5

There's a 22.04.1 system of which I'm the sole user (thus root) that I'm considering leaving to someone else. There's a chance I'll take the system back, in which case it would be nice to have things the way I left them, but it's slim. What I'd really like is to create a role that would basically be root, with the exception of not being able to lower/diminish any privilege of mine, nor being able to look in my profile folder or my settings (i.e. browser history).

Is there a way to create such a quasi-root user profile?

DynV
    You should probably just backup and wipe the device, both for your own protection, but also so the new user has a nice, clean-slate experience – Alexander Sep 21 '22 at 12:09

4 Answers

18

No, you can't do this.

If you give someone physical access, they can do whatever they want.

Similarly, if you add another user to sudoers they can obtain the same privileges as a root user.

Even if you could somehow do what you're asking, there's no way the device is going to be returned to you with everything exactly how it was. That's also setting quite an unrealistic expectation of whoever you're allowing to use the device.

Why don't you just make a backup or take a system image?

FYI, just because you are the sole user, does not make that user root. root login is disabled in Ubuntu by default.

Nmath
  • And even with other Linux distros, you're not Root unless you change to the Root account. – Davidw Sep 20 '22 at 01:50
  • @Nmath What is the highest set of privileges I can give a user that will both prevent any of my current privilege to be removed and forbid that user from accessing my user folder? Would such a user at least be able to update Ubuntu security? If not, would a user able to update Ubuntu security able to access my user folder? – DynV Sep 20 '22 at 02:23
  • My suggestion is to back up your data or make a system image. Then you should reinstall the operating system cleanly for the person you are giving it to. That will remove your personal information. (However if they are tech savvy, even then they could potentially recover files unless you used full disk encryption, or if you scrubbed the disk by overwriting every addressable bit.) If/when you get the device back, then you can restore your backups. You must understand that if you give the device to someone, they can do any and everything they want with it. – Nmath Sep 20 '22 at 03:21
  • @DynV Anyone with physical access can do literally anything with the system. Permissions work only as long as the system is enforcing them, but with physical access nothing prevents you from booting a different system that doesn't, or on which you are root. If you want to prevent something from tampering, use encryption. – gronostaj Sep 20 '22 at 06:13
10

Rule one of security: If someone has physical access to a system, they control that system.

You can do all you want with fancy access control, but that’s all useless if someone else has physical access to the system. They could boot some other OS on it and access the data that way. They could remove the persistent storage device and put it in another system to access it. They could just wipe the whole system.

And this is all ignoring that nothing equivalent to what you want is easily doable on Linux. It’s technically possible to achieve something like what you’re asking for with SELinux in MCS mode, but setting it up requires a vast amount of knowledge about SELinux and Linux in general, and it’s pretty much certain to break an Ubuntu system.

The correct solution here is to do a full system image (essentially clone the disk), and then do a clean install. That way the other person cannot access any of your files (because they don’t exist on the system anymore), and if you take the laptop back you can just use the system image you created to restore it to the state it was in before you gave it to them.

  • I'm not interested in rolling back software nor OS updates nor delete anything from the user I'm considering leaving it to if I take it back. Is there some tool that's made to backup only what was specifically made for my use of the system, such as permissions, user folder and settings? – DynV Sep 21 '22 at 03:33
  • You may want to add wiping the disk before reinstalling to make sure no old data persists. – Oskar Skog Sep 21 '22 at 06:28
  • @DynV The problem is that if you don’t trust this person to mess with your stuff, you should not be trusting them to not leave behind some nasty surprise that might steal your data. If you want to be sure of the system being secure if you take it back, you will need a clean reinstall anyway, and will need to update things to the latest anyway. Note that this is not an issue specific to Linux, you would have the exact same problem with macOS or Windows as well. – Austin Hemmelgarn Sep 21 '22 at 11:55
  • @AustinHemmelgarn The user is quite computer illiterate. As an example: I had to teach every single detail of booting the computer, updating the time (CMOS is dead) and ensuring there's an internet connection, which took > 1 hr. I'd like an answer to my question and I consider myself warned. – DynV Sep 21 '22 at 22:06
  • @DynV You don't know the computer literacy of the user's friend. – Zano Sep 22 '22 at 09:00
  • @DynV The fact that they’re not particularly computer literate is arguably more reason to be potentially concerned here. Will they practice good security? Will they notice if the system gets compromised by some drive-by attack in their web browser? Will they make sure nobody else has access to the computer? This isn’t about just trusting them to not do anything malicious, it’s also about trusting them to do the right thing when it comes to security. – Austin Hemmelgarn Sep 22 '22 at 11:29
3

This is something of a ‘background’ answer.

Others have noted that what you are looking for is infeasible, if someone has physical access. There's another reason why you can't control the privileges of a unix user, though...

Unix doesn't have ‘privileges’.

The traditional unix security model is:

  • Access to the filesystem, or filesystem-like things, is controlled by the user/group/other model.
  • ...but processes with UID 0 are exempt from checking.

That is, it's not that root has ‘high privilege’, but permissions checks are simply skipped, wholesale, for processes with UID 0. There is nothing between ‘ordinary user’ and ‘free pass to do everything’ (‘Hello, I'm root, can I...?’ – ‘Yes!’).

One exception (others mentioned this) is systems which have a MAC component, such as SELinux, or the TrustedBSD framework used in macOS amongst others (yes, Macs have MACs!). Here, access controls, with ACLs, are built in to the kernel, and root/UID-0 processes are subject to those controls, just like any other. For the purposes of this answer, I'm taking those to be something of an add-on (and this is why I said ‘traditional’ above).

Another exception appears to be sudo. But that's not a way of manipulating privileges, but simply a suid-root program (ie, a userland add-on) which will let certain users create a UID-0 process... which is therefore exempt from checking. This walks and quacks like a privilege system, but it isn't really one.

Depending on your tastes, this situation is elegantly minimalist, or how-can-they-have-got-away-with-it brainless (my vote is for the former).

Other well-known systems with real privilege systems are VMS, with an intricate set of privileges and permissions (of which the only one that really mattered was SETPRV, the privilege to give yourself privileges (I never managed to get anyone to give me that bit)), or Windows which, because of its designer, inherited important parts of the VMS conceptual architecture.

(To get back to your original question, the real answer, as others have said, is to take a backup or image of the box, and restore that if and when you take back the machine).

Norman Gray
  • Linux has "some" sense of privileges in the form of "capabilities" but it's fairly weak because (1) the groups it breaks things into are often over-broad (CAP_SYS_ADMIN notoriously being a dumping ground) (2) there are (were?) well known escalations for getting from one capability to another. – mbrig Sep 21 '22 at 22:02
1

You want to both be root?

Yes, kind of. It's dirty and a bit hacky.

Add a user newuser and then move the user's entry in /etc/passwd to the top. Change the user ID of newuser to 0. If you already have a home directory created, then you have to fix the permissions too with chown -R newuser: /home/newuser. Otherwise create them with the correct permissions.

Now you can connect to your server as newuser or root - both in effect being root, but not sharing a home directory.

Drawbacks:

  • Even if connected as root the system will show newuser in the prompt and file permissions.
  • There is, of course, no security whatsoever between both accounts.

You want your files to be safe from the other user?

Encrypt your home partition with a password. Then the files are unreadable, even for root. Here is an answer on how to do that with ecryptfs:

https://askubuntu.com/a/1029330/783023

And another HowTo here

https://www.linuxuprising.com/2018/04/how-to-encrypt-home-folder-in-ubuntu.html

You don't want the other user to be able to mess with your user or your files?

Well, you can't. Giving someone root access means they can delete your user and files, even if encrypted.

Giving them physical access, even if they don't have a root account, also means your user and files are not safe from deletion.

Robert Riedl
  • I don't like how this creates a Frankenstein. – iBug Sep 20 '22 at 14:30
  • @iBug: It's old tradition that you can do this with UID 0. It really is supposed to work. But I don't see how this is an answer to OP at all. – Joshua Sep 20 '22 at 18:00
  • It answers the part about both being root @Joshua. I can add a link to a different answer to protect OP's files. – Robert Riedl Sep 21 '22 at 07:10
  • Frankenstein's Monster you mean @iBug ? And yes, two root accounts is dirty and hacky. Hence the disclaimer. – Robert Riedl Sep 21 '22 at 07:18
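A defender-side audit for the two-UID-0 layout described in the answer above, added here as an example and not written by the answer's author. It parses constructed /etc/passwd text (a real audit would read the file itself), lists every extra UID-0 account, and shows why the first matching line wins name lookups, which is the "prompt shows newuser" drawback the answer mentions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, not taken from any real system: a second UID-0
# account ("newuser") has been placed above root, as the answer describes.
SAMPLE_PASSWD = """\
newuser:x:0:0:Second admin:/home/newuser:/bin/bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dynv:x:1000:1000:DynV:/home/dynv:/bin/bash
"""

@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str

def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5)-style text, preserving file order (order matters for lookups)."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue  # malformed line: skip it rather than guess
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries

def uid0_accounts(text: str) -> List[str]:
    """Every account with UID 0, in file order."""
    return [e.name for e in parse_passwd(text) if e.uid == 0]

def extra_uid0_accounts(text: str) -> List[str]:
    """UID-0 accounts other than 'root': each one is a full root alias."""
    return [n for n in uid0_accounts(text) if n != "root"]

def name_for_uid(text: str, uid: int) -> Optional[str]:
    """First matching entry wins, which is why prompts and ls -l show 'newuser'
    for root-owned files once newuser's line sits above root's."""
    for e in parse_passwd(text):
        if e.uid == uid:
            return e.name
    return None

if __name__ == "__main__":
    for name in extra_uid0_accounts(SAMPLE_PASSWD):
        print(f"WARNING: extra UID-0 account: {name}")
    print("UID 0 resolves to:", name_for_uid(SAMPLE_PASSWD, 0))
```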