[rsbac] rsbac RC tutorial

Arkady A Drovosekov drawa at suct.uu.ru
Fri Mar 28 17:42:42 MET 2003

On Fri, Mar 28, 2003 at 12:59:06PM +0100, Thorsten Sauter wrote:
> 1. I'm looking for some real-world examples (e.g. protecting
> sendmail/ssh/ftp)
attr_set_file_dir -a CAP FILE /usr/sbin/sendmail min_caps NET_BIND_SERVICE
? attr_set_file_dir -a CAP FILE /usr/sbin/sendmail min_caps SETUID
? auth_set_cap FILE add /usr/sbin/sendmail 1000 65534
add system user 'sendmail'
run sendmail as user 'sendmail'

> 4. I'm trying to run apache without root rights. For this I have simply
> applied the Linux CAP through the FF modules to /usr/sbin/apache. I'm
> not sure if this is a good way, is it? Maybe not the best way to do
> everything on a filesystem basis.
The apache sources contain some checks for uid like this:
if (!getuid()) {
you have to change it to something like:
if (1 || !getuid()) {

change config.layout to put all var files into one dir (/var/apache-r3 here)
after recompiling you can apply something like this:

attr_set_file_dir CAP FILE "$daemon" min_caps SETGID SETUID
auth_set_cap FILE add "$daemon" "$work_user"
attr_set_file_dir DIR "$var" linux_dac_disable 1
acl_grant -r -s -u $init_user RW FD "$var"
# ??? acl_grant -r -s -u $work_user RW FD "$var"

and change apache.conf
Best regards,
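
Added example (not part of the original post, and not Apache or RSBAC code): instead of forcing the `!getuid()` check to true, a daemon can test whether it actually holds the SETUID and SETGID capabilities granted through min_caps above. It assumes those capabilities appear in the process's effective set as reported by the CapEff line of /proc/self/status; all function names are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SETGID_BIT 6
#define CAP_SETUID_BIT 7
#define NEED_CAPS ((1ULL << CAP_SETUID_BIT) | (1ULL << CAP_SETGID_BIT))

/* Extract the CapEff bitmask from /proc/<pid>/status text.
 * Returns 0 on success, -1 if the line is missing or has no hex value. */
int parse_capeff(const char *status, uint64_t *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *q = p + 7;
            while (*q == ' ' || *q == '\t') q++;   /* stay on this line */
            if (!isxdigit((unsigned char)*q)) return -1;
            *mask = strtoull(q, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');                       /* advance to next line */
        if (p) p++;
    }
    return -1;
}

/* True (1) only if every bit in 'wanted' is set in 'mask'. */
int mask_has_caps(uint64_t mask, uint64_t wanted)
{
    return (mask & wanted) == wanted;
}

/* Capability-aware stand-in for "!getuid()": may we switch uid and gid?
 * Fails closed (returns 0) when the capability set cannot be read. */
int can_switch_ids(void)
{
    char buf[4096];
    uint64_t mask;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (parse_capeff(buf, &mask) != 0) return 0;
    return mask_has_caps(mask, NEED_CAPS);
}
```

Unlike `1 || !getuid()`, this check stays false when the binary is started without the granted capabilities, so the daemon does not attempt a setuid/setgid it cannot perform.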
