https://www.rsbac.org/ 2026-04-30T15:24:35+00:00 https://www.rsbac.org/ https://www.rsbac.org/lib/tpl/rsbac/images/favicon.ico text/html 2012-07-21T19:58:43+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/acl-su?rev=1342900723&do=diff text/html 2012-07-21T19:55:13+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/acl?rev=1342900513&do=diff Back to igraltist's experiences/ACL RSBAC ACL Example Problem description On standard linux system nothing prevented the root user switch to any other user. Solution with ACL Groups This is only example for ACL. The AUTH and or the RC module is much comfortable. All have to do as security user (uid 400). text/html 2013-10-03T06:43:06+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/admins?rev=1380782586&do=diff back to igraltist experiences Split of the the admin duties RSBAC gives the opportunity to split the all mighty root user into different admin users. With this setup the root user is still present but the first task from an admin is transfer to specialized user. Need the RSBAC RC module. text/html 2012-08-18T14:14:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/booting?rev=1345299240&do=diff Back to igraltist's experiences /RSBAC RC The first part When you hit this site I guess you have successfully boot your RSBAC system and RC is waiting to setup. All is depend on the proper setup of the RC module. Most linux distribution using the Filesystem Hierarchy Standard. The first two colums in the table below refer to the RC type number and RC type name. I use my system so some directories maybe differ on your system. text/html 2012-07-21T20:02:55+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/examples?rev=1342900975&do=diff Back to igraltist experiences Examples On this site I give some example for using different RSBAC modules. This is mostly from daily using but also gives me a place for look up my self. If you need help to get the right paramaters for rsbac_jail then see explain jail messages. text/html 2012-08-18T11:14:18+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/installation?rev=1345288458&do=diff Back to igraltist experiences Requirements RSBAC can use on every modern computer on which the linux kernel 2.4 or 2.6 runs >3.0. The kernel support for 2.4 and 2.6 is droped. You can choose your favorite linux distribution. My favorites are gentoo and debian. I have tested it on an old cpu with 133Mhz and 64MB. text/html 2012-08-18T10:42:10+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/introduction?rev=1345286530&do=diff Back to igraltist experiences Why I chose RSBAC? I read an article in linux magazin. I bought a linux-magazin this contained a cd with adamantix. Through this I have learned a lot and still be learning. Thanks to all people which have helped me a lot. Mainly on the irc chanel rsbac on freenode. text/html 2008-07-14T02:39:06+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_apache2?rev=1216003146&do=diff This is the modified apache2 init-script --- apache2_orginal 2008-07-01 14:33:17.000000000 +0200 +++ apache2 2008-07-02 18:11:08.000000000 +0200 @@ -115,6 +115,8 @@ fi done fi + echo "sleeping a bit, otherwise the port is blocking from dieing apache" + sleep 2 } # Stupid hack to keep lintian happy. (Warrk! Stupidhack!). @@ -126,7 +128,9 @@ #ssl_scache shouldn't be here if we're just starting up. [ -f /var/run/apache2/ssl_scache ] && rm -f /var/run/apache2/*ssl_s… text/html 2011-06-30T04:13:24+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_apcupsd?rev=1309407204&do=diff ; ; RSBAC JAIL definition for apcupsd ; 20110112 ; ; Tested by Jens Kasten ; ; on Gentoo(hardened) ; "" "lo" (allow-netlink allow-inet-raw allow-external-ipc allow-dev-write allow-dev-read auto-adjust-ip-address) (setgid setuid) () (rlimit) text/html 2008-07-12T04:35:16+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_cron?rev=1215837316&do=diff This is the modified cron init-script diff -u cron_org cron --- cron_org 2008-07-03 04:10:46.000000000 +0200 +++ cron 2008-07-03 04:12:02.000000000 +0200 @@ -23,7 +23,7 @@ case "$1" in start) log_daemon_msg "Starting periodic command scheduler" "crond" - start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES + run-jail cron start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr… text/html 2008-07-14T00:28:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_cups?rev=1215995319&do=diff --- cupsd_org 2008-07-14 02:28:06.000000000 +0200 +++ cupsd 2008-07-05 02:22:26.000000000 +0200 @@ -9,7 +9,7 @@ start() { ebegin "Starting cupsd" - start-stop-daemon --start --quiet --exec /usr/sbin/cupsd + run-jail cupsd start-stop-daemon --start --quiet --exec /usr/sbin/cupsd eend $? } text/html 2009-01-12T03:25:40+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_dbus?rev=1231730740&do=diff ; jail definition for dbus ; 29.08.2008 ; tested on gentoo by igraltist "" "lo" (allow-external-ipc allow-dev-get-status allow-dev-read allow-dev-write auto-adjust-ip-address private-namespace) (setgid setuid dac-override) (priority) () text/html 2011-06-30T05:01:29+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_ddclient?rev=1309410089&do=diff ; ; RSBAC JAIL definition for ddclient ; 11.02.2009 20110113 ; ; Installed versions: 3.7.3-r1(12:58:00 10.11.2010)(ssl) ; ; tested by: Jens Kasten (igraltist) ; ; tested on: Gentoo (Hardened) ; "" "" (allow-dev-read allow-dev-write allow-external-ipc allow-inet-raw allow-netlink) () () (rlimit) text/html 2011-06-30T04:58:34+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_dhcpd?rev=1309409914&do=diff ; ; RSBAC JAIL definition for dhcpd ; ; In the configuration file from dhcpd is set chroot ; and is changing to user and group dhcp. ; ; 20110111 ; ; Installed versions: 3.1.3_p1(12:09:38 06.05.2011)(kernel_linux -doc -minimal -selinux -static) ; ; Tested by Jens Kasten(igraltist) ; on Gentoo(hardened) ; "" "" (allow-dev-write allow-external-ipc allow-inet-raw allow-all-net-family) (net-raw sys-chroot dac-override chown net-bind-service setgid setuid) () () text/html 2008-07-14T02:56:12+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_dmeventd?rev=1216004172&do=diff --- dmeventd_org 2008-07-14 04:53:34.000000000 +0200 +++ dmeventd 2008-07-05 03:27:51.000000000 +0200 @@ -9,7 +9,7 @@ start() { ebegin "Starting dmeventd" - start-stop-daemon --start --exec /sbin/dmeventd --pidfile /var/run/dmeventd.pid + run-jail dmeventd start-stop-daemon --start --exec /sbin/dmeventd --pidfile /var/run/dmeventd.pid eend $? } text/html 2008-07-11T21:01:10+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_flags?rev=1215810070&do=diff run-jail.py with the dictionary jail_flags self.jail_flags = { "allow-dev-read": "-d", "allow-dev-write": "-D", "allow-external-ipc": "-i", "allow-all-net-family": "-n", "allow-inet-raw": "-r", "allow-tty-open": "-t", "allow-inet-localhost": "-o", "allow-dev-get-status": "-e", "allow-dev-mod-system": "-E", "allow-mount": "-u", "allow-sui… text/html 2011-06-30T04:28:43+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_ntpd?rev=1309408123&do=diff --- ntpd_org 2008-07-14 02:29:40.000000000 +0200 +++ ntpd 2008-07-05 01:52:18.000000000 +0200 @@ -22,7 +22,7 @@ checkconfig || return $? ebegin "Starting ntpd" - start-stop-daemon --start --exec /usr/sbin/ntpd \ + run-jail ntpd start-stop-daemon --start --exec /usr/sbin/ntpd \ --pidfile /var/run/ntpd.pid \ -- -p /var/run/ntpd.pid ${NTPD_OPTS} eend $? "Failed to start ntpd" text/html 2011-06-30T04:31:40+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_pdnsd?rev=1309408300&do=diff ; ; RSBAC JAIL definition for pdnsd ; 20081407,20110113 ; ; Installed versions: 1.2.8(10:37:18 10.11.2010)(urandom -debug -ipv6 -isdn -test) ; ; test by: Jens Kasten (igraltist) ; run on: Gentoo (hardened) ; ; daemon change user and group to pdnsd ; "" "0.0.0.0" (allow-external-ipc allow-dev-read allow-dev-write) (net-raw sys-ptrace net-bind-service setgid setuid) () () text/html 2008-07-14T06:34:30+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_ping?rev=1216017270&do=diff ; ; RSBAC JAIL definition ping ; 2.10.06 ; "" "0.0.0.0" ;"192.168.1.1" (allow-dev-write allow-dev-read allow-inet-raw) () () () ping rsbac.org This is execute now: rsbac_jail -D -d -r ping rsbac.org PING rsbac.org (81.169.183.215) 56(84) bytes of data. text/html 2009-01-12T03:19:16+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_portmap?rev=1231730356&do=diff --- portmap_org 2008-07-14 04:58:03.000000000 +0200 +++ portmap 2008-07-05 03:36:52.000000000 +0200 @@ -11,7 +11,7 @@ start() { ebegin "Starting portmap" - start-stop-daemon --start --quiet --exec /sbin/portmap -- ${PORTMAP_OPTS} + run-jail portmap start-stop-daemon --start --quiet --exec /sbin/portmap -- ${PORTMAP_OPTS} local ret=$? eend ${ret} # without, if a service depending on portmap is started too fast, text/html 2011-06-30T04:55:18+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_postfix?rev=1309409718&do=diff --- postfix_org 2008-07-14 04:43:40.000000000 +0200 +++ postfix 2008-07-14 02:05:07.000000000 +0200 @@ -12,7 +12,8 @@ start() { ebegin "Starting postfix" - postfix /usr/sbin/postfix start >/dev/null 2>&1 + run-jail postfix /usr/sbin/postfix start + #>/dev/null 2>&1 eend $? } @@ -24,6 +25,7 @@ reload() { ebegin "Reloading postfix" - postfix /usr/sbin/postfix reload >/dev/null 2>&1 + run-jail postfix /usr/sbin/postfix reload + #>/dev/null 2>&1 eend $? } text/html 2008-07-14T02:52:29+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_powernowd?rev=1216003949&do=diff --- powernowd_org 2008-07-14 04:49:20.000000000 +0200 +++ powernowd 2008-07-05 03:38:09.000000000 +0200 @@ -7,7 +7,7 @@ start() { ebegin "Starting powernowd" - /usr/sbin/powernowd -q ${POWERNOWD_OPTS} + run-jail powernowd /usr/sbin/powernowd -q ${POWERNOWD_OPTS} eend $? } text/html 2011-06-30T05:03:01+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_rklogd?rev=1309410181&do=diff ; ; RSBAC JAIL definition for rklogd ; 20110112 ; ; Tested by Jens Kasten (igraltist)) ; "" "lo" (allow-external-ipc allow-dev-write allow-dev-read private-namespace) () (rsbac-log) () text/html 2008-07-14T06:39:29+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_rsync?rev=1216017569&do=diff ; ; RSBAC JAIL definition for rsync ; 20080507 ; ; Tested by igraltist "" "0.0.0.0" (allow-external-ipc allow-dev-read allow-dev-write allow-ipc-parent) () () (rlimit) rsync This is execute now: rsbac_jail -i -d -D -P -M rlimit rsync rsync version 3.0.2 protocol version 30 text/html 2008-07-14T00:24:28+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_samba?rev=1215995068&do=diff --- samba_org 2008-07-14 02:21:38.000000000 +0200 +++ samba 2008-07-13 17:34:30.000000000 +0200 @@ -23,7 +23,13 @@ eval cmd_exec=\$${daemon}_${signal} if [ -n "${cmd_exec}" ]; then ebegin "${my_service_name} -> ${signal}: ${daemon}" - samba ${cmd_exec} > /dev/null + if [ "${signal}" = "start" ];then + #echo ${cmd} '->' ${!cmd} + run-jail samba ${cmd_exec} + # > /dev/null + else + ${cmd_exec} + fi last_result=$? eend ${last_result} fi text/html 2008-07-14T02:36:02+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_shorewall?rev=1216002962&do=diff ; ; RSBAC JAIL definition for shorewall ; 20080707 ; ; Tested by: ; igraltist on gentoo ; "" "0.0.0.0" (allow-dev-read allow-dev-write allow-dev-get-status allow-all-net-family allow-inet-raw allow-ipc-syslog allow-ipc-parent) (net-admin sys-resource setuid setgid net-raw) (firewall) (firewall net-id sysctl rlimit) text/html 2008-07-14T03:13:05+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_squid?rev=1216005185&do=diff --- squid_org 2008-07-14 05:09:33.000000000 +0200 +++ squid 2008-07-05 16:35:50.000000000 +0200 @@ -98,7 +98,7 @@ maxfds umask 027 cd $cdr - start-stop-daemon --quiet --start \ + run-jail squid start-stop-daemon --quiet --start \ --pidfile $PIDFILE \ --chuid $CHUID \ --exec $DAEMON -- $SQUID_ARGS < /dev/null text/html 2011-06-30T06:50:17+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_syslog-ng?rev=1309416617&do=diff --- syslog-ng_org 2008-07-14 02:42:13.000000000 +0200 +++ syslog-ng 2008-07-14 02:42:33.000000000 +0200 @@ -36,7 +36,7 @@ checkconfig || return 1 ebegin "Starting syslog-ng" [ -n "${SYSLOG_NG_OPTS}" ] && SYSLOG_NG_OPTS="-- ${SYSLOG_NG_OPTS}" - start-stop-daemon --start --quiet --exec /usr/sbin/syslog-ng ${SYSLOG_NG_OPTS} + run-jail syslog-ng start-stop-daemon --start --quiet --exec /usr/sbin/syslog-ng ${SYSLOG_NG_OPTS} eend $? "Failed to start syslog-ng" } text/html 2008-07-14T01:10:53+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_syslogd?rev=1215997853&do=diff This is the modified syslogd init-script. --- sysklogd_org 2008-07-03 05:22:39.000000000 +0200 +++ sysklogd 2008-07-11 16:23:35.000000000 +0200 @@ -59,7 +59,7 @@ start) echo -n "Starting system log daemon: syslogd" create_xconsole - start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD + rsbac_jail -Y -i-N start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD echo "." ;; stop) @@ -76,7 +76,7 @@ echo -n "Restarting system log daemon: syslogd"… text/html 2008-07-14T02:33:36+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_vixie-cron?rev=1216002816&do=diff --- vixie-cron_org 2008-07-14 02:36:08.000000000 +0200 +++ vixie-cron 2008-07-07 04:44:02.000000000 +0200 @@ -11,7 +11,7 @@ start() { ebegin "Starting vixie-cron" - start-stop-daemon --start --quiet --exec /usr/sbin/cron + run-jail vixie-cron start-stop-daemon --start --quiet --exec /usr/sbin/cron eend $? } text/html 2008-07-14T06:35:56+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/jail_wget?rev=1216017356&do=diff ; ; RSBAC JAIL definition wget ; ; "" "0.0.0.0" (allow-dev-write allow-dev-read) () () () wget rsbac.org This is execute now: rsbac_jail -D -d wget rsbac.org --2008-07-14 08:35:32-- http://rsbac.org/ text/html 2011-01-07T05:27:30+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/kernel_boot_parameters?rev=1294378050&do=diff Kernel boot parameters All paramaters depends on, that the modules are include in the kernel. See security models to get an overview. In the table below only the most often used parameters are listed. See kernel parameters to get all. Parameter Explanation rsbac_softmode*If the kernel does have softmode available, its turn it on. text/html 2011-01-07T13:39:28+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/kvm_guest_jail?rev=1294407568&do=diff Back to igraltist's experiences/KVM on RSBAC Start kvmguest with rsbac_jail Based on the run-jail script and kvm-admin i do this. kvm-jail-config ; ; RSBAC JAIL definition for kvm ; 20080507 ; ; Tested by igraltist ; "" "0.0.0.0" (allow-dev-read allow-dev-write allow-ipc-syslog allow-ipc-parent allow-inet-raw allow-all-net-family) (net-raw setgid setuid dac-override net-admin dac-read-search sys-resource sys-module) () (rlimit) text/html 2011-02-14T12:17:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/kvm-network?rev=1297685845&do=diff Back to igraltist's experiences / KVM Network What you need Here are listed some points, which maybe helpfull to use the kvm-qemu network. In most cases the user running a host machine thats already connected to internet or he wish to do that. From this stage this points are appears: text/html 2012-05-13T05:53:44+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/kvm?rev=1336888424&do=diff Back to igraltist's experiences/KVM on RSBAC Howto setup a kvm user on gentoo Software packages The listed software packages are required: * iproute2 (getnoo => sys-apps/iproute2,) * brctl (gentoo => net-misc/bridge-utils,) * tunctl (gentoo => sys-apps/usermode-utilities,) * tightvnc (gentoo text/html 2011-01-07T14:22:37+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/manpages?rev=1294410157&do=diff Back to igraltist's experiences/Manpages Manpage The manpages below are for rsbac version 1.4.4. The new manpages are in process. Manpages could be visited on external link in the moment: manpages * attr_get_net * attr_back_net * rc_get_eff_rights_fd * rc_set_item * attr_get_fd * pm_create * rc_get_current_role * attr_get_ipc * rc_copy_role * switch_adf_log * acl_mask * attr_get_process * attr_set_group * auth_set_cap * pm_ct_exec * rc_create_file * rc_r… text/html 2010-05-25T14:33:55+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/manual?rev=1274798035&do=diff Back to igraltist's experiences Manpage Manpages can visit in the moment on external link: manpages * attr_get_net * attr_back_net * rc_get_eff_rights_fd * rc_set_item * attr_get_fd * pm_create * rc_get_current_role * attr_get_ipc * rc_copy_role * switch_adf_log * acl_mask * attr_get_process * attr_set_group * auth_set_cap * pm_ct_exec * rc_create_file * rc_role_wrap * attr_get_file_dir * rsbac_check * attr_get_up * attr_get_user * attr_get_group … text/html 2009-10-28T23:12:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/patch_fix_pax?rev=1256771520&do=diff This site contain the patches wich are need if PAX was applied to the rsbac-kernel-source. Patches * svn_r_801 * svn_r_802 text/html 2010-07-15T23:24:19+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/patches?rev=1279236259&do=diff This site contain the patches which are need if PAX was applied to the rsbac-kernel-source. Get RSBAC source If a rsbac patch for the current kernel version is not available, then you can use the git repository to obtain the linux source with already included rsbac-patches. text/html 2011-09-11T17:57:48+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/rc_old?rev=1315763868&do=diff RC Module RC Testsetup Prepare the System to get more verbose description what is missing on RC you should set this debug options. Append in the ``/boot/grub/menu.lst`` for the used rsbac-kernel on line ``kernel`` rsbac_softmode rsbac_nosyslog rsbac_cap_process_hiding rsbac_debug_adf_auth rsbac_debug_adf_rc rsbac_debug_adf_jail rsbac_debug_adf_um rsbac_debug_jail_log_missing_rbsac_debug_cap_log_missing text/html 2012-07-28T10:20:54+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/rc?rev=1343470854&do=diff Back to igraltist's experiences /RSBAC RC RC Module Short explanation Default RSBAC with RC module is using this roles: * Gerneral_User 0 * Role_Admin 1 * System_Admin 2 * Auditor 3 to run the system. The permission for this roles are predefined. All this roles can be modify. This page show only snippets or some ideas of using the RC module not a whole working setup for a server or desktop. text/html 2012-07-21T20:01:34+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/run-jail?rev=1342900894&do=diff Back to igraltist's experiences/JAIL run-jail Iam using my own tool to manage the RSBAC JAIL. See the mericurial repository. Prepearation Three important necessary preparations are have to be done. * Enable jail support in the kernel. * Enable RSBAC Debug support (RSBAC ---> General Options ---> [*]RSBAC-Debugging), needed for developing the jail polices. text/html 2008-07-11T22:55:05+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/scd_flags?rev=1215816905&do=diff the run-jail.py dictionary scd self.scd = { "time-strucs": "time_strucs", "clock": "clock", "host-id": "host_id", "net-id": "net_id", "ioports": "ioports", "rlimit": "rlimit", "swap": "swap", "syslog": "syslog", "rsbac": "rsbac", "rsbac-log": "rsbac_log", "other": "other", "kmem": "kmem", "network": "network"… text/html 2013-08-09T11:57:55+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/setup?rev=1376049475&do=diff back to igraltist experiences New home directory To make the user management easier I create a subdirectories for admin users and normal users. There are many reasons to do this. One of this is, I will protect the home directories with ACL RC module. For convention I use this structure: text/html 2012-07-21T20:10:43+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rsbac.org/wiki/experiences/igraltist/um-gentoo?rev=1342901443&do=diff Back to igraltist's experiences UM on Gentoo Linux System preparation The description below take the case to only use authenticate against rsbac. Read this howto handbook user-managment and migrating users and groups to rsbac management. The point 9. is valid for a Debian system. On a Gentoo is the main file to edit '/etc/pam.d/system-auth'.