On Wed, Apr 20, 2005 at 23:13:58 +0100, Jamie Lokier wrote:
> Jan Hudec wrote:
> > > For FUSE, what's needed is that a user can mount something, and the
> > > mounted fs is visible only to that user, but it's visible to _all_ of
> > > the user's processes.
> >
> > Including root's su to that user...
> > Keeping information in a process group is the *only* way to actually
> > lock out root.
>
> If root is _intending_ to view the user's data, it will succeed.
>
> Keeping them in a process group won't prevent that: root can look at
> the data accessible by any process (via ptrace or /dev/mem).
>
> The problem most clearly illustrating the need for private user data
> is sshfs, or anything which mounts over ssl/tls.
>
> > That is, except some kind of keyring in kernel.
>
> For secure user data, as in sshfs, that's the only real solution: a
> keyring in kernel which cannot be accessed simply by calling su, and
> which must be accessed to gain access to the mounted directory.
>
> Which is no different from securing user data when scp+ssh-agent is used.
Yes. You are right. I realized that too. By the way, IIRC so far root can access all kernel memory too via /dev/kmem. So the limiting of root's rights would have to go a bit further yet.

-------------------------------------------------------------------------------
Jan 'Bulb' Hudec <[EMAIL PROTECTED]>