[rsbac] About this part of Jens Documentation

Javier Juan Martínez Cabezón tazok.id0 at gmail.com
Mon Feb 16 16:59:08 CET 2015




Some time ago I tried this type of configuration. Fakeroot was needed
because emerge always checks against uid, and it had FS_MASK caps
including CAP_CHOWN and CAP_FSETID granted as minimum caps. It was
strange because after upgrading all written files were owned by
updater_user and not by root. For this reason I discarded this approach.

I'm surprised that you could do this approach because it is the approach
I've always tried with fd_individual_types assigned to dirs to
automate it.



On 15/02/15 20:57, Jens Kasten wrote:
> On Sun, 15 Feb 2015 18:41:39 +0100, Javier Juan Martínez
> Cabezón <tazok en rsbac.org> wrote:
> 
> Hi Javier,
> 
> You have to enable fake root in the kernel config, in the RSBAC section.
> 
> You can use rsbac_menu /path/to/bin and choose fake root uid or 
> attr_set_file_dir FILE /path/to/bin fake_root_uid [0-3]
> 
> Yes, set it on emerge, but fake_root_uid is not for expanding
> permissions for a user; it just makes it possible to fool programs
> if they do a check like user_id == 0.
> 
> The permission is set for example: attr_set_user updater min_caps
> CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID MKNOD
> NET_BIND_SERVICE
> 
> 
> Depending on the setup, you may have to change some roles too.
> 
> Regards
> 
> Jens
> 
> 
> 
> 
> 
> Hi Jens, it's related to this part of your docs.
> 
> Did you need to set fakeroot in some place? How did you do it? That
> is, did you set fakeroot on the emerge binary, or how did you deal with
> owner permissions of newly installed packages?
> 
> http://www.rsbac.org/wiki/experiences/igraltist/admins#add_updater_user
>
> 
> 
> 
>> _______________________________________________ rsbac mailing
>> list rsbac en rsbac.org http://www.rsbac.org/mailman/listinfo/rsbac
> 
> 



