HPE Community
Operating System - HP-UX
1826480 Members
4236 Online
109692 Solutions
New Discussion

Directory encryption

 
Daniel Fourie
Frequent Advisor

‎07-24-2003 03:11 AM

‎07-24-2003 03:11 AM

Directory encryption

I would like to know if it is possible to setup encryption for a directory where files are stored. Meaning I would like this directory be protected by a key or password.

Any help will be thankfull
Knowlage is Power
0 Kudos
Reply
9 REPLIES 9
Bill Hassell
Honored Contributor

‎07-24-2003 03:24 AM

‎07-24-2003 03:24 AM

Re: Directory encryption

There is nothing in standard HP-UX that can do this. The problem is that there are MANY different ways to access a directory and every command and library that deals with files would have to be changed. And of course, scripted solutions (and cron jobs) would have big problems running without user intervention.

The problem you describe is easily solved by changing the permissions to 700 for the directory and make it owned by the user that has the right to look at it. All other users will see: dir_name unreadable. If you need more than one user to look at the directory, use ACL's (man acl).


Bill Hassell, sysadmin
0 Kudos
Reply
Daniel Fourie
Frequent Advisor

‎07-24-2003 03:33 AM

‎07-24-2003 03:33 AM

Re: Directory encryption

That sounds great, but how do I block root from accessing this directory.
Knowlage is Power
0 Kudos
Reply
Rainer von Bongartz
Honored Contributor

‎07-24-2003 04:21 AM

‎07-24-2003 04:21 AM

Re: Directory encryption

That's exactly the problem......

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎07-24-2003 04:23 AM

‎07-24-2003 04:23 AM

Re: Directory encryption

This matter is handled on HP-UX boxes by systems administrators that take the time to plan out group and user permissions, set umasks and if necessary use JFS ACL's

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Massimo Bianchi
Honored Contributor

‎07-24-2003 04:29 AM

‎07-24-2003 04:29 AM

Re: Directory encryption

root can do anything... but no-one, except administrators, should have a root account.

Massimo
0 Kudos
Reply
Tim D Fulford
Honored Contributor

‎07-24-2003 04:41 AM

‎07-24-2003 04:41 AM

Re: Directory encryption

Some people/companies think a 3rd party (usually security) should have root password & only allow sys-admins to use it upon request!!

e.g. No one uses root

Tim
-
0 Kudos
Reply
Jason Deckard
Occasional Advisor

‎07-24-2003 05:37 AM

‎07-24-2003 05:37 AM

Re: Directory encryption

Encrypting the directory entry itself would be difficult and, I believe, ineffective.

Using open() to access the directory entry will return an error (EISDIR). If you had a way to read the directory information into memory, encrypt it, and write it back to disk, the OS would probably complain (or worse). Even if you could encrypt the directory entry AND it didn't cause problems with the OS, you are merely encrypting the directory entry itself and not the files within the directory (it may be difficult for someone to access the files in that directory, but the files would still be in plain text).

Perhaps it would be better to create a utility that encrypted every file in the directory, while leaving the directory entry itself alone. Is that the answer you were looking for or am I taking the question a bit too literally?
[Insert humorous and/or inspirational quote here]
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎07-24-2003 10:31 AM

‎07-24-2003 10:31 AM

Re: Directory encryption

Hi,

To add on, one pretty effective way of hiding directories from view and be only accessible with a proper login is via a chroot cage.

A chroot cage creates a virtual root where the user has access to but no other directories beyond that. One classic example is anonymous FTP. It is a chroot cage with a virtual / directory. Any anonymous user will not have access to your actual real / and beyond. Only legitimate users with proper userids and passwords can access your real / directories and subdirectories, given the right permissions of course.

Note that using rsh (restricted shell) does not prevent users from accessing the real /.

Hope this helps. Regards.

Steven Sim Kok Leong
0 Kudos
Reply
Steven Sim Kok Leong
Honored Contributor

‎07-24-2003 10:38 AM

‎07-24-2003 10:38 AM

Re: Directory encryption

Hi,

You can block root access by making use of tools such as Platinum AutoSecure or equivalent tools. They allow you to limit what root can do.

Only a different security administrator that manages the AutoSecure configuration can assign privileges to root but the security administrator himself cannot create a superuser account for himself.

Here's more details on AutoSecure from a pretty old article. I last heard it has been bought over by Computer Associates but I can't remember the exact new name. I believe it is part of CA eTrust Suite.

http://www.industrywriter.com/Platinum_samples/Autosecure%20article.htm

An extract on the relevant:

Limiting the power of root ??? A well known feature of UNIX is its use of Root ??? or Superuser ??? authority to provide an administrator with access to sensitive system files and resources. Unfortunately, and all too often, users who have no business performing system administrative tasks are able to indirectly establish root authority and gain access to restricted files. AutoSecure copes with this vulnerability by totally encapsulating Root, instead of simply trying to hide it or work around it. The result is that a user or object with Root authority is required to pass the same authorization checking as a regular user and cannot gain superuser access to system resources unless AutoSecure authorizes it. And regular users cannot change their login ids in order to assume the id of someone with Root user authorization.

Hope this helps. Regards.

Steven Sim Kok Leong
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.