[rsbac] backup-user

Javier Martínez tazok.id0 at gmail.com
Thu Jul 19 17:54:25 CEST 2007


>
> thanks, this was missing.
> but now maybe it is better to have two different users for the backup.
> one is allowed to read all dirs and files, and the reverse user must first look at and
> save the rsbac attributes and then put the backup back and set the attributes
> back.
> so this user must have more rights, but the user which does the backup is in use
> much more of the time.
>
Why better? Why don't you create one special user with his role for
it instead of admin? Grant CAP_DAC_READ_SEARCH as min_cap to the user
to read all, and create one script with one separate type with
CAP_DAC_OVERRIDE granted in their own type, with a forced role marked
with their necessary rights, and make it accessible only by this
trusted user. You have alternatives to do this. Make sure you also use the
CAP_LD_PRELOAD hack with minimum capabilities.

