To make user management easier I create subdirectories for admin users and for normal users.
There are many reasons to do this. One of them is that I will protect the home directories with the ACL and RC modules.
By convention I use this structure:
```
/home/
  admins/
    backuper/
    configer/
    security/
    updater/
  users/
    my_name/
```
So, update `/etc/passwd` for your users accordingly.
Add a new file in `/etc/profile.d`. Copy and paste it, or download it from profile.
```sh
# used by run-jail: symlinks in /usr/local/jails are found before the real binaries
PATH=/usr/local/jails:$PATH
export PATH

# for RC module to display the role name in the prompt
rc_role_number=$(rc_get_current_role 2> /dev/null | awk '{ print $5 }')
rc_role=$(rc_get_item ROLE $rc_role_number name 2> /dev/null)
# the original tested the unset variable $role; the name is stored in $rc_role
if [ "$rc_role" != "" ]; then
    export PS1="($rc_role) $PS1"
fi
```
This is not strictly necessary, but it is practical when using `run-jail` to put `ping` or `wget` into a jail. The reason is that with this path prepended, `bash` searches `/usr/local/jails` first, so if there is a symlink named `ping` (or any other name) there, it is the one executed.
The script `run-jail-helper` can create such a symlink and create or modify a jail policy:
```
run-jail-helper -h
usage: run-jail-helper [-h] [-m MODIFY] [-c CREATE] [-p PROG_NAME]

optional arguments:
  -h, --help            show this help message and exit
  -m MODIFY, --modify MODIFY
                        Modify a jail configuration file.
  -c CREATE, --create CREATE
                        Create a dummy jail configuration file.
  -p PROG_NAME, --prog-name PROG_NAME
                        Create a symlink so that a the progam is execute in RSBAC jail always. The '/etc/profile' have to prepared.
```
Why does the package management have to be modified?
An admin user, updater, will manage the package management. The updater shell script can leave a file with RSBAC attributes that has to be executed at the end of every install procedure. Therefore I use the package manager hooks to do this.
This differs for every distribution. I use Gentoo and Debian, so I have a way to plug in on those systems.
I refer to the home directory setup above.
For Gentoo, a new file `/etc/portage/bashrc` is needed.
Copy and paste it, or download it here: bashrc.
This is a prototype and may change a bit in the future. I am testing the structure at the moment.
```sh
post_pkg_postinst() {
    # system-wide policy shipped in /etc/rsbac
    rsbac_attributes_initial="/etc/rsbac/packages/${CATEGORY}/${PN}/${PF}.sh"
    # policy left by the updater admin user in its home directory
    rsbac_attributes="/home/admins/updater/packages/${CATEGORY}/${PN}/${PF}.sh"
    einfo "Applying rsbac attributes:"
    # first policy
    if [ -f "${rsbac_attributes_initial}" ]; then
        sh "${rsbac_attributes_initial}"
    else
        einfo "No rsbac attribute initial available"
    fi
    # second policy, if found
    if [ -f "${rsbac_attributes}" ]; then
        sh "${rsbac_attributes}"
    else
        einfo "No rsbac attribute available"
    fi
}
```
For Debian, a new file `/etc/apt/apt.d/80rsbac` is needed.
Copy and paste it, or download it here: 80rsbac.
Not yet tested.
```
// Not yet tested. ${CATEGORY}, ${PN} and ${PF} are Portage variables that dpkg
// does not set, so both paths stay incomplete until a Debian equivalent is supplied.
// apt.conf strings cannot span lines, which is why the hook is one long line.
DPkg::Post-Invoke {
    "rsbac_attributes_initial=/etc/rsbac/packages/${CATEGORY}/${PN}/${PF}.sh; rsbac_attributes=/home/admins/updater/packages/${CATEGORY}/${PN}/${PF}.sh; echo 'Applying rsbac attributes:'; if [ -f $rsbac_attributes_initial ]; then sh $rsbac_attributes_initial; else echo 'No rsbac attribute initial available'; fi; if [ -f $rsbac_attributes ]; then sh $rsbac_attributes; else echo 'No rsbac attribute available'; fi";
};
```
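Both hooks above run a script from the updater's home directory as root at the end of every install. The following is an added shell example, not code from the page, of the same two-stage lookup with an ownership and permission check on the updater's script before it is run; the roots, the owner name and the status words are parameters and output of the example, not anything the page defines.

```shell
# apply_rsbac_attrs INITIAL_ROOT UPDATER_ROOT CATEGORY PN PF OWNER
# Runs INITIAL_ROOT/CATEGORY/PN/PF.sh if it exists (the system policy), then
# UPDATER_ROOT/CATEGORY/PN/PF.sh only when it is a regular file (not a
# symlink) owned by OWNER with no group or world write bit. Prints one status
# word per stage; returns 1 when the updater's script was refused.
apply_rsbac_attrs() {
    initial="$1/$3/$4/$5.sh"
    override="$2/$3/$4/$5.sh"
    owner="$6"
    status=0

    # first policy: the system default (on the page: /etc/rsbac/packages/...)
    if [ -f "$initial" ]; then
        sh "$initial"
        echo "initial:applied"
    else
        echo "initial:missing"
    fi

    # second policy: the updater's own file from its home directory
    if [ -e "$override" ]; then
        # POSIX find without -L: a symlink is -type l, so it is refused too
        if [ -n "$(find "$override" -type f -user "$owner" \
                    ! -perm -020 ! -perm -002 -print)" ]; then
            sh "$override"
            echo "override:applied"
        else
            echo "override:refused"
            status=1
        fi
    else
        echo "override:missing"
    fi
    return "$status"
}
```

In the real hook the roots would be `/etc/rsbac/packages` and `/home/admins/updater/packages` and the owner `updater`, as on the page.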
When using an NFSv4 share to manage the portage tree, some modifications have to be made.
```sh
addgroup --gid 410 updater
adduser --home /srv/nfs4/portage --gid 410 --uid 410 --disabled-password --disabled-login updater
```
Export in `/etc/exports`:
```
/srv/nfs4/portage 192.168.0.0/24(rw,sync,insecure,nohide,no_subtree_check,root_squash)
```
Bind mount in `/etc/fstab`:
```
/mnt/portage /srv/nfs4/portage none bind 0 0
```
```sh
cd /srv/nfs4/portage
chown updater:updater -Rv .
find -type d | xargs chmod 755
find -type f | xargs chmod 640
```
When the portage tree is mounted via NFS, RSBAC creates a directory `rsbac.dat` there, which rsync cannot remove:
```
rsync: readdir("/usr/portage/rsbac.dat"): Operation not permitted (1)
rsync: delete_file: rmdir(rsbac.dat) failed: Operation not permitted (1)
```
To exclude it, edit `make.conf` and add this line:
```
PORTAGE_RSYNC_EXTRA_OPTS="--exclude=/rsbac.dat"
```