Summary: rbac cluebyfour?

From: Jacob Ritorto <jacob.ritorto_at_gmail.com>
Date: Fri Aug 29 2008 - 15:03:46 EDT
Thanks to all who responded.  Some actually answered my question and
gave instructions on how to do it with big crazy RBAC, while others
admonished me to not use such a big hammer when setfacl (POSIX file
access control list settings) should do the trick neatly.  This is
Solaris 8 SPARC 7/01, by the way.

I chose the facls method.  It was a daunting mess due to missing
documentation on Docs.Sun.COM.  Fortunately Softpanorama came through
as usual with the missing info:
http://www.softpanorama.org/Solaris/ACL/index.shtml

To give a bit more detail on my scenario: we have a
multi-customer host that dishes out confidential, unique info to
clients.  Obviously it's necessary that they not see each others'
files, but the user oracle had to be able to dish out said files.  So
'trivial' or traditional unix perms were not appropriate to the task.

Solution:

1) Create individual home dirs for users that have 700 traditional
unix permissions.  This way nobody can peer at others' files.

2) Set initial default inheritance capability in facls (the part they
failed to mention on docs.sun.com).  This enables you to specify the
ACL behaviour of files dropped in the directory:

setfacl -r -m default:user::rwx,default:group::---,default:other:---,default:mask:rwx ~bob/

3) Give oracle and the customer the ability to manipulate the files,
despite not being listed in the trivial ACL:
setfacl -r -m default:user:oracle:rwx ~bob/
setfacl -r -m default:user:bob:rwx ~bob/

4) repeat similar for other clients

5) Check it and confirm with real-world testing:
root@Lumpy~bob[8]14:22#getfacl ~bob/
# file: bob
# owner: bob
# group: clients
user::rwx
user:oracle:rwx         #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:user:oracle:rwx
default:user:bob:rwx
default:group::---
default:mask:rwx
default:other:---


Seems good now.

thx
jake



I wrote:
>         Is it appropriate to use RBAC to allow one user to write files
> in the directory of another user?  We need 600 perms for user bob's
> home but want user oracle to dump output there.  If RBAC is the right
> way to do this, would someone give recipe/example please?  I can't
> digest the entire RBAC documentation before deadline.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Fri Aug 29 15:06:19 2008

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:11 EST
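Added example, not part of jake's post or of anything on docs.sun.com: a small Python checker that parses Solaris getfacl output in the format shown in the post and verifies the policy the post describes, namely that the owner and the oracle service account end up with rwx effective on the directory and on anything created in it, while group and other get nothing, on both the access ACL and the default ACL. The getfacl text for ~bob is copied from the post; the other two samples are constructed here to show the two ways this setup breaks without anyone noticing: a later chmod on the directory rewrites the mask entry (getfacl's "#effective:" column is what it computes from that mask, and setfacl -r is what recalculates it), and a directory that never got step 2, so it has no default entries for new files to inherit. The customer name carol, the sample used in the assertions and the function names are assumptions made for the example.

```python
"""Check Solaris POSIX-draft ACLs on per-customer home directories.

Policy from the post: owner and the oracle service account get rwx, group and
other get nothing, on both the access ACL and the default ACL. getfacl's
'#effective:' notes are recomputed here from the mask entry, not trusted."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_int(perms):
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)  # 'r-x' -> 5


def int_to_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())  # 5 -> 'r-x'


def parse_getfacl(text):
    """{'access': [(tag, qualifier, bits), ...], 'default': [...]}; qualifier is '' for user::/group::."""
    acl = {"access": [], "default": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops '# file:' headers and '#effective:' notes
        if not line:
            continue
        fields = line.split(":")
        which, fields = ("default", fields[1:]) if fields[0] == "default" else ("access", fields)
        tag = fields[0]
        if tag in ("user", "group"):
            qualifier, perms = fields[1], fields[2]
        elif tag in ("mask", "other"):
            qualifier, perms = "", fields[1]
        else:
            raise ValueError(f"unrecognised ACL entry: {raw!r}")
        acl[which].append((tag, qualifier, perms_to_int(perms)))
    return acl


def effective(entries):
    """Rights each entry really grants: named users and all group entries are ANDed with the mask."""
    mask = next((bits for tag, _, bits in entries if tag == "mask"), 7)  # no mask entry: nothing masked
    result = {}
    for tag, qualifier, bits in entries:
        if tag != "mask":
            masked = tag == "group" or (tag == "user" and qualifier != "")
            result[f"{tag}:{qualifier}"] = bits & mask if masked else bits
    return result


def check_tenant_acl(text, writers):
    """Return policy violations for one directory's getfacl output ([] means it is as intended)."""
    acl = parse_getfacl(text)
    problems = []
    for which in ("access", "default"):
        entries = acl[which]
        if not entries:
            problems.append(f"{which}: no entries at all")  # step 2 skipped: new files inherit nothing
            continue
        eff = effective(entries)
        if eff.get("user:", 0) != 7:
            problems.append(f"{which}: owner has {int_to_perms(eff.get('user:', 0))}, expected rwx")
        for key, who in (("group:", "owning group"), ("other:", "other")):
            if eff.get(key, 0) != 0:
                problems.append(f"{which}: {who} has {int_to_perms(eff[key])}, expected ---")
        for name in writers:
            got = eff.get(f"user:{name}")
            if got is None:
                problems.append(f"{which}: no entry for user {name}")
            elif got != 7:
                problems.append(f"{which}: user {name} effective {int_to_perms(got)}, expected rwx (mask too tight; setfacl -r recalculates it)")
        if "mask" not in [tag for tag, _, _ in entries]:
            problems.append(f"{which}: mask entry missing")
    return problems


# getfacl ~bob exactly as printed in the post.
GOOD = """\
# file: bob
# owner: bob
# group: clients
user::rwx
user:oracle:rwx         #effective:rwx
group::---              #effective:---
mask:rwx
other:---
default:user::rwx
default:user:oracle:rwx
default:user:bob:rwx
default:group::---
default:mask:rwx
default:other:---
"""

# Constructed: the same setup for customer 'carol' after a later `chmod 700 ~carol`,
# which rewrites the access mask from the mode's group bits (---) and locks oracle out.
CHMOD_CLOBBERED = (GOOD.replace("bob", "carol")
                   .replace("mask:rwx\nother", "mask:---\nother")
                   .replace("#effective:rwx", "#effective:---"))

NO_DEFAULT = "\n".join(GOOD.splitlines()[:8]) + "\n"  # constructed: step 2 never done on this directory
```

Feed it the output of getfacl for each customer home after step 4, e.g. check_tenant_acl(open("bob.acl").read(), ["oracle"]); an empty list means the directory matches the intended policy, anything else names the entry and the ACL (access or default) that is off. Two things worth knowing that the checker makes explicit: chmod on a directory that carries an ACL sets the mask entry from the mode's group bits, so a routine chmod 700 after step 3 leaves the named entries in place but drops oracle's effective rights to ---, and a file oracle drops into ~bob is owned by oracle, so bob only reaches it through the default:user:bob:rwx entry, which is why that line in step 3 is not redundant even though bob owns the directory.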