not even root can read?

Posted on 2003-11-16
Last Modified: 2010-05-18
I've got an annoying and super-paranoid user...  grr... but he pays well enough.

Right now, when this user logs in, he's chroot-ed into /home/MrPissMeOff/ which has a bunch of directories such as /bin /lib /home etc.  He's locked in this jail and can't get out... fine.

What he's worried about is that I as root can get in.  Is it possible to set his /home/ (so actually /home/MrPissMeOff/home/) to a permission in such a way that not even root can read his files?  So that ONLY the owner can view them?

I thought I read somewhere that this was possible... but to take it further, can I still delete his files and account if need-be?

I'll raise the points if this gets complicated.
Question by:s_mack
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
LVL 40

Expert Comment

ID: 9763479
No, that's not possible on Linux or Unix. The root user can always readwrite/delete anything on the system.

Author Comment

ID: 9764418
there must be SOME way to guarantee the privacy of my users.  I guess I thought of one clumbsy method... have them encrypt their data.

Any other ideas anyone?
LVL 40

Expert Comment

ID: 9764821
The only way a system user can prevent root (or administrator on windows) from reading a file is to encrypt its contents. Of course, that doen't prevent root from deleting the file. A user must be able to trust the sysadmin of what ever system they are using. If they don't feel that they can trust the sysadmin they need to be running their own system where they own the root account.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 22

Expert Comment

ID: 9860613
Unfortunately, the user doesn't want to spend his time encrypting/decrypting the contents of his files. I would have thought that it is better to mount an encrypted filesystem. The best way to do this is to mount the encrypted filesystem as part of the login (.bashprofile) or other script depending on the setup, whereby the decryption key is provided by the user during this process:

The problem then is that the root user may access the files whilst they are mounted.

Therefore, I am wondering whether it is possible to create some form of 'agent' associated with the particular login, that would extract / replace files on the filesystem in the same way as the ssh agent works for ssh.

Any further suggestions on this approach?
LVL 22

Accepted Solution

pjedmond earned 20 total points
ID: 9860826
OK - here's the solution:

I knew that I'd seen something similar somewhere. As to how easy it is to implement, I don't know, not having ever tried, but it provids per user encryption. You also need the Encypting seesion manager (similar to the ssh agent in concept) to provide the 'on the fly' encryption/decryption.

Obviously as root, you can delete the containing files that hold the encrypted file systems, but you do not have direct access to the files themselves.

Anyone else seen this type of software anywhere else - I know that I've seen it elsewhere before, but cannot find the other instance:(


Author Comment

ID: 9861004
I'll further suggest the following site:

which looks like it is an effort at an improvement over the CFS you mention... check it out if you are interested.

However, it won't work with my particular setup.  My whole system depends heavily on rsync's ability to efficiently transfer only the portions of files that have changed.  Since encrypted data is statistically indistiguishable from compressed data, rsync finds no patterns for reconstruction and therefore cannot transfer the files in an efficient manner.  This would positively kill my bandwidth.  So if this is the only secure solution, then I'm afraid cost has to come before security.

If they are encrypting only select files, then I guess it wouldn't be so bad... but to have the entire filessytem encrypted is not viable in my case.

But it was a thoughtfull answer, and provided me with an interesting read - so points to you.  Thanks.

Expert Comment

ID: 9945272
What your client wants can be configured with Security Enhanced Linux which provides a more granular security model than the Unix/PAM that Linux suports. You can even give away your root password, but the real boss of the system is this patched kernel called SE-Linux.

It's aUS government project to provide open source solutions for the US government. See details at: and the theory at:

Security-enhanced Linux incorporates a strong, flexible mandatory access control architecture into Linux. It provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. This allows threats of tampering
and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. Using the system's type enforcement and role-based access control abstractions, it is possible to configure the system to meet a wide range of security needs.

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (, affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below.…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question