Vandoorselaere Yoann wrote:

> "Carl A. Cook" <[EMAIL PROTECTED]> writes:
>
> > >
> > > >> But am having a problem with Squid...  it can't get to the access.log,
> > > >> and further investigation shows it can't access the cache.log either.
> > > >> (permissions problem)  I can squid -z  though.
> > >
> > > >try :
> > >
> > > >chmod 711 /var/log
> > > >chown root.root /var/log
> > >
> > > >and if it doesn't work,
> > > >fill a *real* bug report with the squid logfile.
> > > >( just the interesting part )
> >
> > IT WORKED!!  Since /var/log did not have the Execute bit set,  processes could
> > not traverse it to get to their sub.    Thanks! (with Dutch accent)
>
> cool :)
>
> >
> > >
> > >
> > > >> Also Netscape always segfaults, possibly because it can't write to its
> > > >> config directory.  (permissions?)
> > >
> > > >uhhh.
> > > >Never *ever* put high security on a workstation !
> > > >I've already said it : system security 5 is paranoia mode :)
> > >
> >
> > This is actually a firewall, but need Netscape for CGIs.  Believe I am at 4.
> > Checked attribs & ownership of .netscape dirs, and all OK.  Shouldn't matter
> > anyway, as root should have no trouble with permissions.  Netscape just says
> > 'Segmentation fault  (core dumped)'.  GREPped /var/log for 'netscape' and only
> > came up with this, in security/suid_group_today:
> > /usr/lib/netscape/movemail     (huh?)
>
> so do this :
>
> strace netscape >& output
> and send me output ( clear text please ).
>
> >
> > When installing Mandrake it asks what security level.  I found 'paranoid' was
> > almost unusable, so selected 'high', the next level down.  Presume these
> > correspond to MSEC levels 5 & 4 respectively.  Thing is, LILO never asks for a
> > password, which is supposed to be a feature of 4, though I may have declined
> > that in install.
>
> you have :)
> reconfigure using /etc/security/msec/init.sh 4
>
> >
> > >
> > >
> > > >> And xfs will not recognize a new ttf dir,  when installed with
> > > >> chkfontpath.  (permissions?)   Sometimes xfs won't start at all and
> > > >> causes
> > > >> X to crash on startup with "could not find 'fixed' font".  That problem
> > > >> has spontaneously healed... twice.
> > >
> > > >Please give real report,
> > > >saying it will not fix it.
> > >
> > > >I need a dump of what X / xfs are saying.
> >
> > > 'Real' report?  Please clarify.  I have again 'chkfontadd --add
> > > /usr/share/fonts/ttf/Fontz',  and 'chmod 644 *' all new fonts (same as
> > > Chinese fonts), set directory permissions the same and chowned root:root.
> > > The system seized up with a dimmed screen when I tried to K|Logout.  I had
> > > to Reset to reboot and X again refuses to start, failing to get the 'fixed'
> > > font since 'xfs' had failed to start.
> >
> > > In messages where xfs logs:
> >
> > > Feb 21 10:07:05 hydra PAM_pwdb[729]: (su) session opened for user xfs by
> > > (uid=0)
> > > Feb 21 10:07:05 hydra PAM_pwdb[729]: (su) session closed for user xfs
> > > Feb 21 10:07:05 hydra xfs: xfs startup succeeded
> > > Feb 21 10:07:07 hydra xfs: Fatal font server error:
> > > Feb 21 10:07:07 hydra xfs: Element #10 (starting at 0) of font path is bad
> > > or has a bad font: "/usr/X11R6/lib/X11/fonts/misc:unscaled"
> >
> > > It doesn't matter which of the system font paths is first, it fails in the
> > > same manner. (bad path or bad font)   X11 seems to have no log, but probably
> > > to syslog.  Anyway it's clear X can't start because the font server it
> > > depends on (FontPath   "unix/:-1") had not started.  And when I remove my
> > > new font path from /etc/X11/fs/config, X runs happily again.  My procedure
> > > worked fine on RedHat6.1. Permissions?
> >
> > >
> > > >> I have httpd nicely routed through TCPWrappers and the inside machines
> > > >> can see it, but no one outside can.  (permissions again?)
> > >
> > > >please give more detailed report,
> > > >Do you have some useful log ?
> >
> > root is mailed each time an inside machine accesses Apache (which I would like
> > to turn off -?-) and I don't have any records when an outside machine tried and
> > failed to reach my firewall. ( http://216.87.138.158/ )  When this was tested
> > things were chaotic, and I had to do a new install of M7.0.2.
>
> > When I access Squid's cache_mgr CGI from a machine inside the perimeter I get
> > 'Forbidden - You don't have permission to access /cgi-bin/cachemgr.cgi on this
> > server.'  It finds it, but won't let me have it.  This worked under RH6.1.
>
> will see tomorrow :)
>
> >
> > >
> > >
> > >
> > > >> And why  CAN  I ping my firewall's outside interface from an inside
> > > >> machine, with firewalling, masquerading, & ip_forwarding OFF??!!  What's
> > >
> > > >Are you sure ip forwarding is off ?
> > > >I'm not...
> > >
> > > >just do :
> > >
> > > >cat /proc/sys/net/ipv4/ip_forward
> > >
> > > >and give me the result back.
> > >
> > > Yes, had done this before with a result of 0.
> >
> > > Turned it off by # echo 0 > /proc/sys/net/ipv4/ip_forward, AND by changing
> > > /etc/sysconfig/network's ip_forward to "no", set aside my
> > > firewall/antispoof/masq script, and reboot.
> >
> > > When I could still ping the outside interface I thought I was hallucinating,
> > > so triple-checked that masq was off, my firewalling script was not executing
> > > and that ip_forward was 0, using your cat command.  All seem correctly
> > > disabled.  I can still ping the outside firewall interface (eth0 connected
> > > to DSL router) from an inside machine connecting to firewall through eth1.
> >
> > > All worked correctly with RedHat 6.1.  The fact I can ping, implies I am not
> > > filtering.
> >
> > Thanks in advance for your help.
> > --
> > Carl A. Cook
> > quantumATaugustmailDOTcom
> >
> > Certainly the game is rigged.  Don't let that stop you...
> >               If you don't bet you can't win.
> >
> --
>                    -- Yoann,  http://prelude.sourceforge.net
>      It is well known that M$ products don't call free() after a malloc().
>      The Unix community wish them good luck for their future developments.
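
The /var/log fix discussed above comes down to the directory search (execute) bit: a process that is neither owner nor group needs x on every directory along the path. The following is an added example, not part of the original thread; it walks a path and reports the first directory whose mode bits deny search to "other". The function names and the temporary tree are constructed for illustration, and ACLs are not considered.

```shell
#!/bin/sh
# Added example (not from the thread): locate the directory that stops a
# non-owner process from reaching a file. Function names are hypothetical.

# other_can_search DIR: succeed if the "other" class has the search (x) bit.
other_can_search() {
    # First 10 chars of ls output are the mode string, e.g. drwx--x--x;
    # the 10th is other-execute: x or t (sticky plus x) means traversable.
    mode=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d????????[xt]) return 0 ;;
        *) return 1 ;;
    esac
}

# first_blocked_dir FILE [ROOT]: print the first ancestor directory of FILE
# (below ROOT, default /) lacking other-search; print nothing if none does.
first_blocked_dir() {
    root=${2:-}
    rest=$(dirname "${1#"$root"}")
    cur=$root
    old_ifs=$IFS; IFS=/
    set -f; set -- $rest; set +f      # split the path on "/" without globbing
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if ! other_can_search "$cur"; then
            printf '%s\n' "$cur"
            return 0
        fi
    done
}

# Constructed tree standing in for /var/log/squid; modes are assumptions
# except 711, which is the fix given in the thread.
demo_var_log() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/var/log/squid"
    chmod 755 "$base" "$base/var" "$base/var/log/squid"
    chmod 700 "$base/var/log"         # constructed broken state: no x for others
    before=$(first_blocked_dir "$base/var/log/squid/access.log" "$base")
    chmod 711 "$base/var/log"         # fix from the thread
    after=$(first_blocked_dir "$base/var/log/squid/access.log" "$base")
    rm -rf "$base"
    printf 'before=%s after=%s\n' "${before#"$base"}" "${after:-none}"
}

demo_var_log
```

On a real system, call `first_blocked_dir /var/log/squid/access.log` with no second argument to check the whole path from the filesystem root.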
