On Saturday 06 April 2002 10:47, you wrote:
> On Friday 05 April 2002 11:28 pm, Damian wrote:
> > El vie, 05-04-2002 a las 02:51, Ric Tibbetts escribi�:
> > > On Thu, 2002-04-04 at 16:07, Thomas Gamble wrote:
> > > > Since upgrading to 8.2 I have noticed that changes to the login
> > > > manager don't stick. In particular, changing 'Show Users' to 'None'.
> > > > After a couple of login cycles this reverts back to 'All but no
> > > > show'. I've seen this same bahavior on three separate installations
> > > > of MDK8.2 all clean installs. It seems as though a script is running
> > > > somewhere that regenerates the /usr/share/config/kdm/kdmrc file, but
> > > > I've been unsuccessful in finding anything. Editing this file
> > > > directly has the same result. Has anyone else had this problem, and
> > > > have you found a solution?
> > >
> > > It's not just kdm. I'm having exactly the same problem with gdm. I
> > > thought it was just me.
> > >
> > > Anyone have a fix yet? Or at least a cause?
> > >
> > > Thanks!
> > >
> > > Ric
> >
> > possible cause: security level? just wondering...
>
> It turns out this is exactly the cause.
>
> In particular, it is related to the msec script that gets run from both
> /etc/cron.daily and /etc/cron.hourly. This script is a link to
> /usr/share/msec/security.sh which calls /usr/share/msec/msec.py. msec.py
> tests for security levels and makes corrections to certain system setting
> based on the current level setting.
>
> The following code snippet from /usr/share/msec/msec.py appears to be the
> offender:
>
> if level >= 4:
> set_user_umask('077')
> set_shell_history_size(10)
> allow_root_login(0)
> enable_sulogin(1)
> allow_user_list(0)
> enable_promisc_check(1)
> accept_icmp_echo(0)
> accept_bogus_error_responses(0)
> allow_reboot(0)
> enable_at_crontab(0)
> if level == 4:
> password_aging(60, 30)
> else:
> password_aging(30, 15)
> else:
> set_user_umask('022')
> set_shell_history_size(-1)
> allow_root_login(1)
> enable_sulogin(0)
> allow_user_list(1)
> enable_promisc_check(0)
> accept_icmp_echo(1)
> accept_bogus_error_responses(1)
> allow_reboot(1)
> enable_at_crontab(1)
> password_aging(99999)
>
> The call to 'allow_user_lists(1)' in the 'else' portion is the problem.
> This has the result of forcing the 'ShowUsers' setting in kdmrc to 'All'.
> Commenting this line out fixes the problem and still allows higher security
> level settings to force 'ShowUsers' to 'None'. This script also affects
> similar settings in gdm (I believe it's the 'Browser' setting)and this
> change should fix that as well.
The reccommended way to change these default security settings is to add the
appropriate entries to the file /etc/security/msec/level.local (create it if
necessary) . In this case just add the line "allow_user_list(0)" (without
quotes).
There is an excellent article on this at :
http://www.mandrakesecure.net/en/docs/msec.php
Also enter "man mseclib" in a terminal, or man:/mseclib in your browser for a
list of settings that can be manually configured.
Hope this helps,
--
Tim C
[EMAIL PROTECTED]
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
