Morten Torstensen wrote: > ankush grover wrote: >> c) Security of Maildir means even root user should not be able to read >> any user's mail. > > You can do that with SElinux... you would have to limit filesystem > access AND user access so that root just not su to a user and access > it from there. > > But someone who have physical access to the server will be able to get > access. Administrative routines need access too, for stuff like backup > and restore. > > So for c) I would limit what I can and then have audit routines to map > usage. > and limit root so he can't disable selinux? ummmmmm. right. and, as Morten points out, backup needs access to maildir (and of course, anyone with physical access to the backup media will have access to the mail on them too) Only thing I can think of... setup the administrators 'normal' accounts to have specific SUDO's for _all_ 'normal' administrative activities, and put the real root password on a slip of paper in a sealed envelope in the key escrow safe that requires 3 people's combinations to open. and hope nothing goes wrong.