[rsbac] ACLs / acl_grant Problem
Amon Ott
ao at rsbac.org
Mon Jan 16 08:42:42 CET 2006
On Monday 16 January 2006 01:59, jochem_ippers at email.de wrote:
> when I try to change an acl nothing seems to happen; for example
> (existing file and existing user) when I do:
>
> acl_grant -v -k -u jochem LOCK FD /tmp/hallo
> Revoke rights:
> 00000000010000000000000000000000000000000000000000000000000
> for USER 1001
> Processing FD '/tmp/hallo'
>
> nothing changes (same with the -m option), LOCK right is still
> there:
>
> acl_rights -u jochem FILE /tmp/hallo
> acl_rights: User 1001
> /tmp/hallo
> 00000000010000000000001110100000011011010010111111110110100
>
> I compiled rsbac version 1.2.5.1 (rsbac-admin-tools 1.2.5.1) for
> kernel 2.6.14. I tried different compile combinations, at the time I
> try a kernel with ACL as the only security module.
The rights this user has are inherited from the rights the group 0
(everyone) has to :DEFAULT:, going down to this file via / and /tmp
and through the file's inheritance mask. In Netware speech, :DEFAULT:
would be the container which contains the whole filesystem.

To reduce these rights, you must set explicit rights for all users and
groups that shall have access, and then change the inheritance mask
with acl_mask.

acl_grant changes the acl at the file itself - if there is no entry
for the user, revoking with -k will change nothing. acl_tlist can
show you all acl entries for this file.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
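
The inheritance described in the reply above, as an added example that is not part of the original post and not RSBAC code: a simplified Python model in which an explicit entry at an object wins and anything else is inherited from the parent through the object's inheritance mask. The three-right set, the Node class, the function names and user 1002 are assumptions made for illustration.

```python
# Simplified model of the ACL inheritance described above; not RSBAC code.
ALL = frozenset({"READ", "WRITE", "LOCK"})  # constructed, tiny right set

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.entries = {}     # subject -> explicit rights set at this object
        self.mask = set(ALL)  # inheritance mask; passes everything by default

def subject_rights(node, subject):
    """Explicit entry wins; otherwise inherit from the parent via node.mask."""
    if subject in node.entries:
        return set(node.entries[subject])
    if node.parent is None:
        return set()
    return subject_rights(node.parent, subject) & node.mask

def effective(node, user, groups):
    """Union of the user's own rights and those of each of its groups."""
    rights = subject_rights(node, ("USER", user))
    for g in groups:
        rights |= subject_rights(node, ("GROUP", g))
    return rights

def revoke(node, subject, rights):
    """Models 'acl_grant -k' as described: only an entry at the object changes."""
    if subject not in node.entries:
        return False          # nothing to revoke from, so nothing changes
    node.entries[subject] -= set(rights)
    return True

def demo():
    default = Node(":DEFAULT:")
    default.entries[("GROUP", 0)] = set(ALL)   # group 0 = everyone
    f = Node("/tmp/hallo", Node("/tmp", Node("/", default)))
    out = {"before": effective(f, 1001, [0])}
    out["revoked"] = revoke(f, ("USER", 1001), {"LOCK"})
    out["after_revoke"] = effective(f, 1001, [0])
    # The fix from the reply: explicit entries first, then reduce the mask.
    f.entries[("USER", 1001)] = {"READ", "WRITE"}
    f.mask.clear()
    out["after_fix"] = effective(f, 1001, [0])
    out["other_user"] = effective(f, 1002, [0])  # has no explicit entry
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```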