[rsbac] Type Comp Group -> READ

Amon Ott ao at rsbac.org
Fri Mar 2 09:26:16 CET 2007


On Thursday 01 March 2007 23:02, Sven Seeland wrote:
> I'm currently setting up a homeserver as a hobby-project of mine
> and - you guessed it - I'm using RSBAC to secure it. I've found it
> to be the best available solution for my purposes except for one
> thing: documentation. Which is why I'm on this list.

We are working on the handbook...

> And here comes my first question...
> I'm currently running into quite a few programs that are trying to
> READ a target of the type "group", like so:
>
> <6>0034764112|rsbac_adf_request(): request READ, pid 2010, ppid
> 2009, prog_name id, prog_file /bin/id, uid 0, audit uid 400, remote
> ip 192.168.11.3, target_type GROUP, tid 65534, attr none, value
> none, result NOT_GRANTED (Softmode) by RC
>
> Well. I know what the group target is (kinda) - it's a linux user
> group. But what happens when you "read" it? Is it generally safe to
> grant this right? Or is it unnecessary since the programs will
> operate without it just as well? I know how to grant the right and
> make the conflicts go away, the question is whether I should and
> how restrictive I should be about it.

Generally, READ allows access to the User Management information which
used to be stored in /etc/group. So it is quite harmless and can be
granted. Some programs do not even run correctly if they cannot read
info about their own active groups, so you must grant this right for
those.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
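The log line quoted above is the kind of evidence a practitioner collects while a module still runs in soft mode: every "NOT_GRANTED (Softmode)" decision is a denial that will become real once soft mode is switched off. The following is an added example, not code from the RSBAC project or from the mail, that parses such lines and groups the denials by target type, request and program, so one can see, for instance, which programs need READ on GROUP before enforcing. It assumes the field order shown in the quoted line; the sample lines are constructed.

```python
import re
from collections import Counter

# Regular expression for one rsbac_adf_request() line in the shape quoted in the
# mail (assumed field order; lines of a different shape are skipped).
ADF_LINE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\S+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog_name>.*?), prog_file (?P<prog_file>\S+), "
    r"uid (?P<uid>\d+), audit uid (?P<audit_uid>\d+), remote ip (?P<remote_ip>\S+), "
    r"target_type (?P<target_type>\S+), tid (?P<tid>.*?), attr (?P<attr>\S+), "
    r"value (?P<value>\S+), result (?P<result>\S+)(?P<softmode> \(Softmode\))? "
    r"by (?P<module>\S+)\s*$"
)

# Constructed sample lines (not the poster's real log): the first copies the
# line quoted in the mail, the others vary program, target type and mode.
SAMPLE_LOG = """\
<6>0034764112|rsbac_adf_request(): request READ, pid 2010, ppid 2009, prog_name id, prog_file /bin/id, uid 0, audit uid 400, remote ip 192.168.11.3, target_type GROUP, tid 65534, attr none, value none, result NOT_GRANTED (Softmode) by RC
<6>0034764210|rsbac_adf_request(): request READ, pid 2015, ppid 2009, prog_name ls, prog_file /bin/ls, uid 400, audit uid 400, remote ip 192.168.11.3, target_type GROUP, tid 100, attr none, value none, result NOT_GRANTED (Softmode) by RC
<6>0034764330|rsbac_adf_request(): request WRITE, pid 2020, ppid 2009, prog_name passwd, prog_file /usr/bin/passwd, uid 400, audit uid 400, remote ip 192.168.11.3, target_type USER, tid 400, attr none, value none, result NOT_GRANTED by RC
"""

def parse_adf_line(line):
    """Fields of one ADF request line as a dict, or None if it does not match."""
    m = ADF_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["softmode"] = rec["softmode"] is not None   # "(Softmode)" suffix present?
    return rec

def summarize_denials(log_text):
    """Count NOT_GRANTED decisions per (target_type, request, prog_file).
    Returns (softmode, enforced): softmode denials were only logged and would
    become real once soft mode is off; enforced denials already applied."""
    softmode, enforced = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_adf_line(line)
        if rec is None or rec["result"] != "NOT_GRANTED":
            continue
        key = (rec["target_type"], rec["request"], rec["prog_file"])
        (softmode if rec["softmode"] else enforced)[key] += 1
    return softmode, enforced

if __name__ == "__main__":
    soft, hard = summarize_denials(SAMPLE_LOG)
    for key, n in soft.most_common():
        print("softmode (would be denied): %-6s %-6s %s x%d" % (key + (n,)))
    for key, n in hard.most_common():
        print("denied:                    %-6s %-6s %s x%d" % (key + (n,)))
```

Run against a real kernel log (e.g. piped from dmesg) the soft-mode table is the list of rights still to grant or deliberately refuse before leaving soft mode.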