Page 1 of 1

Non-interactive server administration

PostPosted: Thu Nov 27, 2008 12:51 pm
by evilangel
Hi all,

I would like to use Grsecurity RBAC model to protect some files of my servers (daemons and their config files).
However I am facing a problem.

When installing servers, we are using masters to have the same image deployed everywhere.
Then, to deploy software, we are using scripts to copy both binaries and configuration files from a master to the server.

Therefore, I need my "installation" user to by able to write files in folders like /etc.
In addition, my "installation user" shall also be able to remove some files for maintenance purpose in the same folder.
Thus, my "installation" user needs to have write access to folder such as /etc.

Is there a way to prevent an attacker that reached Root user, to switch (su) to "installation" user and modify my config files ?
In such a non-interactive administration, i don't know if it is possible to use the gr administrator profile...

Hope it was clear enough.

Thanks

Re: Non-interactive server administration

PostPosted: Mon Dec 15, 2008 10:13 am
by evilangel
I am still wondering about the problem.
I am maybe not taking it the good way.

I could administrate my server directly using the RBAC administrator account instead of the "installation" user.

In such case, is it possible to open a SSH session under RBAC admin account ?
Or you have to log, and then "upgrade" your profile to RBAC admin account ?

Thanks