not even root can read?

Posted on 2003-11-16
Last Modified: 2010-05-18
I've got an annoying and super-paranoid user...  grr... but he pays well enough.

Right now, when this user logs in, he's chroot-ed into /home/MrPissMeOff/ which has a bunch of directories such as /bin /lib /home etc.  He's locked in this jail and can't get out... fine.

What he's worried about is that I as root can get in.  Is it possible to set his /home/ (so actually /home/MrPissMeOff/home/) to a permission in such a way that not even root can read his files?  So that ONLY the owner can view them?

I thought I read somewhere that this was possible... but to take it further, can I still delete his files and account if need-be?

I'll raise the points if this gets complicated.
Question by:s_mack
LVL 40

Expert Comment

ID: 9763479
No, that's not possible on Linux or Unix. The root user can always read/write/delete anything on the system.

Author Comment

ID: 9764418
There must be SOME way to guarantee the privacy of my users.  I guess I thought of one clumsy method... have them encrypt their data.

Any other ideas anyone?
LVL 40

Expert Comment

ID: 9764821
The only way a system user can prevent root (or administrator on Windows) from reading a file is to encrypt its contents. Of course, that doesn't prevent root from deleting the file. A user must be able to trust the sysadmin of whatever system they are using. If they don't feel that they can trust the sysadmin they need to be running their own system where they own the root account.

LVL 22

Expert Comment

ID: 9860613
Unfortunately, the user doesn't want to spend his time encrypting/decrypting the contents of his files. I would have thought that it is better to mount an encrypted filesystem. The best way to do this is to mount the encrypted filesystem as part of the login (.bash_profile) or other script depending on the setup, whereby the decryption key is provided by the user during this process:

The problem then is that the root user may access the files whilst they are mounted.

Therefore, I am wondering whether it is possible to create some form of 'agent' associated with the particular login, that would extract / replace files on the filesystem in the same way as the ssh agent works for ssh.

Any further suggestions on this approach?
LVL 22

Accepted Solution

pjedmond earned 20 total points
ID: 9860826
OK - here's the solution:

I knew that I'd seen something similar somewhere. As to how easy it is to implement, I don't know, not having ever tried, but it provides per user encryption. You also need the Encrypting session manager (similar to the ssh agent in concept) to provide the 'on the fly' encryption/decryption.

Obviously as root, you can delete the containing files that hold the encrypted file systems, but you do not have direct access to the files themselves.

Anyone else seen this type of software anywhere else - I know that I've seen it elsewhere before, but cannot find the other instance:(


Author Comment

ID: 9861004
I'll further suggest the following site:

which looks like it is an effort at an improvement over the CFS you mention... check it out if you are interested.

However, it won't work with my particular setup.  My whole system depends heavily on rsync's ability to efficiently transfer only the portions of files that have changed.  Since encrypted data is statistically indistinguishable from compressed data, rsync finds no patterns for reconstruction and therefore cannot transfer the files in an efficient manner.  This would positively kill my bandwidth.  So if this is the only secure solution, then I'm afraid cost has to come before security.

If they are encrypting only select files, then I guess it wouldn't be so bad... but to have the entire filesystem encrypted is not viable in my case.

But it was a thoughtful answer, and provided me with an interesting read - so points to you.  Thanks.
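
The rsync concern raised in the comment above, shown as an added example that is not part of the original thread: a simplified block-matching pass (a stand-in for rsync's delta algorithm, hashing at every offset instead of using a rolling checksum) run over a constructed file before and after a small insertion, first in plaintext and then encrypted under a fresh nonce. The block size, the sample records, the key and the toy SHA-256 counter-mode cipher are all assumptions made for the demonstration; the cipher is not a recommendation for protecting real data.

```python
import hashlib

BLOCK = 512  # assumed block size for the demonstration


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher; stands in for a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def reusable_fraction(old: bytes, new: bytes, block: int = BLOCK) -> float:
    """Share of `new` that can be rebuilt from blocks the receiver already holds."""
    # Receiver side: hash every aligned block of the old copy.
    known = {hashlib.sha256(old[i:i + block]).digest()
             for i in range(0, len(old) - block + 1, block)}
    matched = pos = 0
    # Sender side: slide over the new copy, skipping a whole block on a match.
    while pos + block <= len(new):
        if hashlib.sha256(new[pos:pos + block]).digest() in known:
            matched += block
            pos += block
        else:
            pos += 1
    return matched / len(new)


def demo():
    # Constructed sample: 1000 unique records, then 14 bytes inserted near the start.
    old = b"".join(b"record %06d value=%d\n" % (i, i * 7) for i in range(1000))
    new = old[:100] + b"INSERTED LINE\n" + old[100:]
    key = b"constructed-demo-key"
    plain = reusable_fraction(old, new)
    # Each upload is encrypted under its own nonce, as a sound scheme requires.
    enc = reusable_fraction(toy_encrypt(key, b"nonce-1", old),
                            toy_encrypt(key, b"nonce-2", new))
    return plain, enc


if __name__ == "__main__":
    plain, enc = demo()
    print(f"plaintext: {plain:.1%} reusable, encrypted: {enc:.1%} reusable")
```

In plaintext nearly every block after the insertion is found again at a shifted offset; once the two versions are encrypted, no block of the old ciphertext reappears and the whole file has to be sent.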

Expert Comment

ID: 9945272
What your client wants can be configured with Security Enhanced Linux which provides a more granular security model than the Unix/PAM that Linux supports. You can even give away your root password, but the real boss of the system is this patched kernel called SE-Linux.

It's a US government project to provide open source solutions for the US government. See details at: and the theory at:

Security-enhanced Linux incorporates a strong, flexible mandatory access control architecture into Linux. It provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. This allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. Using the system's type enforcement and role-based access control abstractions, it is possible to configure the system to meet a wide range of security needs.
