[rsbac] Good stuff
ao at rsbac.org
Mon Oct 25 09:09:13 CEST 2004
On Sunday, 24 October 2004 17:57, Nick Vasiliev wrote:
> Hey guys, I have been playing around with RSBAC for a
> couple of days and I have to say, good stuff. Keep it
> up.

Thanks for the flowers. :)

> I do have a couple of questions. I have read the
> documentation you provided at your site and at
> books.rsbac.org however it left a lot of things

Yeah, I know. Many of them.

> Under pkgs/ssh I have auth_may_setuid 1
> However when the process starts up by itself I can't
> log in via SSH because remote access SUID is denied.
> Now if I go into processes menu and select SSH as the
> process then I will be able to manually set it in
> there to allow auth_may_setuid to 1. However if I
> restart the service and it has a new PID it will not
> work any more, and will be set back to 0.

Did you cross check that your /usr/sbin/sshd binary has
auth_may_setuid set, not e.g. /etc/init.d/ssh or /usr/bin/ssh?

> Second question that I have, is that I am unsure about
> how the permissions and ACLs work together. For
> example if I deny a user permission to a file, and
> then allow it with the ACL it wouldn't work, I have
> been trying to tweak something here and there for a
> while. Any ideas?

RSBAC restrictions are additional to the Linux permissions. There are
three ways to override the Linux permissions:
- Per user / CAP module: Set a min_caps value to give this user Linux
  capabilities with rsbac_user_menu <user>
- Per program / CAP module: Set a min_caps value to give this program
  Linux capabilities with rsbac_fd_menu <path>
- Per target dir tree: Use linux2acl tool to convert Linux rights to an
  ACL script, apply this script, disable Linux rights checking for this
  dir with rsbac_fd_menu <dir> (needs an RSBAC kernel option) and then
  tweak the ACLs as required.
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
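
Added example, not part of the original message or of the RSBAC tools: a shell helper for the cross-check suggested above, confirming that the path on which auth_may_setuid was set resolves to the executable the running sshd was actually started from. The function names are hypothetical, and the attr_get_file_dir call assumes the RSBAC admin tools are installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not RSBAC commands.

# exe_of_pid PID: print the executable file behind a running process.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null | sed 's/ (deleted)$//'
}

# real_path PATH: print PATH with every symlink resolved.
real_path() {
    readlink -f "$1"
}

# same_binary PID PATH: succeed only if PATH resolves to the file PID runs.
# Returns 2 when the process cannot be inspected.
same_binary() {
    exe=$(exe_of_pid "$1")
    [ -n "$exe" ] || return 2
    [ "$exe" = "$(real_path "$2")" ]
}

# report PID PATH: compare the running daemon with the configured path and,
# if the RSBAC tools are present, show the attribute stored on the real binary.
report() {
    exe=$(exe_of_pid "$1")
    echo "pid $1 runs:      ${exe:-unknown}"
    echo "attribute set on: $2 -> $(real_path "$2")"
    if same_binary "$1" "$2"; then
        echo "OK: the attribute is on the binary the daemon executes"
    else
        echo "MISMATCH: set auth_may_setuid on ${exe:-the daemon binary}"
    fi
    # Assumes the RSBAC admin tools are installed; skipped otherwise.
    if [ -n "$exe" ] && command -v attr_get_file_dir >/dev/null 2>&1; then
        attr_get_file_dir AUTH FILE "$exe" auth_may_setuid
    fi
}

# Usage: sh check.sh <pid of sshd> <path the attribute was set on>
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

Run it as root with the PID of the listening sshd and the path that was configured; a MISMATCH line means the attribute sits on an init script, a client binary or some other file than the one the daemon executes.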