wiki:experiences:igraltist:acl [2012/07/21 19:50] – (old revision restored) 127.0.0.1 | wiki:experiences:igraltist:acl [2012/07/21 19:54] – (old revision restored) 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
[[wiki: | [[wiki: | ||
+ | |||
Line 15: | Line 16: | ||
The AUTH and or the RC module is much comfortable. | The AUTH and or the RC module is much comfortable. | ||
All have to do as security user (uid 400). | All have to do as security user (uid 400). | ||
+ | |||
+ | ===== 2. Create your first ' | ||
+ | |||
+ | Named as example Suing.\\ | ||
+ | The P is using as type Private. The other options is G as type Global.\\ | ||
+ | The number 1 on then and set the group-id. So it was empty on test befor and therefor i using the number 1. | ||
+ | |||
+ | <code bash> | ||
+ | $acl_group add_group P Suing 1 | ||
+ | </ | ||
+ | |||
+ | ===== 3. Controll the setup ===== | ||
+ | |||
+ | <code bash> | ||
+ | $acl_group list_groups | ||
+ | Group 1: owner 400 (security), type P, name ' | ||
+ | </ | ||
+ | |||
+ | ===== 4. Add this new created ' | ||
+ | |||
+ | The subj_type is GROUP.\\ | ||
+ | The subj_id is the group-id number from previous created group.\\ | ||
+ | The rights is A which grant all.\\ | ||
+ | The target-type is FILE.\\ | ||
+ | The filename is the absolute pathname /bin/su. | ||
+ | |||
+ | <code bash> | ||
+ | $acl_grant GROUP 1 A FILE /bin/su | ||
+ | </ | ||
+ | |||
+ | ===== 5. Add the user(s) to the new create ' | ||
+ | |||
+ | The number 1 after add_member indicates the group-id number.\\ | ||
+ | The number 1000 is in my case the first default user-id.\\ | ||
+ | |||
+ | <code bash> | ||
+ | $acl_group add_member 1 1000 | ||
+ | </ | ||
+ | |||
+ | ===== 6. Check the ' | ||
+ | |||
+ | <code bash> | ||
+ | $acl_group get_group_members 1 | ||
+ | 1000 jens | ||
+ | </ | ||
+ | |||
+ | ===== 7. List the ' | ||
+ | |||
+ | List the rights and save it to restore later. | ||
+ | < | ||
+ | $acl_rights FILE / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ===== 8. Change the default ' | ||
+ | |||
+ | The rights [-s] is set to 0.\\ | ||
+ | The target-type is FILE.\\ | ||
+ | The filename is the absolute path /bin/su. | ||
+ | |||
+ | <code bash> | ||
+ | $acl_mask -s 0 FILE /bin/su | ||
+ | </ | ||
+ | |||
+ | ===== 9. List again the ' | ||
+ | |||
+ | < | ||
+ | $acl_rights FILE / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | From now on, only member from ' | ||
+ | |||
+ | ===== 10. Test change user as root user ===== | ||
+ | |||
+ | <code bash>su - security | ||
+ | -bash: /bin/su: Operation not permitted | ||
+ | </ | ||
+ | |||
+ | This is the output from security-log. | ||
+ | |||
+ | <code bash | ||
+ | Wed Nov 3 12:54:01 2010 :< | ||
+ | </ | ||
+ | |||
+ | The root user don't have EXECUTE rights, because befor we remove with acl_mask the default rights and set them to zero. | ||
+ | |||
+ | ===== 11. Remove an user from ACL ===== | ||
+ | For example to remove an user from a acl file entry: | ||
+ | <code bash> | ||
+ | acl_grant -m USER " | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== 12. Example to prevent an user to use dmesg ===== | ||
+ | Create a acl group to assing to file / | ||
+ | <code bash> | ||
+ | acl_group add_group P Dmesg 2 | ||
+ | </ | ||
+ | |||
+ | Add the acl group to the file. | ||
+ | <code bash> | ||
+ | acl_grant GROUP 2 A FILE /bin/dmesg | ||
+ | </ | ||
+ | |||
+ | Remove all default entries from the target file. | ||
+ | <code bash> | ||
+ | acl_mask -s 0 FILE /bin/dmesg | ||
+ | </ | ||
+ | |||
+ | Try the setup. | ||
+ | <code bash> | ||
+ | dmesg | ||
+ | -bash: /bin/dmesg: Operation not permitted | ||
+ | </ | ||
+ | |||
+ | Visit the rsbac logfile. | ||
+ | <code bash> | ||
+ | Fri Jul 1 06:09:32 2011 :< | ||
+ | Fri Jul 1 06:09:34 2011 :< | ||
+ | </ | ||
+ | |||
+ | ===== Conclusion ===== | ||
+ | |||
+ | The ' | ||
+ | |||
+ | This example can easy modify to use on other cases. | ||
+ | |||
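Review bot: the restore promised in step 7 ("List the rights and save it to restore later") is never shown; since `acl_mask -s 0 FILE /bin/su` in step 8 also strips root's EXECUTE right (as the step 10 denial and the step 10 explanation confirm), the page leaves the system in that state, so add the commands that put the saved default rights back on /bin/su after the test. The positive case is missing as well: the member added in step 5 (uid 1000) is never shown running su successfully, which is the check a reader needs to confirm the `acl_grant GROUP 1 A FILE /bin/su` entry actually works before the defaults are masked. Minor markup point: the code tag opening the security-log block in step 10 reads `<code bash` and lacks the closing `>` that every other block on the page has.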