====== Split of the admin duties ======
RSBAC makes it possible to split the almighty root user into several admin users.
With this setup the root user is still present, but the first administrative task is transferred to a specialized user.
This requires the RSBAC RC module.
===== Add security user =====
RSBAC uses a special user to configure the RSBAC policies.
In this example the home directory is set to `/home/admins/security`.
Just take note of it for now; the reason will become clear later.
Add the user security (the following commands work on Gentoo and Debian):
<code bash>
test -d /home/admins || mkdir /home/admins
groupadd -g 400 security
useradd -g 400 -u 400 -d /home/admins/security -s /bin/bash -c "Security User" -m security
# set a new password
passwd security
chmod 750 /home/admins/security
</code>
===== Add updater user =====
In this example the home directory is set to `/home/admins/updater`.
The updater-shell, which is set below as the login shell, is a Python dialog script.
When the system is running with RSBAC, caps have to be set.
I have tested that this user cannot send data to the remote machine using `scp`.
He also cannot navigate through the filesystem.
Add the user updater (the following commands work on Gentoo and Debian):
<code bash>
test -d /home/admins || mkdir /home/admins
# groupadd needs the group name as its last argument
groupadd -g 410 updater
useradd -g 410 -u 410 -d /home/admins/updater -s /usr/bin/updater-shell -c "User for gentoo package managment " -m updater
# set a new password
passwd updater
chmod 750 /home/admins/updater
</code>
Debian needs a fix because `python setup.py install` puts everything under `/usr/local`.
Just set a symlink:
<code bash>
ln -s /usr/local/bin/updater-shell /usr/bin/updater-shell
</code>
To allow updater-shell to be used as a login shell, you have to add it to `/etc/shells`.
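A check for the two accounts created above, as an added example that is not part of the original page: it compares the passwd entry, the `/etc/shells` listing and the home directory mode with the values used here. The function name `check_admin` and its `ROOT` prefix argument are assumptions for illustration; it reads `/etc/passwd` (so it covers accounts created with `useradd`, not RSBAC UM), and `stat -c` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example, not part of the original page.
# check_admin ROOT USER UID GID HOME SHELL
#   ROOT is a path prefix (hypothetical helper argument): "" checks the live
#   system, a directory checks a constructed tree with ROOT/etc/passwd,
#   ROOT/etc/shells and ROOT/HOME.
# Prints one line per problem; returns 0 if everything matches, 1 otherwise.
check_admin() {
    root=$1 user=$2 want_uid=$3 want_gid=$4 want_home=$5 want_shell=$6
    rc=0
    entry=$(grep "^${user}:" "${root}/etc/passwd") || {
        echo "${user}: no entry in ${root}/etc/passwd"
        return 1
    }
    # passwd fields: name:password:uid:gid:gecos:home:shell
    IFS=: read -r _name _pw uid gid _gecos home shell <<EOF
$entry
EOF
    [ "$uid" = "$want_uid" ] ||
        { echo "${user}: uid is ${uid}, expected ${want_uid}"; rc=1; }
    [ "$gid" = "$want_gid" ] ||
        { echo "${user}: gid is ${gid}, expected ${want_gid}"; rc=1; }
    [ "$home" = "$want_home" ] ||
        { echo "${user}: home is ${home}, expected ${want_home}"; rc=1; }
    [ "$shell" = "$want_shell" ] ||
        { echo "${user}: shell is ${shell}, expected ${want_shell}"; rc=1; }
    # The page requires the login shell to be listed in /etc/shells
    # (whole-line, fixed-string match).
    grep -qxF "$want_shell" "${root}/etc/shells" 2>/dev/null ||
        { echo "${user}: ${want_shell} is not listed in ${root}/etc/shells"; rc=1; }
    # chmod 750 from the page: the home directory gives "other" no access.
    mode=$(stat -c %a "${root}${want_home}" 2>/dev/null) || mode=missing
    [ "$mode" = 750 ] ||
        { echo "${user}: home mode is ${mode}, expected 750"; rc=1; }
    return $rc
}
```

On the live system, call it as `check_admin "" updater 410 410 /home/admins/updater /usr/bin/updater-shell`.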
==== Gentoo Updater ====
On a Gentoo system the user updater must be in the group portage.
When using RSBAC UM, add the group:
<code bash>
rsbac_usermod -G 250 updater
</code>