[CLUE-Tech] Sys Admin security and user directory security

Kevin Cullis kevincu at orci.com
Mon Dec 17 22:09:47 MST 2001


Tim,

That's what I figured.  I guess the only way of ensuring that "financial
data" (or any other data that needs to be hidden from prying eyes) has
restricted access is having a program secure it if it's proprietary,
i.e. using an Oracle DB or something. The issue is not about trusting
the sysadmin, but a need-to-know sort of thing.

Would Zope or another type of application/program provide something like
this? Or would root still have access?

Thanks for the help.

Kevin

"Timothy C. Klein" wrote:
> 
> Kevin,
> 
> Hmm, this sounds like something of an intractable problem for the
> average *nix system.  The sysadmin will need root, and root can read
> anything on the hard drive.  Don't know any simple way around that.
> With some *very* crafty use of groups, the admin could be given all the
> privileges needed to update the system, without being root, *maybe*.
> Perhaps some kind of ACL (access control list) stuff would be the best,
> as provided by SELinux from the NSA or Trustix or something?  I have
> never tried it either, but I bet it can be done with those types of
> distros more naturally.
> 
> Tim
> 
> * Kevin Cullis (kevincu at orci.com) wrote:
> > OK folks,
> >
> > I've got a question that I have not been able to answer: How can you
> > provide system security and directory security at the same time with
> > different people?  For example, I'd like to let the sysadmin handle all
> > of the upgrades, updates, etc for the computer security but NOT allow
> > the sysadmin to view the financials in /home/kevin directory. I'm
> > assuming this is possible, but how does one go about it?
> 
> --
> ==============================================
> == Timothy Klein || teece at silverklein.net   ==
> == ---------------------------------------- ==
> == "Hello, World" 17 Errors, 31 Warnings... ==
> ==============================================
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech

-- 

"Success is never final, failure is never fatal" - Kevin Cullis
---
Kevin Cullis
kcullis at coloradoexcellence.org
303-893-CPEX (2739)
Colorado Performance Excellence, Inc
http://www.coloradoexcellence.org


