On Wednesday 03 October 2018 03:48:18 Stefan G. Weichinger wrote:
> On 03.10.18 at 07:48 Gene Heskett wrote:
> > On Wednesday 03 October 2018 00:48:28 Nathan Stratton Treadway wrote:
> >> On Tue, Oct 02, 2018 at 19:19:03 -0400, Gene Heskett wrote:
> >>> ERROR: picnc: selfcheck request failed: file/dir '/usr/local/etc'
> >>> (/usr/local/etc/amanda-security.conf) is writable by the group
> >>> Client check: 5 hosts checked in 11.353 seconds. 5 problems
> >>> found. (brought to you by Amanda 3.5.1)
> >>>
> >>> Everything in the src build dir and below is owned by amanda:disk,
> >>> actually built by amanda in the /home/amanda directory, same as I
> >>> have always done it.
> >>>
> >>> An ls -l of /usr/local shows etc is owned by root:staff.
> >>>
> >>> And amanda is not the only user of that etc directory.
> >>
> >> (Sorry, didn't see this particular message until after replying to
> >> the one you sent at 21:43...)
> >>
> >> The question is "does the 'staff' group really need write
> >> permissions on /usr/local/etc/ ?"
> >>
> >> Assuming not, the easy solution is to remove group-write permission
> >> from the directory.
> >>
> >> (If you actually do have non-root members of "staff" writing to
> >> that directory in your environment [or to /usr/local/, etc.], you
> >> may need to move the amanda-security.conf file to a different,
> >> amanda-specific path -- e.g. by tweaking your build script to pass
> >> --with-security-file to configure.)
> >>
> >> Nathan
> >
> > I had to back out to local, removing group perms, but once I did
> > that to local, makes it look like:
> > drw-r-Sr-x 15 root staff 4096 Jun 28 2017 local
> >
> > the error messages changed to
> >
> > ERROR: coyote: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> > ERROR: shop: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> > ERROR: lathe: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> > ERROR: GO704: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> > ERROR: picnc: selfcheck request failed: No defined tcp_port_range
> > in '/usr/local/etc/amanda-security.conf'
> >
> > Which sounds just as serious. Is there no end to this so-called
> > security fix?
>
> I have set in that file:
>
> tcp_port_range=512,1023
So do I, but it ends at 1024. So I used that one to overwrite a somewhat
shorter version that was already in /etc, so it's now:

############################################################
# /etc/amanda-security.conf                                #
#                                                          #
# See: man amanda-security.conf                            #
#                                                          #
# This file must be installed at /etc/amanda-security.conf #
#                                                          #
# It list all executables amanda can execute as root.      #
# This file must contains realpath to executable, with     #
# all symbolic links resolved.                             #
# You can use the 'realpath' command to find them.         #
#                                                          #
# It list program and a symbolic name for the program      #
# Followed by the realpath of the binary                   #
#                                                          #
# Uncomment and edit the following lines to let Amanda to  #
# use customized system commands. If multiple PATH is      #
# necessary, please put them in different lines.           #
# e.g.:                                                    #
# amgtar:GNUTAR_PATH=/usr/bin/tar                          #
# amgtar:GNUTAR_PATH=/usr/bin/tar-1.28                     #
#                                                          #
# Only binary listed are allowed to be run as root.        #
#                                                          #
# You can find the configured binary with amgetconf        #
# amgetconf build.gnutar_path                              #
# amgetconf build.star_path                                #
# amgetconf build.bsdtar_path                              #
#                                                          #
############################################################
#runtar:gnutar_path=/bin/tar
#amgtar:gnutar_path=/bin/tar
#amstar:star_path=/usr/bin/star
#ambsdtar:bsdtar_path=/usr/bin/bsdtar
#restore_by_amanda_user=no
tcp_port_range=512,1024
udp_port_range=512,1024

But using your msg's syntax for that new line in my gh.cf file, it can't
find it.

./gh.cf: 25: ./gh.cf: --with-security-file=/etc/amanda-security.conf: not found

The added line:
--with-security-file=/etc/amanda-security.conf

So that's not right either.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
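Added example, not code from this thread or from Amanda itself: a small POSIX sh script that reproduces the two checks behind the selfcheck errors quoted above ("writable by the group" on the file's directory, and "No defined tcp_port_range") against a constructed directory tree, so the fix can be rehearsed without touching /usr/local/etc. The rule it applies (no group- or world-writable component on the path, and an uncommented tcp_port_range line present) is assumed from the wording of the error messages.

```shell
#!/bin/sh
# Constructed example; the checks below are inferred from the selfcheck
# error text, not copied from Amanda's own selfcheck code.

# Succeeds when PATH has the group-write or other-write permission bit set.
is_gw_writable() {
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# check_path FILE TOP: test FILE and each parent directory below TOP.
# Prints one line per offender; returns 0 when clean, 1 otherwise.
check_path() {
    p=$1; stop=$2; bad=0
    while [ "$p" != "$stop" ] && [ "$p" != / ]; do
        if is_gw_writable "$p"; then
            echo "ERROR: '$p' is writable by the group or others"
            bad=1
        fi
        p=$(dirname "$p")
    done
    return $bad
}

# Succeeds when FILE contains an uncommented tcp_port_range=... line.
has_tcp_port_range() {
    grep -q '^[[:space:]]*tcp_port_range[[:space:]]*=' "$1"
}

# Constructed tree mirroring the thread: a group-writable etc/ holding a
# security file that sets only udp_port_range; then apply both fixes.
demo() {
    root=$(mktemp -d)
    f=$root/etc/amanda-security.conf
    mkdir -m 775 "$root/etc"
    printf 'udp_port_range=512,1024\n' > "$f"
    chmod 644 "$f"
    check_path "$f" "$root" || echo "-> fix: chmod g-w $root/etc"
    has_tcp_port_range "$f" || echo "ERROR: No defined tcp_port_range in '$f'"
    chmod g-w "$root/etc"
    printf 'tcp_port_range=512,1024\n' >> "$f"
    check_path "$f" "$root" && has_tcp_port_range "$f" \
        && echo "selfcheck-style checks pass"
    rm -rf "$root"
}

demo
```

Run it against the real file with `check_path /usr/local/etc/amanda-security.conf /` to walk every directory up to the root, which is what makes a group-writable /usr/local/etc show up even when the file itself is 0644.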