On 17 June 2002 at 17:35, Spot wrote:

> Title
> =====
> Mandrake 8.2 msec security issue

> Affected
> ========
> The msec security system in Mandrake 8.2 Download Edition, 8.2 Boxed 
> Edition, and possibly other Mandrake 8.2 releases

the permissions which are the subject of the post are still in cooker's
("mandrake-current") version msec-0.23-1mdk...

> Effect
> ======
> Default security settings leave users' home directories world readable.

> msec even went as far as to undo changes I made as administrator of the 
> machine:
> I chmod'd each user's home directory to 700. As it's a laptop, it gets 
> shut down from time to time. Upon reboot, the permissions reverted to 
> what they were before. msec reverted the perms back to 755. This 
> default is inherently insecure for obvious reasons.
> Further reading into the msec docs returned info that the perms would 
> have been changed back after 4 am, when msec does its checking.

this is a bad way to change the permissions which msec sets. if you need
to change the default permissions, which are described in the files
/usr/share/msec/perm.[0-5], you can create the file
/etc/security/msec/perm.local with your own permissions, or of course
change the permissions directly in /usr/share/msec/perm.x, or disable
running msec from cron, or whatever else :)

if msec is bad for you generally, you can uninstall msec from the system
without problems..

i don't know why the msec developers chose these permissions for the default
msec level, but if you need a """safer""" system you have many options to
change these default values.

i think msec is a problematic step towards a secure linux distribution;
a better way is imho implementing a serious security model with an acl system
(rsbac, lids, medusa etc.), not crap patches (like grsecurity) as we
can see in the "kernel-secure" package in the mandrake distribution. surely,
this is too complex a problem, and i don't want to discuss it here; this
is only to focus on fundamental problems in one "mainstream" linux
distribution.

p.s: i know, my english is very bad, excuse me.
-- 
Linux 2.4.18-19mdk
Mandrake Linux release 8.3 (Cooker) for i586 
2:04pm up 7 days, 18:04, 5 users, load average: 0.00, 0.00, 0.00 

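A check for the condition discussed in this thread, as an added example that is not part of either message and is not msec code: it lists home directories whose mode grants any access to group or others, so an administrator can see after msec's periodic run whether a 700 setting was kept. The function name `audit_homes` is hypothetical, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread, not part of msec).
# Assumes GNU coreutils `stat -c`; audit_homes is a hypothetical name.

# audit_homes BASE
# Print "MODE PATH" for every directory directly under BASE whose
# permission bits give group or others any access (mode & 077 != 0).
audit_homes() {
    base=$1
    for d in "$base"/*/; do
        [ -d "$d" ] || continue              # glob matched nothing
        d=${d%/}                             # drop the trailing slash
        if [ -L "$d" ]; then continue; fi    # do not follow symlinks
        mode=$(stat -c '%a' "$d") || continue
        # A leading 0 makes the shell read the mode as an octal constant.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$d"
        fi
    done
    return 0
}

# Typical use, e.g. from a cron job scheduled after the msec run:
#   audit_homes /home
```

Empty output means every home directory under the base is private to its owner.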