Merge pull request #47 from LeChatP/develop
Fixes and tests + Better conflict resolution + Scenarios in documentation
Showing 12 changed files with 1,788 additions and 800 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# Is a Linux system without root user possible ? | ||
|
||
To make it short, not really. But you can design your system to never have to use the root user. This is what RootAsRole aims, and the exact purpose of Linux Capabilities. Let's consider you want a system without root user and you want to setup a webserver. Firstly, let's create the apache2 user and group: | ||
|
||
```bash | ||
sr adduser apache2 | ||
``` | ||
|
||
We consider that we still use the default configuration of RootAsRole. Then, let's add a task to install apache2 with the apache2 user: | ||
|
||
```bash | ||
sr chsr r r_root t install_apache2 add | ||
sr chsr r r_root t install_apache2 cmd whitelist add apt install apache2 | ||
sr chsr r r_root t install_apache2 cmd whitelist add "apt upgrade( -y)? apache2" | ||
sr chsr r r_root t install_apache2 cred set --caps CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_NET_BIND_SERVICE,CAP_SETUID --setuid apache2 --setgid apache2 | ||
``` | ||
|
||
Then, let's add a task to start apache2 with the apache2 user: | ||
|
||
```bash | ||
sr chsr r r_root t start_apache2 add | ||
sr chsr r r_root t start_apache2 cmd whitelist add "systemctl ((re)?start|stop) apache2" | ||
sr chsr r r_root t start_apache2 cmd whitelist add "service apache2 ((re)?start|stop)" | ||
sr chsr r r_root t install_apache2 cred set --caps CAP_NET_BIND_SERVICE,CAP_SETUID --setuid apache2 --setgid apache2 | ||
``` | ||
|
||
So now you can install and start apache2 with the apache2 user: | ||
|
||
```bash | ||
sr apt install apache2 | ||
``` | ||
|
||
This should install apache2 configuration files owned by apache2 user and group. Then you can start apache2 with the apache2 user: | ||
|
||
```bash | ||
sr systemctl start apache2 | ||
``` | ||
|
||
This should start apache2 with the apache2 user. You can also stop it with the apache2 user: | ||
|
||
|
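Review bot: The last command of the start_apache2 block names the wrong task: `sr chsr r r_root t install_apache2 cred set --caps CAP_NET_BIND_SERVICE,CAP_SETUID --setuid apache2 --setgid apache2` sets credentials on `install_apache2` instead of `start_apache2`, so as written it replaces the capability set the install task was just given (dropping CAP_CHOWN and CAP_DAC_OVERRIDE that `apt install` needs) and, going by the commands shown, leaves `start_apache2` with no credentials at all. Suggest `sr chsr r r_root t start_apache2 cred set --caps CAP_NET_BIND_SERVICE,CAP_SETUID --setuid apache2 --setgid apache2`. Also, the file ends on "You can also stop it with the apache2 user:" with no command following; since the whitelist regex already permits `systemctl stop apache2`, a closing `sr systemctl stop apache2` block would complete the scenario.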