Friend asks: I would like to make an app to ask for authentication before launching. I can do that on MacOS via creating an encrypted disc image and put the app in there, and windows has robust third party tools for it. But how would you go about it on Linux, especially since it’s a .deb (that gets auto-updated all the time via its repo) and not an appimage/flatpak? Others need access to the user account, but I want to restrict that one app. Creating a different user account for it is out of the question btw, since you can still change the password for that user via the primary admin account. Also, I don’t want to be running full VMs that take forever to boot to use that one app. Is there any simple way to lock an app under Linux?
Nothing at all is safe from the root account, or from any user that can elevate to root. Think of the root account as the system itself - the thing you’re trying to protect may be encrypted and safe at rest if you’ve brought it in from elsewhere, but as soon as you enter a password and decrypt it, you’re handing that password and decrypted data over to a system fully controlled by that root account.
Yes, there is. If a folder or file is encrypted (with a different password), it is safe from root too. That’s what I’m after. Root can’t change the password of an encrypted volume.
But root can scrape that password as soon as you enter it, and has access to that encrypted data as soon as you decrypt it. That’s what I’m saying.
If you think anything on a *nix system is “safe” from root or a user that can elevate to root, you’re deluding yourself with wishful thinking.