[rsbac] backup-user

Javier Martínez tazok.id0 at gmail.com
Thu Jul 19 20:01:58 CEST 2007


2007/7/19, Jens Kasten <jens en kasten-edv.de>:

> I have already created a user with his own rc-role and some other things, and
> I use these cap-settings too.
> But 2 users for backup are better, and then two different rc-roles.
> I think when I do a backup I would like to back up the rsbac-attributes for these
> files or dirs as well.
> So the user must be able to read the rsbac-attributes. But then for recovering,
> this user must also have the set-attribute ability, and this user I think is then
> more powerful, so that's why I split it into 2 users for backup.

Yes, but the question is that you can have two totally different roles
with the same user ;) .
Take note of the rc_forced_role and the rc_initial_role.

So you could, for example, create three roles: the first, the backup_user
role, as the initial role of the user, and make it compatible only with
backup_scripts_t and incompatible with the other ones; then create two
additional roles. One is read_backup: grant it the DAC_READ_SEARCH
min capability (of type backup_scripts_t) and assign it to the
read_script as a forced role (with its privileges).
Assign the other one as a forced role to the script called
write_backup and grant DAC_OVERRIDE to it.

