RSBAC makes it possible to split the almighty root user into different admin users. With this setup the root user is still present, but an admin's first task is to transfer to a specialized user. This requires the RSBAC RC module.
RSBAC uses a special user to configure the RSBAC policies. In this example the home directory is set to `/home/admins/security`. Just take note of it; the reason will become clear later.
Add a user security (the following commands work on Gentoo and Debian):
```bash
test -d /home/admins || mkdir /home/admins
groupadd -g 400 security
useradd -g 400 -u 400 -d /home/admins/security -s /bin/bash -c "Security User" -m security
# set a new password
passwd security
chmod 750 /home/admins/security
```
In this example the home directory is set to `/home/admins/updater`. The updater-shell, which is set as the login shell below, is a Python dialog script. When the system is running with RSBAC, caps have to be set.
I have tested this: the user cannot send data to the remote machine using `scp`. He also cannot navigate through the filesystem.
Add a user updater (the following commands work on Gentoo and Debian):
```bash
test -d /home/admins || mkdir /home/admins
# groupadd needs the group name as its last argument
groupadd -g 410 updater
useradd -g 410 -u 410 -d /home/admins/updater -s /usr/bin/updater-shell -c "User for gentoo package management" -m updater
# set a new password
passwd updater
chmod 750 /home/admins/updater
```
Debian needs a fix because `python setup.py install` puts everything under `/usr/local`.
Just set a symlink:
```bash
ln -s /usr/local/bin/updater-shell /usr/bin/updater-shell
```
To allow the updater-shell to be used as a login shell, you have to add it to `/etc/shells`.
On a Gentoo system the user updater must be in the group portage. When using RSBAC UM, add the group:
```bash
rsbac_usermod -G 250 updater
```
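A way to verify the account setup from the steps above, written as an added example that is not part of the original page or of RSBAC: it checks a role account's UID, GID, home directory and login shell in a passwd-format file, confirms the shell is listed in a shells-format file, and checks the 750 mode on the home directory. The function name `check_role_account` and its argument order are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit a role account against passwd- and shells-format files.
# check_role_account NAME UID GID HOME SHELL PASSWD_FILE SHELLS_FILE  (hypothetical helper)
# Prints one line per finding; returns 0 if everything matches, 1 otherwise.
check_role_account() {
    name=$1 uid=$2 gid=$3 home=$4 shell=$5 passwd=$6 shells=$7
    rc=0
    # passwd format: name:password:uid:gid:gecos:home:shell
    entry=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "FAIL $name: no passwd entry"
        return 1
    fi
    # Each spec is label:column:expected-value
    for spec in "uid:3:$uid" "gid:4:$gid" "home:6:$home" "shell:7:$shell"; do
        label=${spec%%:*}; rest=${spec#*:}; col=${rest%%:*}; want=${rest#*:}
        got=$(printf '%s\n' "$entry" | cut -d: -f"$col")
        [ "$got" = "$want" ] || { echo "FAIL $name: $label is '$got', expected '$want'"; rc=1; }
    done
    # The login shell has to appear as its own line in the shells file.
    grep -Fxq -- "$shell" "$shells" || { echo "FAIL $name: $shell not listed in $shells"; rc=1; }
    # Mode check only when the home directory exists here (assumes GNU stat).
    if [ -d "$home" ]; then
        mode=$(stat -c '%a' "$home")
        [ "$mode" = "750" ] || { echo "FAIL $name: $home has mode $mode, expected 750"; rc=1; }
    fi
    return $rc
}

# Constructed sample data, not taken from a real host.
demo=$(mktemp -d)
printf 'updater:x:410:410:User for gentoo package management:/home/admins/updater:/usr/bin/updater-shell\n' > "$demo/passwd"
printf '/bin/sh\n/bin/bash\n' > "$demo/shells"
check_role_account updater 410 410 /home/admins/updater /usr/bin/updater-shell \
    "$demo/passwd" "$demo/shells" || echo "updater: fix the findings above"
rm -rf "$demo"
```

On a live system, pass `/etc/passwd` and `/etc/shells` as the last two arguments.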