[rsbac] secoff

Amon Ott rsbac@rsbac.org
Tue Dec 31 12:04:01 2002

On Saturday 28 December 2002 22:52, cnf wrote:
> is there a way i can block any access to secoff except fe serial login
> within rsbac ?
> mostly i would like to disable su - to secoff, and ssh login to secoff
> now, i could use auth, and add every uid cept 400 for both su and sshd,
> but that seems to be a bit cumbersome ...

That's the official solution.
> anyway to set auth to allow setuid, except to this uid ?

auth_set_cap FILE add /usr/sbin/sshd 0 399
auth_set_cap FILE add /usr/sbin/sshd 401 -1

Just two range entries... The -1 is internally translated to the maximum user 
ID value: 2^32-1. Usually, I allow 0, 400, 500-100000 for sshd, with 400 
optional, and 0, nobody for su. Why would you need 1-399?

You know that you can protect AUTH settings with RC model instead of AUTH 
itself? This protection will soon be improved for better setups.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22