Mr. Sudakar:

On 3/26/07 3:59 AM, "Alex Sudakar" <alex.sudakar@xxxxxxxxx> wrote:

> Hi Matthias and Stuart -
>
> Matthias Schniedermeyer wrote:
>
>> I find that "umount -l" gives a little added privacy.
>>
>> The "Lazy"-umount erases the mountpoint from the global namespace.
>> Effectively erasing it from the radar of any process that hasn't
>> anything "open" inside that particular mountpoint.
>
> Fascinating! I had no idea such a thing existed. Unfortunately
> there doesn't seem to be any such feature for Solaris x86, which
> is the platform with which I am concerned. A pity, because that
> would be ideal -- very clever! Still, I was also curious as to
> solutions with Linux or general Unix, so thanks for the
> information!
>
> Stuart Blake Tener wrote:
>
>> With multiple people logged in as root, your system
>> administrator should be canned.
>
> It's not that bad. Just typically one administrator - me - on
> the system, but the root password is known to others, who might
> decide at any time to login and have a look around. I'd like
> to be able to work on various local files and such knowing that
> they wouldn't be able to read anything I deem to be private,
> should they intrude.

Your empiricism of giving users (even programmers) root level access to the Unix box is far beyond a "no-no", it's murderous to a Unix box! Using "sudo", you can allow the users that you have to accomplish what they need at the root level while asserting a reasonable level of control and "logability" of their actions. Sudo can allow them (in conjunction with creative scripting) to have not only access to just specific commands, but even to just specific command line options (I have done this with Perl and Bash scripts)!

I (and most Unix Admins) understand that sometimes root level control must be used by users, but it's like giving a person the master keys for every door at a bank, just so they can open their safe deposit box.
This is far from any model of measured administrative philosophy that I have seen used or implemented in current times, and is usually more of an attitude of lazy system administrators unwilling to implement a more controlled environment for them and their users.

>
>> Now getting a product that is (at least) running Windows and
>> Linux, you have the TrueCrypt, and since it is open source perhaps
>> it will get ported to MacOS and Solaris.
>
> Interesting; I'd never heard of TrueCrypt, just looked it up,
> thanks for the tip. As it stands right now I don't know of any
> encryption product for Solaris x86, but I dare say there must
> be something out there.

Regarding TrueCrypt; since it does use virtual disks with flat files for an encryption implementation, and already runs under Linux, making it work with Solaris might not be that hard of a job. I would also fire off a request for that kind of support to their development team.

However, I see the future of disk space management for small users as being personal SANs, and am sure that some smart group of fellows will soon have a Linux-based distribution that is intended to provide that type of specific functionality, also inclusive of iSCSI and encryption.

My personal plan for encrypted volumes will change soon, as iSCSI becomes an integral part of most common operating systems. With an iSCSI initiator that is now free for MacOS 10.4 (Tiger), and the presumption of its inclusiveness to the new forthcoming 10.5 (Leopard), Windows, Solaris, Linux, and most new OS releases will have this as well.

Now I have not yet tried this, but I am thinking that iSCSI (which can serve up block level devices) using Loop-AES to encrypt those block level devices, will be the answer for me in the future.
This would then mean that a Windows, Solaris, MacOS, or other mainstream OS would be able to iSCSI mount a raw partition (encrypted by Loop-AES) and the user could then format that iSCSI mounted raw partition with any filesystem they find appropriate.

You might also take a look at Open Solaris, as this has other options that a pure Solaris box from Sun might not have, though I do see the way ahead with regard to encrypted partitions for me as building a Linux box that will have encrypted block level iSCSI served raw partitions as enabling what I need to give users encrypted disk across the totality of the enterprise.

Here are some websites that I frequent, which have info on the open source software I was speaking of:

http://www.thefreecountry.com/ - then look in the security section

NOTE: Oddly, Loop-AES is conspicuously absent on this website, I do not know why, as it has been around for quite a long time.

For info on Open Solaris, check: www.opensolaris.org

Good luck!

>
> Cheers,
>
>
> Alex.

--
Very Respectfully,

IT3 Stuart Blake Tener, USN
Beverly Hills, California
Amateur Radio Call Sign: N3GWG (Extra)

email: teners@xxxxxxxxxxx
phone: +(1) 310.358.0202 (Beverly Hills, CA)
phone: +(1) 215.338.6005 (Philadelphia, PA)
E-Fax: +(1) 915.773.0935 (Telecopier)

Military emails (checked monthly until remote NMCI access is secured)
NIPRNET: stuart.tener@xxxxxxxx / tenerstu@xxxxxxx
SIPRNET: NONE
TS/SCI: tenerstu@xxxxxxxxxx (GWAN)

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
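
The sudo-plus-wrapper-script approach described in the reply above, as an added example that is not part of the original message: a root-owned wrapper that permits only specific actions on specific services and writes an audit record for every request. The wrapper path, the `webops` group, the service names and the choice of Solaris `svcadm` are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical wrapper /usr/local/sbin/svc-ctl (root-owned, 0755).
# Assumed sudoers rule, edited with visudo; "webops" is a made-up group:
#   %webops ALL = (root) /usr/local/sbin/svc-ctl
# sudo logs who ran it; the wrapper refuses anything outside its fixed lists.

SVCADM=/usr/sbin/svcadm   # Solaris SMF tool; an assumption, swap per platform

# validate_request ACTION SERVICE: succeed only on an exact allowlist match.
validate_request() {
    [ "$#" -eq 2 ] || return 1
    case "$1" in
        restart|refresh) ;;
        *) return 1 ;;
    esac
    case "$2" in
        apache2|postfix) ;;          # constructed service names
        *) return 1 ;;
    esac
    return 0
}

# audit_line VERDICT ARGS...: one record per request; control characters are
# stripped so a crafted argument cannot forge extra log lines.
audit_line() {
    verdict=$1; shift
    args=$(printf '%s' "$*" | tr -d '[:cntrl:]')
    printf 'svc-ctl user=%s verdict=%s args=%s\n' "${SUDO_USER:-unknown}" "$verdict" "$args"
}

# handle_request ARGS...: log the decision, then run the command. DRY_RUN
# defaults to 1 here so the example only prints what it would execute.
handle_request() {
    if validate_request "$@"; then
        audit_line ALLOW "$@"
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $SVCADM $1 $2"
        else
            "$SVCADM" "$1" "$2"
        fi
    else
        audit_line DENY "$@"
        return 1
    fi
}

# Constructed requests (a real install would call: handle_request "$@").
handle_request restart apache2 || true
handle_request disable apache2 || true
```

sudoers can also pin arguments itself by listing them after the command path, with `""` meaning that no arguments are allowed.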