admin role access for a changeconfig (puppet) daemon?

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

admin role access for a changeconfig (puppet) daemon?

Postby law » Mon Apr 21, 2008 7:59 pm

So, I've got this daemon that is going to need pretty much unfettered access to everything on a box. I'd like to be able to remotely manage grsec ACLs through puppet, but obviously this is going to require the puppet daemon to have some kind of special access. How can I give a daemon that normally runs as 'root' on a non-grsec'd system the heightened privileges it needs to do its thing? Ideally, I'd like to to not have to enter a password for it to authenticate, but ONLY if its started from a specific host (the master). Any ideas?

--Lee
law
 
Posts: 15
Joined: Wed Jun 27, 2007 2:21 pm

Re: admin role access for a changeconfig (puppet) daemon?

Postby windo » Thu Apr 24, 2008 9:57 am

wdym "started from a specific host"?

you can override any/most options in subject configuration, so if your daemon *only* ever does things that the master tells it to do over an authenticated session, you can just give it the right to update/run everything.

you can most probably write a wrapper around gradm to reload the policy, but you'd have to take care not to store the password anywhere the root could read from.
windo
 
Posts: 6
Joined: Wed Mar 12, 2008 12:31 pm

Re: admin role access for a changeconfig (puppet) daemon?

Postby law » Thu Apr 24, 2008 11:52 am

Ahh, so I wouldn't even need to create a seperate role for it, I could just define a subject that gives it access to everything and call it good? Sounds like a plan!

--Lee
law
 
Posts: 15
Joined: Wed Jun 27, 2007 2:21 pm


Return to RBAC policy development

cron