===== New home directory =====
To make user management easier I create separate subdirectories for admin users and normal users.
There are many reasons to do this. One of them is that I will protect the home directories with the RSBAC RC module.
By convention I use this structure:
  /home/
    admins/
      backuper/
      configer/
      security/
      updater/
    users/
      my_name/
So, update the home directory field in `/etc/passwd` for your users accordingly.
===== Add new profile file =====
Add a new file in `/etc/profile.d`.
Copy & paste it, or download it from [[http://kasten-edv.de/download/rsbac/profile|profile]].
==== Gentoo ====
  # used by run-jail: search /usr/local/jails before the regular directories
  PATH=/usr/local/jails:$PATH
  export PATH
  # for the RC module: show the name of the current role in the prompt
  rc_role_number=$(rc_get_current_role 2> /dev/null | awk '{ print $5 }')
  rc_role=$(rc_get_item ROLE "$rc_role_number" name 2> /dev/null)
  if [ -n "$rc_role" ]; then
      export PS1="($rc_role) $PS1"
  fi
==== Debian ====
pass
==== Why expand the path? ====
This is not strictly necessary, but it is practical when using `run-jail` to put `ping` or `wget` into a jail.
The reason is that with the extended path `bash` searches `/usr/local/jails` first, so if there is a symlink named `ping`
(or any other name) in that directory, it is executed instead of the real binary.
The script `run-jail-helper` can create such a symlink and create or modify a jail policy:
  run-jail-helper -h
  usage: run-jail-helper [-h] [-m MODIFY] [-c CREATE] [-p PROG_NAME]

  optional arguments:
    -h, --help            show this help message and exit
    -m MODIFY, --modify MODIFY
                          Modify a jail configuration file.
    -c CREATE, --create CREATE
                          Create a dummy jail configuration file.
    -p PROG_NAME, --prog-name PROG_NAME
                          Create a symlink so that a the progam is execute in
                          RSBAC jail always. The '/etc/profile' have to
                          prepared.
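The mechanism above relies on two things that are easy to get wrong silently: the jail directory really is first in `PATH`, and the directory contains only the symlinks that `run-jail-helper` put there. The following POSIX sh functions are an added example for checking both; they are not part of this page or of `run-jail-helper`. The `JAIL_DIR` variable is an assumed override so the functions can be exercised against a scratch directory; the page's real directory is `/usr/local/jails`.

```shell
#!/bin/sh
# Added example (not the page's code): verify that the PATH prepend from
# /etc/profile.d makes the jailed symlink win over the real binary, and audit
# the jail directory for entries that should not be there.
# JAIL_DIR is an assumed override for testing; the page uses /usr/local/jails.

# Print the path of the program that a bare command name resolves to first.
# This is exactly the lookup bash performs when the user types the name.
first_in_path() {
  command -v "$1"
}

# Exit 0 if the command name resolves to an entry inside the jail directory
# (the jailed wrapper shadows the real binary), exit 1 otherwise.
shadowed_by_jail() {
  jail="${JAIL_DIR:-/usr/local/jails}"
  p=$(command -v "$1") || return 1
  case "$p" in
    "$jail"/*) return 0 ;;
    *)         return 1 ;;
  esac
}

# List entries in the jail directory that are not symlinks, or whose link
# target is missing. The helper only ever creates symlinks there, so a plain
# file means something else wrote into a directory that precedes /bin and
# /usr/bin in every user's PATH, and a dangling link means the jailed command
# no longer runs at all.
audit_jail_dir() {
  jail="${JAIL_DIR:-/usr/local/jails}"
  for entry in "$jail"/*; do
    # an empty directory leaves the glob unexpanded; skip that case
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    if [ ! -L "$entry" ]; then
      echo "not a symlink: $entry"
    elif [ ! -e "$entry" ]; then
      echo "dangling symlink: $entry"
    fi
  done
}
```

A periodic run of `audit_jail_dir` that produces any output is worth an alert: the directory is deliberately the first place the shell looks for every command name.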
===== Modify package management =====
Why does the package management have to be modified?
The admin user updater will manage the package management.
The updater shell script can leave behind a file with RSBAC attributes that has to be executed at the end of every install procedure.
Therefore I use the package manager hooks to do this.
This is different for every distribution. I use Gentoo and Debian, so I have a way to plug in on those systems.
I refer to the home directory setup above.
==== Gentoo ====
A new file `/etc/portage/bashrc` is needed.
Copy & paste it or download it here [[http://kasten-edv.de/download/rsbac/profile/bashrc|bashrc]].
This is a prototype and may still change a bit in the future; I am testing the structure at the moment.
  post_pkg_postinst() {
      # policy shipped with the system
      rsbac_attributes_initial="/etc/rsbac/packages/${CATEGORY}/${PN}/${PF}.sh"
      # policy left behind by the updater user
      rsbac_attributes="/home/admins/updater/packages/${CATEGORY}/${PN}/${PF}.sh"
      einfo "Applying rsbac attributes:"
      # first policy
      if [ -f "${rsbac_attributes_initial}" ]; then
          sh "${rsbac_attributes_initial}"
      else
          einfo "No rsbac attribute initial available"
      fi
      # second policy, if found
      if [ -f "${rsbac_attributes}" ]; then
          sh "${rsbac_attributes}"
      else
          einfo "No rsbac attribute available"
      fi
  }
==== Debian ====
A new file `/etc/apt/apt.d/80rsbac` is needed.
Copy & paste it or download it here [[http://kasten-edv.de/download/rsbac/profile/80rsbac|80rsbac]].
Not yet tested.
  # Not yet tested. ${CATEGORY}, ${PN} and ${PF} are Portage variables; apt does not
  # set them, so on Debian they still have to be derived from the dpkg package name.
  DPkg::Post-Invoke {
      "rsbac_attributes_initial=\"/etc/rsbac/packages/${CATEGORY}/${PN}/${PF}.sh\";
       rsbac_attributes=\"/home/admins/updater/packages/${CATEGORY}/${PN}/${PF}.sh\";
       echo \"Applying rsbac attributes:\";
       # first policy
       if [ -f \"${rsbac_attributes_initial}\" ]; then
           sh \"${rsbac_attributes_initial}\";
       else
           echo \"No rsbac attribute initial available\";
       fi;
       # second policy, if found
       if [ -f \"${rsbac_attributes}\" ]; then
           sh \"${rsbac_attributes}\";
       else
           echo \"No rsbac attribute available\";
       fi";
  };
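Both hooks above (the Gentoo `post_pkg_postinst` and the Debian `DPkg::Post-Invoke`) do the same thing: look for a system policy file and then for the updater's policy file for the package just installed, and run whichever exist. The following POSIX sh function is an added example of that shared logic, not the page's bashrc or apt hook, written so it can be called from either hook with the package's category, name and name-with-version (Portage's `CATEGORY`, `PN` and `PF`) as arguments. It also adds the check a practitioner wants before a package manager runs a script out of a home directory as root: the file must not be writable by group or others. `RSBAC_PKG_ROOT` is an assumed override so the function can be exercised against a scratch tree instead of `/`.

```shell
#!/bin/sh
# Added example (not the page's code): the lookup-and-apply logic shared by the
# Gentoo and Debian hooks as one function. Arguments are the package category,
# name and name-with-version, i.e. Portage's CATEGORY, PN and PF.
# RSBAC_PKG_ROOT is an assumed override for testing; it is empty on a real system.

# Refuse attribute files that someone other than the owner could modify: the hook
# runs them as root during every install, so a group- or world-writable file in
# /home/admins/updater would let a less privileged writer run code as root.
attr_file_is_safe() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# Run the initial (system) policy first, then the updater's own policy.
# Prints the number of files applied on stdout; progress messages go to stderr.
# Returns 1 when a file is unsafe or its script fails, so the hook can abort.
apply_rsbac_attributes() {
  category="$1"; pn="$2"; pf="$3"
  root="${RSBAC_PKG_ROOT:-}"
  applied=0
  for f in "$root/etc/rsbac/packages/$category/$pn/$pf.sh" \
           "$root/home/admins/updater/packages/$category/$pn/$pf.sh"; do
    if [ ! -f "$f" ]; then
      echo "No rsbac attribute file: $f" >&2
      continue
    fi
    if ! attr_file_is_safe "$f"; then
      echo "Refusing group/world-writable attribute file: $f" >&2
      return 1
    fi
    echo "Applying rsbac attributes from $f" >&2
    sh "$f" || { echo "Attribute script failed: $f" >&2; return 1; }
    applied=$((applied + 1))
  done
  echo "$applied"
}

# Usage from a Portage bashrc hook would be:
#   post_pkg_postinst() { apply_rsbac_attributes "$CATEGORY" "$PN" "$PF" >/dev/null; }
```

The function runs the system policy before the updater's policy, as the page's hooks do, so the updater's file can only add to or override what the initial file set, and a failing or unsafe file stops the hook instead of being silently skipped.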
===== NFS Portage =====
When using an NFSv4 store to manage the Portage tree, some modifications have to be made.
  * Add the user updater (uid=410, gid=410) on the NFSv4 server. This example assumes a Debian machine running as the Portage NFSv4 server.
  addgroup --gid 410 updater
  adduser --home /srv/nfs4/portage --gid 410 --uid 410 --disabled-password --disabled-login updater
  * Add the Portage tree to exportfs
  /srv/nfs4/portage 192.168.0.0/24(rw,sync,insecure,nohide,no_subtree_check,root_squash)
  * Add the Portage tree to fstab
  /mnt/portage /srv/nfs4/portage none bind 0 0
  * Modify the file permissions on the exported Portage tree
  cd /srv/nfs4/portage
  chown updater:updater -Rv .
  find . -type d -print0 | xargs -0 chmod 755
  find . -type f -print0 | xargs -0 chmod 640
===== Modify make.conf for emerge --sync =====
When the Portage tree is mounted via NFS, RSBAC creates a directory `rsbac.dat` in it, and `rsync` then fails on that directory:
  rsync: readdir("/usr/portage/rsbac.dat"): Operation not permitted (1)
  rsync: delete_file: rmdir(rsbac.dat) failed: Operation not permitted (1)
To exclude it, edit `make.conf` and add this line:
  PORTAGE_RSYNC_EXTRA_OPTS="--exclude=/rsbac.dat"