[211] in The Cryptographic File System users list
Re: using cfs with /home
daemon@ATHENA.MIT.EDU (Ravikant K. Rao)
Tue Oct 17 13:34:06 2000
From owner-cfs-users@crypto.com Tue Oct 17 17:34:06 2000
Return-Path: <owner-cfs-users@crypto.com>
Delivered-To: cfs-mtg@CHARON.MIT.EDU
Received: (qmail 8689 invoked from network); 17 Oct 2000 17:34:04 -0000
Received: from mx.crypto.com (207.140.168.138)
by charon.mit.edu with SMTP; 17 Oct 2000 17:34:04 -0000
Received: (from majordomo@localhost)
by MultiHostMXServer (8.9.3/8.9.x4) id NAA22432
for cfs-users-list; Tue, 17 Oct 2000 13:30:04 -0400 (EDT)
X-Authentication-Warning: mx.crypto.com: majordomo set sender to owner-cfs-users@crypto.com using -f
Received: from nsa.research.att.com (H-135-207-24-155.research.att.com [135.207.24.155])
by MultiHostMXServer (8.9.3/8.9.x4) with ESMTP id NAA32223
for <cfs-users@crypto.com>; Tue, 17 Oct 2000 13:30:02 -0400 (EDT)
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.30.102]) by nsa.research.att.com (8.7.3/8.7.3) with ESMTP id NAA10158 for <cfs-users@nsa.research.att.com>; Tue, 17 Oct 2000 13:30:00 -0400 (EDT)
Received: by mail-blue.research.att.com (Postfix)
id C773D4CE6E; Tue, 17 Oct 2000 13:30:01 -0400 (EDT)
Delivered-To: cfs-users@research.att.com
Received: from rockford.dyndns.org (unknown [203.197.135.71])
by mail-blue.research.att.com (Postfix) with ESMTP id BDFED4CE31
for <cfs-users@research.att.com>; Tue, 17 Oct 2000 13:29:58 -0400 (EDT)
Received: from ravi by Ravi's mail server; Tue, 17 Oct 2000 23:00:16 +0530
From: "Ravikant K. Rao" <ravi@symonds.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14828.35995.442152.281808@rockford.dyndns.org>
Date: Tue, 17 Oct 2000 23:00:03 +0530 (IST)
To: Valdis.Kletnieks@vt.edu
Cc: cfs-users@research.att.com
Subject: Re: using cfs with /home
In-Reply-To: <200010171341.e9HDfYn34114@black-ice.cc.vt.edu>
References: <20001016061907.B23833@symonds.net>
<200010161359.e9GDxkV25592@black-ice.cc.vt.edu>
<20001016211406.A32299@symonds.net>
<200010171341.e9HDfYn34114@black-ice.cc.vt.edu>
X-Mailer: VM 6.72 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Sender: owner-cfs-users@crypto.com
Precedence: bulk
Hello,
>>>>> "Valdis" == Valdis Kletnieks <Valdis.Kletnieks@vt.edu> writes:
Valdis> On Mon, 16 Oct 2000 21:14:06 PDT, "Ravikant K.Rao" said:
>> Oh - My whole original idea of encrypting /home and /home/$USER
>> was for a multiuser setup, so that no one user can peek into
>> another user's setup
Valdis> chmod 700 $HOME
Valdis> If file permissions aren't stopping user A and B from
Valdis> getting into each other's stuff, you have BIGGER problems.
Again, thanks for your comments - I have more to add.
I was looking at a very non-conventional level of System
Logging, on possibly Debian Linux or OpenBSD as base O/S, with very
many tweaks and configuration modifications, where in, the logging
will not even go to /var/log but instead, possibly to /home/log ,
which is encrypted using CFS such that even root has no access to it -
the idea is that if the machine gets compromised, even with a root
shell access to the intruder, he will not have access to the logs,
which would ascertain that the local sysop would atleast *know* that
his machine got compromised - Now this is tricky because I would have
to get the system syslog to auto cattach and write logs and cdetach
and suchlike and well, at any rate, whichever users are on the
machine, are going to be alienated from each other via modes for their
directories apart from cfs itself. (so much so, that even root does
not have access permissions over those directories)
I understand that this would involve a bit of coding
(unless something like this already exists) and well, "You couldn't
run a compile of foo.c which would set system loads soaring, what with
syslog already doing major encryption" ... but again, these would be
my needs for a gateway machine with hardly any users on it, and hardly
anything happening on it, apart from it being on the network.
Thanks much for your time and comments,
-ravi
