[rsbac] About this part of Jens Documentation

Jens Kasten jens at rsbac.org
Thu Feb 19 11:18:59 CET 2015


The problem is, for example, that you upgrade ssh and some settings you had set are lost after the upgrade.

Javier Juan Martínez Cabezón <tazok.id0 at gmail.com> wrote:

>I have chosen this approach, welcome suggestions.
>
>emerge has its own forced_role, and its caps as minimum.
>emerge binaries have their own fd_type
>When I need to make an upgrade I grant it with ttl as bofh (my secoff)
>without commit to root, granting R, MAP_EXEC and EXECUTE to emerge_t
>
>Something like this
>rc_set_item -t 15 ROLE "$root_role" type_comp_fd "emerge_bin_t" R EXECUTE MAP_EXEC
>
>Since it is a Python script, privileges are marked as absolute.
>
>No need to fakeroot and you can take all RC learning mode capability
>since you use a new role to emerge.
>
>Comments are appreciated
>
>
>
>On 15/02/15 20:57, Jens Kasten wrote:
>> On Sun, 15 Feb 2015 18:41:39 +0100, Javier Juan Martínez
>> Cabezón <tazok at rsbac.org> wrote:
>> 
>> Hi Javier,
>> 
>> You have to enable fake root in the kernel config, in the RSBAC section.
>> 
>> You can use rsbac_menu /path/to/bin and choose fake root uid or 
>> attr_set_file_dir FILE /path/to/bin fake_root_uid [0-3]
>> 
>> Yes, set it for emerge, but fake_root_uid is not for expanding permissions
>> for a user; it just makes it possible to fool programs if they do a
>> check like: is user_id == 0.
>> 
>> The permission is set for example: attr_set_user updater min_caps
>> CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID MKNOD
>> NET_BIND_SERVICE
>> 
>> 
>> Depending on the setup, you may have to change some roles too.
>> 
>> Regards
>> 
>> Jens
>> 
>> 
>> 
>> 
>> 
>> Hi Jens, it's related with this part of your docs.
>> 
>> Did you need to set fakeroot in some place? How did you do it? That
>> is, did you set fakeroot to emerge binary or how did you deal with
>> owner permissions of new packages installed?
>> 
>> http://www.rsbac.org/wiki/experiences/igraltist/admins#add_updater_user
>>
>> 
>> 
>> 
>>> _______________________________________________ rsbac mailing
>>> list rsbac at rsbac.org http://www.rsbac.org/mailman/listinfo/rsbac
>> 
>

