From: Amon Ott <ao@rsbac.org>
Subject: Re: /etc protection
Date: Thu, 23 Aug 2001 09:11:31 +0200

On Thu, 23 Aug 2001 RedLeftHand wrote:
> What model is recommended for protecting /etc from write access by root,
> while still allowing normal boot-up tasks; loading modules, hwclock access,
> /proc mounting? How, briefly, is that model implemented?

Unfortunately, /etc is a collection of files and dirs with very different protection needs. Other ones are /lib and /usr/lib.

What I do is define an RC type 'config files' and set it for all files and dirs that contain fixed configuration. Root is not allowed to modify them.

If a program has to change anything, e.g. for booting, you can define a role that allows that, and use it as forced or initial role for the program. For configuration, a special role can be defined and e.g. set for a certain user or program (e.g. interactive editor).

Amon.
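
The scheme described in the message above, as an added toy model in Python (not RSBAC code and not part of the original post): one file/dir type for fixed configuration, a root role that may only read it, and a forced role for a program that must write. All role names, paths, program names and the right names READ/WRITE are constructed for this example.

```python
# Toy model of the RC scheme from the message; NOT RSBAC code.
# Every role, path and program name here is constructed for illustration.
from dataclasses import dataclass, field

GENERAL, CONFIG = "general", "config files"  # file/dir (FD) types

@dataclass
class Policy:
    fd_type: dict = field(default_factory=dict)       # path -> FD type
    compat: dict = field(default_factory=dict)        # (role, type) -> rights
    initial_role: dict = field(default_factory=dict)  # user -> role
    forced_role: dict = field(default_factory=dict)   # program -> role

    def type_of(self, path):
        # The most specific labelled ancestor decides; unlabelled paths are GENERAL.
        hits = [p for p in self.fd_type
                if path == p or path.startswith(p.rstrip("/") + "/")]
        return self.fd_type[max(hits, key=len)] if hits else GENERAL

    def role_for(self, user, program):
        # A forced role on the program overrides the user's initial role.
        return self.forced_role.get(program, self.initial_role[user])

    def allowed(self, user, program, right, path):
        role = self.role_for(user, program)
        return right in self.compat.get((role, self.type_of(path)), set())

def build_policy():
    return Policy(
        # /etc holds fixed configuration; /etc/mtab changes at runtime.
        fd_type={"/etc": CONFIG, "/etc/mtab": GENERAL},
        compat={
            ("root", GENERAL): {"READ", "WRITE"},
            ("root", CONFIG): {"READ"},                  # uid 0 cannot modify
            ("boot clock", CONFIG): {"READ", "WRITE"},   # for hwclock only
            ("config admin", CONFIG): {"READ", "WRITE"},
            ("config admin", GENERAL): {"READ"},
        },
        initial_role={"root": "root", "cfgadmin": "config admin"},
        forced_role={"/sbin/hwclock": "boot clock"},
    )

POLICY = build_policy()

if __name__ == "__main__":
    for case in [("root", "/bin/sh", "WRITE", "/etc/passwd"),
                 ("root", "/sbin/hwclock", "WRITE", "/etc/adjtime"),
                 ("cfgadmin", "/bin/vi", "WRITE", "/etc/fstab")]:
        print(case, "->", "GRANTED" if POLICY.allowed(*case) else "DENIED")
```

The decision depends on the role and the target's type, not on uid 0: the same root user is denied from a shell and granted through the program that carries the forced role.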