0

In case there are two or more admins in Ubuntu, can one admin prevent another admin from accessing his/her data?

Regards.

lounice
  • 25
  • If both admins can run sudo commands and obtain root-rights .. NO. – Soren A Dec 29 '17 at 10:38
  • 3
    Create an encrypted partition for your personal files. – M. Dm. Dec 29 '17 at 11:00
  • How can I do that? – lounice Dec 29 '17 at 11:24
  • https://askubuntu.com/questions/932191/how-to-restrict-root-user-access-to-user-folders – derHugo Dec 29 '17 at 11:42
  • @M.Dm. that does not prevent this problem. Another admin can still access that data. – Rinzwind Dec 29 '17 at 12:23
  • You can prevent this if you use apparmor to limit root access to /home and encrypt your home directory. This behavior, of course, can be circumvented by direct access to system files via recovery mode or a live CD, and with such access one could in theory access your user data via an almost unlimited number of ways, from scripts to key loggers to custom kernels to who knows what. – Panther Dec 29 '17 at 18:26

1 Answer

2

No.

And anyone with physical access can change anything on a system. They do not even have to be an admin; they just need to be able to reboot.

The only way to prevent others from seeing your data is by storing it on another medium (USB stick or on-line). And to lower the risk of exposure you always need to unmount whatever media the data is stored on.

Regarding encryption:

Another admin can view your data when you have the data visible in your system. Mounting an encrypted volume as "root" is not enough; another "root" user will be seen as owner of the data.

Someone that can reboot the system can also reset the password of an encrypted volume. Yes, you would know someone accessed it but ... the whole idea was to prevent access.

Rinzwind
  • 299,756
  • I am asking this because I am afraid that a team member (in a research lab) is trying to use my work without my permission and he insisted on having an admin account on my computer. This is a very difficult and stressful situation. I don't know what to do in order to protect my intellectual property (my work). I have a laptop, but I need the power of my office computer (GPU + CPU). – lounice Dec 29 '17 at 10:53
  • 1
    Keep your data away from that system when you are not on it. – Rinzwind Dec 29 '17 at 12:22
  • 1
    -1 This ignores encryption. – fkraiem Dec 29 '17 at 12:28
  • 2
    How can a user that can reboot the system change the key of the encrypted volume? If I give you an encrypted volume, you have no way of changing the key in any meaningful way. It will not protect a mounted volume, but it will protect data at rest. That said - I do fully agree with your conclusion... – vidarlo Dec 29 '17 at 12:57
  • @vidarlo never saw this, sorry. But back then: https://access.redhat.com/solutions/1543373 with LUKS1. With LUKS2 no longer possible. – Rinzwind May 07 '22 at 12:13
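
The distinction drawn in the answer and comments above, between encrypted data at rest and a volume that is currently open or mounted, can be checked on a running system. The following is an added example, not part of the thread: a shell function that classifies each LUKS container from `lsblk -P` output. The device names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies each LUKS container by how
# exposed its plaintext currently is to any account that can become root.

# luks_exposure: reads `lsblk -Po NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` output
# on stdin and prints "<container> <state> <detail>" per LUKS container.
luks_exposure() {
    awk -F'"' '
        # Splitting on the quote character puts the values in fields
        # 2 (NAME), 4 (TYPE), 6 (FSTYPE), 8 (MOUNTPOINT), 10 (PKNAME).
        $6 == "crypto_LUKS" { order[++n] = $2 }
        # A "crypt" row is an open mapping; PKNAME names its container.
        $4 == "crypt"       { child[$10] = $2; mnt[$10] = $8 }
        END {
            for (i = 1; i <= n; i++) {
                dev = order[i]
                if (!(dev in child))
                    print dev, "locked", "-"   # protected at rest
                else if (mnt[dev] == "")
                    # Open but not mounted directly (or used through LVM):
                    # root can still read the plaintext block device.
                    print dev, "open-unmounted", "/dev/mapper/" child[dev]
                else
                    print dev, "open-mounted", mnt[dev]
            }
        }'
}

# Constructed sample of lsblk pairs output (not from a real machine).
sample_lsblk() {
    cat <<'EOF'
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="research" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/home/alice/research" PKNAME="sda2"
NAME="sdb1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sdb"
NAME="backup" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="" PKNAME="sdb1"
NAME="sdc1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sdc"
EOF
}

# On a live system: lsblk -Po NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | luks_exposure
sample_lsblk | luks_exposure
```

Only a container reported as `locked` is protected by its passphrase; unmounting alone leaves the mapping open until it is closed with `cryptsetup close <name>`.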