IBM / ibmichroot

A set of scripts to facilitate the use of chroot-based containers for IBM i
MIT License

permissions in chroot #29

Open abmusse opened 8 years ago

abmusse commented 8 years ago

Original report by Aaron Bartell (Bitbucket: aaronbartell, GitHub: aaronbartell).


So far we've been pretty loose on permissions when creating chroot environments - changing ones that are necessary or else things don't work (i.e. .ssh directory).

We create chroot environments with directories/files that mirror what is in base PASE. I am thinking the same should be done with permissions in chroot.

GOAL: Create a shell script that can optionally be invoked to traverse directories in chroot, check permissions of the same directory/file in base PASE, and then chmod the chroot directory/file.

I started digging and found Linux has the stat command but AIX doesn't. AIX has the istat command but PASE doesn't (that I can see).

Before I get too much further into research I wanted to run this idea by you to get thumbs up and also ask whether there are stat-type commands for PASE I don't know about; or do I need to write a script.
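The audit script the opening post proposes, written out as an added example that is not part of ibmichroot or this thread: it uses `ls -ld` rather than `stat` (which the post notes PASE lacks), lists every entry whose rwx bits differ between the chroot and the same path in the base tree, skips symlinks so a `chmod` can never follow one out of the chroot, and only changes anything when explicitly told to with `apply`. The function names and the chroot path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of ibmichroot): audit/sync the rwx bits of a chroot
# tree against the same paths in the base PASE tree, using only ls, cut and
# chmod because PASE has neither stat nor istat.

# mode_of PATH: print the nine-character symbolic permission field that
# ls -ld shows for PATH, e.g. "rwxr-xr-x" (the leading type character is dropped).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# sym_to_octal rwxr-xr-x: convert a symbolic rwx string to three octal digits
# (755). Only the rwx bits are converted; an "s" or "t" counts as the execute
# bit, and setuid/setgid/sticky are deliberately not propagated.
sym_to_octal() {
    _s=$1
    _oct=""
    for _i in 1 4 7; do
        _trip=$(printf '%s' "$_s" | cut -c"$_i"-"$((_i + 2))")
        _n=0
        case $_trip in r??) _n=$((_n + 4)) ;; esac
        case $_trip in ?w?) _n=$((_n + 2)) ;; esac
        case $_trip in ??[xst]) _n=$((_n + 1)) ;; esac
        _oct="$_oct$_n"
    done
    printf '%s\n' "$_oct"
}

# sync_chroot_perms BASE CHROOT [apply]
# Walks CHROOT and prints one line per entry whose rwx bits differ from
# BASE/<same relative path>, or whose counterpart in BASE does not exist.
# Symlinks are skipped (chmod would follow them). Nothing is changed unless the
# third argument is the word "apply". Returns 1 if any mismatch was found
# (whether or not it was fixed), 0 if the chroot already matches.
sync_chroot_perms() {
    _base=${1%/}
    _root=${2%/}
    _apply=${3:-report}
    _rc=0
    # The here-document keeps the loop in the current shell so _rc survives;
    # a "find | while" pipeline would run the loop body in a subshell.
    while IFS= read -r _p; do
        _rel=${_p#"$_root"}
        [ -z "$_rel" ] && continue          # the chroot root itself
        [ -L "$_p" ] && continue            # never chmod through a symlink
        _ref=$_base$_rel
        if [ ! -e "$_ref" ]; then
            printf 'missing  %s\n' "$_rel"
            continue
        fi
        _want=$(mode_of "$_ref")
        _have=$(mode_of "$_p")
        [ "$_want" = "$_have" ] && continue
        _rc=1
        printf 'differs  %s  chroot=%s base=%s\n' "$_rel" "$_have" "$_want"
        if [ "$_apply" = apply ]; then
            chmod "$(sym_to_octal "$_want")" "$_p"
        fi
    done <<EOF
$(find "$_root")
EOF
    return $_rc
}

# Usage (chroot path is an assumption): report first, then apply.
#   sync_chroot_perms / /QOpenSys/chroot/bob
#   sync_chroot_perms / /QOpenSys/chroot/bob apply
```

Run it in report mode first and read the `differs` lines before applying; entries reported as `missing` (present in the chroot but not in base PASE) are left untouched either way, so anything you created only inside the chroot keeps whatever mode you gave it.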

abmusse commented 8 years ago

Original comment by Tony Cairns (Bitbucket: rangercairns, GitHub: rangercairns).


Well, as you can see, I don't like the idea of matching PASE in the chroot locations.

Your question about stat ... no, grasshopper. To wit, when you consider a technology like recommended crtautl authorization list(s), a Unix-centric stat seems mickey mouse (*).

(*) repeat -- Of course, security, similar to election politics, has many candidates with different views ( cough ... loud views).

abmusse commented 8 years ago

Original comment by Tony Cairns (Bitbucket: rangercairns, GitHub: rangercairns).


So, two schools of thought.

  1. a complete PASE chroot for multiple users -- permissions company of guys
  2. a sandbox for Bob to keep him safe -- permissions just Bob (no one else)

In both cases, I am inclined to think that security is tighter than the original PASE.

  1. multiple users -- crtautl -- authorization list for only guys in company
  2. just Bob -- chroot -R bob . -- just Bob (the-great-one-and-only)

So, no, I do not think exact matching PASE is all that and a box of cookies (*).

(*) Of course, security, similar to election politics, has many candidates with different views ( cough ... loud views).