Re: RC separation of duty


From: ao@morpork.shnet.org (A. Ott)
Subject: Re: RC separation of duty
Date: 08 Nov 1999 10:08:00 +0100



To subject Re: RC separation of duty
proberts@clark.net (Paul D. Robertson) wrote:

> On 5 Nov 1999, A. Ott wrote:
>
> > Well, there is a reason why I called this thread RC separation of duty. It
> > is about RC only. :)
>
> I have a question about this, because I'm only starting to play with
> roles and I'm more used to MAC categories for compartments/containers.
> Is it currently possible to limit role based on login path, and set a
> system default role if you haven't logged in using an approved method
> that's role-high.
>
> For instance, SYSADMIN needs to log in via /usr/local/sbin/sshd,
> otherwise the maximum role privilege you can use is USER.  I don't mind
> having to fix sshd to do some sort of RSBAC call.

No, this concept is not (yet) included in RC. You can only use AUTH model  
to limit the list of users /bin/login may change to. This was my original  
idea of login path limiting.

Maybe I should allow a negative AUTH capability list, meaning 'every user  
but the listed ones'. Or a range setting.

> Still trying to get the models straight in my head :)

Don't worry about asking.

Amon.

--
Please remove second ao for E-Mail reply - no spam please!
## CrossPoint v3.11 ##
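
An added sketch, not part of the original message and not RSBAC code: a small model of a per-program list of users a login program may change to, including the negated list ("every user but the listed ones") and range forms floated in the reply. The class and function names, the policy table and all uids are constructed for illustration.

```python
"""Conceptual model of an AUTH-style setuid capability check.

Not RSBAC code: names, the policy table and all uids are constructed.
Positive lists are what the message describes; negated lists and ranges
are the extensions it proposes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CapSet:
    """Users a program may change to (setuid) under this model."""
    uids: frozenset = frozenset()   # individually listed uids
    ranges: tuple = ()              # inclusive (low, high) uid ranges
    negate: bool = False            # True: "every user but the listed ones"

    def __post_init__(self):
        for low, high in self.ranges:
            if low > high:
                raise ValueError(f"bad range {low}-{high}")

    def allows(self, uid: int) -> bool:
        listed = uid in self.uids or any(lo <= uid <= hi for lo, hi in self.ranges)
        return listed != self.negate  # negation flips the meaning of the list


SYSADMIN_UID = 400                  # constructed uid for the admin account

# Constructed policy: one capability set per program path.
POLICY = {
    # login may become anyone except root and the admin account
    "/bin/login": CapSet(uids=frozenset({0, SYSADMIN_UID}), negate=True),
    # sshd may become the admin account or any uid in 1000-1999
    "/usr/local/sbin/sshd": CapSet(uids=frozenset({SYSADMIN_UID}),
                                   ranges=((1000, 1999),)),
}


def may_setuid(program: str, target_uid: int) -> bool:
    """Default deny: a program with no capability set may change to nobody."""
    caps = POLICY.get(program)
    return caps is not None and caps.allows(target_uid)


if __name__ == "__main__":
    for prog in ("/bin/login", "/usr/local/sbin/sshd", "/usr/bin/su"):
        for uid in (0, SYSADMIN_UID, 1500):
            print(f"{prog:22} -> uid {uid:4}: {may_setuid(prog, uid)}")
```

In this model the admin account is reachable only through the sshd path, which approximates the login-path restriction asked about without any role logic.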
