[rsbac] Reply: Re: [rsbac] Backup problem
Amon Ott
rsbac@rsbac.org
Thu Aug 8 15:28:01 2002
On Thursday, 8. August 2002 14:00, ghorvath@minolta.hu wrote:
> On Thursday, 8. August 2002 10:06, ghorvath@minolta.hu wrote:
> > I am using 1.2.1-pre1 because when I wanted to update my working config
> > was unable even to start my machine. But this is another story.
> > 1. At me, System Admin role doesn't have access to SCD [network nor
> > firewall] at all. The problem is when I make a backup and restore it, it
> > will have full access.
> > 2. The same with NET{DEV,TEMP,OBJ} System Admin role has NO access to
> > these. Contrary to this after a backup/restore it will.
>
> The problem here is the default settings for an unconfigured system.
> -----------
> Yes I understand this, but why doesn't the backup script save my null
> rights into the file, and then the restore process should overwrite the
> default settings? Like with SCD [host_id]?
Null rights items get removed in the data structures, so we can only guess
where items should be zeroed - probably in the default cases. It would have
worked, if you had left a single right active.
A possible workaround is to remove roles 0-2 before restore to get all rights
revoked:
rc_set_item role ROLE <num> remove_role
The current rsync version of the tools now includes a new switch -r to
rc_get_item backup, which adds this for every role in the backup. This switch
is also used in backup_all.
But you then have to switch off RC module or use maint kernel on restore!
> > 3. By the way, after a backup in the backup file I will find
> > "attr_set_file_dir //etc/.." instead of "attr_set_file_dir FD //etc/..". I
> > have to make the changes by hand (I have a small script for it :-). Is
> > this normal or it is not but it is corrected in a later version?
>
> It should work nevertheless, because FD is the default target and gets used
> when missing. Will correct this.
> -------------
> Unfortunately it doesn't work. At least not with 1.2.1-pre1. Right now I
> am testing pre4.
Some (but not all) FD outputs were missing in attr_back_fd, I have put them
in. Also in rsync version, just sync it into your -pre4 tree.
Amon.
--
http://www.rsbac.org
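
The manual fix discussed in point 3 of the thread, as an added example (not part of the original message and not RSBAC project code): a filter that inserts the missing FD target into attr_set_file_dir lines of a backup file before restore. It assumes an affected line has the path, optionally quoted and starting with "/", as the first argument; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: repair backup lines written without the FD target type.
# Assumption: in an affected line the first argument after the command is
# the path itself (starts with "/" or with a quote followed by "/").

# Constructed sample of a backup file; ATTR and VALUE are placeholders.
SAMPLE='attr_set_file_dir //etc/passwd ATTR VALUE
attr_set_file_dir FD //etc/shadow ATTR VALUE
attr_set_file_dir "/etc/ssh" ATTR VALUE
rc_set_item ROLE 0 ATTR VALUE'

# fix_fd_targets [FILE...]
# Reads backup lines from FILE(s) or stdin and writes them to stdout.
# Only attr_set_file_dir lines without a target type are changed, so the
# filter can be run again on its own output without adding a second FD.
fix_fd_targets() {
    awk '
        $1 == "attr_set_file_dir" && $2 ~ /^"?\// {
            # Path follows the command directly: insert the FD target.
            sub(/^[ \t]*attr_set_file_dir[ \t]+/, "&FD ")
        }
        { print }
    ' "$@"
}

# count_missing_fd [FILE...]
# Prints how many attr_set_file_dir lines still lack a target type;
# 0 means the backup file needs no repair.
count_missing_fd() {
    awk '
        $1 == "attr_set_file_dir" && $2 ~ /^"?\// { n++ }
        END { print n + 0 }
    ' "$@"
}
```

Run count_missing_fd on the backup file first; if it prints a non-zero number, pipe the file through fix_fd_targets into a new file and restore from that.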