Hi Jeff,

Jeff Cai wrote:
> Darren comments below:
>
> On Tue, 2007-10-16 at 08:02 +0100, Darren Kenny wrote:
>> That's not quite true about RBAC - while there is nothing in GConf to deal with
>> RBAC, it *could* have an effect - if the RBAC role provides the user with the
>> ability to modify files in /etc - which is where the mandatory settings are
>> stored by default.
>
> But currently could RBAC control the access to the directory /etc? I
> mean, have gconf-editor already supported RBAC? I can also use vi to
> change gconf file only if I have the permission of writing the
> directory /etc. This doesn't relate with RBAC.

gconf-editor doesn't need to support RBAC directly, the RBAC "root" role allows
a user to run with essentially all privileges, so if you are that user, you can
write files directly in /etc - which means that you can in turn use gconf's
tools to modify these settings just like if you logged in as root on a normal
system and performed the same actions.

You can find out more about "root as a Role" at:

http://docsun.cites.uiuc.edu/sun_docs/C/solaris_9/SUNWaadm/SYSADV6/p23.html#RBACTASK-20

>> As Jeff says, there is the risk of inconsistency if a user is logged in, but in
>> normal use, a user shouldn't ever write a file to /etc, but in ${HOME}/.gconf.
>>
>> Another issue is that the configuration in /etc generally isn't re-read until
>> AFTER the gconf daemon is restarted for a user - so this would mean that a
>> currently logged-in user would be unlikely to see the change until after they
>> logout and login again - but it could be forced by a user running:
>>
>> gconftool-2 --shutdown
>>
>> which would shut down a running gconf2d daemon, which would be automatically
>> started again the next time a client app looks for a setting from it (which is
>> generally quite soon after the shutdown), and when it restarts the new settings
>> in /etc will be re-read.
>>
>> APOC changes all of this (AFAIK) due to the settings being stored in LDAP rather
>> than files - but I don't know enough about APOC to be able to confirm that a
>> change to a mandatory setting would take immediate effect, anyone else know??
>
> The answer is yes. Only if the application is able to listen to events
> of value change of GConf. You can get more from
> http://docs.sun.com/app/docs/doc/817-7573/ezswi?a=view

Cool, kinda guessed it might, but didn't want to assume.

Darren.
