Re: Protecting message files acess even from root
On Sat, 2014-02-01 at 11:38 -0200, Fabio S. Schmidt wrote: > Thanks Sven, I really appreciate your considerations, especially about > the encryption of the SMTP traffic. > I will test Mandatory Access Control (MCS), like Se-linux(YES, I know > that NSA wrote it) or Apparmor for instance, and customising SUDO: > http://pubs.gpaterno.com//2009/protecting-confidential-files-selinux-2009.pdf > Sorry for not being specific from the beginning, but this research is > for a government e-mail system, and we really need to ensure that even > administrators cannot access the messages, encrypted or not. Please come back with what you discover. This is an interesting question. Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Protecting message files acess even from root
Thanks Sven, I really appreciate your considerations, especially about the encryption of the SMTP traffic. I will test Mandatory Access Control (MCS), like Se-linux(YES, I know that NSA wrote it) or Apparmor for instance, and customising SUDO: http://pubs.gpaterno.com//2009/protecting-confidential-files-selinux-2009.pdf Sorry for not being specific from the beginning, but this research is for a government e-mail system, and we really need to ensure that even administrators cannot access the messages, encrypted or not. On 1 February 2014 07:38, Sven Schwedas wrote: > Given that a physical root can bypass any and every ACL, encrypting > messages (upon receiving, e.g.) is the only remotely plausible way to > prevent access. > > And even then the admin could sniff all SMTP traffic and copy messages > before encryption, so you'd need to monitor him anyway. > > > > Why again does someone you trust so little have root access to anything > more sensitive than a calculator? ;-) > > On 2014-01-31 17:47, Fabio S. Schmidt wrote: > > Hi Dan ! Thanks for the answer ! > > > > I'm trying to prevent local access from a physical administrator. Even > > if looged as root should be impossible to read the messages on the Cyrus > > partitions. Other emails stores that I have dealt with also stores the > > messages in files. > > > > Blackman and Goetz, Thanks for the reply, but my problem is that not all > > messages will be encrypted at the source. AND EVEN if the message is > > encrypted we want to prevent the access from a physical administrator. > > > > > > > > > > Cyrus Home Page: http://www.cyrusimap.org/ > > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > > To Unsubscribe: > > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus > > > > -- > Mit freundlichen Grüßen, / Best Regards, > Sven Schwedas > Systemadministrator > TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz > Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 > http://software.tao.at > > > > Cyrus Home Page: http://www.cyrusimap.org/ > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > To Unsubscribe: > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus > -- My best regards, Fabio Soares Schmidt Linux Professional Institute - LPIC-3 Microsoft Certified Technology Specialist: Active Directory Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Protecting message files acess even from root
Given that a physical root can bypass any and every ACL, encrypting messages (upon receiving, e.g.) is the only remotely plausible way to prevent access. And even then the admin could sniff all SMTP traffic and copy messages before encryption, so you'd need to monitor him anyway. Why again does someone you trust so little have root access to anything more sensitive than a calculator? ;-) On 2014-01-31 17:47, Fabio S. Schmidt wrote: > Hi Dan ! Thanks for the answer ! > > I'm trying to prevent local access from a physical administrator. Even > if looged as root should be impossible to read the messages on the Cyrus > partitions. Other emails stores that I have dealt with also stores the > messages in files. > > Blackman and Goetz, Thanks for the reply, but my problem is that not all > messages will be encrypted at the source. AND EVEN if the message is > encrypted we want to prevent the access from a physical administrator. > > > > > Cyrus Home Page: http://www.cyrusimap.org/ > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > To Unsubscribe: > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus > -- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167 http://software.tao.at signature.asc Description: OpenPGP digital signature Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Protecting message files acess even from root
On 31 Jan 2014, at 16:10, Fabio S. Schmidt wrote: > Hello! > Considering that Cyrus stores messages in files, does anyone have any > experience on the protection of access to these files, even for the root > user? > > I researched about SELINUX and found no conclusive documentation. > http://en.wikipedia.org/wiki/Public-key_cryptography - Mark Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Protecting message files acess even from root
Hi Dan ! Thanks for the answer ! I'm trying to prevent local access from a physical administrator. Even if looged as root should be impossible to read the messages on the Cyrus partitions. Other emails stores that I have dealt with also stores the messages in files. Blackman and Goetz, Thanks for the reply, but my problem is that not all messages will be encrypted at the source. AND EVEN if the message is encrypted we want to prevent the access from a physical administrator. Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Protecting message files acess even from root
Yes, this is the answer. If messages need to protected from everyone, including root, then they should be PGP encrypted at the source; with MUA client-side decryption. On 01/31/2014 10:37 AM, Mark Blackman wrote: > > On 31 Jan 2014, at 16:10, Fabio S. Schmidt wrote: > >> Hello! >> Considering that Cyrus stores messages in files, does anyone have any >> experience on the protection of access to these files, even for the root >> user? >> >> I researched about SELINUX and found no conclusive documentation. >> > > http://en.wikipedia.org/wiki/Public-key_cryptography > > - Mark > > > Cyrus Home Page: http://www.cyrusimap.org/ > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > To Unsubscribe: > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus > Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: Protecting message files acess even from root
On 01/31/14 14:10 -0200, Fabio S. Schmidt wrote: >Hello! >Considering that Cyrus stores messages in files, does anyone have any >experience on the protection of access to these files, even for the root >user? > >I researched about SELINUX and found no conclusive documentation. Are you attempting to prevent local access (from a physical administrator), or remote access via root login? How does cyrus differ from other email stores that you've dealt with (security wise)? -- Dan White Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Protecting message files acess even from root
Hello! Considering that Cyrus stores messages in files, does anyone have any experience on the protection of access to these files, even for the root user? I researched about SELINUX and found no conclusive documentation. -- My best regards, Fabio Soares Schmidt Linux Professional Institute - LPIC-3 Microsoft Certified Technology Specialist: Active Directory Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus