[rsbac] backup-user
Jens Kasten
jens at kasten-edv.de
Thu Jul 19 19:38:55 CEST 2007
On Thursday 19 July 2007 17:54:25 Javier Martínez wrote:
> > thanks, this was missing.
> > but now maybe it is better to have two different users for the backup.
> > one is allowed to read all dirs and files, and the reverse user must
> > beforehand look at and save the rsbac attribute and then put the backup
> > back and set the attribute back.
> > so this user must have more rights, but the user which does the backup is
> > in use much more of the time.
>
> Why better? Why don't you create one special user with his role for
> it instead of admin? Grant CAP_DAC_READ_SEARCH as min_cap to the user
> to read all and create one script with one separate type with
> CAP_DAC_OVERRIDE granted in their own type with a forced role marked
> with their necessary rights and make it only accessible by this
> trusted user. You have alternatives to do this. Make sure you also use
> the CAP_LD_PRELOAD hack with minimum capabilities.
I have already created a user with his own rc-role and some other things, and
I use these cap-settings too.
But 2 users for backup are better, and then two different rc-roles.
I think when I do a backup I like to also back up the rsbac-attribute for these
files or dirs.
So the user must be able to read the rsbac-attribute. But then for recovering,
this user must also have the set-attribute ability, and this user, I think, is
then more powerful, so that's why I split it into 2 users for backup.