Hi,
I always use "sudo -U user -l" as root and it gives me list of sudo access, that person have. But on one Solaris server, I can't run it. recently only I installed latest patchset on this server. Not sure, if that changed something on this. However, sudo package is showing old one.
Please suggest, if I am missing something here.
I just need to know what should be done on a login user so that no one can access it except through sudo
i.e.
telnet server
login: user
NO ACCESS
telnet server
login: mylogin
sudo - user <any command>
ACCESS GRANTED
thanks (0 Replies)
Hi All,
I got lots of request with sudo, a manager request, verbal command, do this and do that.
The problem with this kind of request is when I added that script and that. It will not be perfect, it's because I can't verify the userid sudo access, I can't reset their password as well, I... (2 Replies)
hi all,
i want to know y kernel is giving access for multiple users to access a file when one user may be the owner is executing that file. Because other user can manipulate that file when the other user is executing that file, it will give the unexpected result to owner . plz help me... (1 Reply)
Hi all,
I have to create SSH public key for multiple users.
Iam creating a script in which, through root, I have to switch to multiple accounts to create SSH keys and then transfer it to the respective servers.
First I tried with single user id and everything worked fine.
When I try to sudo... (1 Reply)
Hello All,
I want to create a script that will do ONLY su to any user on the server with hpadmin login using sudo. Can anyone let me know how can it do it.
Regards
Ankit (1 Reply)
I'm actually working with a Ubuntu-System here and have a question about executing a command with 'sudo'.
I tried and got a error message like "not allowed".
After this I logged in with 'sudo -s' and typed the command without 'sudo'. This worked well.
Can please somebody explain me this... (0 Replies)
Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Hi Folks,
Please help me. I am bit struck here.
Here is the OS info.
Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
I have a... (17 Replies)
Hi All,
I want to configure samba share permission so that only directory creator/owner has a read and write permission and other users should not have any read/write access to that folder.Will that be possible and how can this be achieved within samba configuration.
Regards,
Sahil (1 Reply)
Install the sudo pkg SFWsudo.tar
bash#tar -xvf SFWsudo.tar
bash#pkgadd -d . SFWsudo
path may be /opt/sfw/bin
Make entry the user name in sudoer file
path of the sudoer file
/opt/sfw/etc/sudoers
check with the below command as a user (not as a root user)
user1$... (1 Reply)
Discussion started by: Narendiran
1 Replies
LEARN ABOUT DEBIAN
git_selinux
git_selinux(8) Git SELinux policy documentation git_selinux(8)NAME
git_selinux - Security Enhanced Linux Policy for the Git daemon.
DESCRIPTION
Security-Enhanced Linux secures the Git server via flexible mandatory access control.
FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files.
SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible.
The following file contexts types are by default defined for Git:
git_system_content_t
- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and
executable by all "Git shell" users.
git_session_content_t
- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modi-
fiable and executable by all users. Note that "Git shell" users may not interact with this type.
BOOLEANS
SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run Git with the tightest access possible.
Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git
system daemon to host users personal repositories.
sudo setsebool -P git_system_enable_homedirs 1
Allow the Git system daemon to read system shared repositories on NFS shares.
sudo setsebool -P git_system_use_nfs 1
Allow the Git system daemon to read system shared repositories on Samba shares.
sudo setsebool -P git_system_use_cifs 1
Allow the Git session daemon to read users personal repositories on NFS mounted home directories.
sudo setsebool -P use_nfs_home_dirs 1
Allow the Git session daemon to read users personal repositories on Samba mounted home directories.
sudo setsebool -P use_samba_home_dirs 1
To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git
system daemon to search home directories so that it can find the repositories.
sudo setsebool -P git_system_enable_homedirs 1
To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports.
sudo setsebool -P git_session_bind_all_unreserved_ports 1
GIT_SHELL
The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can
modify and execute generic Git system content (generic system shared respositories with type git_system_content_t).
To add a new Linux user and map him to this Git shell user domain automatically:
sudo useradd -Z git_shell_u joe
ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS
Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the
creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" envi-
ronments to types of Git system content.
To add a new Git system repository type, for example "project1" create a file named project1.te and add to it:
policy_module(project1, 1.0.0)
git_content_template(project1)
Next create a file named project1.fc and add a file context specification for the new repository type to it:
/srv/git/project1.git(/.*)? gen_context(system_u:object_r:git_project1_content_t,s0)
Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository:
make -f /usr/share/selinux/devel/Makefile project.pp
sudo semodule -i project1.pp
sudo restorecon -R -v /srv/git/project1
To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where
the source policy for the Git systemm content type is and add the following:
policy_module(project1user, 1.0.0)
git_role_template(project1user)
git_content_delegation(project1user_t, git_project1_content_t)
gen_user(project1user_u, user, project1user_r, s0, s0)
Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u
SELinux user:
make -f /usr/share/selinux/devel/Makefile project1user.pp
sudo semodule -i project1user.pp
sudo useradd -Z project1user_u jane
system-config-selinux is a GUI tool available to customize SELinux policy settings.
AUTHOR
This manual page was written by Dominick Grift <domg472@gmail.com>.
SEE ALSO selinux(8), git(8), chcon(1), semodule(8), setsebool(8)domg472@gmail.com 27 May 2010 git_selinux(8)