The Linux application under consideration is one that will be used by multiple employees of a company, and which, in order to carry out some of its functions, must be able to access a secret passphrase1 that most regular users of the applications are not authorized to see.
One possibility that comes to mind is to create a special Unix user foo
(for example), with minimal privileges, make foo
the owner of both the application's executable and the passphrase file, set the permissions of the passphrase file to 0400 (i.e. accessible only to foo
, and only for reading), and then set the setuid bit of the application's executable. In this way, whenever the application runs, it would run as foo
, and therefore would have read-access to the passphrase file, but this file would still remain inaccessible to any other unprivileged user.
This scheme is only as strong as the security of a standard Unix filesystem. In particular, anyone with root privileges can access the passphrase file directly.
Now, setuid applications are notoriously difficult to implement properly.
Therefore, I would like to know of other architectures for achieving the same goal, and that may be easier to implement.
(NB: even though I have tagged this question with [unix] and [linux], I am not looking for strategies that depend on Linux/Unix-specific features, like the setuid feature described above. All I require of a candidate architecture is that it be easily implementable under Linux.)
1 In case it matters, this passphrase is to be used for symmetric cryptography.