[rsbac] rsbac RC tutorial

Thorsten Sauter tsauter at gmx.net
Fri Mar 28 15:20:37 MET 2003


On Fri, Mar 28, 2003 at 05:42:42PM +0500, Arkady A Drovosekov wrote:
> On Fri, Mar 28, 2003 at 12:59:06PM +0100, Thorsten Sauter wrote:
> > 1. I'm looking for some realworld examples (eg. protecting
> > sendmail/ssh/ftp)
> ex:
> attr_set_file_dir -a CAP FILE /usr/sbin/sendmail min_caps NET_BIND_SERVICE
> ? attr_set_file_dir -a CAP FILE /usr/sbin/sendmail min_caps SETUID
> ? auth_set_cap FILE add /usr/sbin/sendmail 1000 65534
> add system user 'sendmail'
> run sendmail as user 'sendmail'
uh. a little bit too complex for me. I'm currently still in the "using
dialog" phase :)
But I'll try to understand the example.

> > 4. I'm trying to run apache without root rights. For this I have simply
> > applied the Linux CAP through the FF modules to /usr/sbin/apache. I'm
> > not sure if this is a good way, is it? Maybe not the best way to do
> > everything on filesystem base.
> apache contains in the sources some checks for uid like that:
> if (!getuid()) {
> you have to change it to something like:
> if (1 || !getuid()) {
> 
> change config.layout to put all var files into one dir (/var/apache-r3 here)
> after recompiling you can apply something like this:
> 
> daemon=/usr/local/apache-r3/lib/apache-r3
> var=/var/apache-r3
> init_user=www-init
> work_user=www-data
> attr_set_file_dir CAP FILE "$daemon" min_caps SETGID SETUID NET_BIND_SERVICE
> auth_set_cap FILE add "$daemon" "$work_user"
> attr_set_file_dir DIR "$var" linux_dac_disable 1
> acl_grant -r -s -u $init_user RW FD "$var"
> # ??? acl_grant -r -s -u $work_user RW FD "$var"
> 
> and change apache.conf
hmm. I have successfully set up apache without changing the source code.
CAP_DAC_OVERRIDE, CAP_NET_BIND_SERVICE. Is this not a good way?

Thanks for the reply
Thorsten

-- 
Thorsten Sauter
<tsauter at gmx.net>

				(Is there life after /sbin/halt -p?)
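As an added example (not part of this thread and not one of the RSBAC tools), a small POSIX shell check that reads a daemon's effective capability mask (CapEff in /proc/PID/status) and verifies it holds nothing beyond the min_caps list quoted above, so the result of the CAP module setup can be confirmed on the running process. Bit numbers are the Linux CAP_* values; the table covers only the capabilities named in the thread.

```shell
#!/bin/sh
# Added example: verify a running daemon kept only the intended min_caps.
# Capability bit numbers from the Linux kernel (<linux/capability.h>);
# only the capabilities mentioned in the mail thread are listed.
cap_bit() {
    case "$1" in
        DAC_OVERRIDE)     echo 1 ;;
        SETGID)           echo 6 ;;
        SETUID)           echo 7 ;;
        NET_BIND_SERVICE) echo 10 ;;
        *) echo "unknown cap: $1" >&2; return 1 ;;
    esac
}

# caps_to_mask "SETGID SETUID NET_BIND_SERVICE" -> hex mask (here: 4c0)
caps_to_mask() {
    m=0
    for c in $1; do
        b=$(cap_bit "$c") || return 1
        m=$(( m | (1 << b) ))
    done
    printf '%x\n' "$m"
}

# mask_within HEXMASK "CAP ..." -> 0 if HEXMASK holds no cap outside the list,
# 1 if extra capabilities are present (they are reported on stderr)
mask_within() {
    have=$(( 0x$1 ))
    wantx=$(caps_to_mask "$2") || return 2
    want=$(( 0x$wantx ))
    extra=$(( have & ~want ))
    [ "$extra" -eq 0 ] && return 0
    printf 'unexpected caps in mask 0x%x: 0x%x\n' "$have" "$extra" >&2
    return 1
}

# check_pid PID "CAP ..." -> reads CapEff of the process and applies mask_within
check_pid() {
    eff=$(sed -n 's/^CapEff:[[:space:]]*//p' "/proc/$1/status") || return 2
    [ -n "$eff" ] || return 2
    mask_within "$eff" "$2"
}

# usage (apache worker from the mail; pid lookup is an assumption):
# check_pid "$(pidof apache-r3)" "SETGID SETUID NET_BIND_SERVICE"
```

A root process that was never restricted shows a mask such as 0000003fffffffff and fails the check, which is the quickest way to notice that min_caps did not take effect.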

