
This is an old revision of the document!


12. Example: preventing a user from using dmesg

Create an ACL group to assign to the file /bin/dmesg.

acl_group add_group P Dmesg 2

Add the acl group to the file.

acl_grant GROUP 2 A FILE /bin/dmesg

Remove all default entries from the target file.

acl_mask -s 0 FILE /bin/dmesg

Try the setup.

dmesg
-bash: /bin/dmesg: Operation not permitted

Check the RSBAC log file.

Fri Jul  1 06:09:32 2011 :<6>0000000416|rsbac_adf_request(): request GET_STATUS_DATA, pid 15922, ppid 15921, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL
Fri Jul  1 06:09:34 2011 :<6>0000000417|rsbac_adf_request(): request EXECUTE, pid 10231, ppid 15922, prog_name bash, prog_file /bin/bash, uid 1000, remote ip 192.168.1.5, target_type FILE, tid Device 253:14 Inode 72435 Path /bin/dmesg, attr none, value none, result NOT_GRANTED by ACL

Conclusion

The 'ACL' module offers good possibilities and is easy to use.

This example can easily be modified for use in other cases.

wiki/experiences/igraltist/acl-su.1342900693.txt.gz · Last modified: 2012/07/21 21:58 by 127.0.0.1