Splitting the admin duties

RSBAC gives the opportunity to split the all-mighty root user into different admin users. With this setup the root user is still present, but the first task of an admin is to transfer its duties to specialized users. This needs the RSBAC RC module.

Add security user

RSBAC uses a special user to configure the RSBAC policies. In this example the home directory is set to `/home/admins/security`. Just notice it for now; the reason will become clear later.

Add a user security (the following commands work on Gentoo and Debian):

test -d /home/admins || mkdir /home/admins
groupadd -g 400 security
useradd -g 400 -u 400 -d /home/admins/security -s /bin/bash -c "Security User" -m security
 
# set a new password
passwd security
 
chmod 750 /home/admins/security

Add updater user

In this example the home directory is set to `/home/admins/updater`. The updater-shell, which is set below as the login shell, is a Python dialog script. When the system is running with RSBAC, the caps have to be set.

I have tested that this user cannot send data using `scp` to a remote machine. He also cannot navigate through the filesystem.

Add a user updater (the following commands work on Gentoo and Debian):

test -d /home/admins || mkdir /home/admins
groupadd -g 410 updater
useradd -g 410 -u 410 -d /home/admins/updater -s /usr/bin/updater-shell -c "User for gentoo package management" -m updater
 
# set a new password
passwd updater
 
chmod 750 /home/admins/updater

Debian needs a fix because `python setup.py install` puts everything into `/usr/local`.

Just set a symlink:

ln -s /usr/local/bin/updater-shell /usr/bin/updater-shell

To allow using the updater-shell as a login shell you have to add it to `/etc/shells`.
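The following helper script is an added example and not part of the original page: it registers a login shell in a shells file only once, refuses a path that is not an executable (a typo here would lock the updater account out), and lists every account whose login shell is missing from that file. The file paths are parameters so the functions can be tried on copies of `/etc/shells` and `/etc/passwd` without root.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers for registering a
# restricted login shell (such as /usr/bin/updater-shell) in /etc/shells
# and for auditing which accounts use a shell that is not registered.

# ensure_shell_listed SHELLS_FILE SHELL_PATH
# Appends SHELL_PATH to SHELLS_FILE unless it is already listed.
# Returns 1 without touching the file if SHELL_PATH is not executable.
ensure_shell_listed() {
    shells_file=$1
    shell_path=$2
    if [ ! -x "$shell_path" ]; then
        echo "not an executable: $shell_path" >&2
        return 1
    fi
    # -x matches whole lines, -F treats the path literally (no regex).
    if grep -qxF -- "$shell_path" "$shells_file"; then
        return 0
    fi
    printf '%s\n' "$shell_path" >> "$shells_file"
}

# unlisted_shells SHELLS_FILE PASSWD_FILE
# Prints "user:shell" for each account whose login shell (7th passwd
# field) is not listed in SHELLS_FILE. Empty output means all is fine.
unlisted_shells() {
    shells_file=$1
    passwd_file=$2
    while IFS=: read -r user _ _ _ _ _ shell; do
        grep -qxF -- "$shell" "$shells_file" || printf '%s:%s\n' "$user" "$shell"
    done < "$passwd_file"
}
```

On a live system call `ensure_shell_listed /etc/shells /usr/bin/updater-shell` as root and then `unlisted_shells /etc/shells /etc/passwd` to confirm the updater account no longer shows up.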

Gentoo Updater

On a Gentoo system the user updater must be in the group portage. When using RSBAC UM, add the group with:

rsbac_usermod -G 250 updater