Summary: rbac cluebyfour?
- From: "Jacob Ritorto" <jacob.ritorto@xxxxxxxxx>
- Date: Fri, 29 Aug 2008 15:03:46 -0400
Thanks to all who responded. Some actually answered my question and
gave instructions on how to do it with big crazy RBAC, while others
admonished me to not use such a big hammer when setfacl (POSIX file
access control list settings) should do the trick neatly. This is
Solaris 8 SPARC 7/01, by the way.
I chose the facls method. It was a daunting mess due to missing
documentation on Docs.Sun.COM. Fortunately Softpanorama came through
as usual with the missing info:
To give a bit more detail on my scenario: we have a
multi-customer host that dishes out confidential, unique info to
clients. Obviously it's necessary that they not see each others'
files, but the user oracle had to be able to dish out said files. So
'trivial' or traditional unix perms were not appropriate to the task.
1) Create individual home dirs for users that have 700 traditional
unix permissions. This way nobody can peer at others' files.
2) set initial default inheritance capability in facls (the part they
failed to mention on docs.sun.com). This enables you to specify the
acl behaviour of files dropped in the directory:
setfacl -r -m default:user::rwx,default:group::---,default:other:---,default:mask:rwx ~bob/
3) give oracle and the customer the ability to manipulate the files,
despite not being listed in trivial acl:
setfacl -r -m default:user:oracle:rwx ~bob/
setfacl -r -m default:user:bob:rwx ~bob/
4) repeat similar for other clients
5) check it and confirm with real world testing:
# file: bob
# owner: bob
# group: clients
Seems good now.
Is it appropriate to use RBAC to allow one user to write files
in the directory of another user? We need 600 perms for user bob's
home but want user oracle to dump output there. If RBAC is the right
way to do this, would someone give recipe/example please? I can't
digest the entire RBAC documentation before deadline.
sunmanagers mailing list
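The recipe above is Jacob's; what follows is an added example, not part of the original post. It is a small audit script for the directory layout the summary describes: it parses getfacl(1) output, applies the mask to the named entries the way POSIX-draft (Solaris 8 UFS) ACLs do, and checks that the owning group and other are closed, that the helper account and the client have effective rwx, that no other client is named, and that a default ACL exists so files dropped into the directory inherit the same entries. Assumptions, mine and not the page's: the listings are in Solaris getfacl format (Linux getfacl, which prints mask::rwx, parses too), oracle is the helper account, bob and alice are client accounts, and both listings are constructed by hand rather than captured from a host.

```python
# Added example, not from the original post. Assumed: Solaris 8 style getfacl
# output, helper account "oracle", client accounts "bob" and "alice", and
# hand-constructed listings (GOOD_ACL / BAD_ACL) rather than captured output.
from collections import namedtuple

AclEntry = namedtuple("AclEntry", "default tag qualifier perms")
TAG_ALIASES = {"u": "user", "g": "group", "m": "mask", "o": "other"}


def parse_getfacl(text):
    """Turn getfacl output into AclEntry records. "# file:" headers and the
    "#effective:" notes Solaris appends are comments and are stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        default = fields[0] in ("default", "d")
        if default:
            fields = fields[1:]
        tag = TAG_ALIASES.get(fields[0], fields[0])
        # user::rwx / user:oracle:rwx have 3 fields; mask:rwx / other:--- have 2
        qualifier = fields[1] if len(fields) == 3 else ""
        entries.append(AclEntry(default, tag, qualifier, fields[-1]))
    return entries


def _bits(perms):
    return frozenset(c for c in perms if c in "rwx")


def effective_perms(entries, default=False):
    """What each entry really grants once the mask is applied: named users,
    named groups and the owning group are ANDed with the mask entry, the
    owner and "other" are not. Keys: "user" (owner), "group" (owning group),
    "other", and "user:<name>" / "group:<name>" for named entries."""
    acl = [e for e in entries if e.default == default]
    mask = next((_bits(e.perms) for e in acl if e.tag == "mask"), None)
    out = {}
    for e in acl:
        if e.tag == "mask":
            continue
        bits = _bits(e.perms)
        if mask is not None and (e.tag == "group" or (e.tag == "user" and e.qualifier)):
            bits &= mask
        key = f"{e.tag}:{e.qualifier}" if e.qualifier else e.tag
        out[key] = "".join(c if c in bits else "-" for c in "rwx")
    return out


def audit_client_home(listing, client, helper, clients):
    """Check one client's home against the policy in the summary: group and
    other closed, helper and client effective rwx, no other client named,
    and a default ACL present. Returns a list of problems (empty = pass)."""
    entries = parse_getfacl(listing)
    problems = []
    if not any(e.default for e in entries):
        problems.append("no default ACL: new files will not inherit the named entries")
    for default in (False, True):
        scope = "default" if default else "access"
        eff = effective_perms(entries, default)
        if not eff:
            continue
        for tag in ("group", "other"):
            if eff.get(tag, "---") != "---":
                problems.append(f"{scope}: {tag} grants {eff[tag]}, expected ---")
        for who in (helper, client):
            got = eff.get(f"user:{who}", "---")
            if got != "rwx":
                problems.append(f"{scope}: user:{who} effective {got}, expected rwx")
        for other in sorted(clients - {client}):
            got = eff.get(f"user:{other}", "---")
            if got != "---":
                problems.append(f"{scope}: user:{other} can reach this directory ({got})")
    return problems


# Constructed listing for ~bob after steps 1-3 of the recipe (not captured output).
GOOD_ACL = """\
# file: bob
# owner: bob
# group: clients
user::rwx
user:oracle:rwx   #effective:rwx
user:bob:rwx
group::---
mask:rwx
other:---
default:user::rwx
default:user:oracle:rwx
default:user:bob:rwx
default:group::---
default:mask:rwx
default:other:---
"""

# Constructed bad state: access mask dropped to r-x (silently clipping oracle
# and bob to r-x although their entries still read rwx) and client alice named.
BAD_ACL = GOOD_ACL.replace("mask:rwx\nother", "mask:r-x\nother").replace(
    "group::---", "user:alice:r-x\ngroup::---", 1)

if __name__ == "__main__":
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(name, audit_client_home(acl, "bob", "oracle", {"bob", "alice"}) or "ok")
```

Two caveats the script encodes that the recipe only implies. First, a named entry grants only what the mask allows, which is why step 2 sets default:mask:rwx and why the #effective: column in getfacl output is the thing to read in step 5; setfacl -r recalculates the mask from the named entries when you add them. Second, a file oracle writes into ~bob is owned by oracle, not bob, so the default:user:bob entry from step 3 is what lets bob read his own deliveries; the new file's mask comes from the group bits of the mode the writing program uses, so a file created 0644 will show oracle and bob as effective rw-, which is still enough here. This is the UFS POSIX-draft ACL model of Solaris 8; later ZFS/NFSv4 ACLs use a different syntax and semantics.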