https://www.rsbac.org/ 2026-05-12T21:13:06+00:00 https://www.rsbac.org/ https://www.rsbac.org/lib/tpl/rsbac/images/favicon.ico text/html 2009-01-13T09:53:03+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/acl?rev=1231840383&do=diff Access Control Lists (ACL) Access Control Lists specify, which subject (user, RC role or ACL group) may access which object (of an object type) with which requests (usual RSBAC requests and ACL specials). If there is no ACL entry for a subject at an object, the rights of the parent object are inherited. Inheritance can be restricted by inheritance masks. text/html 2009-01-13T09:52:19+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/auth?rev=1231840339&do=diff Authenticated User (AUTH) This module can be seen as a support module for all others. It restricts CHANGE_OWNER on process targets (setuid) for a process: the request is only granted, if the process has either the auth_may_setuid flag set or the target user ID is in its capability set. The auth_may_setuid flag and the capability set are inherited on execute from the program file. text/html 2013-08-26T16:22:49+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/cap?rev=1377534169&do=diff Linux Capabilities (CAP) This module can be used to * restrict rights of programs run by root * add root rights to normal users or programs run by them It is only the RSBAC module which directly interferes with existing Linux access control. text/html 2009-01-13T09:54:56+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/daz?rev=1231840496&do=diff Dazuko (DAZ) interface The Dazuko module includes the official Dazuko Antivirus scanner interface, which is actively supported by many professional antivirus products. This means that the actual scanning is done by separate user space daemons, which have to be obtained from their respective vendors. Some of these scanner daemons are available for free, for example the text/html 2006-05-17T13:27:07+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/ff?rev=1147872427&do=diff File Flags (FF) This model defines some access flags for files, fifos, symlinks and dirs. Currently, the following flags are supported: Flag Value Checked for Notes no_protection 0 ALL text/html 2009-01-13T10:49:32+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/jail?rev=1231843772&do=diff The JAIL module The JAIL module provides a new call rsbac_jail, which makes a chroot call (with chdir(“/”)) and adds further restrictions on the calling process and all subprocesses. Some of these restrictions can be turned off by flags to the syscall or the rsbac_jail command line wrapper, these are marked with an * in the following list. The rsbac_jail system call also takes the allowed IP-Address for binding (may be 0.0.0.0 for any) as parameter. text/html 2009-01-14T17:43:59+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/mac?rev=1231955039&do=diff Mandatory Access Control (MAC) The Bell and La Padula Model, often called Mandatory Access Control, describes access by active entities, called subjects, to passive entities, called objects. One entity can, depending on type of access, be in both roles. text/html 2009-01-13T09:51:26+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/rc?rev=1231840286&do=diff Role Compatibility (RC) The original RC module has been added in RSBAC version 1.0.8. Note that the number of roles and types is only limited by their 32 bit integer index number and system resources. Roles can be changed if the process owner changes, via a system call (only text/html 2008-02-28T15:35:47+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/um?rev=1204212947&do=diff ~~TOC~~ Traditional Linux user management subsystem The traditional Linux user management, specially the common passwd/shadow scheme with PAM, has several security problems: * PAM libraries running in process context: The PAM libraries are mapped into every process, which has to authenticate users or change user accounts. This means that every single such process must have read or even write access to sensitive authentication data, and an exploit in only one of them reveals all this sensiti… text/html 2008-02-28T11:41:34+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/documentation/rsbac_handbook/security_models/vum?rev=1204198894&do=diff Virtual User Management Design Starting from version 1.4, RSBAC contains Virtual User Management (VUM), which is an extension to the existing User Management (UM). Every user id now consists of a 32 Bit virtual set (vset) number and the old fashioned 32 Bit uid. The normal set of users is vset 0. It also exists, if VUM has been turned off in kernel configuration. All other vset numbers can be used as desired, there is no list of known sets.