[apparmor] RBAC based on AppArmor
Seth Arnold
seth.arnold at canonical.com
Mon May 9 19:57:40 UTC 2016
On Mon, May 09, 2016 at 02:09:09PM +0530, Adishesh M wrote:
> is there any howto document available for updating httpd/apache profile to
> include role based access.
> i need to create two roles : one readonly access for httpd and other httpd
> admin role.
Hello Adishesh,
Can you describe what you're trying to accomplish?
There's a few dozen webservers out there and while there's existing
profiles for e.g. apache[1] those profiles are certainly not "read-only".
Of course what makes it difficult to prepare a "standard profile" is that
web servers are expected to do so much. If you really just want to serve
static pages, you could start with a profile like:
/path/to/server {
#include <abstractions/base>
capability setgid,
capability setuid,
capability net_bind_service,
network inet stream,
network inet6 stream,
/var/www/** r,
/var/logs/<whatever> rwl,
}
You'll need to amend this profile to do whatever it is your program needs.
You may be able to use fewer capabilities if it doesn't bind to port 80 or
drop privileges once running (say, if it just runs as a different user
in the first place).
Updating the web content is another question. You could use a specific
user with a specific shell, and confine that shell. You could use sftp and
confine the ssh daemon. You could use a cronjob to periodically pull
updates via rsync or git and have -those- be confined. What workflow do
you want to support?
Thanks
1: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/profiles/apparmor.d/usr.sbin.apache2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160509/fb663011/attachment.pgp>
More information about the AppArmor
mailing list