Carlos E. R. said the following on 07/24/2012 05:59 AM:
> ACL can do it, I think, but it requires someone designing a long list of what binaries must run for the desired action (say, configure nfs in yast), and what files you must have read or write access, then define a group that has all those permissions defined. And you have to do this for the hundred different actions you can permit or not. Once done, you can assign users to those action groups. Then you need months or years to test all this.
You've just described why I've always {hated,despised} ACL as an access control mechanism. Lists? Think Mikado!

With a little thought the UNIX groups mechanism can come close to a RBAC-like functionality. The thing is that instead of thinking in terms of lists you need to think in terms of set theory, which can be a bit of a stretch, since this is way beyond what gets taught in schools.

http://en.wikipedia.org/wiki/Role-based_access_control
<quote>
RBAC differs from access control lists (ACLs), used in traditional discretionary access-control systems, in that it assigns permissions to specific operations with meaning in the organization, rather than to low level data objects.
</quote>

The key is to create new groups to define the functional layers you need rather than just accept the out-of-the-box groups in /etc/group that come with the distribution. Groups as roles and groups as capability are separate. The result, if you look at it from the contents of /etc/group, certainly looks like lists, but set membership has to be written down somehow.

Google a little ...

RBAC using AppArmor with Suse
http://wiki.apparmor.net/index.php/RBAC_2_3
http://wiki.apparmor.net/index.php/AppArmorRBAC

Even without AppArmor, the use of PAM is interesting. There's also pam_capability which can implement a form of RBAC using the Capability functions.

Novell RBAC using LDAP
http://www.novell.com/communities/node/1656/nam%20open%20lab%205%3A%20settin...

RBAC with SELinux
http://www.ibm.com/developerworks/linux/library/l-rbac-selinux/

Explanation of RBAC in SELinux (section 6.1.1)
http://flylib.com/books/en/2.803.1.47/1/

See also
http://it.toolbox.com/wiki/index.php/UNIX_Groups_and_RBAC_Roles
http://www.linuxlinks.com/article/20110414155714166/MAC-RBAC-Tools.html
http://en.wikipedia.org/wiki/Grsecurity
http://seedit.sourceforge.net/doc/2.0/rbac_guide.pdf

or go google for yourself. There's a lot out there on ways to use and implement RBAC and the principles behind it.
-- 
I would rather be exposed to the inconveniences attending too much liberty, than those attending too small a degree of it.
--Thomas Jefferson (letter to Archibald Stuart, Dec. 23, 1791, on the encroachments of state governments)
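A worked model of the groups-as-roles / groups-as-capabilities layering the reply describes, as an added example that is not part of the thread: users sit in role groups listed in /etc/group, a separate mapping turns roles into capability groups, and an action is allowed when the user's effective capability set covers what the action needs. All user, group and action names are constructed.

```python
# Added model of "groups as roles, groups as capabilities": users sit in
# role groups, roles map to capability groups, an action needs a cap set.
# Constructed /etc/group-style lines; all group names are hypothetical.
ETC_GROUP = """\
role_nfsadmin:x:2001:alice,bob
role_auditor:x:2002:carol
cap_nfs_exports_rw:x:3001:
cap_nfs_service_ctl:x:3002:
cap_log_read:x:3003:
"""

# Role layer -> capability layer (hypothetical mapping, kept separate
# from /etc/group so the role membership list stays short to review).
ROLE_CAPS = {
    "role_nfsadmin": {"cap_nfs_exports_rw", "cap_nfs_service_ctl"},
    "role_auditor": {"cap_log_read"},
}

# Action -> capability groups it requires (hypothetical).
ACTION_CAPS = {
    "configure-nfs": {"cap_nfs_exports_rw", "cap_nfs_service_ctl"},
    "read-logs": {"cap_log_read"},
}

def parse_group_file(text):
    """Return {group: set(members)} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def roles_of(user, groups):
    """Role groups (role_* prefix) the user is a direct member of."""
    return {g for g, mem in groups.items() if g.startswith("role_") and user in mem}

def effective_caps(user, groups):
    """Union of the capability groups granted by every role held."""
    return set().union(*(ROLE_CAPS.get(r, set()) for r in roles_of(user, groups)))

def can_perform(user, action, groups):
    """Allowed iff the action's required capabilities are a subset."""
    return ACTION_CAPS[action] <= effective_caps(user, groups)

def holders_of(cap, groups):
    """Reverse query: every user who ends up holding a capability."""
    users = set().union(*groups.values())
    return {u for u in users if cap in effective_caps(u, groups)}
```

The reverse query is the point of keeping the layers as sets rather than lists: who can touch the NFS service is answerable without reading every role definition by hand.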