(More) Specifics:

  • Undoing the protection should include filling in a password.
  • The password should be different from the one used with sudo or any other passwords that are used for acquiring elevated privileges.

All (possible) solutions and suggestions are welcome! Thanks in advance!

Edit: Perhaps additional specifications:

  • With 'displace‘, I mean anything involving that resembles the result of mv, cp (move, cut, copy) or whatsoever. The files should remain in their previously assigned locations/places and should not be able to ‘pop up’ anywhere.
  • I require for the files to be unreadable.
  • I don’t care if it’s modifiable or not.
  • I don’t require this for my whole system! Only for a specific set of files.
  • IsoKiero
    link
    fedilink
    English
    arrow-up
    8
    ·
    6 months ago

    What’s your end goal here? You try to keep files just on that one media without any options to make copies of them? Or maintain an image which has enforced files at their directories? And against what kind of scenarios?

    ACLs and SELinux aren’t useful as they can be simply bypassed by using another installation and overriding those as root, same thing with copying. Only thing I can think of, up to a degree, is to use immutable media, like CD-R, where it’s physically impossible to move files once they’re in place and even that doesn’t prevent copying anything.

    • poki@discuss.onlineOP
      link
      fedilink
      arrow-up
      2
      ·
      6 months ago

      What’s your end goal here?

      Incoming XY problem.

      I want to prevent myself from reinstalling my system. The trick I came up with involved the use of files that couldn’t be disk cloned. However, if it’s far far easier to accomplish it through other means, then please feel free to enlighten me on this.

      You try to keep files just on that one media without any options to make copies of them?

      Yes.

      Or maintain an image which has enforced files at their directories?

      No, not necessarily.

      And against what kind of scenarios?

      Protecting myself from myself. That’s where the password requirement comes in: I can send a delayed message to myself that holds the password. The end result shouldn’t in the absolute sense prevent full access for always. Unlocking the protection should be possible and should require the involvement of the earlier mentioned password that is received through a delayed message. That way, those files can be accessed eventually, but only after I had intended to.

      ACLs and SELinux aren’t useful as they can be simply bypassed by using another installation and overriding those as root

      Excellent! I didn’t know this. Thank you for clarifying this for me!

      Only thing I can think of, up to a degree, is to use immutable media, like CD-R, where it’s physically impossible to move files once they’re in place and even that doesn’t prevent copying anything.

      The files should remain on the same disk that I run my OS from. So, unfortunately, this doesn’t quite help me. Thank you regardless!

      • IsoKiero
        link
        fedilink
        English
        arrow-up
        1
        ·
        6 months ago

        I want to prevent myself from reinstalling my system.

        Any even remotely normal file on disk doesn’t stop that, regardless of encryption, privileges, attributes or anything your running OS could do to the drive. If you erase partition table it’ll lose your ‘safety’ file too without any questions asked as on that point the installer doesn’t care (nor see/manage) on individual files on the medium. And this is exactly what ‘use this drive automatically for installation’ -option does on pretty much all of the installers I’ve seen.

        Protecting myself from myself.

        That’s what backups are for. If you want to block any random usb-stick installer from running you could set up a boot options on bios to exclude those and set up a bios password, but that only limits on if you can ‘accidently’ reinstall system from external media.

        And neither of those has anything to do on read/copy protection for the files. If they contain sensitive enough data they should be encrypted (and backed up), but that’s a whole another problem than protecting the drive from accidental wipe. Any software based limitation concerning your files falls apart immediately (excluding reading the data if it’s encrypted) when you boot another system from external media or other hard drive as whatever solution you’re using to protect them is no longer running.

        Unless you give up the system management to someone else (root passwords, bios password and settings…) who can keep you from shooting yourself on the foot, there’s nothing that could get you what you want. Maybe some cloud-based filesystem from Amazon with immutable copies could achieve that, but it’s not really practical on any level, financial very much included. And even with that (if it’s even possible in the first place, I’m not sure) if you’re the one holding all the keys and passwords, the whole system is on your mercy anyways.

        So the real solution is to back up your files, verify regularly that backups work and learn not to break your things.