Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Horst Pflugstaedt
On Sun, Feb 26, 2006 at 10:11:44PM +0100, Mario Ohnewald wrote:
 Hello security list!
 
 I would like to secure the harddrive/partitions of linux box.
 
 The whole setup must fulfill the following requirements:
 
 a) it must be able to boot (remotely) without userinput/passphrase
 b) the important partitions such as /etc, /var, /usr and /home must be
 encrypted/protected.

I just ask myself why you bother encrypting a filesystem that will be
accessible to anyone having access to the machine since it boots without
password?

 Is this even possible? Is there a way?

Is it something you'd really want? Encrypting a filesystem is a
protection against someone having physical access to the machine or the
harddrive. If the machine (the disk in another machine) boots without
password, you might as well _not_ encrypt it.

HIR (hope I'm right)
Horst

-- 
Real programmers don't bring brown-bag lunches.  If the vending machine
doesn't sell it, they don't eat it.  Vending machines don't sell quiche.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Jan Luehr
Hello,

On Sunday, 26 February 2006 22:11, Mario Ohnewald wrote:
 Hello security list!

 I would like to secure the harddrive/partitions of linux box.

 The whole setup must fulfill the following requirements:

 a) it must be able to boot (remotely) without userinput/passphrase
 b) the important partitions such as /etc, /var, /usr and /home must be
 encrypted/protected.

 Is this even possible? Is there a way?

Can you be more verbose please?
What information do you try to protect?
If you want to encrypt something, you need some kind of secret. This can 
either be generated randomly (pro: no input, cons: Information vanishes on 
reboot) or supplied elsewhere. Keyboard input, network, external media, etc.

Keep smiling
yanosz





Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Mario Ohnewald
Hi Horst

On Sun, 2006-02-26 at 22:23 +0100, Horst Pflugstaedt wrote:
 On Sun, Feb 26, 2006 at 10:11:44PM +0100, Mario Ohnewald wrote:
  Hello security list!
  
  I would like to secure the harddrive/partitions of linux box.
  
  The whole setup must fulfill the following requirements:
  
  a) it must be able to boot (remotely) without userinput/passphrase
  b) the important partitions such as /etc, /var, /usr and /home must be
  encrypted/protected.
 
 I just ask myself why you bother encrypting a filesystem that will be
 accessible to anyone having access to the machine since it boots without
 password?

It boots with grub and pam/unix password.

 
  Is this even possible? Is there a way?
 
 Is it something you'd really want? Encrypting a filesystem is a
 protection against someone having physical access to the machine or the
 harddrive. If the machine (the disk in another machine) boots without
 password, you might as well _not_ encrypt it.

That's the point.
In my case I cannot protect the linux box or lock it away 100%
securely.

I need to secure the box in some way without having a physical
protection.

Someone should be able to: Steal the whole server or hard drives, but
still not be able to read it.

Maybe we could narrow the actual problem down to where this scenario
actually fails or where the problems are?!

Maybe someone has some cool ideas, too.

Cheers, Mario





Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Florian Weimer
* Mario Ohnewald:

 The whole setup must fulfill the following requirements:

 a) it must be able to boot (remotely) without userinput/passphrase
 b) the important partitions such as /etc, /var, /usr and /home must be
 encrypted/protected.

Put the key on a USB stick, and load it from an initial ramdisk?
This works quite well, but I don't know if it matches your requirements.





Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Florian Weimer
* Horst Pflugstaedt:

 I just ask myself why you bother encrypting a filesystem that will be
 accessible to anyone having access to the machine since it boots without
 password?

You can return hard disks to the vendor for warranty claims even if
they still contain sensitive data.





Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Mario Ohnewald
On Sun, 2006-02-26 at 14:13 -0800, Stephan Wehner wrote:
 Who is going to be booting this machine??

It's a server. It is supposed to be online all the time.
Once turned on it will run till someone reboots it remotely or due to
power failure or something alike.

The whole scenario can be pictured like this:

Put your server in a corner of a street and secure it. In case someone
hits the reset button it needs to be able to boot automatically without
user input. 

In a nutshell: Secure it without physical security and user input.

I guess it can't be done?! :(
Not the usual way...

 Stephan
 Mario Ohnewald wrote:
  Hi Horst
 
  On Sun, 2006-02-26 at 22:23 +0100, Horst Pflugstaedt wrote:

  On Sun, Feb 26, 2006 at 10:11:44PM +0100, Mario Ohnewald wrote:
  
  Hello security list!
 
  I would like to secure the harddrive/partitions of linux box.
 
  The whole setup must fulfill the following requirements:
 
  a) it must be able to boot (remotely) without userinput/passphrase
  b) the important partitions such as /etc, /var, /usr and /home must be
  encrypted/protected.

  I just ask myself why you bother encrypting a filesystem that will be
  accessible to anyone having access to the machine since it boots without
  password?
  
  It boots with grub and pam/unix password.
 

  Is this even possible? Is there a way?

  Is it something you'd really want? Encrypting a filesystem is a
  protection against someone having physical access to the machine or the
  harddrive. If the machine (the disk in another machine) boots without
  password, you might as well _not_ encrypt it.
  
  That's the point.
  In my case I cannot protect the linux box or lock it away 100%
  securely.
 
  I need to secure the box in some way without having a physical
  protection.
 
  Someone should be able to: Steal the whole server or hard drives, but
  still not be able to read it.
 
  Maybe we could narrow the actual problem down to where this scenario
  actually fails or where the problems are?!
 
  Maybe someone has some cool ideas, too.
 
  Cheers, Mario
 
 

 
 





Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Lothar Ketterer

Hi Mario,

On Sun, 26 Feb 2006, Mario Ohnewald wrote:


a) it must be able to boot (remotely) without userinput/passphrase
b) the important partitions such as /etc, /var, /usr and /home must be
encrypted/protected.


I think the problem will be that you cannot put /etc outside of the root
partition. This means that you cannot boot normally and read the
secret from somewhere on the net.


Maybe someone has some cool ideas, too.


Just a thought without being able to exactly tell how to realize this:
boot from CD, read the key/passphrase via network, mount the (encrypted)
root partition and chroot to it?

Regards,
Lothar





Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Bernd Eckenfels
Horst Pflugstaedt [EMAIL PROTECTED] wrote:
 a) it must be able to boot (remotely) without userinput/passphrase

You can use nfs-root or initramdisk from a trusted machine. 

 b) the important partitions such as /etc, /var, /usr and /home must be
 encrypted/protected.
 
 I just ask myself why you bother encrypting a filesystem that will be
 accessible to anyone having access to the machine since it boots without
 password?

No password entry does not mean no password. A remote server for the password
can ensure that the machine can only boot on the right subnet and allows
easy erasing of all data by deleting the key on the server.

Regards
Bernd
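
The boot-time side of the key-server idea above, as an added sketch that is not part of the original message. It assumes a LUKS volume opened with cryptsetup and a key fetched with curl over TLS; the URL, CA file, device and mapping name are hypothetical placeholders, and the server-side policy (source subnet check, deleting the key to retire the disk) lives outside this script.

```shell
#!/bin/sh
# Added sketch (not from the thread): initramfs-side unlock of an encrypted
# root with a key held on a remote key server. Every value below is a
# hypothetical placeholder.
KEY_URL="${KEY_URL:-https://keyserver.example.internal/keys/host01}"
CA_FILE="${CA_FILE:-/etc/boot/keyserver-ca.pem}"   # pins the key server
ROOT_DEV="${ROOT_DEV:-/dev/sda2}"
MAP_NAME="${MAP_NAME:-cryptroot}"
KEY_TMP="${KEY_TMP:-/run}"                          # RAM-backed in an initramfs

# Print the key on stdout. --fail turns an HTTP error (for example a 404
# after the operator deleted the key) into a non-zero exit status.
fetch_key() {
    curl --fail --silent --show-error --max-time 20 \
         --cacert "$CA_FILE" "$KEY_URL"
}

# Fetch the key into RAM, hand it to cryptsetup, and always remove it.
# Returns non-zero (boot must stop) if the server refuses or sends nothing.
unlock_root() {
    keyfile="$KEY_TMP/rootkey.$$"
    if ! ( umask 077; fetch_key > "$keyfile" ) || [ ! -s "$keyfile" ]; then
        rm -f "$keyfile"
        echo "key server did not release a key; refusing to unlock" >&2
        return 1
    fi
    if cryptsetup --key-file "$keyfile" luksOpen "$ROOT_DEV" "$MAP_NAME"; then
        status=0
    else
        status=1
    fi
    rm -f "$keyfile"
    return "$status"
}
```

Call `unlock_root` from the initramfs boot script before the root filesystem is mounted, and stop the boot when it returns non-zero.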





Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Horst Pflugstaedt
On Sun, Feb 26, 2006 at 11:17:56PM +0100, Florian Weimer wrote:
 * Horst Pflugstaedt:
 
  I just ask myself why you bother encrypting a filesystem that will be
  accessible to anyone having access to the machine since it boots without
  password?
 
 You can return hard disks to the vendor for warranty claims even if
 they still contain sensitive data.

Even if the disk boots in another machine, thus revealing the sensitive
data? If there is no protection to the encryption, encrypting a
filesystem is just a useless waste of cpu-time.
As Jan pointed out: you need a secret for encryption.

g'night
Horst

 

-- 
No, no, I don't mind being called the smartest man in the world.  I just wish 
 it wasn't this one.
-- Adrian Veidt/Ozymandias, WATCHMEN 





Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Andreas Nanko, Continum

Hello,

I think this should be possible over a special rebuild of initrd image,
which runs before root partition is mounted.
But I don't think you'll find a real secure way to get the secret over
the net.


Regards,
Andreas


Lothar Ketterer wrote:

Hi Mario,

On Sun, 26 Feb 2006, Mario Ohnewald wrote:


a) it must be able to boot (remotely) without userinput/passphrase
b) the important partitions such as /etc, /var, /usr and /home must be
encrypted/protected.


I think the problem will be that you cannot put /etc outside of the root
partition. This means that you cannot boot normally and read the
secret from somewhere on the net.


Maybe someone has some cool ideas, too.


Just a thought without being able to exactly tell how to realize this:
boot from CD, read the key/passphrase via network, mount the (encrypted)
root partition and chroot to it?

Regards,
Lothar








securing /var/www or web content

2006-02-26 Thread Arnel Pastrana

Hi,

May I know what are the possibilities to secure the content of my www  
folder?


I want my local user to access because right now when login as an
ordinary user using ssh I can delete the content of my www folder.


What will I do? any idea?

Thank you,

Arnel Pastrana
[EMAIL PROTECTED]
 The key is not to prioritize your schedule but to prioritize your
priorities.  --- Stephen R Covey







Re: securing /var/www or web content

2006-02-26 Thread Olivier Papauré
You can try to create a user with useradd and the -d option.

From man useradd:

  The options which apply to the useradd command are:

  -d home_dir
     The new user will be created using home_dir as the value for the
     user's login directory. The default is to append the login name
     to default_home and use that as the login directory name.

--
Debian Addict site : http://www.debianaddict.org

2006/2/25, Arnel Pastrana [EMAIL PROTECTED]:

 Hi,

 May I know what are the possibilities to secure the content of my www
 folder?

 I want my local user to access because right now when login as an
 ordinary user using ssh I can delete the content of my www folder.

 What will I do? any idea?

 Thank you,

 Arnel Pastrana
 [EMAIL PROTECTED]
  The key is not to prioritize your schedule but to prioritize your
 priorities. --- Stephen R Covey


Re: securing /var/www or web content

2006-02-26 Thread Sels, Roger
Olivier,

How is that going to solve the problem?
His user doesn't have /var/www as a home ; the issue is /var/www is
world-readable/writeable/executable.

The files in your /var/www should strictly speaking only be accessible to
your webserver ; for apache usually www-data or apache or httpd accounts
should have rwx permissions.
Grep for these in /etc/passwd if unsure which one to use.

You could then set the permissions to xy0 for /var/www with chmod.
Test; if your site doesn't function adequately anymore, set the permissions
for other to r(4) only.
So for instance: chmod -R 770 www-data:www-data (www-data is the account
under which the apache daemon runs on Debian).

Check out: man chmod
man chgrp

Have fun

Roger

On Mon, February 27, 2006 1:44 am, Olivier Papauré said:
 You can try to create a user with useradd and the -d option.

From man useradd :

  The options which apply to the useradd command are:

  -d home_dir
     The new user will be created using home_dir as the value for the
     user's login directory.  The default is to append the login name
     to default_home and use that as the login directory name.




 --
 Debian Addict site : http://www.debianaddict.org


 2006/2/25, Arnel Pastrana [EMAIL PROTECTED]:

 Hi,

 May I know what are the possibilities to secure the content of my www
 folder?

 I want my local user to access because right now when login as an
 ordinary user using ssh i can delete the content of my www folder.

 What will I do? any idea?

 Thank you,

 Arnel Pastrana
 [EMAIL PROTECTED]
  The key is not to prioritize your shedule but to prioritize your
 priorities.  --- Stephen R Covey



 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact
 [EMAIL PROTECTED]





-- 
Life is 10 percent what you make it and 90 percent how you take it. -
Irving Berlin





Re: securing /var/www or web content

2006-02-26 Thread Daniel Givens
There is the option of POSIX access control lists. Deny remote login
for the users you want to have access to the webroot and add them to
the access control list. For remote users, deny access. Now, if you
want to have users log in remotely and not be able to access those
files, then the only solution I can see is to give each user two
logins, one for remote login with lesser permissions and local only
accounts with more permissions.

For more on access control lists, SUSE has a good overview here:

http://www.suse.de/~agruen/acl/linux-acls/online/

To see if your filesystem supports ACLs, you can grep ACL
/boot/config-kernel-version. On my system here running SID and
2.6.15-1-k7, these modules are enabled.

CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m

To enable ACLs, you just need to add the acl option in your fstab for
that partition.

Hope that helps!

Daniel


On 2/26/06, Sels, Roger [EMAIL PROTECTED] wrote:
 Olivier,

 How is that going to solve the problem?
 His user doesn't have /var/www as a home ; the issue is /var/www is
 world-readable/writeable/executable.

 The files in your /var/www should strictly speaking only be accessible to
 your webserver ; for apache usually www-data or apache or httpd accounts
 should have rwx permissions.
 Grep for these in /etc/passwd if unsure which one to use.

 You could then set the permissions to xy0 for /var/www with chmod.
 Test; if your site doesn't function adequately anymore, set the permissions
 for other to r(4) only.
 So for instance: chmod -R 770 www-data:www-data (www-data is the account
 under which the apache daemon runs on Debian).

 Check out: man chmod
 man chgrp

 Have fun

 Roger

 On Mon, February 27, 2006 1:44 am, Olivier Papauré said:
  You can try to create a user with useradd and the -d option.
 
 From man useradd :
 
   The options which apply to the useradd command are:
 
 -d home_dir
The new user will be created using home_dir as the value for
  the
user's login directory.  The default is to append the login
  name
to default_home and use that as the login directory name.
 
 
 
 
  --
  Debian Addict site : http://www.debianaddict.org
 
 
  2006/2/25, Arnel Pastrana [EMAIL PROTECTED]:
 
  Hi,
 
  May I know what are the possibilities to secure the content of my www
  folder?
 
  I want my local user to access because right now when login as an
  ordinary user using ssh i can delete the content of my www folder.
 
  What will I do? any idea?
 
  Thank you,
 
  Arnel Pastrana
  [EMAIL PROTECTED]
   The key is not to prioritize your shedule but to prioritize your
  priorities.  --- Stephen R Covey
 
 
 
  --
  To UNSUBSCRIBE, email to [EMAIL PROTECTED]
  with a subject of unsubscribe. Trouble? Contact
  [EMAIL PROTECTED]
 
 
 


 --
 Life is 10 percent what you make it and 90 percent how you take it. -
 Irving Berlin


 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]





Re: securing /var/www or web content

2006-02-26 Thread Sels, Roger
Hi
On Sat, February 25, 2006 5:09 am, Arnel Pastrana said:

 The files in your /var/www should strictly speaking only be
 accessible to
 your webserver ; for apache usually www-data or apache or httpd
 accounts
 should have rwx permissions.
 Grep for these in /etc/passwd if unsure which one to use.

 Yes it uses www-data

That's the account apache uses by default on debian, if installed from the
package ;)

 You could then set the permissions to xy0 for /var/www with chmod.
 Test; if your site doesn't function adequately anymore, set the
 permissions
 for other to r(4) only.

 Hi thanks for the help when I did this
 So for instance: chmod -R 770 www-data:www-data (www-data is the
 account
 under which the apache daemon runs on Debian).
 It shows in my site forbidden.

 May I know what's the problem?

 Thanks again.


Probably the webserver needs the file(s) to be world-readable. Try a chmod
774 on your website for instance.

Does that work Arnel?

Cheers

Roger

-- 
Life is 10 percent what you make it and 90 percent how you take it. -
Irving Berlin
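
An added example, not part of the thread: one way to arrange ownership and modes so that the web server reads the content through its group while other local accounts can neither read nor delete it. The owning maintenance account is a hypothetical name you choose; www-data is the Debian web server account named in the thread, and the sketch assumes the server only needs read access.

```shell
#!/bin/sh
# Added example (not from the thread). Goal: the web server reads the
# content through its group, one maintenance account owns it, and every
# other local account gets no access at all.

# List entries any local account can modify (the "other" write bit is set).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# lock_webroot DIR OWNER GROUP
#   OWNER: account that maintains the content (hypothetical, e.g. "deploy")
#   GROUP: group of the web server account (www-data on Debian)
lock_webroot() {
    dir=$1; owner=$2; group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Ownership decides which permission triplet the server falls under;
    # changing modes alone leaves the old owner in place. chown needs root.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$group" "$dir" || return 1
    else
        echo "not root: ownership of $dir left unchanged" >&2
    fi
    # Directories need x to be entered; plain files do not need it.
    find "$dir" -type d -exec chmod 750 {} + &&
    find "$dir" -type f -exec chmod 640 {} +
}
```

Run `world_writable /var/www` first to see what ordinary accounts can currently change, then `lock_webroot /var/www deploy www-data` as root.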

