(More) Specifics:
- Undoing the protection should include filling in a password.
- The password should be different from the one used with
sudoor any other passwords that are used for acquiring elevated privileges.
All (possible) solutions and suggestions are welcome! Thanks in advance!
Edit: Perhaps additional specifications:
- With 'displace‘, I mean anything involving that resembles the result of
mv,cp(move, cut, copy) or whatsoever. The files should remain in their previously assigned locations/places and should not be able to ‘pop up’ anywhere. - I require for the files to be unreadable.
- I don’t care if it’s modifiable or not.
- I don’t require this for my whole system! Only for a specific set of files.
It seems I wasn’t clear as most people misunderstood me.
But, to give a very precise example; say
~/some/folder.chattr,chmodorchownor similar utilities that remove access as long as one doesn’t have elevated privileges.Then, what prevents whosoever, to copy that file through cloning the complete disk?
Even if they’re not able to get past the password, it will be found on the cloned disk. SO, basically, I ask for some method that prevents the file to even be copied through a disk clone. I don’t care that it has three passwords protecting it. What I want is for the disk clone (or whatever sophisticated copy/mv/cut or whatsoever utility exists) to somehow fail while trying to attempt the action on the protected files.
Nothing. At most, you can have a hardware encrypted drive that won’t permit access to the encrypted data without a password, but the file will remain available after unlocking that. Plus, dedicated people (law enforcement, data recovery specialists) may be able to get access to the flash chip itself unless you buy one that self destruct on any tampering attempts (and even those have flaws).
You cannot prevent copying of data if that data is readable at disk level. At most, you can make the data useless by padding a layer of encryption (as well-encrypted data may as well be random data without the key material). That’s why everyone is going for encryption: encrypted files may as well be inaccessible to anyone who doesn’t know the passphrase. There’s no sense in copying a file which you cannot possibly read any bytes from.
If the key is gone (i.e. the real key is a password protected file that gets overwritten so even the password doesn’t work anymore), the file becomes irretrievable. This is sometimes called “cryptographic erase” in the context of disks. There are variations of this, for instance, storing the key in the computer’s processor (fTPM) behind a password, and clearing that key out. There’s no way to get the key out of the fTPM so it cannot be backed up. Even if someone were to guess your password, the file will forever remain locked. Or at least until someone manages to break all cryptography, but even quantum computers don’t know how to do that part yet.
If you’re willing to go deep, you could reprogram the firmware on your SSD/HDD to refuse reading the file. A few years back, someone made a proof of concept firmware that detected disk imaging attempts (because all blocks on the disk were read in order) and had the firmware return garbage while secretly wiping the disk when this detection triggered. You could, in theory, write firmware that refuses to read that block of data. However, if whoever you’re hiding this file from know about that, they can take out the platter/memory chips and dump them directly, bypassing your firmware entirely.
Very informative. I appreciate it!
By definition, you can’t. Any software level solution will fail since you can just move the drive somewhere else. It must be baked into the hardware and firmware.
Edit to add further clarification. Do you need it to be failing on every device or just on a device that you control? Since as stated before, moving a mass storage will completely overthrow any software solution
Actually, I’m fine with a solution that only works on a device that I control. But, failing on every device is nice as well.
Right, working on every device requires a hardware solution. I haven’t encountered any such hardware yet but I do know that it is possible. Next, your second requirement makes what you’re trying to accomplish impossible. Privilege escalation by definition will escalate the privilege. The problem lies in the fact that the root user is basically a god in linux. You can even wipe your system if you so desire. However, you can read more into SELinux or other similar systems. It works by basically running check on the kernel level not user level. But the only solutions I can think of will make other day-to-day tasks more of a hassle. Also, note that whoever knows how to modify the SELinux can also bypass the system. I found an answer on serverfault that points to a blog. However, I haven’t read the blog yet. You may find an answer there.
Thank you!
You’re welcome. I also recommends Arch Wiki on SELinux. It helps clarify a lot of things and how different it is with traditional linux privilege escalation.
Will do.
Oh that’s quite simple! Just don’t have the files on the first disk in the first place. Make them a remote mount from a server, for example via sshfs, webdav, etc. Heck, even ftp if it comes down to it. That way, even though you can clone the disks, you can not get to the files if you don’t also have the full authentication requirements for the remote server (such as a password).
At a conceptual level, you can’t do anything via
rootto prevent someone who clones the disk from… well, cloning the disk. Having physical access to a disk is a much higher level of access than even root, so if what you are looking for is for your content to not be cloned, you need to fortify physical access to the device.Understood. Thank you!