Florian Bantner wrote:
> > Hmm, have you considered ramdisks?
>
> That's the idea I was looking for. Heard also today of the
> possibility to encrypt whole filesystems. At the moment I'm
> thinking about that. A combination would be nice. If I'm right this
> would make it hard even for root to do something. Not impossible but
> hard. That's really not bad at all.

It depends what kind of skills you expect root to have. Remember that root is in a position to modify the kernel if he wants to.

I can easily imagine a kernel patch that watches the ramdisk (or any fs) for certain types of files (by name, ownership, or whatever), and makes extra copies of them under /root without the user's knowledge. It probably wouldn't even be a hard change to make. And of course, for the ramdisk to exist in the first place, you need root's cooperation, so he probably knows why you want it and what you're using it for.

Even without a kernel patch, he can always just modify mutt, vim, or gpg to do what he needs. Or just replace vim with a shell script that calls the real vim and then copies the file for him afterwards (the easiest method, though also the most obvious).

You can make it so that root has to do more than look in /tmp for cleartext files, but I doubt you can make it hard if root is a competent programmer.

Craig
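
The message above calls replacing vim with a shell script the most obvious method. The following is an added example, not part of the original thread, that shows why: it checks whether mutt, vim and gpg resolve to an ELF binary or to a script. The function names are assumptions made for the example, and the check covers only that one case: a patched binary, a patched kernel, or a root who alters the check itself passes unnoticed.

```shell
#!/bin/sh
# Added example (not from the original thread); helper names are hypothetical.

# classify_exec FILE: print "elf", "script" or "other" from the file's magic bytes.
classify_exec() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # \x7f E L F: a compiled binary
        2321*)    echo script ;;   # "#!": an interpreter script, possibly a wrapper
        *)        echo other ;;
    esac
}

# resolve_in_path NAME SEARCH_PATH: print the first executable match in SEARCH_PATH.
# The body runs in a subshell so the IFS change does not leak to the caller.
resolve_in_path() (
    IFS=:
    for dir in $2; do
        [ -f "$dir/$1" ] && [ -x "$dir/$1" ] && { echo "$dir/$1"; exit 0; }
    done
    exit 1
)

# audit_tools SEARCH_PATH NAME...: print "name path kind" for each tool;
# return 1 if any tool is missing or is not an ELF binary.
audit_tools() {
    search_path=$1; shift
    status=0
    for name in "$@"; do
        if resolved=$(resolve_in_path "$name" "$search_path"); then
            kind=$(classify_exec "$resolved")
        else
            resolved=-; kind=missing
        fi
        echo "$name $resolved $kind"
        [ "$kind" = elf ] || status=1
    done
    return $status
}

# The three programs named in the message above.
audit_tools "$PATH" mutt vim gpg || true
```

A "script" result is a prompt to read the file, not proof of tampering, since distributions ship some legitimate wrapper scripts.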

