| wiki:experiences:telmich [2005/12/30 14:31] – 84.161.74.190 | wiki:experiences:telmich [2006/05/02 13:40] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 5: | Line 5: | ||
| * motivated developers | * motivated developers | ||
| * small community (still) | * small community (still) | ||
| + | * still unknown to many people out there | ||
| + | |||
| + | ====== TODO ====== | ||
| + | |||
| + | Things I want to achieve / do with RSBAC: | ||
| + | |||
| + | - Create a new user, who | ||
| + | - may create, delete and modify other users (like an end-user-compatible user manager) | ||
| + | - Understand and use PM (there is no " | ||
| + | - Create a new user, who can shutdown / reboot the system | ||
| + | - use jails | ||
| + | - use rsbac_mod for apache, as soon as vhosts are supported | ||
| + | - test daemons, check whether they can run with rsbac | ||
| + | - test cinit with RSBAC | ||
| ====== common problems ====== | ====== common problems ====== | ||
| Line 12: | Line 26: | ||
| When you have enabled ssh (see below) you may be able to **directly** log in as //you// or **root**, but using __su__ | When you have enabled ssh (see below) you may be able to **directly** log in as //you// or **root**, but using __su__ | ||
| or __sudo__ may fail, because a program is normally **not** allowed to setuid (change its owner) to another user; this is the AUTH module's CHANGE_OWNER check. | or __sudo__ may fail, because a program is normally **not** allowed to setuid (change its owner) to another user; this is the AUTH module's CHANGE_OWNER check. | ||
| + | |||
| + | ===== upgrading your system ===== | ||
| + | |||
| + | When you upgrade your system (especially ssh, login or pam) you may lose complete control | ||
| + | over your system, as I did a few seconds ago: | ||
| + | |||
| + | - I logged in as root | ||
| + | - I typed " | ||
| + | - I went away, shopping for the company | ||
| + | - I came back and wanted to login as " | ||
| + | - The answer was " | ||
| + | |||
| + | What happened? | ||
| + | - The update saw that there were new packages, and dist-upgrade installed them | ||
| + | - The dist upgrade replaced /// | ||
| + | - The inode of /bin/login changed | ||
| + | - The old settings for /bin/login vanished | ||
| + | - I am not able to login anymore | ||
| + | - sshd also got replaced, so the connection is reset by the rsbac host | ||
| + | |||
| + | **How to solve the problem** | ||
| + | - I am trying it right now... | ||
| + | - I rebooted the system | ||
| + | - At the grub prompt I added // | ||
| + | - Now I am able to log in as rsbac_400 on the console (at least in theory; it still boots) | ||
| + | - And now I can restore the standard settings: | ||
| + | - Allow /bin/login to setuid (use // | ||
| + | - Allow / | ||
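The lockout above has a simple cause: RSBAC keys FD attributes and AUTH capabilities to the inode, so when the package manager replaces /bin/login or sshd the new file carries none of the old settings. The following is an added example, not code from this wiki page or from the RSBAC project: a small POSIX shell helper that records the inodes of the login-critical binaries before a dist-upgrade, dumps their RSBAC settings with the admin tools attr_back_fd and auth_back_cap (assumed here to be installed and to print restore commands that address the file by path), and reports afterwards which binaries were replaced. The file list and the snapshot directory are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the wiki page or the RSBAC project.
# Snapshot the RSBAC-relevant binaries before a dist-upgrade and find out
# afterwards which ones the package manager replaced (new inode => the FD
# attributes and AUTH capabilities RSBAC stored for the old inode are gone).
#
# Assumptions (not taken from the page): the RSBAC admin tools attr_back_fd
# and auth_back_cap exist on the box and print shell commands that restore
# the attributes / AUTH capabilities of the given path. The file list and
# snapshot directory are illustrative.

CRITICAL_FILES="/bin/login /usr/sbin/sshd /bin/su /usr/bin/sudo"
SNAPSHOT_DIR="${SNAPSHOT_DIR:-/var/lib/rsbac-snapshot}"

# Inode number of a path (ls -i is POSIX, so this also works without GNU stat).
inode_of() {
    ls -id "$1" 2>/dev/null | awk '{print $1}'
}

# Before the upgrade: record inodes and, if the RSBAC tools are present,
# the commands that re-create each file's attributes and capabilities.
snapshot_attrs() {
    mkdir -p "$SNAPSHOT_DIR"
    : > "$SNAPSHOT_DIR/inodes"
    : > "$SNAPSHOT_DIR/restore.sh"
    for f in $CRITICAL_FILES; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$f" "$(inode_of "$f")" >> "$SNAPSHOT_DIR/inodes"
        if command -v attr_back_fd >/dev/null 2>&1; then
            attr_back_fd "$f" >> "$SNAPSHOT_DIR/restore.sh"
        fi
        if command -v auth_back_cap >/dev/null 2>&1; then
            auth_back_cap "$f" >> "$SNAPSHOT_DIR/restore.sh"
        fi
    done
}

# Exit 0 if the inode recorded for $1 differs from its current inode.
# Usage: inode_changed /bin/login 12345
inode_changed() {
    ic_path="$1"
    ic_old="$2"
    [ "$(inode_of "$ic_path")" != "$ic_old" ]
}

# After the upgrade, while the root session is still open: list every file
# whose inode changed. Those are the binaries whose RSBAC settings vanished;
# re-apply them (as rsbac_400) with the generated restore.sh before logging out.
# Returns the number of replaced files as its exit status.
check_after_upgrade() {
    changed=0
    while read -r path old; do
        if inode_changed "$path" "$old"; then
            echo "REPLACED: $path (inode $old -> $(inode_of "$path"))"
            changed=$((changed + 1))
        fi
    done < "$SNAPSHOT_DIR/inodes"
    return "$changed"
}
```

Run `snapshot_attrs` before `apt-get dist-upgrade`, `check_after_upgrade` afterwards in the same root session, and apply `$SNAPSHOT_DIR/restore.sh` as rsbac_400 for anything reported. Keeping that session open is the point: once you log out with the settings gone, only the console route described above gets you back in.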
| ====== HOWTO ====== | ====== HOWTO ====== | ||
| Line 155: | Line 197: | ||
| - call / | - call / | ||
| - That's how it worked here | - That's how it worked here | ||
| - | |||
| - | |||
| ==== configuring apache (http server) ==== | ==== configuring apache (http server) ==== | ||
| [[http:// | [[http:// | ||
| - | But before you start, you may want to create an RC type for every directory directly below the root directory. | + | |
| - | Do this in soft mode. | + | |
| - | Go to rsbac_menu, then RC Types: | + | |
| - | there choose FD File/Dir type name and New Type: Enter type number to add; just press Enter, then Enter again, and choose the name for this RC type. The first one is | + | |
| - | /bin, then do the same for all the other directories, but exclude /boot, /proc, /dev and /sys. | + | |
| - | I also prefer to create an RC type for /usr/bin and /usr/sbin, because /usr has many public things inside, so the RC type for /usr becomes very public :). Later you can do the same for /var. | + | |
| - | The next step is to assign the created RC types to the directories. | + | |
| - | In rsbac_menu go to File/Dir Attributes: | + | |
| - | Now, with /bin chosen, go to RC Type FD: and you will see the RC types you created before. | + | |
| - | Pick the one for /bin (naming the type after the directory makes this easier to remember) and press Enter. | + | |
| - | You should now see RC Type FD: 6 /bin (the number may differ, e.g. 8 or 9). | + | |
| - | Repeat this step for every RC type that is left over, but before that: | + | |
| - | echo debug_adf_rc 1 > / | + | |
| - | echo debug_nosyslog 1 > / | + | |
| - | During this, and later as well, the log file can grow very quickly. If you have no separate partition for the security user and for /var/log, and only 500 MB for the / directory, both loggers writing can fill the partition very fast, and the system may then hang because it is out of space. That is why you do not need syslog for RSBAC logging when rklogd is present. | + | |
| - | I prefer to do the setup over ssh, because then I can log in with as many consoles as I need. I need two: one as the root user for | + | |
| - | tail -f / | + | |
| - | The directories may be different. | + | |
| - | Now start watching the log files. | + | |
| - | (to be continued) | + | |
| ==== configuring openvpn (vpn server) ==== | ==== configuring openvpn (vpn server) ==== | ||
| Line 379: | Line 400: | ||
| ==== creating a user/group administrator | ==== creating a user/group administrator | ||
| + | |||
| + | ===== dosinux.schottelius.org ===== | ||
| + | |||
| + | ==== configuring apache2 (http server) ==== | ||
| + | |||
| + | - Do apt-get install apache2 first | ||
| + | - See what happens:< | ||
| + | dosinux# / | ||
| + | dosinux# dmesg | ||
| + | 0000001236|rsbac_adf_request(): | ||
| + | prog_file / | ||
| + | NOT_GRANTED by RC ACL | ||
| + | 0000001237|rsbac_adf_request(): | ||
| + | prog_file / | ||
| + | result NOT_GRANTED by RC ACL | ||
| + | 0000001238|rsbac_adf_request(): | ||
| + | apache2, prog_file / | ||
| + | value 33, result NOT_GRANTED by AUTH | ||
| + | 0000001239|rsbac_adf_request(): | ||
| + | apache2, prog_file / | ||
| + | value 33, result NOT_GRANTED by AUTH | ||
| + | 0000001240|rsbac_adf_request(): | ||
| + | apache2, prog_file / | ||
| + | value 33, result NOT_GRANTED by AUTH | ||
| + | 0000001241|rsbac_adf_request(): | ||
| + | apache2, prog_file / | ||
| + | value 33, result NOT_GRANTED by AUTH | ||
| + | 0000001242|rsbac_adf_request(): | ||
| + | apache2, prog_file / | ||
| + | value 33, result NOT_GRANTED by AUTH | ||
| + | </ | ||
| + | - Add the AUTH capability 33 (www-data), use rsbac_400 and rsbac_fd_menu / | ||
| + | - TADA, it runs:< | ||
| + | dosinux# / | ||
| + | dosinux# dmesg | ||
| + | 0000001243|rsbac_adf_request(): | ||
| + | 0000001244|rsbac_adf_request(): | ||
| + | dosinux# ps axu | grep apache2 | ||
| + | root 3693 0.8 0.9 16744 5436 ? Ss | ||
| + | www-data | ||
| + | www-data | ||
| + | www-data | ||
| + | www-data | ||
| + | www-data | ||
| + | root 3701 0.0 0.0 | ||
| + | </ | ||
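The dmesg excerpt above carries the two things you need from an RSBAC denial: which module said no (RC, ACL or AUTH) and, for the AUTH lines, which uid the program tried to switch to (value 33, i.e. www-data, which is exactly the AUTH capability that had to be added). With debug_adf_rc switched on, as the apache section earlier recommends, the log grows faster than you can read it, so here is an added example (not from this wiki page or the RSBAC project) that boils rsbac_adf_request() lines down to module, request, program and value and counts repeats. The sample log lines are constructed to match the shape of the page's excerpt; the exact field names and their order in real RSBAC logs are an assumption, so compare them with your own dmesg before relying on the parser.

```shell
#!/bin/sh
# Added example, not from the wiki page or the RSBAC project.
# Summarise RSBAC decision log lines ("rsbac_adf_request(): ...") as seen in
# dmesg or via rklogd once debug_adf_* logging is enabled.
#
# Assumption: each line carries comma-separated "key value" fields in the
# order of the constructed sample below (request, pid, ppid, prog_name,
# prog_file, uid, target_type, tid, attr, value, result). Check this
# against your own dmesg; the sample is shaped after the page's excerpt,
# not copied from a real system.

# Constructed sample: one RC/ACL denial, one granted request that must be
# ignored, and two AUTH denials of CHANGE_OWNER to uid 33 (www-data).
SAMPLE_LOG='0000001236|rsbac_adf_request(): request EXECUTE, pid 3649, ppid 1, prog_name sh, prog_file /bin/sh, uid 0, target_type FILE, tid /usr/sbin/apache2, attr none, value 0, result NOT_GRANTED by RC ACL
0000001237|rsbac_adf_request(): request READ_OPEN, pid 3650, ppid 1, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type FILE, tid /etc/apache2/apache2.conf, attr none, value 0, result GRANTED
0000001238|rsbac_adf_request(): request CHANGE_OWNER, pid 3650, ppid 1, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3650, attr owner, value 33, result NOT_GRANTED by AUTH
0000001239|rsbac_adf_request(): request CHANGE_OWNER, pid 3651, ppid 3650, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3651, attr owner, value 33, result NOT_GRANTED by AUTH'

# Read log lines on stdin; print one tab-separated line per denial:
#   <denying module(s)>  <request>  <prog_file>  <value>
# "value" is what the request tried to set. For CHANGE_OWNER it is the
# target uid, i.e. the number you hand to that program's AUTH capability.
rsbac_denials() {
    awk -F', ' '
        /rsbac_adf_request\(\)/ && /result NOT_GRANTED/ {
            req = $1; sub(/^.*\): request /, "", req)
            prog = ""; val = ""; mod = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^prog_file /) { prog = substr($i, 11) }
                else if ($i ~ /^value /) { val = substr($i, 7) }
                else if ($i ~ /^result /) { mod = $i; sub(/^result NOT_GRANTED by /, "", mod) }
            }
            printf "%s\t%s\t%s\t%s\n", mod, req, prog, val
        }'
}

# Same, collapsed to counts; the top line is the denial you are drowning in.
rsbac_denial_summary() {
    rsbac_denials | sort | uniq -c | sort -rn
}
```

Typical use is `dmesg | rsbac_denial_summary` (or `tail -f` on the rklogd file piped into `rsbac_denials`). On the sample the summary puts `2 AUTH CHANGE_OWNER /usr/sbin/apache2 33` first, which is the page's diagnosis in one line: apache2 needs an AUTH capability for uid 33.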
| + | |||
| + | ===== Roles ===== | ||
| + | |||
| + | Roles should make life easier; currently they are just making my life more complicated. Let's see what we can do with them. | ||
| + | |||
| + | ==== creating a " | ||
| + | |||
| + | The first problem to solve with Roles is to create a user, which is able to | ||
| + | - create | ||
| + | - delete | ||
| + | - and modify other users (like an end-user-compatible user manager) | ||
| + | |||
| + | |||
| + | First of all, I create a user: | ||
| + | - login as rsbac_400, do < | ||
| + | - now do < | ||
| + | - login as root and do< | ||
| + | mkdir / | ||
| + | chown user_manager ~user_manager</ | ||
| + | - Now we have successfully created a normal user. | ||
| + | - TOBEDONE... | ||
| ===== Backup ===== | ===== Backup ===== | ||