Out of principle, I wonder if there is a way to have privacy between accounts. If users have the ability to escalate to root privileges (to install applications, for example), they could also view the personal files of other accounts via a file manager. Is there a way to prevent this while still using the same system? Permissions for each user folder are irrelevant with root privileges. Per-user encryption would work for Debian/Ubuntu, but what about Fedora? It encrypts the whole home directory (even without use of LVM).
But sudo will still allow root privileges to see the files. Maybe there is a group like adm which just allows installation of software, and not any other action requiring root/sudo.
Thanks, I am researching that now. I previously tried to find how to deal with that sort of situation, but didn't get anywhere. There would of course also be the issue of su; I saw it would require PAM settings to reserve the su command for only the super user/admin. I have yet to see info on that which I can understand. This is all a matter of principle; it seems wrong to not know how to have some simple privacy, besides going to extreme lengths like managing separate systems (one for each user) with entire home encryption (as Fedora likes to do). Basically, there are two ways to look at it: 1. For reckless and obnoxious people, allow limited actions. 2. For the trustworthy, deny certain actions like being able to read other users' files.
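Added example, not part of any post in this thread: a small audit of the two settings raised above, namely whether su is reserved for the wheel group through pam_wheel and whether a sudo group is limited to package installation or has full root. The group name `installers`, the `dnf`/`apt-get` rule and all sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two settings raised in the thread.
# The group name "installers" and all sample file contents are constructed.

# Succeeds if FILE (a copy of /etc/pam.d/su) has an active
# "auth required pam_wheel.so" line, which limits su to the wheel group.
su_limited_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Prints "none", "limited" or "all" for the commands a sudoers FILE
# grants to %GROUP. "all" means full root, so file permissions on other
# users' home directories give no privacy against members of that group.
sudo_scope_for_group() {
    awk -v g="%$2" '
        $1 == g {
            found = 1
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)        # drop "%group HOST ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)     # drop "(runas)"
            gsub(/[A-Z_]+:[ \t]*/, "", spec)      # drop tags like NOPASSWD:
            n = split(spec, cmd, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (cmd[i] == "ALL") broad = 1
        }
        END { print (!found ? "none" : (broad ? "all" : "limited")) }
    ' "$1"
}

# Constructed sample files standing in for /etc/pam.d/su and a sudoers drop-in.
samples=$(mktemp -d)
cat > "$samples/su.default" <<'EOF'
auth       sufficient   pam_rootok.so
#auth      required     pam_wheel.so use_uid
EOF
cat > "$samples/su.locked" <<'EOF'
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
EOF
cat > "$samples/sudoers" <<'EOF'
%wheel       ALL=(ALL)  ALL
%installers  ALL=(root) /usr/bin/dnf install *, /usr/bin/apt-get install *
EOF

for f in su.default su.locked; do
    if su_limited_to_wheel "$samples/$f"; then echo "$f: su limited to wheel"
    else echo "$f: su open to any user who knows the root password"; fi
done
for grp in wheel installers guests; do
    echo "$grp: $(sudo_scope_for_group "$samples/sudoers" "$grp")"
done
```

A "limited" result narrows what the group can do, but package install scripts still run as root, so an install-only rule is not a privacy boundary on its own; per-user encryption is what keeps files unreadable while their owner is logged out.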
Physical access to a computer is total access to a computer. Only exception I can think of is files encrypted with TrueCrypt. Have you seen Hak5's USB Rubber Ducky? Load payloads that automatically get root and set up reverse shells onto the SD card, plug it in, device auto-executes payloads while recognized as a HID.
Take a peek at encfs. It might do what you're after. It's not completely transparent to the user, but it's secure enough. I use Debian for everything, but some of my clients are over on the Red Hat side (CentOS, Fedora, et al.) and where it's necessary and the user is technically oriented enough, encfs does the trick.