[rsbac] secoff
Amon Ott
rsbac@rsbac.org
Tue Dec 31 12:04:01 2002
On Saturday 28 December 2002 22:52, cnf wrote:
> Is there a way I can block any access to secoff except fe serial login
> within rsbac?
>
> Mostly I would like to disable su - to secoff, and ssh login to secoff.
>
> Now, I could use auth, and add every uid except 400 for both su and sshd,
> but that seems to be a bit cumbersome ...

That's the official solution.

> Any way to set auth to allow setuid, except to this uid?

auth_set_cap FILE add /usr/sbin/sshd 0 399
auth_set_cap FILE add /usr/sbin/sshd 401 -1

Just two range entries... The -1 is internally translated to the maximum user
ID value: 2^32-1. Usually, I allow 0, 400, 500-100000 for sshd, with 400
optional, and 0, nobody for su. Why would you need 1-399?

You know that you can protect AUTH settings with RC model instead of AUTH
itself? This protection will soon be improved for better setups.

Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
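
Added example, not part of the original message and not an RSBAC tool: a shell helper that prints the auth_set_cap range entries covering every UID except the ones listed, generalizing the two-entry sshd answer above to any number of excluded UIDs. The function name auth_caps_except is hypothetical; it only prints the commands and assumes the `FILE add <program> <first> <last>` form shown in the message.

```shell
#!/bin/sh
# Added example (hypothetical helper, not an RSBAC tool).
# Prints the auth_set_cap range entries that allow a program to setuid to
# every UID except those listed. It prints the commands; it does not run them.

MAX_UID=4294967295   # 2^32-1, the value the post says -1 is translated to

# usage: auth_caps_except PROGRAM [EXCLUDED_UID...]
auth_caps_except() {
    prog=$1; shift
    # Validate everything before emitting output: plain decimal, no leading
    # zeros (shell arithmetic would read them as octal), within 32 bits.
    for uid in "$@"; do
        case $uid in
            ''|*[!0-9]*|0?*) echo "not a numeric UID: $uid" >&2; return 1 ;;
        esac
        if [ "${#uid}" -gt 10 ] || [ "$uid" -gt "$MAX_UID" ]; then
            echo "UID out of range: $uid" >&2; return 1
        fi
    done
    lo=0   # lowest UID not yet covered by an emitted range
    # Sorting and de-duplicating lets adjacent or repeated exclusions collapse.
    for uid in $(printf '%s\n' "$@" | sort -n -u); do
        if [ "$uid" -gt "$lo" ]; then
            echo "auth_set_cap FILE add $prog $lo $((uid - 1))"
        fi
        lo=$((uid + 1))
    done
    # Open-ended tail, written with -1 as in the post, unless the maximum
    # UID itself was excluded and nothing remains above it.
    if [ "$lo" -le "$MAX_UID" ]; then
        echo "auth_set_cap FILE add $prog $lo -1"
    fi
}

# The case from the post: everything except UID 400 for sshd.
auth_caps_except /usr/sbin/sshd 400
```

Review the printed entries before applying them, since every range emitted is a setuid capability granted to that program.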