(More) Specifics:

  • Undoing the protection should include filling in a password.
  • The password should be different from the one used with sudo or any other passwords that are used for acquiring elevated privileges.

All (possible) solutions and suggestions are welcome! Thanks in advance!

Edit: Perhaps additional specifications:

  • With 'displace‘, I mean anything involving that resembles the result of mv, cp (move, cut, copy) or whatsoever. The files should remain in their previously assigned locations/places and should not be able to ‘pop up’ anywhere.
  • I require for the files to be unreadable.
  • I don’t care if it’s modifiable or not.
  • I don’t require this for my whole system! Only for a specific set of files.
  • bitfucker
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    6 months ago

    By definition, you can’t. Any software level solution will fail since you can just move the drive somewhere else. It must be baked into the hardware and firmware.

    Edit to add further clarification. Do you need it to be failing on every device or just on a device that you control? Since as stated before, moving a mass storage will completely overthrow any software solution

    • poki@discuss.onlineOP
      link
      fedilink
      arrow-up
      1
      ·
      6 months ago

      Do you need it to be failing on every device or just on a device that you control?

      Actually, I’m fine with a solution that only works on a device that I control. But, failing on every device is nice as well.

      • bitfucker
        link
        fedilink
        arrow-up
        2
        ·
        6 months ago

        Right, working on every device requires a hardware solution. I haven’t encountered any such hardware yet but I do know that it is possible. Next, your second requirement makes what you’re trying to accomplish impossible. Privilege escalation by definition will escalate the privilege. The problem lies in the fact that the root user is basically a god in linux. You can even wipe your system if you so desire. However, you can read more into SELinux or other similar systems. It works by basically running check on the kernel level not user level. But the only solutions I can think of will make other day-to-day tasks more of a hassle. Also, note that whoever knows how to modify the SELinux can also bypass the system. I found an answer on serverfault that points to a blog. However, I haven’t read the blog yet. You may find an answer there.