[webstack-discuss] [security-discuss] Apache 2.2 Service management using RBAC
Ludovic Champenois
Ludovic.Champenois at Sun.COM
Wed Oct 31 19:33:58 PDT 2007
Glenn Brunette wrote:
> By "system files" do you mean the contents of /etc/apache2? At
> least in Nevada, there is now only one file that is not marked
> as editable:
>
> /etc/apache2/httpd.conf-example f none 0644 root bin 16694 30581 1187823644 SUNWapch2r
>
> which I think is a bug and will file one if I do not see one existing.
> All of the files (even in Solaris 10) in /etc/apache2 are/should be
> editable by end users. If they are not - it is a bug IMHO.
>

Great to hear... So maybe we could do the change for sxde b79...

Or maybe a post configuration step to enable user ludo to use the
webstack could do:

# setfacl -m user:ludo:rw- httpd.conf
# setfacl -m mask:rw- httpd.conf

as Jyri suggested to me?

What about log files and the entire htdocs content if user 'ludo' wants
to deploy apps there?

Ludo

> That said, as the author of the BluePrint, I should have noted
> that issue in the paper. I would make a note if I ever do an
> update to address this point.
>
> g
>
> Jyri Virkki wrote:
>
>> Darren J Moffat wrote:
>>
>>> Restricting Service Administration in the Solaris 10 Operating System
>>>
>>> http://www.sun.com/blueprints/0605/819-2887.pdf
>>>
>>> That is the recommended approach, it is a superset of what you have done.
>>>
>> Hm, this document also changes (p.10) ownership of system files under
>> /etc which are not marked as editable in their package prototype.
>>
>>
>>
>
>
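
The "not marked as editable" point in the quoted reply turns on the file-type column of the package database entry shown there ("f" for a plain file, as opposed to "e" for editable or "v" for volatile). As an added example that is not part of the original thread, this sketch lists the type "f" entries under a directory from lines in that layout; the function names and all sample lines except the httpd.conf-example entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: find files under a directory that the package database
# records as type "f" (plain) instead of "e" (editable) or "v" (volatile).
# These are the files where an ownership or ACL change made for a delegated
# administrator departs from what the package declares.
# Input layout (as in the entry quoted in the thread):
#   path ftype class mode owner group size cksum modtime pkg...

# non_editable PREFIX: reads contents-style lines on stdin and prints
# "path mode owner:group pkg" for each type "f" entry below PREFIX.
non_editable() {
    awk -v prefix="$1" '
        /^#/ || NF < 10 { next }            # comments; dirs and links have fewer fields
        index($1, prefix "/") != 1 { next } # must sit below PREFIX, not merely share a stem
        $2 == "f" { printf "%s %s %s:%s %s\n", $1, $4, $5, $6, $10 }
    '
}

# Sample input. Only the httpd.conf-example line comes from the thread;
# the other lines (sizes, classes, SUNWexample) are constructed.
sample_contents() {
cat <<'EOF'
# constructed sample in package-contents layout
/etc/apache2 d none 0755 root bin SUNWapch2r
/etc/apache2/httpd.conf e preserve 0644 root bin 16694 30581 1187823644 SUNWapch2r
/etc/apache2/httpd.conf-example f none 0644 root bin 16694 30581 1187823644 SUNWapch2r
/etc/apache2x/other.conf f none 0644 root bin 120 9876 1187823644 SUNWexample
EOF
}

# Report the entries a delegation step should not re-own or re-ACL without
# first fixing the package prototype.
sample_contents | non_editable /etc/apache2
```

On a Solaris system the same function can be fed the installed package database (/var/sadm/install/contents) in place of the sample.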