On Fri, Jul 27, 2001 at 03:08:12PM +0200, Ronan KERYELL wrote:
> >>>>> On 27 Jul 2001 12:43:03 +0200, Johannes Niess <[EMAIL PROTECTED]> said:
>     Johannes> Tom Strickland <[EMAIL PROTECTED]> writes:
>     >> Our system will be run largely without a competent Unix
>     >> administrator on-site. The secretary and one other individual will
>     >> be responsible for tape-changing, cleaning and amrecover for files
>     >> and directories deleted by users.  My question: Some of our files
>     >> are more confidential and I would like to hide these a little: the
>     >> director's files and the accounts. Is there any way to protect
>     >> these? It doesn't have to be high grade security, just security
>     >> through obscurity.
>     Johannes> What about sudo? The recovered files keep owner and
>     Johannes> permissions. Let the operators sudo to the (too powerful
>     Johannes> in this case) Amanda user just for amcheck, amrecover and
>     Johannes> what else you like. You'll see their actions in the
>     Johannes> syslog. The good thing: no password for the Amanda user has
>     Johannes> to be given away.
>     Johannes> We have set up just our tape changing that way.
> I'm not sure it is enough...
> The main issue is once your file system is on tape, everybody can look at
> them if it is unencrypted.
> What could be nice in amanda or at least at the dumper API level is to
> crypt the files with the public key of their owners.
> The recovery would require the secret private key of their owners...

True, but we don't need that level of security. It's an option for the
future, but not one that we're pursuing at the moment. I'd rather get
a basic system going than add complexity right now.

Tom
