.
Originally Posted by bigtomrodney
...
What you're trying to do here is tricky as hell. You have lots of full-on sudoers on the box? So you're trying to hide from lots of folks with root access. That will not work without lots of help from your friendly SELinux administrator.
Given the hairy scenario that you describe, I'd say you are actually going to want to run the script from a different box. Something is wrong with the whole picture.
- 08-07-2007 #12 Linux Guru
- Join Date: Nov 2004
- Posts: 6,110
At the risk of sounding cruel, this is poorly implemented security. Actually, this is nonexistent security. With root permission a user can become any other user. Encryption is not the answer and, as I mentioned already, there is a definite need to reel in the permissions to an absolute necessity. You may find a workaround to allow you to proceed in the direction you are going, but remember it will only be that - a workaround. I would strongly rethink the security policy going forward.
- 08-08-2007 #13 Linux Enthusiast
- Join Date: Jul 2005
- Location: Maryland
- Posts: 522
How about storing that file on another server where users don't have sudo permissions? And then let them (or script, or whatever) access the file remotely but only with certain permissions (controlled by the server where the file is).
- 08-08-2007 #14
The only plausible solution that crosses my mind at the moment is writing a script/program, hard-coding the encryption yourself in it (obviously in a way in which it is not retrievable from the output), and compiling it. That way you've just "locked the door which has no key". Even though there might be some techniques to analyze it and break to the source code, it's the safest way I can come up with meeting your problem specification. Hope it helps!
LW
- 08-08-2007 #15 Just Joined!
- Join Date: Jul 2006
- Posts: 6
Hi bigtomrodney,
Thank you for that suggestion on the restrictive sudoers file. I am taking that approach and have restricted the users from shells and su. I would ideally like each user to have a script of their own in the home directories and chmod the directory to 700 for them. However, with Ubuntu, does anyone know how to restrict sudo from accessing home directories of other users? Also from preventing sudo from chowning and chmoding the home directories only?
Thank you
Regards,
Nathan.
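
Added example (not part of the thread and not any poster's code): a small audit of sudoers user specifications for the grants discussed above, namely unrestricted ALL, shells, su, and chown/chmod. The sample entries and the RISKY list are constructed assumptions, and aliases, line continuations and escaped commas are not handled.

```python
import re

# Commands that let a sudo user take over other accounts' files or identity
# (assumed list for this example; extend it for the box being audited).
RISKY = {"su", "bash", "sh", "zsh", "dash", "chown", "chmod", "visudo", "passwd"}

# Constructed sample entries, not taken from the thread.
SAMPLE = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
alice ALL=(ALL) ALL
bob   ALL=(ALL) ALL, !/bin/su, !/bin/bash
carol ALL=(root) /usr/local/bin/backup.sh
dave  ALL=(root) NOPASSWD: /bin/chown, /sbin/reboot
"""

# user  host = (runas) command-list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def audit(text):
    """Return {user: [findings]} for the user specifications in sudoers text."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, spec = m.groups()
        findings = []
        for cmd in spec.split(","):
            # Drop tags such as NOPASSWD: before looking at the command.
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())
            negated = cmd.startswith("!")
            body = cmd.lstrip("! ")
            path = body.split()[0] if body else ""
            name = path.rsplit("/", 1)[-1]
            if negated:
                # sudoers(5) warns that subtracting commands from ALL is not effective.
                findings.append(f"deny-list entry !{path}: does not contain ALL")
            elif path == "ALL":
                findings.append("unrestricted ALL: can become any user")
            elif name in RISKY:
                findings.append(f"{path}: control over other users' files or identity")
        report[user] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(user, "->", findings or ["no findings"])
```

Only an allow-list entry like carol's comes back clean; any rule that keeps ALL, a shell, su, chown or chmod leaves a 700 home directory readable by that sudo user.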