Mailinglist Archive: opensuse (817 mails)

Re: [opensuse] yast access restrictions
Carlos E. R. said the following on 07/24/2012 05:59 AM:
ACL can do it, I think, but it requires someone designing a long list of what binaries must run for the desired action (say, configure nfs in yast), and what files you must have read or write access to, then define a group that has all those permissions defined. And you have to do this for the hundred different actions you can permit or not. Once done, you can assign users to those action groups. Then you need months or years to test all this.

You've just described why I've always {hated,despised} ACL as an access
control mechanism.

Lists? Think Mikado!

With a little thought the UNIX groups mechanism can come close to a
RBAC-like functionality. The thing is that instead of thinking in terms
of lists you need to think in terms of set-theory, which can be a bit of
a stretch, since this is way beyond what gets taught in schools.
http://en.wikipedia.org/wiki/Role-based_access_control
<quote>
RBAC differs from access control lists (ACLs), used in traditional
discretionary access-control systems, in that it assigns permissions to
specific operations with meaning in the organization, rather than to low
level data objects.
</quote>


The key is to create new groups to define the functional layers you need
rather than just accept the out-of-the-box groups in /etc/group that
come with the distribution. Groups as roles and groups as capability are
separate.

The result, if you look at it from the contents of /etc/group, certainly
looks like lists, but set membership has to be written down somehow.

Google a little ...

RBAC using AppArmor with Suse
http://wiki.apparmor.net/index.php/RBAC_2_3
http://wiki.apparmor.net/index.php/AppArmorRBAC
Even without AppArmor, the use of PAM is interesting

There's also pam_capability which can implement a form of RBAC using the
Capability functions.

Novell RBAC using LDAP
http://www.novell.com/communities/node/1656/nam%20open%20lab%205%3A%20setting%20rbac

RBAC with SELinux
http://www.ibm.com/developerworks/linux/library/l-rbac-selinux/
Explanation of RBAC in SELinux (section 6.1.1)
http://flylib.com/books/en/2.803.1.47/1/


See also

http://it.toolbox.com/wiki/index.php/UNIX_Groups_and_RBAC_Roles

http://www.linuxlinks.com/article/20110414155714166/MAC-RBAC-Tools.html

http://en.wikipedia.org/wiki/Grsecurity

http://seedit.sourceforge.net/doc/2.0/rbac_guide.pdf

or go google for yourself. There's a lot out there on ways to use and
implement RBAC and the principles behind it.



--
I would rather be exposed to the inconveniences attending too much
liberty, than those attending too small a degree of it.
--Thomas Jefferson (letter to Archibald Stuart, Dec. 23, 1791,
on the encroachments of state governments)
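The "groups as roles, think in sets" idea from the post above, as an added worked example (this is editor-supplied illustration, not code from the thread or from openSUSE). It models capability groups as the set of files one administrative operation needs, roles as sets of capability groups, and users as holders of roles; the user's effective groups are the union over their roles, and an operation is permitted when its capability set is a subset of that union. The group names, paths, operations and user names are all hypothetical, and the rendered /etc/group lines show what the post means by "looks like lists": the set structure lives in the role definitions, the file only records the resulting membership.

```python
"""
UNIX groups used RBAC-style: capability groups, roles as sets of capabilities,
users assigned to roles. All names and paths below are constructed for the
example and do not describe any real distribution's configuration.
"""
from typing import Dict, List, Set

# Capability groups: the object set one operation needs group access to.
# (Hypothetical: a real deployment would chgrp/chmod these paths accordingly.)
CAPABILITIES: Dict[str, Set[str]] = {
    "cap_nfs_exports": {"/etc/exports"},
    "cap_nfs_service": {"/etc/sysconfig/nfs"},
    "cap_printers": {"/etc/cups/printers.conf"},
    "cap_sudo_log": {"/var/log/sudo.log"},
}

# Roles as sets of capability groups: this is the set-theory view.
ROLES: Dict[str, Set[str]] = {
    "nfs_admin": {"cap_nfs_exports", "cap_nfs_service"},
    "print_admin": {"cap_printers"},
    "auditor": {"cap_sudo_log"},
}

# Operations an admin front end might expose, each with the capabilities it needs.
OPERATIONS: Dict[str, Set[str]] = {
    "configure_nfs": {"cap_nfs_exports", "cap_nfs_service"},
    "add_printer": {"cap_printers"},
    "review_sudo_log": {"cap_sudo_log"},
}

# Constructed user-to-role assignments.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"nfs_admin"},
    "bob": {"print_admin", "auditor"},
    "carol": set(),
}


def effective_groups(user_roles: Set[str]) -> Set[str]:
    """Union of the capability sets of every role the user holds."""
    groups: Set[str] = set()
    for role in user_roles:
        groups |= ROLES[role]
    return groups


def may_perform(user_groups: Set[str], operation: str) -> bool:
    """Allowed iff the operation's capability set is a subset of the user's groups."""
    return OPERATIONS[operation] <= user_groups


def render_etc_group(assignments: Dict[str, Set[str]], start_gid: int = 5000) -> List[str]:
    """Flatten role assignments into /etc/group-style lines: name:x:gid:member,member."""
    members: Dict[str, Set[str]] = {cap: set() for cap in CAPABILITIES}
    for user, roles in assignments.items():
        for cap in effective_groups(roles):
            members[cap].add(user)
    lines = []
    for i, cap in enumerate(sorted(CAPABILITIES)):
        lines.append(f"{cap}:x:{start_gid + i}:{','.join(sorted(members[cap]))}")
    return lines


def groups_from_etc_group(lines: List[str], user: str) -> Set[str]:
    """Read membership back out of /etc/group-style lines (the flattened set)."""
    found: Set[str] = set()
    for line in lines:
        name, _pw, _gid, member_field = line.split(":", 3)
        if user in [m for m in member_field.split(",") if m]:
            found.add(name)
    return found


def roles_touching(capability: str) -> Set[str]:
    """Roles whose permissions change if this capability's file set is altered."""
    return {role for role, caps in ROLES.items() if capability in caps}


if __name__ == "__main__":
    for line in render_etc_group(ASSIGNMENTS):
        print(line)
    for user, roles in ASSIGNMENTS.items():
        allowed = [op for op in OPERATIONS if may_perform(effective_groups(roles), op)]
        print(f"{user}: {allowed}")
```

The check worth keeping in mind when applying this on a real box: group membership only gates discretionary access to the files each capability group owns. A tool that runs as root (a setuid helper, or a YaST module started through su or sudo) is not restricted by the caller's groups at all, which is why the post points to AppArmor, PAM and SELinux for the cases where you need to constrain the privileged operation itself rather than the files around it.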
