Re: acl and more


From: Amon Ott <ao@rsbac.org>
Subject: Re: acl and more
Date: Thu, 9 Aug 2001 12:36:29 +0200



On Thu, 09 Aug 2001 renaud wrote:
> I am a beginner with rsbac and I have a question about roles: I did
> compile with rc, auth, acl and I did all the attr commands mentioned in the
> docs.
> 
> As I try to make a simple 777 directory (/test/acltest) and manage the ACL
> for this directory I changed the default mask to permit everything except
> CHDIR and CREATE.
> 
> To verify my work I try to chdir and mkdir to this dir with basic user,
> root, and secoff. I'm rejected with root and basic user but I can chdir
> and mkdir with secoff.
> 
> I can't figure out why secoff has all those rights, and even with the rc
> role admin menu I didn't manage to change this. Can you help me please?

secoff has SUPERVISOR right, which includes all other rights and can (with
default RSBAC settings) never be masked out. This is meant to keep you from
having no access by anyone.

To mask SUPERVISOR out, you need to:
- enable masking out in RSBAC kernel config
- add an ACL entry for a user A to /test/acltest with right SUPERVISOR
- as user A, change the mask to not contain SUPERVISOR any more

Then secoff cannot access the dir anymore, but A still has full access.

If you want, you can now revoke SUPERVISOR from A, but then you have no
SUPERVISOR there anymore! You will have to use soft mode or a maint kernel to
regain access in case of a configuration error.

User A can of course also be secoff, but the direct entry is always needed.

Amon.
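
A simplified model of the mask behaviour described in the reply above, added here as an example; it is not part of the original message and not RSBAC code. The class, method and field names are hypothetical, and the model assumes that a mask change which is not permitted simply keeps SUPERVISOR in the mask.

```python
# Simplified model of the ACL mask behaviour described in this message.
# Not RSBAC code: class, method and field names are hypothetical.
SUPERVISOR = "SUPERVISOR"

class AclDir:
    def __init__(self, inherited, super_filter=False):
        self.inherited = inherited        # subject -> rights coming from the parent
        self.direct = {}                  # subject -> rights granted at this directory
        self.mask = None                  # None = mask lets everything through
        self.super_filter = super_filter  # models the kernel option for masking SUPERVISOR

    def set_mask(self, caller, mask):
        mask = set(mask)
        if SUPERVISOR not in mask:
            # Dropping SUPERVISOR needs the kernel option and a direct entry
            # with SUPERVISOR for the caller; otherwise it stays in the mask
            # (assumption of this model).
            if not (self.super_filter and SUPERVISOR in self.direct.get(caller, ())):
                mask.add(SUPERVISOR)
        self.mask = mask

    def rights(self, subject):
        if subject in self.direct:        # direct entries are not filtered by the mask
            return set(self.direct[subject])
        got = set(self.inherited.get(subject, ()))
        return got if self.mask is None else got & self.mask

    def allowed(self, subject, right):
        r = self.rights(subject)
        return SUPERVISOR in r or right in r   # SUPERVISOR includes all other rights

def scenario(super_filter):
    # Constructed sample data following the thread: secoff inherits SUPERVISOR,
    # user "A" gets a direct SUPERVISOR entry and then changes the mask.
    d = AclDir({"secoff": {SUPERVISOR}, "root": {"CHDIR", "CREATE"}}, super_filter)
    d.direct["A"] = {SUPERVISOR}
    d.set_mask("A", set())   # mask without CHDIR, CREATE and SUPERVISOR
    return d

if __name__ == "__main__":
    for flag in (False, True):
        d = scenario(flag)
        print("masking SUPERVISOR enabled:", flag,
              {s: d.allowed(s, "CHDIR") for s in ("secoff", "root", "A")})
```

Deleting `d.direct["A"]` after the second scenario leaves no subject with access, which is the lockout case the reply warns about.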