[rsbac] Restricting /etc/passwd & /etc/shadow from root...
Chirag Pandya
cpandya at gmail.com
Sat Mar 25 14:18:45 CET 2006
> How do I restrict the /etc/passwd & /etc/group files from root and allow
> access only to the "useradd" and "userdel" programs? Which model is
> recommended for this? FF / RC / MAC? Please let me know the details of
> doing the same.
>
If possible, use the RSBAC User Management scheme; it avoids all the
/etc/passwd, /etc/shadow complications as discussed by Amon in a
previous thread and also found here:
http://www.rsbac.org/documentation/different_models/um
If you still want to use the /etc/passwd scheme, try using the RC model to
protect it. Create and assign a new TYPE to the /etc/passwd and /etc/shadow
files. Define compatibilities such that the root role can only READ these
files. Create a new ROLE that has write permissions to this new TYPE.
Now assign this force role to the useradd, usermod ... commands.
Hope this helps,
--
Chirag
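
Added example, not part of the original message and not RSBAC code: a simplified Python model of the RC setup described above, showing that root can read but not write the account files until it executes a program carrying the force role. The role and type names (`root_role`, `account_admin`, `account_db`, `account_tool`) and the `/usr/sbin` paths are assumptions; the `audit` check goes one step beyond the message by flagging force-role binaries that another role could still overwrite.

```python
# Simplified model of the RC scheme in the message; NOT RSBAC's implementation.
# Role names, type names and program paths are constructed for illustration.
READ, WRITE, EXECUTE = "READ", "WRITE", "EXECUTE"

class RCPolicy:
    def __init__(self):
        self.fd_type = {}     # path -> file/dir TYPE (default "general")
        self.force_role = {}  # program path -> ROLE forced on execute
        self.compat = {}      # (role, type) -> set of allowed requests

    def allow(self, role, fd_type, *requests):
        self.compat.setdefault((role, fd_type), set()).update(requests)

    def role_after_exec(self, role, program):
        # A force role set on the program replaces the caller's role.
        return self.force_role.get(program, role)

    def check(self, role, path, request):
        fd_type = self.fd_type.get(path, "general")
        return request in self.compat.get((role, fd_type), set())

    def audit(self):
        """List (program, role) pairs where a role other than the forced one
        may WRITE a force-role binary, which would undo the protection."""
        findings = []
        for prog, forced in self.force_role.items():
            fd_type = self.fd_type.get(prog, "general")
            for (role, typ), reqs in self.compat.items():
                if typ == fd_type and WRITE in reqs and role != forced:
                    findings.append((prog, role))
        return sorted(findings)

def build_policy(protect_binaries):
    p = RCPolicy()
    for path in ("/etc/passwd", "/etc/shadow"):
        p.fd_type[path] = "account_db"            # new TYPE for the files
    p.allow("root_role", "general", READ, WRITE, EXECUTE)
    p.allow("root_role", "account_db", READ)      # root may only READ
    p.allow("account_admin", "account_db", READ, WRITE)  # new ROLE
    p.allow("account_admin", "general", READ, EXECUTE)
    for prog in ("/usr/sbin/useradd", "/usr/sbin/usermod"):
        p.force_role[prog] = "account_admin"      # force role on the tools
        if protect_binaries:                      # give the tools their own TYPE
            p.fd_type[prog] = "account_tool"
            p.allow("root_role", "account_tool", READ, EXECUTE)
    return p
```

`build_policy(False).audit()` reports both tools as writable by `root_role`, while `build_policy(True).audit()` returns an empty list.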