[rsbac] backup-user

Jens Kasten jens at kasten-edv.de
Thu Jul 19 19:38:55 CEST 2007

On Thursday 19 July 2007 17:54:25 Javier Martínez wrote:
> > thanks, this was missing.
> > but now mayby is better two different user for the backup.
> > one allows to read all dirs and files and the reverse user must bevor
> > look and save the rsbac attribute and then put the backup back and set
> > the attribute back.
> > so this user must have more rights, but the user wich do the backup is
> > many more time in use.
> Why better¿?. Why don't you create one special user with his role for
> it instead of admin?. Grant CAP_DAC_READ_SEARCH as min_cap to the user
> to read all and create one script with one separate type with
> CAP_DAC_OVERRIDE granted in their own type with a forced role marked
> with their necessary rights  and and make it only accessible by this
> trusted user. You have alternatives to do this. Assure you use too the
> CAP_LD_PRELOAD hack with minimun capabilities.

i have already create an user with his own rc-role and some other things and  
i use this cap-settings too. 
but 2 users for backup are  better, and than two different rc-roles.
i think when i do backup i like to backup also the rsbac-attribute for this 
files or dirs.
so the user must able to read the rsbac-attribute. but then for recovering
this user must has also to set-attribute ability and this user i think is than 
more powerfull, so thatswhy splitt it into 2 users for backup.
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

More information about the rsbac mailing list