Re: Overlapping rights ?


From: ao@morpork.shnet.org (A. Ott)
Subject: Re: Overlapping rights ?
Date: 14 Oct 1999 13:51:00 +0200

Next Article (by Author): Re: Speed of rsbac ? ao@morpork.shnet.org (A. Ott)
Previous Article (by Author): Removing CONFIG_RSBAC_SYNC_WRITE ao@morpork.shnet.org (A. Ott)
Top of Thread: Overlapping rights ? Luc Stepniewski
Next in Thread: Re: Overlapping rights ? Vadim Kogan
Articles sorted by: [Date] [Author] [Subject]


On the subject "Overlapping rights ?", luc.stepniewski@c2a.fr (Luc Stepniewski) wrote:

> I'm discovering RSBAC, so my knowledge level about RSBAC is really low :-)
> I've looked at the example scripts in the admin tarball (are there other
> usage examples available anywhere? I learn much faster with examples,
> but with RSBAC they are really rare :-).

I know. :(

> About the home_area.sh example, I'd like to ask some questions:
> When applying the script, a default user is restricted from writing outside
> /home (which is normal), but another user, like root, is restricted from
> accessing the /home directory.
> Another problem is that normal users can't write in /tmp anymore. How can I
> allow normal users read/write access in /home AND /tmp? Making /tmp a
> 'Home area type' is not a solution, as it prevents root (and other System
> Admin, Role Admin) from accessing it :-(
>
> How can I do this?

If you want user write access to /tmp, set up another FD type 'tmp', give
all roles read-write access to this type and set /tmp and /var/tmp to this
type. Unfortunately, some programs have /tmp compiled in.

The admin menus use the TMPDIR environment variable, if set, and /tmp
otherwise. If you add a line
export TMPDIR=~
to your /etc/profile, the menus will use the user's home dir.
Alternatively, create a /home/tmp dir.

If you want root to still access /home, e.g. to create new users, give
role 'System Admin' appropriate rights to FD type Homearea. You might
consider restricting those rights to those that are really needed, like
CREATE, SEARCH, MODIFY_PERMISSIONS_DATA, etc. My main point was not
letting root read or even change any private user data, so denying all
OPEN_* requests might be enough. You might find it easier to use the ACL
model, when groups are implemented.

When you are finished, I'd be pleased if you could post a summary, maybe
even an updated example script, to this list.

> Ps: Is there an archive of the mailing list ?

Sorry, only in my mail system. I meant to configure one, but didn't take  
the time for learning how to do it. Anybody knowing?

Amon.

--
Please remove second ao for E-Mail reply - no spam please!
## CrossPoint v3.11 ##
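The two changes Amon proposes (a 'tmp' FD type that every role may read and write, and a deliberately narrow set of Homearea rights for 'System Admin' with no OPEN_* requests) can be checked against a small model of the RC compatibility table before touching a real system. The code below is an added illustration, not RSBAC's own code or the home_area.sh script: the role names General User / Role Admin / System Admin and the FD type General are RSBAC's defaults, the request names are taken from RSBAC's request list, and the exact rights granted in home_area_policy() are an assumption that only reproduces the symptoms Luc describes.

```python
from os.path import dirname, normpath

# Assumed, simplified request sets; OPEN_* is the family the reply says
# root should not get on Homearea.
OPEN_REQUESTS = {"READ_OPEN", "WRITE_OPEN", "READ_WRITE_OPEN", "APPEND_OPEN"}
READ_WRITE = OPEN_REQUESTS | {"CREATE", "DELETE", "SEARCH", "EXECUTE"}
READ_ONLY = {"READ_OPEN", "SEARCH", "EXECUTE"}

class RcPolicy:
    """Toy RC model: an FD type per path (inherited by everything below it)
    and a role x type compatibility table listing the permitted requests."""
    def __init__(self):
        self.fd_types = {"/": "General"}   # RSBAC's default FD type
        self.compat = {}                   # (role, fd_type) -> set of requests

    def set_fd_type(self, path, fd_type):
        self.fd_types[normpath(path)] = fd_type

    def grant(self, role, fd_type, requests):
        self.compat.setdefault((role, fd_type), set()).update(requests)

    def fd_type_of(self, path):
        # Untyped entries take the type of the nearest typed ancestor.
        p = normpath(path)
        while p not in self.fd_types:
            p = dirname(p)
        return self.fd_types[p]

    def allowed(self, role, path, request):
        return request in self.compat.get((role, self.fd_type_of(path)), set())

def home_area_policy():
    """Constructed approximation of the situation Luc describes: users are
    read-only outside Homearea, and System Admin has no rights on it."""
    pol = RcPolicy()
    pol.set_fd_type("/home", "Homearea")
    pol.grant("General User", "General", READ_ONLY)
    pol.grant("General User", "Homearea", READ_WRITE)
    pol.grant("Role Admin", "General", READ_WRITE)
    pol.grant("System Admin", "General", READ_WRITE)
    return pol

def amended_policy():
    """Amon's two suggestions applied on top of home_area_policy()."""
    pol = home_area_policy()
    # 1. New FD type 'tmp', read-write for every role, set on /tmp and /var/tmp.
    for role in ("General User", "Role Admin", "System Admin"):
        pol.grant(role, "tmp", READ_WRITE)
    pol.set_fd_type("/tmp", "tmp")
    pol.set_fd_type("/var/tmp", "tmp")
    # 2. System Admin gets only management rights on Homearea, no OPEN_* at all.
    pol.grant("System Admin", "Homearea",
              {"CREATE", "SEARCH", "MODIFY_PERMISSIONS_DATA"})
    return pol
```

With the amended policy a normal user can write under /tmp and /var/tmp again, root can create entries in /home and change their permissions, but root still cannot open any file below /home for reading or writing.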
