On Sun, Jul 03, 2005 at 07:16:57PM +1200, Dominik Margraf wrote:
> Therefore is there any way to encrypt all users' folders and make
> the computer set this up by default when a new user is generated?
> So that even the root can't see the contents of the users' folders.

If you set up encryption so that you have to type a passphrase, someone, like an administrator (root), has to know the passphrase to get the filesystems unencrypted, and then you have some kind of working key in memory for an attacker. If you don't even have to have a pass-phrase, there's an unencrypted key being stored on disk, which is next to worthless.

The short version is that you must trust the root user, period, and people looking to store sensitive information would do well to only ever handle that information in unencrypted form on a machine they've personally secured. That might not be realistic in many cases, but real security is a pain in the neck. As a half-measure, they can encrypt it on a machine with an administrator they trust, but they still can't overwrite the sectors the file occupied, so unencrypted bits may be left on-disk not allocated in files.

You have to find a trustworthy root user. After that, you have to secure your machine, run no unnecessary services, make sure the users have good passwords, etc. to help make sure that no untrusted user (an attacker) can become root. After you take care of the basics like that, you can look into putting the partition that holds the home directories in some kind of encrypted loopback filesystem. But if you don't cover the basics first, you're just giving yourself a false sense of security.

This isn't really a flaw in UNIX systems. The truth is that anyone with physical access to a machine is as much root as they care to take the trouble to be.

I can't really find anything in the useradd command to change the default permissions on new home directories. Run the useradd command without -m to create the home directory so you have to create it manually, so that you will not forget to run chmod 700 /home/newuser.

--
Adam Fabian <[EMAIL PROTECTED]>
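
The manual home-directory step from the last paragraph of the reply, as an added example that is not part of the original message: it creates the directory with mode 700 in one step and goes beyond the message by auditing existing homes for group/other access. The function names and the single base directory are assumptions made for the illustration, and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GNU or BusyBox
# stat (-c '%a') and that home directories sit directly under one base
# directory (default /home). Function names are hypothetical.

# Create a home directory that is private from the moment it exists.
# mkdir -m 700 avoids the window between a plain mkdir and a later chmod.
create_private_home() {
    base=$1 user=$2
    mkdir -m 700 "$base/$user" || return 1
    # Hand it to the user only when running as root and the account exists.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown "$user" "$base/$user"
    fi
}

# Print "MODE PATH" for every home that grants any group/other access.
loose_homes() {
    base=${1:-/home}
    for dir in "$base"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        mode=$(stat -c '%a' "$dir") || continue
        # 077 masks the group and other permission bits.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$dir"
        fi
    done
}

# Apply the chmod 700 from the message to every directory reported above.
tighten_homes() {
    loose_homes "$1" | while read -r mode dir; do
        chmod 700 "$dir" && printf 'fixed %s (was %s)\n' "$dir" "$mode"
    done
}
```

As the reply itself notes, mode 700 keeps other users out but does nothing against root.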