Sophie

Sophie

distrib > Mandriva > 2006.0 > x86_64 > by-pkgid > fc85cc4b62f25c8fe3efc86a6c339b7e > files > 95

rsbac-admin-1.2.4-2.2.20060mdk.x86_64.rpm

#!/bin/bash
#
# RC sample administration - secure apache web server with CGIs
#
#
DOCTYPE=`rc_get_item list_unused_fd_type_nr | head -n 1`
APACHEROLE=`rc_get_item list_unused_role_nr | head -n 1`
CGIROLE=`rc_get_item list_unused_role_nr | head -n 2 | tail -n 1`
#
GENERALTYPE=0
GENERALUSERROLE=0
ROLEADMINROLE=1
SYSADMINROLE=2
USEDROLES="`rc_get_item list_used_role_nr`"
USEDTYPES="`rc_get_item list_used_fd_type_nr`"
APACHEBIN=/usr/sbin/httpd
DOCROOT=/usr/local/httpd
CGIDIR=/usr/local/httpd/cgi-bin
APACHEUSER=wwwrun
#
# Redo security check
if test "`attr_get_file_dir DIR $DOCROOT rc_type_fd`" != "65"
then echo "$DOCROOT already has a rc_type_fd set, exiting!" ; exit
fi
#
echo ""
echo Create new type $DOCTYPE \"WWW Docs\"
rc_set_item TYPE $DOCTYPE type_fd_name "WWW Docs" || exit
#
echo ""
echo Give \"Role Admin\" read and attribute rights to DOCTYPE $DOCTYPE
rc_set_item ROLE $ROLEADMINROLE type_comp_fd $DOCTYPE R 1 || exit
rc_set_item ROLE $ROLEADMINROLE type_comp_fd $DOCTYPE SE 1 || exit
#
echo ""
echo Create new roles $APACHEROLE \"Apache Role\" and $CGIROLE \"CGI Role\"
rc_set_item ROLE $APACHEROLE name "Apache Role" || exit
rc_set_item ROLE $CGIROLE name "CGI Role" || exit
#
echo ""
echo Disallow file creation for $CGIROLE \"CGI Role\"
rc_set_item ROLE $CGIROLE def_fd_create_type 66 || exit
#
echo ""
echo Give \"Apache Role\" and \"CGI Role\" read rights to DOCTYPE $DOCTYPE
rc_set_item ROLE $APACHEROLE type_comp_fd $DOCTYPE R 1 || exit
rc_set_item ROLE $CGIROLE type_comp_fd $DOCTYPE R 1 || exit
#
echo ""
echo Give \"Apache Role\" CREATE and DELETE right to IPC type GENERALTYPE $GENERALTYPE
for i in CREATE DELETE
  do rc_set_item ROLE $APACHEROLE type_comp_ipc $GENERALTYPE $i 1 || exit
done
#
echo ""
echo Give \"Apache Role\" and \"CGI Role\" SEARCH right to
echo GENERALTYPE $GENERALTYPE to go down to own files
for i in SEARCH
  do rc_set_item ROLE $APACHEROLE type_comp_fd $GENERALTYPE $i 1 || exit
     rc_set_item ROLE $CGIROLE type_comp_fd $GENERALTYPE $i 1 || exit
done
#
echo ""
echo Give \"System Admin\" read-write rights to DOCTYPE $DOCTYPE
rc_set_item ROLE $SYSADMINROLE type_comp_fd $DOCTYPE RW 1 || exit
#
echo ""
echo Set type $DOCTYPE \"WWW Docs\" for $DOCROOT and $CGIDIR
attr_set_file_dir DIR $DOCROOT rc_type_fd $DOCTYPE || exit
attr_set_file_dir DIR $CGIDIR rc_type_fd $DOCTYPE || exit
#
echo ""
echo Give all CGIs in $CGIDIR rc_force_role \"CGI Role\"
for i in ${CGIDIR}/*
do \
  attr_set_file_dir FILE $i rc_force_role $CGIROLE || exit
done
#
echo ""
echo Set role $APACHEROLE \"Apache Role\" for $APACHEUSER
attr_set_user $APACHEUSER rc_def_role $APACHEROLE || exit
#
echo ""
echo "Ready. Please check your new configuration."
echo ""
echo "Don't forget to set an AUTH capability for $APACHEBIN,"
echo "user $APACHEUSER, if AUTH is active:"
echo auth_set_cap FILE add $APACHEBIN $APACHEUSER
echo ""
echo Also you might have to set perl's Registry.pm file to rc_type_fd $DOCTYPE
echo to run perl CGI scripts.

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional