Using group membership for role-based access
In larger environments, access controls are usually granted based on group membership. Group membership is easier to manage than individual permissions: adding a user to or removing a user from a group automatically grants or revokes the associated permissions, and administrators can easily determine which permissions a user has from that user's group memberships.
How to do it…
In order to use group membership as a high-level method for assigning permissions, administrators need to take care of the following aspects:
Add user(s) to the groups they should belong to:
~# gpasswd -a user1 dba
~# gpasswd -a user1 dev
Assign the proper SELinux user to the group:
~# semanage login -s dbadm_u %dba
Restrict binaries and libraries that should only be called by a specific group:
~# chgrp -R dev /usr/lib/gcc /usr/x86_64-pc-linux-gnu/gcc-bin
~# chmod -R o-rx /usr/lib/gcc /usr/x86_64-pc-linux-gnu/gcc-bin
Use group notation inside the sudoers file to grant specific privileges to...
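The group-based SELinux login mapping from the steps above only works as intended if no member of the group carries an explicit per-user mapping, because semanage matches a user entry before a %group entry and falls back to __default__ last. The following audit script is an added example, not from the book: it works on constructed copies of /etc/group and of the output of semanage login -l (the sample data, the dbadm_u mapping and the user names are assumptions) and reports group members whose effective SELinux user differs from the one assigned to the group.

```shell
#!/bin/sh
# Added example (not from the book): audit the %group SELinux login mapping.
# An explicit per-user entry takes precedence over the %group entry, so a
# member with their own mapping silently escapes the group policy.

# Constructed sample of /etc/group (name:x:gid:members)
GROUP_DB='root:x:0:
dba:x:1001:user1,user2,user3
dev:x:1002:user1,user4'

# Constructed sample of `semanage login -l` output (login, SELinux user, MLS range)
LOGIN_MAP='__default__   unconfined_u   s0-s0:c0.c1023
%dba          dbadm_u        s0
user2         unconfined_u   s0-s0:c0.c1023
user3         dbadm_u        s0'

# members_of GROUP -> space-separated list of the group's members
members_of() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4 }'
}

# selinux_user_for LOGIN GROUP -> the SELinux user the login effectively gets:
# explicit user entry first, then the %GROUP entry, then __default__.
selinux_user_for() {
    for key in "$1" "%$2" "__default__"; do
        u=$(printf '%s\n' "$LOGIN_MAP" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -n "$u" ]; then printf '%s\n' "$u"; return 0; fi
    done
    return 1
}

# audit_group GROUP EXPECTED_SEUSER -> prints every member whose effective
# SELinux user is not EXPECTED_SEUSER; returns 1 if any such member exists.
audit_group() {
    group=$1; expected=$2; rc=0
    for m in $(members_of "$group"); do
        actual=$(selinux_user_for "$m" "$group")
        if [ "$actual" != "$expected" ]; then
            printf '%s: effective SELinux user %s, expected %s\n' "$m" "$actual" "$expected"
            rc=1
        fi
    done
    return $rc
}

if audit_group dba dbadm_u; then echo "dba: all members are mapped to dbadm_u"; fi
```

On a live system the two sample variables would be replaced by the contents of /etc/group and the actual output of semanage login -l.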