[rsbac] ACL Issue

Amon Ott ao at rsbac.org
Wed Oct 27 09:30:45 CEST 2004


On Tuesday, 26 October 2004 21:32, Nick Vasiliev wrote:
> Ok, heh more questions. For me to practice ACLs I have
> created a test at /home/test, and I created two users
> bill and bob. I have set permissions on the folder to
> 700, and chowned it to root. Then turned off DAC
> permissions and gave bob rights to access it with
> ACL, and it has worked fine and bob was able to access
> the folder. However so was Bill. I made another ACL
> and didn't give bill any privileges and he was still
> able to access it. I assume it is because of the min

You must change the mask on /home/test to restrict right inheritance 
from /home for group 0 (everyone), of which all users are members by 
definition. Then only the rights in the mask are left over. Now (or 
better before that...) you can grant explicit rights to some users or 
groups.

> cap, when I went to change the min cap on the folder
> it told me:
> Cap min CAPS: No file Specified, when I want to access
> the max the same thing happened. 

ACL and CAP are independent - no CAP setting will help you to get or 
reduce ACL rights; it affects only standard Linux DAC rights.
 
> Also, right now I am able to ssh into the machine
> fine, however when I look at the process sshd, it
> tells me that SetUID is at 0, which means that it
> can't do it. And I know that you need to be able to setuid
> in order to connect with ssh because it was one of the
> problems I had earlier. I also looked at the file
> /usr/sbin/sshd and it didn't have the setuid set on
> it.

The module responsible for control of user ids is AUTH. You need to 
add AUTH capabilities for the target uids at the sshd binary or set 
the big auth_may_setuid switch instead, which is the equivalent of a 
CAP range 0:<max>.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
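The inheritance rule Amon describes above (rights flow down from /home to /home/test, group 0 "everyone" contains every user, and only the object's mask decides which inherited rights survive) is easy to get wrong when setting up a first ACL. The following is an added toy model written for this archive page, not RSBAC code and not the rsbac admin tools; the right names, the per-object mask, the default of "inherit everything" and the root entry granting group 0 all rights are assumptions made for illustration. It reproduces Nick's symptom (bill keeps access through the inherited everyone rights) and shows the effect of restricting the mask on /home/test before granting bob explicit rights.

```python
"""Toy model of ACL right inheritance with a per-object inherited-rights mask.

Added illustration, not RSBAC code. Assumptions:
- every object carries explicit entries: subject -> set of rights
- every object carries a mask: the rights it is allowed to inherit from its parent
- group 0 ("everyone") implicitly contains every user
- effective rights on an object = explicit entries for the user, its groups and
  everyone, united with (parent's effective rights intersected with the mask)
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Simplified right names chosen for this example only.
ALL_RIGHTS: FrozenSet[str] = frozenset({"READ", "WRITE", "EXECUTE", "SEARCH"})
EVERYONE: Tuple[str, int] = ("GROUP", 0)   # group 0: all users by definition


def _prefixes(path: str) -> List[str]:
    """'/home/test' -> ['/', '/home', '/home/test'] (walk from the root down)."""
    parts = [p for p in path.strip("/").split("/") if p]
    out = ["/"]
    for i in range(len(parts)):
        out.append("/" + "/".join(parts[: i + 1]))
    return out


@dataclass
class AclObject:
    entries: Dict[tuple, Set[str]] = field(default_factory=dict)
    mask: FrozenSet[str] = ALL_RIGHTS    # assumed default: inherit everything


class AclTree:
    def __init__(self) -> None:
        self.objects: Dict[str, AclObject] = {"/": AclObject()}

    def obj(self, path: str) -> AclObject:
        return self.objects.setdefault(path, AclObject())

    def grant(self, subject: tuple, path: str, rights) -> None:
        """Explicit ACL entry for a subject on one object."""
        self.obj(path).entries.setdefault(subject, set()).update(rights)

    def set_mask(self, path: str, rights) -> None:
        """Only rights in the mask may be inherited from the parent object."""
        self.obj(path).mask = frozenset(rights)

    def effective(self, user: str, groups, path: str) -> FrozenSet[str]:
        subjects = {("USER", user), EVERYONE} | {("GROUP", g) for g in groups}
        inherited: FrozenSet[str] = frozenset()
        for p in _prefixes(path):
            o = self.objects.get(p, AclObject())  # untouched object: full inheritance
            explicit: Set[str] = set()
            for s in subjects:
                explicit |= o.entries.get(s, set())
            # Explicit entries always count; inherited ones are filtered by the mask.
            inherited = frozenset(explicit) | (inherited & o.mask)
        return inherited


def scenario():
    """Nick's setup before and after restricting the mask on /home/test."""
    t = AclTree()
    t.grant(EVERYONE, "/", ALL_RIGHTS)          # assumed default: everyone has all rights at /
    before = (t.effective("bob", [], "/home/test"),
              t.effective("bill", [], "/home/test"))

    t.set_mask("/home/test", set())             # cut inheritance from /home, incl. group 0
    t.grant(("USER", "bob"), "/home/test", {"READ", "SEARCH"})
    after = (t.effective("bob", [], "/home/test"),
             t.effective("bill", [], "/home/test"))
    return before, after


if __name__ == "__main__":
    (bob0, bill0), (bob1, bill1) = scenario()
    print("before mask: bob", sorted(bob0), "bill", sorted(bill0))
    print("after mask:  bob", sorted(bob1), "bill", sorted(bill1))
```

Before the mask is changed, both users hold every right on /home/test through the group 0 entry inherited from above; after the mask is emptied, bill has nothing and bob has exactly the rights granted to him. A non-empty mask (for example SEARCH only) leaves just those inherited rights, which is what "only the rights in the mask are left over" means in the reply.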

