[rsbac] Good stuff

Amon Ott ao at rsbac.org
Mon Oct 25 09:09:13 CEST 2004


On Sunday, 24 October 2004 17:57, Nick Vasiliev wrote:
> Hey guys, I have been playing around with RSBAC for a
> couple of days and I have to say, good stuff. Keep it

Thanks for the flowers. :)

> up. I do have a couple of questions. I have read the
> documentation you provided at your site and at
> books.rsbac.org however it left a lot of things
> unanswered.

Yeah, I know. Many of them.
 
> Under pkgs/ssh I have auth_may_setuid 1
> However when the process starts up by itself I can't
> log in via SSH because remote access SUID is denied.
> Now if I go into processes menu and select SSH as the
> process then I will be able to manually set it in
> there to allow auth_may_setuid to 1. However if I
> restart the service and it has a new PID it will not
> work any more, and will be set back to 0. 

Did you cross check that your /usr/sbin/sshd binary has 
auth_may_setuid set, not e.g. /etc/init.d/ssh or /usr/bin/ssh?
 
> Second question that I have, is that I am unsure about
> how the permissions and ACLs work together. For
> example if I deny a user permission to a file, and
> then allow it with the ACL it wouldn't work, I have
> been trying to tweak something here and there for a
> while. Any ideas?

RSBAC restrictions are additional to the Linux permissions. There are 
three ways to override the Linux permissions:

Per user / CAP module: Set a min_caps value to give this user Linux 
capabilities with rsbac_user_menu <user>

Per program / CAP module: Set a min_caps value to give this program 
Linux capabilities with rsbac_fd_menu <path>

Per target dir tree: Use linux2acl tool to convert Linux rights to an 
ACL script, apply this script, disable Linux rights checking for this 
dir with rsbac_fd_menu <dir> (needs an RSBAC kernel option) and then 
tweak the ACLs as required.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22