To make the user management easier I create a subdirectories for admin users and normal users.
There are many reasons to do this. One of this is, I will protect the home directories with ACL RC module.
For convention I use this structure:
/home/ admins/ backuper/ configer/ security/ updater/ users/ my_name/
So, update your `/etc/passwd` for your users.
Add a new file in `/etc/profile.d`. Copy & paste it or downloaded from profile.
# used by run-jail PATH=/usr/local/jails:$PATH export PATH # for RC module to display the role name rc_role_number=$(rc_get_current_role 2> /dev/null | awk '{ print $5 }') rc_role=$(rc_get_item ROLE $rc_role_number name 2> /dev/null) if [ "$role" != "" ]; then export PS1="($role) $PS1" fi
pass
This is not really necessary but when using `run-jail` to put `ping` or `wget` into a jail is practical. The reason is, when adding the path then the `bash` search firstly in `/usr/local/jails` and if there a symlink with `ping` or any name this would as first executed.
With the script `run-jail-helper` can create such symlink and create or modify a jail policy:
run-jail-helper -h usage: run-jail-helper [-h] [-m MODIFY] [-c CREATE] [-p PROG_NAME] optional arguments: -h, --help show this help message and exit -m MODIFY, --modify MODIFY Modify a jail configuration file. -c CREATE, --create CREATE Create a dummy jail configuration file. -p PROG_NAME, --prog-name PROG_NAME Create a symlink so that a the progam is execute in RSBAC jail always. The '/etc/profile' have to prepared.
Why the package managment have to modified?
An admin user updater will manage the package managment. The updater-shell script can leave a file with rsbac attributes thats have to execute on the end on every install procedure. Therefor I use the package manager hooks to do this.
This is now different for every distribution. I use gentoo and debian, so I have a way how to plugin in on those systems.
I refer to the home directory setup.
A new file `/etc/portage/bashrc` is needed.
Copy & paste it or download here bashrc.
This is a prototype and could maybe change a bit in the future. I am testing the structure in the moment.
post_pkg_postinst() { rsbac_attributes_initial="/etc/rsbac/packages/${CATEGORY}/${PN}/${PF}.sh" rsbac_attributes="/home/admins/updater/packages/${CATEGORY}/${PN}/${PF}.sh" einfo "Applying rsbac attributes:"; # first policy if [ -f "${rsbac_attributes_initial}" ]; then sh ${rsbac_attributes_initial} else einfo "No rsbac attribute initial available" fi # second which found if [ -f "${rsbac_attributes}" ]; then sh ${rsbac_attributes} else einfo "No rsbac attribute available" fi }
A new file `/etc/apt/apt.d/80rsbac` is needed.
Copy & paste it or download here 80rsbac.
Not yet tested
DPkg::Post-Invoke { “ rsbac_attributes_initial="/etc/rsbac/packages/${CATEGORY}/${PN}/${PF}.sh" rsbac_attributes="/home/admins/updater/packages/${CATEGORY}/${PN}/${PF}.sh" einfo "Applying rsbac attributes:"; # first policy if [ -f "${rsbac_attributes_initial}" ]; then sh ${rsbac_attributes_initial} else echo "No rsbac attribute initial available" fi # second which found if [ -f "${rsbac_attributes}" ]; then sh ${rsbac_attributes} else echo "No rsbac attribute available" fi }
When using nfs4 store to manage the portage tree then some modification have to do.
addgroup --gid 410 updater adduser --home /srv/nfs4/portage --gid 410 --uid 410 --disabled-password --disabled-login updater
/srv/nfs4/portage 192.168.0.0/24(rw,sync,insecure,nohide,no_subtree_check,root_squash)
/mnt/portage /srv/nfs4/portage none bind 0 0
cd /srv/nfs4/portage chown updater:updater -Rv . find -type d | xargs chmod 755 find -type f | xargs chmod 640
When the portage tree mounted via nfs then RSBAC create a directory rsbac.dat.
rsync: readdir("/usr/portage/rsbac.dat"): Operation not permitted (1) rsync: delete_file: rmdir(rsbac.dat) failed: Operation not permitted (1)
To exclude this edit make.conf and add this line.
PORTAGE_RSYNC_EXTRA_OPTS="--exclude=/rsbac.dat"