On Wednesday 03 October 2018 03:48:18 Stefan G. Weichinger wrote:
> Am 03.10.18 um 07:48 schrieb Gene Heskett:
> > On Wednesday 03 October 2018 00:48:28 Nathan Stratton Treadway wrote:
> >> On Tue, Oct 02, 2018 at 19:19:03 -0400, Gene Heskett wrote:
> >>> ERROR: picnc: selfcheck request failed: file/dir '/usr/local/etc'
> >>> (/usr/local/etc/amanda-security.conf) is writable by the group
> >>> Client check: 5 hosts checked in 11.353 seconds. 5 problems
> >>> found. (brought to you by Amanda 3.5.1)
> >>>
> >>> Everything in the src build dir and below is owned by amanda:disk,
> >>> actually built by amanda in the /home/amanda directory, same as I
> >>> have always done it.
> >>>
> >>> An ls -l of /usr/local shows etc is owned by root:staff.
> >>>
> >>> And amanda is not the only user of that etc directory.
> >>
> >> (Sorry, didn't see this particular message until after replying to
> >> the one you sent at 21:43...)
> >>
> >> The question is "does the 'staff' group really need write
> >> permissions on /usr/local/etc/ ?"
> >>
> >> Assuming not, the easy solution is to remove group-write permission
> >> from the directory.
> >>
> >> (If you actually do have non-root members of "staff" writing to
> >> that directory in your environment [or to /usr/local/, etc.], you
> >> may need to move the amanda-security.conf file to a different,
> >> amanda-specific path -- e.g. by tweaking your build script to pass
> >> --with-security-file to configure.)
> >>
> >> Nathan
> >
> > I had to back out to local, removing group perms, but once I did
> > that to local, makes it look like:
> > drw-r-Sr-x 15 root staff 4096 Jun 28 2017 local
> >
> > the error messages changed to
> >
> > ERROR: coyote: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> > ERROR: shop: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> > ERROR: lathe: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> > ERROR: GO704: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> > ERROR: picnc: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> >
> > Which sounds just as serious. Is there no end to this so-called
> > security fix?
>
> I have set in that file:
>
> tcp_port_range=512,1023

So do I but it ends at 1024.
So I used that one to overwrite a somewhat shorter version that was
already in /etc, so it's now:

############################################################
# /etc/amanda-security.conf #
# #
# See: man amanda-security.conf #
# #
# This file must be installed at /etc/amanda-security.conf #
# #
# It list all executables amanda can execute as root. #
# This file must contains realpath to executable, with #
# all symbolic links resolved. #
# You can use the 'realpath' command to find them. #
# #
# It list program and a symbolic name for the program #
# Followed by the realpath of the binary #
# #
# Uncomment and edit the following lines to let Amanda to #
# use customized system commands. If multiple PATH is #
# necessary, please put them in different lines. #
# e.g.: #
# amgtar:GNUTAR_PATH=/usr/bin/tar #
# amgtar:GNUTAR_PATH=/usr/bin/tar-1.28 #
# #
# Only binary listed are allowed to be run as root. #
# #
# You can find the configured binary with amgetconf #
# amgetconf build.gnutar_path #
# amgetconf build.star_path #
# amgetconf build.bsdtar_path #
# #
############################################################
#runtar:gnutar_path=/bin/tar
#amgtar:gnutar_path=/bin/tar
#amstar:star_path=/usr/bin/star
#ambsdtar:bsdtar_path=/usr/bin/bsdtar
#restore_by_amanda_user=no
tcp_port_range=512,1024
udp_port_range=512,1024

But using your msg's syntax for that new line in my gh.cf file, it can't
find it.

./gh.cf: 25: ./gh.cf: --with-security-file=/etc/amanda-security.conf: not
found

The added line:
--with-security-file=/etc/amanda-security.conf

So that's not right either.

--
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
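
The kind of check behind the first error ("file/dir '/usr/local/etc' ... is writable by the group"), as an added example that is not part of the original message and is not Amanda's own code: it walks from the security file up through each parent directory and reports every component whose group or other write bit is set. The function name `check_path_chain` and its optional stop-directory argument are hypothetical, and it looks only at write bits, not ownership.

```shell
# Added example (not Amanda's code): report every component of a path that
# is group- or world-writable, walking from the file up to STOP_DIR
# (default /). Returns 0 if the chain is clean, 1 if any component is
# writable by group/other, 2 if a component cannot be examined.
check_path_chain() {
    p=$1
    stop=${2:-/}
    rc=0
    while :; do
        # Permission string such as "drwxrwsr-x"; -L follows symlinks so
        # the target's mode is tested, not the link's.
        perms=$(ls -ldL -- "$p" 2>/dev/null | cut -c1-10)
        [ -n "$perms" ] || return 2
        gw=$(printf '%s' "$perms" | cut -c6)   # group write position
        ow=$(printf '%s' "$perms" | cut -c9)   # other write position
        if [ "$gw" = w ]; then
            echo "group-writable: $p ($perms)"
            rc=1
        fi
        if [ "$ow" = w ]; then
            echo "world-writable: $p ($perms)"
            rc=1
        fi
        [ "$p" = "$stop" ] && break
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    return $rc
}

# Typical use against the path from the error message:
#   check_path_chain /usr/local/etc/amanda-security.conf
```

Each line it prints names one directory or file to fix with `chmod g-w` (or `o-w`), which removes only the write bit and leaves the read and search bits in place.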