Tuesday 22 July 2008

rbac f9

Let us assume we want to make user "joe" our website operator.
"joe" should only be able to operate apache.
To operate apache one traditionally would need a root password.

In Fedora 9, root can be confined to specific roles.
Also in Fedora 9, users no longer need the root password to gain root
privileges, because sudo now has SELinux support built in.
Before Fedora 9, a combination of su and newrole was used to gain root
privileges. This required the user to enter his own password for newrole
and then the root password for su.

Here is how you do it:

1. useradd joe
2. passwd joe
3. /usr/sbin/semanage user -a -L s0 -r s0-s0 -R "staff_r webadm_r" -P user webadmin
4. /usr/sbin/semanage login -a -s webadmin -r s0-s0 joe
5. echo "joe ALL=(ALL) TYPE=webadm_t ROLE=webadm_r ALL" >> /etc/sudoers

When joe logs into the system, he will find himself in the staff_t user
domain (check with id -Z). This is a restricted user domain. The staff_r
role is similar to user_r, with the important exception that staff_r may
transition to other, possibly more privileged, domains, unlike user_r:
user_r is confined to the user_t user domain and may not transition.
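The five delegation steps above and the id -Z check, written up as one small POSIX shell script. This is an added example, not the post's own commands: it wraps the same semanage and sudoers lines in functions, validates the sudoers entry with visudo -cf before appending it (a syntax error in /etc/sudoers locks everyone out of sudo), and parses a user:role:type:range context so you can assert which domain joe actually landed in. DRY_RUN and WEBADM_APPLY are this script's own knobs; the webadmin/webadm_r/webadm_t names are taken from the post.

```shell
#!/bin/sh
# Added example: delegate web administration to one login without the root
# password. Assumes the SELinux user "webadmin" and the webadm_r/webadm_t
# role/type pair named in the post; DRY_RUN and WEBADM_APPLY are constructed
# knobs for this script only.
set -eu

# Run a privileged command, or only print it when DRY_RUN=1 (the default,
# so the script is safe to source on a workstation).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The sudoers entry that lets a login switch into webadm_r/webadm_t.
# ALL must be uppercase: sudoers treats lowercase "all" as a user name.
webadm_sudoers_entry() {
    printf '%s ALL=(ALL) TYPE=webadm_t ROLE=webadm_r ALL\n' "$1"
}

# Steps 1-5 from the post for one login name.
delegate_webadmin() {
    user=$1
    run useradd "$user"
    run passwd "$user"
    # SELinux user "webadmin": level s0, range s0-s0, roles staff_r and webadm_r
    run /usr/sbin/semanage user -a -L s0 -r s0-s0 -R "staff_r webadm_r" -P user webadmin
    # Map the Linux login onto that SELinux user
    run /usr/sbin/semanage login -a -s webadmin -r s0-s0 "$user"
    # Check the sudoers fragment with visudo before it reaches /etc/sudoers
    tmp=$(mktemp)
    webadm_sudoers_entry "$user" > "$tmp"
    run visudo -cf "$tmp"
    run tee -a /etc/sudoers < "$tmp"
    rm -f "$tmp"
}

# Split an SELinux context "user:role:type:range" as printed by id -Z.
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}
context_role() { context_field "$1" 2; }
context_type() { context_field "$1" 3; }

# True when the context is the restricted domain joe starts in after login.
is_staff_login() {
    [ "$(context_role "$1")" = staff_r ] && [ "$(context_type "$1")" = staff_t ]
}

# True when the context is the delegated web-admin domain reached via sudo.
is_webadm() {
    [ "$(context_role "$1")" = webadm_r ] && [ "$(context_type "$1")" = webadm_t ]
}

# Only apply for real when explicitly asked to, e.g.:
#   WEBADM_APPLY=1 DRY_RUN=0 WEBADM_USER=joe sh delegate.sh
if [ "${WEBADM_APPLY:-0}" = 1 ]; then
    delegate_webadmin "${WEBADM_USER:-joe}"
fi
```

After applying it for real, `su - joe` followed by `id -Z` should give a context that satisfies is_staff_login, and `sudo id -Z` from that shell one that satisfies is_webadm; anything else means the semanage login mapping or the sudoers ROLE/TYPE pair did not take effect.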

If joe wants to, for example, restart the webserver, he can just type
sudo service httpd restart. Similarly, if joe wants to edit a file owned
by apache, he can edit it in the webadm_t user domain by just typing
sudo vi /etc/httpd/conf.d/httpd.conf.

Joe can also open a terminal session in the webadm_t domain by running
sudo sh. If there were even more roles, joe could choose in which user
domain to start a new terminal session:
sudo -t webadm_t -r webadm_r sh

Joe can even log into the system directly in the webadm_t domain with:
ssh joe/webadm_r@localhost

You can delegate very specific administration tasks without having to
share the root password!