[rsbac] ssh rc-role

jens jens at igraltist.dyndns.org
Wed Aug 23 12:14:16 CEST 2006


hi
you mean this can solve the problem?
For me, I will rent a server to run apache and postfix there.
For this machine I have only ssh access.
Some web interface for reboot maybe.
For e.g., when the rsbac-kernel is booting, then before granting anything,
set up rc-roles and rc-types.
From now on all are running under the same rc-role; only the boot process has its
own.
When this rc_inherit_mixed works, maybe then it is better from the beginning
to use this role_inherit_mixed.
All the time the rc-role for the ssh will be used to look at the system if
all is right and also used from a normal user account.

On Monday, 21 August 2006 19:00, tazok wrote:
> I think your problem is the use of the rc_forced_role on an FD. When
> you make an execute system call on the sshd daemon it gets its
> default role from the initial role, and when a setuid syscall is made
> it takes the value of the rc_forced_role. If you assign one role to
> this, it will act as a "wrapper" to all users that log into
> the system (all of them will run with the same role and the same
> privileges). I think your problem comes from here.
>
> Try this: Make a new role, sshd_daemon for example, and grant it the
> necessary privileges to work. After this, assign the value
> role_inherit_mixed_up to the rc_forced_role option. With this (and if
> I'm not wrong) after the user logs into the system it will do it with
> his/her own privileges. Something like this is what will happen:
>
> sshd(sshd_role) --> login success --> setuid (transition to
> user_default_role).
>
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac
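To make the two behaviours tazok contrasts concrete, here is an added toy model (not RSBAC code, and not from either poster) of how the RC role of an sshd login process changes at execute and at setuid: a fixed role in rc_forced_role acts as a wrapper for every user, while the role_inherit_mixed_up value hands each user their own default role after setuid. Role names, uids and the exact semantics of role_inherit_mixed_up are assumptions following the description in the thread.

```python
# Toy model of RC role transitions on an sshd login, following tazok's
# description. Constructed for illustration; it is not the RSBAC kernel logic.
from dataclasses import dataclass
from typing import Optional

# Special value for the FD attribute, as named in the thread (assumption).
ROLE_INHERIT_MIXED_UP = "role_inherit_mixed_up"

# Per-user default roles (constructed sample data).
USER_DEFAULT_ROLE = {0: "root_role", 1000: "user_default_role", 1001: "user_default_role"}


@dataclass
class FdAttrs:
    """RC attributes of the sshd binary; None means no forced role is set."""
    rc_forced_role: Optional[str] = None


@dataclass
class Process:
    uid: int
    role: str
    forced_role: Optional[str] = None  # remembered from the executed FD


def execute(proc: Process, fd: FdAttrs, initial_role: str = "sshd_role") -> Process:
    # On execute the daemon starts in its initial role and carries the FD's
    # rc_forced_role along, to be applied at the next setuid.
    return Process(uid=proc.uid, role=initial_role, forced_role=fd.rc_forced_role)


def setuid(proc: Process, new_uid: int) -> Process:
    # At setuid the forced role decides the new role:
    #   - unset: keep the current role
    #   - role_inherit_mixed_up: switch to the target user's own default role
    #   - any fixed role: every user ends up in that same role (the "wrapper")
    if proc.forced_role is None:
        role = proc.role
    elif proc.forced_role == ROLE_INHERIT_MIXED_UP:
        role = USER_DEFAULT_ROLE[new_uid]
    else:
        role = proc.forced_role
    return Process(uid=new_uid, role=role, forced_role=proc.forced_role)


def login_role(fd: FdAttrs, uid: int) -> str:
    """Role a user session ends up with: sshd executed, login ok, setuid(uid)."""
    sshd = execute(Process(uid=0, role="system_role"), fd)
    return setuid(sshd, uid).role
```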
