Second root account

0

I'm new to Linux, so I'm sorry if my problem is a bit confusing.

I'd like to do the following:

  • create a second root account

  • write the file by using this account

  • the first root account shouldn't be able to edit this file (and no other accounts either).

Is it possible?

evfwcqcg

Posted 2012-03-16T15:33:55.350

Reputation: 329

This is the "I'm an omnipotent being who would like to create a rock I cannot lift" problem... best you can do is encrypt the file, which prevents it being read or altered but does not prevent it being corrupted or deleted. – pjc50 – 2012-03-16T15:54:05.857

Does SE Linux support two-person control? That is, sys admin (root) actions don't take effect until approved by the security admin? – mpez0 – 2012-03-16T16:47:40.933

Answers

10

Effectively speaking, no, you cannot do this. You can effect this using sudo, but ultimately if you have the power of uid=0, you can do anything you want.

keltor

Posted 2012-03-16T15:33:55.350

Reputation: 226

11

What you actually want is to have two users with equal privileges. Neither of them is root.

Der Hochstapler

Posted 2012-03-16T15:33:55.350

Reputation: 77 228

2

The purpose of the root account is to be able to do everything. It must be used only by the system administrator, and only when necessary.

Every user (even the administrator) should use a regular account.

So who is the system administrator? The one who will use the first account or the second?

It's not possible to create a second root account.

The concept of a root account is to be unique and able to do everything.

Nettogrof

Posted 2012-03-16T15:33:55.350

Reputation: 356

1

As previously stated, root is root. What you may want is an encrypted file(s). Here is a wrapper using bcrypt:

#!/bin/bash
# Needs bash: the ${VAR:0:32} substring expansion below is not POSIX sh.
# Usage: wrapper FILE      encrypts FILE to FILE.bfe
#        wrapper FILE.bfe  decrypts it again
[ "${1##*.}" = "bfe" ] && BASENAME=${1%.bfe} || BASENAME=${1}
BASENAME=${BASENAME##*/}               # strip any directory part, keep the file name only
MD5=`echo "$USER:$BASENAME"|md5sum`   # "passphrase" = md5 of "user:basename" (echo adds a newline)
echo "${MD5:0:32}
${MD5:0:32}" |bcrypt "$1"             # feed the hex digest to bcrypt's key prompt (asked twice when encrypting)

This one allows users to encrypt their own files, but only uses an md5sum of the user name and file's basename for the "salt".

If you wanted to get really paranoid you could use some pseudo-steganography with bcrypt's -o option and >> some-large.jpg (I wrote a partial example here: ... just as proof of concept)

Another way to do this would be to embed the file in a c program so that it only spits out the data if getenv(USER) matches your admin account name

Of course, none of this will prevent root from moving, renaming, deleting... only from editing in a useful way.

technosaurus

Posted 2012-03-16T15:33:55.350

Reputation: 996
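To make the answer's own caveat about the "salt" concrete, here is an added example (not the answerer's code) that reproduces the wrapper's passphrase derivation in Python and sets it beside a derivation from a passphrase the user actually keeps secret; the user and file names are constructed sample values.

```python
import hashlib
import os
import secrets


def wrapper_passphrase(user: str, path: str) -> str:
    """Reproduce the passphrase the bcrypt wrapper above feeds to bcrypt.

    It strips a trailing ".bfe", takes the basename, and pipes
    "$USER:$BASENAME" through md5sum. `echo` appends a newline, so the
    newline is part of the hashed string; the first 32 characters of
    md5sum's output are the hex digest. Everything here is public on
    the box, so root (or anyone) can recompute it.
    """
    base = path[: -len(".bfe")] if path.endswith(".bfe") else path
    base = os.path.basename(base)
    digest = hashlib.md5(f"{user}:{base}\n".encode()).hexdigest()
    return digest[:32]


def new_salt() -> bytes:
    """Random per-file salt, stored next to the ciphertext (it is not secret)."""
    return secrets.token_bytes(16)


def derive_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Derive a 32-byte key from a passphrase the user keeps in their head.

    PBKDF2-HMAC-SHA256 with a random salt: the key now depends on a secret
    that is never written to the machine, which is the only kind of secret
    root cannot simply read back from disk.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)
```

The first function shows why the wrapper only hides the file from a casual `cat`; the second is the shape a passphrase-based variant would need before "root cannot read it" becomes true.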

0

I believe what you're asking for is role based access control or RBAC. It's been a standard part of Windows and Solaris for quite some time. For the Linux world, you need to look at using SELinux. I think it's a bit too involved for a post here, but you should be able to find a tutorial by googling "SELinux RBAC"

JOTN

Posted 2012-03-16T15:33:55.350

Reputation: 531