From: ao@morpork.shnet.org (A. Ott)
Subject: Re: Overlapping rights ?
Date: 14 Oct 1999 13:51:00 +0200
Next Article (by Date): Re: Overlapping rights ? Vadim Kogan
Previous Article (by Date): Overlapping rights ? Luc Stepniewski
Top of Thread: Overlapping rights ? Luc Stepniewski
Next in Thread: Re: Overlapping rights ? Vadim Kogan
Articles sorted by: [Date]
[Author]
[Subject]
********* ***************** ********** **** ***** ***** ************ To subject Overlapping rights ? luc.stepniewski@c2a.fr (Luc Stepniewski) wrote: ********** ******************** ****** ******** ******* ************* > I'm discovering RSBAC, so my knowledge level about RSBAC is really low :-) > I've looked at the example scripts in the admin tarball (are there other > usage examples available anywhere ?, I learn much faster with examples, > but with RSBAC, they are really rare :-). I know. :( > About the home_area.sh example, I'd like to ask some questions: > When applying the script, a default user is restricted from writing outside > /home (which is normal), but another user, like root is restricted from > accessing in the /home directory. > Another problem is that normal users can't anymore write in /tmp. How can I > allow normal users read/write access in /home AND /tmp. Making /tmp a > 'Home area type' is not a solution, as it prevents root (and other System > admin, Role Admin) from accessing it :-( > > How can I do this ? If you want user write access to /tmp, setup another FD type 'tmp', give all roles read-write access to this type and set /tmp and /var/tmp to this type. Unfortunately, some programs have /tmp compiled in. The admin menues use the TMPDIR environment variable, if set, and /tmp otherwise. If you add a line export TMPDIR=~ to your /etc/profile, the menues will use the user's home dir. Alternatively, create a /home/tmp dir. If you want root to still access /home, e.g. to create new users, give role 'System Admin' appropiate rights to FD type Homearea. You might consider to restrict those rights to those that are really needed, like CREATE, SEARCH, MODIFY_PERMISSIONS_DATA, etc. My main point was not letting root read or even change any private user data, so denying all OPEN_* requests might be enough. You might find it easier to use the ACL model, when groups are implemented. When you are finished, I'd be pleased, if you could post a summary, maybe even an updated example script, to this list. > Ps: Is there an archive of the mailing list ? Sorry, only in my mail system. I meant to configure one, but didn't take the time for learning how to do it. Anybody knowing? Amon. -- Please remove second ao for E-Mail reply - no spam please! ## CrossPoint v3.11 ## - To unsubscribe from the rsbac list, send a mail to majordomo@morpork.shnet.org with unsubscribe rsbac as single line in the body.
Next Article (by Date): Re: Overlapping rights ? Vadim Kogan
Previous Article (by Date): Overlapping rights ? Luc Stepniewski
Top of Thread: Overlapping rights ? Luc Stepniewski
Next in Thread: Re: Overlapping rights ? Vadim Kogan
Articles sorted by: [Date]
[Author]
[Subject]