[rsbac] rsbac RC tutorial

Arkady A Drovosekov drawa at suct.uu.ru
Fri Mar 28 17:42:42 MET 2003


On Fri, Mar 28, 2003 at 12:59:06PM +0100, Thorsten Sauter wrote:
> 1. I'm looking for some realworld examples (eg. protecting
> sendmail/ssh/ftp)
ex:
attr_set_file_dir -a CAP FILE /usr/sbin/sendmail min_caps NET_BIND_SERVICE
? attr_set_file_dir -a CAP FILE /usr/sbin/sendmail min_caps SETUID
? auth_set_cap FILE add /usr/sbin/sendmail 1000 65534
add system user 'sendmail'
run sendmail as user 'sendmail'

> 4. I'm trying to run apache without root right. For this I have simply
> applied the Linux CAP through the FF modules to /usr/sbin/apache. I'm
> not sure if this is a good way, is it? Maybe not the best way to do
> everything on filesystem base.
Apache's sources contain some checks for the uid like this:
if (!getuid()) {
you have to change them to something like:
if (1 || !getuid()) {

change config.layout to put all var files into one dir (/var/apache-r3 here)
after recompiling you can apply something like this:

daemon=/usr/local/apache-r3/lib/apache-r3
var=/var/apache-r3
init_user=www-init
work_user=www-data
attr_set_file_dir CAP FILE "$daemon" min_caps SETGID SETUID NET_BIND_SERVICE
auth_set_cap FILE add "$daemon" "$work_user"
attr_set_file_dir DIR "$var" linux_dac_disable 1
acl_grant -r -s -u $init_user RW FD "$var"
# ??? acl_grant -r -s -u $work_user RW FD "$var"

and change apache.conf
-- 
Best regards,
Arkady
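An added example (not from the post or from Apache's or RSBAC's code) of what the `if (!getuid())` check above can be replaced with instead of `1 ||`: a worker started as a dedicated user decides whether it may bind port 80 by testing its effective capability set (the CapEff line of /proc/self/status) for CAP_NET_BIND_SERVICE, which is the capability the min_caps grant hands it. The status text and capability bit numbers are assumptions taken from the Linux /proc and <linux/capability.h> formats; the sample status excerpt is constructed.

```c
/* Added example, not from the post: a capability-aware replacement for the
 * "if (!getuid())" root test in Apache's sources.  A worker started as a
 * dedicated user may still bind port 80 if its effective capability set
 * contains CAP_NET_BIND_SERVICE, which is what the RSBAC min_caps grant gives. */
#include <stdlib.h>
#include <string.h>

#define CAP_SETGID            6   /* bit numbers from <linux/capability.h> */
#define CAP_SETUID            7
#define CAP_NET_BIND_SERVICE 10

/* Constructed /proc/<pid>/status excerpt for a non-root worker (uid 33) that
 * holds only CAP_NET_BIND_SERVICE (bit 10 -> 0x400). */
static const char SAMPLE_STATUS[] =
    "Name:\thttpd\nUid:\t33\t33\t33\t33\n"
    "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n";

/* 1 if capability bit `cap` is set in the hex mask `mask_hex`, else 0. */
int cap_in_mask(const char *mask_hex, int cap)
{
    if (cap < 0 || cap >= 64) return 0;
    return (int)((strtoull(mask_hex, NULL, 16) >> cap) & 1ULL);
}

/* Copy the CapEff value out of a status text into `out` (at least 17 bytes);
 * 1 on success, 0 if the line is absent or does not fit. */
int parse_capeff(const char *status_text, char *out, size_t outlen)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return 0;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\n");
    if (n == 0 || n + 1 > outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Decide from a status text whether the process may bind a privileged port.
 * A missing CapEff line is treated as "no" instead of falling back to uid 0. */
int may_bind_privileged_port(const char *status_text)
{
    char hex[32];
    if (!parse_capeff(status_text, hex, sizeof hex)) return 0;
    return cap_in_mask(hex, CAP_NET_BIND_SERVICE);
}
```

Feeding the contents of /proc/self/status to may_bind_privileged_port() gives the live check for the running process; the constant above only stands in for that file.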

