如何限制 root 对 aix 上文件夹的访问?
我想限制对 aix 上某些文件夹的访问。
即使是 root 用户也应该被限制访问某些文件夹。 对于 e..gi,在 aix 5.3 服务器上有用户 - aixuser 和 root 我有一个文件夹 - myfolder。
我希望只有 aixuser 才能访问此文件夹,而不是 root。
我怎样才能做到这一点?
I want to restrict access to certain folder on aix.
even root user should be restricted to access certain folders.
for e..g i have user - aixuser and root on aix 5.3 server
and i have a folder - myfolder.
i want only aixuser to have access to this folder and not root.
how can i do this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
不,这是不可能的。 root 用户的整个概念依赖于不受限制的访问。 您可以使用用户/组/其他范例或访问控制列表轻松保护您的文件免受其他常规用户的侵害,但是,一旦有人拥有 root 权限,您就根本无法限制他们。
这样做有一个很好的理由 - 如果您因某种原因失去了对文件的访问权限,您希望管理员如何为您恢复它们?
解决您的问题的方法是限制具有 root 访问权限的人数或以某种方式加密您的文件。 但即使后一个建议也无法阻止坚定的根用户,他们可以查看您的进程地址空间或拦截您的输入流以获取您的密码(如果需要)。
唯一可行的安全措施是拥有自己的盒子,并且只有您拥有 root 权限。 然后,您可以将不同机器上的根用户视为您机器上的普通用户。
No, this cannot be done. The whole concept of the root user relies on unfettered access. You can quite easily protect your files from other regular users, using either the user/group/other paradigm or access control lists but, once someone has root powers, you cannot restrict them at all.
There's a good reason for this - if you lost access to your files somehow, how would you expect the administrators to recover them for you?
The way of dealing with your concerns is to either restrict the number of people with root access or somehow encrypt your files. But even that latter suggestion wouldn't stop a determined root user who can look inside your process address spaces or intercept your input stream to grab your passwords if need be.
The only workable security will be having your own box with only you having the root powers. Then you can treat a root user on a different box as just a regular user on yours.
您不能排除对任何本地文件系统上的任何文件的 root 访问权限。
You cannot exclude root access to any file on any local file system.
正如 paxdiablo 所说,root 用户权限是 AIX(实际上任何 UNIX/Linux 机器)中的终极权限。 在 RBAC 中,将角色权限设置为 aix(在 mkrole 命令中)将授予您执行 root 用户可以执行的所有操作的权限,但仅限于 root 用户。
UID=0、GID=0 为 root 提供了机器上所需的所有访问权限。
as paxdiablo is saying, root user privilege is the ultimate thing in AIX (infact any UNIX/Linux machine). In RBAC, setting the role permissions to aix (in the mkrole command) will give you permissions to do everything a root user can do but nothing more than the root user.
Having UID=0, GID=0 gives root all the access it needs on a machine.
实际上我相信你可以使用加密文件系统来做到这一点。 我还没有做过。 抱歉回复含糊不清。 但我相信 EFS 有两种模式。 一种是信任 root,另一种是不信任 root。
来自 https://www.ibm.com/developerworks/aix /library/au-efs/index.html
如果您认真考虑一下,加密是您唯一的选择。 root 可以打开硬盘并将其复制到另一个驱动器,然后对文件系统本身进行任何操作。 防止 root 的唯一方法是通过加密。
Actually I believe you can do it with the encrypted file system. I have not done it. Sorry for the vague reply. But I believe EFS has two modes. One is to trust root and the other is to not trust root.
From https://www.ibm.com/developerworks/aix/library/au-efs/index.html
If you really think about it, encryption is the only choice you have. Root can open up the hard disk and copy it over to another drive, then go monkey with the file system itself do what it pleases. The only way to protect against root is via encryption.