Score:0

Restricting folder interaction of a user with root privileges


Oftentimes when creating an Ubuntu Linux image, rather than giving an administrator root access, a new user is created with root privileges. Let's call this new user "root_2".

# adduser root_2
 Adding user `root_2' ...
 Adding new group `root_2' (1002) ...
 Adding new user `root_2' (1002) with group `root_2' ...
 Creating home directory `/home/root_2' ...
 Copying files from `/etc/skel' ...
 Enter new UNIX password:
 Retype new UNIX password:
 passwd: password updated successfully

# usermod -aG sudo root_2

# su - root_2

# grep '^sudo' /etc/group

Above code - see reference:

https://www.liquidweb.com/kb/how-to-add-a-user-and-grant-root-privileges-on-ubuntu-16-04/

Now suppose you want to exclude interaction of a particular folder, meaning root_2 cannot read, write, execute or view anything with that folder. Because root_2 has so many privileges, I'm sure there are back door ways to get access to that folder, even if you restrict folder access. Perhaps seeing indexes that exist of the file system. Or macros that root would normally have by default.

This seems like a simple question, but is there a way to truly protect the contents of a folder from user root_2? If so, please be exhaustive as you can for Ubuntu 21.04.

MacGyver
Every distribution of Linux has development that is standard across all Linux distributions and some specific. If I ask broadly, for Linux, or even all Ubuntu versions, there will be too many answers.
MacGyver
This is specific to Ubuntu. If I ask for all Linux distributions, I can do so, but I'll need to be more specific. Maybe I will, but I'd like to ask here first. My image is Ubuntu, so I'm trying to understand what is there.
Please add the Ubuntu version this is specific to in your question.
MacGyver
There you go @user68186
muru
If you give the `root_2` user unrestricted sudo access, then whatever another user could do (aside from removing `root_2`'s `sudo` access), `root_2` could undo. You could encrypt the directory, but even that only works until you need to decrypt it (at which point some background script or something like that set up by `root_2` could get at the unencrypted contents). The best way is to not give unlimited `sudo` access in the first place.
21.04 has reached the end of life, and is off topic here.
MacGyver
What is the current stable version of Ubuntu now?
@MacGyver that would be 22.04 as LTS and 22.10 as not LTS. 23.04 is about to arrive.
MacGyver
That was a typo on my part
Score:5

> Now suppose you want to exclude interaction of a particular folder, meaning root_2 cannot read, write, execute or view anything with that folder.

Impossible if the files are on that system. And you forgot delete :) You can use methods to make it difficult but it will never be impossible.

> This seems like a simple question, but is there a way to truly protect the contents of a folder from user root_2?

An admin user (we do not use root) can always undo anything another admin did. Not even encryption can prevent that. All that the user needs to do is catch the encryption key and that can be done by installing a key press catch program (there is one in the repositories).

You can have a special case user that can do more than a normal user but that is not an admin.

> a new user is created with root privileges

"root" means owning the system.

If you do not want another admin to do anything with a file or directory do not store it on that system. And do not connect it to that system if you store it on an external medium.

MacGyver
Thank you! You took the easy way out of this one, you little stinker!
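
Added example, not part of the thread: both the comment and the answer above turn on whether an account has unrestricted sudo, so this shell function audits group-file and sudoers-file text for exactly that condition. The function name, the `ubuntu` and `deploy` accounts and the sample rules are constructed for illustration; the parser assumes one rule per line with no aliases or include files.

```shell
# Added example: list accounts holding unrestricted sudo (constructed data below).
# Assumptions: one rule per line, no sudoers aliases or includes; only the
# supplementary members listed in the group file are expanded.

# unrestricted_sudo_users GROUP_FILE SUDOERS_FILE -> sorted user names
unrestricted_sudo_users() {
    awk -F: '
        # First file (group format): remember each group member list.
        FNR == NR { members[$1] = $4; next }
        # Second file (sudoers format): skip blanks, comments/includes, Defaults.
        /^[ \t]*$/ || /^[ \t]*[#@]/ || /^[ \t]*Defaults/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            who = line; sub(/[ \t].*/, "", who)      # user or %group list
            cmds = substr(line, eq + 1)
            gsub(/\([^)]*\)/, "", cmds)              # drop (runas) specs
            gsub(/[A-Z_]+:/, "", cmds)               # drop tags such as NOPASSWD:
            gsub(/[ \t]/, "", cmds)
            hit = 0
            n = split(cmds, c, ",")
            for (i = 1; i <= n; i++) if (c[i] == "ALL") hit = 1
            if (!hit) next                           # limited to named commands
            n = split(who, w, ",")
            for (i = 1; i <= n; i++) {
                if (substr(w[i], 1, 1) != "%") { print w[i]; continue }
                m = split(members[substr(w[i], 2)], u, ",")
                for (j = 1; j <= m; j++) print u[j]
            }
        }
    ' "$1" "$2" | LC_ALL=C sort -u
}

# Constructed sample: root_2 is in the sudo group, deploy has one command only.
sample_audit() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'sudo:x:27:ubuntu,root_2' > "$tmp/group"
    printf '%s\n' '# constructed sample' 'Defaults env_reset' \
        'root ALL=(ALL:ALL) ALL' '%sudo ALL=(ALL:ALL) ALL' \
        'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx' \
        > "$tmp/sudoers"
    unrestricted_sudo_users "$tmp/group" "$tmp/sudoers"
    rm -rf "$tmp"
}

sample_audit
```

On a real host the inputs would be `/etc/group` and the sudoers file (readable only by root); `sudo -l -U <user>` remains the authoritative check because it resolves aliases and included files.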